* Remove templates that are no longer used

* Increase default min password length to 15

* Add pam tag to tasks

* Update README

* Use variable for graphical login banner
samdoran authored Feb 3, 2017
1 parent a923921 commit 04ea5d5
Showing 10 changed files with 40 additions and 361 deletions.
4 changes: 2 additions & 2 deletions LICENSE
@@ -1,6 +1,6 @@
The MIT License

Copyright (c) 2015 MindPoint Group http://www.mindpointgroup.com
Copyright (c) 2017 MindPoint Group http://www.mindpointgroup.com

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
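Review bot: Replacing `2015` with `2017` in the copyright line drops the year the work was first published; the usual form is a range, `Copyright (c) 2015-2017 MindPoint Group http://www.mindpointgroup.com`, which keeps the original date on record while adding the current one.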
@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
THE SOFTWARE.
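Review bot: The only visible difference in this hunk is the final `THE SOFTWARE.` line, so the change is whitespace-only (most likely the trailing newline). Harmless, but none of the commit message bullets covers a LICENSE edit, so it is worth a mention there.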
37 changes: 20 additions & 17 deletions README.md
@@ -8,11 +8,11 @@ Not all findings can be remediated automatically, or they require more complex a

This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted, though auditing functionality is in the works.

## IMPORTANT INSTALL STEP ##
## Installing from Ansible Galaxy ##

To install this role with `ansible-galaxy` use the following command:

`ansible-galaxy install -p roles nousdefions.STIG-RHEL6,$TAG` Where `$TAG` represents a git tag of this repo, for example `v0.9`
`ansible-galaxy install -p roles nousdefions.STIG-RHEL6`

Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 6 - 2015-01-23](http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx).

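Review bot: Dropping `,$TAG` from the `ansible-galaxy install` command removes the README's only guidance on pinning a release; for a role that states it "will make changes to the system that could break things", an unpinned install means the remediation logic can change between runs without anyone choosing to upgrade. Keep the simplified command, but add a sentence such as "to install a specific release, append `,<tag>` to the role name, for example `nousdefions.STIG-RHEL6,v0.9`" so the pinning option stays documented.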
@@ -25,22 +25,23 @@ You should have a general understanding of the nature of the changes this role w

Role Variables
--------------
There are many role variables defined in defaults/main.yml. Here are the most important ones. Feel free to look through `defaults/main.yml` to see what other configuration options are available.
There are many role variables defined in `defaults/main.yml`. Here are the most important ones. Feel free to look through `defaults/main.yml` to see what other configuration options are available.

| Name | Default Value | Description |
|-------------------|---------------------|----------------------|
| `rhel6stig_cat1` | `yes` | Correct CAT I findings |
| `rhel6stig_cat2` | `no` | Correct CAT II findings |
| `rhel6stig_cat3` | `no` | Correct CAT III findings |
| `rhel6stig_cat1` | `yes` | Correct CAT I findings |
| `rhel6stig_cat2` | `no` | Correct CAT II findings |
| `rhel6stig_cat3` | `no` | Correct CAT III findings |
| `rhel6stig_use_dhcp` | `yes` | Whether the system should use DHCP or Static IPs. |
| `rhel6stig_system_is_router` | `no` | Whether on not the target system is acting as a router. Disables settings that would break the system if it is a acting as a router |
| `rhel6stig_system_is_router` | `no` | Whether on not the target system is acting as a router. Skips tasks that would break the system if it is a acting as a router |
| `rhel6stig_root_email_address` | `[email protected]` | Address where system email is sent. |
| `rhel6stig_xwindows_required` | `no` | Whether or not X Windows is is use on taregt systems. Disables some changes if X Windows is not in use. |
| `rhel6stig_ipv6_in_use` | `no` | Whether or not ipv6 is in use of the target system. This is set automatically to 'yes' if ipv6 is found to be in use. (Default: false) |
| `rhel6stig_xwindows_required` | `no` | Whether or not X Windows is is use on target systems. Disables some changes if X Windows is not in use. |
| `rhel6stig_ipv6_in_use` | `no` | Whether or not IPv6 is in use of the target system. This is set automatically to `yes` if IPv6 is found to be in use. (Default: `no`) |
| `rhel6stig_tftp_required` | `no` | Whether or not TFTP is required. If set to `yes`, this will prevent the removal of `tftp` and `tftp-server` packages. It will also reconfigure the `tftp-server` to run securely. |
| `rhel6stig_rhnsatellite_required` | `no` | Whether or not Red Hat Satellite is required in the environment. If not required, `rhnsd` will be stopped and disabled. |
| `rhel6stig_bootloader_password` | [Randomly generated and encrypted string] | The new grub password to use if `rhel6stig_change_grub_password` is **True** |
| `rhel6stig_bootloader_password` | [Randomly generated and encrypted string] | The new GRUB password to use if `rhel6stig_change_grub_password` is `yes` |
| `rhel6stig_update_all_packages` | `yes` | Whether to install all system updates. |
| `rhel6stig_login_banner` | `[DOD banner]` | Banner used in `/etc/issue` and `/etc/issue.net` |


Dependencies
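Review bot: Several rewritten table rows still carry wording errors: the `rhel6stig_system_is_router` row reads "Whether on not ... if it is a acting as a router", the `rhel6stig_xwindows_required` row reads "is is use on target systems" (should be "in use"), and the `rhel6stig_ipv6_in_use` row says "in use of the target system" (should be "on"). Separately, this commit adds `rhel6stig_graphical_login_banner` to `defaults/main.yml`, yet the table only gains a row for `rhel6stig_login_banner`; add a row for the graphical variable so operators know the GDM banner is overridable as well.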
@@ -61,11 +62,13 @@ Correct CAT I and CAT II findings but don't apply all updates.
rhel6stig_update_all_packages: no

roles:
- { role: nousdefions.STIG-RHEL6,
rhel6stig_cat1: yes,
rhel6stig_cat2: yes,
rhel6stig_cat3: no
}
- role: nousdefions.STIG-RHEL6
rhel6stig_cat1: yes
rhel6stig_cat2: yes
rhel6stig_cat3: no
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version | version_compare('6', '=')
```
Prompt for the GRUB password.
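Review bot: The new `when:` list on the role entry is a useful guard against applying RHEL 6 remediations to other hosts, but the surrounding text ("Correct CAT I and CAT II findings but don't apply all updates") does not mention it. Add a sentence explaining that the two conditions restrict the role to RHEL-family hosts at major version 6, and that a `when:` on a role entry is evaluated for every task the role runs, so it also fits playbooks whose inventory mixes releases.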
@@ -97,11 +100,11 @@ Tags
----
Each task is tagged with its category, severity, whether or not it is a patch or audit task, and the finding ID, e.g., V-38462. In addition to these four basic tags that all tasks have, there are human-friendly tags such as "ssh" or "dod_logon_banner".
A number of prilimary tasks that do things such as enumerate services on the system and check for the existence of various file will _always_ run unless explicitly skipped by using `--skip tags prelim_tasks`.
A number of preliminary tasks that do things such as enumerate services on the system and check for the existence of various file will _always_ run unless explicitly skipped by using `--skip tags prelim_tasks`.

Some examples of using tags:

# Only remediate ssh
# Only run tasks that secure ssh
ansible-playbook site.yml --tags ssh

# Don't change SNMP or postfix
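Review bot: The skip flag in the rewritten sentence is still wrong: `--skip tags prelim_tasks` should be `--skip-tags prelim_tasks` (hyphenated), otherwise `ansible-playbook` treats `tags` as a playbook argument; the same line also has "various file" for "various files", and only "prilimary" was corrected. The context line above it still offers `dod_logon_banner` as an example tag, which this commit renames to `dod_login_banner` in `tasks/cat2.yml`, so that example needs updating in the same change.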
4 changes: 3 additions & 1 deletion defaults/main.yml
@@ -8,7 +8,7 @@ rhel6stig_cat3: no

# Changing system defaults
rhel6stig_snmp_community: B0re4lis
rhel6stig_pass_min_length: 14
rhel6stig_pass_min_length: 15
rhel6stig_pass_min_days: 1
rhel6stig_pass_max_days: 60
rhel6stig_pass_reuse: 5 # V-38658 Number of passwords to remember to prevent reuse.
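Review bot: Raising `rhel6stig_pass_min_length` from 14 to 15 goes above the 14-character minimum the RHEL 6 STIG requires for this control, and neither the commit message nor the file says why; add an inline comment (in the style of the one on `rhel6stig_pass_reuse`) giving the rationale so operators know whether setting it back to 14 would still be compliant. While here, the context line `rhel6stig_snmp_community: B0re4lis` ships a fixed SNMP community string as a default; a hardening role should leave this undefined so each deployment must supply its own value rather than inherit one published in the repository.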
@@ -163,3 +163,5 @@ rhel6stig_login_banner: |
* ASSISTANTS. SUCH COMMUNICATIONS AND WORK PRODUCT ARE PRIVATE AND *
* CONFIDENTIAL. SEE USER AGREEMENT FOR DETAILS. *
*******************************************************************************
rhel6stig_graphical_login_banner: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
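Review bot: `rhel6stig_graphical_login_banner` repeats the full text of `rhel6stig_login_banner` (the block scalar directly above) as a second, independently maintained string, so a site that overrides one banner must remember to override the other or the console and GDM banners will diverge. At minimum add a comment on both variables saying they must be kept in step, and document the new one in the README. Style point: writing the value as a folded scalar (`>-`) keeps exactly the same single-line string while making the entry readable and diffable instead of one thousand-character line.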
21 changes: 11 additions & 10 deletions tasks/cat2.yml
@@ -2100,12 +2100,12 @@
- medium
- V-38593
- logon_settings
- dod_logon_banner
- dod_login_banner
- audit

- name: "MEDIUM | V-38593 | PATCH | The Department of Defense (DoD) login banner must be displayed immediately prior to or as part of console login prompts"
template:
src: issue.j2
copy:
content: "{{ rhel6stig_login_banner }}"
dest: /etc/{{ item }}
owner: root
group: root
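Review bot: Renaming the tag `dod_logon_banner` to `dod_login_banner` breaks any existing invocation that uses `--tags dod_logon_banner`, and the README on this page still cites `dod_logon_banner` as an example tag; either carry both tags for a release or update the README in this commit. The move from `template: src: issue.j2` to `copy: content: "{{ rhel6stig_login_banner }}"` is sound given the template is being removed, but note that the variable is a `|` block scalar, so the written file ends with a newline; if the old template did not, `/etc/issue` and `/etc/issue.net` will report `changed` on the first run after upgrading.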
@@ -2119,7 +2119,7 @@
- medium
- V-38593
- logon_settings
- dod_logon_banner
- dod_login_banner
- patch

# Not automated
@@ -2195,7 +2195,7 @@
- medium
- V-38599
- vsftp
- dod_logon_banner
- dod_login_banner
- logon_settings
- audit

@@ -2213,7 +2213,7 @@
- medium
- V-38599
- vsftp
- dod_logon_banner
- dod_login_banner
- logon_settings
- patch

@@ -2515,7 +2515,7 @@
- V-38615
- sshd
- logon_settings
- dod_logon_banner
- dod_login_banner

- name: "MEDIUM | V-38617 | AUDIT | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers."
command: grep Ciphers /etc/ssh/sshd_config
@@ -3213,7 +3213,7 @@
- scif_banner

- name: "MEDIUM | V-38689 | PATCH | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts"
command: "gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text ' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'"
command: "gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text ' {{ rhel6stig_graphical_login_banner }}'"
when: rhel6stig_xwindows_required
notify: restart gdm
tags:
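Review bot: The `command:` line now interpolates a user-overridable variable inside hand-placed single quotes (`' {{ rhel6stig_graphical_login_banner }}'`); the `command` module splits its argument string itself, so an override that contains a single quote breaks the split and the banner is set to a truncated value or the task fails. Use `{{ rhel6stig_graphical_login_banner | quote }}` in place of the manual quoting, and drop the stray leading space inside the quotes, which was carried over from the old literal and now prefixes the banner.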
@@ -3222,11 +3222,11 @@
- logon_settings
- xwindows
- gui
- dod_logon_banner
- dod_login_banner
- patch

- name: "MEDIUM | V-38689 | PATCH | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts"
command: "gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text ' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'"
command: "gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text ' {{ rhel6stig_graphical_login_banner }}'"
when: rhel6stig_xwindows_required
notify: restart gdm
tags:
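Review bot: This task has the same name and the same `command:` as the V-38689 PATCH task in the hunk above, and both notify `restart gdm`; if the two differ only in their tags (not visible in this diff), fold them into a single task, since both now write the identical `banner_message_text` value and the second run is redundant work.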
@@ -3320,6 +3320,7 @@
- V-51875
- pam
- patch
- pam

- name: 'MEDIUM | V-51391 | AUDIT | A file integrity baseline must be created.'
stat:
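Review bot: The added `- pam` tag duplicates the `- pam` already present two lines above in the same `tags:` list for V-51875 (the header shows the list growing by one line, and `pam` now appears twice). Drop the new line; Ansible tolerates the duplicate, but it is noise and suggests the "Add pam tag to tasks" pass was not checked against tags the tasks already had.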
7 changes: 4 additions & 3 deletions tasks/cat3.yml
@@ -17,7 +17,7 @@
name: autofs
state: stopped
enabled: no
when: "':on' in autofs_service_audit.stdout"
when: "'autofs' in sysv_services.stdout"
tags:
- cat3
- low
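Review bot: The new condition `'autofs' in sysv_services.stdout` changes what triggers the stop/disable: the old check `':on' in autofs_service_audit.stdout` fired only when autofs was enabled at some runlevel, whereas the new one fires whenever the service name appears in the registered service listing (presumably produced by a preliminary task), enabled or not. The task stays idempotent with `state: stopped` and `enabled: no`, but a plain substring test would also match any other service whose name contains `autofs`; matching the registered chkconfig output for `autofs` followed by `:on` would keep the previous precision while still using the shared listing.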
@@ -357,6 +357,7 @@
- V-38693
- passwords
- patch
- pam

- name: "LOW | V-38487 | AUDIT | The system package management tool must cryptographically verify the authenticity of all software packages during installation."
command: find /etc/yum.repos.d/ -exec grep -ls '^gpgcheck=0' {} \;
@@ -2057,7 +2058,7 @@
- cat3
- low
- V-38684
- logon_settings
- login_settings
- audit

- name: "LOW | V-38684 | PATCH | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements."
@@ -2071,7 +2072,7 @@
- cat3
- low
- V-38684
- logon_settings
- login_settings
- patch

- name: "LOW | V-38685 | AUDIT | Temporary accounts must be provisioned with an expiration date."