From 04ea5d52d47e54ee8394576501d60b51e3dcea13 Mon Sep 17 00:00:00 2001
From: Sam Doran
Date: Thu, 2 Feb 2017 23:32:03 -0500
Subject: [PATCH] Merge PR (#104)

* Remove templates that are no longer used
* Increase default min password length to 15
* Add pam tag to tasks
* Update README
Use variable for graphical login banner
---
 LICENSE | 4 +-
 README.md | 37 +++---
 defaults/main.yml | 4 +-
 tasks/cat2.yml | 21 ++--
 tasks/cat3.yml | 7 +-
 templates/audit.rules.j2 | 237 -------------------------------------
 templates/auditd.conf.j2 | 31 -----
 templates/issue.j2 | 1 -
 templates/password-auth.j2 | 29 -----
 templates/system-auth.j2 | 30 -----
 10 files changed, 40 insertions(+), 361 deletions(-)
 delete mode 100644 templates/audit.rules.j2
 delete mode 100644 templates/auditd.conf.j2
 delete mode 100644 templates/issue.j2
 delete mode 100644 templates/password-auth.j2
 delete mode 100644 templates/system-auth.j2

diff --git a/LICENSE b/LICENSE
index 1dcee63..ee34df4 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 The MIT License
 
-Copyright (c) 2015 MindPoint Group http://www.mindpointgroup.com
+Copyright (c) 2017 MindPoint Group http://www.mindpointgroup.com
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
\ No newline at end of file
+THE SOFTWARE.
diff --git a/README.md b/README.md
index d53dd39..2aa9bda 100644
--- a/README.md
+++ b/README.md
@@ -8,11 +8,11 @@ Not all findings can be remediated automatically, or they require more complex a This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted, though auditing functionality is in the works. -## IMPORTANT INSTALL STEP ## +## Installing from Ansible Galaxy ## To install this role with `ansible-galaxy` use the following command: -`ansible-galaxy install -p roles nousdefions.STIG-RHEL6,$TAG` Where `$TAG` represents a git tag of this repo, for example `v0.9` +`ansible-galaxy install -p roles nousdefions.STIG-RHEL6` Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 6 - 2015-01-23](http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx). 
@@ -25,22 +25,23 @@ You should have a general understanding of the nature of the changes this role w Role Variables -------------- -There are many role variables defined in defaults/main.yml. Here are the most important ones. Feel free to look through `defaults/main.yml` to see what other configuration options are available. +There are many role variables defined in `defaults/main.yml`. Here are the most important ones. Feel free to look through `defaults/main.yml` to see what other configuration options are available. | Name | Default Value | Description | |-------------------|---------------------|----------------------| -| `rhel6stig_cat1` | `yes` | Correct CAT I findings | -| `rhel6stig_cat2` | `no` | Correct CAT II findings | -| `rhel6stig_cat3` | `no` | Correct CAT III findings | +| `rhel6stig_cat1` | `yes` | Correct CAT I findings | +| `rhel6stig_cat2` | `no` | Correct CAT II findings | +| `rhel6stig_cat3` | `no` | Correct CAT III findings | | `rhel6stig_use_dhcp` | `yes` | Whether the system should use DHCP or Static IPs. | -| `rhel6stig_system_is_router` | `no` | Whether on not the target system is acting as a router. Disables settings that would break the system if it is a acting as a router | +| `rhel6stig_system_is_router` | `no` | Whether on not the target system is acting as a router. Skips tasks that would break the system if it is a acting as a router | | `rhel6stig_root_email_address` | `foo@baz.com` | Address where system email is sent. | -| `rhel6stig_xwindows_required` | `no` | Whether or not X Windows is is use on taregt systems. Disables some changes if X Windows is not in use. | -| `rhel6stig_ipv6_in_use` | `no` | Whether or not ipv6 is in use of the target system. This is set automatically to 'yes' if ipv6 is found to be in use. (Default: false) | +| `rhel6stig_xwindows_required` | `no` | Whether or not X Windows is is use on target systems. Disables some changes if X Windows is not in use. 
| +| `rhel6stig_ipv6_in_use` | `no` | Whether or not IPv6 is in use of the target system. This is set automatically to `yes` if IPv6 is found to be in use. (Default: `no`) | | `rhel6stig_tftp_required` | `no` | Whether or not TFTP is required. If set to `yes`, this will prevent the removal of `tftp` and `tftp-server` packages. It will also reconfigure the `tftp-server` to run securely. | | `rhel6stig_rhnsatellite_required` | `no` | Whether or not Red Hat Satellite is required in the environment. If not required, `rhnsd` will be stopped and disabled. | -| `rhel6stig_bootloader_password` | [Randomly generated and encrypted string] | The new grub password to use if `rhel6stig_change_grub_password` is **True** | +| `rhel6stig_bootloader_password` | [Randomly generated and encrypted string] | The new GRUB password to use if `rhel6stig_change_grub_password` is `yes` | | `rhel6stig_update_all_packages` | `yes` | Whether to install all system updates. | +| `rhel6stig_login_banner` | `[DOD banner]` | Banner used in `/etc/issue` and `/etc/issue.net` | Dependencies @@ -61,11 +62,13 @@ Correct CAT I and CAT II findings but don't apply all updates. rhel6stig_update_all_packages: no roles: - - { role: nousdefions.STIG-RHEL6, - rhel6stig_cat1: yes, - rhel6stig_cat2: yes, - rhel6stig_cat3: no - } + - role: nousdefions.STIG-RHEL6 + rhel6stig_cat1: yes + rhel6stig_cat2: yes + rhel6stig_cat3: no + when: + - ansible_os_family == 'RedHat' + - ansible_distribution_major_version | version_compare('6', '=') ``` Prompt for the GRUB password. 
@@ -97,11 +100,11 @@ Tags ---- Each task is tagged with its category, severity, whether or not it is a patch or audit task, and the finding ID, e.g., V-38462. In addition to these four basic tags that all tasks have, there are human-friendly tags such as "ssh" or "dod_logon_banner". -A number of prilimary tasks that do things such as enumerate services on the system and check for the existence of various file will _always_ run unless explicitly skipped by using `--skip tags prelim_tasks`. +A number of preliminary tasks that do things such as enumerate services on the system and check for the existence of various file will _always_ run unless explicitly skipped by using `--skip tags prelim_tasks`. Some examples of using tags: - # Only remediate ssh + # Only run tasks that secure ssh ansible-playbook site.yml --tags ssh # Don't change SNMP or postfix
diff --git a/defaults/main.yml b/defaults/main.yml
index bd25969..c37e1d4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,7 +8,7 @@ rhel6stig_cat3: no
 
 # Changing system defaults
 rhel6stig_snmp_community: B0re4lis
-rhel6stig_pass_min_length: 14
+rhel6stig_pass_min_length: 15
 rhel6stig_pass_min_days: 1
 rhel6stig_pass_max_days: 60
 rhel6stig_pass_reuse: 5 # V-38658 Number of passwords to remember to prevent reuse.
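Review bot: `rhel6stig_pass_min_length: 15` moves the default above the 14 the previous value set (which is the minimum the RHEL 6 STIG states), and nothing in the hunk says why. Presumably the extra character compensates for pam_cracklib's `minlen` counting character-class credits rather than raw length, so that 14 real characters are actually enforced; if that is the reason it belongs next to the value, e.g. `rhel6stig_pass_min_length: 15 # STIG minimum is 14; +1 because pam_cracklib minlen includes class credits`, otherwise the next maintainer will "correct" it back to 14. Where the variable is consumed is outside this hunk, so that interaction is inferred, not verified. The README table in this commit does not list the variable either, so the documented behaviour and the default now disagree silently.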
@@ -163,3 +163,5 @@ rhel6stig_login_banner: |
 * ASSISTANTS. SUCH COMMUNICATIONS AND WORK PRODUCT ARE PRIVATE AND *
 * CONFIDENTIAL. SEE USER AGREEMENT FOR DETAILS. *
 *******************************************************************************
+
+rhel6stig_graphical_login_banner: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
diff --git a/tasks/cat2.yml b/tasks/cat2.yml
index e11ca61..0237215 100644
--- a/tasks/cat2.yml
+++ b/tasks/cat2.yml
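Review bot: `rhel6stig_graphical_login_banner` is a second, hand-flattened copy of the text held in `rhel6stig_login_banner` directly above it, so an operator who overrides the console banner will still get the DoD text on the GDM greeter unless they know to override both, and the two copies can drift independently. A comment on the new variable should state that relationship and its consumer, e.g. `# Single-line form of rhel6stig_login_banner, passed to gconftool-2 for the GDM greeter (V-38689); override both or keep them in sync`. The README row added in this commit documents only `rhel6stig_login_banner`; the graphical variable needs a row as well.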
@@ -2100,12 +2100,12 @@ - medium - V-38593 - logon_settings - - dod_logon_banner + - dod_login_banner - audit - name: "MEDIUM | V-38593 | PATCH | The Department of Defense (DoD) login banner must be displayed immediately prior to or as part of console login prompts" - template: - src: issue.j2 + copy: + content: "{{ rhel6stig_login_banner }}" dest: /etc/{{ item }} owner: root group: root @@ -2119,7 +2119,7 @@ - medium - V-38593 - logon_settings - - dod_logon_banner + - dod_login_banner - patch # Not automated @@ -2195,7 +2195,7 @@ - medium - V-38599 - vsftp - - dod_logon_banner + - dod_login_banner - logon_settings - audit @@ -2213,7 +2213,7 @@ - medium - V-38599 - vsftp - - dod_logon_banner + - dod_login_banner - logon_settings - patch @@ -2515,7 +2515,7 @@ - V-38615 - sshd - logon_settings - - dod_logon_banner + - dod_login_banner - name: "MEDIUM | V-38617 | AUDIT | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers." command: grep Ciphers /etc/ssh/sshd_config 
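Review bot: Renaming the tag `dod_logon_banner` to `dod_login_banner` (this hunk, the four cat2 hunks that follow it, and the V-38689 tasks later in the file) silently breaks any existing `--tags dod_logon_banner` invocation, and the README hunk in this same commit still advertises `dod_logon_banner` as an example tag. Either list both spellings on these tasks for a transition release (`- dod_logon_banner` kept alongside `- dod_login_banner`) or update the README sentence and call out the rename in the commit message. The switch from `template: src: issue.j2` to `copy: content: "{{ rhel6stig_login_banner }}"` is equivalent only because the deleted template held nothing but that expression, which is worth a one-line note since the block scalar's trailing newline now comes straight from the variable; the task's remaining parameters continue outside the hunk.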
@@ -3213,7 +3213,7 @@ - scif_banner - name: "MEDIUM | V-38689 | PATCH | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts" - command: "gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text ' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'" + command: "gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text ' {{ rhel6stig_graphical_login_banner }}'" when: rhel6stig_xwindows_required notify: restart gdm tags: 
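Review bot: The new `command:` line wraps `{{ rhel6stig_graphical_login_banner }}` in literal single quotes, so any override of that variable containing an apostrophe (a site banner with "Government's", say) yields an unbalanced quote and the task fails at argument parsing; `command` does not go through a shell, so this is a parse failure rather than an injection, but it still stops the run. Use Ansible's `quote` filter instead of hand quoting: `--set /apps/gdm/simple-greeter/banner_message_text {{ rhel6stig_graphical_login_banner | quote }}`. The leading space inside the quotes, carried over from the old literal, looks accidental and should be dropped or given a comment. The second V-38689 task in the next hunk has the identical line and needs the same change.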
@@ -3222,11 +3222,11 @@ - logon_settings - xwindows - gui - - dod_logon_banner + - dod_login_banner - patch - name: "MEDIUM | V-38689 | PATCH | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts" - command: "gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text ' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.'" + command: "gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text ' {{ rhel6stig_graphical_login_banner }}'" when: rhel6stig_xwindows_required notify: restart gdm tags: @@ -3320,6 +3320,7 @@ - V-51875 - pam - patch + - pam - name: 'MEDIUM | V-51391 | AUDIT | A file integrity baseline must be created.' stat: diff --git a/tasks/cat3.yml b/tasks/cat3.yml index 0847b7f..4c0eb14 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml @@ -17,7 +17,7 @@ name: autofs state: stopped enabled: no - when: "':on' in autofs_service_audit.stdout" + when: "'autofs' in sysv_services.stdout" tags: - cat3 - low @@ -357,6 +357,7 @@ - V-38693 - passwords - patch + - pam - name: "LOW | V-38487 | AUDIT | The system package management tool must cryptographically verify the authenticity of all software packages during installation." command: find /etc/yum.repos.d/ -exec grep -ls '^gpgcheck=0' {} \; @@ -2057,7 +2058,7 @@ - cat3 - low - V-38684 - - logon_settings + - login_settings - audit - name: "LOW | V-38684 | PATCH | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements." @@ -2071,7 +2072,7 @@ - cat3 - low - V-38684 - - logon_settings + - login_settings - patch - name: "LOW | V-38685 | AUDIT | Temporary accounts must be provisioned with an expiration date." diff --git a/templates/audit.rules.j2 b/templates/audit.rules.j2 deleted file mode 100644 index e85360c..0000000 --- a/templates/audit.rules.j2 +++ /dev/null 
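Review bot: The `- pam` tag added to the V-51875 task is already present in that task's tag list (the hunk's context shows `- pam` two lines above `- patch`), so the task now carries `pam` twice. Drop the added line; the duplicate is harmless to `--tags` matching but reads as an unfinished edit. The other `- pam` addition in this commit (V-38693 in tasks/cat3.yml) is on a task that did not already have it and is fine.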
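Review bot: `when: "'autofs' in sysv_services.stdout"` is a substring test over the whole service listing, so it fires whenever autofs is listed at all, whereas the removed `':on' in autofs_service_audit.stdout` fired only when it was enabled in some runlevel. Because `service: state=stopped enabled=no` is idempotent the practical effect is extra `ok` results rather than a wrong action, but the condition now answers "installed?" instead of "enabled?", and a comment such as `# guard: the service module fails if autofs is not installed at all` would make the intent clear. `sysv_services` is presumably registered by the prelim tasks, which the README says can be skipped with `--skip-tags prelim_tasks`; that registration is outside the hunk, so confirm the task still behaves when it is undefined.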
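Review bot: Renaming the V-38684 tags from `logon_settings` to `login_settings` (this hunk and the next) diverges from tasks/cat2.yml, where `logon_settings` is left untouched as context in every banner hunk of this same commit, so `--tags logon_settings` no longer reaches the simultaneous-login limit while `--tags login_settings` reaches nothing in cat2. Pick one spelling across both files, or list both tags on these two tasks for a transition release, e.g. `- logon_settings` kept next to `- login_settings`.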
@@ -1,237 +0,0 @@ -# DISA STIG Audit Rules -# {{ ansible_managed }} -## Add keys to the audit rules below using the -k option to allow for more -## organized and quicker searches with the ausearch tool. See auditctl(8) -## and ausearch(8) for more information. - -# Remove any existing rules --D - -# Increase kernel buffer size --b 8192 - -# Failure of auditd can cause a kernel panic (2) or stops auditing (1) --f {{ rhel6stig_auditd_config['auditd_failure_flag'] }} - -########################### -## DISA STIG Audit Rules ## -########################### - -# Watch syslog configuration --w /etc/syslog.conf - -# Watch PAM and authentication configuration --w /etc/pam.d/ --w /etc/nsswitch.conf - -# Watch system log files --w /var/log/messages --w /var/log/audit/audit.log --w /var/log/audit/audit[1-4].log - -# Watch audit configuration files --w /etc/audit/auditd.conf -p wa --w /etc/audit/audit.rules -p wa - -# Watch login configuration --w /etc/login.defs --w /etc/securetty --w /etc/resolv.conf - -# Watch cron and at --w /etc/at.allow --w /etc/at.deny --w /var/spool/at/ --w /etc/crontab --w /etc/anacrontab --w /etc/cron.allow --w /etc/cron.deny --w /etc/cron.d/ --w /etc/cron.hourly/ --w /etc/cron.weekly/ --w /etc/cron.monthly/ - -# Watch shell configuration --w /etc/profile.d/ --w /etc/profile --w /etc/shells --w /etc/bashrc --w /etc/csh.cshrc --w /etc/csh.login - -# Watch kernel configuration --w /etc/sysctl.conf --w /etc/modprobe.conf - -# Watch linked libraries --w /etc/ld.so.conf -p wa --w /etc/ld.so.conf.d/ -p wa - -# Watch init configuration --w /etc/rc.d/init.d/ --w /etc/sysconfig/ --w /etc/inittab -p wa --w /etc/rc.local --w /etc/rc.sysinit - -# Watch filesystem and NFS exports --w /etc/fstab --w /etc/exports - -# Watch xinetd configuration --w /etc/xinetd.conf --w /etc/xinetd.d/ - -# Watch TCP_WRAPPERS configuration --w /etc/hosts.allow --w /etc/hosts.deny - -# Watch sshd configuration --w /etc/ssh/sshd_config - -# Audit system events --a always,exit -F 
arch=b32 -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setrlimit -S swapon --a always,exit -F arch=b64 -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setrlimit -S swapon - -# Audit any link creation --a always,exit -F arch=b32 -S link -S symlink --a always,exit -F arch=b64 -S link -S symlink - -############################## -## NIST 800-53 Requirements ## -############################## - -#2.6.2.4.1 Records Events that Modify Date and Time Information --a always,exit -F arch=b32 -S adjtimex -S stime -S settimeofday -k audit_time_rules --a always,exit -F arch=b32 -S clock_settime -k audit_time_rules --a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules --a always,exit -F arch=b64 -S clock_settime -k audit_time_rules --w /etc/localtime -p wa -k audit_time_rules - -#2.6.2.4.2 Record Events that Modify User/Group Information --w /etc/group -p wa -k identity --w /etc/passwd -p wa -k identity --w /etc/gshadow -p wa -k identity --w /etc/shadow -p wa -k identity --w /etc/security/opasswd -p wa -k identity --w /etc/sudoers - -#2.6.2.4.3 Record Events that Modify the Systems Network Environment --a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications --a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications --w /etc/issue -p wa -k audit_network_modifications --w /etc/issue.net -p wa -k audit_network_modifications --w /etc/hosts -p wa -k audit_network_modifications --w /etc/sysconfig/network -p wa -k audit_network_modifications - -#2.6.2.4.4 Record Events that Modify the System Mandatory Access Controls --w /etc/selinux/ -p wa -k MAC-policy - -#2.6.2.4.5 Ensure auditd Collects Logon and Logout Events --w /var/log/faillog -p wa -k logins --w /var/log/lastlog -p wa -k logins - -#2.6.2.4.6 Ensure auditd Collects Process and Session Initiation Information --w /var/run/utmp -p wa -k session --w /var/log/btmp -p wa -k session --w /var/log/wtmp -p wa -k session - 
-#2.6.2.4.7 Ensure auditd Collects Discretionary Access Control Permission Modification Events --a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S fchmod -F auid=0 -k perm_mod --a always,exit -F arch=b32 -S chmod -F auid=0 -k perm_mod --a always,exit -F arch=b32 -S fchmodat -F auid=0 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S lchown -F auid=0 -k perm_mod --a always,exit -F arch=b32 -S fchownat -F auid=0 -k perm_mod --a always,exit -F arch=b32 -S fchown -F auid=0 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod --a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod --a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod --a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod - -#2.6.2.4.8 Ensure auditd Collects 
Unauthorized Access Attempts to Files (unsuccessful) --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access - -#2.6.2.4.9 Ensure auditd Collects Information on the Use of Privileged Commands --a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/bin/chgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/sbin/pwck -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/suexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/newusers -F perm=x -F auid>=500 
-F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/groupdel -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/groupmod -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/semangae -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/ccreds_validate -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/Xorg -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/rlogin -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/rsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/kgrantpty -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/rcp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F 
auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/newrole -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged --a always,exit -F path=/usr/bin/kpac_dhcp_helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged - -#2.6.2.4.10 Ensure auditd Collects Information on Exporting to Media (successful) --a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export --a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export - -#2.6.2.4.11 Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful) --a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete --a always,exit -F arch=b32 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid=0 -k delete --a always,exit -F arch=b64 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete --a always,exit -F arch=b64 -S unlink -S rmdir -S unlinkat -S rename -S renameat -F auid=0 -k delete - -#2.6.2.4.12 Ensure auditd Collects System Administrator Actions --w /etc/sudoers -p wa -k actions - -#2.6.2.4.13 Make the auditd Configuration Immutable --w /sbin/insmod -p x -k modules --w /sbin/rmmod -p x -k modules --w /sbin/modprobe -p x -k modules --a always,exit -F arch=b32 -S 
init_module -S delete_module -k modules
--a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-
-#2.6.2.4.14 Make the auditd Configuration Immutable
--e 2
diff --git a/templates/auditd.conf.j2 b/templates/auditd.conf.j2
deleted file mode 100644
index 73d685f..0000000
--- a/templates/auditd.conf.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# This file controls the configuration of the audit daemon
-#
-log_file = /var/log/audit/audit.log
-log_format = RAW
-log_group = root
-priority_boost = 5
-flush = INCREMENTAL
-freq = 20
-num_logs = {{ rhel6stig_auditd_config['num_logs'] }}
-disp_qos = lossy
-dispatcher = /sbin/audispd
-name_format = NONE
-##name = mydomain
-max_log_file = {{ rhel6stig_auditd_config['max_log_file'] }}
-max_log_file_action = {{ rhel6stig_auditd_config['max_log_file_action'] }}
-space_left = {{ rhel6stig_auditd_config['space_left'] }}
-space_left_action = {{ rhel6stig_auditd_config['space_left_action'] }}
-action_mail_acct = {{ rhel6stig_auditd_config['action_mail_acct'] }}
-admin_space_left = 50
-admin_space_left_action = {{ rhel6stig_auditd_config['admin_space_left_action'] }}
-disk_full_action = {{ rhel6stig_auditd_config['disk_full_action'] }}
-disk_error_action = {{ rhel6stig_auditd_config['disk_error_action'] }}
-##tcp_listen_port =
-tcp_listen_queue = 5
-tcp_max_per_addr = 1
-##tcp_client_ports = 1024-65535
-tcp_client_max_idle = 0
-enable_krb5 = no
-krb5_principal = auditd
-##krb5_key_file = /etc/audit/audit.key
diff --git a/templates/issue.j2 b/templates/issue.j2
deleted file mode 100644
index 7116a79..0000000
--- a/templates/issue.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ rhel6stig_login_banner }}
diff --git a/templates/password-auth.j2 b/templates/password-auth.j2
deleted file mode 100644
index 9e38e5d..0000000
--- a/templates/password-auth.j2
+++ /dev/null
@@ -1,29 +0,0 @@
-#%PAM-1.0
-# This file is being managed by Ansible. Please make any desired changes to the template. Any changes made here will be likely overwritten.
-auth required pam_env.so
-{% if login_failures_interval_audit is defined or logon_attempts_audit is defined %}
-auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
-{% endif %}
-auth sufficient pam_unix.so nullok try_first_pass
-{% if login_failures_interval_audit is defined or logon_attempts_audit is defined %}
-auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
-{% endif %}
-auth requisite pam_succeed_if.so uid >= 500 quiet
-auth required pam_deny.so
-
-{% if login_failures_interval_audit is defined or logon_attempts_audit is defined %}
-account required pam_faillock.so
-{% endif %}
-account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account required pam_permit.so
-
-password requisite pam_cracklib.so try_first_pass retry=3 type=
-password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
-password required pam_deny.so
-
-session optional pam_keyinit.so revoke
-session required pam_limits.so
-ap
-session required pam_unix.so
\ No newline at end of file
diff --git a/templates/system-auth.j2 b/templates/system-auth.j2
deleted file mode 100644
index 44b8a64..0000000
--- a/templates/system-auth.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-#%PAM-1.0
-# This file is being managed by Ansible. Please make any desired changes to the template. Any changes made here will be likely overwritten.
-auth required pam_env.so
-auth sufficient pam_fprintd.so
-{% if login_failures_interval_audit is defined or logon_attempts_audit is defined %}
-auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
-{% endif %}
-auth sufficient pam_unix.so nullok try_first_pass
-{% if login_failures_interval_audit is defined or logon_attempts_audit is defined %}
-auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
-{% endif %}
-auth requisite pam_succeed_if.so uid >= 500 quiet
-auth required pam_deny.so
-
-{% if login_failures_interval_audit is defined or logon_attempts_audit is defined %}
-account required pam_faillock.so
-{% endif %}
-account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account required pam_permit.so
-
-password requisite pam_cracklib.so try_first_pass retry=3 type=
-password sufficient pam_unix.so {% if pam_pwd_hash_audit is defined %}sha512{% else %}md5{% endif %} shadow nullok try_first_pass use_authtok
-password required pam_deny.so
-
-session optional pam_keyinit.so revoke
-session required pam_limits.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so
\ No newline at end of file