V1r16 updates (ansible-lockdown#114)
* removed V-38635 per V1R16

* add vagrant testing for local dev/etc

* add fix for ansible-lockdown#112 - non idempotent task

* update README to reflect V1R16 change
shepdelacreme authored Sep 27, 2017
1 parent e4e266f commit 3c4025a
Showing 11 changed files with 200 additions and 31 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -14,7 +14,7 @@ To install this role with `ansible-galaxy` use the following command:

`ansible-galaxy install -p roles nousdefions.STIG-RHEL6`

Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 15 - 2017-04-28](http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R15_STIG.zip).
Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 16 - 2017-07-28](http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R16_STIG.zip).

This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-rhel6stig)

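Review bot: the README change only bumps the STIG version and link, but this same commit drops the V-38635 (adjtimex auditing) task from tasks/cat3.yml, so a one-line note here that V-38635 is no longer applied per V1R16 would spare users who notice the `-S adjtimex` rule missing from /etc/audit/audit.rules from having to diff the role to find out why.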
32 changes: 13 additions & 19 deletions tasks/cat3.yml
Expand Up @@ -1154,12 +1154,18 @@
- access
- patch

- name: "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs."
lineinfile:
line: "-a always,exit -F path={{ item }} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
state: present
dest: /etc/audit/audit.rules
with_items: "{{ setugid_programs.stdout_lines }}"
- block:
- name: "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs."
shell: find $(lsblk -o MOUNTPOINT -n | grep '^/') -xdev -type f -perm /6000 2>/dev/null
changed_when: false
register: setugid_programs

- name: "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs."
lineinfile:
line: "-a always,exit -F path={{ item }} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"
state: present
dest: /etc/audit/audit.rules
with_items: "{{ setugid_programs.stdout_lines }}"
tags:
- cat3
- low
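Review bot: both tasks inside the new block carry the identical name "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs.", so play output and the idempotence report cannot tell the `find` step from the `lineinfile` step; give the first one a distinct name, for example the removed prelim task's "PRELIM | List setuid / setgid programs on all mounted filesystems" or an AUDIT label. Re-enumerating immediately before the rule writes means the list reflects permission changes made by earlier tasks, which is presumably what made the prelim-registered list drift between runs (#112). One caveat: `lineinfile` with `line:` and no `regexp:` only checks for that exact line, so a rule for the same path written with a different auid clause on an earlier run is kept alongside the new one rather than replaced.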
Expand Down Expand Up @@ -1456,19 +1462,6 @@
- openldap_server
- audit

- name: "LOW | V-38635 | PATCH | The audit system must be configured to audit all attempts to alter system time through adjtimex."
lineinfile:
line: -a always,exit -F arch={{ audit_arch }} -S adjtimex -k audit_time_rules
dest: /etc/audit/audit.rules
state: present
tags:
- cat3
- low
- V-38627
- auditd
- system_time
- patch

- name: "LOW | V-38639 | AUDIT | The system must display a publicly-viewable pattern during a graphical desktop environment session lock."
command: gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode
register: gconftool_pattern_audit
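Review bot: the removed V-38635 task was tagged `V-38627` rather than `V-38635` (see the deleted `- V-38627` tag line), so `--tags V-38635` never selected it; the same copy-paste tag mismatch is worth a grep across the remaining time-related audit tasks while this area is being touched. The removal itself matches the commit message ("removed V-38635 per V1R16").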
Expand Down Expand Up @@ -2306,6 +2299,7 @@

- name: "LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services."
selinux:
conf: /etc/selinux/config
policy: "{{ rhel6stig_selinux_pol }}"
state: enforcing
tags:
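Review bot: `conf: /etc/selinux/config` is already the selinux module's default, so this hunk does not change behaviour. V-51369 (and V-51363) still appear as non-idempotent in the sample output added to tests/README.md; when a box boots with SELinux disabled the module can only rewrite the config file, and on some Ansible versions it keeps reporting a change until the host is rebooted, so a reboot step between provisioning and role_idempotent_check.yml is more likely to settle that assertion than this parameter.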
11 changes: 0 additions & 11 deletions tasks/prelim.yml
Expand Up @@ -210,17 +210,6 @@
- auditd
- patch

- name: "PRELIM | List setuid / setgid programs on all mounted filesystems"
shell: find $(lsblk -o MOUNTPOINT -n | grep '^/') -xdev -type f -perm /6000 2>/dev/null
changed_when: false
register: setugid_programs
tags:
- cat3
- low
- V-38567
- auditd
- patch

- name: "PRELIM | List /etc/fstab mount points"
shell: 'awk ''/^[^#]/ { print $2; }'' /etc/fstab'
changed_when: false
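Review bot: with this prelim task gone, `setugid_programs` is only registered inside the cat3 block, so that block's tag list (cut off below `- low` in the cat3 hunk) must keep `V-38567` and `auditd` for tag-filtered runs to still produce the variable before the `lineinfile` loop consumes it; worth confirming, since the tags deleted here were what made the prelim step run alongside the patch task.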
91 changes: 91 additions & 0 deletions tests/README.md
@@ -0,0 +1,91 @@
RHEL 6 DISA STIG Testing
================
Local testing of this role can be accomplished easily by using Vagrant. The included Vagrantfile has box definitions for a CentOS 6 and RHEL 6 based test machine. Additionally there are various playbooks in this directory for applying the STIG role to the boxes and there is a provision step in the Vagrantfile that will apply the role when the machine boots.

Testing the idempotence of the role can be acomplished by running the role_idempotent_check.yml playbook

Requirements
------------
vagrant>=2.0

ansible>=2.4.0.0

Galaxy Roles

samdoran.redhat-subscription

```shell
ansible-galaxy install -r requirements.yml
```

`vagrant-inventory` file with proper values in it.
```ini
[baseline_hosts]
centos6 ansible_port=2200 ansible_ssh_private_key_file=.vagrant/machines/centos6-stig/virtualbox/private_key
rhel6 ansible_port=2201 ansible_ssh_private_key_file=.vagrant/machines/rhel6-stig/virtualbox/private_key

[baseline_hosts:vars]
ansible_host=127.0.0.1
ansible_user=vagrant
```

Example Testing
-----------------

Spin up a new CentOS and RHEL box in Vagrant to run the tests on and apply the STIG.

```shell
vagrant up
```

Or if you don't want to run the initial provision steps at this time.

```shell
vagrant up --no-provision
```

Not running the provision steps in vagrant is sometimes preferred because vagrant will not run the play in parallel on both hosts, it will run on each host in serial.

If you did not provision in the above step then run Ansible to provision the host.

```shell
ansible-playbook -i vagrant-inventory apply_role.yml -e @extra_vars_vagrant.yml
```

If there are no failures then we want apply the role again and test for idempotence.

```shell
ansible-playbook -i vagrant-inventory role_idempotent_check.yml
```
The idempotence check playbook runs the STIG role in silent mode (redirecting play/task output to JSON). You will not see each individual task run and it will take ~5min to complete.

After you are done you may see output like below if the idempotence check fails. The `assert` tasks give pass or fail for CentOS 6 and RHEL 6 respectively and give a list of the non-idempotent tasks from the run.

```
TASK [assert] ******************************************************************
fatal: [centos6]: FAILED! => {
"assertion": "play_output.stats.centos6.changed == 0",
"changed": false,
"evaluated_to": false,
"failed": true,
"msg": "Role FAILED idempotent test on CentOS6: [u'MEDIUM | V-51363 | PATCH | The system must use a Linux Security Module configured to enforce limits on system services.', u'LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services.'] tasks reported change on second run."
}
fatal: [rhel6]: FAILED! => {
"assertion": "play_output.stats.centos6.changed == 0",
"changed": false,
"evaluated_to": false,
"failed": true,
"msg": "Role FAILED idempotent test on CentOS6: [u'MEDIUM | V-51363 | PATCH | The system must use a Linux Security Module configured to enforce limits on system services.', u'LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs.', u'LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services.'] tasks reported change on second run."
}
PLAY RECAP ******************************************************************
centos6 : ok=5 changed=1 unreachable=0 failed=1
rhel6 : ok=5 changed=1 unreachable=0 failed=1
```

After you are done you should clean up.

```shell
ansible-playbook -i vagrant-inventory deregister.yml
vagrant destroy -f
```
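Review bot: the sample failure output is inconsistent with itself and with tests/role_idempotent_check.yml: the `fatal: [rhel6]` block asserts `play_output.stats.centos6.changed == 0` and says "on CentOS6", whereas the playbook added in this commit asserts `stats.rhel6.changed` for that host, so either paste fresh output or trim it to the centos6 block. Smaller points: "acomplished" should be "accomplished" and "we want apply" is missing "to"; the inventory block duplicates tests/vagrant-inventory verbatim and will drift (point readers at the file instead); and the Requirements section should mention that `json_query` needs the jmespath library on the controller and that extra_vars_vagrant.yml sets `rhel6stig_antivirus_required: no` for the test boxes.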
18 changes: 18 additions & 0 deletions tests/apply_role.yml
@@ -0,0 +1,18 @@
- name: Apply STIG
hosts: baseline_hosts
become: yes

tasks:
- name: Register system with RedHat
include_role:
name: redhat-subscription
when: ansible_distribution == 'RedHat'

- name: Remove EPEL
yum:
name: epel-release
state: absent

- name: Apply STIG
include_role:
name: ../../RHEL6-STIG
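Review bot: `include_role: name: ../../RHEL6-STIG` hardcodes the checkout directory name, so the playbook breaks if the repo is cloned under its Galaxy name (`nousdefions.STIG-RHEL6` per README.md) or any other directory; `name: "{{ playbook_dir }}/.."` resolves to the role root regardless of what the checkout is called. The `when: ansible_distribution == 'RedHat'` guard on the subscription role depends on fact gathering, which is on by default here, so that part is fine.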
11 changes: 11 additions & 0 deletions tests/deregister.yml
@@ -0,0 +1,11 @@
- name: Red Hat subscription state
hosts: all
become: yes

vars:
rhsub_state: absent

tasks:
- include_role:
name: redhat-subscription
when: ansible_distribution == 'RedHat'
5 changes: 5 additions & 0 deletions tests/extra_vars_vagrant.yml
@@ -0,0 +1,5 @@
rhel6stig_cat1: yes
rhel6stig_cat2: yes
rhel6stig_cat3: yes

rhel6stig_antivirus_required: no
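Review bot: `rhel6stig_antivirus_required: no` waives a STIG control for the test boxes without saying why; a one-line comment (no antivirus package is available on the Vagrant boxes) keeps this file from being copied into a real inventory with the waiver intact.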
2 changes: 2 additions & 0 deletions tests/requirements.yml
@@ -0,0 +1,2 @@
- src: samdoran.redhat-subscription
name: redhat-subscription
34 changes: 34 additions & 0 deletions tests/role_idempotent_check.yml
@@ -0,0 +1,34 @@
- name: Tets role idempotence
hosts: baseline_hosts
become: yes

vars:
extra_vars_file: extra_vars_vagrant.yml

tasks:
- name: Apply STIG - idempotence test - SILENT OUTPUT
shell: "ansible-playbook -i vagrant-inventory apply_role.yml -e @{{extra_vars_file}}"
environment:
ANSIBLE_STDOUT_CALLBACK: json
delegate_to: localhost
become: no
register: run_result

- set_fact:
play_output: "{{run_result.stdout|from_json}}"

- set_fact:
centos6_changed: "{{play_output|json_query('plays[].tasks[?hosts.centos6.changed].task.name')}}"

- set_fact:
rhel6_changed: "{{play_output|json_query('plays[].tasks[?hosts.centos6.changed].task.name')}}"

- assert:
that:
- "play_output.stats.centos6.changed == 0"
msg: "Role FAILED idempotent test on CentOS6: {{centos6_changed|join('\n')}} tasks reported change on second run."

- assert:
that:
- "play_output.stats.rhel6.changed == 0"
msg: "Role FAILED idempotent test on RHEL6: {{rhel6_changed|join('\n')}} tasks reported change on second run."
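Review bot: the `rhel6_changed` fact in the third `set_fact` queries `hosts.centos6.changed`, a copy-paste of the CentOS expression, so the RHEL6 assertion message lists the CentOS task names; it should read `plays[].tasks[?hosts.rhel6.changed].task.name`. Separately, the play targets `baseline_hosts` while the `shell` task is delegated to localhost, so the nested `ansible-playbook` (which itself runs against both hosts) is executed once per inventory host; add `run_once: true` to the shell and set_fact tasks, or target `localhost` with `gather_facts: no`. The play name also has a typo, "Tets role idempotence".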
7 changes: 7 additions & 0 deletions tests/vagrant-inventory
@@ -0,0 +1,7 @@
[baseline_hosts]
centos6 ansible_port=2200 ansible_ssh_private_key_file=.vagrant/machines/centos6-stig/virtualbox/private_key
rhel6 ansible_port=2201 ansible_ssh_private_key_file=.vagrant/machines/rhel6-stig/virtualbox/private_key

[baseline_hosts:vars]
ansible_host=127.0.0.1
ansible_user=vagrant
18 changes: 18 additions & 0 deletions tests/vagrant_provision.yml
@@ -0,0 +1,18 @@
- name: Setup hosts and apply STIG
hosts: all
become: yes

tasks:
- name: Register system with RedHat
include_role:
name: redhat-subscription
when: ansible_distribution == 'RedHat'

- name: Remove EPEL
yum:
name: epel-release
state: absent

- name: Apply STIG
include_role:
name: ../../RHEL6-STIG
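Review bot: this playbook is identical to tests/apply_role.yml apart from `hosts: all` versus `baseline_hosts` and the play name; keep a single file (Vagrant's ansible provisioner can run apply_role.yml with its own inventory or a `limit`) so the EPEL removal and subscription steps cannot drift apart, and note that `name: ../../RHEL6-STIG` carries the same dependency on the checkout directory name here as it does in apply_role.yml.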

0 comments on commit 3c4025a