From 8f80b7a32a79ced522be2f4a00d4823fd8b5d7b2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 3 May 2022 11:41:15 +0100 Subject: [PATCH 001/126] updated to allow audit_env to be set Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 +++++ tasks/post_remediation_audit.yml | 3 +++ tasks/pre_remediation_audit.yml | 3 +++ 3 files changed, 11 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 029b053a..ec80d184 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -711,6 +711,11 @@ rhel7stig_world_write_files_owner_root: false rhel7stig_sudo_timestamp_timeout: 1 #### Audit Configuration Settings #### +# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_run_script_environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_FILE: 'goss.yml' + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Audit binary settings ### audit_bin_version: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index d01d4e4e..67a4b2aa 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,6 +2,9 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + Environment: "{{ audit_run_script_environment|default({}) }}" + changed_when: audit_run_post_remediation.rc == 0 + register: audit_run_post_remediation vars: warn: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 45f42c11..9a8468a5 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
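Review bot: The `Environment:` key added to the post-remediation task is not an Ansible task keyword (the keyword is lowercase `environment:`), so as written the `audit_run_script_environment` variables are never exported to `run_audit.sh`. On the same task, `changed_when: audit_run_post_remediation.rc == 0` reports `changed` on every successful run even though the `shell:` line only executes the audit and writes its report to `{{ post_audit_outfile }}`; a read-only audit step is normally `changed_when: false`. The pre-remediation hunk in this commit (`changed_when: audit_run_pre_remediation.rc == 0`) has both issues. The comment added in defaults/main.yml also ends with a stray `"` after `-Audit.git` that is not part of the URL. The task's `vars:`/`warn:` lines continue outside the hunk.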
@@ -79,6 +79,9 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + Environment: "{{ audit_run_script_environment|default({}) }}" + changed_when: audit_run_pre_remediation.rc == 0 + register: audit_run_pre_remediation vars: warn: false From 31e5d35ecd2f56fac0661ae14f5b6357697654d2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 3 May 2022 11:54:25 +0100 Subject: [PATCH 002/126] added passwd hash to inv Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 9ad9240b..21352981 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -78,6 +78,6 @@ resource "local_file" "inventory" { run_audit: true system_is_ec2: true audit_git_version: devel + rhel7stig_bootloader_password_hash: thishasbeenchangedfortesting EOF } - From 604aa01e1aa9c90b9df870a7c3518d505df7cb5b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 3 May 2022 11:57:30 +0100 Subject: [PATCH 003/126] updated password hash Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 21352981..66d2b5d8 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -78,6 +78,6 @@ resource "local_file" "inventory" { run_audit: true system_is_ec2: true audit_git_version: devel - rhel7stig_bootloader_password_hash: thishasbeenchangedfortesting + rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.thishasbeenchangedfortesting' EOF } From 3cf0bda8ddbb8d7b1c5e1956dc461f9f099079c9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 3 May 2022 12:24:38 +0100 Subject: [PATCH 004/126] fixed typo 
Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 67a4b2aa..5087b679 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,7 +2,7 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - Environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment|default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation vars: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 9a8468a5..c685eafd 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -79,7 +79,7 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - Environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment|default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation vars: From b56fa95356f6dacaf766af884a7a63e3bc5c21bb Mon Sep 17 00:00:00 2001 From: Patrick Date: Mon, 2 May 2022 12:49:10 -0400 Subject: [PATCH 005/126] Update fix-cat2.yml Fix typo in RHEL-07-010483/RHEL-07-010492 tags Signed-off-by: Patrick Callahan --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index db41a6e5..af2dad91 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -938,7 +938,7 @@ - SRG-OS-000080-GPOS-00048 - SV-244557r744063_rule - V-244557 - - RHEL-07-01092 + - RHEL-07-010492 - SV-244558r744066_rule - V-244558 - grub 
From 9be8e1f257e8e55dbb42ed38a281d3c3a3757be4 Mon Sep 17 00:00:00 2001 From: Patrick Date: Mon, 2 May 2022 13:21:04 -0400 Subject: [PATCH 006/126] Update fix-cat2.yml s/United Extensible/Unified Extensible/ Signed-off-by: Patrick Callahan --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index db41a6e5..92004bc5 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -901,7 +901,7 @@ - name: | "MEDIUM | RHEL-07-010483 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes." - "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance." + "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance." block: - name: "MEDIUM | RHEL-07-010483 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes. | Set grub unique name BIOS" lineinfile: 
@@ -916,7 +916,7 @@ - { regexp: '^\s*password_pbkdf2', line: ' password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' } when: not rhel7stig_machine_uses_uefi - - name: "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Set grub unique name UEFI" + - name: "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Set grub unique name UEFI" lineinfile: path: "{{ rhel7stig_bootloader_path }}/grub.cfg" regexp: "{{ item.regexp }}" From 9a992ba3d3c65af24ca48316a6d7c83ad163890a Mon Sep 17 00:00:00 2001 From: Patrick Date: Fri, 29 Apr 2022 08:31:27 -0400 Subject: [PATCH 007/126] Update main.yml Fix couple of typos Signed-off-by: Patrick Callahan --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 029b053a..e49ba594 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -521,7 +521,7 @@ rhel7stig_logon_banner_nice: | -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - -notwithstanding the above, using this IS does not constitute consent to PM, LE + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such 
@@ -550,7 +550,7 @@ rhel7stig_ssh_sysadm_login_state: false # RHEL-07-040160 # Session timeout setting file (TMOUT setting can be set in multiple files) -# Timeout value is in seconds. (60 seconds * 15 = 600) +# Timeout value is in seconds. (60 seconds * 15 = 900) rhel7stig_shell_session_timeout: file: /etc/profile.d/tmout.sh timeout: 900 From 5e34a706f49bb8a5460bcb1709ce352812153c3a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 11:56:49 +0100 Subject: [PATCH 008/126] improved 010010 control Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 396f995d..ac4dffd8 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -8,31 +8,22 @@ warn: false check_mode: false failed_when: false - changed_when: rhel_07_010010_audit.stdout|length > 0 + changed_when: false register: rhel_07_010010_audit - - name: "HIGH | RHEL-07-010010 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." - debug: - msg: "{{ rhel_07_010010_audit.stdout_lines }}" - changed_when: true - when: rhel_07_010010_audit.stdout|length > 0 - - name: "HIGH | RHEL-07-010010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." - shell: > - ( rpm --setugids {{ item }}; rpm --setperms {{ item }} ) - 2>&1 1>&2 | grep -v ': No such file or directory$' + shell: ( rpm --setugids {{ item }} && rpm --setperms {{ item }} ) args: warn: false register: rhel_07_010010_patch - failed_when: rhel_07_010010_audit.stdout|length > 0 - ignore_errors: true with_items: "{{ rhel_07_010010_audit.stdout_lines }}" + when: rhel_07_010010_audit.stdout_lines | length > 0 - - name: "HIGH | RHEL-07-010010 | AUDIT | WARNING: error during remediation" + - name: "HIGH | RHEL-07-010010 | AUDIT | Error during remediation" debug: - msg: "{{ item.stdout_lines }}" + msg: "Warning!! The following package files have been reset to default {{ item }}" changed_when: true - with_items: "{{ rhel_07_010010_patch.results }}" + loop: "{{ rhel_07_010010_patch.results }}" loop_control: label: "{{ item.item }}" when: From a8727c07fc06718652dbc3eab1dfb5e0cb33c61e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 12:05:56 +0100 Subject: [PATCH 009/126] updated min_supported OS for CentOS to align with ansible_distribution Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
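Review bot: In the rewritten warning task, `msg: "Warning!! The following package files have been reset to default {{ item }}"` renders the whole registered result dict for each loop entry (cmd, rc, stdout and so on), while `loop_control.label` already narrows to `item.item`; the message should use `{{ item.item }}` so the output names the package. The task name `AUDIT | Error during remediation` no longer describes what the message reports, which is a completed reset rather than an error. Dropping `ignore_errors: true` and `failed_when` from the `rpm --setugids … && rpm --setperms …` task means any rpm failure now aborts the play; if that is intended it deserves a one-line comment. The task's trailing `when:` continues outside the hunk.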
diff --git a/defaults/main.yml b/defaults/main.yml index 40a82327..8eb3064f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -369,7 +369,7 @@ rhel_07_020730_WWP_Change: true # (Red Hat has support for older versions if you pay extra for it.) rhel7stig_min_supported_os_ver: RedHat: "7.9" - CentOS: "7.9.2009" + CentOS: "7.9" OracleLinux: "7.9" # RHEL-07-040740 From efa041fd1702e4584ab5c84a8cb7999e2abef51d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 13:59:11 +0100 Subject: [PATCH 010/126] updates and rewrite for 021700 Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 ++- tasks/fix-cat2.yml | 19 +++++++------------ 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8eb3064f..88bdb116 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -454,7 +454,8 @@ rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel7stig_boot_superuser: root # RHEL-07-021700 set the value for correctly configured grub bootloader sequence -rhel7stig_grub_bootloader_validorder: " set root='hd0,msdos1'" +# note this is different for bios and EFI boot types. so can be changed via the inventory or alternate vars +rhel7stig_grub_bootloader_validorder: "set root='hd0,msdos1'" # RHEL-07-040200 Path for cacrt bundle that holds LDAP certs for tls transport rhel_07_040200_cabundle_path: etc/pki/tls/certs/ca-bundle.crt diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4caf4c7b..8c37f2da 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -512,19 +512,19 @@ - name: "MEDIUM | RHEL-07-010260 | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." block: - name: "MEDIUM | RHEL-07-010260 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" + shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" check_mode: no changed_when: rhel_07_010260_audit.stdout| length > 0 register: rhel_07_010260_audit - name: "MEDIUM | RHEL-07-010260 | PATCH | Reset password timeout to prevent locking out user." - command: chage -d '-1 day' {{ item }} + shell: chage -d '-1 day' {{ item }} check_mode: "{{ rhel7stig_disruptive_check_mode }}" with_items: - "{{ rhel_07_010260_audit.stdout_lines }}" - name: "MEDIUM | RHEL-07-010260 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." - command: chage -M 60 {{ item }} + shell: "chage -M 60 {{ item }}" check_mode: "{{ rhel7stig_disruptive_check_mode }}" with_items: - "{{ rhel_07_010260_audit.stdout_lines }}" 
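Review bot: The three RHEL-07-010260 tasks are switched from `command:` to `shell:`, but none of them uses a shell feature (no pipes, redirects or globbing), and the two `chage` tasks interpolate `{{ item }}`, login names read from `/etc/shadow`, unquoted into the command line. With `command:` each name stays a single argv element; with `shell:` any metacharacter in a name is interpreted by `/bin/sh`, so the change widens the exposure of a privileged task without gaining anything. I would keep `command: chage -d '-1 day' {{ item }}` and `command: chage -M 60 {{ item }}`, and `command:` for the awk line as well. The enclosing block's `when:` and `tags:` lie outside the hunk.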
@@ -2123,24 +2123,19 @@ block: # Let's see what is configured in grub. - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." - shell: grep "set root" "{{ rhel7stig_grub_cfg_path }}" + shell: grep -o "set root=.*" "{{rhel7stig_grub_cfg_path }}" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq register: rhel7stig_grub_cfg_mediacheck changed_when: false failed_when: false - # Set the fact, even if the return was empty/nonexistant - - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." - set_fact: - rhel7stig_grub_bootloader_checkorder: "{{ rhel7stig_grub_cfg_mediacheck.stdout_lines | default(rhel7stig_grub_bootloader_validorder | list) | unique }}" - # Report on the bootloader list - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." debug: - msg: "The grub2 bootloader is configured to set root for menu entries as follows: {{ item }}. The configured expected entry is \"{{ rhel7stig_grub_bootloader_validorder }}\". If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding. You can set this comparison list in default vars as 'rhel7stig_grub_bootloader_validorder'" + msg: "Warning!! The grub2 bootloader potentially has some invalid entries that contain {{ item }}" changed_when: true with_items: - - "{{ rhel7stig_grub_bootloader_checkorder }}" - when: rhel7stig_grub_bootloader_validorder != rhel7stig_grub_bootloader_checkorder + - "{{ rhel7stig_grub_cfg_mediacheck.stdout }}" + when: rhel7stig_grub_cfg_mediacheck.stdout | length > 0 when: - rhel_07_021700 - not rhel7stig_system_is_chroot 
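Review bot: The warning loop uses `with_items: - "{{ rhel7stig_grub_cfg_mediacheck.stdout }}"`, which is a single string, so several unexpected `set root=` entries are reported as one item; `stdout_lines` is the list form. In the audit command, `grep -v "{{ rhel7stig_grub_bootloader_validorder }}"` treats the approved value as a substring regex, so any line that merely contains it (or matches it as a pattern) is filtered out as approved, and `uniq` only drops adjacent duplicates; `shell: grep -o "set root=.*" "{{ rhel7stig_grub_cfg_path }}" | grep -vxF "{{ rhel7stig_grub_bootloader_validorder }}" | sort -u` makes the comparison a whole-line, fixed-string match. `{{rhel7stig_grub_cfg_path }}` is also missing its leading space. The block's closing `when:` conditions continue outside the hunk.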
From a19085b43e6b66695274933737b152be30266e2d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 15:58:56 +0100 Subject: [PATCH 011/126] updated testing on 040100 Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 +++++ tasks/fix-cat2.yml | 18 ++++++++---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 88bdb116..4b0ba6cd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -412,6 +412,11 @@ rhel7stig_firewall_service: firewalld # The toggle to start the firewall service. Set to true the role will start the service for you where needed rhel7stig_start_firewall_service: true +# allowed firewall ports and protocols as found in the command used to discover +rhel7stig_firewall_ports_protocols: +- '22/tcp' +- '546/udp' + # RHEL-07-031010 rhel7stig_system_is_log_aggregator: false diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8c37f2da..51c8da3a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -3089,23 +3089,21 @@ - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." block: - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." - shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u + shell: for p in `firewall-cmd --list-services`; do firewall-cmd --permanent --service $p --get-ports | grep -Ev '{{ rhel7stig_firewall_ports_protocols|flatten|join('|') }}'; done; changed_when: false failed_when: false check_mode: false register: rhel7stig_PPSM_CLSA_check_firewalld + when: rhel7stig_firewall_ports_protocols is defined - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." debug: - msg: "The following task output is what firewalld is accepting on service ports to {{ ansible_hostname }}." - changed_when: true - when: rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines is defined - - - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." 
- debug: - var: rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines - changed_when: true - when: rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines is defined + msg: "Warning!! Firewalld is accepting the following port/protocols that are not in the accepted list: {{ item }}." + changed_when: false + with_items: "{{ rhel7stig_PPSM_CLSA_check_firewalld.stdout }}" + when: + - rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines is defined + - rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines | length > 0 when: - rhel7stig_firewall_service == "firewalld" - rhel7stig_start_firewall_service From d3f1399675db80cedb518d240405586943734539 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 16:32:54 +0100 Subject: [PATCH 012/126] fixed auditd restart logic Signed-off-by: Mark Bolwell --- handlers/main.yml | 9 ++++++--- tasks/fix-cat2.yml | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 90cc79c8..1cdfc5ae 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -63,16 +63,19 @@ owner: root group: root mode: 0600 + register: auditd_file notify: restart auditd + when: + - not rhel7stig_skip_for_travis + - not rhel7stig_system_is_chroot + - not rhel7stig_system_is_container - name: restart auditd command: /usr/sbin/service auditd restart args: warn: no when: - - not rhel7stig_skip_for_travis - - not rhel7stig_system_is_chroot - - not rhel7stig_system_is_container + - auditd_file.changed - name: rebuild initramfs command: dracut -f diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 51c8da3a..57c4be87 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2213,7 +2213,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" create: yes - mode: 0644 + mode: 0640 notify: restart auditd with_items: - { regexp: '^active =', line: 'active = yes'} From d7d865c75bc8776f34483935872773bf9b720a8d Mon Sep 17 00:00:00 2001 
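Review bot: The firewalld audit filters `--get-ports` output with `grep -Ev '{{ rhel7stig_firewall_ports_protocols|flatten|join('|') }}'`, an unanchored alternation, so any port/protocol that merely contains an allowed entry as a substring (`2222/tcp` against `22/tcp`, for example) is dropped from the report and a non-approved listener goes unreported; anchoring with `grep -Evx` (and, if `--get-ports` prints several ports on one line, splitting with `tr ' ' '\n'` first) makes the allow-list exact. The warning task iterates `with_items: "{{ rhel7stig_PPSM_CLSA_check_firewalld.stdout }}"`, a single string, so all offending ports print as one item; `stdout_lines` gives one warning per port. That task also sets `changed_when: false`, while the role's other `Warning!!` debug tasks use `changed_when: true`, so this finding will not surface as changed in the play summary. The outer `when:` on `rhel7stig_firewall_service` continues outside the hunk.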
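Review bot: The `restart auditd` handler is now gated on `- auditd_file.changed`, but `auditd_file` is only registered by the preceding handler that writes the rules file; `restart auditd` is also notified directly from task files (this same commit's `au-remote.conf` lineinfile in tasks/fix-cat2.yml carries `notify: restart auditd`), and on that path `auditd_file` is undefined, so the handler fails with an undefined-variable error instead of restarting auditd. Moving the `rhel7stig_skip_for_travis`/`rhel7stig_system_is_chroot`/`rhel7stig_system_is_container` guards off the restart handler also means a direct notification would attempt `service auditd restart` inside a container or chroot. I would keep the three `not rhel7stig_*` conditions on `restart auditd` and drop `- auditd_file.changed`: a notify only fires when the writing task reports changed, so the register-based gate is always true on the one path it was meant to cover. The first handler's `name:` and module lines are outside the hunk.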
From: Mark Bolwell Date: Mon, 11 Jul 2022 16:33:15 +0100 Subject: [PATCH 013/126] tidy up white space Signed-off-by: Mark Bolwell --- tasks/audit_firewalld.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/audit_firewalld.yml b/tasks/audit_firewalld.yml index 9ebe6930..24d00499 100644 --- a/tasks/audit_firewalld.yml +++ b/tasks/audit_firewalld.yml @@ -9,6 +9,7 @@ tags: - RHEL-07-040810 - firewall + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." command: firewall-cmd --list-all --zone="{{ rhel_07_040810_firewalld_zone_audit.stdout }}" register: rhel_07_040810_firewalld_zone_default_audit @@ -39,7 +40,7 @@ - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." debug: - msg: "WARNING! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." + msg: "Warning!! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." changed_when: true when: - rhel_07_040810_firewalld_zone_audit.stdout | length == 0 From 3a1ae7695daac30a195ae40c402455211c8561f6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 16:48:47 +0100 Subject: [PATCH 014/126] yamllint 
Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- tasks/audit_command.yml | 2 +- tasks/audit_file.yml | 2 +- tasks/audit_system_call.yml | 2 +- tasks/fix-cat1.yml | 25 ++---- tasks/fix-cat2.yml | 106 ++++++++++++------------ tasks/fix-cat3.yml | 4 +- tasks/main.yml | 2 +- tasks/pre_remediation_audit.yml | 138 ++++++++++++++++---------------- tasks/prelim.yml | 60 +++++++------- 10 files changed, 164 insertions(+), 179 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 616edd8a..7df51c6a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -19,4 +19,4 @@ owner: root group: root when: - - get_audit_binary_method == 'copy' \ No newline at end of file + - get_audit_binary_method == 'copy' diff --git a/tasks/audit_command.yml b/tasks/audit_command.yml index 6bc823e2..153ffee8 100644 --- a/tasks/audit_command.yml +++ b/tasks/audit_command.yml @@ -4,7 +4,7 @@ - name: "MEDIUM | RHEL-07-{{ item.id }} | {{ audit_present | ternary('PATCH', 'REVERT') }} | The Red Hat Enterprise Linux operating system must audit all uses of the {{ item.path | basename }} command." lineinfile: path: "/etc/audit/rules.d/rhel7stig_commands.rules" - create: yes + create: true owner: root group: root mode: 0600 diff --git a/tasks/audit_file.yml b/tasks/audit_file.yml index b2aa0963..81093364 100644 --- a/tasks/audit_file.yml +++ b/tasks/audit_file.yml @@ -4,7 +4,7 @@ - name: "MEDIUM | RHEL-07-{{ item.id }} | {{ audit_present | ternary('PATCH', 'REVERT') }} | The Red Hat Enterprise Linux operating system must generate audit records for all {{ item.description }}." lineinfile: path: "/etc/audit/rules.d/rhel7stig_files.rules" - create: yes + create: true owner: root group: root mode: 0600 diff --git a/tasks/audit_system_call.yml b/tasks/audit_system_call.yml index 92381f5d..94b7fef7 100644 --- a/tasks/audit_system_call.yml +++ b/tasks/audit_system_call.yml 
@@ -4,7 +4,7 @@ - name: "MEDIUM | RHEL-07-{{ item.id }} | {{ audit_present | ternary('PATCH', 'REVERT') }} | The Red Hat Enterprise Linux operating system must audit all uses of the {{ item.call }} syscall." lineinfile: path: "/etc/audit/rules.d/rhel7stig_system_calls.rules" - create: yes + create: true owner: root group: root mode: 0600 diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index ac4dffd8..c3671cd8 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -222,7 +222,7 @@ - name: "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." lineinfile: path: /boot/grub2/user.cfg - create: yes + create: true mode: '0644' regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -239,7 +239,7 @@ - name: "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." lineinfile: path: "{{ rhel7stig_bootloader_path }}/user.cfg" - create: yes + create: true mode: '0644' regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -252,21 +252,6 @@ - make grub2 config when: - rhel7stig_machine_uses_uefi - - # - name: | - # "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." - # "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." - # lineinfile: - # path: /etc/grub.d/01_users - # regexp: "{{ item.regexp }}" - # line: "{{ item.line }}" - # notify: - # - make grub2 config - # with_items: - # - regexp: ^\s*set superusers= - # line: ' set superusers="{{ rhel7stig_boot_superuser }}"' - # - regexp: ^\s*export superusers - # line: ' export superusers' when: - rhel_07_010482 or rhel_07_010491 @@ -359,7 +344,7 @@ - name: "HIGH | RHEL-07-020230 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line." systemd: name: ctrl-alt-del.target - masked: yes + masked: true when: - rhel_07_020230 tags: @@ -494,7 +479,7 @@ key: GRUB_CMDLINE_LINUX param: fips value: "{{ fips_value }}" - append: yes # this is the default + append: true # this is the default notify: confirm grub2 user cfg when: - not ansible_check_mode or @@ -589,7 +574,7 @@ service: name: "{{ rhel7stig_av_package.service }}" state: "{{ rhel7stig_service_started }}" - enabled: yes + enabled: true failed_when: false when: - rhel7stig_antivirus_required diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 57c4be87..ab86a3f0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -228,7 +228,7 @@ - name: "MEDIUM | RHEL-07-010119 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used." lineinfile: - create: yes + create: true dest: /etc/pam.d/system-auth regexp: '^#?password\s+required pam_pwquality.so retry' line: password required pam_pwquality.so retry=3 @@ -246,7 +246,7 @@ - name: "MEDIUM | RHEL-07-010120 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character." lineinfile: - create: yes + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*ucredit' line: "ucredit = {{ rhel7stig_password_complexity.ucredit | default('-1') }}" @@ -264,7 +264,7 @@ - name: "MEDIUM | RHEL-07-010130 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character." lineinfile: - create: yes + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*lcredit' line: "lcredit = {{ rhel7stig_password_complexity.lcredit | default('-1') }}" @@ -282,7 +282,7 @@ - name: "MEDIUM | RHEL-07-010140 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character." lineinfile: - create: yes + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*dcredit' line: "dcredit = {{ rhel7stig_password_complexity.dcredit | default('-1') }}" 
@@ -299,7 +299,7 @@ - name: "MEDIUM | RHEL-07-010150 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character." lineinfile: - create: yes + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*ocredit' line: "ocredit = {{ rhel7stig_password_complexity.ocredit | default('-1') }}" @@ -317,7 +317,7 @@ - name: "MEDIUM | RHEL-07-010160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed." lineinfile: - create: yes + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*difok' line: "difok = {{ rhel7stig_password_complexity.difok | default('8') }}" @@ -335,7 +335,7 @@ - name: "MEDIUM | RHEL-07-010170 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed." lineinfile: - create: yes + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*minclass' line: "minclass = {{ rhel7stig_password_complexity.minclass | default('4') }}" @@ -353,7 +353,7 @@ - name: "MEDIUM | RHEL-07-010180 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters." lineinfile: - create: yes + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*maxrepeat' line: "maxrepeat = {{ rhel7stig_password_complexity.maxrepeat | default('3') }}" 
@@ -371,7 +371,7 @@ - name: "MEDIUM | RHEL-07-010190 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters." lineinfile: - create: yes + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*maxclassrepeat' line: "maxclassrepeat = {{ rhel7stig_password_complexity.maxclassrepeat | default('4') }}" @@ -452,7 +452,7 @@ - name: "MEDIUM | RHEL-07-010230 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime." lineinfile: - create: yes + create: true dest: /etc/login.defs regexp: ^#?PASS_MIN_DAYS line: "PASS_MIN_DAYS {{ rhel7stig_login_defaults.pass_min_days | default('1') }}" @@ -493,7 +493,7 @@ - name: "MEDIUM | RHEL-07-010250 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime." lineinfile: - create: yes + create: true dest: /etc/login.defs regexp: ^#?PASS_MAX_DAYS line: "PASS_MAX_DAYS {{ rhel7stig_login_defaults.pass_max_days | default('60') }}" @@ -513,7 +513,7 @@ block: - name: "MEDIUM | RHEL-07-010260 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" - check_mode: no + check_mode: false changed_when: rhel_07_010260_audit.stdout| length > 0 register: rhel_07_010260_audit 
@@ -596,7 +596,7 @@ - name: "MEDIUM | RHEL-07-010280 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length." lineinfile: - create: yes + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*minlen' line: "minlen = {{ rhel7stig_password_complexity.minlen | default('15') }}" @@ -989,7 +989,7 @@ # This remediates the screensaver settings for smartcard authentication - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. lineinfile: - create: yes + create: true dest: /etc/pam_pkcs11/pkcs11_eventmgr.conf regexp: '^#?/usr/X11R6/bin/xscreensaver-command -lock' line: "/usr/X11R6/bin/xscreensaver-command -lock" @@ -1118,7 +1118,7 @@ insertafter: "{{ item.insertafter }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - create: yes + create: true owner: root group: root mode: "0644" @@ -1150,7 +1150,7 @@ insertafter: "{{ item.insertafter }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - create: yes + create: true owner: root group: root mode: "0644" @@ -1185,7 +1185,7 @@ - name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required." service: name: autofs - enabled: no + enabled: false state: stopped when: - rhel_07_020110_autofs_service_status == "loaded" @@ -1576,7 +1576,7 @@ - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." file: path: "{{ item.0 }}" - recurse: yes + recurse: true mode: a-st,g-w,o-rwx register: rhel_07_020680_patch with_together: 
@@ -1592,9 +1592,9 @@ - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." acl: path: "{{ item.0 }}" - default: yes + default: true state: present - recursive: yes + recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" with_nested: @@ -1609,7 +1609,7 @@ when: - rhel_07_020680 tags: - - RHEL-07-020680 + - RHEL-07-020680 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 @@ -2075,7 +2075,7 @@ - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed." service: name: kdump - enabled: no + enabled: false state: stopped when: - rhel_07_021300_kdump_service_status.stdout == "loaded" @@ -2173,7 +2173,7 @@ service: name: auditd state: "{{ rhel7stig_service_started }}" - enabled: yes + enabled: true when: - not rhel7stig_system_is_container when: @@ -2212,7 +2212,7 @@ path: /etc/audisp/plugins.d/au-remote.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - create: yes + create: true mode: 0640 notify: restart auditd with_items: @@ -3101,7 +3101,7 @@ msg: "Warning!! Firewalld is accepting the following port/protocols that are not in the accepted list: {{ item }}." changed_when: false with_items: "{{ rhel7stig_PPSM_CLSA_check_firewalld.stdout }}" - when: + when: - rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines is defined - rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines | length > 0 when: 
@@ -3175,7 +3175,7 @@ - name: "MEDIUM | RHEL-07-040160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements." blockinfile: - create: yes + create: true mode: 0644 dest: "{{ item.dest }}" state: "{{ item.state }}" @@ -3262,7 +3262,7 @@ ldap_tls_cacert = "{{ rhel_07_040200_cabundle_path }}" path: /etc/sssd/sssd.conf insertafter: "^ldap_search_base*" - create: yes + create: true mode: 0600 when: rhel_07_040180_audit.stdout == "Active" when: @@ -3290,8 +3290,8 @@ value: '2' state: present reload: "{{ rhel7stig_sysctl_reload }}" - sysctl_set: yes - ignoreerrors: yes + sysctl_set: true + ignoreerrors: true when: - rhel_07_040201 tags: @@ -3330,7 +3330,7 @@ service: name: sshd state: "{{ rhel7stig_service_started }}" - enabled: yes + enabled: true when: - rhel_07_040310 - rhel7stig_ssh_required @@ -3345,7 +3345,7 @@ - name: "MEDIUM | RHEL-07-040320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." lineinfile: - create: yes + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?ClientAliveInterval" line: ClientAliveInterval {{ rhel7stig_ssh_session_timeout }} @@ -3387,7 +3387,7 @@ - name: "MEDIUM | RHEL-07-040340 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity." lineinfile: - create: yes + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?ClientAliveCountMax" line: ClientAliveCountMax 0 
@@ -3447,7 +3447,7 @@ - name: "MEDIUM | RHEL-07-040370 | PATCH | The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH." lineinfile: - create: yes + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?PermitRootLogin" line: PermitRootLogin no @@ -3468,7 +3468,7 @@ - name: "MEDIUM | RHEL-07-040380 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication." lineinfile: - create: yes + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?IgnoreUserKnownHosts" line: IgnoreUserKnownHosts yes @@ -3489,7 +3489,7 @@ - name: "MEDIUM | RHEL-07-040400 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms." lineinfile: - create: yes + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?MACs" line: "MACs {{ rhel7stig_ssh_macs }}" @@ -3513,7 +3513,7 @@ - name: "MEDIUM | RHEL-07-040410 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive." find: paths: /etc/ssh - recurse: yes + recurse: true file_type: file patterns: 'ssh_host*_key.pub' hidden: true @@ -3544,7 +3544,7 @@ - name: "MEDIUM | RHEL-07-040420 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive." find: paths: /etc/ssh - recurse: yes + recurse: true file_type: file patterns: 'ssh_host*_key' hidden: true 
@@ -3573,7 +3573,7 @@ - name: "MEDIUM | RHEL-07-040430 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed." lineinfile: - create: yes + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?GSSAPIAuthentication" line: GSSAPIAuthentication no @@ -3696,7 +3696,7 @@ - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." lineinfile: - create: yes + create: true dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -3791,7 +3791,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040610 tags: @@ -3845,7 +3845,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040620 tags: @@ -3862,9 +3862,9 @@ name: net.ipv4.icmp_echo_ignore_broadcasts state: present value: '1' - sysctl_set: yes + sysctl_set: true reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040630 tags: @@ -3882,7 +3882,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040640 tags: @@ -3900,7 +3900,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040641 tags: @@ -3918,7 +3918,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040650 tags: 
@@ -3936,7 +3936,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040660 tags: @@ -3955,7 +3955,7 @@ changed_when: rhel_07_040670_promisc_check.stdout| length > 0 failed_when: false check_mode: false - ignore_errors: yes + ignore_errors: true register: rhel_07_040670_promisc_check - name: "MEDIUM | RHEL-07-040670 | PATCH | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode." @@ -3999,7 +3999,7 @@ - name: "MEDIUM | RHEL-07-040710 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requiremen" lineinfile: - create: yes + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?X11Forwarding" line: X11Forwarding no @@ -4067,7 +4067,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - not rhel7stig_system_is_router - rhel_07_040740 @@ -4163,7 +4163,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040830 tags: @@ -4429,7 +4429,7 @@ - name: "MEDIUM | RHEL-07-040711 | PATCH | The Red Hat Enterprise Linux operating system must prevent remote hosts from connecting to the proxy display." lineinfile: - create: yes + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?X11UseLocalhost" line: X11UseLocalhost yes 
@@ -4598,7 +4598,7 @@ debug: msg: "Warning! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings" when: rhel_07_020021_sel_role_mappings.stdout | length > 0 - + - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Alert that semanage is not installed" debug: msg: "Alert! You do not have semanage installed! Please installed the needed packages" diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 1b0e3b38..a7610716 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -131,8 +131,8 @@ systemd: name: tmp.mount daemon_reload: "{{ rhel7stig_systemd_daemon_reload }}" - enabled: yes - masked: no + enabled: true + masked: false state: "{{ rhel7stig_service_started }}" when: - rhel_07_021340 diff --git a/tasks/main.yml b/tasks/main.yml index d2718edb..50aca496 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -46,7 +46,7 @@ - cat1 - import_tasks: prelim.yml - become: yes + become: true tags: - prelim_tasks - run_audit diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index c685eafd..12381fd7 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -3,80 +3,80 @@ - name: Audit Binary Setup | Setup the LE audit include_tasks: LE_audit_setup.yml when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit - name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" file: - path: "{{ audit_conf_dir }}" - state: directory - mode: '0755' + path: "{{ audit_conf_dir }}" + state: directory + mode: '0755' - name: Pre Audit Setup | If using git for content set up block: - - name: Pre Audit Setup | Install git (rh8 python3) - package: - name: git - state: present - when: ansible_distribution_major_version == '8' - - - name: Pre Audit Setup | Install git (rh7 python2) - package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' + - name: Pre Audit Setup | Install git (rh8 python3) + package: + name: git + state: present + when: ansible_distribution_major_version == '8' - - name: Pre Audit Setup | retrieve audit content files from git - git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + - name: Pre Audit Setup | Install git (rh7 python2) + package: + name: git + state: present + vars: + ansible_python_interpreter: "{{ python2_bin }}" + when: ansible_distribution_major_version == '7' + + - name: Pre Audit Setup | retrieve audit content files from git + git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - - audit_content == 'git' + - audit_content == 'git' - name: Pre Audit Setup | copy to audit content files to server copy: - src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + src: "{{ audit_local_copy }}" + dest: "{{ audit_conf_dir }}" + mode: 0644 when: - - audit_content == 'copy' + - audit_content == 'copy' - name: Pre Audit Setup | get audit content from url get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + url: "{{ audit_files_url }}" + dest: "{{ 
audit_conf_dir }}" when: - - audit_content == 'get_url' + - audit_content == 'get_url' - name: Pre Audit Setup | Check Goss is available block: - - name: Pre Audit Setup | Check for goss file - stat: - path: "{{ audit_bin }}" - register: goss_available - - - name: Pre Audit Setup | If audit ensure goss is available - assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists + - name: Pre Audit Setup | Check for goss file + stat: + path: "{{ audit_bin }}" + register: goss_available + + - name: Pre Audit Setup | If audit ensure goss is available + assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + when: + - not goss_available.stat.exists when: - - run_audit + - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit template: - src: ansible_vars_goss.yml.j2 - dest: "{{ audit_vars_path }}" - mode: 0600 + src: ansible_vars_goss.yml.j2 + dest: "{{ audit_vars_path }}" + mode: 0600 when: - - run_audit + - run_audit tags: - - goss_template - + - goss_template + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment|default({}) }}" 
@@ -87,28 +87,28 @@ - name: Pre Audit | Capture audit data if json format block: - - name: "capture data {{ pre_audit_outfile }}" - command: "cat {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false - - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" - vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + - name: "capture data {{ pre_audit_outfile }}" + command: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false + + - name: Pre Audit | Capture pre-audit result + set_fact: + pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" + vars: + summary: 'summary."summary-line"' + when: + - audit_format == "json" - name: Pre Audit | Capture audit data if documentation format block: - - name: "capture data {{ pre_audit_outfile }}" - command: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: "capture data {{ pre_audit_outfile }}" + command: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" - when: - - audit_format == "documentation" + - name: Pre Audit | Capture pre-audit result + set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" + when: + - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f0c1635f..c2a6ec7b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -409,7 +409,7 @@ service: name: sshd state: "{{ rhel7stig_service_started }}" - enabled: yes + enabled: true - name: PRELIM | check if ssh host key exists stat: 
@@ -425,40 +425,40 @@ - name: "PRELIM | Check whether machine is UEFI-based" stat: - path: /sys/firmware/efi + path: /sys/firmware/efi register: rhel7_efi_boot tags: - - goss_template + - goss_template - name: set bootloader type block: - - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" - set_fact: - rhel7stig_bootloader_path: /boot/efi/EFI/redhat - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path - - - name: "PRELIM | set fact if UEFI boot | CentOS " - set_fact: - rhel7stig_bootloader_path: /boot/efi/EFI/centos - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution == 'CentOS' - - - name: "PRELIM | set if not UEFI boot" - set_fact: - rhel7stig_bootloader_path: /boot/grub2/ - rhel7stig_legacy_boot: true - when: not rhel7_efi_boot.stat.exists - - - name: PRELIM | output bootloader and efi state - debug: - msg: - - "bootloader path set to {{ rhel7stig_bootloader_path }}" - - "legacy boot equals {{ rhel7stig_legacy_boot }}" + - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" + set_fact: + rhel7stig_bootloader_path: /boot/efi/EFI/redhat + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path + + - name: "PRELIM | set fact if UEFI boot | CentOS " + set_fact: + rhel7stig_bootloader_path: /boot/efi/EFI/centos + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution == 'CentOS' + + - name: "PRELIM | set if not UEFI boot" + set_fact: + rhel7stig_bootloader_path: /boot/grub2/ + rhel7stig_legacy_boot: true + when: not rhel7_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + debug: + msg: + - "bootloader path set to {{ rhel7stig_bootloader_path }}" + - "legacy boot equals {{ rhel7stig_legacy_boot }}" - name: "PRELIM | Gather interactive user ID min" block: 
From 2faf9a94e3e8ec34d7194e09febcc84d5a8d4578 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 16:57:06 +0100 Subject: [PATCH 015/126] lint Signed-off-by: Mark Bolwell --- defaults/main.yml | 8 ++++---- tasks/audit_selinuxlocaluserdefs.yml | 1 - tasks/fix-cat2.yml | 6 +++--- tasks/main.yml | 1 - 4 files changed, 7 insertions(+), 9 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4b0ba6cd..f4ba1206 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -413,9 +413,9 @@ rhel7stig_firewall_service: firewalld rhel7stig_start_firewall_service: true # allowed firewall ports and protocols as found in the command used to discover -rhel7stig_firewall_ports_protocols: -- '22/tcp' -- '546/udp' +rhel7stig_firewall_ports_protocols: + - '22/tcp' + - '546/udp' # RHEL-07-031010 rhel7stig_system_is_log_aggregator: false @@ -547,7 +547,7 @@ rhel7stig_password_complexity: minlen: 15 # RHEL-07-020022 -# rhel7stig_ssh_sysadm_login_state is the state for the ssh_sysadmin_login boolean. +# rhel7stig_ssh_sysadm_login_state is the state for the ssh_sysadmin_login boolean. # The value False will set the value to off, which does not allow privileged accounts to utilize SSH # The value True will set the value to on, which allows privileged accounts to utilize SSH # To confrom to STIG requirements use the value of false diff --git a/tasks/audit_selinuxlocaluserdefs.yml b/tasks/audit_selinuxlocaluserdefs.yml index 1a0cb921..22dea8f2 100644 --- a/tasks/audit_selinuxlocaluserdefs.yml +++ b/tasks/audit_selinuxlocaluserdefs.yml @@ -81,4 +81,3 @@ - rhel7stig_audit_disruptive tags: - RHEL-07-020020 - diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ab86a3f0..48ef7fca 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1609,7 +1609,7 @@ when: - rhel_07_020680 tags: - - RHEL-07-020680 + - RHEL-07-020680 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 
@@ -2123,7 +2123,7 @@ block: # Let's see what is configured in grub. - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." - shell: grep -o "set root=.*" "{{rhel7stig_grub_cfg_path }}" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq + shell: grep -o "set root=.*" "{{ rhel7stig_grub_cfg_path }}" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq register: rhel7stig_grub_cfg_mediacheck changed_when: false failed_when: false @@ -3248,7 +3248,7 @@ stat: path: /etc/sssd/sssd.conf changed_when: false - register: rhel_07_040180_LDAPconf_audit + register: rhel_07_040180_ldapconf_audit when: rhel_07_040180_audit.stdout == "Active" - name: | diff --git a/tasks/main.yml b/tasks/main.yml index 50aca496..fade713f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -113,4 +113,3 @@ - run_audit tags: - run_audit - From 5df4373d175c30b2d51bf009f401854dbd090b1d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 17:23:11 +0100 Subject: [PATCH 016/126] removed auditd step as updated in handlers Signed-off-by: Mark Bolwell --- tasks/main.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index fade713f..8a75b775 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -84,16 +84,6 @@ - cat3 - low -- name: trigger update auditd - shell: /bin/true - args: - warn: false - notify: update auditd - changed_when: true - check_mode: false - tags: - - auditd - - name: flush handlers meta: flush_handlers From 299a811137f73e8191e7a840a4ecbeaed8b9a031 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 17:23:36 +0100 Subject: [PATCH 017/126] auditd updates Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 + handlers/main.yml | 4 +- tasks/fix-cat2.yml | 190 ++++++++++++++++++--------------------------- 3 files changed, 80 insertions(+), 117 deletions(-) 
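Review bot: Renaming the registered variable to `rhel_07_040180_ldapconf_audit` in the `@@ -3248` hunk changes a name that other tasks read, and the consumer that follows (`- name: |` ...) begins outside the hunk, so it is not visible whether it was updated to match. If any `when:` or `stat.exists` lookup elsewhere still uses `rhel_07_040180_LDAPconf_audit`, that task now fails with an undefined-variable error rather than being silently skipped. Worth a grep for the old spelling across `tasks/` before merging the lint commit; the `@@ -2123` hunk above is a spacing-only change and needs nothing.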
diff --git a/defaults/main.yml b/defaults/main.yml index f4ba1206..bd080704 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -634,6 +634,9 @@ rhel7stig_login_defaults: umask: '077' create_home: 'yes' +# Default value - if control is enabled this will run for the valid controls. +update_audit_template: false + # RHEL-07-030300 uncomment and set the value to a remote IP address that can receive audit logs # rhel7stig_audisp_remote_server: 10.10.10.10 diff --git a/handlers/main.yml b/handlers/main.yml index 1cdfc5ae..84d06692 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -66,9 +66,7 @@ register: auditd_file notify: restart auditd when: - - not rhel7stig_skip_for_travis - - not rhel7stig_system_is_chroot - - not rhel7stig_system_is_container + - update_audit_template - name: restart auditd command: /usr/sbin/service auditd restart diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 48ef7fca..662e9d5b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2396,9 +2396,8 @@ - logging - name: "MEDIUM | RHEL-07-030360 | PATCH | The Red Hat Enterprise Linux operating system must audit all executions of privileged functions." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030360 tags: @@ -2411,9 +2410,8 @@ - auditd - name: "MEDIUM | RHEL-07-030370 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030370 tags: 
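Review bot: The `update auditd` handler hunk drops the `not rhel7stig_system_is_chroot` and `not rhel7stig_system_is_container` guards and keeps only `update_audit_template`, so the rules template (and the chained `restart auditd` via `/usr/sbin/service auditd restart` in the context below) will now be attempted inside containers and chroots, where auditd cannot be restarted and the play will fail. The new flag should be added alongside the existing guards rather than replacing them, e.g. `when:` / `  - update_audit_template` / `  - not rhel7stig_system_is_container` / `  - not rhel7stig_system_is_chroot`. Whether `rhel7stig_skip_for_travis` is still used elsewhere is not visible here; keep it too unless it has been removed from defaults.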
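Review bot: Replacing `debug` + `notify: restart auditd` with `set_fact: update_audit_template: true` for RHEL-07-030360 (and the sibling controls) leaves nothing in this patch that notifies the `update auditd` handler, since `set_fact` never reports changed and cannot carry a `notify`; the only caller I can see, the `trigger update auditd` task in tasks/main.yml, is deleted by the preceding commit. Unless a notification survives outside this diff, the handler gated by `when: update_audit_template` never runs and no audit rules are written. A single trigger after the last auditd control restores the chain:

```yaml
# … unchanged: per-control set_fact tasks …
- name: "MEDIUM | auditd | PATCH | Apply collected auditd rule template"
  command: /bin/true
  changed_when: true
  notify: update auditd
  when: update_audit_template
  tags:
    - auditd
```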
@@ -2426,9 +2424,8 @@ - auditd - name: "MEDIUM | RHEL-07-030410 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030410 tags: @@ -2441,9 +2438,8 @@ - auditd - name: "MEDIUM | RHEL-07-030440 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030440 tags: @@ -2456,9 +2452,8 @@ - auditd - name: "MEDIUM | RHEL-07-030510 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030510 tags: @@ -2471,9 +2466,8 @@ - auditd - name: "MEDIUM | RHEL-07-030560 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the semanage command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030560 tags: @@ -2486,9 +2480,8 @@ - auditd - name: "MEDIUM | RHEL-07-030570 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030570 tags: 
@@ -2501,9 +2494,8 @@ - auditd - name: "MEDIUM | RHEL-07-030580 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chcon command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030580 tags: @@ -2516,9 +2508,8 @@ - auditd - name: "MEDIUM | RHEL-07-030590 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030590 tags: @@ -2531,9 +2522,8 @@ - auditd - name: "MEDIUM | RHEL-07-030610 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030610 tags: @@ -2548,9 +2538,8 @@ - auditd - name: "MEDIUM | RHEL-07-030620 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030620 tags: @@ -2565,9 +2554,8 @@ - auditd - name: "MEDIUM | RHEL-07-030630 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the passwd command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030630 tags: 
@@ -2582,9 +2570,8 @@ - auditd - name: "MEDIUM | RHEL-07-030640 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030640 tags: @@ -2599,9 +2586,8 @@ - auditd - name: "MEDIUM | RHEL-07-030650 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030650 tags: @@ -2616,9 +2602,8 @@ - auditd - name: "MEDIUM | RHEL-07-030660 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chage command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030660 tags: @@ -2633,9 +2618,8 @@ - auditd - name: "MEDIUM | RHEL-07-030670 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030670 tags: @@ -2650,9 +2634,8 @@ - auditd - name: "MEDIUM | RHEL-07-030680 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the su command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030680 tags: 
@@ -2668,9 +2651,8 @@ - auditd - name: "MEDIUM | RHEL-07-030690 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030690 tags: @@ -2686,9 +2668,8 @@ - auditd - name: "MEDIUM | RHEL-07-030700 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030700 tags: @@ -2704,9 +2685,8 @@ - auditd - name: "MEDIUM | RHEL-07-030710 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030710 tags: @@ -2722,9 +2702,8 @@ - auditd - name: "MEDIUM | RHEL-07-030720 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chsh command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030720 tags: @@ -2740,9 +2719,8 @@ - auditd - name: "MEDIUM | RHEL-07-030740 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030740 tags: 
@@ -2756,9 +2734,8 @@ - auditd - name: "MEDIUM | RHEL-07-030750 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the umount command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030750 tags: @@ -2772,9 +2749,8 @@ - auditd - name: "MEDIUM | RHEL-07-030760 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030760 tags: @@ -2788,9 +2764,8 @@ - auditd - name: "MEDIUM | RHEL-07-030770 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030770 tags: @@ -2804,9 +2779,8 @@ - auditd - name: "MEDIUM | RHEL-07-030780 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030780 tags: @@ -2821,9 +2795,8 @@ - auditd - name: "MEDIUM | RHEL-07-030800 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the crontab command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030800 tags: 
@@ -2838,9 +2811,8 @@ - auditd - name: "MEDIUM | RHEL-07-030810 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030810 tags: @@ -2853,9 +2825,8 @@ - auditd - name: "MEDIUM | RHEL-07-030819 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030819 tags: @@ -2868,9 +2839,8 @@ - auditd - name: "MEDIUM | RHEL-07-030820 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscall." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030820 tags: @@ -2883,9 +2853,8 @@ - auditd - name: "MEDIUM | RHEL-07-030830 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030830 tags: @@ -2898,9 +2867,8 @@ - auditd - name: "MEDIUM | RHEL-07-030840 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the kmod command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030840 tags: 
@@ -2913,9 +2881,8 @@ - auditd - name: "MEDIUM | RHEL-07-030870 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030870 tags: @@ -2931,9 +2898,8 @@ - auditd - name: "MEDIUM | RHEL-07-030871 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030871 tags: @@ -2949,9 +2915,8 @@ - auditd - name: "MEDIUM | RHEL-07-030872 | PATCH | he Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030872 tags: @@ -2967,9 +2932,8 @@ - auditd - name: "MEDIUM | RHEL-07-030873 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030873 tags: 
@@ -2985,9 +2949,8 @@ - auditd - name: "MEDIUM | RHEL-07-030874 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030874 tags: @@ -3003,9 +2966,8 @@ - auditd - name: "MEDIUM | RHEL-07-030910 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + set_fact: + update_audit_template: true when: - rhel_07_030910 tags: From fc5cf3ef1f70c35fb6d48237219770c0393c128f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Jul 2022 19:26:56 +0100 Subject: [PATCH 018/126] auditd template update moved to main Signed-off-by: Mark Bolwell --- handlers/main.yml | 12 ------------ tasks/main.yml | 12 ++++++++++++ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 84d06692..88642b57 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -56,18 +56,6 @@ - not rhel7stig_system_is_chroot - not rhel7stig_system_is_container -- name: update auditd - template: - src: audit/99_auditd.rules.j2 - dest: /etc/audit/rules.d/99_auditd.rules - owner: root - group: root - mode: 0600 - register: auditd_file - notify: restart auditd - when: - - update_audit_template - - name: restart auditd command: /usr/sbin/service auditd restart args: diff --git a/tasks/main.yml b/tasks/main.yml index 8a75b775..5028393e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -84,6 +84,18 @@ - cat3 - low +- name: update auditd + template: + src: audit/99_auditd.rules.j2 + dest: /etc/audit/rules.d/99_auditd.rules + owner: root + group: root + mode: 0600 + register: auditd_file + notify: restart auditd + when: + - update_audit_template + - name: flush handlers meta: flush_handlers From d121121cbd2fe9ef1ead8168a62aaac003416354 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Jul 2022 10:34:42 +0100 Subject: [PATCH 019/126] std warning message Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 662e9d5b..50aea1d9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1035,7 +1035,7 @@ - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users" debug: msg: - - "Warning! Below is your SELinux user/group list. Please review and make sure all of the following are met:" + - "Warning!! Below is your SELinux user/group list. Please review and make sure all of the following are met:" - "1) All administrators are mapped to staff_u or an appropriately tailored confined SELinux user as defined by the organization" - "2) All authorized non-administrative users must be mapped to the user_u SELinux user" - "{{ rhel_07_020020_sel_auth_users.stdout_lines }}" 
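Review bot: `mode: 0600` on the new `update auditd` template task is an unquoted YAML octal, which Ansible documents as working only sometimes (it can fail in loops and other contexts); write it as `mode: '0600'` so the module receives a string and does its own conversion. The `when: - update_audit_template` condition will also raise an undefined-variable error when no control set the fact, unless defaults/main.yml defines it (not visible here); `when: update_audit_template | default(false)` is safe either way. A one-line comment above the task, e.g. `# Rendered once for all RHEL-07-0306xx/0308xx/0309xx controls; individual controls only set update_audit_template`, would explain why this lives in main.yml rather than with the controls.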
@@ -1044,7 +1044,7 @@ - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed" debug: msg: - - "Alert! You do not have semanage installed! Please installed the needed packages" + - "Warning!! You do not have semanage installed! Please installed the needed packages" when: "'command not found' in rhel_07_020020_sel_auth_users.stderr" when: - rhel_07_020020 @@ -4561,9 +4561,9 @@ msg: "Warning! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings" when: rhel_07_020021_sel_role_mappings.stdout | length > 0 - - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Alert that semanage is not installed" + - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Warning!! that semanage is not installed" debug: - msg: "Alert! You do not have semanage installed! Please installed the needed packages" + msg: "Warning!! You do not have semanage installed! Please installed the needed packages" when: "'command not found' in rhel_07_020021_sel_role_mappings.stderr" when: - rhel_07_020021 
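Review bot: The rewritten message `"Warning!! You do not have semanage installed! Please installed the needed packages"` carries the grammatical slip over from the old text; it should read `Please install the needed packages`. Since this branch only fires on `'command not found' in ...stderr`, it is the one thing an operator sees when the check could not run at all, so naming the package that provides `semanage` (on RHEL 7 I believe this is `policycoreutils-python`, confirm before adding) would make the warning actionable.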
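Review bot: The task name was changed to `... | Warning!! that semanage is not installed`, which reads like the Alert→Warning!! substitution leaking into the task title rather than an intended label; task names describe the step, so `| Warn that semanage is not installed` (matching the RHEL-07-020020 sibling) is the better form. The message line in the same hunk repeats the `Please installed` typo; `Please install the needed packages`.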
@@ -4603,7 +4603,7 @@ - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" debug: msg: - - "Warning! Below is your sysadm_r settings in your sudoers file." + - "Warning!! Below is your sysadm_r settings in your sudoers file." - "Please review to confirm a designated sudoers admin group or account(s) is not configured to eleveate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Display if entry exists" - "{{ rhel_07_020023_sel_admin_sudo_status.stdout_lines }}" when: rhel_07_020023_sel_admin_sudo_status.stdout | length > 0 @@ -4611,8 +4611,8 @@ - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" debug: msg: - - "Alert! You do not have sysadm_r configured in your sudoers file(s_" - - "Please configure to designate sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Alert that on entry exists" + - "Warning!! You do not have sysadm_r configured in your sudoers file(s_" + - "Please configure to designate sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Warning!! that on entry exists" when: rhel_07_020023_sel_admin_sudo_status.stdout | length == 0 when: - rhel_07_020023 From 94753689d10fc7aeb6c45ec819e213ba4e202815 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Jul 2022 12:13:08 +0100 Subject: [PATCH 020/126] updated to align audit Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index c62c7b86..9284a07c 100644 
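Review bot: The new message lines in the RHEL-07-020023 no-entry branch carry two typos into the rewritten text: `sudoers file(s_` should be `sudoers file(s)`, and the trailing `| Warning!! that on entry exists` is a task-title suffix that has ended up inside the user-facing message and should be removed or read `no entry exists`. The sentence "Please configure to designate sudoers administrator group or account(s) is not configured to elevate..." also contradicts itself: this branch fires when `stdout | length == 0`, so it should tell the operator to configure a sysadm_r/sysadm_t mapping for the designated sudo administrators, not that one "is not configured". The enclosing block's `when:` list continues past the hunk.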
--- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -394,8 +394,13 @@ rhel7stig_shell_session_timeout: # RHEL_07_040180 # Whether the system should be using LDAP for authentication rhel7stig_auth_settings: +{% if rhel7stig_complex %} use_ldap: {{ rhel7stig_auth_settings.use_ldap }} use_sssd: {{ rhel7stig_auth_settings.use_sssd }} +{% else %} + use_ldap: false + use_sssd: false +{% endif %} # RHEL-07-040740 rhel7stig_system_is_router: {{ rhel7stig_system_is_router }} From c5de31b3909c35bcadba1525ab4fe735c643e21b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Jul 2022 12:26:45 +0100 Subject: [PATCH 021/126] updated 040520 firewall service to be running and enabled Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 50aea1d9..be522d5b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3731,9 +3731,17 @@ - chronyd - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." - package: - name: "{{ rhel7stig_firewall_service }}" - state: present + block: + - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." + package: + name: "{{ rhel7stig_firewall_service }}" + state: present + + - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." + service: + name: "{{ rhel7stig_firewall_service }}" + enabled: true + started: true vars: ansible_python_interpreter: "{{ python2_bin }}" when: From 4fc4d3e4839353e3c669e87c7e94e2e4facc02da Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Jul 2022 17:44:15 +0100 Subject: [PATCH 022/126] fixed notify_cmd 
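Review bot: `{% if rhel7stig_complex %}` introduces a variable that nothing in this series defines; if it is not present in defaults/main.yml (not visible here) rendering this template fails with an undefined-variable error, and `{% if rhel7stig_complex | default(false) %}` is the safe form. When the branch is false the audit is told `use_ldap: false` / `use_sssd: false` regardless of what `rhel7stig_auth_settings` actually holds, so the goss check and the remediation can disagree on a host that does use LDAP or SSSD. A comment above the block explaining why the audit ignores these settings in the non-complex case would stop a reader from treating the hard-coded `false` as a bug.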
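Review bot: The new `service:` task reuses `rhel7stig_firewall_service` as both the package name and the unit name; that holds for `firewalld`, but for the iptables alternative the package is `iptables-services` while the unit is `iptables`, so confirm which values the variable accepts or split it into a package variable and a service variable. Both inner tasks also repeat the parent's full title verbatim; a `| Install` and `| Enable and start` suffix would let the play output distinguish them. (`started: true` is not a `service` module argument; the following commit corrects it to `state: started`.)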
Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 9284a07c..0de8f4bc 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -339,6 +339,7 @@ rhel7stig_aide_cron: # Disable the notification check rule to disable mailing notifications notify_by_mail: {{ rhel_07_020040 }} notify_cmd: ' {{ rhel7stig_aide_cron.notify_cmd }}' +rhel7stig_notify_cmd: ' {{ rhel7stig_aide_cron.notify_cmd }}' rhel7stig_unnecessary_accounts: - gopher From 30b47cf01ccc53c39a121df61ff2250a316a9e11 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Jul 2022 17:54:12 +0100 Subject: [PATCH 023/126] fixed command Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index be522d5b..7a18add9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3741,7 +3741,7 @@ service: name: "{{ rhel7stig_firewall_service }}" enabled: true - started: true + state: started vars: ansible_python_interpreter: "{{ python2_bin }}" when: From d26ab0b95d04a958211392e09fcd6ae02e34d7d8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Jul 2022 20:17:27 +0100 Subject: [PATCH 024/126] updated changed_when to false Signed-off-by: Mark Bolwell --- tasks/audit_firewalld.yml | 2 +- tasks/post_remediation_audit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/audit_firewalld.yml b/tasks/audit_firewalld.yml index 24d00499..d9dfac90 100644 --- a/tasks/audit_firewalld.yml +++ b/tasks/audit_firewalld.yml 
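Review bot: `rhel7stig_notify_cmd: ' {{ rhel7stig_aide_cron.notify_cmd }}'` keeps a leading space inside the quotes, so the rendered value starts with a space; if that is deliberate (to separate it from a preceding token in the goss test) say so in a comment, otherwise drop it. The new key also duplicates `notify_cmd` nested one line above under `rhel7stig_aide_cron`; a comment such as `# flat copy for the goss test that cannot read the nested key` would explain why both exist and which one the audit consumes.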
@@ -13,6 +13,7 @@ - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." command: firewall-cmd --list-all --zone="{{ rhel_07_040810_firewalld_zone_audit.stdout }}" register: rhel_07_040810_firewalld_zone_default_audit + changed_when: false when: - rhel_07_040810_firewalld_zone_audit.stdout | length > 0 - rhel7stig_start_firewall_service @@ -22,7 +23,6 @@ - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." debug: msg: "The following task output is the firewalld settings for zone {{ rhel_07_040810_firewalld_zone_audit.stdout }} from {{ ansible_hostname }}:" - changed_when: true when: - rhel_07_040810_firewalld_zone_audit.stdout | length > 0 - rhel7stig_start_firewall_service diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 5087b679..489775a5 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -3,7 +3,7 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment|default({}) }}" - changed_when: audit_run_post_remediation.rc == 0 + changed_when: false register: audit_run_post_remediation vars: warn: false From d45776e66db6497f49cb81a6d7c5604606d53933 Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Mon, 18 Jul 2022 15:33:21 +0100 Subject: [PATCH 025/126] skipping control rhel_07_010340 Skipping as no passwd set on marketplace images --- .github/workflows/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 66d2b5d8..8626711e 100644 
--- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -79,5 +79,6 @@ resource "local_file" "inventory" { system_is_ec2: true audit_git_version: devel rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.thishasbeenchangedfortesting' + rhel_07_010340: false # turned off as requires passwd for sudo on ec2 images it breaks EOF } From 9a8e4d7d6cac6c5a5f7cc7a22d0c78197789931d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 22 Jun 2022 15:48:32 -0400 Subject: [PATCH 026/126] updates for v3r7 changes Signed-off-by: George Nalen Signed-off-by: Mark Bolwell --- README.md | 2 +- tasks/fix-cat2.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 346aa8b8..c8cb8c99 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`. -This role is based on RHEL 7 DISA STIG: [Version 3, Rel 6 released on Jan 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R6_STIG.zip). +This role is based on RHEL 7 DISA STIG: [Version 3, Rel 7 released on Apr 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R7_STIG.zip). ## Join us diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4caf4c7b..a901e437 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1015,7 +1015,7 @@ - CAT2 - CCI-000766 - SRG-OS-000104-GPOS-00051 - - SV-204441r603261_rule + - SV-204441r818813_rule - V-204441 - authentication From d32f26f94cb818644866531ca41b6af88832be88 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 22 Jun 2022 20:21:20 -0400 Subject: [PATCH 027/126] Updated changelog and removed local.yml Signed-off-by: George Nalen 
Signed-off-by: Mark Bolwell --- ChangeLog.md | 4 ++++ local.yml | 10 ---------- 2 files changed, 4 insertions(+), 10 deletions(-) delete mode 100644 local.yml diff --git a/ChangeLog.md b/ChangeLog.md index d825f81d..18da3e38 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,9 @@ # Changelog +## Release 1.6.0 +- Update to STIG v3r7 Apr 27th 2022 +- Removed unnecessary local.yml + ## Release 1.3.3 - update to STIG v3r6 Jan 27th 2022 diff --git a/local.yml b/local.yml deleted file mode 100644 index 4d9e4862..00000000 --- a/local.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- hosts: localhost - connection: local - become: yes - vars: - is_container: false - roles: - - role: "{{ playbook_dir }}" - rhel7stig_system_is_container: "{{ is_container | default(false) }}" - rhel7stig_ssh_required: "{{ is_container == false }}" From 8b4d666a14ecf837f977bcbdb7501e4218f82bda Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Mon, 18 Jul 2022 15:43:38 +0100 Subject: [PATCH 028/126] skipp rhel_07_010340 Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 66d2b5d8..f2ebf152 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -79,5 +79,6 @@ resource "local_file" "inventory" { system_is_ec2: true audit_git_version: devel rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.thishasbeenchangedfortesting' + rhel_07_010340: false # turned off as requires passwd for sudo on ec2 images it breaks EOF } From 48ae74e83c9ac9d3d598ad44e35237695513ccd2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Jul 2022 16:06:43 +0100 Subject: [PATCH 029/126] updated to skip 010340 due to ec2 no user passwords Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index f2ebf152..96b09ec5 100644 
--- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -79,6 +79,6 @@ resource "local_file" "inventory" { system_is_ec2: true audit_git_version: devel rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.thishasbeenchangedfortesting' - rhel_07_010340: false # turned off as requires passwd for sudo on ec2 images it breaks + rhel_07_010340: false #turned off as requires passwd for sudo on ec2 images it breaks EOF } From 63de6531568e98cb919e069fcd8334c696d5a41d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 19 Jul 2022 16:31:50 +0100 Subject: [PATCH 030/126] revert control 10010 Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index c3671cd8..9416e813 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -12,7 +12,9 @@ register: rhel_07_010010_audit - name: "HIGH | RHEL-07-010010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." - shell: ( rpm --setugids {{ item }} && rpm --setperms {{ item }} ) + shell: > + ( rpm --setugids {{ item }}; rpm --setperms {{ item }} ) + 2>&1 1>&2 | grep -v ': No such file or directory$' args: warn: false register: rhel_07_010010_patch From 4be031873368c7062a0dde0ec6917a76b165d611 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 19 Jul 2022 16:11:23 -0400 Subject: [PATCH 031/126] Updated name for 010291 Signed-off-by: George Nalen --- tasks/fix-cat1.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 9416e813..1e4d2e60 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
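Review bot: With `( ... ) 2>&1 1>&2 | grep -v ': No such file or directory$'` the task's exit status is grep's, not rpm's: `grep -v` returns 1 whenever nothing survives the filter, including a fully successful rpm run that printed nothing, so the task fails on success while any real `rpm` error is hidden by the pipe. The result is already registered, so `failed_when: rhel_07_010010_patch.rc not in [0, 1]` keeps the no-output case green and still fails on grep's own errors; if rpm failures matter, run rpm and the filter as separate steps rather than behind a pipe. `{{ item }}` is also unquoted inside the shell string; `'{{ item }}'` guards against unexpected characters in the audit output. The task's `register` and `with_items` lines continue past the hunk.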
@@ -99,7 +99,7 @@ - V-204424 - accounts -- name: "MEDIUM | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords." +- name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords." block: - name: "MEDIUM | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" command: "awk -F: '!$2 {print $1}' /etc/shadow" @@ -108,7 +108,7 @@ check_mode: false register: rhel_07_010291_no_pw_users - - name: "MEDIUM | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" + - name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" debug: msg: - "Alert! You have users that are not using passwords. Please either set a password, lock, or remove the accounts below:" From 4a0ebf1c21da6b668152cd96bedabf45277af782 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 19 Jul 2022 16:12:08 -0400 Subject: [PATCH 032/126] Updated name for 010291 part2 Signed-off-by: George Nalen --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 1e4d2e60..d60475cc 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -101,7 +101,7 @@ - name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords." block: - - name: "MEDIUM | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" + - name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" command: "awk -F: '!$2 {print $1}' /etc/shadow" changed_when: false failed_when: false From f27ce053b4a7f5dcd0f0f03e6c377f8f061c6882 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Jul 2022 10:15:06 +0100 Subject: [PATCH 033/126] revert to ignore_errors due to output types Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 9416e813..04a51b7b 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -18,6 +18,7 @@ args: warn: false register: rhel_07_010010_patch + ignore_errors: true with_items: "{{ rhel_07_010010_audit.stdout_lines }}" when: rhel_07_010010_audit.stdout_lines | length > 0 From 879dd54f2a9fe633e92a802c7b4e4e2b5e6e4fe2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Aug 2022 12:13:06 +0100 Subject: [PATCH 034/126] removed .changed conditionals not required Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 88642b57..16d40340 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -60,8 +60,6 @@ command: /usr/sbin/service auditd restart args: warn: no - when: - - auditd_file.changed - name: rebuild initramfs command: dracut -f From 62eb5b34bba9ea21b55e32b2352226efaa588069 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Aug 2022 12:13:50 +0100 Subject: [PATCH 035/126] updated rule ID for stigv3r8 
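Review bot: `ignore_errors: true` hides every failure of this task, including a genuine `rpm --setperms` or `rpm --setugids` failure, when the only spurious failure being worked around is `grep -v` exiting 1 after filtering all output. Since the result is already registered, `failed_when: rhel_07_010010_patch.rc not in [0, 1]` keeps the task green in that case but still fails when grep itself errors (rc 2), and it does not make the operator accept a red result on every run. The task definition begins before this hunk.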
Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- tasks/fix-cat2.yml | 62 +++++++++++++++++++++++----------------------- 2 files changed, 32 insertions(+), 32 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index cf7af0b7..33b2fc75 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -355,7 +355,7 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204455r603261_rule + - SV-204455r833106_rule - V-204455 - systemctl diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 24fa4765..09b00669 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -759,7 +759,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-251703r809566_rule + - SV-251703r833183_rule - V-251703 - sudoers @@ -779,7 +779,7 @@ - CAT2 - CCI-002038 - SRG-OS-000373-GPOS-00156 - - SV-204429r603261_rule + - SV-204429r833190_rule - V-204429 - sudoers @@ -936,10 +936,10 @@ - CAT2 - CCI-000213 - SRG-OS-000080-GPOS-00048 - - SV-244557r744063_rule + - SV-244557r833185_rule - V-244557 - RHEL-07-010492 - - SV-244558r744066_rule + - SV-244558r833187_rule - V-244558 - grub - bootloader @@ -1069,7 +1069,7 @@ - CAT2 - CCI-002696 - SRG-OS-000445-GPOS-00199 - - SV-251705r809229_rule + - SV-251705r833192_rule - V-251705 - aide @@ -2475,7 +2475,7 @@ - CAT2 - CCI-000172 - SRG-OS-000392-GPOS-00172 - - SV-204536r603261_rule + - SV-204536r833109_rule - V-204536 - auditd @@ -2489,7 +2489,7 @@ - CAT2 - CCI-000172 - SRG-OS-000392-GPOS-00172 - - SV-204537r603261_rule + - SV-204537r833112_rule - V-204537 - auditd @@ -2503,7 +2503,7 @@ - CAT2 - CCI-000172 - SRG-OS-000392-GPOS-00172 - - SV-204538r603261_rule + - SV-204538r833115_rule - V-204538 - auditd @@ -2517,7 +2517,7 @@ - CAT2 - CCI-000172 - SRG-OS-000392-GPOS-00172 - - SV-204539r603261_rule + - SV-204539r833118_rule - V-204539 - auditd @@ -2565,7 +2565,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204542r603261_rule + - SV-204542r833121_rule - V-204542 - auditd 
@@ -2581,7 +2581,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204543r603261_rule + - SV-204543r833124_rule - V-204543 - auditd @@ -2597,7 +2597,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204544r603261_rule + - SV-204544r833127_rule - V-204544 - auditd @@ -2613,7 +2613,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204545r603261_rule + - SV-204545r833130_rule - V-204545 - auditd @@ -2629,7 +2629,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204546r603261_rule + - SV-204546r833133_rule - V-204546 - auditd @@ -2646,7 +2646,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - - SV-204547r603261_rule + - SV-204547r833136_rule - V-204547 - auditd @@ -2663,7 +2663,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - - SV-204548r603261_rule + - SV-204548r833139_rule - V-204548 - auditd @@ -2697,7 +2697,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - - SV-204550r603261_rule + - SV-204550r833142_rule - V-204550 - auditd @@ -2714,7 +2714,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - - SV-204551r603261_rule + - SV-204551r833145_rule - V-204551 - auditd @@ -2729,7 +2729,7 @@ - CCI-000135 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204552r603261_rule + - SV-204552r833148_rule - V-204552 - auditd @@ -2744,7 +2744,7 @@ - CCI-000135 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204553r603261_rule + - SV-204553r833151_rule - V-204553 - auditd @@ -2759,7 +2759,7 @@ - CCI-000135 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204554r603261_rule + - SV-204554r833154_rule - V-204554 - auditd @@ -2774,7 +2774,7 @@ - CCI-000135 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204555r603261_rule + - SV-204555r833157_rule - V-204555 - auditd @@ -2790,7 +2790,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204556r603261_rule + - SV-204556r833160_rule - V-204556 - auditd 
@@ -2806,7 +2806,7 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204557r603261_rule + - SV-204557r833163_rule - V-204557 - auditd @@ -2820,7 +2820,7 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00215 - - SV-204558r603261_rule + - SV-204558r833166_rule - V-204558 - auditd @@ -2834,7 +2834,7 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00216 - - SV-204559r603261_rule + - SV-204559r833169_rule - V-204559 - auditd @@ -2848,7 +2848,7 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00216 - - SV-204560r603261_rule + - SV-204560r833172_rule - V-204560 - auditd @@ -2862,7 +2862,7 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00216 - - SV-204562r603261_rule + - SV-204562r833175_rule - V-204562 - auditd @@ -4515,7 +4515,7 @@ - CAT2 - CCI-002227 - SRG-OS-000480-GPOS-00227 - - SV-237634r809213_rule + - SV-237634r833177_rule - V-237634 - sudo @@ -4552,7 +4552,7 @@ - CAT2 - CCI-002038 - SRG-OS-000373-GPOS-00156 - - SV-237635r809215_rule + - SV-237635r833179_rule - V-237635 - sudo @@ -4630,5 +4630,5 @@ - CCI-002165 - CCI-002235 - SRG-OS-000324-GPOS-00125 - - SV-250314r809217_rule + - SV-250314r833181_rule - V-250314 From 685b2da7498065ab5fafde453d4b9fdc0866bf7c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Aug 2022 12:15:46 +0100 Subject: [PATCH 036/126] updated for v3r8 Signed-off-by: Mark Bolwell --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c8cb8c99..e8ccb455 100644 --- a/README.md +++ b/README.md 
@@ -6,11 +6,11 @@ Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`. -This role is based on RHEL 7 DISA STIG: [Version 3, Rel 7 released on Apr 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R7_STIG.zip). +This role is based on RHEL 7 DISA STIG: [Version 3, Rel 8 released on Jul 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R8_STIG.zip). ## Join us -On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users ## Updating From c1daf266085ad9a27f80e7b7901389f94cf93b55 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Aug 2022 10:04:09 +0100 Subject: [PATCH 037/126] updated for #404 Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index bd080704..57a02e60 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -388,9 +388,9 @@ rhel7stig_antivirus_required: false rhel7stig_av_package: package: - clamav - - clamav-scanner - - clamav-server - service: clamav-daemon + - clamav-update + - clamd + service: clamd rhel7stig_time_service: chronyd rhel7stig_time_service_configs: From f0a321245679da2c9f2bd1575ade0425be6a42b5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Aug 2022 10:11:55 +0100 Subject: [PATCH 038/126] added more comments to meet requirements Signed-off-by: Mark Bolwell --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index e8ccb455..4e1fd19c 100644 --- a/README.md +++ b/README.md 
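Review bot: `service: clamd` in the updated `rhel7stig_av_package` block may not name a real unit on RHEL 7 — the EPEL `clamd` package ships a templated `clamd@.service` that is enabled per instance (commonly `clamd@scan`), so the service task for the antivirus control could fail on a missing unit. Confirm the unit name on a target with `systemctl list-unit-files 'clamd*'` and, if the instance form is what exists, change the line to `service: clamd@scan`. A one-line comment above the block noting that these packages come from EPEL rather than the base RHEL 7 repositories would also help operators who enable `rhel7stig_antivirus_required`.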
@@ -55,6 +55,11 @@ Access to download or add the goss binary and content to the system if using aud - Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL7-STIG/wiki/Main-Variables). - While check_mode may work, This is not supported. +### Please be aware + +- This does set the single user password for grub this does need to be defined - You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2' +- Some controls make changes to sudo, please ensure a sudo password is set for the user and it is added to the way to run your playbook. + ## Documentation - [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL7-STIG/) From 43e62d3b2c5fe19e05e44ff09a02163f995ec5bb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Aug 2022 10:13:43 +0100 Subject: [PATCH 039/126] added disruption high to 010344 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 09b00669..8d72470c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -790,6 +790,7 @@ state: absent when: - rhel_07_010344 + - rhel7stig_disruption_high tags: - RHEL-07-010344 - CAT2 From 9d5630d505e90b7c57d3e4cabcb23032c6863593 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Aug 2022 10:29:19 +0100 Subject: [PATCH 040/126] changed control 010340 for sudo password Signed-off-by: Mark Bolwell --- ChangeLog.md | 8 ++++++++ tasks/fix-cat2.yml | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog.md b/ChangeLog.md index 18da3e38..d6216753 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,6 +1,14 @@ # Changelog +## Relase 1.7.0 + +- Update to STIG V3R8 Jul 27th 2022 +- update to README and requirements +- 010340 added disruption is high + + ## Release 1.6.0 + - Update to STIG v3r7 Apr 27th 2022 - Removed unnecessary local.yml diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8d72470c..10368f34 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -773,6 +773,7 @@ - "{{ rhel7stig_sudoers_files.stdout_lines }}" when: - rhel7stig_using_password_auth + - rhel7stig_disruption_high - rhel_07_010340 tags: - RHEL-07-010340 @@ -790,7 +791,6 @@ state: absent when: - rhel_07_010344 - - rhel7stig_disruption_high tags: - RHEL-07-010344 - CAT2 From 32c78d497c7a2932025b3898bcb3446aacdec27b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Aug 2022 10:31:06 +0100 Subject: [PATCH 041/126] added jmespath dependancy back in Signed-off-by: Mark Bolwell --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4e1fd19c..f5e836ed 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,7 @@ Access to download or add the goss binary and content to the system if using aud - Python3 (preferred) - Ansible 2.9+ +- jmespath Ansible is set to run in a python3 environment. From 3dad2021e68ce2f09c0da2076e76facffcd8314d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Aug 2022 10:42:36 +0100 Subject: [PATCH 042/126] updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog.md b/ChangeLog.md index d6216753..28f51cac 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -4,7 +4,12 @@ - Update to STIG V3R8 Jul 27th 2022 - update to README and requirements -- 010340 added disruption is high +- thanks to @bordentit + - 010340 added disruption is high + - updated audit restart control + - README jmespath added back in +- thanks to @dtm966 + - updated clamav packages and service name ## Release 1.6.0 
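Review bot: Adding `rhel7stig_disruption_high` to the `when:` of the RHEL-07-010340 task means the sudo-password requirement is no longer applied on a default run, but nothing in the hunk records why, so a post-remediation audit will report 010340 as open and operators will not know the gate is deliberate. The README text elsewhere in this series and the CI inventory comment ("requires passwd for sudo on ec2 images it breaks") give the reason; put it next to the condition, e.g. `# gated behind disruption_high: if {{ ansible_user }} has no password, enforcing this removes sudo access` above the `when:` list. The task's `name:` and module body are above the hunk.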
From 48c06b10f4e1dfb02f280de3b0e6aa754ec9fc9b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Aug 2022 11:07:07 +0100 Subject: [PATCH 043/126] updated with issues Signed-off-by: Mark Bolwell --- ChangeLog.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 28f51cac..1c7326f2 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -4,13 +4,15 @@ - Update to STIG V3R8 Jul 27th 2022 - update to README and requirements +- thanks to @dirtyharrycallahan + - [ansible-lockdown/RHEL7-STIG#410](https://github.com/ansible-lockdown/RHEL7-STIG/issues/410) +- thanks to @dtm966 + - #404 updated clamav packages and service name - thanks to @bordentit + - [ansible-lockdown/RHEL7-STIG#412](https://github.com/ansible-lockdown/RHEL7-STIG/issues/412) addressed slightly differently - 010340 added disruption is high - updated audit restart control - README jmespath added back in -- thanks to @dtm966 - - updated clamav packages and service name - ## Release 1.6.0 From 230c381a2e65dad40586195a817f6ce83fe78658 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Aug 2022 11:08:14 +0100 Subject: [PATCH 044/126] #410 grub user password 10482/10491 Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 33b2fc75..6d026ad6 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -227,14 +227,11 @@ path: /boot/grub2/user.cfg create: true mode: '0644' - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + regexp: ^GRUB2_PASSWORD= + line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} notify: - confirm grub2 user cfg - make grub2 config - with_items: - - regexp: ^GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} - line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} no_log: true when: - not rhel7stig_machine_uses_uefi 
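Review bot: The corrected `regexp: ^GRUB2_PASSWORD=` is the right fix (the old pattern embedded the hash, so a changed hash was appended as a second line instead of replacing the old one), but the file is still written with `mode: '0644'`, which leaves the PBKDF2 hash readable to any local user able to traverse `/boot/grub2`, an unnecessary offline-cracking target for a value only GRUB needs. As far as I recall `grub2-setpassword` creates `user.cfg` root-only; suggest `mode: '0600'` here and in the UEFI variant of the task below. A short comment on `no_log: true` saying it hides the hash from play output would make the intent clear. The task's `name:` and `lineinfile:` lines are above the hunk.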
@@ -244,11 +241,8 @@ path: "{{ rhel7stig_bootloader_path }}/user.cfg" create: true mode: '0644' - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - regexp: ^GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} - line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} + regexp: ^GRUB2_PASSWORD= + line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} no_log: true notify: - confirm grub2 user cfg From 4465f9610ddbd9cd1432e1a953e0d2346fb83bc8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Aug 2022 11:08:55 +0100 Subject: [PATCH 045/126] added extra comment to stig update Signed-off-by: Mark Bolwell --- ChangeLog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.md b/ChangeLog.md index 1c7326f2..7c66199d 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -2,7 +2,7 @@ ## Relase 1.7.0 -- Update to STIG V3R8 Jul 27th 2022 +- Update to STIG V3R8 Jul 27th 2022 - rule ID changes - update to README and requirements - thanks to @dirtyharrycallahan - [ansible-lockdown/RHEL7-STIG#410](https://github.com/ansible-lockdown/RHEL7-STIG/issues/410) From 83b86b29b9ec915d1d8b77d32233007d525251a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 14:00:18 +0100 Subject: [PATCH 046/126] updated workflow Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- .github/workflows/github_networks.tf | 46 ++++++++++++++++++- .github/workflows/github_vars.tfvars | 3 +- .github/workflows/linux_benchmark_testing.yml | 2 +- .github/workflows/terraform.tfvars | 1 + .github/workflows/variables.tf | 13 +++++- 6 files changed, 61 insertions(+), 6 deletions(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index d70f1e36..325c24f2 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars 
@@ -5,5 +5,5 @@ ami_username = "centos" ami_user_home = "/home/centos" instance_tags = { Name = "RHEL7-STIG" - Environment = "lockdown_github_repo_workflow" + Environment = "github_test_pipeline" } diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf index d5a0db02..998cb768 100644 --- a/.github/workflows/github_networks.tf +++ b/.github/workflows/github_networks.tf @@ -1,11 +1,53 @@ resource "aws_vpc" "Main" { cidr_block = var.main_vpc_cidr - tags = var.instance_tags + instance_tenancy = "default" + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-VPC" + } } resource "aws_internet_gateway" "IGW" { vpc_id = aws_vpc.Main.id tags = { - Name = "${var.namespace}-IGW" + Environment = "${var.environment}" + Name = "${var.namespace}-IGW" } } + +resource "aws_subnet" "publicsubnets" { + vpc_id = aws_vpc.Main.id + cidr_block = var.public_subnets + availability_zone = var.availability_zone + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-pubsub" + } +} + +resource "aws_subnet" "Main" { + vpc_id = aws_vpc.Main.id + availability_zone = var.availability_zone + cidr_block = var.private_subnets + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-prvsub" + } +} + +resource "aws_route_table" "PublicRT" { + vpc_id = aws_vpc.Main.id + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.IGW.id + } + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-publicRT" + } +} + +resource "aws_route_table_association" "rt_associate_public" { + subnet_id = aws_subnet.Main.id + route_table_id = aws_route_table.PublicRT.id +} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 38be3edc..464f5130 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars 
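Review bot: `aws_route_table_association.rt_associate_public` attaches the public route table (default route to the IGW) to `aws_subnet.Main`, which is built from `var.private_subnets` and tagged `${var.namespace}-prvsub`, while `aws_subnet.publicsubnets` gets no route table and so falls back to the VPC main table with no internet route. The test instance still works because main.tf places it in `aws_subnet.Main` with a public IP, but the naming is inverted: the "private" subnet is the one routed to the internet. Either change the association to `subnet_id = aws_subnet.publicsubnets.id` and move the instance there, or drop the unused public subnet and rename `Main`/`prvsub` to say it is public.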
@@ -4,9 +4,10 @@ // namespace = "github_actions" +environment = "github_test_pipeline" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" -private_subnets = "172.22.0.192/26" \ No newline at end of file +private_subnets = "172.22.0.192/26" diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 3c4cf3f5..0bdd644b 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -117,4 +117,4 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/terraform.tfvars b/.github/workflows/terraform.tfvars index 6d98b8bb..31113784 100644 --- a/.github/workflows/terraform.tfvars +++ b/.github/workflows/terraform.tfvars @@ -1,4 +1,5 @@ // vars should be loaded by OSname.tfvars +availability_zone = "us-east-1b" aws_region = "us-east-1" ami_os = var.ami_os ami_username = var.ami_username diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index eabec247..16bc9f6e 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf @@ -6,6 +6,12 @@ variable "aws_region" { type = string } +variable "availability_zone" { + description = "List of availability zone in the region" + default = "us-east-1b" + type = string +} + variable "instance_type" { description = "EC2 Instance Type" default = "t3.micro" @@ -47,6 +53,11 @@ variable "namespace" { type = string } +variable "environment" { + description = "Env Name used across all tags" + type = string +} + // taken from github_vars.tfvars & variable "main_vpc_cidr" { 
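Review bot: The new `availability_zone` variable is typed `string` and holds a single zone, but its description says "List of availability zone in the region"; change it to `description = "Availability zone used for the subnets and the test instance"`. `environment` has no default, so every plan/apply now depends on `github_vars.tfvars` being passed — the destroy step in `linux_benchmark_testing.yml` does pass it, the apply step is outside this hunk and should be checked. Consider `default = "github_test_pipeline"` so a missing var-file fails loudly on tags rather than on validation.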
@@ -62,4 +73,4 @@ variable "public_subnets" { variable "private_subnets" { description = "private subnet cidr block" type = string -} \ No newline at end of file +} From a7fe1caed2bbeb0fb360a70655aaf32ff9b73c87 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 14:02:17 +0100 Subject: [PATCH 047/126] updated Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 8626711e..a7fd514c 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -5,9 +5,6 @@ provider "aws" { // Create a security group with access to port 22 and port 80 open to serve HTTP traffic -data "aws_vpc" "default" { - default = true -} resource "random_id" "server" { keepers = { @@ -19,8 +16,8 @@ resource "random_id" "server" { } resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}" - vpc_id = data.aws_vpc.default.id + name = "${var.namespace}-${random_id.server.hex}-SG" + vpc_id = aws_vpc.Main.id ingress { from_port = 22 @@ -43,6 +40,7 @@ resource "aws_security_group" "github_actions" { cidr_blocks = ["0.0.0.0/0"] } tags = { + Environment = "${var.environment}" Name = "${var.namespace}-SG" } } @@ -51,11 +49,13 @@ resource "aws_security_group" "github_actions" { resource "aws_instance" "testing_vm" { ami = var.ami_id + availability_zone = var.availability_zone associate_public_ip_address = true key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs instance_type = var.instance_type tags = var.instance_tags vpc_security_group_ids = [aws_security_group.github_actions.id] + subnet_id = aws_subnet.Main.id root_block_device { delete_on_termination = true } 
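Review bot: The security group is moved into the new VPC but its rules are untouched, and the surrounding context (`ingress { from_port = 22` and a `cidr_blocks = ["0.0.0.0/0"]` block, plus the file comment about port 22 being open) suggests SSH is reachable from anywhere for the life of the test instance — inferred from context, the actual ingress CIDR lines are outside this hunk. Since the only client is the GitHub runner, the port-22 ingress could be scoped to that runner's public address, looked up at plan time with a `data "http"` source or passed in from the workflow as a variable, e.g. `cidr_blocks = ["${var.runner_ip}/32"]`. The instance is also placed in `aws_subnet.Main`, the subnet tagged `prvsub` in github_networks.tf, which is the naming inversion raised on that file.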
@@ -78,7 +78,6 @@ resource "local_file" "inventory" { run_audit: true system_is_ec2: true audit_git_version: devel - rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.thishasbeenchangedfortesting' - rhel_07_010340: false # turned off as requires passwd for sudo on ec2 images it breaks EOF } + From fce29878f0455c72c27cf8205c751a47fa3ed97b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Aug 2022 14:08:55 +0100 Subject: [PATCH 048/126] fixed stig specific inventroy settings Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index a7fd514c..0ff7db9c 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -78,6 +78,8 @@ resource "local_file" "inventory" { run_audit: true system_is_ec2: true audit_git_version: devel + rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.thishasbeenchangedfortesting' + rhel_07_010340: false # turned off as requires passwd for sudo on ec2 images it breaks EOF } From 2cc9371137e36c705492c467b6a30c398f41959a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 14 Sep 2022 15:53:11 +0100 Subject: [PATCH 049/126] Lint add blank line Signed-off-by: Mark Bolwell --- .github/workflows/github_vars.tfvars | 1 + .github/workflows/variables.tf | 1 + tasks/audit_firewalld.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 464f5130..a1b63fc6 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -11,3 +11,4 @@ ami_key_pair_name = "github_actions" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" private_subnets = "172.22.0.192/26" + diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index 16bc9f6e..ccdf10e1 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf 
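Review bot: The restored inventory value `rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.thishasbeenchangedfortesting'` is not in the `grub.pbkdf2.sha512.<iterations>.<salt>.<hash>` form that `grub2-mkpasswd-pbkdf2` emits, so the `GRUB2_PASSWORD=` line the role writes would presumably leave GRUB with a superuser entry that can never be unlocked. That is acceptable for a throwaway CI instance, but the line should say so, e.g. `# placeholder, not a valid hash - generate a real one with grub2-mkpasswd-pbkdf2`, so it is not copied into a real inventory. The `rhel_07_010340: false` comment could likewise name the symptom rather than "it breaks", e.g. `# ec2 user has no password, so requiring one for sudo would lock out the connection user`.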
@@ -74,3 +74,4 @@ variable "private_subnets" { description = "private subnet cidr block" type = string } + diff --git a/tasks/audit_firewalld.yml b/tasks/audit_firewalld.yml index d9dfac90..bdd2d248 100644 --- a/tasks/audit_firewalld.yml +++ b/tasks/audit_firewalld.yml @@ -1,4 +1,5 @@ --- + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." command: firewall-cmd --get-default-zone register: rhel_07_040810_firewalld_zone_audit From 17cfe4ca7f3b4b1c412af6f3a943ada29ce361b4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 14 Sep 2022 15:53:27 +0100 Subject: [PATCH 050/126] reorder Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7df51c6a..5075a8c0 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -20,3 +20,4 @@ group: root when: - get_audit_binary_method == 'copy' + From 08fa33bc627e69d68efa5d2450076590d9f020a0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 17:31:54 +0100 Subject: [PATCH 051/126] lint updates Signed-off-by: Mark Bolwell --- .ansible-lint | 5 ++++- .yamllint | 11 +++++++++++ ansible-lint | 14 ++++++++++++++ handlers/main.yml | 6 +++--- tasks/LE_audit_setup.yml | 1 - tasks/fix-cat1.yml | 4 ++-- tasks/fix-cat2.yml | 27 ++++++++++++++++----------- tasks/main.yml | 21 +++++++++++++++++++++ tasks/post_remediation_audit.yml | 4 ++-- tasks/pre_remediation_audit.yml | 7 +++++-- 10 files changed, 78 insertions(+), 22 deletions(-) create mode 100644 ansible-lint diff --git a/.ansible-lint b/.ansible-lint index 01e7ca8c..5e92333f 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -1,8 +1,11 @@ parseable: true quiet: true skip_list: + - 'schema' + - 'no-changed-when' + - 'fqcn-builtins' + - 'var-naming' # Older playbook no new release - '204' - - '208' - '305' - '303' - '403' diff --git a/.yamllint b/.yamllint index faa9773d..693eec6c 100644 --- a/.yamllint +++ b/.yamllint @@ -21,4 +21,15 @@ rules: brackets: max-spaces-inside: 1 level: error + indentation: + indent-sequences: consistent + level: error line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false diff --git a/ansible-lint b/ansible-lint new file mode 100644 index 00000000..f21e1f44 --- /dev/null +++ b/ansible-lint @@ -0,0 +1,14 @@ +parseable: true +quiet: true +skip_list: + - 'schema' + - 'no-changed-when' + - 'fqcn-builtins' + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' +use_default_rules: true +verbosity: 0 diff --git a/handlers/main.yml b/handlers/main.yml index 16d40340..c2cbad7b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -36,7 +36,7 @@ copy: src: "{{ rhel7stig_grub_cfg_path | dirname }}/{{ item }}" dest: "{{ rhel7stig_grub_cfg_path_invalid | dirname }}/{{ item }}" - remote_src: yes + remote_src: true mode: 0600 with_items: - grub.cfg @@ -59,7 +59,7 @@ - name: restart auditd command: /usr/sbin/service auditd restart args: - warn: no + warn: false - name: rebuild initramfs command: dracut -f @@ -69,7 +69,7 @@ - name: update running audit failure mode command: auditctl -f {{ rhel7stig_auditd_failure_flag }} - failed_when: no + failed_when: false - name: clean up ssh host key file: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 5075a8c0..7df51c6a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -20,4 +20,3 @@ group: root when: - get_audit_binary_method == 'copy' - diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index cf7af0b7..ba433feb 100644 
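Review bot: The new top-level file `ansible-lint` (no leading dot) is not a path ansible-lint reads its configuration from — it looks for `.ansible-lint` or `.config/ansible-lint.yml` — so this copy is dead and has already drifted from `.ansible-lint` (it omits `'var-naming'`). Remove it, or if it is meant for a different tool, say so in a header comment. Globally skipping `no-changed-when` and `schema` also hides real findings in a role built largely from `command`/`shell` tasks; a one-line justification per skip, e.g. `- 'no-changed-when'  # audit tasks set changed_when individually`, makes the exceptions reviewable.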
--- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -12,7 +12,7 @@ register: rhel_07_010010_audit - name: "HIGH | RHEL-07-010010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." - shell: > + shell: > ( rpm --setugids {{ item }}; rpm --setperms {{ item }} ) 2>&1 1>&2 | grep -v ': No such file or directory$' args: @@ -502,7 +502,7 @@ key: GRUB_CMDLINE_LINUX param: boot value: UUID={{ item.uuid }} - insert: yes + insert: true when: - rhel7stig_boot_part not in ['/', ''] - not ansible_check_mode or diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 24fa4765..77f34068 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -478,6 +478,8 @@ - name: "MEDIUM | RHEL-07-010240 | PATCH | Passwords must be restricted to a 24 hours/1 day minimum lifetime." command: chage -m 1 {{ item }} + check_mode: false + changed_when: true with_items: - "{{ rhel_07_010240_audit.stdout_lines }}" when: @@ -1385,6 +1387,7 @@ file: path: "{{ item.dir }}" state: directory + mode: 0700 with_items: - "{{ rhel7stig_passwd }}" loop_control: @@ -1426,6 +1429,7 @@ file: path: "{{ item.dir }}" owner: "{{ item.id }}" + mode: 0700 state: directory with_items: - "{{ rhel7stig_passwd }}" @@ -1446,8 +1450,9 @@ - name: "MEDIUM | RHEL-07-020650 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group." file: path: "{{ item.dir }}" - group: "{{ item.gid }}" + group: "{{ item.gid }}" # noqa risky-file-permissions state: directory + mode: 0700 with_items: - "{{ rhel7stig_passwd }}" loop_control: 
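Review bot: `check_mode: false` on the RHEL-07-010240 PATCH task makes `chage -m 1 {{ item }}` execute during an `ansible-playbook --check` run, so a dry run now changes password-aging on every account in `rhel_07_010240_audit.stdout_lines`; that flag belongs on the AUDIT task that feeds the loop, not on the remediation. Drop `check_mode: false` here — `changed_when: true` alone satisfies the linter and keeps the task honest about mutating state. The README says check mode is unsupported, but a mutating command should still not run under it. The task's `when:` continues below the hunk.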
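Review bot: `mode: 0700` is new on the RHEL-07-020650 task (and on the two home-directory tasks above it), which until now only corrected group ownership; a lint-driven change now chmods every directory in `rhel7stig_passwd` as a side effect, stricter than the 0750 the STIG's home-directory permission control allows and enough to break group-shared homes. The `# noqa risky-file-permissions` already silences the linter, so drop `mode:` here and leave permissions to the dedicated control; if a mode is genuinely wanted, quote it (`mode: '0750'`) per Ansible's guidance on octal values. The task's `when:` and loop variables continue below the hunk.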
@@ -3042,16 +3047,16 @@ - V-204575 - rsyslog -# ###################### -# ####### 040000 ####### -# ###################### +####################### +######## 040000 ####### +####################### - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." block: - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." block: - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." - shell: for p in `firewall-cmd --list-services`; do firewall-cmd --permanent --service $p --get-ports | grep -Ev '{{ rhel7stig_firewall_ports_protocols|flatten|join('|') }}'; done; + shell: for p in `firewall-cmd --list-services`; do firewall-cmd --permanent --service $p --get-ports | grep -Ev '{{ rhel7stig_firewall_ports_protocols | flatten | join('|') }}'; done; changed_when: false failed_when: false check_mode: false 
@@ -3077,7 +3082,7 @@ changed_when: false failed_when: false check_mode: false - register: rhel7stig_PPSM_CLSA_check_iptables + register: rhel7stig_PPSM_CLSA_check_iptables # noqa var-naming - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." debug: @@ -3087,7 +3092,7 @@ - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." debug: - var: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines + var: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines # noqa var-naming changed_when: true when: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines is defined when: @@ -3738,10 +3743,10 @@ state: present - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." - service: - name: "{{ rhel7stig_firewall_service }}" - enabled: true - state: started + service: + name: "{{ rhel7stig_firewall_service }}" + enabled: true + state: started vars: ansible_python_interpreter: "{{ python2_bin }}" when: diff --git a/tasks/main.yml b/tasks/main.yml index 5028393e..2c587589 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -21,6 +21,27 @@ tags: - always +- name: "Check password set for {{ ansible_user }}" + block: + - name: Capture current password state of "{{ ansible_user }}" + shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: ansible_user_password_set + + - name: "Assert that password set for {{ ansible_user }} and account not locked" + assert: + that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_user }}" + vars: + sudo_password_rule: RHEL-07-010340 + when: + - rhel_07_010340 + tags: + - user_passwd + - name: FIPS turned on set_fact: fips_value: '1' diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 489775a5..c875a344 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,7 +2,7 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment | default({}) }}" changed_when: false register: audit_run_post_remediation vars: @@ -26,7 +26,7 @@ - name: Capture post-audit result set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json |json_query(summary) }}" + post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' when: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 12381fd7..ce67f765 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
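Review bot: The new `ansible_user` password check uses `grep {{ ansible_user }} /etc/shadow`, a substring match — `ansible_user: ec2` also matches `ec2-user`, `adm` matches `admin` — so the assert can pass on the wrong account; anchor it with `shell: "grep '^{{ ansible_user }}:' /etc/shadow | cut -d: -f2"` (or `getent shadow {{ ansible_user }}`, since the play runs with become). The assert also rejects only `!!`: a locked account (`!$6$…`) or a no-password account (`*`) passes, so use `that: ansible_user_password_set.stdout | length > 0 and ansible_user_password_set.stdout is not match('^[!*]')`. `ansible_user` is undefined when the connection user is not set in inventory, which makes even the task name fail to template, so guard the block with `- ansible_user is defined`. The success_msg reads `You a password set`, presumably `You have a password set`.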
@@ -49,6 +49,9 @@ get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" + owner: root + group: root + mode: 0755 when: - audit_content == 'get_url' @@ -79,7 +82,7 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation vars: @@ -94,7 +97,7 @@ - name: Pre Audit | Capture pre-audit result set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' when: From 44903f319e5f724048510850fd9dfe3fbea7543d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 25 Oct 2022 13:53:33 +0100 Subject: [PATCH 052/126] lint stds and updates Signed-off-by: Mark Bolwell --- .ansible-lint | 8 +++++++- .yamllint | 13 ++++++++++++- handlers/main.yml | 6 +++--- meta/main.yml | 5 ++++- site.yml | 2 +- tasks/fix-cat1.yml | 4 ++-- tasks/fix-cat2.yml | 12 ++++++------ 7 files changed, 35 insertions(+), 15 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 01e7ca8c..c3dfee39 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,8 +1,14 @@ parseable: true quiet: true skip_list: + - 'schema' + - 'no-changed-when' + - 'fqcn-builtins' + - 'experimental' + - 'name[casing]' + - 'name[template]' + - 'jinja[spacing]' - '204' - - '208' - '305' - '303' - '403' diff --git a/.yamllint b/.yamllint index faa9773d..9c823be2 100644 --- a/.yamllint +++ b/.yamllint 
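Review bot: The `get_url` that fetches `{{ audit_files_url }}` into `{{ audit_conf_dir }}` now sets root ownership and `mode: 0755`, but still has no `checksum:`, and what lands there (the audit content, including `run_audit.sh`) is later executed as root by the pre/post audit `shell:` tasks. Add `checksum: "sha256:{{ audit_files_checksum }}"` with the expected digest in defaults, or at minimum pin `audit_files_url` to a release tag rather than a moving branch such as `devel`. Separately, `audit_out_dir` defaults to `/var/tmp`, a world-writable directory; unless an earlier task asserts that `{{ audit_conf_dir }}` is root-owned (not visible here), a local user who pre-creates `/var/tmp/RHEL7-STIG-Audit/run_audit.sh` gets it run as root, so create the directory with `file:` (`state: directory`, `owner: root`, `mode: '0700'`) before the download. Quoting the mode (`mode: '0755'`) matches the `'0644'` style used in fix-cat1.yml.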
@@ -14,11 +14,22 @@ rules: spaces: 4 # Requiring consistent indentation within a file, either indented or not indent-sequences: consistent - truthy: disable braces: max-spaces-inside: 1 level: error brackets: max-spaces-inside: 1 level: error + indentation: + indent-sequences: consistent + level: error line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false + diff --git a/handlers/main.yml b/handlers/main.yml index 16d40340..c2cbad7b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -36,7 +36,7 @@ copy: src: "{{ rhel7stig_grub_cfg_path | dirname }}/{{ item }}" dest: "{{ rhel7stig_grub_cfg_path_invalid | dirname }}/{{ item }}" - remote_src: yes + remote_src: true mode: 0600 with_items: - grub.cfg @@ -59,7 +59,7 @@ - name: restart auditd command: /usr/sbin/service auditd restart args: - warn: no + warn: false - name: rebuild initramfs command: dracut -f @@ -69,7 +69,7 @@ - name: update running audit failure mode command: auditctl -f {{ rhel7stig_auditd_failure_flag }} - failed_when: no + failed_when: false - name: clean up ssh host key file: diff --git a/meta/main.yml b/meta/main.yml index b69ab484..40edc8c8 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -5,9 +5,12 @@ galaxy_info: company: "MindPoint Group" license: MIT role_name: rhel7_stig - min_ansible_version: 2.9 + namespace: mindpointgroup + min_ansible_version: 2.9.0 platforms: - name: EL + versions: + - 7 galaxy_tags: - system - security diff --git a/site.yml b/site.yml index efcfabb7..830c253d 100644 --- a/site.yml +++ b/site.yml @@ -1,5 +1,5 @@ --- -- hosts: all +- hosts: all # noqa: name[play] become: true vars: is_container: false diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 6d026ad6..506b0d80 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -12,7 +12,7 @@ register: rhel_07_010010_audit - name: "HIGH | RHEL-07-010010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." - shell: > + shell: > ( rpm --setugids {{ item }}; rpm --setperms {{ item }} ) 2>&1 1>&2 | grep -v ': No such file or directory$' args: @@ -496,7 +496,7 @@ key: GRUB_CMDLINE_LINUX param: boot value: UUID={{ item.uuid }} - insert: yes + insert: true when: - rhel7stig_boot_part not in ['/', ''] - not ansible_check_mode or diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 10368f34..0f3ebcc1 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1,7 +1,7 @@ --- ### RHEL-07-010030 | RHEL-07-010040 combined as related tasks in regards to a config file no other content will be in. - name: "MEDIUM | RHEL-07-010030 | RHEL-07-010040 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." - copy: + copy: # noqa: template-instead-of-copy dest: /etc/dconf/db/local.d/01-banner-message content: | [org/gnome/login-screen] @@ -29,7 +29,7 @@ - name: "MEDIUM | RHEL-07-010050 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon." copy: - content: "{{ rhel7stig_logon_banner }}" + content: "{{ rhel7stig_logon_banner }}" # noqa: template-instead-of-copy dest: "{{ item }}" owner: root group: root 
@@ -3739,10 +3739,10 @@ state: present - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." - service: - name: "{{ rhel7stig_firewall_service }}" - enabled: true - state: started + service: + name: "{{ rhel7stig_firewall_service }}" + enabled: true + state: started vars: ansible_python_interpreter: "{{ python2_bin }}" when: From 8f1258e9923a61519b12c726d1f35e6d120f96b1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Oct 2022 20:30:32 +0100 Subject: [PATCH 053/126] updated audit outfile Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 57a02e60..0cee35a6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -761,8 +761,8 @@ audit_out_dir: '/var/tmp' audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing audit_control_file: "{{ audit_conf_dir }}goss.yml" From 1e3025ab238dc9f306d0f528d24f13efabaaf44d Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Wed, 2 Nov 2022 08:27:22 -0700 Subject: [PATCH 054/126] Full Uopdate To V3R9 
Signed-off-by: Stephen Williams --- ChangeLog.md | 11 +++++++++ README.md | 2 +- defaults/main.yml | 7 +++--- tasks/fix-cat2.yml | 37 ++++++++++++++++++++++-------- tasks/fix-cat3.yml | 10 ++++---- templates/audit/99_auditd.rules.j2 | 4 ++-- 6 files changed, 51 insertions(+), 20 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 7c66199d..41cabaea 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,16 @@ # Changelog +## Release 1.9.0 +- RHEL-07-010271 - New Control Added +- Update to STIG V3R9 Oct 27th 2022 + · RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text. + · RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives. + · RHEL-07-030840 - Updated check and fix text. + · RHEL-07-040160 - Updated check text. + · RHEL-07-040310 - Corrected typo in the Vulnerability Discussion. + · RHEL-07-040360, RHEL-07-040530 - Updated CCI. +- Update to README and requirements + ## Relase 1.7.0 - Update to STIG V3R8 Jul 27th 2022 - rule ID changes diff --git a/README.md b/README.md index f5e836ed..441a1773 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`. -This role is based on RHEL 7 DISA STIG: [Version 3, Rel 8 released on Jul 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R8_STIG.zip). +This role is based on RHEL 7 DISA STIG: [Version 3, Rel 9 released on Oct 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R9_STIG.zip). ## Join us diff --git a/defaults/main.yml b/defaults/main.yml index 0cee35a6..671cc249 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -137,6 +137,7 @@ rhel_07_010240: true rhel_07_010250: true rhel_07_010260: true rhel_07_010270: true +rhel_07_010271: true rhel_07_010280: true rhel_07_010310: true rhel_07_010320: true @@ -460,7 +461,7 @@ rhel7stig_boot_superuser: root # RHEL-07-021700 set the value for correctly configured grub bootloader sequence # note this is different for bios and EFI boot types. so can be changed via the inventory or alternate vars -rhel7stig_grub_bootloader_validorder: "set root='hd0,msdos1'" +rhel7stig_grub_bootloader_validorder: "set root='hd0,1'" # RHEL-07-040200 Path for cacrt bundle that holds LDAP certs for tls transport rhel_07_040200_cabundle_path: etc/pki/tls/certs/ca-bundle.crt @@ -761,8 +762,8 @@ audit_out_dir: '/var/tmp' audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing audit_control_file: "{{ audit_conf_dir }}goss.yml" diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0f3ebcc1..072f0eee 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
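Review bot: The `pre_audit_outfile`/`post_audit_outfile` lines in the `@@ -761,8 +762,8 @@` hunk drop the `-{{ benchmark }}` segment that the immediately preceding commit (PATCH 053, "updated audit outfile") had just added, which reads as a merge regression rather than an intended change — nothing in this commit's subject or changelog mentions reverting the output filename. If the benchmark-qualified name is the one wanted, the new side should keep `pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"` (and the matching post line); if the revert is deliberate, the comment above it, `# If changed these can affect other products`, suggests the other consumers of these names need checking.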
@@ -594,6 +594,20 @@ - V-204422 - pamd +- name: "MEDIUM | AUDIT | RHEL-07-010271 | The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." + debug: + msg: + - "Warning!! Verify every existing emergency account and make sure it has an expiration date set within 72 hours." + when: + - rhel_07_010271 + tags: + - RHEL-07-010271 + - CAT2 + - CCI-001682 + - SRG-OS-000123-GPOS-00064 + - SV-254523r858501_rule + - V-254523 + - name: "MEDIUM | RHEL-07-010280 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length." lineinfile: create: true @@ -1990,7 +2004,7 @@ - name: "MEDIUM | RHEL-07-021040 | PATCH | The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts." file: path: "{{ item }}" - mode: '0700' + mode: '077' state: touch changed_when: false with_items: @@ -2877,7 +2891,7 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00216 - - SV-204563r603261_rule + - SV-204563r858498_rule - V-204563 - auditd @@ -3151,6 +3165,8 @@ state: present - dest: /etc/profile state: "{{ (rhel7stig_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" + - dest: /etc/bashrc + state: "{{ (rhel7stig_shell_session_timeout.file == '/etc/bashrc') | ternary('present', 'absent') }}" when: - rhel_07_040160 tags: @@ -3159,7 +3175,7 @@ - CCI-001133 - CCI-002361 - SRG-OS-000163-GPOS-00072 - - SV-204579r646844_rule + - SV-204579r861070_rule - V-204579 - profile @@ -3300,9 +3316,12 @@ tags: - RHEL-07-040310 - CAT2 + - CCI-002418 + - CCI-002420 - CCI-002421 + - CCI-002422 - SRG-OS-000423-GPOS-00187 - - SV-204586r603261_rule + - SV-204586r861071_rule - V-204586 - ssh @@ -3402,9 +3421,9 @@ tags: - RHEL-07-040360 - CAT2 - - CCI-000366 + - CCI-000052 - SRG-OS-000480-GPOS-00227 - - SV-204591r603261_rule + - SV-204591r858477_rule - V-204591 - ssh 
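Review bot: `mode: '077'` in the RHEL-07-021040 hunk sets the permission bits of the touched files, not a umask: the `file` module interprets it as octal 077 (`----rwxrwx`), so the owner loses all access while group and others gain full read/write/execute, the opposite of what this control is about. The umask value belongs in the file content (a `umask 077` line written by a separate task), and the touched files should keep a restrictive mode such as `mode: '0600'`. Note also that `changed_when: false` hides the fact that `state: touch` rewrites the mode on every run, so a bad value would be applied silently. The `with_items` list naming the affected files continues outside the hunk.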
@@ -4460,7 +4479,7 @@ - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo." block: - name: "MEDIUM | RHEL-07-010342 | AUDIT | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation" - shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --unique + shell: egrep -irs '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --unique changed_when: false failed_when: false register: rhel_07_010342_priv_escalation @@ -4523,7 +4542,7 @@ - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command." block: - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Get files with timeout set" - shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + shell: grep -irs 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel_07_010343_timeout_files @@ -4604,7 +4623,7 @@ - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" block: - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command | Get sysadm_r sudoers status" - shell: grep -s sysadm_r /etc/sudoers.d/* /etc/sudoers + shell: grep -rs sysadm_r /etc/sudoers /etc/sudoers.d/* changed_when: false failed_when: false register: rhel_07_020023_sel_admin_sudo_status 
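Review bot: The rewritten `shell` line for RHEL-07-010342 still pipes through `grep -v '#'`, which discards any matching `file:line` output that contains a `#` anywhere, so a correct `Defaults !rootpw  # comment` entry is reported as missing and the later logic (outside the hunk) presumably treats the file as non-compliant; a leading-comment test on the prefixed output would be `grep -Ev ':\s*#'`. With `-r` added, `/etc/sudoers.d/*` is both expanded by the shell and recursed into by grep, so nested directories are now scanned; that may be intended but is worth a comment. `egrep` is deprecated in favour of `grep -E`. The enclosing `block` for each of these tasks starts before the hunk and ends after it.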
diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index a7610716..c49aed30 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -192,7 +192,7 @@ - name: "LOW | RHEL-07-040530 | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon." block: - - name: "LOW | RHEL-07-040530 | Update pam_lastlog control to satisfy benchmark." + - name: "LOW | RHEL-07-040530 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon | Update pam_lastlog control to satisfy benchmark." pamd: name: postlogin type: session @@ -201,7 +201,7 @@ module_path: pam_lastlog.so state: updated - - name: "LOW | RHEL-07-040530 | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon." + - name: "LOW | RHEL-07-040530 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon | Update pam_lastlog when line absent." pamd: name: postlogin state: args_absent @@ -213,7 +213,7 @@ - '[default=1]' - "{{ default_control }}" - - name: "MEDIUM | RHEL-07-010270 | PATCH | Remove old remediation" + - name: "LOW | RHEL-07-040530 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon | Remove old remediation." blockinfile: state: absent path: /etc/pam.d/postlogin @@ -229,9 +229,9 @@ tags: - RHEL-07-040530 - CAT3 - - CCI-000366 + - CCI-000052 - SRG-OS-000480-GPOS-00227 - - SV-204605r603261_rule + - SV-204605r858478_rule - V-204605 # NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service. 
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 5ea1a464..2b730902 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -140,7 +140,7 @@ {% endif %} {% if rhel_07_030840 %} --w /usr/bin/kmod -p x -F auid!=unset -k module-change +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules {% endif %} {% if rhel_07_030870 %} @@ -166,4 +166,4 @@ {% if rhel_07_030910 %} -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete -{% endif %} \ No newline at end of file +{% endif %} From 2d7013a4d63ce4297fce0841c10e972dc0903ca0 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 13:43:00 -0400 Subject: [PATCH 055/126] Updated Changelog Signed-off-by: Stephen Williams --- ChangeLog.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 41cabaea..fe8d8fe0 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
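Review bot: The new kmod rule hard-codes `-F auid>=1000` while the other rules in this template, including the delete rules visible in the second hunk, use `-F auid>={{ rhel7stig_min_uid.stdout}}`; on a host whose UID_MIN differs, the module-change rule would then audit a different set of users than every other rule. Keep it consistent: `-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k modules`. The key also changes from `module-change` to `modules`; if other module rules in this template or any ausearch/reporting still use `module-change` (not visible here), they should be updated in the same commit so the events are not split across two keys.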
@@ -1,14 +1,15 @@ # Changelog ## Release 1.9.0 + - RHEL-07-010271 - New Control Added -- Update to STIG V3R9 Oct 27th 2022 - · RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text. - · RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives. - · RHEL-07-030840 - Updated check and fix text. - · RHEL-07-040160 - Updated check text. - · RHEL-07-040310 - Corrected typo in the Vulnerability Discussion. - · RHEL-07-040360, RHEL-07-040530 - Updated CCI. +- Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below + - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text. + - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives. + - RHEL-07-030840 - Updated check and fix text. + - RHEL-07-040160 - Updated check text. + - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion. + - RHEL-07-040360, RHEL-07-040530 - Updated CCI. - Update to README and requirements ## Relase 1.7.0 From 53cf8ead43c7622420975e51863a7cfc0a774326 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 13:55:49 -0400 Subject: [PATCH 056/126] Updated Readme Signed-off-by: Stephen Williams --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 441a1773..011aa37c 100644 --- a/README.md +++ b/README.md 
@@ -6,7 +6,7 @@ Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`. -This role is based on RHEL 7 DISA STIG: [Version 3, Rel 9 released on Oct 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R9_STIG.zip). +This role is based on RHEL 7 DISA STIG: [Version 3, Rel 9 released on Oct 11, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R9_STIG.zip). ## Join us From 1ba285509a15eb50f9d57169068272a178be8640 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 14:10:42 -0400 Subject: [PATCH 057/126] Updated RHEL-07-010010 Control Signed-off-by: Stephen Williams --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 506b0d80..9db5f3f5 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -42,7 +42,7 @@ - CCI-002165 - CCI-002235 - SRG-OS-000257-GPOS-00098 - - SV-204392r646841_rule + - SV-204392r853878_rule - V-204392 - permissions From 4e768698744acc63f03b863abefc8ad409ee92d8 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 14:18:54 -0400 Subject: [PATCH 058/126] Updated RHEL-07-010291 Control Signed-off-by: Stephen Williams --- tasks/fix-cat1.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 9db5f3f5..47d4fb6e 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -78,7 +78,7 @@ - CAT1 - CCI-001749 - SRG-OS-000480-GPOS-00227 - - SV-214799r603261_rule + - SSV-214799r854001_rule - V-214799 - packages @@ -120,7 +120,7 @@ when: - rhel_07_010291 tags: - - RHEL-07-010290 + - RHEL-07-010291 - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 From 3c2d0d080a71a421770381fdbfe0f3d2bc9a7fb6 Mon Sep 17 00:00:00 2001 
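Review bot: The tag added in the `@@ -78,7 +78,7 @@` hunk of tasks/fix-cat1.yml is misspelled: `- SSV-214799r854001_rule` has a doubled `S`, so the rule-id tag no longer follows the `SV-...` pattern used by every other task and `--tags`/`--skip-tags` selection by rule id will miss this task. It should read `- SV-214799r854001_rule`. The tag correction from `RHEL-07-010290` to `RHEL-07-010291` in the second hunk of that file looks right.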
From: Stephen Williams Date: Fri, 4 Nov 2022 14:27:28 -0400 Subject: [PATCH 059/126] Updated RHEL-07-021030 Signed-off-by: Stephen Williams --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 072f0eee..047dc174 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1997,7 +1997,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204487r603261_rule + - SV-204487r744106_rule - V-204487 - disruption-high From 36a99476c73796338bc8da6dc92b78913467017e Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 14:30:05 -0400 Subject: [PATCH 060/126] Updated RHEL-07-021040 Signed-off-by: Stephen Williams --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 047dc174..89ae1ec7 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2019,9 +2019,9 @@ - CCI-000368 - CCI-001813 - CCI-001814 - - CCI-00181 + - CCI-001812 - SRG-OS-000480-GPOS-00227 - - SV-204488r603261_rule + - SV-204488r861006_rule - V-204488 - permissions - accounts From 2c825b3cc85b06e17dd6cfbd6be32f0341fc63b5 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 14:32:47 -0400 Subject: [PATCH 061/126] Updated RHEL-07-040160 Signed-off-by: Stephen Williams --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 89ae1ec7..5b014bba 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3165,7 +3165,7 @@ state: present - dest: /etc/profile state: "{{ (rhel7stig_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" - - dest: /etc/bashrc + - dest: /etc/bashrc state: "{{ (rhel7stig_shell_session_timeout.file == '/etc/bashrc') | ternary('present', 'absent') }}" when: - rhel_07_040160 From 143af72500cab2532e1c8f6fb2aa29ef656f3944 Mon Sep 17 00:00:00 2001 
From: Stephen Williams Date: Fri, 4 Nov 2022 14:40:31 -0400 Subject: [PATCH 062/126] Updated RHEL-07-010342 Signed-off-by: Stephen Williams --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5b014bba..0e830410 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4535,7 +4535,7 @@ - CAT2 - CCI-002227 - SRG-OS-000480-GPOS-00227 - - SV-237634r833177_rule + - SV-237634r861074_rule - V-237634 - sudo From 5e7c8e02de1e7b8995d44fc2e9e32408b536fd3f Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 14:42:56 -0400 Subject: [PATCH 063/126] Updated RHEL-07-020023 Signed-off-by: Stephen Williams --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0e830410..df89b51a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4650,5 +4650,5 @@ - CCI-002165 - CCI-002235 - SRG-OS-000324-GPOS-00125 - - SV-250314r833181_rule + - SV-250314r861076_rule - V-250314 From 026255859cc17a57bab4039223f0b1e0e1553c54 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 14:45:00 -0400 Subject: [PATCH 064/126] Updated ChangeLog Signed-off-by: Stephen Williams --- ChangeLog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog.md b/ChangeLog.md index fe8d8fe0..daba9d23 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -11,6 +11,7 @@ - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion. - RHEL-07-040360, RHEL-07-040530 - Updated CCI. - Update to README and requirements +- RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information ## Relase 1.7.0 From 553c71596bba903327010ee64b91cdc444815055 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 16:28:05 -0400 Subject: [PATCH 065/126] Lint Update Signed-off-by: Stephen Williams --- .ansible-lint | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.ansible-lint b/.ansible-lint index c3dfee39..470d43ec 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -5,6 +5,8 @@ skip_list: - 'no-changed-when' - 'fqcn-builtins' - 'experimental' + - 'fqcn[action-core]' + - 'fqcn[action]' - 'name[casing]' - 'name[template]' - 'jinja[spacing]' From 223e1463ea12ae92c4a5824132ea524e16d8c303 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 4 Nov 2022 16:31:22 -0400 Subject: [PATCH 066/126] Tasks Main Update Signed-off-by: Stephen Williams --- tasks/main.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 5028393e..a13f018f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -45,13 +45,15 @@ - RHEL-07-010491 - cat1 -- import_tasks: prelim.yml +- name: include prelim tasks + import_tasks: prelim.yml become: true tags: - prelim_tasks - run_audit -- import_tasks: pre_remediation_audit.yml +- name: include pre-remediation audit + import_tasks: pre_remediation_audit.yml when: - run_audit tags: @@ -104,7 +106,8 @@ when: - not rhel7stig_skip_reboot -- import_tasks: post_remediation_audit.yml +- name: include post-remediation audit + import_tasks: post_remediation_audit.yml when: - run_audit From f71205e31a73922f9698d9b6475e3f38fe9bc1f1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 7 Nov 2022 17:14:02 +0000 Subject: [PATCH 067/126] updated goss version and output file Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 671cc249..cfacd863 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -729,8 +729,8 @@ audit_run_script_environment: ### Audit binary settings ### audit_bin_version: - release: v0.3.16 - checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb' + release: v0.3.20 + checksum: 'sha256:459bc14662967d07795234374a04d611cd2f821140eb4225e7d9ba4572630e11' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json @@ -757,13 +757,13 @@ audit_files_url: "some url maybe s3?" ## Goss configuration information # Where the goss configs and outputs are stored -audit_out_dir: '/var/tmp' +audit_out_dir: '/opt' # Where the goss audit configuration will be stored audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing audit_control_file: "{{ audit_conf_dir }}goss.yml" From 86c6bf743f40adb2c68719ff33fbb7e6153f1f0a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 7 Nov 2022 17:14:37 +0000 Subject: [PATCH 068/126] Added cat2 10271 Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 0de8f4bc..1841d0c4 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -82,6 +82,7 @@ RHEL_07_010240: {{ rhel_07_010240 }} RHEL_07_010250: {{ rhel_07_010250 }} RHEL_07_010260: {{ rhel_07_010260 }} RHEL_07_010270: {{ rhel_07_010270 }} +RHEL_07_010271: {{ rhel_07_010271 }} RHEL_07_010280: {{ rhel_07_010280 }} RHEL_07_010310: {{ rhel_07_010310 }} RHEL_07_010320: {{ rhel_07_010320 }} From 9a4e380b5b7ca82f487f9ea12709535428985a40 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 7 Nov 2022 17:17:10 +0000 Subject: [PATCH 069/126] updated welcome first interaction version Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 0bdd644b..9b837b91 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/first-interaction@v1.1.0 + - uses: actions/first-interaction@main with: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- From 4ae09074fdc933118cc112a424982767f06f0c82 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Jan 2023 11:22:40 +0000 Subject: [PATCH 070/126] updated title thanks to discord Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index c875a344..0de7e2ae 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
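Review bot: `- uses: actions/first-interaction@main` in the linux_benchmark_testing.yml hunk replaces a tagged release with a mutable branch reference, so every workflow run executes whatever is currently on `main` of a third-party action that is handed `repo-token: ${{ secrets.GITHUB_TOKEN }}`; a compromised or merely broken upstream commit would run with that token without any change in this repository. Pin to a full commit SHA and record the version in a trailing comment, e.g. `- uses: actions/first-interaction@<full-commit-sha>  # <version>`, and let Dependabot or Renovate propose bumps. If the move to `main` was to pick up a specific unreleased fix, pinning that commit's SHA gets the fix without the floating reference.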
@@ -19,12 +19,12 @@ - name: Post Audit | Capture audit data if json format block: - - name: "capture data {{ post_audit_outfile }}" + - name: "Post Audit | capture data {{ post_audit_outfile }} | JSON format" command: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Capture post-audit result + - name: PostAudit | Capture post-audit result | JSON format set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: @@ -34,12 +34,12 @@ - name: Post Audit | Capture audit data if documentation format block: - - name: "Post Audit | capture data {{ post_audit_outfile }}" + - name: "Post Audit | capture data {{ post_audit_outfile }} | documentation format" command: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Post Audit | Capture post-audit result + - name: Post Audit | Capture post-audit result | documentation format set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" when: From 8a064da8650119773f0e8d9893ad375df68ed53a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 10:13:32 +0000 Subject: [PATCH 071/126] #405 updated regex thanks to @JosephHoffman Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 370c77a4..928e55f3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3397,7 +3397,7 @@ - name: "MEDIUM | RHEL-07-040350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication." lineinfile: dest: /etc/ssh/sshd_config - regexp: "(?i)^#?IgnoreRhosts" + regexp: '(?i)^#?\s*IgnoreRhosts' line: IgnoreRhosts yes validate: /usr/sbin/sshd -t -f %s notify: restart sshd From f151c43716ced075500ee91fce704f6c6cc9d429 Mon Sep 17 00:00:00 2001 
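Review bot: `- name: PostAudit | Capture post-audit result | JSON format` drops the space that every other task name in this hunk uses (`Post Audit | ...`), so the new naming scheme is inconsistent within the same file; it should read `- name: Post Audit | Capture post-audit result | JSON format`. In the fix-cat2.yml hunk, the new regexp `'(?i)^#?\s*IgnoreRhosts'` is an improvement, but it still does not match a commented line with leading whitespace (`  #IgnoreRhosts`), which lineinfile would then leave in place alongside the appended line; `'(?i)^\s*#?\s*IgnoreRhosts'` covers that case.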
From: Mark Bolwell Date: Tue, 7 Feb 2023 10:22:00 +0000 Subject: [PATCH 072/126] updated msg for bootloader Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 721c6f23..540446d5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -53,7 +53,7 @@ - name: Check rhel7stig_bootloader_password_hash variable has been changed assert: that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set" + msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" when: - rhel_07_010481 or rhel_07_010482 or From e02ca7058c647eb8c8fe6d3f257615b5ecabbe6d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 10:22:26 +0000 Subject: [PATCH 073/126] made auditd process a variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + handlers/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index cfacd863..2bf599b5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -646,6 +646,7 @@ rhel7stig_auditd_space_left: "{{ ( ansible_mounts | json_query(rhel7stig_audit_d rhel7stig_audit_disk_size_query: "[?mount=='{{ rhel7stig_audit_part }}'].size_total | [0]" # RHEL-07-030350 +rhel7stig_audit_daemon: auditd rhel7stig_auditd_mail_acct: root # RHEL-07-020630 diff --git a/handlers/main.yml b/handlers/main.yml index c2cbad7b..63671263 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -57,7 +57,7 @@ - not rhel7stig_system_is_container - name: restart auditd - command: /usr/sbin/service auditd restart + command: /usr/sbin/service "{{ rhel7stig_audit_daemon }}" restart args: warn: false 
From ccec4536178f531b042ce8fcea0797fc017ae4d4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 10:30:24 +0000 Subject: [PATCH 074/126] Add version updates Signed-off-by: Mark Bolwell --- README.md | 2 +- defaults/main.yml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 011aa37c..a26f7b09 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`. -This role is based on RHEL 7 DISA STIG: [Version 3, Rel 9 released on Oct 11, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R9_STIG.zip). +This role is based on RHEL 7 DISA STIG: [Version 3, Rel 10 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R10_STIG.zip). ## Join us diff --git a/defaults/main.yml b/defaults/main.yml index 2bf599b5..74756f88 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -12,6 +12,8 @@ python2_bin: /bin/python2.7 ## Benchmark name used by auditing control role # audit variable found at the base benchmark: RHEL7-STIG +## metadata for Audit benchmark +benchmark_version: 'v3r10' # Whether to skip the reboot rhel7stig_skip_reboot: true From 967e0eea79c8ac3583f1a3f39cdfeba75f16b6f6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 10:46:14 +0000 Subject: [PATCH 075/126] updated rule IDs added 010090 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 928e55f3..640794fa 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -66,7 +66,7 @@ - CAT2 - CCI-000056 - SRG-OS-000028-GPOS-00009 - - SV-204396r603261_rule + - SV-204396r880746_rule - V-204396 - dconf @@ -108,7 +108,7 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204398r603261_rule + - SV-204398r880770_rule - V-204398 - dconf @@ -127,7 +127,7 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204399r603261_rule + - SV-204399r880773_rule - V-204399 - dconf @@ -146,10 +146,27 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204400r603261_rule + - SV-204400r880776_rule - V-204400 - dconf +- name: "MEDIUM | RHEL-07-010090 | PATCH | The Red Hat Enterprise Linux operating system must have the screen package installed." + package: + name: screen + state: present + when: + - rhel_07_010090 + - "'screen' not in ansible_facts.packages" + - "'tmux' not in ansible_facts.packages" + tags: + - RHEL-07-010090 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-255926r880779_rule + - V-255926 + - screen + - name: "MEDIUM | RHEL-07-010100 | PATCH | The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces." copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010100 @@ -166,7 +183,7 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204402r603261_rule + - SV-204402r880782_rule - V-204402 - dconf @@ -185,7 +202,7 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204403r603261_rule + - SV-204403r880785_rule - V-204403 - dconf @@ -206,7 +223,7 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204404r603261_rule + - SV-204404r880788_rule - V-204404 - dconf @@ -4314,7 +4331,7 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-214937r603261_rule + - SV-214937r880767_rule - V-214937 - dconf From d9d09f9dc7a1390f1aa90b109f666e5b38a976de Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 10:46:24 +0000 Subject: [PATCH 076/126] ruleid 010010 
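Review bot: The new RHEL-07-010090 task skips installing screen whenever tmux is present, which treats tmux as satisfying the control; if the benchmark's check only looks for the screen package (verify against the V-255926 check text), a tmux-only host remains a finding after remediation. Either way the intent is not visible from the task, so a comment such as `# tmux is accepted as an alternative to screen for V-255926` above the `when:` would save the next reader from guessing. The conditions also rely on `ansible_facts.packages`, which presumably is gathered by a package_facts task earlier in the role — confirm that it always runs before this task, otherwise the `not in` tests error out.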
Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 47d4fb6e..7d2ca9d8 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -42,7 +42,7 @@ - CCI-002165 - CCI-002235 - SRG-OS-000257-GPOS-00098 - - SV-204392r853878_rule + - SV-204392r880752_rule - V-204392 - permissions From 09647cdb8e74877d06b802595e72c239d7842d54 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 10:58:57 +0000 Subject: [PATCH 077/126] Add control 010199 Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + tasks/fix-cat2.yml | 31 +++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 74756f88..93bfa56a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -131,6 +131,7 @@ rhel_07_010160: true rhel_07_010170: true rhel_07_010180: true rhel_07_010190: true +rhel_07_010199: true rhel_07_010200: true rhel_07_010210: true rhel_07_010220: true diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 640794fa..10ef8277 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -404,6 +404,37 @@ - V-204414 - pwquality +- name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility." + block: + - name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | stat" + stat: + path: "{{ item }}" + register: rhel7cis_010199_auth_symlinks + loop: + - '/etc/pam.d/password-auth-local' + - '/etc/pam.d/system-auth-local' + + - name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | symlink" + file: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + state: link + loop: + - { 'src': '/etc/pam.d/password-auth', 'dest': '/etc/pam.d/password-auth-local' } + - { 'src': '/etc/pam.d/system-auth', 'dest': '/etc/pam.d/system-auth-local' } + when: + - item.dest not in rhel7cis_010199_auth_symlinks.stat.exists + when: + - rhel_07_010199 + tags: + - RHEL-07-010199 + - CAT2 + - CCI-000196 + - SRG-OS-000072-GPOS-00040 + - SV-255928r880830_rule + - V-255928 + - pamd + - name: "MEDIUM | RHEL-07-010200 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords." pamd: name: "{{ item[0] }}" From e05dc37ba2a7f09d1c7c572ed13589f5ac573865 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 11:38:25 +0000 Subject: [PATCH 078/126] new rule 010375 Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + tasks/fix-cat3.yml | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 93bfa56a..d56e2b86 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
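Review bot: The symlinks in the new RHEL-07-010199 task point the wrong way: with `state: link`, `dest` is the link that gets created and `src` is its target, so this produces `/etc/pam.d/password-auth-local -> /etc/pam.d/password-auth` (and likewise for system-auth). The benchmark's check expects `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth` to be the links and the `-local` files to be the real configuration (verify against the V-255928 check text); as written, authconfig can still overwrite the file PAM actually reads, so the control's purpose is not met. Swapping the two fields, e.g. `- { 'src': '/etc/pam.d/password-auth-local', 'dest': '/etc/pam.d/password-auth' }`, requires `force: true` because `password-auth` already exists, and the `-local` files must be created (copied from the current configuration) first or PAM is left with dangling links. The rewrite of this task in PATCH 092 keeps the same src/dest pairs, so the same fix applies there; the stat/register logic removed by that patch also would not have worked, since `register` on a loop yields `.results`, not `.stat`.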
@@ -319,6 +319,7 @@ rhel_07_041010: true rhel_07_910055: true # CAT 3 rules +rhel_07_010375: true rhel_07_020200: true rhel_07_020300: true rhel_07_021024: true diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index c49aed30..fa5f066e 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -1,4 +1,24 @@ --- + +- name: "LOW | RHEL-07-010375 | PATCH | The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer." + sysctl: + name: kernel.dmesg_restrict + value: '1' + state: present + reload: "{{ rhel7stig_sysctl_reload }}" + sysctl_set: true + ignoreerrors: true + when: + - rhel_07_010375 + tags: + - RHEL-07-010375 + - CAT3 + - CCI-001090 + - SRG-OS-000138-GPOS-00069 + - SV-255927r880791_rule + - V-255927 + - sysctl + - name: "LOW | RHEL-07-020200 | PATCH | The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed." lineinfile: dest: /etc/yum.conf From 02246212cb0e5ff5a56f96371dd88e58d5f557b9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 11:38:45 +0000 Subject: [PATCH 079/126] rule no. updates Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- tasks/fix-cat2.yml | 13 +++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 7d2ca9d8..abb95356 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -96,7 +96,7 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204424r809187_rule + - SV-204424r880839_rule - V-204424 - accounts diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 10ef8277..5e91e015 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -462,7 +462,7 @@ - CAT2 - CCI-000196 - SRG-OS-000073-GPOS-00041 - - SV-204415r603261_rule + - SV-204415r880833_rule - V-204415 - pamd @@ -640,7 +640,7 @@ - CAT2 - CCI-000200 - SRG-OS-000077-GPOS-00045 - - SV-204422r603261_rule + - SV-204422r880836_rule - V-204422 - pamd 
@@ -803,13 +803,14 @@ - CCI-002237 - CCI-002238 - SRG-OS-000329-GPOS-00128 - - SV-204427r603824_rule + - SV-204427r880842_rule - V-204427 - RHEL-07-010330 - CCI-002238 - - SV-204428r603261_rule + - SV-204428r880845_rule - V-204428 - pamd + - name: "MEDIUM | RHEL-08-010339 | PATCH | The Red Hat Enterprise Linux operating system must specify the default 'include' directory for the /etc/sudoers file." lineinfile: path: /etc/sudoers @@ -4532,7 +4533,7 @@ - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo." block: - name: "MEDIUM | RHEL-07-010342 | AUDIT | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation" - shell: egrep -irs '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --unique + shell: grep -Eirs '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --unique changed_when: false failed_when: false register: rhel_07_010342_priv_escalation @@ -4588,7 +4589,7 @@ - CAT2 - CCI-002227 - SRG-OS-000480-GPOS-00227 - - SV-237634r861074_rule + - SV-237634r880755_rule - V-237634 - sudo From 62b8f05254d4b79ccbe144fe5f83a66916a62282 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 11:45:31 +0000 Subject: [PATCH 080/126] 20029 - aide notify added Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5e91e015..e9c73f93 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1127,6 +1127,7 @@ package: name: aide state: present + notify: "{{ rhel7stig_aide_handler }}" when: - rhel_07_020029 - "'aide' not in ansible_facts.packages" 
@@ -1135,7 +1136,7 @@ - CAT2 - CCI-002696 - SRG-OS-000445-GPOS-00199 - - SV-251705r833192_rule + - SV-251705r880854_rule - V-251705 - aide From 09d8c98f5aaf10e9abeee64f87a8dd362eb7357f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 11:50:49 +0000 Subject: [PATCH 081/126] 20030/20040 update Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/fix-cat2.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d56e2b86..4263e4df 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -494,7 +494,7 @@ rhel7stig_aide_cron: special_time: daily # Disable the notification check rule to disable mailing notifications notify_by_mail: "{{ rhel_07_020040 }}" - notify_cmd: ' | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' + notify_cmd: ' | /var/spool/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' rhel7stig_cron_special_disable: "{{ rhel7stig_workaround_for_disa_benchmark or diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e9c73f93..198a2e5e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1171,11 +1171,11 @@ - RHEL-07-020030 - CCI-001744 - SRG-OS-000363-GPOS-00150 - - SV-204445r603261_rule + - SV-204445r880848_rule - V-204445 - RHEL-07-020040 - SRG-OS-000363-GPOS-00150 - - SV-204446r603261_rule + - SV-204446r880851_rule - V-204446 - aide From c0dc2c6c588739204299fcf6924b25f3af7586c7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 11:57:15 +0000 Subject: [PATCH 082/126] updated rule_ids Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- tasks/fix-cat3.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 198a2e5e..682369bc 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1530,7 +1530,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204470r744102_rule + - SV-204470r880764_rule - V-204470 - users 
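Review bot: In the defaults/main.yml hunk, `notify_cmd` now pipes the AIDE output into `/var/spool/mail`, which is the mail spool directory, not a mail client; the pipe will fail and the integrity-check notification will never be delivered, which silently defeats RHEL-07-020040. If this is mirroring the benchmark's literal fix text, the path is presumably a typo there and the previous `/bin/mail` (or `/usr/bin/mail`) should be kept: `notify_cmd: ' | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'`. A comment noting the deliberate deviation from the STIG text would stop the next reviewer from "fixing" it back.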
@@ -2185,7 +2185,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204500r603261_rule + - SV-204500r880860_rule - V-204500 - aide diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index fa5f066e..b354a43f 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -184,12 +184,12 @@ - RHEL-07-021600 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204498r603261_rule + - SV-204498r880856_rule - V-204498 - RHEL-07-021610 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204499r603261_rule + - SV-204499r880858_rule - V-204499 - aide From 71405e4f1c3d2d750c356b5d4bf9ad809303cffa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 12:04:40 +0000 Subject: [PATCH 083/126] ruleID updates Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 682369bc..2771111d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2272,7 +2272,7 @@ - CAT2 - CCI-000139 - SRG-OS-000046-GPOS-00022 - - SV-204504r603261_rule + - SV-204504r880761_rule - V-204504 - auditd - logging @@ -3333,7 +3333,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204584r603261_rule + - SV-204584r880794_rule - V-204584 - sysctl @@ -3844,7 +3844,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204609r603261_rule + - SV-204609r880797_rule - V-204609 - ipv4 @@ -3879,7 +3879,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204611r603261_rule + - SV-204611r880803_rule - V-204611 - sysctl - ipv4 @@ -3898,7 +3898,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204612r603261_rule + - SV-204612r880806_rule - V-204612 - ipv4 @@ -3917,7 +3917,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204613r603261_rule + - SV-204613r880809_rule - V-204613 - ipv4 @@ -3935,7 +3935,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204614r603261_rule + - SV-204614r880812_rule - V-204614 - ipv4 
@@ -3953,7 +3953,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204615r603261_rule + - SV-204615r880815_rule - V-204615 - ipv4 @@ -3971,7 +3971,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204616r603261_rule + - SV-204616r880818_rule - V-204616 - ipv4 @@ -3989,7 +3989,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204617r603261_rule + - SV-204617r880821_rule - V-204617 - ipv4 @@ -4121,7 +4121,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204625r603261_rule + - SV-204625r880824_rule - V-204625 - ipv4 @@ -4216,7 +4216,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204630r603261_rule + - SV-204630r880827_rule - V-204630 - ipv6 From cfd2824b07666960a06c557bb16fe957a44ea4a6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 12:11:19 +0000 Subject: [PATCH 084/126] ruleID and 040470- conditional pre 7.4 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2771111d..997ab954 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3604,7 +3604,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204597r603261_rule + - SV-204597r880743_rule - V-204597 - ssh @@ -3704,6 +3704,7 @@ when: - rhel_07_040470 - rhel7stig_ssh_required + - ansible_facts['distribution_version'] <= "7.4" tags: - RHEL-07-040470 - CAT2 From b73a1e2fd0c11d1b4dcf22f610069e6eb5ea9316 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 12:16:50 +0000 Subject: [PATCH 085/126] control 40712 added Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ tasks/fix-cat2.yml | 25 +++++++++++++++++++++++-- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4263e4df..8a8cd200 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
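Review bot: The added condition in the PATCH 084 hunk for RHEL-07-040470 compares version strings lexically, so `ansible_facts['distribution_version'] <= "7.4"` is a string comparison rather than a version one and will misbehave for any minor release with two digits. Use the version test instead: `- ansible_facts['distribution_version'] is version('7.4', '<=')`. The commit message says "pre 7.4" while the operator is `<=`, which includes 7.4 itself — confirm which boundary is intended.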
@@ -305,6 +305,7 @@ rhel_07_040670: true rhel_07_040680: true rhel_07_040710: true rhel_07_040711: true +rhel_07_040712: true rhel_07_040720: true rhel_07_040730: true rhel_07_040740: true @@ -429,12 +430,14 @@ rhel7stig_use_fips: true fips_value: '0' rhel7stig_FIPS_ciphers: aes256-ctr,aes192-ctr,aes128-ctr rhel7stig_FIPS_MACs: hmac-sha2-512,hmac-sha2-256 +rhel7stig_FIPS_KEX: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 # RHEL-07-040300 # RHEL-07-040310 # Install and enable ssh on networked systems rhel7stig_ssh_required: true rhel7stig_ssh_ciphers: "{{ rhel7stig_FIPS_ciphers }}" rhel7stig_ssh_macs: "{{ rhel7stig_FIPS_MACs }}" +rhel7_stig_ssh_kex: "{{ rhel7stig_FIPS_KEX }}" # RHEL-07-040490 # If not required, remove vsftpd. diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 997ab954..ae627ec1 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3710,7 +3710,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204602r603261_rule + - SV-204602r880758_rule - V-204602 - ssh @@ -3862,7 +3862,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204610r603261_rule + - SV-204610r880800_rule - V-204610 - sysctl - ipv4 
@@ -4064,6 +4064,27 @@ - V-204622 - ssh +- name: "MEDIUM | RHEL-07-040712 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requiremen" + lineinfile: + create: true + dest: /etc/ssh/sshd_config + regexp: "(?i)^#?KexAlgorithms" + line: KexAlgorithms "{{ rhel7_stig_ssh_kex }}" + validate: /usr/sbin/sshd -t -f %s + mode: 0600 + notify: restart sshd + when: + - rhel_07_040712 + - rhel7stig_ssh_required + tags: + - RHEL-07-040712 + - CAT2 + - CCI-001453 + - SRG-OS-000033-GPOS-00014 + - SV-255925r880749_rule + - V-255925 + - ssh + - name: "MEDIUM | RHEL-07-040720 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode." lineinfile: path: /etc/xinetd.d/tftp From aeb82df290d3d8831bc52f8eda763b09243b0368 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 12:34:19 +0000 Subject: [PATCH 086/126] updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index daba9d23..2b266329 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
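Review bot: The new RHEL-07-040712 task is named with the X11-forwarding control's title (truncated to "requiremen") rather than the KexAlgorithms requirement it implements, which will confuse anyone reading play output or grepping for the control; the name should describe the key-exchange restriction, e.g. `The Red Hat Enterprise Linux operating system must be configured to use only FIPS-approved key exchange algorithms for SSH.` (confirm against the V-255925 title). `mode: 0600` is an unquoted leading-zero integer, which YAML 1.1 reads as octal 384 — it happens to equal 0o600 here, but Ansible's guidance is to quote it: `mode: '0600'`. The `validate: /usr/sbin/sshd -t -f %s` line is a good guard for the quoted value written by `line:`, since it will reject the file if sshd does not accept the argument form.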
@@ -1,5 +1,65 @@ # Changelog +## Release 2.0.0 + +### Issues + +- Thanks to @Joseph Hoffman + - [#405](https://github.com/ansible-lockdown/RHEL7-STIG/issues/405) +- Thanks to @Bordenit + - [#412](https://github.com/ansible-lockdown/RHEL7-STIG/issues/412) + - #415 + +- Update to V3R10 - Jan 2023 + All controls have rules updated + - cat_1 + - 010010 + - 010290 + - 010375 - new control + + - cat 2 + - 010060 + - 010060 + - 010062 + - 010062 + - 010070 + - 010081 + - 010082 + - 010090 Added back in for screen pkgs to be installed + - 010100 + - 010101 + - 010110 + - 010199 - new control + - 010200 + - 010270 + - 010320 + - 010330 + - 010342 - updated grep command to grep -E + - 020029 - added notify and updated rule + - 020030 - updated mail path in cron job + - 020040 + - 020650 + - 021620 + - 040201 + - 040420 + - 040470 - conditional added only pre 7.4 + - 040610 + - 040611 + - 040612 + - 040620 + - 040630 + - 040640 + - 040641 + - 040650 + - 040660 + - 040712 - new control ssh KEX + - 040740 + - 040830 + +- cat 3 + - 021600 + - 021610 + ## Release 1.9.0 - RHEL-07-010271 - New Control Added From 51b62b439f6f5f416aaea5a67d7085c5471814a1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 12:44:58 +0000 Subject: [PATCH 087/126] updated workflows Signed-off-by: Mark Bolwell --- .github/workflows/github_networks.tf | 38 +++++++++---------- .github/workflows/github_vars.tfvars | 6 +-- .github/workflows/linux_benchmark_testing.yml | 25 ++++++------ .github/workflows/main.tf | 2 - .github/workflows/test.sh | 6 --- .github/workflows/variables.tf | 8 +++- 6 files changed, 39 insertions(+), 46 deletions(-) delete mode 100644 .github/workflows/test.sh diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf index 998cb768..ba777642 100644 --- a/.github/workflows/github_networks.tf +++ b/.github/workflows/github_networks.tf 
@@ -1,53 +1,53 @@ resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr + cidr_block = var.main_vpc_cidr instance_tenancy = "default" - tags = { + tags = { Environment = "${var.environment}" - Name = "${var.namespace}-VPC" - } + Name = "${var.namespace}-VPC" + } } resource "aws_internet_gateway" "IGW" { vpc_id = aws_vpc.Main.id tags = { Environment = "${var.environment}" - Name = "${var.namespace}-IGW" + Name = "${var.namespace}-IGW" } } resource "aws_subnet" "publicsubnets" { - vpc_id = aws_vpc.Main.id - cidr_block = var.public_subnets + vpc_id = aws_vpc.Main.id + cidr_block = var.public_subnets availability_zone = var.availability_zone tags = { Environment = "${var.environment}" - Name = "${var.namespace}-pubsub" + Name = "${var.namespace}-pubsub" } } resource "aws_subnet" "Main" { - vpc_id = aws_vpc.Main.id - availability_zone = var.availability_zone + vpc_id = aws_vpc.Main.id cidr_block = var.private_subnets + availability_zone = var.availability_zone tags = { Environment = "${var.environment}" - Name = "${var.namespace}-prvsub" + Name = "${var.namespace}-prvsub" } } resource "aws_route_table" "PublicRT" { - vpc_id = aws_vpc.Main.id - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.IGW.id - } - tags = { + vpc_id = aws_vpc.Main.id + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.IGW.id + } + tags = { Environment = "${var.environment}" - Name = "${var.namespace}-publicRT" + Name = "${var.namespace}-publicRT" } } resource "aws_route_table_association" "rt_associate_public" { - subnet_id = aws_subnet.Main.id + subnet_id = aws_subnet.Main.id route_table_id = aws_route_table.PublicRT.id } diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index a1b63fc6..24daeca6 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars 
@@ -3,12 +3,12 @@ // Declared in variables.tf // -namespace = "github_actions" -environment = "github_test_pipeline" +namespace = "github_actions" +environment = "lockdown_github_repo_workflow" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" +private_key = ".ssh/github_actions.pem" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" private_subnets = "172.22.0.192/26" - diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 9b837b91..48e7eed3 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -31,7 +31,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well. + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. # This workflow contains a single job called "build" build: # The type of runner that the job will run on @@ -44,7 +44,7 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, # so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} @@ -73,7 +73,7 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false ## Debug Section - name: DEBUG - Show Ansible hostfile 
@@ -81,21 +81,18 @@ jobs: working-directory: .github/workflows run: cat hosts.yml -# Centos 7 images take a while to come up insert sleep or playbook fails +# Aws deployments taking a while to come up insert sleep or playbook fails - - name: Check if test os is rhel7 - working-directory: .github/workflows - id: test_os - run: >- - echo "::set-output name=RHEL7::$( - grep -c RHEL7 OS.tfvars - )" - - - name: if RHEL7 - Sleep for 60 seconds - if: steps.test_os.outputs.RHEL7 >= 1 + - name: Sleep for 60 seconds run: sleep 60s shell: bash +# Set up requirements for random root password CIS 5.6.6 + - name: add urandom passwd to root account + shell: bash + run: | + ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" --private-key ${{ secrets.SSH_PRV_KEY }} -b + # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 0ff7db9c..a7fd514c 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -78,8 +78,6 @@ resource "local_file" "inventory" { run_audit: true system_is_ec2: true audit_git_version: devel - rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.thishasbeenchangedfortesting' - rhel_07_010340: false # turned off as requires passwd for sudo on ec2 images it breaks EOF } diff --git a/.github/workflows/test.sh b/.github/workflows/test.sh deleted file mode 100644 index 1a7202a8..00000000 --- a/.github/workflows/test.sh +++ /dev/null @@ -1,6 +0,0 @@ -RHEL7=$(grep -c RHEL7 OS.tfvars) -if [ `echo $?` != 0 ]; then - exit 0 -fi - - diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index ccdf10e1..7e05228b 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf 
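Review bot: In the new "add urandom passwd to root account" step, `ANSIBLE_HOST_KEY_CHECKING=False && ansible ...` assigns a shell variable without exporting it, so ansible never sees the setting; write it as a prefix of the command, `ANSIBLE_HOST_KEY_CHECKING=False ansible all -i ... -b`, or `export` it first. The `tr -dc ‘[:print:]’` argument uses typographic quotes, so the set also contains the UTF-8 bytes of those quote characters and the generated password may include non-ASCII bytes, which is presumably not intended; use plain ASCII quotes. The comment references "CIS 5.6.6" although this is the STIG role, so it looks like a copy from a sibling workflow and should name the control being exercised here.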
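Review bot: The main.tf hunk drops `rhel7stig_bootloader_password_hash` from the generated test inventory, but tasks/main.yml asserts that this variable differs from the shipped placeholder whenever the bootloader-password controls are enabled (see the PATCH 072 hunk earlier in this series). Unless rhel_07_010481/010482 and related controls are disabled elsewhere for the workflow, the pipeline will now fail at that assert before any remediation runs — confirm against the defaults, or keep a test-only hash in the inventory.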
@@ -28,6 +28,11 @@ variable "ami_key_pair_name" { type = string } +variable "private_key" { + description = "path to private key for ssh" + type = string +} + variable "ami_os" { description = "AMI OS Type" type = string @@ -35,7 +40,7 @@ variable "ami_os" { variable "ami_id" { description = "AMI ID reference" - type = string + type = string } variable "ami_username" { @@ -74,4 +79,3 @@ variable "private_subnets" { description = "private subnet cidr block" type = string } - From 3246513446407d092aa6c1625ffada176eb98465 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 16:02:23 +0000 Subject: [PATCH 088/126] fix typo Signed-off-by: Mark Bolwell --- ChangeLog.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 2b266329..44c4720d 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -15,12 +15,9 @@ - cat_1 - 010010 - 010290 - - 010375 - new control - cat 2 - 010060 - - 010060 - - 010062 - 010062 - 010070 - 010081 @@ -57,6 +54,7 @@ - 040830 - cat 3 + - 010375 - new control - 021600 - 021610 From efed8edcebfd606ada0948f30ed94b39a785ade0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 16:03:05 +0000 Subject: [PATCH 089/126] fix typo Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/fix-cat2.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8a8cd200..b1bd1136 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -437,7 +437,7 @@ rhel7stig_FIPS_KEX: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,dif rhel7stig_ssh_required: true rhel7stig_ssh_ciphers: "{{ rhel7stig_FIPS_ciphers }}" rhel7stig_ssh_macs: "{{ rhel7stig_FIPS_MACs }}" -rhel7_stig_ssh_kex: "{{ rhel7stig_FIPS_KEX }}" +rhel7stig_ssh_kex: "{{ rhel7stig_FIPS_KEX }}" # RHEL-07-040490 # If not required, remove vsftpd. diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ae627ec1..e2ec52fd 100644 --- a/tasks/fix-cat2.yml 
+++ b/tasks/fix-cat2.yml @@ -4069,7 +4069,7 @@ create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?KexAlgorithms" - line: KexAlgorithms "{{ rhel7_stig_ssh_kex }}" + line: KexAlgorithms "{{ rhel7stig_ssh_kex }}" validate: /usr/sbin/sshd -t -f %s mode: 0600 notify: restart sshd From 6fed141dc0aa66c7079c8447b4def9df5944ae37 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 17:24:20 +0000 Subject: [PATCH 090/126] updated goss version Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b1bd1136..e9de26e8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -737,14 +737,14 @@ audit_run_script_environment: ### Audit binary settings ### audit_bin_version: - release: v0.3.20 - checksum: 'sha256:459bc14662967d07795234374a04d611cd2f821140eb4225e7d9ba4572630e11' + release: v0.3.21 + checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json # if get_audit_binary_method == download change accordingly -audit_bin_url: "https://github.com/aelsabbahy/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" ## if get_audit_binary_method - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node From bcfa72af5bd07f8c390980bc3f30657ec1105c4e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 17:24:30 +0000 Subject: [PATCH 091/126] improved handler logic Signed-off-by: Mark Bolwell --- handlers/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 63671263..c4898d53 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -25,9 +25,8 @@ notify: make grub2 config - name: make grub2 config - command: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_grub_cfg_path }} + command: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_grub2_user_cfg.stat.exists | ternary('/boot/grub2/user.cfg', rhel7stig_grub_cfg_path) }} when: - - rhel7stig_grub2_user_cfg.stat.exists - not rhel7stig_skip_for_travis - not rhel7stig_system_is_container From e5b55e6bdc53b3e26b0f03994eb8958947c3af74 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 17:24:46 +0000 Subject: [PATCH 092/126] updated control Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e2ec52fd..2af5a1a9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
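Review bot: The reworked `make grub2 config` handler writes the grub2-mkconfig output to `/boot/grub2/user.cfg` whenever that file exists, which would overwrite the small file holding the GRUB2_PASSWORD entry with a full generated grub.cfg and thereby remove the bootloader password the role is meant to enforce. PATCH 095 later in this series reverts this change, which is the right outcome; the handler's `--output` should only ever target `rhel7stig_grub_cfg_path`, and a comment such as `# never write mkconfig output to user.cfg: it holds the password hash` would prevent the same idea from resurfacing.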
@@ -404,26 +404,14 @@ - V-204414 - pwquality -- name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility." - block: - - name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | stat" - stat: - path: "{{ item }}" - register: rhel7cis_010199_auth_symlinks - loop: - - '/etc/pam.d/password-auth-local' - - '/etc/pam.d/system-auth-local' - - - name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | symlink" - file: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - state: link - loop: - - { 'src': '/etc/pam.d/password-auth', 'dest': '/etc/pam.d/password-auth-local' } - - { 'src': '/etc/pam.d/system-auth', 'dest': '/etc/pam.d/system-auth-local' } - when: - - item.dest not in rhel7cis_010199_auth_symlinks.stat.exists +- name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | symlink" + file: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + state: link + loop: + - { 'src': '/etc/pam.d/password-auth', 'dest': '/etc/pam.d/password-auth-local' } + - { 'src': '/etc/pam.d/system-auth', 'dest': '/etc/pam.d/system-auth-local' } when: - rhel_07_010199 tags: From cd32e5bc14c10391afe5a59550b530b3bfa99aaa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Feb 2023 17:25:00 +0000 Subject: [PATCH 093/126] audit alignment Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 1841d0c4..555c3dbd 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -74,6 +74,7 @@ RHEL_07_010160: {{ rhel_07_010160 }} RHEL_07_010170: {{ rhel_07_010170 }} RHEL_07_010180: {{ rhel_07_010180 }} RHEL_07_010190: {{ rhel_07_010190 }} +RHEL_07_010199: {{ rhel_07_010199 }} RHEL_07_010200: {{ rhel_07_010200 }} RHEL_07_010210: {{ rhel_07_010210 }} RHEL_07_010220: {{ rhel_07_010220 }} @@ -153,6 +154,7 @@ RHEL_07_030201: {{ rhel_07_030201 }} RHEL_07_030210: {{ rhel_07_030210 }} RHEL_07_030211: {{ rhel_07_030211 }} # if you set 030300 to 'true' ensure you define rhel7stig_audisp_remote_server +RHEL_07_010375: {{ rhel_07_010375 }} RHEL_07_030300: {{ rhel_07_030300 }} RHEL_07_030310: {{ rhel_07_030310 }} RHEL_07_030320: {{ rhel_07_030320 }} @@ -245,6 +247,7 @@ RHEL_07_040670: {{ rhel_07_040670 }} RHEL_07_040680: {{ rhel_07_040680 }} RHEL_07_040710: {{ rhel_07_040710 }} RHEL_07_040711: {{ rhel_07_040711 }} +RHEL_07_040712: {{ rhel_07_040712 }} RHEL_07_040720: {{ rhel_07_040720 }} RHEL_07_040730: {{ rhel_07_040730 }} RHEL_07_040740: {{ rhel_07_040740 }} @@ -260,6 +263,7 @@ RHEL_07_910055: {{ rhel_07_910055 }} ## Cat III +RHEL_07_010375: {{ rhel_07_010375 }} RHEL_07_020200: {{ rhel_07_020200 }} RHEL_07_020300: {{ rhel_07_020300 }} RHEL_07_021024: {{ rhel_07_021024 }} @@ -387,6 +391,7 @@ rhel7stig_firewalld_services: #SSH settings rhel7stig_ssh_ciphers: {{ rhel7stig_ssh_ciphers }} rhel7stig_ssh_MACs: {{ rhel7stig_ssh_macs }} +rhel7stig_ssh_kex: {{ rhel7stig_ssh_kex }} # RHEL_07_040160 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) From d5eae787468903527eb28ab9ba8d9d7d10bc5227 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 8 Feb 2023 12:02:03 +0000 Subject: [PATCH 094/126] changed audit git release to match branch names 
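Review bot: `RHEL_07_010375` is added twice to the rendered goss variables file — once after the `030211` line in the Cat II section and again under `## Cat III` — which yields a duplicate key that most YAML parsers resolve silently as last-wins. Only the Cat III entry should remain, matching where the control lives in defaults/main.yml. The first insertion also separates the `# if you set 030300 to 'true' ...` comment from the `RHEL_07_030300` line it describes.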
Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index e9de26e8..d52299cc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -755,7 +755,7 @@ audit_bin_copy_location: /some/accessible/path ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: main +audit_git_version: "benchmark_{{ benchmark_version }}_rh7" # copy: audit_local_copy: "some path to copy from" From b3b4f09278ad3f72c596f67aa4eab7ca75acfe04 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 8 Feb 2023 12:02:18 +0000 Subject: [PATCH 095/126] revert change Signed-off-by: Mark Bolwell --- handlers/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index c4898d53..63671263 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -25,8 +25,9 @@ notify: make grub2 config - name: make grub2 config - command: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_grub2_user_cfg.stat.exists | ternary('/boot/grub2/user.cfg', rhel7stig_grub_cfg_path) }} + command: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_grub_cfg_path }} when: + - rhel7stig_grub2_user_cfg.stat.exists - not rhel7stig_skip_for_travis - not rhel7stig_system_is_container From f089c767ac7b2665b3dc44cde516e49b101acfbb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 8 Feb 2023 12:02:30 +0000 Subject: [PATCH 096/126] fix typo Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2af5a1a9..819fbac6 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -4544,7 +4544,7 @@ - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo." block: - name: "MEDIUM | RHEL-07-010342 | AUDIT | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation" - shell: grep -Eirs '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --unique + shell: grep -Eirs '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --uniq changed_when: false failed_when: false register: rhel_07_010342_priv_escalation From 84f7594c5a081a06719595e0c8576324652f26bc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 8 Feb 2023 12:44:57 +0000 Subject: [PATCH 097/126] removed become statement Signed-off-by: Mark Bolwell --- tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 540446d5..c32bdbf4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -68,7 +68,6 @@ - name: include prelim tasks import_tasks: prelim.yml - become: true tags: - prelim_tasks - run_audit From 5fd060645975db9d8f36b7e401bb253211b061d0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 8 Feb 2023 12:45:38 +0000 Subject: [PATCH 098/126] updated 10260 changed_when Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 819fbac6..ba6f3ed7 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
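Review bot: `sort --uniq` is not a documented option; it only works because GNU getopt accepts unambiguous prefixes of `--unique`, so this "typo fix" replaces a valid spelling with one that relies on that behaviour. Use the short form, `... | cut -d":" -f1 | sort -u`, which is what the rpm checks in fix-cat1 already use. Separately, `grep -v '#'` discards any sudoers line containing a `#` anywhere, so a `Defaults !targetpw  # note` line would be missed by this audit; `grep -v '^\s*#'` is the safer filter. The block this task belongs to starts before the hunk.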
@@ -552,7 +552,7 @@ - name: "MEDIUM | RHEL-07-010260 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" check_mode: false - changed_when: rhel_07_010260_audit.stdout| length > 0 + changed_when: false register: rhel_07_010260_audit - name: "MEDIUM | RHEL-07-010260 | PATCH | Reset password timeout to prevent locking out user." @@ -4179,7 +4179,7 @@ - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." debug: - msg: "Your configured firewall service is {{ rhel7stig_firewall_service }}, but you have set the variable rhel7stig_start_firewall_service to false. We cannot audit control RHEL-07-040810. Please set the variable rhel7stig_start_firewall_service to true in the defaults file of this role and re-run the playbook." + msg: "Could not pull configuration rules for RHEL-07-040810 {{ rhel7stig_firewall_service }}, but you have set the variable rhel7stig_start_firewall_service to false." changed_when: true when: not rhel7stig_start_firewall_service when: From bc515f48717fed71013ecbdb81dbefc6ee9e18e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 8 Feb 2023 12:46:10 +0000 Subject: [PATCH 099/126] updated Ansible version Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 516b97c2..7dd1e3de 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,5 @@ --- -rhel7stig_min_ansible_version: 2.9 +rhel7stig_min_ansible_version: 2.10.0 rhel7stig_dconf_available: "{{ rhel7stig_gui or rhel7stig_dconf_audit.rc == 0 or rhel7stig_always_configure_dconf }}" From 87e9298f26690afa086439bfa2f852739d12fa93 Mon Sep 17 00:00:00 2001 
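Review bot: The rewritten RHEL-07-040810 warning in the second hunk reads as a fragment — "Could not pull configuration rules for RHEL-07-040810 firewalld, but you have set ... to false" joins two unrelated clauses and drops the instruction the old text gave on how to make the audit run. Suggest `msg: "RHEL-07-040810 cannot be audited: rhel7stig_start_firewall_service is false, so the {{ rhel7stig_firewall_service }} rules were not queried. Set it to true to audit this control."`. The `changed_when: false` in the first hunk is correct for a read-only audit task. Both tasks belong to blocks that begin outside the hunks.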
From: Mark Bolwell Date: Wed, 8 Feb 2023 12:46:20 +0000 Subject: [PATCH 100/126] removed files no loner used Signed-off-by: Mark Bolwell --- tasks/audit_command.yml | 17 ------ tasks/audit_file.yml | 15 ----- tasks/audit_selinuxlocaluserdefs.yml | 83 ---------------------------- tasks/audit_system_call.yml | 20 ------- 4 files changed, 135 deletions(-) delete mode 100644 tasks/audit_command.yml delete mode 100644 tasks/audit_file.yml delete mode 100644 tasks/audit_selinuxlocaluserdefs.yml delete mode 100644 tasks/audit_system_call.yml diff --git a/tasks/audit_command.yml b/tasks/audit_command.yml deleted file mode 100644 index 153ffee8..00000000 --- a/tasks/audit_command.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# tasks/audit_command.yml - -- name: "MEDIUM | RHEL-07-{{ item.id }} | {{ audit_present | ternary('PATCH', 'REVERT') }} | The Red Hat Enterprise Linux operating system must audit all uses of the {{ item.path | basename }} command." - lineinfile: - path: "/etc/audit/rules.d/rhel7stig_commands.rules" - create: true - owner: root - group: root - mode: 0600 - line: "{{ item.trivial | default(false) | ternary(trivial_audit, normal_audit) }}" - state: "{{ audit_present | ternary('present', 'absent') }}" - vars: - trivial_audit: "-w {{ item.path }} -p x -F auid!=4294967295 -k {{ item.key }}" - normal_audit: "-a always,exit -F path={{ item.path }} {% if not item.no_perm_x_filter is defined or not item.no_perm_x_filter %}-F perm=x {% endif %}-F auid>={{ rhel7stig_int_gid }} -F auid!=4294967295 -k {{ item.key }}" - audit_present: "{{ item.create | default(vars['rhel_07_' + item.id]) }}" - notify: restart auditd diff --git a/tasks/audit_file.yml b/tasks/audit_file.yml deleted file mode 100644 index 81093364..00000000 --- a/tasks/audit_file.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -# tasks/audit_file.yml - -- name: "MEDIUM | RHEL-07-{{ item.id }} | {{ audit_present | ternary('PATCH', 'REVERT') }} | The Red Hat Enterprise Linux operating system must generate audit records for all {{ item.description }}." - lineinfile: - path: "/etc/audit/rules.d/rhel7stig_files.rules" - create: true - owner: root - group: root - mode: 0600 - line: "-w {{ item.path }} -p wa -k {{ item.key }}" - state: "{{ audit_present | ternary('present', 'absent') }}" - vars: - audit_present: "{{ item.create | default(vars['rhel_07_' + item.id]) }}" - notify: restart auditd diff --git a/tasks/audit_selinuxlocaluserdefs.yml b/tasks/audit_selinuxlocaluserdefs.yml deleted file mode 100644 index 22dea8f2..00000000 --- a/tasks/audit_selinuxlocaluserdefs.yml +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -# # Let's now check to see what is mapped to selinux -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - command: semanage login -l - register: rhel_07_020020_semanage_check - when: - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -# find the local interactive staff -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_staff_group }}/ {print $4;}' /etc/group | tr ',' '\n'" - register: rhel_07_020020_local_interactive_staff - when: - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - debug: - msg: "WARNING: There are no users configured to be part of the specified local interactive staff group {{ rhel_07_020020_selinux_local_interactive_staff_group }}. You must configure this group to satisfy requirements of this control." 
- changed_when: - - rhel7stig_audit_complex - when: - - not rhel_07_020020_local_interactive_staff.stdout_lines | length > 0 - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -- name: "MEDIUM | RHEL-07-020020 | PATCH | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: semanage login -m -s user_u "{{ item }}" - with_items: - - "{{ rhel_07_020020_local_interactive_staff.stdout_lines }}" - when: - - rhel_07_020020_local_interactive_staff.stdout_lines | length > 0 - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -# find the local interactive users -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_users_group }}/ {print $4;}' /etc/group | tr ',' '\n'" - register: rhel_07_020020_local_interactive_users - when: - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - debug: - msg: "WARNING: There are no users configured to be part of the specified local interactive user group {{ rhel_07_020020_selinux_local_interactive_users_group }}. You must configure this group to satisfy requirements of this control." 
- changed_when: - - rhel7stig_audit_complex - when: - - not rhel_07_020020_local_interactive_users.stdout_lines | length > 0 - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -- name: "MEDIUM | RHEL-07-020020 | PATCH | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: semanage login -m -s user_u "{{ item }}" - with_items: - - "{{ rhel_07_020020_local_interactive_users.stdout_lines }}" - when: - - rhel_07_020020_local_interactive_users.stdout_lines | length > 0 - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 diff --git a/tasks/audit_system_call.yml b/tasks/audit_system_call.yml deleted file mode 100644 index 94b7fef7..00000000 --- a/tasks/audit_system_call.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -# tasks/audit_system_call.yml - -- name: "MEDIUM | RHEL-07-{{ item.id }} | {{ audit_present | ternary('PATCH', 'REVERT') }} | The Red Hat Enterprise Linux operating system must audit all uses of the {{ item.call }} syscall." - lineinfile: - path: "/etc/audit/rules.d/rhel7stig_system_calls.rules" - create: true - owner: root - group: root - mode: 0600 - line: "-a always,exit -F arch={{ arch }} -S {{ item.call }} {% if item.extra_fields is defined %}{{ item.extra_fields }} {% endif %}{{ item.include_all_auids | default(false) | ternary('', '-F auid>=1000 -F auid!=4294967295 ') }}-k {{ item.key }}" - state: "{{ audit_present | ternary('present', 'absent') }}" - with_items: - - b64 - - b32 - loop_control: - loop_var: arch - vars: - audit_present: "{{ item.create | default(vars['rhel_07_' + item.id]) }}" - notify: restart auditd From ce964f0490f288429a2841fecd9d8bd67e053bb3 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 28 Feb 2023 10:25:51 +0000 Subject: [PATCH 101/126] added update galaxy workflow Signed-off-by: Mark Bolwell --- .github/workflows/update_galaxy.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/update_galaxy.yml diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml new file mode 100644 index 00000000..5d41affe --- /dev/null +++ b/.github/workflows/update_galaxy.yml @@ -0,0 +1,20 @@ +--- + +# This is a basic workflow to help you get started with Actions + +name: update galaxy + +# Controls when the action will run. +# Triggers the workflow on merge request events to the main branch +on: + push: + branches: + - main +jobs: + update_role: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: hspaans/ansible-galaxy-action@master + with: + api_key: ${{ secrets.GALAXY_API_KEY }} From 1cf2c779445bb9b60689a678e63861b2cc7bc262 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 10:43:05 +0000 Subject: [PATCH 102/126] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 31 +++++++++++++++---------------- .yamllint | 10 +--------- 2 files changed, 16 insertions(+), 25 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index c65e7eb5..e582a588 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,21 +1,20 @@ parseable: true quiet: true skip_list: - - 'schema' - - 'no-changed-when' - - 'fqcn-builtins' - - 'experimental' - - 'fqcn[action-core]' - - 'fqcn[action]' - - 'name[casing]' - - 'name[template]' - - 'jinja[spacing]' - - 'var-naming' # Older playbook no new release - - '204' - - '305' - - '303' - - '403' - - '306' - - '602' + - 'schema' + - 'no-changed-when' + - 'var-spacing' + - 'experimental' + - 'name[play]' + - 'name[casing]' + - 'name[template]' + - 'fqcn[action]' + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' + - '208' use_default_rules: true verbosity: 0 
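Review bot: `hspaans/ansible-galaxy-action@master` pins a third-party action to a mutable branch in a job that receives `secrets.GALAXY_API_KEY`; anyone who can push to that branch can read the key and publish arbitrary content under this role's Galaxy namespace. Pin both actions to a full commit SHA with a version comment, e.g. `- uses: hspaans/ansible-galaxy-action@<sha>  # vX.Y`, and treat `actions/checkout@v2` the same way. Add a top-level `permissions:` / `  contents: read` block so the default GITHUB_TOKEN is not granted write scopes this job does not need. The header comment ("basic workflow to help you get started with Actions") is template boilerplate; replace it with what the job actually does, e.g. `# Publishes this role to Ansible Galaxy on every push to main`.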
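Review bot: The new `.ansible-lint` skip_list adds `'208'`, which — if this matches ansible-lint's legacy numbering — is `risky-file-permissions`, the rule that flags file-creating tasks with no explicit `mode:`; suppressing it repo-wide on a hardening role hides exactly the class of finding the role remediates on target hosts. Prefer leaving it enabled and fixing the offending tasks, or silencing it per task with `# noqa: risky-file-permissions` where the default umask is intentional. A trailing comment per numeric entry naming the rule (e.g. `- '208'  # risky-file-permissions`) would help, since the numbers are opaque and several of them were dropped from newer ansible-lint releases.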
diff --git a/.yamllint b/.yamllint index 1fd654ac..4823010f 100644 --- a/.yamllint +++ b/.yamllint @@ -9,11 +9,6 @@ ignore: | extends: default rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent braces: max-spaces-inside: 1 level: error @@ -31,7 +26,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false - - - + check-keys: true From 2027e1f4fba39f639b51ae36459a3702688518df Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 10:43:22 +0000 Subject: [PATCH 103/126] lint Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ba6f3ed7..c2af62d0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -156,7 +156,7 @@ state: present when: - rhel_07_010090 - - "'screen' not in ansible_facts.packages" + - "'screen' not in ansible_facts.packages" - "'tmux' not in ansible_facts.packages" tags: - RHEL-07-010090 From 462943383cfec9c73e3b4d39bcfffe9d37d382d0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 10:43:42 +0000 Subject: [PATCH 104/126] moved to use default audit_git version Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index a7fd514c..16dfdf69 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -77,7 +77,6 @@ resource "local_file" "inventory" { setup_audit: true run_audit: true system_is_ec2: true - audit_git_version: devel EOF } From 2654fb6017f10f5591fab31a447b3f00851db859 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 10:43:50 +0000 Subject: [PATCH 105/126] fqcn lint 
Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 4 +- tasks/audit_firewalld.yml | 10 +-- tasks/audit_homedirinifiles.yml | 2 +- tasks/audit_homedirperms.yml | 6 +- tasks/audit_iptables.yml | 12 ++- tasks/fix-cat1.yml | 125 +++++++++++-------------------- tasks/main.yml | 60 +++++++-------- tasks/parse_etc_passwd.yml | 4 +- tasks/post_remediation_audit.yml | 12 +-- tasks/pre_remediation_audit.yml | 32 ++++---- tasks/prelim.yml | 78 +++++++++---------- 11 files changed, 153 insertions(+), 192 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7df51c6a..fd75cea5 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,7 +1,7 @@ --- - name: Download audit binary - get_url: + ansible.builtin.get_url: url: "{{ audit_bin_url }}" dest: "{{ audit_bin }}" owner: root @@ -12,7 +12,7 @@ - get_audit_binary_method == 'download' - name: copy audit binary - copy: + ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: 0555 diff --git a/tasks/audit_firewalld.yml b/tasks/audit_firewalld.yml index bdd2d248..ebfc496c 100644 --- a/tasks/audit_firewalld.yml +++ b/tasks/audit_firewalld.yml @@ -1,7 +1,7 @@ --- - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - command: firewall-cmd --get-default-zone + ansible.builtin.shell: firewall-cmd --get-default-zone register: rhel_07_040810_firewalld_zone_audit changed_when: false failed_when: false 
@@ -12,7 +12,7 @@ - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - command: firewall-cmd --list-all --zone="{{ rhel_07_040810_firewalld_zone_audit.stdout }}" + ansible.builtin.shell: firewall-cmd --list-all --zone="{{ rhel_07_040810_firewalld_zone_audit.stdout }}" register: rhel_07_040810_firewalld_zone_default_audit changed_when: false when: @@ -22,7 +22,7 @@ - RHEL-07-040810 - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: + ansible.builtin.debug: msg: "The following task output is the firewalld settings for zone {{ rhel_07_040810_firewalld_zone_audit.stdout }} from {{ ansible_hostname }}:" when: - rhel_07_040810_firewalld_zone_audit.stdout | length > 0 @@ -31,7 +31,7 @@ - RHEL-07-040810 - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: var=rhel_07_040810_firewalld_zone_default_audit.stdout_lines + ansible.builtin.debug: var=rhel_07_040810_firewalld_zone_default_audit.stdout_lines changed_when: true when: - rhel_07_040810_firewalld_zone_audit.stdout | length > 0 
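Review bot: The `command:` → `ansible.builtin.shell:` swap in this hunk is not an FQCN change — `ansible.builtin.command` exists — and it means the interpolated value in `firewall-cmd --list-all --zone="{{ rhel_07_040810_firewalld_zone_audit.stdout }}"` is now parsed by `/bin/sh` instead of being passed as one argv element. That value comes from the previous `firewall-cmd --get-default-zone`, so it is not attacker-controlled in practice, but the pattern is repeated across this commit and ansible-lint's `command-instead-of-shell` will flag every instance. Keep the module semantics and only qualify the name: `ansible.builtin.command: firewall-cmd --list-all --zone="{{ rhel_07_040810_firewalld_zone_audit.stdout }}"`.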
@@ -40,7 +40,7 @@ - RHEL-07-040810 - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: + ansible.builtin.debug: msg: "Warning!! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." changed_when: true when: diff --git a/tasks/audit_homedirinifiles.yml b/tasks/audit_homedirinifiles.yml index fcf7c63f..44c6b7a1 100644 --- a/tasks/audit_homedirinifiles.yml +++ b/tasks/audit_homedirinifiles.yml @@ -1,6 +1,6 @@ --- - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - debug: + ansible.builtin.debug: msg: "You will need to audit {{ ini_item }} for reference to {{ item }}, which has been found with world-writable permissions. Those permissions will be changed in the next task to 0755." failed_when: false changed_when: false diff --git a/tasks/audit_homedirperms.yml b/tasks/audit_homedirperms.yml index 6ca917a7..1292a60a 100644 --- a/tasks/audit_homedirperms.yml +++ b/tasks/audit_homedirperms.yml @@ -1,6 +1,6 @@ --- - name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - find: + ansible.builtin.find: paths: - "{{ homedir }}" recurse: true 
@@ -14,7 +14,7 @@ - complexity-high - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - file: + ansible.builtin.file: path: "{{ line_item.path }}" mode: 0640 loop: "{{ rhel_07_020680_results.files }}" @@ -30,7 +30,7 @@ - complexity-high - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - file: + ansible.builtin.file: path: "{{ line_item.path }}" mode: 0750 loop: "{{ rhel_07_020680_results.files }}" diff --git a/tasks/audit_iptables.yml b/tasks/audit_iptables.yml index 4c03dd29..cca47c0d 100644 --- a/tasks/audit_iptables.yml +++ b/tasks/audit_iptables.yml @@ -1,6 +1,7 @@ --- + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - command: iptables-save + ansible.builtin.shell: iptables-save register: rhel_07_040810_iptables_audit changed_when: false failed_when: false @@ -9,8 +10,9 @@ tags: - RHEL-07-040810 - firewall + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: + ansible.builtin.debug: msg: "The following task output is the iptables-save output in full from {{ ansible_hostname }}:" changed_when: true when: 
@@ -19,8 +21,9 @@ tags: - RHEL-07-040810 - firewall + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: var=rhel_07_040810_iptables_audit.stdout_lines + ansible.builtin.debug: var=rhel_07_040810_iptables_audit.stdout_lines changed_when: false when: - rhel_07_040810_iptables_audit.stdout_lines is defined @@ -28,8 +31,9 @@ tags: - RHEL-07-040810 - firewall + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: + ansible.builtin.debug: msg: "WARNING! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." changed_when: true when: diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index abb95356..d4663bd9 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -2,7 +2,7 @@ - name: "HIGH | RHEL-07-010010 | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." block: - name: "HIGH | RHEL-07-010010 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." - shell: | + ansible.builtin.shell: | rpm -Va --nolinkto --nofiledigest --nosize --nomtime --nodigest --nosignature | grep -E '^(.M|.....U|......G)' | tee /dev/stderr | cut -c13- | sed 's/^ //' | xargs rpm -qf --qf='%{name}\n' | sort -u args: warn: false 
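Review bot: The RHEL-07-010010 `rpm -Va` task in the last hunk on this line keeps `args:` / `warn: false`, while the next two hunks delete the same lines from its sibling tasks. As far as I recall, `warn` was removed from the command/shell modules in ansible-core 2.14, where it is a hard "Unsupported parameters" failure rather than a warning, so after this commit the role would still abort on the very first CAT I task on current ansible-core. Delete `args:`/`warn: false` here as well, which also keeps the three rpm tasks consistent with each other. The block continues past the hunk.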
@@ -12,18 +12,16 @@ register: rhel_07_010010_audit - name: "HIGH | RHEL-07-010010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." - shell: > + ansible.builtin.shell: > ( rpm --setugids {{ item }}; rpm --setperms {{ item }} ) 2>&1 1>&2 | grep -v ': No such file or directory$' - args: - warn: false register: rhel_07_010010_patch ignore_errors: true with_items: "{{ rhel_07_010010_audit.stdout_lines }}" when: rhel_07_010010_audit.stdout_lines | length > 0 - name: "HIGH | RHEL-07-010010 | AUDIT | Error during remediation" - debug: + ansible.builtin.debug: msg: "Warning!! The following package files have been reset to default {{ item }}" changed_when: true loop: "{{ rhel_07_010010_patch.results }}" 
@@ -49,24 +47,20 @@ - name: "HIGH | RHEL-07-010020 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." block: - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." - shell: 'rpm -Va --noconfig --nolinkto --nosize --nouser --nogroup --nomtime --nomode --nodigest --nosignature | grep ''^..5'' | tee /dev/stderr | cut -c13- | sed ''s/^ //'' | xargs rpm -qf --qf=''%{name}\n'' | sort -u' - args: - warn: false + ansible.builtin.shell: 'rpm -Va --noconfig --nolinkto --nosize --nouser --nogroup --nomtime --nomode --nodigest --nosignature | grep ''^..5'' | tee /dev/stderr | cut -c13- | sed ''s/^ //'' | xargs rpm -qf --qf=''%{name}\n'' | sort -u' check_mode: false failed_when: false changed_when: rhel_07_010020_audit.stdout| length > 0 register: rhel_07_010020_audit - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." - debug: + ansible.builtin.debug: msg: "{{ rhel_07_010020_audit.stderr_lines }}" changed_when: true when: rhel_07_010020_audit.stdout | length > 0 - name: "HIGH | RHEL-07-010020 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." - command: yum reinstall -y {{ item }} - args: - warn: false + ansible.builtin.shell: yum reinstall -y {{ item }} failed_when: false with_items: - "{{ rhel_07_010020_audit.stdout_lines }}" @@ -83,7 +77,7 @@ - packages - name: "HIGH | RHEL-07-010290 | PATCH | The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords." - replace: + ansible.builtin.replace: dest: "{{ item }}" regexp: 'nullok ?' when: 
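Review bot: `command: yum reinstall -y {{ item }}` becomes `ansible.builtin.shell: yum reinstall -y {{ item }}`, which hands each package name from the `rpm -Va | ... | rpm -qf` pipeline to `/bin/sh` unquoted; with `command` the name was a single argv element. Package names from rpm's own database are not hostile input, but the task also has `failed_when: false`, so a name the shell mangles would reinstall nothing and report success. Since the commit is meant to be lint-only, the equivalent is `ansible.builtin.command: yum reinstall -y {{ item }}`. The enclosing block starts and ends outside the hunk.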
@@ -103,14 +97,14 @@ - name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords." block: - name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" - command: "awk -F: '!$2 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '!$2 {print $1}' /etc/shadow" changed_when: false failed_when: false check_mode: false register: rhel_07_010291_no_pw_users - name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" - debug: + ansible.builtin.debug: msg: - "Alert! You have users that are not using passwords. Please either set a password, lock, or remove the accounts below:" - "{{ rhel_07_010291_no_pw_users.stdout_lines }}" @@ -129,7 +123,7 @@ - accounts - name: "HIGH | RHEL-07-010300 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password." - lineinfile: + ansible.builtin.lineinfile: state: present dest: /etc/ssh/sshd_config regexp: "(?i)^#?PermitEmptyPasswords" @@ -149,7 +143,7 @@ - ssh - name: "HIGH | RHEL-07-010440 | PATCH | The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/gdm/custom.conf regexp: (?i)automaticloginenable line: AutomaticLoginEnable=false @@ -167,7 +161,7 @@ - gui - name: "HIGH | RHEL-07-010450 | PATCH | The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/gdm/custom.conf regexp: (?i)timedloginenable line: TimedLoginEnable=false 
@@ -183,47 +177,12 @@ - SV-204433r603261_rule - V-204433 -# - name: | -# "HIGH | RHEL-07-010480 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." -# "HIGH | RHEL-07-010490 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." -# lineinfile: -# dest: /etc/grub.d/40_custom -# insertafter: EOF -# regexp: "{{ item.regex }}" -# line: "{{ item.line }}" -# with_items: -# - regexp: ^\s*set superusers= -# line: ' set superusers="root"' -# - regexp: ^password_pbkdf2 -# line: "^password_pbkdf2 {{ rhel7stig_boot_superuser }} {{ rhel7stig_bootloader_password_hash }}" -# no_log: true -# notify: -# - make grub2 config -# when: -# - rhel_07_010480 or -# rhel_07_010490 -# - ansible_distribution_version is version_compare('7.2', '<') -# tags: -# - CAT1 -# - RHEL-07-010480 -# - CCI-000213 -# - SRG-OS-000080-GPOS-00048 -# - SV-204436r603261_rule -# - V-204436 -# - RHEL-07-010490 -# - CCI-000213 -# - SRG-OS-000080-GPOS-00048 -# - SV-204439r603261_rule -# - V-204439 -# - grub -# - bootloader - - name: | "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." block: - name: "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." 
- lineinfile: + ansible.builtin.lineinfile: path: /boot/grub2/user.cfg create: true mode: '0644' @@ -237,7 +196,7 @@ - not rhel7stig_machine_uses_uefi - name: "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel7stig_bootloader_path }}/user.cfg" create: true mode: '0644' @@ -269,7 +228,7 @@ - bootloader - name: "HIGH | RHEL-07-020000 | PATCH | The Red Hat Enterprise Linux operating system must not have the rsh-server package installed." - package: + ansible.builtin.package: name: rsh-server state: absent vars: @@ -287,7 +246,7 @@ - rsh - name: "HIGH | RHEL-07-020010 | PATCH | The Red Hat Enterprise Linux operating system must not have the ypserv package installed." - package: + ansible.builtin.package: name: ypserv state: absent vars: @@ -305,7 +264,7 @@ - ypserv - name: "HIGH | RHEL-07-020050 | PATCH | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/yum.conf regexp: ^gpgcheck line: gpgcheck=1 
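Review bot: Both user.cfg tasks in these hunks create the file with `mode: '0644'`, yet the file is where grub reads its `GRUB2_PASSWORD=` PBKDF2 hash (presumably the `line:` carrying `rhel7stig_bootloader_password_hash`, which sits outside the hunk), so the bootloader password hash is left world-readable and available for offline cracking. Red Hat's own `grub2-setpassword` creates `/boot/grub2/user.cfg` as root:root 0600, as far as I recall. The lines are unchanged context, but they are the code under review now that the tasks are being touched, and the fix is one token in each task: `mode: '0600'`. The UEFI variant at `{{ rhel7stig_bootloader_path }}/user.cfg` needs the same, noting that on a vfat ESP the mode is governed by mount options rather than this value.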
@@ -322,7 +281,7 @@ - yum - name: "HIGH | RHEL-07-020060 | PATCH | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/yum.conf regexp: ^localpkg_gpgcheck line: localpkg_gpgcheck=1 @@ -339,7 +298,7 @@ - yum - name: "HIGH | RHEL-07-020230 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line." - systemd: + ansible.builtin.systemd: name: ctrl-alt-del.target masked: true when: @@ -354,7 +313,7 @@ - systemctl - name: "HIGH | RHEL-07-020231 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-disable-ctrl-alt-del content: | [org/gnome/settings-daemon/plugins/media-keys] @@ -378,7 +337,7 @@ # EUS RHEL7.7 31st August 2021 # Maintainance RHEL7.9 30th April 2021 - name: "HIGH | RHEL-07-020250 | PATCH | The Red Hat Enterprise Linux operating system must be a vendor supported release." - debug: + ansible.builtin.debug: msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel7stig_min_supported_os_ver[ansible_distribution] }} changed_when: - rhel7stig_audit_complex 
@@ -399,14 +358,14 @@ block: # Currently just locks user account - name: "HIGH | RHEL-07-020310 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system." - shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" + ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" check_mode: false changed_when: false failed_when: false register: rhel_07_020310_audit - name: "HIGH | RHEL-07-020310 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system." - command: "passwd -l {{ item }}" + ansible.builtin.shell: "passwd -l {{ item }}" with_items: "{{ rhel_07_020310_audit.stdout_lines }}" when: rhel_07_020310_audit.rc when: @@ -423,7 +382,7 @@ - name: "HIGH | RHEL-07-021350 | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." - package: + ansible.builtin.package: name: dracut-fips state: present vars: 
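Review bot: The FQCN rewrite changes `command: "passwd -l {{ item }}"` into `ansible.builtin.shell:`, which runs the interpolated account name through /bin/sh instead of passing it as a single argv word; `item` is field 1 of /etc/passwd as printed by the awk in the audit task above, so any metacharacter in that field is now interpreted by the shell. The behaviour-preserving conversion is `ansible.builtin.command: "passwd -l {{ item }}"`, which is also what ansible-lint's command-instead-of-shell rule expects. The same `command:` → `ansible.builtin.shell:` substitution recurs in every other former `command:` task in this diff — the grep/find tasks of fix-cat1.yml, `cat /etc/passwd` in parse_etc_passwd.yml, the `cat`/`tail` capture tasks in the pre/post audit files, and the rpm, yum-config-manager, find, grep and ssh-keygen tasks in prelim.yml — and in each of them `ansible.builtin.command` keeps the original semantics because none uses a pipe or redirection. The first task in this hunk pipes into awk and genuinely needs `ansible.builtin.shell`.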
@@ -433,7 +392,7 @@ - "'dracut-fips' not in ansible_facts.packages" - name: "HIGH | RHEL-07-021350 | PATCH | Disable prelinking." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no @@ -449,14 +408,14 @@ - name: "HIGH | RHEL-07-021350 | AUDIT | Capture GRUB_CMDLINE_LINUX from /proc/cmdline" block: - name: "HIGH | RHEL-07-021350 | AUDIT | Capture GRUB_CMDLINE_LINUX from /proc/cmdline" - command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline + ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline check_mode: false changed_when: false failed_when: rhel_07_021350_grub_cmdline_linux_audit.rc > 1 register: rhel_07_021350_grub_cmdline_linux_audit - name: "HIGH | RHEL-07-021350 | PATCH | Copy over a sane /etc/default/grub" - template: + ansible.builtin.template: src: etc_default_grub.j2 dest: /etc/default/grub owner: root @@ -468,7 +427,7 @@ when: not rhel7_stig_default_grub.stat.exists - name: "HIGH | RHEL-07-021350 | PATCH | fips=1 must be in /etc/default/grub" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: "{{ rhel7stig_regexp_quoted_params }}" replace: "{{ rhel7stig_replace_quoted_params }}" @@ -485,7 +444,7 @@ - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." block: - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: "{{ rhel7stig_regexp_quoted_params }}" replace: "{{ rhel7stig_replace_quoted_params }}" 
@@ -505,7 +464,7 @@ register: result - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub check_mode: false with_items: - "fips={{ fips_value }}" @@ -541,7 +500,7 @@ - fips - name: "HIGH | RHEL-07-021710 | PATCH | The Red Hat Enterprise Linux operating system must not have the telnet-server package installed." - package: + ansible.builtin.package: name: telnet-server state: absent vars: @@ -561,14 +520,14 @@ - name: "HIGH | RHEL-07-032000 | The Red Hat Enterprise Linux operating system must use a virus scan program." block: - name: "HIGH | RHEL-07-032000 | PATCH | The Red Hat Enterprise Linux operating system must use a virus scan program." - package: + ansible.builtin.package: name: "{{ rhel7stig_av_package.package }}" state: present vars: ansible_python_interpreter: "{{ python2_bin }}" - name: "HIGH | RHEL-07-032000 | PATCH | The Red Hat Enterprise Linux operating system must use a virus scan program." - service: + ansible.builtin.service: name: "{{ rhel7stig_av_package.service }}" state: "{{ rhel7stig_service_started }}" enabled: true @@ -586,7 +545,7 @@ - antivirus - name: "HIGH | RHEL-07-040390 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config regexp: "(?i)^#?Protocol" line: Protocol 2 
@@ -609,13 +568,13 @@ - name: "HIGH | RHEL-07-040540 | The Red Hat Enterprise Linux operating system must not contain .shosts files." block: - name: "HIGH | RHEL-07-040540 | AUDIT | The Red Hat Enterprise Linux operating system must not contain .shosts files." - command: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name '.shosts' + ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name '.shosts' check_mode: false changed_when: false register: rhel_07_040540_audit - name: "HIGH | RHEL-07-040540 | PATCH | The Red Hat Enterprise Linux operating system must not contain .shosts files." - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -634,13 +593,13 @@ - name: "HIGH | RHEL-07-040550 | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." block: - name: "HIGH | RHEL-07-040550 | AUDIT | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." - command: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name 'shosts.equiv' + ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name 'shosts.equiv' check_mode: false changed_when: false register: rhel_07_040550_audit - name: "HIGH | RHEL-07-040550 | PATCH | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -657,7 +616,7 @@ - shosts - name: "HIGH | RHEL-07-040690 | PATCH | The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed." - package: + ansible.builtin.package: name: vsftpd state: absent vars: @@ -676,7 +635,7 @@ - ftp - name: "HIGH | RHEL-07-040700 | PATCH | The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support." - package: + ansible.builtin.package: name: - tftp - tftp-server 
@@ -703,7 +662,7 @@ - name: "HIGH | RHEL-07-040800 | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default." block: - name: "HIGH | RHEL-07-040800 | AUDIT | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default." - command: grep {{ item }} /etc/snmp/snmpd.conf + ansible.builtin.shell: grep {{ item }} /etc/snmp/snmpd.conf check_mode: false failed_when: false changed_when: false @@ -713,7 +672,7 @@ - private - name: "HIGH | RHEL-07-040800 | PATCH | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default." - replace: + ansible.builtin.replace: dest: /etc/snmp/snmpd.conf regexp: (^com2sec.*default\s+)(public|private) replace: \1{{ rhel7stig_snmp_community }} diff --git a/tasks/main.yml b/tasks/main.yml index c32bdbf4..fe187585 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Gather distribution info - setup: + ansible.builtin.setup: gather_subset: distribution,!all,!min when: - ansible_distribution is not defined @@ -8,14 +8,14 @@ - always - name: Check OS version and family - assert: + ansible.builtin.assert: that: ansible_os_family == 'RedHat' and ansible_distribution_major_version is version_compare('7', '==') msg: "This role can only be run against RHEL/CENTOS 7. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." tags: - always - name: Check ansible version - assert: + ansible.builtin.assert: that: ansible_version.full is version_compare(rhel7stig_min_ansible_version, '>=') msg: You must use Ansible {{ rhel7stig_min_ansible_version }} or greater tags: 
@@ -23,27 +23,27 @@ - name: "Check password set for {{ ansible_user }}" block: - - name: Capture current password state of "{{ ansible_user }}" - shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" - changed_when: false - failed_when: false - check_mode: false - register: ansible_user_password_set - - - name: "Assert that password set for {{ ansible_user }} and account not locked" - assert: - that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_user }}" - vars: - sudo_password_rule: RHEL-07-010340 + - name: Capture current password state of "{{ ansible_user }}" + ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: ansible_user_password_set + + - name: "Assert that password set for {{ ansible_user }} and account not locked" + ansible.builtin.assert: + that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_user }}" + vars: + sudo_password_rule: RHEL-07-010340 when: - rhel_07_010340 tags: - user_passwd - name: FIPS turned on - set_fact: + ansible.builtin.set_fact: fips_value: '1' when: - rhel7stig_use_fips 
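Review bot: The re-indented capture task registers the hash field of /etc/shadow for `{{ ansible_user }}` but has no `no_log: true`, so the hash is emitted in verbose output and retained by any logging callback; add `no_log: true` beside `register: ansible_user_password_set`. The pattern `grep {{ ansible_user }} /etc/shadow` is also unanchored and matches the name as a substring of any line, so the assertion can be evaluated against a different account's entry; `grep "^{{ ansible_user }}:" /etc/shadow` (or `getent shadow {{ ansible_user }}`) pins it to the intended user. The added `success_msg: "You a password set for the {{ ansible_user }}"` is missing a word, presumably "You have a password set for {{ ansible_user }}".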
@@ -51,7 +51,7 @@ - RHEL-07-021350 - name: Check rhel7stig_bootloader_password_hash variable has been changed - assert: + ansible.builtin.assert: that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" when: @@ -67,47 +67,47 @@ - cat1 - name: include prelim tasks - import_tasks: prelim.yml + ansible.builtin.import_tasks: prelim.yml tags: - prelim_tasks - run_audit - name: include pre-remediation audit - import_tasks: pre_remediation_audit.yml + ansible.builtin.import_tasks: pre_remediation_audit.yml when: - run_audit tags: - run_audit - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: Include CAT I patches - import_tasks: fix-cat1.yml + ansible.builtin.import_tasks: fix-cat1.yml when: rhel7stig_cat1_patch tags: - cat1 - high - name: Include CAT II patches - import_tasks: fix-cat2.yml + ansible.builtin.import_tasks: fix-cat2.yml when: rhel7stig_cat2_patch tags: - cat2 - medium - name: Include CAT III patches - import_tasks: fix-cat3.yml + ansible.builtin.import_tasks: fix-cat3.yml when: rhel7stig_cat3_patch tags: - cat3 - low - name: update auditd - template: + ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules owner: root 
@@ -119,20 +119,20 @@ - update_audit_template - name: flush handlers - meta: flush_handlers + ansible.builtin.meta: flush_handlers - name: Reboot system - reboot: + ansible.builtin.reboot: when: - not rhel7stig_skip_reboot - name: include post-remediation audit - import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit - name: Show Audit Summary - debug: + ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" when: - run_audit diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index d27e2d6d..4df03de1 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml @@ -2,13 +2,13 @@ - name: "PRELIM | {{ rhel7stig_passwd_tasks }} | Parse /etc/passwd" block: - name: "PRELIM | {{ rhel7stig_passwd_tasks }} | Parse /etc/passwd" - command: cat /etc/passwd + ansible.builtin.shell: cat /etc/passwd changed_when: false check_mode: false register: rhel7stig_passwd_file_audit - name: "PRELIM | {{ rhel7stig_passwd_tasks }} | Split passwd entries" - set_fact: + ansible.builtin.set_fact: rhel7stig_passwd: "{{ rhel7stig_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel7stig_passwd_file_audit.stdout_lines }}" diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 0de7e2ae..e31be2ff 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: false register: audit_run_post_remediation 
@@ -9,7 +9,7 @@ warn: false - name: Post Audit | ensure audit files readable by users - file: + ansible.builtin.file: path: "{{ item }}" mode: 0644 state: file @@ -20,12 +20,12 @@ - name: Post Audit | Capture audit data if json format block: - name: "Post Audit | capture data {{ post_audit_outfile }} | JSON format" - command: "cat {{ post_audit_outfile }}" + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - name: PostAudit | Capture post-audit result | JSON format - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' @@ -35,12 +35,12 @@ - name: Post Audit | Capture audit data if documentation format block: - name: "Post Audit | capture data {{ post_audit_outfile }} | documentation format" - command: "tail -2 {{ post_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Post Audit | Capture post-audit result | documentation format - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index ce67f765..e8e1daba 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,14 +1,14 @@ --- - name: Audit Binary Setup | Setup the LE audit - include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit - name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" - file: + ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' 
@@ -16,13 +16,13 @@ - name: Pre Audit Setup | If using git for content set up block: - name: Pre Audit Setup | Install git (rh8 python3) - package: + ansible.builtin.package: name: git state: present when: ansible_distribution_major_version == '8' - name: Pre Audit Setup | Install git (rh7 python2) - package: + ansible.builtin.package: name: git state: present vars: @@ -30,7 +30,7 @@ when: ansible_distribution_major_version == '7' - name: Pre Audit Setup | retrieve audit content files from git - git: + ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" @@ -38,7 +38,7 @@ - audit_content == 'git' - name: Pre Audit Setup | copy to audit content files to server - copy: + ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" mode: 0644 @@ -46,7 +46,7 @@ - audit_content == 'copy' - name: Pre Audit Setup | get audit content from url - get_url: + ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" owner: root @@ -58,12 +58,12 @@ - name: Pre Audit Setup | Check Goss is available block: - name: Pre Audit Setup | Check for goss file - stat: + ansible.builtin.stat: path: "{{ audit_bin }}" register: goss_available - name: Pre Audit Setup | If audit ensure goss is available - assert: + ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: - not goss_available.stat.exists @@ -71,7 +71,7 @@ - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit - template: + ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 
@@ -81,22 +81,20 @@ - goss_template - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation - vars: - warn: false - name: Pre Audit | Capture audit data if json format block: - name: "capture data {{ pre_audit_outfile }}" - command: "cat {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' @@ -106,12 +104,12 @@ - name: Pre Audit | Capture audit data if documentation format block: - name: "capture data {{ pre_audit_outfile }}" - command: "tail -2 {{ pre_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c2a6ec7b..b085dba4 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,7 +1,7 @@ --- - name: "PREREQ | Check required packages installed | Python2" - package: + ansible.builtin.package: list: "{{ item }}" state: present loop: 
@@ -14,7 +14,7 @@ - name: "PREREQ | Add the required packages | Python 3" block: - name: Check if python36-rpm package installed - command: rpm -q python36-rpm + ansible.builtin.shell: rpm -q python36-rpm failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) changed_when: false register: python36_rpm_present @@ -22,7 +22,7 @@ warn: false - name: Add the EPEL repository required for the python36-rpm pkg - package: + ansible.builtin.package: name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm state: present register: epel_installed @@ -30,7 +30,7 @@ - python36_rpm_present.rc != '0' - name: "PREREQ | Check required packages installed | Python3 " - package: + ansible.builtin.package: name: "{{ item }}" state: present register: python3reqs_installed @@ -39,7 +39,7 @@ - libselinux-python3 - name: Disable Epel repo if installed earlier - command: yum-config-manager disable epel + ansible.builtin.shell: yum-config-manager disable epel when: epel_installed.changed when: - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) @@ -49,14 +49,14 @@ - name: "PRELIM | dconf" block: - name: "PRELIM | Check for dconf availability" - command: rpm -q dconf + ansible.builtin.shell: rpm -q dconf changed_when: false failed_when: rhel7stig_dconf_audit.rc >= 2 check_mode: false register: rhel7stig_dconf_audit - name: "PRELIM | Install dconf" - package: + ansible.builtin.package: name: dconf vars: ansible_python_interpreter: "{{ python2_bin }}" @@ -65,7 +65,7 @@ - rhel7stig_gui - name: dconf directory structure - file: + ansible.builtin.file: path: /etc/dconf/db/local.d/locks state: directory mode: '0755' 
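Review bot: In the second hunk of prelim.yml the EPEL gate `- python36_rpm_present.rc != '0'` compares the integer return code with the string '0', which is never equal in Jinja, so the EPEL repository is added even when python36-rpm is already installed; the intended test is `- python36_rpm_present.rc != 0`, consistent with the integer list used in `failed_when` of the `rpm -q` task. This line is context in the hunk and predates the FQCN change; the enclosing "Add the required packages | Python 3" block starts in the preceding hunk and its `when:` continues past this one.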
@@ -99,7 +99,7 @@ - RHEL-07-020230 - name: "MEDIUM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | AUDIT | Find ini files for interactive users." - shell: find "{{ item }}" -maxdepth 1 -type f | awk -F"/" '$NF ~ /^\..*$/ {print $NF}' | grep -v history + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | awk -F"/" '$NF ~ /^\..*$/ {print $NF}' | grep -v history changed_when: false failed_when: false register: rhel_07_020710_ini_file_list @@ -118,7 +118,7 @@ - complexity-high - name: "MEDIUM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | Set fact for home directory paths for interactive users" - set_fact: + ansible.builtin.set_fact: rhel_07_stig_interactive_homedir_inifiles: "{{ rhel_07_020710_ini_file_list.results | map(attribute='stdout_lines') | list }}" when: - rhel_07_stig_interactive_homedir_results is defined @@ -134,7 +134,7 @@ - complexity-high - name: "PRELIM | Find all sudoers files." - command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false @@ -149,7 +149,7 @@ - RHEL-07-010350 - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | Install grub2-tools." - package: + ansible.builtin.package: name: grub2-tools vars: ansible_python_interpreter: "{{ python2_bin }}" @@ -169,7 +169,7 @@ - RHEL-07-021350 - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | RHEL-07-021700 | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel_07_sys_firmware_efi when: @@ -192,7 +192,7 @@ - RHEL-07-021700 - name: "PRELIM | Gather chroot status" - setup: + ansible.builtin.setup: gather_subset: chroot,!all,!min filter: ansible_is_chroot when: 
@@ -202,7 +202,7 @@ - always - name: "PRELIM | Gather mount information" - setup: + ansible.builtin.setup: gather_subset: hardware,!all,!min filter: ansible_mounts when: @@ -211,7 +211,7 @@ - always - name: ensure cronie is available - package: + ansible.builtin.package: name: cronie vars: ansible_python_interpreter: "{{ python2_bin }}" @@ -226,7 +226,7 @@ - RHEL-07-020040 - name: "PRELIM | RHEL-07-020600 | RHEL-07-020620 | RHEL-07-020630 | RHEL-07-020640 | RHEL-07-020650 | RHEL-07-020660 | RHEL-07-020690 | Parse /etc/passwd" - include_tasks: parse_etc_passwd.yml + ansible.builtin.include_tasks: parse_etc_passwd.yml vars: rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" when: @@ -258,7 +258,7 @@ # NOTE: You will need to adjust the UID range in parenthases below. # ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. - name: "PRELIM | RHEL-07-020680 | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | Gather local interactive user directories" - shell: "getent passwd { {{ rhel7stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" + ansible.builtin.shell: "getent passwd { {{ rhel7stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" # rhel_07_020680_getent.stdout_lines is defined changed_when: false failed_when: false @@ -271,7 +271,7 @@ - complexity-high - name: "PRELIM | RHEL-07-020680 | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | Set fact for home directory paths for interactive users" - set_fact: + ansible.builtin.set_fact: rhel_07_stig_interactive_homedir_results: "{{ rhel_07_020680_getent.stdout_lines }}" when: - rhel_07_020680_getent.stdout_lines is defined 
@@ -283,7 +283,7 @@ - complexity-high - name: "PRELIM | RHEL-07-021100 | RHEL-07-031000 | RHEL-07-031010 | Ensure rsyslog is installed when required." - package: + ansible.builtin.package: name: rsyslog vars: ansible_python_interpreter: "{{ python2_bin }}" @@ -299,7 +299,7 @@ - RHEL-07-031010 - name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions" - shell: df --output=target /boot | tail -n 1 + ansible.builtin.shell: df --output=target /boot | tail -n 1 changed_when: false check_mode: false register: rhel_07_boot_part @@ -311,7 +311,7 @@ - RHEL-07-021350 - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin." - package: + ansible.builtin.package: name: audispd-plugins vars: ansible_python_interpreter: "{{ python2_bin }}" @@ -332,13 +332,13 @@ - name: "PRELIM | RHEL-07-030330 | Determine audit log partition." block: - name: "PRELIM | RHEL-07-030330 | Find audit.log location" - command: grep -oP '^log_file\s*=\s*\K.*?(?=\s*$)' /etc/audit/auditd.conf + ansible.builtin.shell: grep -oP '^log_file\s*=\s*\K.*?(?=\s*$)' /etc/audit/auditd.conf changed_when: false check_mode: false register: rhel_07_audit_log_file - name: "PRELIM | RHEL-07-030330 | Find partition holding audit.log" - shell: df --output=target {{ rhel_07_audit_log_file.stdout }} | tail -n 1 + ansible.builtin.shell: df --output=target {{ rhel_07_audit_log_file.stdout }} | tail -n 1 changed_when: false check_mode: false register: rhel_07_audit_part @@ -353,7 +353,7 @@ - name: "PRELIM | RHEL-07-020030 | RHEL-07-020040 | RHEL-07-021600 | RHEL-07-021610 RHEL-07-021620 | Install and initialize AIDE" block: - name: "PRELIM | RHEL-07-020030 | RHEL-07-020040 | RHEL-07-021600 | RHEL-07-021610 | RHEL-07-021620 | Install AIDE" - package: + ansible.builtin.package: name: aide state: present vars: 
@@ -361,7 +361,7 @@ notify: "{{ rhel7stig_aide_handler }}" - name: "PRELIM | RHEL-07-020030 | RHEL-07-020040 | RHEL-07-021600 | RHEL-07-021610 | RHEL-07-021620 | Check for existing AIDE database" - stat: + ansible.builtin.stat: path: "{{ rhel7stig_aide_db_file }}" changed_when: not rhel7stig_aide_db_status.stat.exists check_mode: false @@ -385,7 +385,7 @@ - RHEL-07-021620 - name: "PRELIM | RHEL-07-020210 | RHEL-07-020220 | Install SELinux related dependencies" - package: + ansible.builtin.package: name: - libselinux-python - policycoreutils-python @@ -400,31 +400,31 @@ - name: "PRELIM | Bare bones SSH Server" block: - name: "PRELIM | Install SSH" - package: + ansible.builtin.package: name: openssh-server vars: ansible_python_interpreter: "{{ python2_bin }}" - name: PRELIM | Start SSH - service: + ansible.builtin.service: name: sshd state: "{{ rhel7stig_service_started }}" enabled: true - name: PRELIM | check if ssh host key exists - stat: + ansible.builtin.stat: path: /etc/ssh/ssh_host_rsa_key register: rhel7stig_ssh_host_rsa_key_stat - name: PRELIM | create ssh host key to allow 'sshd -t -f %s' to succeed - command: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 + ansible.builtin.shell: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 notify: clean up ssh host key when: not rhel7stig_ssh_host_rsa_key_stat.stat.exists when: -rhel7stig_ssh_required - name: "PRELIM | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel7_efi_boot tags: @@ -433,7 +433,7 @@ - name: set bootloader type block: - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" - set_fact: + ansible.builtin.set_fact: rhel7stig_bootloader_path: /boot/efi/EFI/redhat rhel7stig_legacy_boot: false when: 
@@ -441,7 +441,7 @@ - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path - name: "PRELIM | set fact if UEFI boot | CentOS " - set_fact: + ansible.builtin.set_fact: rhel7stig_bootloader_path: /boot/efi/EFI/centos rhel7stig_legacy_boot: false when: @@ -449,13 +449,13 @@ - ansible_distribution == 'CentOS' - name: "PRELIM | set if not UEFI boot" - set_fact: + ansible.builtin.set_fact: rhel7stig_bootloader_path: /boot/grub2/ rhel7stig_legacy_boot: true when: not rhel7_efi_boot.stat.exists - name: PRELIM | output bootloader and efi state - debug: + ansible.builtin.debug: msg: - "bootloader path set to {{ rhel7stig_bootloader_path }}" - "legacy boot equals {{ rhel7stig_legacy_boot }}" @@ -463,19 +463,19 @@ - name: "PRELIM | Gather interactive user ID min" block: - name: "PRELIM | Gather interactive user ID min" - shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' changed_when: false failed_when: false register: rhel7stig_min_uid - name: "PRELIM | Gather interactive user ID max" - shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' changed_when: false failed_when: false register: rhel7stig_max_uid - name: "PRELIM | Setting the fact" - set_fact: + ansible.builtin.set_fact: rhel7stig_interactive_uid_start: "{{ rhel7stig_min_uid.stdout }}" rhel7stig_interactive_uid_stop: "{{ rhel7stig_max_uid.stdout }}" tags: From 2940470527961daa66dde5f5f2ee81d28e7698da Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 12:00:09 +0000 Subject: [PATCH 106/126] FQCN lint Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index b354a43f..43c9a28f 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
@@ -1,7 +1,7 @@ --- - name: "LOW | RHEL-07-010375 | PATCH | The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer." - sysctl: + ansible.posix.sysctl: name: kernel.dmesg_restrict value: '1' state: present @@ -20,7 +20,7 @@ - sysctl - name: "LOW | RHEL-07-020200 | PATCH | The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/yum.conf regexp: ^#?clean_requirements_on_remove line: clean_requirements_on_remove=1 @@ -39,14 +39,14 @@ - name: "LOW | RHEL-07-020300 | The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file." block: - name: "LOW | RHEL-07-020300 | PATCH | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' changed_when: false failed_when: false check_mode: false register: passwd_gid_check - name: "LOW | RHEL-07-020300 | PATCH | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: + ansible.builtin.debug: msg: "WARNING: The following users have non-existent GIDs: {{ passwd_gid_check.stdout_lines | join (', ') }}" changed_when: rhel7stig_audit_complex when: passwd_gid_check.stdout_lines @@ -64,7 +64,7 @@ - passwd - name: "LOW | RHEL-07-021024 | PATCH | The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options." - mount: + ansible.builtin.mount: path: /dev/shm state: mounted src: "{{ dev_shm_mount.device | default('tmpfs') }}" 
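Review bot: `ansible.builtin.mount:` in the /dev/shm hunk is not a module name — the mount module lives in the ansible.posix collection and the short name `mount` only resolved there through ansible-core's routing table, so this task will fail to resolve once the FQCN is used; it should read `ansible.posix.mount:`, matching `ansible.posix.sysctl` at the top of this file. Because the diff now references ansible.posix and, further down, community.general (`community.general.pamd`), both collections need to be declared as role dependencies if they are not already — the requirements/meta files are not part of this diff, so I cannot confirm. The /dev/shm task body continues past the end of the hunk.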
@@ -86,7 +86,7 @@ - mount - name: "LOW | RHEL-07-021310 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)." - debug: + ansible.builtin.debug: msg: "WARNING: /home is not mounted on a separate partition" changed_when: - rhel7stig_audit_complex @@ -107,7 +107,7 @@ - home - name: "LOW | RHEL-07-021320 | PATCH | The Red Hat Enterprise Linux operating system must use a separate file system for /var." - debug: + ansible.builtin.debug: msg: "WARNING: /var is not mounted on a separate partition" changed_when: - rhel7stig_audit_complex @@ -128,7 +128,7 @@ - var - name: "LOW | RHEL-07-021330 | PATCH | The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path." - debug: + ansible.builtin.debug: msg: "WARNING: /var/log/audit is not mounted on a separate partition" changed_when: rhel7stig_audit_complex when: @@ -148,7 +148,7 @@ - auditd - name: "LOW | RHEL-07-021340 | PATCH | The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent)." - systemd: + ansible.builtin.systemd: name: tmp.mount daemon_reload: "{{ rhel7stig_systemd_daemon_reload }}" enabled: true @@ -170,7 +170,7 @@ - name: | "LOW | RHEL-07-021600 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)." "LOW | RHEL-07-021610 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes." - template: + ansible.builtin.template: src: aide.conf.j2 dest: /etc/aide.conf owner: root 
@@ -194,7 +194,7 @@ - aide - name: "LOW | RHEL-07-040000 | PATCH | The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types." - lineinfile: + ansible.builtin.lineinfile: state: present dest: /etc/security/limits.conf insertbefore: '^# End of file' @@ -213,7 +213,7 @@ - name: "LOW | RHEL-07-040530 | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon." block: - name: "LOW | RHEL-07-040530 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon | Update pam_lastlog control to satisfy benchmark." - pamd: + community.general.pamd: name: postlogin type: session control: "{{ old_control }}" @@ -222,7 +222,7 @@ state: updated - name: "LOW | RHEL-07-040530 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon | Update pam_lastlog when line absent." - pamd: + community.general.pamd: name: postlogin state: args_absent type: session @@ -234,7 +234,7 @@ - "{{ default_control }}" - name: "LOW | RHEL-07-040530 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon | Remove old remediation." - blockinfile: + ansible.builtin.blockinfile: state: absent path: /etc/pam.d/postlogin insertafter: '^# User changes will be destroyed' @@ -259,7 +259,7 @@ block: # Audit the /etc/nsswitch.conf config - name: "LOW | RHEL-07-040600 | AUDIT | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - shell: grep "dns" /etc/nsswitch.conf | grep -v "#" + ansible.builtin.shell: grep "dns" /etc/nsswitch.conf | grep -v "#" changed_when: false failed_when: false check_mode: false 
@@ -267,7 +267,7 @@ # Determine if networkmanager is setting /etc/resolv.conf - name: "LOW | RHEL-07-040600 | AUDIT | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - command: grep "# Generated by NetworkManager" /etc/resolv.conf + ansible.builtin.shell: grep "# Generated by NetworkManager" /etc/resolv.conf changed_when: false failed_when: false check_mode: false @@ -275,7 +275,7 @@ # Determine number of nameserver lines in /etc/resolv.conf - name: "LOW | RHEL-07-040600 | AUDIT | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l + ansible.builtin.shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l changed_when: false failed_when: false check_mode: false @@ -283,12 +283,12 @@ # Change resolv.conf if dns is not present in nsswitch.conf - name: "LOW | RHEL-07-040600 | PATCH | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf + ansible.builtin.shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf when: - "'dns' not in rhel_07_040600_nsswitch_check.stdout" # Set resolv.conf if dns is set in nsswitch.conf - name: "LOW | RHEL-07-040600 | PATCH | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/resolv.conf regexp: '^nameserver {{ item }}' line: nameserver {{ item }} 
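Review bot: In the `@@ -267` hunk the NetworkManager check moves from `command:` to `ansible.builtin.shell:` although the line has no pipe, redirect or glob, so the change only widens what `/bin/sh` may interpret and trips ansible-lint's command-instead-of-shell rule. The FQCN of the module that was already in use is `ansible.builtin.command: grep "# Generated by NetworkManager" /etc/resolv.conf`, which keeps the argv fixed and preserves the registered rc the later tasks depend on. The `grep | wc -l` task in the next hunk genuinely needs a shell because of the pipe, so only this one should be reverted.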
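Review bot: The remediation in the `@@ -283` hunk, `echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf`, is not re-runnable: once the immutable bit is set, the redirect on the next run is refused and the task fails, and it also reports changed on every run because no `changed_when` is set. Clearing the attribute first, e.g. `chattr -i /etc/resolv.conf 2>/dev/null; : > /etc/resolv.conf && chattr +i /etc/resolv.conf`, makes it idempotent, and an `lsattr`-based pre-check would let you set `changed_when` honestly. Truncating the resolver configuration is disruptive, so consider honouring `rhel7stig_disruptive_check_mode` here as the password-aging tasks elsewhere in this role do.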
@@ -301,7 +301,7 @@ # If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp. - name: "LOW | RHEL-07-040600 | PATCH | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - debug: + ansible.builtin.debug: msg: "The file /etc/resolv.conf is managed by network manager and shows less than two DNS servers configured. Please correct this in your DHCP configurations." changed_when: true when: From 0691198050b664c0176fa85751e8c731cdc98955 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 12:00:32 +0000 Subject: [PATCH 107/126] FQCN lint Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index d4663bd9..0fa0c31a 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -401,7 +401,7 @@ - "'prelink' in ansible_facts.packages" - name: "HIGH | RHEL-07-021350 | AUDIT | Check /etc/default/grub exists" - stat: + ansible.builtin.stat: path: /etc/default/grub register: rhel7_stig_default_grub From ff0ba1238563e8e322c3441c5bbf81122669b2c9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 12:00:47 +0000 Subject: [PATCH 108/126] FQCN and shell/command updates Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 541 +++++++++++++++++++++++---------------------- 1 file changed, 271 insertions(+), 270 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c2af62d0..950a55fd 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -1,7 +1,8 @@ --- + ### RHEL-07-010030 | RHEL-07-010040 combined as related tasks in regards to a config file no other content will be in. - name: "MEDIUM | RHEL-07-010030 | RHEL-07-010040 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." - copy: # noqa: template-instead-of-copy + ansible.builtin.copy: # noqa: template-instead-of-copy dest: /etc/dconf/db/local.d/01-banner-message content: | [org/gnome/login-screen] @@ -28,7 +29,7 @@ - dod_logon_banner - name: "MEDIUM | RHEL-07-010050 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon." - copy: + ansible.builtin.copy: content: "{{ rhel7stig_logon_banner }}" # noqa: template-instead-of-copy dest: "{{ item }}" owner: root @@ -51,7 +52,7 @@ - dod_logon_banner - name: "MEDIUM | RHEL-07-010060 | PATCH | The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010060 content: | [org/gnome/desktop/screensaver] @@ -71,7 +72,7 @@ - dconf - name: "MEDIUM | RHEL-07-010061 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-defaults_rhel_07_010061 content: | [org/gnome/login-screen] 
@@ -93,7 +94,7 @@ - dconf - name: "MEDIUM | RHEL-07-010070 | PATCH | The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010070 content: | [org/gnome/desktop/session] @@ -113,7 +114,7 @@ - dconf - name: "MEDIUM | RHEL-07-010081 | PATCH | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_07_010081 content: | /org/gnome/desktop/screensaver/lock-delay @@ -132,7 +133,7 @@ - dconf - name: "MEDIUM | RHEL-07-010082 | PATCH | The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_07_010082 content: | /org/gnome/desktop/session/idle-delay @@ -151,7 +152,7 @@ - dconf - name: "MEDIUM | RHEL-07-010090 | PATCH | The Red Hat Enterprise Linux operating system must have the screen package installed." - package: + ansible.builtin.package: name: screen state: present when: @@ -168,7 +169,7 @@ - screen - name: "MEDIUM | RHEL-07-010100 | PATCH | The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010100 content: | [org/gnome/desktop/screensaver] 
@@ -188,7 +189,7 @@ - dconf - name: "MEDIUM | RHEL-07-010101 | PATCH | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_07_010101 content: | /org/gnome/desktop/screensaver/idle-activation-enabled @@ -207,7 +208,7 @@ - dconf - name: "MEDIUM | RHEL-07-010110 | PATCH | The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010110 content: | [org/gnome/desktop/screensaver] @@ -228,7 +229,7 @@ - dconf - name: "MEDIUM | RHEL-07-010118 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/passwd regexp: '^password\s+substack\s+system-auth' line: 'password substack system-auth' @@ -244,7 +245,7 @@ - pamd - name: "MEDIUM | RHEL-07-010119 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/pam.d/system-auth regexp: '^#?password\s+required pam_pwquality.so retry' @@ -262,7 +263,7 @@ - pamd - name: "MEDIUM | RHEL-07-010120 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*ucredit' 
@@ -280,7 +281,7 @@ - pwquality - name: "MEDIUM | RHEL-07-010130 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*lcredit' @@ -298,7 +299,7 @@ - pwquality - name: "MEDIUM | RHEL-07-010140 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*dcredit' @@ -315,7 +316,7 @@ - RHELsality - name: "MEDIUM | RHEL-07-010150 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*ocredit' @@ -333,7 +334,7 @@ - pwquality - name: "MEDIUM | RHEL-07-010160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*difok' @@ -351,7 +352,7 @@ - pwquality - name: "MEDIUM | RHEL-07-010170 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*minclass' 
@@ -369,7 +370,7 @@ - pwquality - name: "MEDIUM | RHEL-07-010180 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*maxrepeat' @@ -387,7 +388,7 @@ - pwquality - name: "MEDIUM | RHEL-07-010190 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*maxclassrepeat' @@ -405,7 +406,7 @@ - pwquality - name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | symlink" - file: + ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" state: link @@ -424,7 +425,7 @@ - pamd - name: "MEDIUM | RHEL-07-010200 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords." - pamd: + community.general.pamd: name: "{{ item[0] }}" state: "{{ item[1].state }}" type: password @@ -455,7 +456,7 @@ - pamd - name: "MEDIUM | RHEL-07-010210 | PATCH | The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/login.defs regexp: ^#?ENCRYPT_METHOD line: "ENCRYPT_METHOD {{ rhel7stig_login_defaults.encrypt_method | default('SHA512') }}" 
@@ -471,7 +472,7 @@ - login - name: "MEDIUM | RHEL-07-010220 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/libuser.conf regexp: ^#?crypt_style line: crypt_style = sha512 @@ -487,7 +488,7 @@ - login - name: "MEDIUM | RHEL-07-010230 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/login.defs regexp: ^#?PASS_MIN_DAYS @@ -507,13 +508,13 @@ - name: "MEDIUM | RHEL-07-010240 | The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime." block: - name: "MEDIUM | RHEL-07-010240 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime." - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" check_mode: false changed_when: false register: rhel_07_010240_audit - name: "MEDIUM | RHEL-07-010240 | PATCH | Passwords must be restricted to a 24 hours/1 day minimum lifetime." - command: chage -m 1 {{ item }} + ansible.builtin.shell: chage -m 1 {{ item }} check_mode: false changed_when: true with_items: @@ -530,7 +531,7 @@ - password - name: "MEDIUM | RHEL-07-010250 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/login.defs regexp: ^#?PASS_MAX_DAYS 
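Review bot: In the `@@ -507` hunk both RHEL-07-010240 tasks move from `command:` to `ansible.builtin.shell:` with no shell syntax in either line, and the remediation `chage -m 1 {{ item }}` now passes a username read out of /etc/shadow through `/bin/sh`; `ansible.builtin.command` keeps each argument as a separate argv element, which is what the original module already did. Independently, that remediation task carries `check_mode: false` together with `changed_when: true`, which forces `chage` to run even under `--check`, whereas the RHEL-07-010260 block right after it uses `check_mode: "{{ rhel7stig_disruptive_check_mode }}"`. Suggested lines: `ansible.builtin.command: chage -m 1 {{ item }}` and `check_mode: "{{ rhel7stig_disruptive_check_mode }}"`.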
@@ -550,19 +551,19 @@ - name: "MEDIUM | RHEL-07-010260 | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." block: - name: "MEDIUM | RHEL-07-010260 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." - shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" check_mode: false changed_when: false register: rhel_07_010260_audit - name: "MEDIUM | RHEL-07-010260 | PATCH | Reset password timeout to prevent locking out user." - shell: chage -d '-1 day' {{ item }} + ansible.builtin.shell: chage -d '-1 day' {{ item }} check_mode: "{{ rhel7stig_disruptive_check_mode }}" with_items: - "{{ rhel_07_010260_audit.stdout_lines }}" - name: "MEDIUM | RHEL-07-010260 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." - shell: "chage -M 60 {{ item }}" + ansible.builtin.shell: "chage -M 60 {{ item }}" check_mode: "{{ rhel7stig_disruptive_check_mode }}" with_items: - "{{ rhel_07_010260_audit.stdout_lines }}" @@ -582,7 +583,7 @@ - name: "MEDIUM | RHEL-07-010270 | The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory rule exists" - pamd: + community.general.pamd: name: "{{ item }}" state: before type: password 
@@ -597,7 +598,7 @@ # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent - name: "MEDIUM | RHEL-07-010270 | AUDIT | Check for existing password history reuse settings" - command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel7stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel7stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" + ansible.builtin.shell: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel7stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel7stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" check_mode: false changed_when: false failed_when: rhel_07_010270_audit.rc > 1 @@ -608,7 +609,7 @@ # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory module arguments are set" - pamd: + community.general.pamd: name: "{{ item.item }}" state: updated type: password @@ -633,7 +634,7 @@ - pamd - name: "MEDIUM | AUDIT | RHEL-07-010271 | The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - debug: + ansible.builtin.debug: msg: - "Warning!! Verify every existing emergency account and make sure it has an expiration date set within 72 hours." when: @@ -647,7 +648,7 @@ - V-254523 - name: "MEDIUM | RHEL-07-010280 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*minlen' 
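Review bot: The `@@ -597` hunk changes the pam_pwhistory audit grep from `command:` to `ansible.builtin.shell:` even though the invocation is a single grep with one quoted pattern and a path, so the only effect is that the templated pattern and `{{ item }}` are now parsed by `/bin/sh` before grep sees them. Keeping the original module as `ansible.builtin.command:` with the same argument string preserves the `rc > 1` failure logic and avoids the shell entirely. The TODO above the task already marks it as a temporary workaround for pamd idempotency, so keeping it minimal is worthwhile.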
@@ -665,7 +666,7 @@ - pwquality - name: "MEDIUM | RHEL-07-010310 | PATCH | The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/useradd regexp: ^#?INACTIVE line: INACTIVE=35 @@ -687,7 +688,7 @@ - name: | "MEDIUM | RHEL-07-010320 | PATCH | The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe." "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: before type: auth @@ -704,7 +705,7 @@ # - name: | # "MEDIUM | RHEL-07-010320 | AUDIT | Check for existing account lockout settings" # "MEDIUM | RHEL-07-010330 | AUDIT | Check for existing account lockout settings" - # command: "grep -iE '^auth\\s+required\\s+pam_faillock.so\\s+preauth\\s+silent\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}" + # ansible.builtin.shell: "grep -iE '^auth\\s+required\\s+pam_faillock.so\\s+preauth\\s+silent\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}" # check_mode: no # changed_when: no # failed_when: rhel_07_010320_010330_preauth_audit.rc > 1 
@@ -717,7 +718,7 @@ - name: | "MEDIUM | RHEL-07-010320 | PATCH | The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe." "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: updated type: auth @@ -729,7 +730,7 @@ - "password-auth" - name: "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: before type: auth @@ -744,7 +745,7 @@ # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent # - name: "MEDIUM | RHEL-07-010330 | AUDIT | Check for existing account lockout settings" - # command: "grep -iE '^auth\\s+\\[default=die\\]\\s+pam_faillock.so\\s+authfail\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}" + # ansible.builtin.shell: "grep -iE '^auth\\s+\\[default=die\\]\\s+pam_faillock.so\\s+authfail\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}" # check_mode: no # changed_when: no # failed_when: rhel_07_010330_authfail_audit.rc > 1 
@@ -755,7 +756,7 @@ # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - name: "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: updated type: auth @@ -768,7 +769,7 @@ # when: item.rc == 1 - name: "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: before type: account @@ -800,7 +801,7 @@ - pamd - name: "MEDIUM | RHEL-08-010339 | PATCH | The Red Hat Enterprise Linux operating system must specify the default 'include' directory for the /etc/sudoers file." - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regex: '^#includedir' line: '#includedir /etc/sudoers.d' @@ -817,7 +818,7 @@ - sudoers - name: "MEDIUM | RHEL-07-010340 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation." - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)NOPASSWD(.*)' replace: '\1PASSWD\2' @@ -838,7 +839,7 @@ - sudoers - name: "MEDIUM | RHEL-07-010344 | PATCH | The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/sudo regex: 'pam_succeed_if' state: absent 
@@ -853,7 +854,7 @@ - V-251704 - name: "MEDIUM | RHEL-07-010350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation." - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' @@ -872,7 +873,7 @@ - sudoers - name: "MEDIUM | RHEL-07-010430 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/login.defs regexp: ^#?FAIL_DELAY line: "FAIL_DELAY {{ rhel7stig_login_defaults.fail_delay_secs | default('4') }}" @@ -888,7 +889,7 @@ - login - name: "MEDIUM | RHEL-07-010460 | PATCH | The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config regexp: "(?i)^#?PermitUserEnvironment" line: PermitUserEnvironment no @@ -907,7 +908,7 @@ - ssh - name: "MEDIUM | RHEL-07-010470 | PATCH | The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config regexp: "(?i)^#?HostbasedAuthentication" line: HostbasedAuthentication no 
@@ -933,14 +934,14 @@ - name: "MEDIUM | RHEL-07-010481 | The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes." block: - name: "MEDIUM | RHEL-07-010481 | PATCH | Check if the packaged rescue.service file was edited directly" - shell: "cat /usr/lib/systemd/system/rescue.service | grep 'ExecStart=.*/usr/sbin/sulogin'" + ansible.builtin.shell: "cat /usr/lib/systemd/system/rescue.service | grep 'ExecStart=.*/usr/sbin/sulogin'" changed_when: false failed_when: false check_mode: false register: systemd_rescue_unit_check - name: "MEDIUM | RHEL-07-010481 | PATCH | Force reinstall systemd package to replace edited /usr/lib/systemd/system/rescue.service" - shell: yum -y reinstall systemd + ansible.builtin.shell: yum -y reinstall systemd when: systemd_rescue_unit_check.rc == 1 when: - rhel_07_010481 @@ -958,7 +959,7 @@ "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance." block: - name: "MEDIUM | RHEL-07-010483 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes. | Set grub unique name BIOS" - lineinfile: + ansible.builtin.lineinfile: path: /etc/grub.d/01_users regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
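Review bot: In the `@@ -933` hunk the rescue.service check pipes `cat` into `grep`, which is the only reason it needs a shell; `ansible.builtin.command: grep -q 'ExecStart=.*/usr/sbin/sulogin' /usr/lib/systemd/system/rescue.service` gives the same rc without one. The reinstall step `ansible.builtin.shell: yum -y reinstall systemd` has no `changed_when`, and its `when: systemd_rescue_unit_check.rc == 1` only covers a no-match result, so a grep error (rc 2, e.g. an unreadable unit file) silently skips the remediation; if that is intended it deserves a comment such as `# rc 1 = unit file edited; other rc values are left alone`. The enclosing block's `when:` continues past the end of the hunk.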
@@ -971,7 +972,7 @@ when: not rhel7stig_machine_uses_uefi - name: "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Set grub unique name UEFI" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel7stig_bootloader_path }}/grub.cfg" regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -1002,22 +1003,22 @@ block: # This task checks to test if pamd is enabled for pkcs11 - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --test | grep "pam_pkcs11 is enabled" + ansible.builtin.shell: authconfig --test | grep "pam_pkcs11 is enabled" register: rhel_07_010500pkcs11output # This task gathers output so we can test if smartcard removal action is enabled - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --test | grep "smartcard removal action" + ansible.builtin.shell: authconfig --test | grep "smartcard removal action" register: rhel_07_010500scremovaloutput # This task gathers output so we can test if smartcard module is enabled - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --test | grep "smartcard module" + ansible.builtin.shell: authconfig --test | grep "smartcard module" register: rhel_07_010500scenabledoutput # This is to remediate if pam_pkcs11 is not installed. - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - package: + ansible.builtin.package: name: "{{ item }}" state: present with_items: 
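Review bot: The three `authconfig --test | grep ...` tasks in the `@@ -1002` hunk set neither `failed_when` nor `changed_when`, so a non-matching grep (rc 1) fails the task and aborts the block before the package install and `authconfig --enablesmartcard` remediation below it can run; on a host where smart-card login is still disabled the `"pam_pkcs11 is enabled"` grep is presumably exactly that case (I cannot see authconfig's output from here). Adding `changed_when: false`, `failed_when: false` and `check_mode: false` to each of the three makes them pure reads, matching the other AUDIT tasks in this role, and their names should say AUDIT rather than PATCH. The block header and its `when:` lie outside the hunk.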
@@ -1031,18 +1032,18 @@ # This task will remediate the smartcard login setting - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --enablesmartcard --smartcardaction=0 --update + ansible.builtin.shell: authconfig --enablesmartcard --smartcardaction=0 --update when: - rhel_07_010500scenabledoutput.stdout == ' smartcard module = \"\"' or rhel_07_010500scremovaloutput.stdout == ' smartcard removal action = \"\"' # This task will remediate the smartcard login setting - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --enablerequiresmartcard --update + ansible.builtin.shell: authconfig --enablerequiresmartcard --update when: rhel_07_010500scenabledoutput.stdout == ' smartcard module = \"\"' or rhel_07_010500scremovaloutput.stdout == ' smartcard removal action = \"\"' # This remediates the screensaver settings for smartcard authentication - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/pam_pkcs11/pkcs11_eventmgr.conf regexp: '^#?/usr/X11R6/bin/xscreensaver-command -lock' 
@@ -1052,7 +1053,7 @@ # This remediates the pam_pkcs11.conf file to enforce the cackey usage for smartcard authentication ### NOTE: If you have custom rules for /etc/pam_pkcs11/pam_pkcs11.conf then change the template pam_pkcs11.conf.j2 - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - template: + ansible.builtin.template: src: pam_pkcs11.conf.j2 dest: /etc/pam_pkcs11/pam_pkcs11.conf owner: root @@ -1081,13 +1082,13 @@ - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." block: - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users" - shell: semanage login -l + ansible.builtin.shell: semanage login -l changed_when: false failed_when: false register: rhel_07_020020_sel_auth_users - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users" - debug: + ansible.builtin.debug: msg: - "Warning!! Below is your SELinux user/group list. Please review and make sure all of the following are met:" - "1) All administrators are mapped to staff_u or an appropriately tailored confined SELinux user as defined by the organization" 
@@ -1096,7 +1097,7 @@ when: rhel_07_020020_sel_auth_users.stdout | length > 0 - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed" - debug: + ansible.builtin.debug: msg: - "Warning!! You do not have semanage installed! Please installed the needed packages" when: "'command not found' in rhel_07_020020_sel_auth_users.stderr" @@ -1112,7 +1113,7 @@ - V-204444 - name: "MEDIUM | RHEL-07-020029 | PATCH | The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions." - package: + ansible.builtin.package: name: aide state: present notify: "{{ rhel7stig_aide_handler }}" @@ -1131,7 +1132,7 @@ - name: | "MEDIUM | RHEL-07-020030 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly." "MEDIUM | RHEL-07-020040 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner." - cron: + ansible.builtin.cron: name: 'Run AIDE integrity check {{ rhel7stig_aide_cron.special_time }}' user: "{{ rhel7stig_aide_cron.user }}" cron_file: "{{ rhel7stig_aide_cron.cron_file }}" @@ -1168,7 +1169,7 @@ - aide - name: "MEDIUM | RHEL-07-020100 | PATCH | The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage." - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item.file }}" insertafter: "{{ item.insertafter }}" regexp: "{{ item.regexp }}" 
@@ -1200,7 +1201,7 @@ - usb_devices - name: "MEDIUM | RHEL-07-020101 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required." - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item.file }}" insertafter: "{{ item.insertafter }}" regexp: "{{ item.regexp }}" @@ -1232,13 +1233,13 @@ - name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required." block: - name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required." - shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" + ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" changed_when: false check_mode: false register: rhel_07_020110_autofs_service_status - name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required." - service: + ansible.builtin.service: name: autofs enabled: false state: stopped @@ -1284,7 +1285,7 @@ - name: "MEDIUM | RHEL-07-020240 | PATCH | The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/login.defs regexp: ^#?UMASK line: "UMASK {{ rhel7stig_login_defaults.umask | default('077') }}" @@ -1301,7 +1302,7 @@ - umask - name: "MEDIUM | RHEL-07-020260 | The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date." - package: + ansible.builtin.package: name: '*' state: latest vars: 
@@ -1320,7 +1321,7 @@ - name: "MEDIUM | RHEL-07-020270 | AUDIT | The Red Hat Enterprise Linux operating system must not have unnecessary accounts." block: - name: "MEDIUM | RHEL-07-020270 | AUDIT | The Red Hat Enterprise Linux operating system must not have unnecessary accounts." - command: "grep '^{{ item }}:' /etc/passwd" + ansible.builtin.shell: "grep '^{{ item }}:' /etc/passwd" check_mode: false failed_when: rhel_07_020270_audit.rc > 1 changed_when: rhel_07_020270_audit.rc == 0 @@ -1329,7 +1330,7 @@ - "{{ rhel7stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-07-020270 | PATCH | The Red Hat Enterprise Linux operating system must not have unnecessary accounts." - user: + ansible.builtin.user: name: "{{ item }}" state: absent remove: "{{ rhel7stig_remove_unnecessary_user_files }}" @@ -1356,7 +1357,7 @@ - name: "MEDIUM | RHEL-07-020320 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." block: - name: "MEDIUM | RHEL-07-020320 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." - command: find "{{ item.mount }}" -xdev -nouser + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser check_mode: false failed_when: false changed_when: false @@ -1366,7 +1367,7 @@ when: item['device'].startswith('/dev') and not 'bind' in item['options'] - name: "MEDIUM | RHEL-07-020320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." - debug: + ansible.builtin.debug: msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" changed_when: rhel7stig_audit_complex with_items: 
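Review bot: Replacing `command:` with `ansible.builtin.shell:` on the `grep '^{{ item }}:' /etc/passwd` and `find "{{ item.mount }}" -xdev -nouser` tasks is a semantic change, not an FQCN rename: neither command uses a pipe or redirection, and both now pass templated values through `/bin/sh`, where `"{{ item.mount }}"` remains subject to `$(...)`, backtick and `$VAR` expansion. Mount points come from facts and `rhel7stig_unnecessary_accounts` from the operator, so the exposure is low, but the shell is gratuitous and ansible-lint's `command-instead-of-shell` will flag it. The FQCN of `command` is `ansible.builtin.command:`; use that here and in every hunk where only the module name needed updating.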
@@ -1389,7 +1390,7 @@ - name: "MEDIUM | RHEL-07-020330 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." block: - name: "MEDIUM | RHEL-07-020330 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." - command: find "{{ item.mount }}" -xdev -nogroup + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup check_mode: false failed_when: false changed_when: false @@ -1399,7 +1400,7 @@ when: item['device'].startswith('/dev') and not 'bind' in item['options'] - name: "MEDIUM | RHEL-07-020330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." - debug: + ansible.builtin.debug: msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" changed_when: rhel7stig_audit_complex with_items: @@ -1420,7 +1421,7 @@ - complexity-high - name: "MEDIUM | RHEL-07-020610 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/login.defs regexp: ^#?CREATE_HOME line: "CREATE_HOME {{ rhel7stig_login_defaults.create_home | default('yes') }}" @@ -1437,7 +1438,7 @@ - home - name: "MEDIUM | RHEL-07-020620 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file." - file: + ansible.builtin.file: path: "{{ item.dir }}" state: directory mode: 0700 
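Review bot: `mode: 0700` on the RHEL-07-020620 `ansible.builtin.file:` task is an unquoted YAML scalar that PyYAML reads as the integer 448; that happens to equal 0o700, but the same form misbehaves in loops and string contexts, ansible-lint reports it as `risky-octal`, and the file already quotes modes elsewhere (`mode: '0640'` in the RHEL-07-020710 task). Write it as `mode: '0700'` here, and likewise for the second `mode: 0700` in the RHEL-07-020640 task. The `find ... -nogroup` task at the top of this line has the same `command:` to `shell:` substitution as the `-nouser` task; `ansible.builtin.command:` is the drop-in FQCN.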
@@ -1458,7 +1459,7 @@ - users - name: "MEDIUM | RHEL-07-020630 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive." - file: + ansible.builtin.file: path: "{{ item.dir }}" mode: "{{ rhel7stig_homedir_mode }}" state: directory @@ -1479,7 +1480,7 @@ - users - name: "MEDIUM | RHEL-07-020640 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users." - file: + ansible.builtin.file: path: "{{ item.dir }}" owner: "{{ item.id }}" mode: 0700 @@ -1501,7 +1502,7 @@ - users - name: "MEDIUM | RHEL-07-020650 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group." - file: + ansible.builtin.file: path: "{{ item.dir }}" group: "{{ item.gid }}" # noqa risky-file-permissions state: directory @@ -1525,7 +1526,7 @@ - name: "MEDIUM | RHEL-07-020660 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory." block: - name: "MEDIUM | RHEL-07-020660 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory." - command: "{{ find_command_base }} -print -quit" + ansible.builtin.shell: "{{ find_command_base }} -print -quit" check_mode: false changed_when: rhel_07_020660_audit.stdout |length > 0 register: rhel_07_020660_audit 
@@ -1537,7 +1538,7 @@ this_item: "{{ item }}" - name: "MEDIUM | RHEL-07-020660 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory." - command: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +" + ansible.builtin.shell: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +" with_items: "{{ rhel_07_020660_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" @@ -1546,7 +1547,7 @@ this_item: "{{ item.item }}" vars: find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 - ( -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f ) -o + -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f -o -not -user {{ this_item.uid }}' when: - rhel_07_020660 @@ -1562,7 +1563,7 @@ - name: "MEDIUM | RHEL-07-020670 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." block: - name: "MEDIUM | RHEL-07-020670 | AUDIT | Get all GIDs for each user." - command: id -G "{{ item.id }}" + ansible.builtin.shell: id -G "{{ item.id }}" check_mode: false changed_when: false register: rhel_07_all_gid_audit @@ -1572,7 +1573,7 @@ label: "{{ rhel7stig_passwd_label }}" - name: "MEDIUM | RHEL-07-020670 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." - command: "{{ find_command_base }} -print -quit" + ansible.builtin.shell: "{{ find_command_base }} -print -quit" check_mode: false changed_when: rhel_07_020670_audit.stdout| length > 0 register: rhel_07_020670_audit 
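Review bot: Dropping the parentheses from the RHEL-07-020660 `find_command_base` is precedence-neutral here (find's implicit `-a` already binds `-path ... -type f` together before `-o`), but the reason they had to go — the task now runs under `ansible.builtin.shell:`, where a bare `(` is a syntax error — means `"{{ this_item.dir }}"` is now expanded by a shell, and double quotes do not stop `$(...)`, backticks or `$VAR` expansion. `this_item.dir` is a home-directory field, and the PATCH task appends `-exec chown {{ this_item.uid }} {} +` and runs as root, so a crafted home path would be executed with root privileges; how attacker-influenced that field is depends on how `rhel7stig_passwd` is built, which is outside the hunk. Keep the module as `ansible.builtin.command:` — the parenthesis-free expression works there unchanged — so the path is an argv element rather than shell input.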
@@ -1586,7 +1587,7 @@ this_result: "{{ item }}" - name: "MEDIUM | RHEL-07-020670 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." - command: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +" + ansible.builtin.shell: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +" with_items: "{{ rhel_07_020670_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" @@ -1596,7 +1597,7 @@ this_result: "{{ item.item }}" vars: find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 - ( -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f ) -o + -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f -o -not -group {{ this_result.stdout.split(" ") | join(" -not -group ") }}' when: - rhel_07_020670 
@@ -1612,13 +1613,13 @@ - name: "MEDIUM | RHEL-07-020680 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." block: - name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - stat: + ansible.builtin.stat: path: "{{ item }}" with_items: "{{ rhel7stig_passwd | selectattr('uid', '>=', rhel7stig_interactive_uid_start | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" register: rhel_07_020680_audit - name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false changed_when: rhel_07_020680_patch_audit.stdout| length > 0 register: rhel_07_020680_patch_audit @@ -1632,7 +1633,7 @@ - item.1.exists - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - file: + ansible.builtin.file: path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx 
@@ -1678,7 +1679,7 @@ - name: "MEDIUM | RHEL-07-020690 | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root." block: - name: "MEDIUM | RHEL-07-020690 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root." - command: "{{ find_command_base }} -print -quit" + ansible.builtin.shell: "{{ find_command_base }} -print -quit" check_mode: false changed_when: rhel_07_020690_audit.stdout | length > 0 register: rhel_07_020690_audit @@ -1691,7 +1692,7 @@ this_item: "{{ item }}" - name: "MEDIUM | RHEL-07-020690 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root." - command: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +" + ansible.builtin.shell: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +" with_items: "{{ rhel_07_020690_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" @@ -1701,7 +1702,7 @@ vars: find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 -type f -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" - -not ( -user {{ this_item.uid }} -o -user root )' + -not -user {{ this_item.uid }} -o -user root' when: - rhel_07_020690 tags: 
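Review bot: Removing the grouping in the RHEL-07-020690 `find_command_base` inverts the check: find's implicit `-a` binds tighter than `-o`, so `... -not -path ... -not -user {{ this_item.uid }} -o -user root` with the appended `-print -quit` or `-exec chown {{ this_item.uid }} {} +` parses as `(dotfile not owned by the user) OR (owned by root AND print/chown)`. Because the action sits only on the right branch, the audit reports nothing for init files owned by a third user, and the PATCH task chowns every root-owned entry under the home directory (the `-type f` and `-path` tests belong to the left branch only) to the user — the STIG explicitly permits root ownership, so this misses the violation and weakens ownership at the same time. De Morgan gives a form that needs no parentheses under the shell: `-not -user {{ this_item.uid }} -not -user root'`. Alternatively escape them as `\( ... \)`, or return to `ansible.builtin.command:` where the original literal parentheses were fine.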
@@ -1716,7 +1717,7 @@ - name: "MEDIUM | RHEL-07-020700 | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root." block: - name: "MEDIUM | RHEL-07-020700 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root." - command: "{{ find_command_base }} -print -quit" + ansible.builtin.shell: "{{ find_command_base }} -print -quit" check_mode: false changed_when: rhel_07_020700_audit.stdout| length > 0 register: rhel_07_020700_audit @@ -1729,7 +1730,7 @@ this_item: "{{ item }}" - name: "MEDIUM | RHEL-07-020700 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root." - command: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +" + ansible.builtin.shell: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +" with_items: "{{ rhel_07_020700_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" @@ -1739,7 +1740,7 @@ vars: find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 -type f -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" - -not ( -group {{ this_item.gid }} -o -group root )' + -not -group {{ this_item.gid }} -o -group root' when: - rhel_07_020700 tags: @@ -1752,7 +1753,7 @@ - permissions - name: "MEDIUM | RHEL-07-020710 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files must have mode 0740 or less permissive." - file: + ansible.builtin.file: path: "{{ item }}" mode: '0640' state: touch 
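Review bot: The RHEL-07-020700 `find_command_base` has the same precedence regression: `-not -group {{ this_item.gid }} -o -group root` followed by `-print -quit` or `-exec chgrp {{ this_item.gid }} {} +` attaches the action to the `-group root` branch only, so files group-owned by an unrelated group are never reported or fixed, while every root-group entry under the home directory is chgrp'd to the user's primary group. Write it without grouping as `-not -group {{ this_item.gid }} -not -group root'`, which is the same predicate under both `command` and `shell`.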
@@ -1773,7 +1774,7 @@ - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." block: - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." - shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath with_items: "{{ rhel_07_stig_interactive_homedir_results }}" changed_when: false failed_when: false @@ -1783,13 +1784,13 @@ - rhel_07_stig_interactive_homedir_inifiles is defined - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." - debug: + ansible.builtin.debug: msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory. with_items: - "{{ rhel_07_020710_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" - name: "MEDIUM | RHEL-07-020720 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: "^PATH=" line: "{{ rhel_07_020720_user_path }}" 
@@ -1813,14 +1814,14 @@ block: # Let's find any progerams with world-writable permissions. - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - shell: find / -xdev -perm -002 -type f -exec ls -ld {} \; | awk '{print $9}' + ansible.builtin.shell: find / -xdev -perm -002 -type f -exec ls -ld {} \; | awk '{print $9}' failed_when: false changed_when: false register: rhel_07_020730_perms_results # Now let's see if those come up in any interactive users' home directory ini files. - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - debug: + ansible.builtin.debug: msg: "Good news! We have not found any world-writable exeutable programs on your system." failed_when: false changed_when: false @@ -1835,7 +1836,7 @@ when: rhel_07_020730_perms_results.stdout_lines | length > 0 - name: "MEDIUM | RHEL-07-020730 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - file: + ansible.builtin.file: path: "{{ item }}" mode: '0755' state: touch @@ -1858,7 +1859,7 @@ - complexity-high - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." - setup: + ansible.builtin.setup: gather_subset: selinux,!min,!all filter: ansible_selinux when: 
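Review bot: The world-writable audit for RHEL-07-020730 builds its list with `-exec ls -ld {} \; | awk '{print $9}'`, which truncates any path containing whitespace to its first word; the PATCH task then applies `state: touch` to `{{ item }}`, so a truncated path creates a new empty file with `mode: '0755'` instead of fixing the real one. Let find print the path itself with `find / -xdev -perm -002 -type f -printf '%p\n'` and use `state: file` in the PATCH so a missing path is an error rather than a creation. The loop that feeds `item` is outside the hunk, so confirm it is wired to `rhel_07_020730_perms_results.stdout_lines` before relying on this.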
@@ -1881,13 +1882,13 @@ - name: "MEDIUM | RHEL-07-020900 | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." block: - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." - command: find {{ rhel7stig_local_mounts | join(' ') }} -xdev ( -context *:device_t:* -o -context *:unlabeled_t:* ) ( -type c -o -type b ) -printf '%p %Z\n' + ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -context *:device_t:* -o -context *:unlabeled_t:* -type c -o -type b -printf '%p %Z\n' changed_when: false check_mode: false register: rhel_07_020900_audit - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." - debug: + ansible.builtin.debug: msg: "{{ rhel_07_020900_audit.stdout_lines }}" changed_when: rhel7stig_audit_complex when: rhel_07_020900_audit.stdout_lines | length > 0 @@ -1909,7 +1910,7 @@ - complexity-high - name: "MEDIUM | RHEL-07-021000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed." - mount: + ansible.builtin.mount: path: /home state: mounted src: "{{ home_mount.device }}" 
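Review bot: The device-label audit for RHEL-07-020900 no longer tests what its name says: without the grouping, `-context *:device_t:* -o -context *:unlabeled_t:* -type c -o -type b -printf '%p %Z\n'` parses as `device_t OR (unlabeled_t AND char) OR (block AND printf)`, so `-printf` fires for every block device regardless of label and mislabeled character devices never reach `rhel_07_020900_audit.stdout_lines`. Under `ansible.builtin.shell:` the unquoted `*:device_t:*` and `*:unlabeled_t:*` are also glob patterns now, expanded by the shell whenever a matching name exists in the working directory. Either revert this task to `ansible.builtin.command:` with the original parenthesised expression, or escape and quote it: `-xdev \( -context '*:device_t:*' -o -context '*:unlabeled_t:*' \) \( -type c -o -type b \) -printf '%p %Z\n'`.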
@@ -1932,7 +1933,7 @@ - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." - mount: + ansible.builtin.mount: path: /media state: mounted src: "{{ removable_mount.device }}" @@ -1945,7 +1946,7 @@ - "'nosuid' not in home_mount.options" - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." - mount: + ansible.builtin.mount: path: /mnt state: mounted src: "{{ removable_mount2.device }}" @@ -1968,7 +1969,7 @@ - V-204481 - name: "MEDIUM | RHEL-07-021020 | PATCH | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)." - mount: + ansible.builtin.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -1993,7 +1994,7 @@ - mounts - name: "MEDIUM | RHEL-07-021021 | PATCH | The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)." - mount: + ansible.builtin.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" 
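Review bot: The hunk header for the `/mnt` remount shows `'nosuid' not in home_mount.options` as the nearest preceding line, which falls inside the `/media` task that mounts `removable_mount.device`; if that is the `/media` task's `when`, the remount is gated on `/home`'s mount options rather than the removable mount's own, so a `/media` lacking `nosuid` is left untouched whenever `/home` already has it. The task body is outside the hunk, so confirm, but the condition should read `'nosuid' not in removable_mount.options` (and `removable_mount2.options` for `/mnt`).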
@@ -2020,13 +2021,13 @@ - name: "MEDIUM | RHEL-07-021030 | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." block: - name: "MEDIUM | RHEL-07-021030 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." - command: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -type d -perm -002 -gid +999 + ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -type d -perm -002 -gid +999 changed_when: rhel_07_021030_audit.stdout != "" check_mode: false register: rhel_07_021030_audit - name: "MEDIUM | RHEL-07-021030 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." - file: + ansible.builtin.file: path: "{{ item }}" group: root check_mode: "{{ rhel7stig_disruptive_check_mode }}" @@ -2045,7 +2046,7 @@ - disruption-high - name: "MEDIUM | RHEL-07-021040 | PATCH | The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts." - file: + ansible.builtin.file: path: "{{ item }}" mode: '077' state: touch @@ -2070,7 +2071,7 @@ - accounts - name: "MEDIUM | RHEL-07-021100 | PATCH | The Red Hat Enterprise Linux operating system must have cron logging implemented." - lineinfile: + ansible.builtin.lineinfile: path: /etc/rsyslog.conf state: present regexp: '^cron\.\*[ \t]+/var/log/cron$' 
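Review bot: The RHEL-07-021040 task applies `mode: '077'` with `state: touch` to each `{{ item }}`; a file mode of 077 removes all owner permissions and grants group and other rwx, the opposite of what a `umask 077` requirement asks for, and `state: touch` rewrites the mtime on every run so the task never reaches idempotence. The loop items are outside the hunk, so confirm what `item` is, but if these are the user initialization files the control needs a `umask 077` line in them — `ansible.builtin.lineinfile:` with `regexp: '^\s*umask\s'` and `line: 'umask 077'` — not a chmod.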
@@ -2096,12 +2097,12 @@ MEDIUM | RHEL-07-021120 | The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. block: - name: "MEDIUM | RHEL-07-021110, RHEL-07-021120 | PATCH | Check if cron.allow file exists" - stat: + ansible.builtin.stat: path: /etc/cron.allow register: cron_allow_file_check - name: "MEDIUM | RHEL-07-021110, RHEL-07-021120 | PATCH | Set cron.allow file owner and group-owner to root" - file: + ansible.builtin.file: dest: /etc/cron.allow state: file owner: root @@ -2125,13 +2126,13 @@ - name: "MEDIUM | RHEL-07-021300 | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed." block: - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed." - shell: "systemctl show kdump | grep LoadState | cut -d = -f 2" + ansible.builtin.shell: "systemctl show kdump | grep LoadState | cut -d = -f 2" register: rhel_07_021300_kdump_service_status changed_when: false check_mode: false - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed." - service: + ansible.builtin.service: name: kdump enabled: false state: stopped @@ -2152,7 +2153,7 @@ - name: "MEDIUM | RHEL-07-021620 | The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories." block: - name: "Replace sha256+sha512 entries with sha512" - replace: + ansible.builtin.replace: path: /etc/aide.conf regexp: '([A-Z]+ = .*)(sha256\+sha512)(.*)' replace: '\1sha512\3' @@ -2160,7 +2161,7 @@ notify: "{{ rhel7stig_aide_handler }}" - name: "Replace sha256 entries with sha512" - replace: + ansible.builtin.replace: path: /etc/aide.conf regexp: '([A-Z]+ = .*)(sha256)(.*)' replace: '\1sha512\3' 
@@ -2181,14 +2182,14 @@ block: # Let's see what is configured in grub. - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." - shell: grep -o "set root=.*" "{{ rhel7stig_grub_cfg_path }}" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq + ansible.builtin.shell: grep -o "set root=.*" "{{ rhel7stig_grub_cfg_path }}" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq register: rhel7stig_grub_cfg_mediacheck changed_when: false failed_when: false # Report on the bootloader list - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." - debug: + ansible.builtin.debug: msg: "Warning!! The grub2 bootloader potentially has some invalid entries that contain {{ item }}" changed_when: true with_items: @@ -2219,7 +2220,7 @@ - name: "MEDIUM | RHEL-07-030000 | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users." block: - name: "MEDIUM | RHEL-07-030000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users." - package: + ansible.builtin.package: name: audit state: present vars: 
@@ -2228,7 +2229,7 @@ - "'audit' not in ansible_facts.packages" - name: "MEDIUM | RHEL-07-030000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users." - service: + ansible.builtin.service: name: auditd state: "{{ rhel7stig_service_started }}" enabled: true @@ -2248,7 +2249,7 @@ - logging - name: "MEDIUM | RHEL-07-030010 | PATCH | The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/rules.d/audit.rules regexp: "^-f " line: "-f {{ rhel7stig_auditd_failure_flag }}" @@ -2266,7 +2267,7 @@ - logging - name: "MEDIUM | RHEL-07-030201 | PATCH | The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audisp/plugins.d/au-remote.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -2292,7 +2293,7 @@ - logging - name: "MEDIUM | RHEL-07-030210 | PATCH | The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audisp/audispd.conf regexp: '^overflow_action =' line: "overflow_action = syslog" 
@@ -2309,7 +2310,7 @@
 - logging
 - name: "MEDIUM | RHEL-07-030211 | PATCH | The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/audisp/audispd.conf
 regexp: '^name_format ='
 line: name_format = hostname
@@ -2327,7 +2328,7 @@
 - logging
 - name: "MEDIUM | RHEL-07-030300 | PATCH | The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/audisp/audisp-remote.conf
 regexp: ^remote_server *=
 line: remote_server = {{ rhel7stig_audisp_remote_server }}
@@ -2344,7 +2345,7 @@
 - logging
 - name: "MEDIUM | RHEL-07-030310 | PATCH | The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/audisp/audisp-remote.conf
 regexp: ^enable_krb5 +=
 line: enable_krb5 = yes
@@ -2361,7 +2362,7 @@
 - logging
 - name: "MEDIUM | RHEL-07-030320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/audisp/audisp-remote.conf
 regexp: ^disk_full_action +=
 line: "disk_full_action = {{ rhel7stig_audisp_disk_full_action }}"
@@ -2378,7 +2379,7 @@
 - logging
 - name: "MEDIUM | RHEL-07-030321 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/audisp/audisp-remote.conf
 regexp: ^network_failure_action +=
 line: "network_failure_action = {{ rhel7stig_audisp_network_failure_action }}"
@@ -2395,7 +2396,7 @@
 - logging
 - name: "MEDIUM | RHEL-07-030330 | PATCH | The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/audit/auditd.conf
 regexp: ^space_left +=
 line: "space_left = {{ [rhel7stig_auditd_space_left | int, 51] | max }}"
@@ -2412,7 +2413,7 @@
 - logging
 - name: "MEDIUM | RHEL-07-030340 | PATCH | The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/audit/auditd.conf
 regexp: ^space_left_action +=
 line: "space_left_action = email"
@@ -2433,7 +2434,7 @@
 - logging
 - name: "MEDIUM | RHEL-07-030350 | PATCH | The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/audit/auditd.conf
 regexp: ^action_mail_acct +=
 line: "action_mail_acct = {{ rhel7stig_auditd_mail_acct }}"
@@ -2454,7 +2455,7 @@
 - logging
 - name: "MEDIUM | RHEL-07-030360 | PATCH | The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030360
@@ -2468,7 +2469,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030370 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030370
@@ -2482,7 +2483,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030410 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030410
@@ -2496,7 +2497,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030440 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030440
@@ -2510,7 +2511,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030510 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030510
@@ -2524,7 +2525,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030560 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the semanage command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030560
@@ -2538,7 +2539,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030570 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030570
@@ -2552,7 +2553,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030580 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chcon command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030580
@@ -2566,7 +2567,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030590 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030590
@@ -2580,7 +2581,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030610 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030610
@@ -2596,7 +2597,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030620 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030620
@@ -2612,7 +2613,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030630 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the passwd command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030630
@@ -2628,7 +2629,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030640 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030640
@@ -2644,7 +2645,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030650 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030650
@@ -2660,7 +2661,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030660 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chage command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030660
@@ -2676,7 +2677,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030670 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030670
@@ -2692,7 +2693,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030680 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the su command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030680
@@ -2709,7 +2710,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030690 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030690
@@ -2726,7 +2727,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030700 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030700
@@ -2743,7 +2744,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030710 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030710
@@ -2760,7 +2761,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030720 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chsh command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030720
@@ -2777,7 +2778,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030740 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030740
@@ -2792,7 +2793,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030750 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the umount command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030750
@@ -2807,7 +2808,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030760 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030760
@@ -2822,7 +2823,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030770 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030770
@@ -2837,7 +2838,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030780 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030780
@@ -2853,7 +2854,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030800 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the crontab command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030800
@@ -2869,7 +2870,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030810 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030810
@@ -2883,7 +2884,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030819 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030819
@@ -2897,7 +2898,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030820 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscall."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030820
@@ -2911,7 +2912,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030830 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030830
@@ -2925,7 +2926,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030840 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030840
@@ -2939,7 +2940,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030870 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030870
@@ -2956,7 +2957,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030871 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030871
@@ -2973,7 +2974,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030872 | PATCH | he Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030872
@@ -2990,7 +2991,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030873 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030873
@@ -3007,7 +3008,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030874 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030874
@@ -3024,7 +3025,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-030910 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls"
- set_fact:
+ ansible.builtin.set_fact:
 update_audit_template: true
 when:
 - rhel_07_030910
@@ -3041,7 +3042,7 @@
 - auditd
 - name: "MEDIUM | RHEL-07-031000 | PATCH | The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server."
- blockinfile:
+ ansible.builtin.blockinfile:
 path: /etc/rsyslog.conf
 state: present
 block: |
@@ -3070,7 +3071,7 @@
 - rsyslog
 - name: "MEDIUM | RHEL-07-031010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."
- replace:
+ ansible.builtin.replace:
 path: /etc/rsyslog.conf
 regexp: '({{ item }})'
 replace: '# \1'
@@ -3109,7 +3110,7 @@
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
 block:
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
- shell: for p in `firewall-cmd --list-services`; do firewall-cmd --permanent --service $p --get-ports | grep -Ev '{{ rhel7stig_firewall_ports_protocols | flatten | join('|') }}'; done;
+ ansible.builtin.shell: for p in `firewall-cmd --list-services`; do firewall-cmd --permanent --service $p --get-ports | grep -Ev '{{ rhel7stig_firewall_ports_protocols | flatten | join('|') }}'; done;
 changed_when: false
 failed_when: false
 check_mode: false
@@ -3117,7 +3118,7 @@
 when: rhel7stig_firewall_ports_protocols is defined
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
- debug:
+ ansible.builtin.debug:
 msg: "Warning!! Firewalld is accepting the following port/protocols that are not in the accepted list: {{ item }}."
 changed_when: false
 with_items: "{{ rhel7stig_PPSM_CLSA_check_firewalld.stdout }}"
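Review bot: The renamed `ansible.builtin.shell` at RHEL-07-040100 still drops `rhel7stig_firewall_ports_protocols` straight into a single-quoted `grep -Ev` pattern, so an entry containing a quote changes the shell command and an entry with ERE metacharacters (a `.` or `+`, say) matches more than the literal port/protocol; the allow-list is role-controlled, so exposure is limited to whoever sets inventory variables, but the audit result is still only as reliable as that input. Escaping each entry and quoting the whole pattern keeps the comparison literal: `grep -Ev {{ rhel7stig_firewall_ports_protocols | flatten | map('regex_escape') | join('|') | quote }}`. The `register:` for this task sits outside the hunk, so I could not confirm how the output is consumed downstream.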
@@ -3131,20 +3132,20 @@
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
 block:
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
- shell: iptables-save | grep -i accept | grep -i input
+ ansible.builtin.shell: iptables-save | grep -i accept | grep -i input
 changed_when: false
 failed_when: false
 check_mode: false
 register: rhel7stig_PPSM_CLSA_check_iptables # noqa var-naming
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
- debug:
+ ansible.builtin.debug:
 msg: "The following task output is what iptables is accepting on service ports to {{ ansible_hostname }}."
 changed_when: true
 when: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines is defined
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
- debug:
+ ansible.builtin.debug:
 var: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines # noqa var-naming
 changed_when: true
 when: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines is defined
@@ -3153,7 +3154,7 @@
 - rhel7stig_start_firewall_service
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
- debug:
+ ansible.builtin.debug:
 msg: "Your configured firewall service is {{ rhel7stig_firewall_service }}, but you have set the variable rhel7stig_start_firewall_service to false. We cannot audit control RHEL-07-040100 - The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
 changed_when: true
 when: not rhel7stig_start_firewall_service
@@ -3173,7 +3174,7 @@
 - disruption-high
 - name: "MEDIUM | RHEL-07-040110 | PATCH | The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?Ciphers"
 line: "Ciphers {{ rhel7stig_ssh_ciphers }}"
@@ -3194,7 +3195,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."
- blockinfile:
+ ansible.builtin.blockinfile:
 create: true
 mode: 0644
 dest: "{{ item.dest }}"
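Review bot: The Ciphers task at 3173 and the blockinfile at 3194 (and the sshd tasks that follow on later lines) keep `dest:` while the audit/audisp lineinfile tasks earlier in this same patch (e.g. 2248, 2266) use `path:`; `dest` is only an alias of `path` for lineinfile and blockinfile, so nothing breaks, but a commit that is already normalising module names to FQCN is the natural moment to settle on `path:` file-wide. In the 3194 hunk, `mode: 0644` is also an unquoted octal scalar; Ansible accepts the leading-zero form, but `mode: "0644"` removes the dependency on YAML 1.1 octal parsing and is what ansible-lint prefers. Both tasks' remaining keys sit outside the hunk.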
@@ -3223,7 +3224,7 @@
 - profile
 - name: "MEDIUM | RHEL-07-040170 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?Banner"
 line: Banner /etc/issue
@@ -3257,7 +3258,7 @@
 "MEDIUM | RHEL-07-040180 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
 "MEDIUM | RHEL-07-040190 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
 "MEDIUM | RHEL-07-040200 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
- shell: systemctl status sssd.service | grep "Active" | cut -d ':' -f1 | tr " " "\n" | sed '/^$/d'
+ ansible.builtin.shell: systemctl status sssd.service | grep "Active" | cut -d ':' -f1 | tr " " "\n" | sed '/^$/d'
 check_mode: false
 failed_when: false
 changed_when: false
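Review bot: The sssd check at 3257 derives the service state by scraping the human-oriented text of `systemctl status` through `grep "Active" | cut | tr | sed`, which is fragile across systemd versions and locales, and the `failed_when: false` hides the non-zero exit `status` returns for an inactive unit. `systemctl is-active sssd.service` under `ansible.builtin.command` (or `ansible.builtin.service_facts` and a lookup of `ansible_facts.services['sssd.service'].state`) gives the same answer without a pipeline; the exact replacement depends on what the registered result is compared against, which is outside the hunk. If the scrape stays, a comment such as `# parses 'Active: active (running)' into the word 'Active' only; state is decided downstream` would explain the odd `cut -f1`.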
@@ -3267,7 +3268,7 @@
 "MEDIUM | RHEL-07-040180 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
 "MEDIUM | RHEL-07-040190 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
 "MEDIUM | RHEL-07-040200 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
- stat:
+ ansible.builtin.stat:
 path: /etc/sssd/sssd.conf
 changed_when: false
 register: rhel_07_040180_ldapconf_audit
@@ -3277,7 +3278,7 @@
 "MEDIUM | RHEL-07-040180 | PATCH | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
 "MEDIUM | RHEL-07-040190 | PATCH | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
 "MEDIUM | RHEL-07-040200 | PATCH | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
- blockinfile:
+ ansible.builtin.blockinfile:
 block: |
 ldap_id_use_start_tls = true
 ldap_tls_reqcert = demand
@@ -3326,7 +3327,7 @@
 - sysctl
 - name: "MEDIUM | RHEL-07-040300 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed."
- package:
+ ansible.builtin.package:
 name:
 - openssh-clients
 - openssh-server
@@ -3349,7 +3350,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040310 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."
- service:
+ ansible.builtin.service:
 name: sshd
 state: "{{ rhel7stig_service_started }}"
 enabled: true
@@ -3369,7 +3370,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."
- lineinfile:
+ ansible.builtin.lineinfile:
 create: true
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?ClientAliveInterval"
@@ -3391,7 +3392,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?RhostsRSAAuthentication"
 line: RhostsRSAAuthentication no
@@ -3411,7 +3412,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040340 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."
- lineinfile:
+ ansible.builtin.lineinfile:
 create: true
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?ClientAliveCountMax"
@@ -3433,7 +3434,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: '(?i)^#?\s*IgnoreRhosts'
 line: IgnoreRhosts yes
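Review bot: The RHEL-07-040330 task at 3391 writes `RhostsRSAAuthentication no`, which, if I read the OpenSSH history right, is a protocol-1-only keyword that the OpenSSH 7.4 sshd shipped with RHEL 7 treats as deprecated (a startup log message, otherwise ignored); the line satisfies the STIG text check but changes no behaviour, and a comment like `# protocol-1 option, inert on OpenSSH >= 7.4; kept because the STIG check greps for it` would spare the next reader a detour. Separately, the IgnoreRhosts regexp at 3433 allows `\s*` after `#` while every sibling sshd task in this patch uses the bare `(?i)^#?` form; aligning them avoids one task matching an indented comment that the others would miss. The `notify`/`when` keys for these tasks are outside the hunk.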
@@ -3452,7 +3453,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040360 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon."
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?PrintLastLog"
 line: PrintLastLog yes
@@ -3471,7 +3472,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040370 | PATCH | The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH."
- lineinfile:
+ ansible.builtin.lineinfile:
 create: true
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?PermitRootLogin"
@@ -3492,7 +3493,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040380 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."
- lineinfile:
+ ansible.builtin.lineinfile:
 create: true
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?IgnoreUserKnownHosts"
@@ -3513,7 +3514,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040400 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."
- lineinfile:
+ ansible.builtin.lineinfile:
 create: true
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?MACs"
@@ -3536,7 +3537,7 @@
 - name: "MEDIUM | RHEL-07-040410 | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."
 block:
 - name: "MEDIUM | RHEL-07-040410 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."
- find:
+ ansible.builtin.find:
 paths: /etc/ssh
 recurse: true
 file_type: file
@@ -3547,7 +3548,7 @@
 register: rhel_07_040410_audit
 - name: "MEDIUM | RHEL-07-040410 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."
- file:
+ ansible.builtin.file:
 dest: "{{ item.path }}"
 mode: a-stx,go-w
 state: file
@@ -3567,7 +3568,7 @@
 - name: "MEDIUM | RHEL-07-040420 | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."
 block:
 - name: "MEDIUM | RHEL-07-040420 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."
- find:
+ ansible.builtin.find:
 paths: /etc/ssh
 recurse: true
 file_type: file
@@ -3578,7 +3579,7 @@
 register: rhel_07_040420_audit
 - name: "MEDIUM | RHEL-07-040420 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."
- file:
+ ansible.builtin.file:
 dest: "{{ item.path }}"
 mode: a-stx,go-w,o-r
 state: file
@@ -3597,7 +3598,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040430 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."
- lineinfile:
+ ansible.builtin.lineinfile:
 create: true
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?GSSAPIAuthentication"
@@ -3622,7 +3623,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040440 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?KerberosAuthentication"
 line: KerberosAuthentication no
@@ -3645,7 +3646,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040450 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?StrictModes"
 line: StrictModes yes
@@ -3664,7 +3665,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040460 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation."
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?UsePrivilegeSeparation"
 line: UsePrivilegeSeparation sandbox
@@ -3683,7 +3684,7 @@
 - ssh
 - name: "MEDIUM | RHEL-07-040470 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "(?i)^#?Compression"
 line: Compression no
@@ -3705,7 +3706,7 @@
 - name: "MEDIUM | RHEL-07-040500 | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
 block:
 - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
- package:
+ ansible.builtin.package:
 name: chrony
 state: absent
 vars:
@@ -3713,7 +3714,7 @@
 when: "'chrony' in ansible_facts.packages"
 - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
- package:
+ ansible.builtin.package:
 name: ntp
 state: present
 vars:
@@ -3721,7 +3722,7 @@
 when: "'ntp' not in ansible_facts.packages"
 - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
- lineinfile:
+ ansible.builtin.lineinfile:
 create: true
 dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}"
 regexp: "{{ item.regexp }}"
@@ -3747,7 +3748,7 @@
 - name: "MEDIUM | RHEL-07-040500 | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
 block:
 - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
- package:
+ ansible.builtin.package:
 name: ntp
 state: absent
 vars:
@@ -3755,7 +3756,7 @@ when: "'ntp' in ansible_facts.packages" - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - package: + ansible.builtin.package: name: chrony state: present vars: @@ -3763,7 +3764,7 @@ when: "'chrony' not in ansible_facts.packages" - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - replace: + ansible.builtin.replace: dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" regexp: '^server \S+( \w+)?$' notify: restart {{ rhel7stig_time_service }} @@ -3775,7 +3776,7 @@ - chronyd - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - blockinfile: + ansible.builtin.blockinfile: insertbefore: BOF dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" block: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].block }}" 
@@ -3797,12 +3798,12 @@ - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." block: - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." - package: + ansible.builtin.package: name: "{{ rhel7stig_firewall_service }}" state: present - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." - service: + ansible.builtin.service: name: "{{ rhel7stig_firewall_service }}" enabled: true state: started @@ -3985,7 +3986,7 @@ - name: "MEDIUM | RHEL-07-040670 | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode." block: - name: "MEDIUM | RHEL-07-040670 | PATCH | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode." - shell: "ip link | grep -i promisc | cut -d ':' -f 2" + ansible.builtin.shell: "ip link | grep -i promisc | cut -d ':' -f 2" changed_when: rhel_07_040670_promisc_check.stdout| length > 0 failed_when: false check_mode: false @@ -3993,7 +3994,7 @@ register: rhel_07_040670_promisc_check - name: "MEDIUM | RHEL-07-040670 | PATCH | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode." - shell: "ip link set dev {{ item }} promisc off" + ansible.builtin.shell: "ip link set dev {{ item }} promisc off" with_items: - "{{ rhel_07_040670_promisc_check.stdout_lines }}" when: 
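Review bot: The `promisc off` line expands `{{ item }}` inside a shell command, and that value is whatever came out of `ip link | grep -i promisc | cut -d ':' -f 2` on the host, including the leading space `cut` leaves on each field. Nothing on that line needs a shell (no pipe, redirect or glob), so `ansible.builtin.command: "ip link set dev {{ item | trim }} promisc off"` does the same job without the interface name being re-parsed by /bin/sh; the audit task above it genuinely needs `shell` for its pipeline. The enclosing block's `when:` continues past the end of the hunk.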
@@ -4010,14 +4011,14 @@ - name: "MEDIUM | RHEL-07-040680 | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying." block: - name: "MEDIUM | RHEL-07-040680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying." - command: "/usr/sbin/postconf -n smtpd_client_restrictions" + ansible.builtin.shell: "/usr/sbin/postconf -n smtpd_client_restrictions" check_mode: false changed_when: false register: rhel_07_040680_postconf_audit when: "'postfix' in ansible_facts.packages" - name: "MEDIUM | RHEL-07-040680 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying." - command: "/usr/sbin/postconf -e 'smtpd_client_restrictions=permit_mynetworks, reject'" + ansible.builtin.shell: "/usr/sbin/postconf -e 'smtpd_client_restrictions=permit_mynetworks, reject'" when: - "'postfix' in ansible_facts.packages" - rhel_07_040680_postconf_audit.stdout != 'smtpd_client_restrictions = permit_mynetworks, reject' @@ -4032,7 +4033,7 @@ - V-204619 - name: "MEDIUM | RHEL-07-040710 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requiremen" - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?X11Forwarding" @@ -4053,7 +4054,7 @@ - ssh - name: "MEDIUM | RHEL-07-040712 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requiremen" - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?KexAlgorithms" 
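Review bot: `command` was converted to `ansible.builtin.shell` for the two postconf tasks rather than to its direct FQCN equivalent `ansible.builtin.command`, which is a behaviour change, not a rename: the command module splits its argument string with shlex and runs it without a shell, while shell hands the line to /bin/sh, so any templated value in it becomes subject to word splitting and metacharacter interpretation. Neither line uses a pipe, redirect or glob, so `ansible.builtin.command: "/usr/sbin/postconf -n smtpd_client_restrictions"` (and the same for the `-e` task, whose single-quoted argument shlex keeps intact) preserves the original semantics and keeps ansible-lint's command-instead-of-shell rule quiet. The same command→shell substitution appears at the sssd grep (@@ -4266), both nmcli tasks (@@ -4318), and in handlers/main.yml for grub2-mkconfig (@@ -1), service/dracut/prelink/auditctl (@@ -57) and aide --init/mv/dconf (@@ -80); the ones that interpolate a role variable, `--output={{ rhel7stig_grub_cfg_path }}`, `auditctl -f {{ rhel7stig_auditd_failure_flag }}` and `mv {{ rhel7stig_aide_temp_db_file }} {{ rhel7stig_aide_db_file }}`, are the ones most worth putting back on `command`.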
@@ -4074,7 +4075,7 @@ - ssh - name: "MEDIUM | RHEL-07-040720 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode." - lineinfile: + ansible.builtin.lineinfile: path: /etc/xinetd.d/tftp regexp: "(?i)^.*server_args.*=" line: " server_args = -s /var/lib/tftpboot" @@ -4097,7 +4098,7 @@ - tftp - name: "MEDIUM | RHEL-07-040730 | PATCH | The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved." - package: + ansible.builtin.package: name: - "@x11" - xorg-x11-server-common 
@@ -4138,20 +4139,20 @@ - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS." block: - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS." - shell: cat /etc/fstab | grep nfs + ansible.builtin.shell: cat /etc/fstab | grep nfs register: rhel_07_040750_nfssec_check changed_when: false failed_when: false check_mode: false - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS." - debug: + ansible.builtin.debug: msg: "There were no applicable NFS mounts found to audit per RHEL-07-040750." changed_when: true when: rhel_07_040750_nfssec_check.stdout_lines is not defined - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS." - debug: + ansible.builtin.debug: msg: "The following NFS mount is required to be audited per RHEL-07-040750: {{ item }} - If the system is mounting file systems via NFS and has the sec option without the 'krb5:krb5i:krb5p' settings, the 'sec' option has the 'sys' setting, or the 'sec' option is missing, this is a finding." changed_when: true with_items: 
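Review bot: The "no applicable NFS mounts" debug is gated on `rhel_07_040750_nfssec_check.stdout_lines is not defined`, but a registered shell result always carries `stdout_lines` (an empty list when grep matched nothing, and the task cannot fail because of `failed_when: false`), so the condition is never true and that message is never shown; the `with_items` loop on the next task simply runs zero times. The test should be `when: rhel_07_040750_nfssec_check.stdout_lines | length == 0`, in line with how the other audit tasks in this file check `stdout | length`. The enclosing block continues past the end of the hunk.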
@@ -4178,7 +4179,7 @@ when: rhel7stig_firewall_service != "firewalld" - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: + ansible.builtin.debug: msg: "Could not pull configuration rules for RHEL-07-040810 {{ rhel7stig_firewall_service }}, but you have set the variable rhel7stig_start_firewall_service to false." changed_when: true when: not rhel7stig_start_firewall_service @@ -4196,7 +4197,7 @@ - disruption-high - name: "MEDIUM | RHEL-07-040820 | PATCH | The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured." - package: + ansible.builtin.package: name: libreswan state: absent vars: @@ -4233,7 +4234,7 @@ - name: "MEDIUM | RHEL-07-041001 | The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed." block: - name: "MEDIUM | RHEL-07-041001 | PATCH | The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed." - package: + ansible.builtin.package: name: - esc - authconfig-gtk @@ -4244,7 +4245,7 @@ - rhel7stig_gui - name: "MEDIUM | RHEL-07-041001 | PATCH | The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed." - package: + ansible.builtin.package: name: pam_pkcs11 state: present vars: 
@@ -4266,7 +4267,7 @@ - name: "MEDIUM | RHEL-07-041002 | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)." block: - name: "MEDIUM | RHEL-07-041002 | AUDIT | Check if pam service is configured in sssd file" - command: 'grep -E "^\s*services\s*=.*pam" /etc/sssd/sssd.conf' + ansible.builtin.shell: 'grep -E "^\s*services\s*=.*pam" /etc/sssd/sssd.conf' check_mode: false changed_when: - sssd_services_check.rc == 1 @@ -4277,7 +4278,7 @@ register: sssd_services_check - name: "MEDIUM | RHEL-07-041002 | PATCH | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)." - debug: + ansible.builtin.debug: msg: "WARNING: SSSD is in use and /etc/sssd/sssd.conf is not configured to use the PAM service (services = nss, pam)" changed_when: rhel7stig_audit_complex when: sssd_services_check.rc == 1 @@ -4298,7 +4299,7 @@ - sssd - name: "MEDIUM | RHEL-07-041003 | The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication." - replace: + ansible.builtin.replace: path: /etc/pam_pkcs11/pam_pkcs11.conf regexp: (?im)^([ \t]*cert_policy[ \t]*=(?:[^ \t\n]|[ \t](?!ocsp_on,))*?)(?:[ \t]ocsp_on,[ \t]*)?[ \t]*((?:[^,\n]|,(?![ \t]*ocsp_on,))*?)(?:,[ \t]*ocsp_on)?;$ replace: '\1 ocsp_on, \2;' 
@@ -4318,13 +4319,13 @@ - name: "MEDIUM | RHEL-07-041010 | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled." block: - name: "MEDIUM | RHEL-07-041010 | AUDIT | check if wifi is enabled" - command: nmcli radio wifi + ansible.builtin.shell: nmcli radio wifi changed_when: false check_mode: false register: rhel_07_wifi_enabled - name: "MEDIUM | RHEL-07-041010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled." - command: nmcli radio wifi off + ansible.builtin.shell: nmcli radio wifi off when: - "'enabled' in rhel_07_wifi_enabled.stdout" when: @@ -4343,7 +4344,7 @@ - networking - name: "MEDIUM | RHEL-07-020019 | AUDIT | The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed." - debug: + ansible.builtin.debug: msg: - "Please install and enable the latest McAfee HIPS package, available from USCYBERCOM." - "If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." @@ -4360,7 +4361,7 @@ - antivirus - name: "MEDIUM | RHEL-07-010062 | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_07_010062 content: | /org/gnome/desktop/screensaver/lock-enabled @@ -4379,7 +4380,7 @@ - dconf - name: "MEDIUM | RHEL-07-020111 | PATCH | The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-No-Automount content: | [org/gnome/desktop/media-handling] 
@@ -4405,7 +4406,7 @@ - name: "MEDIUM | RHEL-07-021031 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user." block: - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Get world-writable files" - shell: "find {{ item.mount }} -xdev -type d -perm -0002 -uid +999 -print" + ansible.builtin.shell: "find {{ item.mount }} -xdev -type d -perm -0002 -uid +999 -print" changed_when: false failed_when: false register: rhel_07_021031_world_writable_files @@ -4413,11 +4414,11 @@ - "{{ ansible_facts.mounts }}" - name: "MEDIUM | RHEL-07-021031 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Flatten results" - set_fact: + ansible.builtin.set_fact: rhel_07_021031_world_writable_files_flat: "{{ rhel_07_021031_world_writable_files.results | map(attribute='stdout_lines') | flatten }}" - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | List world-writable files" - debug: + ansible.builtin.debug: msg: - "Below are the world-writable files" - "{{ rhel_07_021031_world_writable_files_flat }}" 
@@ -4425,14 +4426,14 @@ - rhel_07_021031_world_writable_files_flat != [] - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Alert on no world-writable files" - debug: + ansible.builtin.debug: msg: - "Good News! No world-writable files detected" when: - rhel_07_021031_world_writable_files_flat == [] - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Adjust world-writable files" - file: + ansible.builtin.file: path: "{{ item }}" owner: root with_items: @@ -4455,12 +4456,12 @@ - name: "MEDIUM | RHEL-07-910055 | PATCH | The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion" block: - name: "MEDIUM | RHEL-07-910055 | AUDIT | The Red Hat EnterpriseLinux operating system must protect audit information from unauthorized read, modification, or deletion | Get log files" - find: + ansible.builtin.find: paths: /var/log/audit register: rhel_07_910055_audit_log_files - name: "MEDIUM | RHEL-07-910055 | PATCH | The Red Hat EnterpriseLinux operating system must protect audit information from unauthorized read, modification, or deletion | Apply permissions" - file: + ansible.builtin.file: path: "{{ item.path }}" owner: root group: root @@ -4483,7 +4484,7 @@ - logs - name: "MEDIUM | RHEL-07-040711 | PATCH | The Red Hat Enterprise Linux operating system must prevent remote hosts from connecting to the proxy display." - lineinfile: + ansible.builtin.lineinfile: create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?X11UseLocalhost" 
@@ -4505,13 +4506,13 @@ - name: "MEDIUM | RHEL-07-010341 | PATCH | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel." block: - name: "MEDIUM | RHEL-07-010341 | AUDIT | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. | Get ALL settings" - shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + ansible.builtin.shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel_07_010341_sudoers_all - name: "MEDIUM | RHEL-07-010341 | PATCH | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. | Remove format 1" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'ALL ALL=(ALL) ALL' state: absent @@ -4521,7 +4522,7 @@ when: rhel_07_010341_sudoers_all.stdout | length > 0 - name: "MEDIUM | RHEL-07-010341 | PATCH | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. | Remove format 2" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'ALL\s+ALL=(ALL:ALL)\s+ALL' state: absent 
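Review bot: The two `state: absent` regexes in the RHEL-07-010341 block treat `(ALL)` and `(ALL:ALL)` as regex groups rather than literal parentheses: `'ALL ALL=(ALL) ALL'` matches the text `ALL ALL=ALL ALL`, so the actual `ALL ALL=(ALL) ALL` entry the control is meant to remove is left in place and the remediation is a silent no-op (same for format 2 in @@ -4521). The parentheses need escaping, `regexp: 'ALL\s+ALL=\(ALL\)\s+ALL'` and `regexp: 'ALL\s+ALL=\(ALL:ALL\)\s+ALL'`, and because these tasks edit /etc/sudoers and its drop-ins directly they should carry `validate: '/usr/sbin/visudo -cf %s'` the way the RHEL-07-010342 tasks further down do. The block continues past the end of the hunk.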
@@ -4544,13 +4545,13 @@ - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo." block: - name: "MEDIUM | RHEL-07-010342 | AUDIT | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation" - shell: grep -Eirs '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --uniq + ansible.builtin.shell: grep -Eirs '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --uniq changed_when: false failed_when: false register: rhel_07_010342_priv_escalation - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for no findings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers line: "{{ item }}" validate: '/usr/sbin/visudo -cf %s' @@ -4561,7 +4562,7 @@ when: rhel_07_010342_priv_escalation.stdout | length == 0 - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for targetpw with findings" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults !targetpw' line: 'Defaults !targetpw' @@ -4572,7 +4573,7 @@ - rhel_07_010342_priv_escalation.stdout | length > 0 - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for rootpw with findings" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults !rootpw' line: 'Defaults !rootpw' 
@@ -4583,7 +4584,7 @@ - rhel_07_010342_priv_escalation.stdout | length > 0 - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for runaspw with findings" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults !runaspw' line: 'Defaults !runaspw' @@ -4607,13 +4608,13 @@ - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command." block: - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Get files with timeout set" - shell: grep -irs 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + ansible.builtin.shell: grep -irs 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel_07_010343_timeout_files - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Set value if no results" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel7stig_sudo_timestamp_timeout }}" @@ -4621,7 +4622,7 @@ when: rhel_07_010343_timeout_files.stdout | length == 0 - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Set value if has results" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel7stig_sudo_timestamp_timeout }}" 
@@ -4644,18 +4645,18 @@ - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege." block: - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Get SELinux Role mappings" - shell: semanage user -l + ansible.builtin.shell: semanage user -l changed_when: false failed_when: false register: rhel_07_020021_sel_role_mappings - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Show SELinux Role mappings" - debug: + ansible.builtin.debug: msg: "Warning! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings" when: rhel_07_020021_sel_role_mappings.stdout | length > 0 - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Warning!! that semanage is not installed" - debug: + ansible.builtin.debug: msg: "Warning!! You do not have semanage installed! Please installed the needed packages" when: "'command not found' in rhel_07_020021_sel_role_mappings.stderr" when: 
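Review bot: The "Show SELinux Role mappings" debug tells the operator the mappings are "below" but its `msg` is a single fixed string, so the `semanage user -l` output the block just gathered is never displayed unless the play runs with -v. Making `msg` a list, `- "Warning!! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings"` followed by `- "{{ rhel_07_020021_sel_role_mappings.stdout_lines }}"`, gives the reviewer what the message refers to. Keeping `shell` for the `semanage` call is right here, since the `'command not found' in ...stderr` test on the next task relies on the shell's own error text. The block's `when:` continues past the end of the hunk.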
@@ -4688,13 +4689,13 @@ - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" block: - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command | Get sysadm_r sudoers status" - shell: grep -rs sysadm_r /etc/sudoers /etc/sudoers.d/* + ansible.builtin.shell: grep -rs sysadm_r /etc/sudoers /etc/sudoers.d/* changed_when: false failed_when: false register: rhel_07_020023_sel_admin_sudo_status - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" - debug: + ansible.builtin.debug: msg: - "Warning!! Below is your sysadm_r settings in your sudoers file." - "Please review to confirm a designated sudoers admin group or account(s) is not configured to eleveate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Display if entry exists" @@ -4702,7 +4703,7 @@ when: rhel_07_020023_sel_admin_sudo_status.stdout | length > 0 - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" - debug: + ansible.builtin.debug: msg: - "Warning!! You do not have sysadm_r configured in your sudoers file(s_" - "Please configure to designate sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Warning!! that on entry exists" From 376d23e5b4ee00c9bd257b82dc18896ff4e7a47e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 12:00:55 +0000 Subject: [PATCH 109/126] FQCN Signed-off-by: Mark Bolwell --- handlers/main.yml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) 
diff --git a/handlers/main.yml b/handlers/main.yml index 63671263..b39b6b24 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,31 +1,31 @@ --- - name: restart sshd - service: + ansible.builtin.service: name: sshd state: restarted when: - not rhel7stig_system_is_chroot - name: reboot system - shell: sleep 3; reboot + ansible.builtin.shell: sleep 3; reboot async: 15 poll: 0 - name: restart snmpd - service: + ansible.builtin.service: name: snmpd state: restarted when: - not rhel7stig_system_is_chroot - name: confirm grub2 user cfg - stat: + ansible.builtin.stat: path: /boot/grub2/user.cfg register: rhel7stig_grub2_user_cfg notify: make grub2 config - name: make grub2 config - command: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_grub_cfg_path }} + ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_grub_cfg_path }} when: - rhel7stig_grub2_user_cfg.stat.exists - not rhel7stig_skip_for_travis @@ -33,7 +33,7 @@ - name: copy grub2 config to BIOS/UEFI to satisfy benchmark listen: make grub2 config - copy: + ansible.builtin.copy: src: "{{ rhel7stig_grub_cfg_path | dirname }}/{{ item }}" dest: "{{ rhel7stig_grub_cfg_path_invalid | dirname }}/{{ item }}" remote_src: true @@ -48,7 +48,7 @@ - not rhel7stig_system_is_container - name: "restart {{ rhel7stig_time_service }}" - service: + ansible.builtin.service: name: "{{ rhel7stig_time_service }}" state: restarted when: 
@@ -57,22 +57,22 @@ - not rhel7stig_system_is_container - name: restart auditd - command: /usr/sbin/service "{{ rhel7stig_audit_daemon }}" restart + ansible.builtin.shell: /usr/sbin/service "{{ rhel7stig_audit_daemon }}" restart args: warn: false - name: rebuild initramfs - command: dracut -f + ansible.builtin.shell: dracut -f - name: undo existing prelinking - command: prelink -ua + ansible.builtin.shell: prelink -ua - name: update running audit failure mode - command: auditctl -f {{ rhel7stig_auditd_failure_flag }} + ansible.builtin.shell: auditctl -f {{ rhel7stig_auditd_failure_flag }} failed_when: false - name: clean up ssh host key - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: 
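Review bot: `args: warn: false` under the `restart auditd` handler is the command/shell module's `warn` parameter, deprecated in ansible-core 2.11 and removed in 2.14, where it is now rejected as an unsupported parameter; since the handler is being moved to the FQCN form this is the moment to delete those two lines. The option only ever silenced the "consider the service module" hint, so nothing is lost, and the same `args: warn: false` appears under the `rpm -q python36-rpm` task in tasks/prelim.yml later in this series.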
@@ -80,27 +80,27 @@ - /etc/ssh/ssh_host_rsa_key.pub - name: init aide and wait - command: /usr/sbin/aide --init -B 'database_out=file:{{ rhel7stig_aide_temp_db_file }}' + ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:{{ rhel7stig_aide_temp_db_file }}' notify: move aide db - name: init aide - shell: nohup /usr/sbin/aide --init -B 'database_out=file:{{ rhel7stig_aide_temp_db_file }}' > /dev/null & + ansible.builtin.shell: nohup /usr/sbin/aide --init -B 'database_out=file:{{ rhel7stig_aide_temp_db_file }}' > /dev/null & notify: move aide db - name: move aide db - command: "mv {{ rhel7stig_aide_temp_db_file }} {{ rhel7stig_aide_db_file }}" + ansible.builtin.shell: "mv {{ rhel7stig_aide_temp_db_file }} {{ rhel7stig_aide_db_file }}" when: not rhel7stig_aide_db_status.stat.exists or rhel7stig_overwrite_aide_db - name: dconf update - command: dconf update + ansible.builtin.shell: dconf update when: rhel7stig_has_dconf_command - name: prereport score - debug: + ansible.builtin.debug: msg: "Pre-run OpenSCAP score is {{ rhel7stig_prescanresults.Benchmark.TestResult.score['#text'] }}" when: rhel7stig_oscap_scan - name: postreport score - debug: + ansible.builtin.debug: msg: "Post-run OpenSCAP score is {{ rhel7stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel7stig_oscap_scan From 36e932ca573970ae941468fec36d4009a2de895e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 12:01:10 +0000 Subject: [PATCH 110/126] update audit example Signed-off-by: Mark Bolwell --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a26f7b09..7250a235 100644 --- a/README.md +++ b/README.md 
@@ -99,15 +99,16 @@ tags: ## Example Audit Summary -This is based on a vagrant image with selections enabled. e.g. No Gui or firewall. +This is based on a vagrant image with selections enabled. e.g. No Gui iptables firewall + Note: More tests are run during audit as we check config and running state. ```sh -ok: [rhel7test] => { +ok: [cent7_bios] => { "msg": [ - "The pre remediation results are: Count: 308, Failed: 156, Duration: 44.108s.", - "The post remediation results are: Count: 308, Failed: 14, Duration: 37.647s.", - "Full breakdown can be found in /var/tmp", + "The pre remediation results are: Count: 505, Failed: 214, Duration: 14.808s.", + "The post remediation results are: Count: 505, Failed: 34, Duration: 43.593s.", + "Full breakdown can be found in /opt", "" ] } From e733fcd205df9f0c108ca8f229c0e7e0f9287485 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 12:11:50 +0000 Subject: [PATCH 111/126] updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index 44c4720d..c740f3f8 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -2,6 +2,13 @@ ## Release 2.0.0 +Lint work +FQCN +Testing +workflow updates +audit version alignment +README + ### Issues - Thanks to @Joseph Hoffman From fcfb58f87046d4ad19f4bea1ad0277aaf4532828 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 14:03:00 +0000 Subject: [PATCH 112/126] skip password change Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 16dfdf69..f836aa9c 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -77,6 +77,7 @@ resource "local_file" "inventory" { setup_audit: true run_audit: true system_is_ec2: true + rhel_07_010340: false EOF } From bd7b0d228e902cc288bb1343be99da8233196238 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 28 Feb 2023 14:10:20 +0000 Subject: [PATCH 113/126] added dummy bootloader passwd Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index f836aa9c..0e5660c3 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -78,6 +78,7 @@ resource "local_file" "inventory" { run_audit: true system_is_ec2: true rhel_07_010340: false + rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.somethingnewhere' EOF } From a02f7e3d18037b6824f5e4081d33f62f085c0559 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 09:53:20 +0000 Subject: [PATCH 114/126] Tidy up warning standard Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 950a55fd..110b469d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4180,7 +4180,7 @@ - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." ansible.builtin.debug: - msg: "Could not pull configuration rules for RHEL-07-040810 {{ rhel7stig_firewall_service }}, but you have set the variable rhel7stig_start_firewall_service to false." + msg: "Warning!! The variable rhel7stig_start_firewall_service to false, but unable to pull configuration rules for RHEL-07-040810 {{ rhel7stig_firewall_service }}" changed_when: true when: not rhel7stig_start_firewall_service when: 
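Review bot: The bootloader hash added to the CI inventory is a placeholder, not a grub2 PBKDF2 hash, so if the role renders it into the GRUB user.cfg the test instance ends up with a bootloader password nobody can satisfy; that is fine for a throwaway runner, but nothing in the heredoc says so. A comment line in the YAML heredoc, e.g. `# CI placeholder: not a valid grub.pbkdf2 hash; the test instance is disposable`, next to the `rhel_07_010340: false` toggle from the previous patch, would keep anyone from copying this inventory as a template for real hosts.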
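Review bot: The rewritten RHEL-07-040810 warning has lost its verb, `Warning!! The variable rhel7stig_start_firewall_service to false, ...` reads as a fragment. `msg: "Warning!! The variable rhel7stig_start_firewall_service is set to false, so configuration rules for RHEL-07-040810 {{ rhel7stig_firewall_service }} could not be pulled"` says the same thing grammatically. The enclosing block continues past the end of the hunk.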
@@ -4279,7 +4279,7 @@ - name: "MEDIUM | RHEL-07-041002 | PATCH | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)." ansible.builtin.debug: - msg: "WARNING: SSSD is in use and /etc/sssd/sssd.conf is not configured to use the PAM service (services = nss, pam)" + msg: "Warning!! SSSD is in use and /etc/sssd/sssd.conf is not configured to use the PAM service (services = nss, pam)" changed_when: rhel7stig_audit_complex when: sssd_services_check.rc == 1 when: @@ -4652,7 +4652,7 @@ - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Show SELinux Role mappings" ansible.builtin.debug: - msg: "Warning! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings" + msg: "Warning!! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings" when: rhel_07_020021_sel_role_mappings.stdout | length > 0 - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Warning!! that semanage is not installed" From 871987ae65a77ef404a6d8e36f2b3453f30c5d70 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 09:53:30 +0000 Subject: [PATCH 115/126] Standard PRELIM Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index b085dba4..a733c03b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,6 +1,6 @@ --- -- name: "PREREQ | Check required packages installed | Python2" +- name: "PRELIM | Check required packages installed | Python2" ansible.builtin.package: list: "{{ item }}" state: present 
@@ -11,7 +11,7 @@ ansible_python_interpreter: "{{ python2_bin }}" when: ansible_python.version.major == 2 -- name: "PREREQ | Add the required packages | Python 3" +- name: "PRELIM | Add the required packages | Python 3" block: - name: Check if python36-rpm package installed ansible.builtin.shell: rpm -q python36-rpm @@ -21,7 +21,7 @@ args: warn: false - - name: Add the EPEL repository required for the python36-rpm pkg + - name: "PRELIM | Add the EPEL repository required for the python36-rpm pkg" ansible.builtin.package: name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm state: present @@ -29,7 +29,7 @@ when: - python36_rpm_present.rc != '0' - - name: "PREREQ | Check required packages installed | Python3 " + - name: "PRELIM | Check required packages installed | Python3 " ansible.builtin.package: name: "{{ item }}" state: present @@ -38,7 +38,7 @@ - python36-rpm - libselinux-python3 - - name: Disable Epel repo if installed earlier + - name: "PRELIM | Disable Epel repo if installed earlier" ansible.builtin.shell: yum-config-manager disable epel when: epel_installed.changed when: @@ -98,7 +98,7 @@ - RHEL-07-010110 - RHEL-07-020230 -- name: "MEDIUM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | AUDIT | Find ini files for interactive users." +- name: "PRELIM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | AUDIT | Find ini files for interactive users." ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | awk -F"/" '$NF ~ /^\..*$/ {print $NF}' | grep -v history changed_when: false failed_when: false 
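Review bot: The EPEL install task's condition `python36_rpm_present.rc != '0'` compares the integer return code of `rpm -q` with the string `'0'`, which is always true, so EPEL is added on every run even when python36-rpm is already present; it should read `- python36_rpm_present.rc != 0`. The same task (its `ansible.builtin.package` line is in the previous hunk) installs `epel-release-latest-7.noarch.rpm` straight from a URL and nothing visible here imports the EPEL signing key first; since this role later enforces `localpkg_gpgcheck=1` (RHEL-07-020060), a second run on an already-hardened host may refuse the package, which deserves either an `ansible.builtin.rpm_key` task ahead of it or a comment explaining why that is acceptable. The task's `when:` list continues past the hunk.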
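Review bot: `yum-config-manager disable epel` does not disable anything as far as I can tell — yum-config-manager's positional arguments are repo ids and the switch is `--disable`, so this prints the configuration of a non-existent `disable` repo and leaves EPEL enabled on the host after the run. Change the line to `ansible.builtin.shell: yum-config-manager --disable epel`, and since no shell features are used `ansible.builtin.command` would be the safer module. The enclosing block's `when:` list continues past the hunk.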
@@ -117,7 +117,7 @@ - RHEL-07-020730 - complexity-high -- name: "MEDIUM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | Set fact for home directory paths for interactive users" +- name: "PRELIM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | Set fact for home directory paths for interactive users" ansible.builtin.set_fact: rhel_07_stig_interactive_homedir_inifiles: "{{ rhel_07_020710_ini_file_list.results | map(attribute='stdout_lines') | list }}" when: @@ -210,7 +210,7 @@ tags: - always -- name: ensure cronie is available +- name: "PRELIM | ensure cronie is available" ansible.builtin.package: name: cronie vars: From 43218e687210f3b1fdab99281c703bceb26e591e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 09:54:27 +0000 Subject: [PATCH 116/126] removed good new statements Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 110b469d..58db8d43 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1819,14 +1819,6 @@ changed_when: false register: rhel_07_020730_perms_results - # Now let's see if those come up in any interactive users' home directory ini files. - - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - ansible.builtin.debug: - msg: "Good news! We have not found any world-writable exeutable programs on your system." - failed_when: false - changed_when: false - when: rhel_07_020730_perms_results.stdout_lines | length == 0 - - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." include_tasks: audit_homedirinifiles.yml loop: 
@@ -4425,13 +4417,6 @@ when: - rhel_07_021031_world_writable_files_flat != [] - - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Alert on no world-writable files" - ansible.builtin.debug: - msg: - - "Good News! No world-writable files detected" - when: - - rhel_07_021031_world_writable_files_flat == [] - - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Adjust world-writable files" ansible.builtin.file: path: "{{ item }}" From fa8ea6ec95268f5affdf17fefda900faa568b6e4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 09:56:25 +0000 Subject: [PATCH 117/126] Added warning to manual messages Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 58db8d43..e8a440e8 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1368,7 +1368,7 @@ - name: "MEDIUM | RHEL-07-020320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." ansible.builtin.debug: - msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning!! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" changed_when: rhel7stig_audit_complex with_items: - "{{ rhel_07_020320_audit.results }}" 
@@ -1401,7 +1401,7 @@ - name: "MEDIUM | RHEL-07-020330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." ansible.builtin.debug: - msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning!! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" changed_when: rhel7stig_audit_complex with_items: - "{{ rhel_07_020330_audit.results }}" From df0c75b5e6d3ebb4089fa14c1c949b9046e9f019 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 10:07:07 +0000 Subject: [PATCH 118/126] lineinfile uses path and option ordering Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e8a440e8..05b6b970 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -457,7 +457,7 @@ - name: "MEDIUM | RHEL-07-010210 | PATCH | The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords." ansible.builtin.lineinfile: - dest: /etc/login.defs + path: /etc/login.defs regexp: ^#?ENCRYPT_METHOD line: "ENCRYPT_METHOD {{ rhel7stig_login_defaults.encrypt_method | default('SHA512') }}" when: @@ -473,7 +473,7 @@ - name: "MEDIUM | RHEL-07-010220 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords." ansible.builtin.lineinfile: - dest: /etc/libuser.conf + path: /etc/libuser.conf regexp: ^#?crypt_style line: crypt_style = sha512 when: 
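Review bot: `line: "ENCRYPT_METHOD {{ rhel7stig_login_defaults.encrypt_method | default('SHA512') }}"` writes whatever the inventory supplies, so a value such as `MD5` or `DES` is applied and RHEL-07-010210 is still reported as remediated, while the libuser task in the following hunk hardcodes `crypt_style = sha512` and would then disagree with login.defs. Unless the variable is validated elsewhere (not visible in this chunk), add an `ansible.builtin.assert` ahead of the lineinfile with `that: (rhel7stig_login_defaults.encrypt_method | default('SHA512')) | upper == 'SHA512'`, or drop the override and hardcode SHA512 the way the libuser task does. The task's `when:` continues past the hunk.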
@@ -667,7 +667,7 @@ - name: "MEDIUM | RHEL-07-010310 | PATCH | The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires." ansible.builtin.lineinfile: - dest: /etc/default/useradd + path: /etc/default/useradd regexp: ^#?INACTIVE line: INACTIVE=35 when: @@ -874,7 +874,7 @@ - name: "MEDIUM | RHEL-07-010430 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds." ansible.builtin.lineinfile: - dest: /etc/login.defs + path: /etc/login.defs regexp: ^#?FAIL_DELAY line: "FAIL_DELAY {{ rhel7stig_login_defaults.fail_delay_secs | default('4') }}" when: @@ -890,7 +890,7 @@ - name: "MEDIUM | RHEL-07-010460 | PATCH | The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?PermitUserEnvironment" line: PermitUserEnvironment no validate: /usr/sbin/sshd -t -f %s @@ -909,7 +909,7 @@ - name: "MEDIUM | RHEL-07-010470 | PATCH | The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?HostbasedAuthentication" line: HostbasedAuthentication no validate: /usr/sbin/sshd -t -f %s @@ -1170,10 +1170,10 @@ - name: "MEDIUM | RHEL-07-020100 | PATCH | The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage." ansible.builtin.lineinfile: - dest: "{{ item.file }}" - insertafter: "{{ item.insertafter }}" + path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" create: true owner: root group: root 
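Review bot: When `/etc/ssh/sshd_config` has no existing or commented `PermitUserEnvironment` line, lineinfile appends `PermitUserEnvironment no` at end of file, and on a host whose config ends with a `Match` block the directive lands inside that block; as far as I recall PermitUserEnvironment is not a Match keyword on the OpenSSH 7.4 shipped with RHEL 7, so `sshd -t` rejects it and the task fails rather than hardens. Add `insertbefore: '^\s*Match'` and `firstmatch: true` to the lineinfile so the line is placed in the global section, and do the same for the `HostbasedAuthentication` task in the next hunk, where Match does accept the keyword and an appended line would silently apply only to that block. The tasks' `notify`/`when` continue past the hunks.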
@@ -1202,10 +1202,10 @@ - name: "MEDIUM | RHEL-07-020101 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required." ansible.builtin.lineinfile: - dest: "{{ item.file }}" - insertafter: "{{ item.insertafter }}" + path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" create: true owner: root group: root @@ -1286,7 +1286,7 @@ - name: "MEDIUM | RHEL-07-020240 | PATCH | The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." ansible.builtin.lineinfile: - dest: /etc/login.defs + path: /etc/login.defs regexp: ^#?UMASK line: "UMASK {{ rhel7stig_login_defaults.umask | default('077') }}" when: @@ -1422,7 +1422,7 @@ - name: "MEDIUM | RHEL-07-020610 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory." ansible.builtin.lineinfile: - dest: /etc/login.defs + path: /etc/login.defs regexp: ^#?CREATE_HOME line: "CREATE_HOME {{ rhel7stig_login_defaults.create_home | default('yes') }}" when: @@ -2065,10 +2065,10 @@ - name: "MEDIUM | RHEL-07-021100 | PATCH | The Red Hat Enterprise Linux operating system must have cron logging implemented." ansible.builtin.lineinfile: path: /etc/rsyslog.conf - state: present regexp: '^cron\.\*[ \t]+/var/log/cron$' line: 'cron.* /var/log/cron' insertafter: '#### RULES ####' + state: present failed_when: - result is failed - result.rc != 257 
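Review bot: The cron-logging task's `failed_when` tests `result.rc != 257`, but `ansible.builtin.lineinfile` does not return an `rc`, so on a genuine failure (for example a missing `/etc/rsyslog.conf`) the conditional itself errors with an undefined-attribute message instead of a readable failure, and the meaning of 257 is undocumented. The `register:` for `result` sits outside the hunk, so I am inferring it names this task; if the intent is to tolerate an absent rsyslog.conf, guard with a stat-based `when:` and drop the rc test, and either way add a comment above `failed_when` explaining the special case.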
@@ -3167,7 +3167,7 @@ - name: "MEDIUM | RHEL-07-040110 | PATCH | The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?Ciphers" line: "Ciphers {{ rhel7stig_ssh_ciphers }}" validate: /usr/sbin/sshd -t -f %s @@ -3217,7 +3217,7 @@ - name: "MEDIUM | RHEL-07-040170 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?Banner" line: Banner /etc/issue validate: /usr/sbin/sshd -tf %s @@ -3385,7 +3385,7 @@ - name: "MEDIUM | RHEL-07-040330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?RhostsRSAAuthentication" line: RhostsRSAAuthentication no validate: /usr/sbin/sshd -t -f %s @@ -3427,7 +3427,7 @@ - name: "MEDIUM | RHEL-07-040350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '(?i)^#?\s*IgnoreRhosts' line: IgnoreRhosts yes validate: /usr/sbin/sshd -t -f %s @@ -3446,7 +3446,7 @@ - name: "MEDIUM | RHEL-07-040360 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?PrintLastLog" line: PrintLastLog yes validate: /usr/sbin/sshd -t -f %s 
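Review bot: RHEL-07-040110 writes `Ciphers {{ rhel7stig_ssh_ciphers }}` verbatim and nothing in this hunk constrains the variable, so a typo or a non-FIPS cipher in the inventory still passes `sshd -t` and the control is reported remediated; an `ansible.builtin.assert` that every entry of `rhel7stig_ssh_ciphers.split(',')` is in an approved list would catch that before the file is touched. As a style point, the Banner task on this same line validates with `/usr/sbin/sshd -tf %s` while the other sshd tasks use `-t -f %s`; both work, but one form makes a grep for the validate string find all of them. The tasks' `notify`/`when` continue past the hunks.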
@@ -3616,7 +3616,7 @@ - name: "MEDIUM | RHEL-07-040440 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?KerberosAuthentication" line: KerberosAuthentication no validate: /usr/sbin/sshd -t -f %s @@ -3639,7 +3639,7 @@ - name: "MEDIUM | RHEL-07-040450 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?StrictModes" line: StrictModes yes validate: /usr/sbin/sshd -t -f %s @@ -3658,7 +3658,7 @@ - name: "MEDIUM | RHEL-07-040460 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?UsePrivilegeSeparation" line: UsePrivilegeSeparation sandbox validate: /usr/sbin/sshd -t -f %s @@ -3677,7 +3677,7 @@ - name: "MEDIUM | RHEL-07-040470 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?Compression" line: Compression no validate: /usr/sbin/sshd -t -f %s From b66317ac27bbb29b26c5e47a7b90c63db63efac7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 10:12:19 +0000 Subject: [PATCH 119/126] lineinfile path and ordering Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 24 ++++++++++++------------ tasks/fix-cat3.yml | 10 +++++----- 2 files changed, 17 insertions(+), 17 deletions(-) 
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 0fa0c31a..68156f16 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -124,11 +124,11 @@ - name: "HIGH | RHEL-07-010300 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password." ansible.builtin.lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?PermitEmptyPasswords" line: PermitEmptyPasswords no validate: /usr/sbin/sshd -tf %s + state: present notify: restart sshd when: - rhel_07_010300 @@ -144,7 +144,7 @@ - name: "HIGH | RHEL-07-010440 | PATCH | The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface." ansible.builtin.lineinfile: - dest: /etc/gdm/custom.conf + path: /etc/gdm/custom.conf regexp: (?i)automaticloginenable line: AutomaticLoginEnable=false insertafter: '\[daemon\]' @@ -162,7 +162,7 @@ - name: "HIGH | RHEL-07-010450 | PATCH | The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system." ansible.builtin.lineinfile: - dest: /etc/gdm/custom.conf + path: /etc/gdm/custom.conf regexp: (?i)timedloginenable line: TimedLoginEnable=false insertafter: '\[daemon\]' @@ -184,10 +184,10 @@ - name: "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." ansible.builtin.lineinfile: path: /boot/grub2/user.cfg - create: true - mode: '0644' regexp: ^GRUB2_PASSWORD= line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} + create: true + mode: '0644' notify: - confirm grub2 user cfg - make grub2 config 
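Review bot: RHEL-07-010482 writes `GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }}` without `no_log: true`, while the UEFI variant in the next hunk has it, so on BIOS hosts the bootloader hash appears in verbose output, `--diff` output and any callback log; add `no_log: true` after `mode:` exactly as the UEFI task does. `mode: '0644'` also leaves the hash world-readable in `/boot/grub2/user.cfg`, which lets any local user take it away for offline cracking; as far as I recall `grub2-setpassword` creates that file 0600, so `mode: '0600'` would match the vendor default unless a later permissions task in the role resets it. The task's `notify` list continues past the hunk.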
@@ -198,10 +198,10 @@ - name: "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." ansible.builtin.lineinfile: path: "{{ rhel7stig_bootloader_path }}/user.cfg" - create: true - mode: '0644' regexp: ^GRUB2_PASSWORD= line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} + create: true + mode: '0644' no_log: true notify: - confirm grub2 user cfg @@ -265,7 +265,7 @@ - name: "HIGH | RHEL-07-020050 | PATCH | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." ansible.builtin.lineinfile: - dest: /etc/yum.conf + path: /etc/yum.conf regexp: ^gpgcheck line: gpgcheck=1 insertafter: '\[main\]' @@ -282,7 +282,7 @@ - name: "HIGH | RHEL-07-020060 | PATCH | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." ansible.builtin.lineinfile: - dest: /etc/yum.conf + path: /etc/yum.conf regexp: ^localpkg_gpgcheck line: localpkg_gpgcheck=1 insertafter: '\[main\]' @@ -393,7 +393,7 @@ - name: "HIGH | RHEL-07-021350 | PATCH | Disable prelinking." ansible.builtin.lineinfile: - dest: /etc/sysconfig/prelink + path: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no notify: undo existing prelinking 
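Review bot: Setting `gpgcheck=1` in `/etc/yum.conf` only fixes the `[main]` default; any file under `/etc/yum.repos.d/` that carries its own `gpgcheck=0` overrides it per repository, so a host can pass this task and still install unsigned packages. Unless another task covers the repo files (not visible in this chunk), follow this one with an `ansible.builtin.find` over `/etc/yum.repos.d` and an `ansible.builtin.replace` with `regexp: '^gpgcheck\s*=\s*0'` and `replace: 'gpgcheck=1'` on each result, or at least an audit that warns on such entries, and record the limitation in a comment above the task. The task's `when:` continues past the hunk.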
@@ -546,7 +546,7 @@ - name: "HIGH | RHEL-07-040390 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol." ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "(?i)^#?Protocol" line: Protocol 2 validate: /usr/sbin/sshd -t -f %s diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 43c9a28f..501158cc 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -21,7 +21,7 @@ - name: "LOW | RHEL-07-020200 | PATCH | The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed." ansible.builtin.lineinfile: - dest: /etc/yum.conf + path: /etc/yum.conf regexp: ^#?clean_requirements_on_remove line: clean_requirements_on_remove=1 insertafter: '\[main\]' @@ -195,11 +195,11 @@ - name: "LOW | RHEL-07-040000 | PATCH | The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types." ansible.builtin.lineinfile: - state: present - dest: /etc/security/limits.conf - insertbefore: '^# End of file' + path: /etc/security/limits.conf regexp: '^\*.*maxlogins' line: '* hard maxlogins {{ rhel7stig_maxlogins }}' + insertbefore: '^# End of file' + state: present when: - rhel_07_040000 tags: @@ -289,7 +289,7 @@ # Set resolv.conf if dns is set in nsswitch.conf - name: "LOW | RHEL-07-040600 | PATCH | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." ansible.builtin.lineinfile: - dest: /etc/resolv.conf + path: /etc/resolv.conf regexp: '^nameserver {{ item }}' line: nameserver {{ item }} insertafter: '^search' From e9365d7fb349c168424d6dfb4842e041d5301049 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 10:12:28 +0000 Subject: [PATCH 120/126] warning update 
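Review bot: `regexp: '^\*.*maxlogins'` also matches an existing `* soft maxlogins N` line, and lineinfile rewrites the last match, so a pre-existing soft limit is silently turned into the hard one rather than the hard limit being added alongside it; tighten it to `regexp: '^\*\s+hard\s+maxlogins'`. Drop-ins in `/etc/security/limits.d/*.conf` are read after limits.conf and can raise maxlogins again, which this task does not check; a find over that directory with a warning on matching lines would close the gap. The task's tag list continues past the hunk.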
Signed-off-by: Mark Bolwell --- tasks/audit_iptables.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/audit_iptables.yml b/tasks/audit_iptables.yml index cca47c0d..d478dfa6 100644 --- a/tasks/audit_iptables.yml +++ b/tasks/audit_iptables.yml @@ -34,7 +34,7 @@ - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." ansible.builtin.debug: - msg: "WARNING! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." + msg: "Warning!! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." changed_when: true when: - rhel_07_040810_iptables_audit.stdout_lines is not defined From eadd7e1cc66c9746c9c03d0406df84222766cd5e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 10:33:23 +0000 Subject: [PATCH 121/126] removed file not required Signed-off-by: Mark Bolwell --- tasks/audit_homedirperms.yml | 46 ------------------------------------ 1 file changed, 46 deletions(-) delete mode 100644 tasks/audit_homedirperms.yml diff --git a/tasks/audit_homedirperms.yml b/tasks/audit_homedirperms.yml deleted file mode 100644 index 1292a60a..00000000 --- a/tasks/audit_homedirperms.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -- name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - ansible.builtin.find: - paths: - - "{{ homedir }}" - recurse: true - file_type: any - register: rhel_07_020680_results - when: - - rhel_07_020680 - - rhel7stig_disruption_high - tags: - - RHEL-07-020680 - - complexity-high - -- name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - ansible.builtin.file: - path: "{{ line_item.path }}" - mode: 0640 - loop: "{{ rhel_07_020680_results.files }}" - loop_control: - label: "{{ line_item.path }}" - loop_var: line_item - when: - - rhel_07_020680_results.files.isreg is defined - - rhel_07_020710 - - rhel7stig_disruption_high - tags: - - RHEL-07-020680 - - complexity-high - -- name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - ansible.builtin.file: - path: "{{ line_item.path }}" - mode: 0750 - loop: "{{ rhel_07_020680_results.files }}" - loop_control: - label: "{{ line_item.path }}" - loop_var: line_item - when: - - rhel_07_020680_results.files.isdir is defined - - rhel_07_020680 - - rhel7stig_disruption_high - tags: - - RHEL-07-020680 - - complexity-high From 4e538eec3269b4142daeab62026657b27e284740 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Mar 2023 08:28:26 +0000 Subject: [PATCH 122/126] lint updated inline with galaxy 
Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 196 +++++++++--------- .github/workflows/update_galaxy.yml | 19 +- .yamllint | 42 ++-- 3 files changed, 124 insertions(+), 133 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 48e7eed3..f604e211 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -6,112 +6,106 @@ name: linux_benchmark_pipeline # Triggers the workflow on push or pull request # events but only for the devel branch on: - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
# This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - -### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false - -## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - -# Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - shell: bash - -# Set up requirements for random root password CIS 5.6.6 - - name: add urandom passwd to root account - shell: bash - run: | - ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" --private-key ${{ secrets.SSH_PRV_KEY }} -b - -# Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: 
.github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} -# verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - -# Remove test system - User secrets to keep if necessary + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest - - name: Terraform_Destroy - working-directory: .github/workflows - if: always() && env.ENABLE_DEBUG == 'false' env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false + ENABLE_DEBUG: false + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, + # so your job can access it + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + ### Build out the server + - name: Terraform_Init + working-directory: .github/workflows + run: terraform init + + - name: Terraform_Validate + working-directory: .github/workflows + run: terraform validate + + - name: Terraform_Apply + working-directory: .github/workflows + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - 
name: Sleep for 60 seconds + run: sleep 60s + shell: bash + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + working-directory: .github/workflows + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 5d41affe..951a53cb 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -7,14 +7,15 @@ name: update galaxy # Controls when the action will run. # Triggers the workflow on merge request events to the main branch on: - push: - branches: - - main + push: + branches: + - main jobs: update_role: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: hspaans/ansible-galaxy-action@master - with: - api_key: ${{ secrets.GALAXY_API_KEY }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: robertdebock/galaxy-action@master + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + git_branch: main diff --git a/.yamllint b/.yamllint index 4823010f..5dc8a985 100644 --- a/.yamllint +++ b/.yamllint 
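Review bot: This workflow still triggers on `pull_request_target` while checking out `github.event.pull_request.head.sha` and then handing `secrets.SSH_PRV_KEY` and the AWS keys to Terraform and to a `site.yml` taken from that checkout, so a pull request from a fork can edit the playbook or tfvars and run arbitrary code with those secrets. Gate the `build` job with `if: github.event.pull_request.head.repo.full_name == github.repository` or on a maintainer-applied label, or switch to `pull_request` with an approval step before any secret is exposed. Two smaller points in the same hunk: `echo $PRIVATE_KEY > .ssh/github_actions.pem` is unquoted, so the multi-line key is flattened onto one line (use `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem`), and the rewrite drops the `add urandom passwd to root account` step and swaps the `-var-file` order on `terraform apply` (later files override earlier ones), neither of which is a lint change and both of which should be called out in the commit message.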
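Review bot: `robertdebock/galaxy-action@master` is a third-party action referenced by a mutable branch and it receives `secrets.GALAXY_API_KEY`, so a compromise of that repository runs with the publishing key. Pin it to a full commit SHA, `uses: robertdebock/galaxy-action@<sha> # vX.Y.Z`, pin `actions/checkout` the same way, and mention the swap from `hspaans/ansible-galaxy-action` (whose input was `api_key`) in the commit message, since a "lint" commit is not where a reader expects a new publishing dependency.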
@@ -1,29 +1,25 @@
 ---
-ignore: |
- tests/
- molecule/
- .github/
- .gitlab-ci.yml
- *molecule.yml
-
+# Based on ansible-lint config
 extends: default
 rules:
- braces:
- max-spaces-inside: 1
- level: error
- brackets:
- max-spaces-inside: 1
- level: error
+ braces: {max-spaces-inside: 1, level: error}
+ brackets: {max-spaces-inside: 1, level: error}
+ colons: {max-spaces-after: -1, level: error}
+ commas: {max-spaces-after: -1, level: error}
+ comments: disable
+ comments-indentation: disable
+ document-start: disable
+ empty-lines: {max: 3, level: error}
+ hyphens: {level: error}
 indentation:
- indent-sequences: consistent
- level: error
- line-length: disable
+ # Requiring 4 space indentation
+ spaces: 4
+ # Requiring consistent indentation within a file, either indented or not
+ indent-sequences: consistent
 key-duplicates: enable
- new-line-at-end-of-file: enable
- new-lines:
- type: unix
- trailing-spaces: enable
- truthy:
- allowed-values: ['true', 'false']
- check-keys: true
+ line-length: disable
+ new-line-at-end-of-file: disable
+ new-lines: {type: unix}
+ trailing-spaces: disable
+ truthy: disable
From cdd4f7b291923ca3353d3cfb388784d49c7eec27 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 22 Mar 2023 09:43:30 +0000
Subject: [PATCH 123/126] Added nice to have lint
Signed-off-by: Mark Bolwell
---
 .yamllint | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/.yamllint b/.yamllint
index 5dc8a985..72ac645b 100644
--- a/.yamllint
+++ b/.yamllint
@@ -19,7 +19,10 @@ rules:
 indent-sequences: consistent
 key-duplicates: enable
 line-length: disable
- new-line-at-end-of-file: disable
- new-lines: {type: unix}
- trailing-spaces: disable
- truthy: disable
+ new-line-at-end-of-file: enable
+ new-lines:
+ type: unix
+ trailing-spaces: enable
+ truthy:
+ allowed-values: ['true', 'false']
+ check-keys: true
From 469aa805982a6188bf50957d9dfbdc88f639896f Mon Sep 17 00:00:00 2001
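Review bot: The rules re-enabled in the `@@ -19,7 +19,10 @@` hunk are written as block mappings (`new-lines:` / `type: unix`, `truthy:` / `allowed-values` / `check-keys`) while the sibling one-line rules introduced by the `@@ -1,29 +1,25 @@` hunk use flow mappings (`braces: {max-spaces-inside: 1, level: error}` and so on), and `new-lines` itself flips from `{type: unix}` to block form between the two commits. Either form is valid, but one convention inside `rules:` reads better and diffs more predictably; for these one-liners `new-lines: {type: unix}` and `truthy: {allowed-values: ['true', 'false'], check-keys: true}` would match the rest of the file. If the re-enabled rules go beyond the base the `# Based on ansible-lint config` header refers to, a short comment naming which rules were tightened would save the next reader a comparison.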
From: Mark Bolwell
Date: Wed, 22 Mar 2023 09:43:54 +0000
Subject: [PATCH 124/126] Added yamllint skip for github actions
Signed-off-by: Mark Bolwell
---
 .github/workflows/linux_benchmark_testing.yml | 4 ++--
 .github/workflows/update_galaxy.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
index f604e211..591617f2 100644
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@@ -5,7 +5,7 @@ name: linux_benchmark_pipeline
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
 # events but only for the devel branch
-on:
+on: # yamllint disable-line rule:truthy
 pull_request_target:
 types: [opened, reopened, synchronize]
 branches:
@@ -42,7 +42,7 @@ jobs:
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
- # Checks-out your repository under $GITHUB_WORKSPACE,
+ # Checks-out your repository under $GITHUB_WORKSPACE,
 # so your job can access it
 - uses: actions/checkout@v3
 with:
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
index 951a53cb..2052b0a8 100644
--- a/.github/workflows/update_galaxy.yml
+++ b/.github/workflows/update_galaxy.yml
@@ -6,7 +6,7 @@ name: update galaxy
 # Controls when the action will run.
 # Triggers the workflow on merge request events to the main branch
-on:
+on: # yamllint disable-line rule:truthy
 push:
 branches:
 - main
From ed7121b4d218817a2463f7855d6a12e8973d0d74 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 22 Mar 2023 09:44:41 +0000
Subject: [PATCH 125/126] updated
Signed-off-by: Mark Bolwell
---
 ChangeLog.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ChangeLog.md b/ChangeLog.md
index c740f3f8..b079e758 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,5 +1,9 @@
 # Changelog
+## 2.0.1
+
+update lint inline with galaxy requirements
+
 ## Release 2.0.0
 Lint work
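Review bot: The `on:` line kept by the first `linux_benchmark_testing.yml` hunk triggers on `pull_request_target`, which runs in the base repository's context with its secrets, and the earlier hunk of this file shown above checks out `ref: ${{ github.event.pull_request.head.sha }}` and then runs `terraform apply`, `Run_Ansible_Playbook` and `terraform destroy` with `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `SSH_PRV_KEY`. In that combination, content from an unreviewed fork pull request is executed with those credentials as soon as the PR is opened or synchronized, which the lint directive added here leaves unchanged. Consider gating the job behind a GitHub `environment:` with required reviewers so secrets are released only after a maintainer looks at the PR, or moving the untrusted checkout into a `pull_request`-triggered job that holds no secrets. A comment on the trigger should record the trust boundary, e.g. `# pull_request_target runs with repository secrets; the job is gated by the <environment-name> environment` (placeholder) once such a gate is in place.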
From a850083151647a058522acc7c7ecd6e6efd9bd5e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 22 Mar 2023 09:47:35 +0000
Subject: [PATCH 126/126] updated
Signed-off-by: Mark Bolwell
---
 ChangeLog.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ChangeLog.md b/ChangeLog.md
index b079e758..8112b081 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -3,6 +3,9 @@
 ## 2.0.1
 update lint inline with galaxy requirements
+lint
+goss version
+goss url
 ## Release 2.0.0