From 3c4025a3ccd504e0d33cd6ac57c4f41188607cfe Mon Sep 17 00:00:00 2001 From: Daniel Shepherd Date: Wed, 27 Sep 2017 16:53:01 -0400 Subject: [PATCH] V1r16 updates (#114) * removed V-38635 per V1R16 * add vagrant testing for local dev/etc * add fix for #112 - non idempotent task * update README to reflect V1R16 change --- README.md | 2 +- tasks/cat3.yml | 32 +++++------- tasks/prelim.yml | 11 ---- tests/README.md | 91 +++++++++++++++++++++++++++++++++ tests/apply_role.yml | 18 +++++++ tests/deregister.yml | 11 ++++ tests/extra_vars_vagrant.yml | 5 ++ tests/requirements.yml | 2 + tests/role_idempotent_check.yml | 34 ++++++++++++ tests/vagrant-inventory | 7 +++ tests/vagrant_provision.yml | 18 +++++++ 11 files changed, 200 insertions(+), 31 deletions(-) create mode 100644 tests/README.md create mode 100644 tests/apply_role.yml create mode 100644 tests/deregister.yml create mode 100644 tests/extra_vars_vagrant.yml create mode 100644 tests/requirements.yml create mode 100644 tests/role_idempotent_check.yml create mode 100644 tests/vagrant-inventory create mode 100644 tests/vagrant_provision.yml diff --git a/README.md b/README.md index c80f4e5..4a6a21c 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ To install this role with `ansible-galaxy` use the following command: `ansible-galaxy install -p roles nousdefions.STIG-RHEL6` -Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 15 - 2017-04-28](http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R15_STIG.zip). +Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 16 - 2017-07-28](http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R16_STIG.zip). This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-rhel6stig) diff --git a/tasks/cat3.yml b/tasks/cat3.yml index 67b1c7a..1098671 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml 
@@ -1154,12 +1154,18 @@ - access - patch -- name: "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs." - lineinfile: - line: "-a always,exit -F path={{ item }} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" - state: present - dest: /etc/audit/audit.rules - with_items: "{{ setugid_programs.stdout_lines }}" +- block: + - name: "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs." + shell: find $(lsblk -o MOUNTPOINT -n | grep '^/') -xdev -type f -perm /6000 2>/dev/null + changed_when: false + register: setugid_programs + + - name: "LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs." + lineinfile: + line: "-a always,exit -F path={{ item }} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" + state: present + dest: /etc/audit/audit.rules + with_items: "{{ setugid_programs.stdout_lines }}" tags: - cat3 - low @@ -1456,19 +1462,6 @@ - openldap_server - audit -- name: "LOW | V-38635 | PATCH | The audit system must be configured to audit all attempts to alter system time through adjtimex." - lineinfile: - line: -a always,exit -F arch={{ audit_arch }} -S adjtimex -k audit_time_rules - dest: /etc/audit/audit.rules - state: present - tags: - - cat3 - - low - - V-38627 - - auditd - - system_time - - patch - - name: "LOW | V-38639 | AUDIT | The system must display a publicly-viewable pattern during a graphical desktop environment session lock." command: gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode register: gconftool_pattern_audit @@ -2306,6 +2299,7 @@ - name: "LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services." selinux: + conf: /etc/selinux/config policy: "{{ rhel6stig_selinux_pol }}" state: enforcing tags: 
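Review bot: The two tasks inside the new block carry the identical name `LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs.`, so the discovery step and the rule-writing step cannot be told apart in play output or in the JSON that tests/role_idempotent_check.yml keys on task names. The first task should get a distinct name in the repo's own convention, e.g. `- name: "LOW | V-38567 | AUDIT | List setuid / setgid programs on all mounted filesystems"`, matching the `AUDIT` discovery tasks elsewhere in cat3.yml. The `$(lsblk -o MOUNTPOINT -n | grep '^/')` substitution is unquoted, so a mount point containing whitespace is word-split into separate find arguments; this is inherited from the prelim.yml task being moved, but the move is a good moment to note it. Worth a comment above the lineinfile as well: `# rules are only added; a binary that loses its setuid/setgid bit keeps its stale audit rule`, since lineinfile with `state: present` never removes lines.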
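Review bot: `conf: /etc/selinux/config` is the selinux module's documented default path, so it is not evident from the hunk why stating it explicitly fixes the non-idempotent behaviour the commit message ties to #112; a comment above the line, e.g. `# explicit conf path keeps the module from reporting changed on repeat runs (#112)`, would stop a later cleanup from removing it as redundant. The sample failure output added in tests/README.md also lists `MEDIUM | V-51363 | PATCH | ...` as reporting change on the second run, and that task is not touched by this commit; if it drives the same module it presumably needs the same treatment, which is worth confirming before closing #112. The enclosing V-51369 task's `tags` list continues outside the hunk.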
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index da3f3f8..935ae91 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -210,17 +210,6 @@ - auditd - patch -- name: "PRELIM | List setuid / setgid programs on all mounted filesystems" - shell: find $(lsblk -o MOUNTPOINT -n | grep '^/') -xdev -type f -perm /6000 2>/dev/null - changed_when: false - register: setugid_programs - tags: - - cat3 - - low - - V-38567 - - auditd - - patch - - name: "PRELIM | List /etc/fstab mount points" shell: 'awk ''/^[^#]/ { print $2; }'' /etc/fstab' changed_when: false diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 0000000..6f52f67 --- /dev/null +++ b/tests/README.md 
@@ -0,0 +1,91 @@
+RHEL 6 DISA STIG Testing
+================
+Local testing of this role can be accomplished easily by using Vagrant. The included Vagrantfile has box definitions for a CentOS 6 and RHEL 6 based test machine. Additionally there are various playbooks in this directory for applying the STIG role to the boxes and there is a provision step in the Vagrantfile that will apply the role when the machine boots.
+
+Testing the idempotence of the role can be acomplished by running the role_idempotent_check.yml playbook
+
+Requirements
+------------
+vagrant>=2.0
+
+ansible>=2.4.0.0
+
+Galaxy Roles
+
+samdoran.redhat-subscription
+
+```shell
+ansible-galaxy install -r requirements.yml
+```
+
+`vagrant-inventory` file with proper values in it.
+```ini
+[baseline_hosts]
+centos6 ansible_port=2200 ansible_ssh_private_key_file=.vagrant/machines/centos6-stig/virtualbox/private_key
+rhel6 ansible_port=2201 ansible_ssh_private_key_file=.vagrant/machines/rhel6-stig/virtualbox/private_key
+
+[baseline_hosts:vars]
+ansible_host=127.0.0.1
+ansible_user=vagrant
+```
+
+Example Testing
+-----------------
+
+Spin up a new CentOS and RHEL box in Vagrant to run the tests on and apply the STIG.
+
+```shell
+vagrant up
+```
+
+Or if you don't want to run the initial provision steps at this time.
+
+```shell
+vagrant up --no-provision
+```
+
+Not running the provision steps in vagrant is sometimes preferred because vagrant will not run the play in parallel on both hosts, it will run on each host in serial.
+
+If you did not provision in the above step then run Ansible to provision the host.
+
+```shell
+ansible-playbook -i vagrant-inventory apply_role.yml -e @extra_vars_vagrant.yml
+```
+
+If there are no failures then we want apply the role again and test for idempotence.
+
+```shell
+ansible-playbook -i vagrant-inventory role_idempotent_check.yml
+```
+The idempotence check playbook runs the STIG role in silent mode (redirecting play/task output to JSON).
You will not see each individual task run and it will take ~5min to complete.
+
+After you are done you may see output like below if the idempotence check fails. The `assert` tasks give pass or fail for CentOS 6 and RHEL 6 respectively and give a list of the non-idempotent tasks from the run.
+
+```
+TASK [assert] ******************************************************************
+fatal: [centos6]: FAILED! => {
+    "assertion": "play_output.stats.centos6.changed == 0",
+    "changed": false,
+    "evaluated_to": false,
+    "failed": true,
+    "msg": "Role FAILED idempotent test on CentOS6: [u'MEDIUM | V-51363 | PATCH | The system must use a Linux Security Module configured to enforce limits on system services.', u'LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services.'] tasks reported change on second run."
+}
+fatal: [rhel6]: FAILED! => {
+    "assertion": "play_output.stats.centos6.changed == 0",
+    "changed": false,
+    "evaluated_to": false,
+    "failed": true,
+    "msg": "Role FAILED idempotent test on CentOS6: [u'MEDIUM | V-51363 | PATCH | The system must use a Linux Security Module configured to enforce limits on system services.', u'LOW | V-38567 | PATCH | The audit system must be configured to audit all use of setuid and setgid programs.', u'LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services.'] tasks reported change on second run."
+}
+
+PLAY RECAP ******************************************************************
+centos6 : ok=5 changed=1 unreachable=0 failed=1
+rhel6 : ok=5 changed=1 unreachable=0 failed=1
+```
+
+After you are done you should clean up.
+
+```shell
+ansible-playbook -i vagrant-inventory deregister.yml
+vagrant destroy -f
+```
diff --git a/tests/apply_role.yml b/tests/apply_role.yml
new file mode 100644
index 0000000..619bc88
--- /dev/null
+++ b/tests/apply_role.yml
@@ -0,0 +1,18 @@
+- name: Apply STIG
+  hosts: baseline_hosts
+  become: yes
+
+  tasks:
+    - name: Register system with RedHat
+      include_role:
+        name: redhat-subscription
+      when: ansible_distribution == 'RedHat'
+
+    - name: Remove EPEL
+      yum:
+        name: epel-release
+        state: absent
+
+    - name: Apply STIG
+      include_role:
+        name: ../../RHEL6-STIG
\ No newline at end of file
diff --git a/tests/deregister.yml b/tests/deregister.yml
new file mode 100644
index 0000000..2290518
--- /dev/null
+++ b/tests/deregister.yml
@@ -0,0 +1,11 @@
+- name: Red Hat subscription state
+  hosts: all
+  become: yes
+
+  vars:
+    rhsub_state: absent
+
+  tasks:
+    - include_role:
+        name: redhat-subscription
+      when: ansible_distribution == 'RedHat'
\ No newline at end of file
diff --git a/tests/extra_vars_vagrant.yml b/tests/extra_vars_vagrant.yml
new file mode 100644
index 0000000..7e8a7b7
--- /dev/null
+++ b/tests/extra_vars_vagrant.yml
@@ -0,0 +1,5 @@
+rhel6stig_cat1: yes
+rhel6stig_cat2: yes
+rhel6stig_cat3: yes
+
+rhel6stig_antivirus_required: no
diff --git a/tests/requirements.yml b/tests/requirements.yml
new file mode 100644
index 0000000..1850208
--- /dev/null
+++ b/tests/requirements.yml
@@ -0,0 +1,2 @@
+- src: samdoran.redhat-subscription
+  name: redhat-subscription
diff --git a/tests/role_idempotent_check.yml b/tests/role_idempotent_check.yml
new file mode 100644
index 0000000..12ca7a0
--- /dev/null
+++ b/tests/role_idempotent_check.yml
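Review bot: tests/apply_role.yml and tests/vagrant_provision.yml (the last hunk on this page) are identical apart from `hosts: baseline_hosts` versus `hosts: all`, so every future change to the test sequence has to be made twice. A single playbook with `hosts: "{{ target_hosts | default('all') }}"` and `-e target_hosts=baseline_hosts` from role_idempotent_check.yml would cover both uses. The role path `../../RHEL6-STIG` assumes the checkout directory is literally named RHEL6-STIG; `name: "{{ playbook_dir }}/.."` resolves the role root regardless of how the repo was cloned. The play-level `become: yes` is a YAML 1.1 truthy spelling and `become: true` is the canonical form, and this file and deregister.yml are both missing their trailing newline (`\ No newline at end of file`).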
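Review bot: All four values in tests/extra_vars_vagrant.yml use the YAML 1.1 truthy spellings `yes`/`no`; Ansible's loader resolves them to booleans, but `true`/`false` is unambiguous across parsers and is what yamllint's `truthy` rule expects, e.g. `rhel6stig_cat1: true` and `rhel6stig_antivirus_required: false`. The role's own defaults are not on this page, so whichever spelling they use should be matched here for consistency.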
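Review bot: The galaxy requirement `- src: samdoran.redhat-subscription` carries no `version:`, so `ansible-galaxy install -r requirements.yml` fetches whatever the upstream role's latest release or default branch is at install time, and the test run depends on code this repo does not pin. Add `version: <tested-tag>` (placeholder; use the tag that was actually tested) so the role that apply_role.yml, deregister.yml and vagrant_provision.yml execute with `become: yes` on the test hosts is reproducible and an upstream change cannot silently alter what runs. The README's "Galaxy Roles" section should then state the same pinned version.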
@@ -0,0 +1,34 @@
+- name: Tets role idempotence
+  hosts: baseline_hosts
+  become: yes
+
+  vars:
+    extra_vars_file: extra_vars_vagrant.yml
+
+  tasks:
+    - name: Apply STIG - idempotence test - SILENT OUTPUT
+      shell: "ansible-playbook -i vagrant-inventory apply_role.yml -e @{{extra_vars_file}}"
+      environment:
+        ANSIBLE_STDOUT_CALLBACK: json
+      delegate_to: localhost
+      become: no
+      register: run_result
+
+    - set_fact:
+        play_output: "{{run_result.stdout|from_json}}"
+
+    - set_fact:
+        centos6_changed: "{{play_output|json_query('plays[].tasks[?hosts.centos6.changed].task.name')}}"
+
+    - set_fact:
+        rhel6_changed: "{{play_output|json_query('plays[].tasks[?hosts.centos6.changed].task.name')}}"
+
+    - assert:
+        that:
+          - "play_output.stats.centos6.changed == 0"
+        msg: "Role FAILED idempotent test on CentOS6: {{centos6_changed|join('\n')}} tasks reported change on second run."
+
+    - assert:
+        that:
+          - "play_output.stats.rhel6.changed == 0"
+        msg: "Role FAILED idempotent test on RHEL6: {{rhel6_changed|join('\n')}} tasks reported change on second run."
diff --git a/tests/vagrant-inventory b/tests/vagrant-inventory
new file mode 100644
index 0000000..e9b008c
--- /dev/null
+++ b/tests/vagrant-inventory
@@ -0,0 +1,7 @@
+[baseline_hosts]
+centos6 ansible_port=2200 ansible_ssh_private_key_file=.vagrant/machines/centos6-stig/virtualbox/private_key
+rhel6 ansible_port=2201 ansible_ssh_private_key_file=.vagrant/machines/rhel6-stig/virtualbox/private_key
+
+[baseline_hosts:vars]
+ansible_host=127.0.0.1
+ansible_user=vagrant
diff --git a/tests/vagrant_provision.yml b/tests/vagrant_provision.yml
new file mode 100644
index 0000000..4603495
--- /dev/null
+++ b/tests/vagrant_provision.yml
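Review bot: The `rhel6_changed` fact is built with the selector `plays[].tasks[?hosts.centos6.changed].task.name`, the same one used for the CentOS fact, so the RHEL 6 assertion message lists CentOS 6 task names; it should read `rhel6_changed: "{{play_output|json_query('plays[].tasks[?hosts.rhel6.changed].task.name')}}"`. The shell task is delegated to localhost but the play targets both `baseline_hosts`, so the nested `ansible-playbook` (which itself applies the role to both hosts) runs once per host, i.e. twice; adding `run_once: true` next to `delegate_to: localhost` gives a single run, which also halves the ~5 minutes the README quotes. The play name `Tets role idempotence` has a typo. The sample output in tests/README.md shows the same CentOS6 message for the rhel6 host, so the README example presumably needs regenerating after the selector fix.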
@@ -0,0 +1,18 @@
+- name: Setup hosts and apply STIG
+  hosts: all
+  become: yes
+
+  tasks:
+    - name: Register system with RedHat
+      include_role:
+        name: redhat-subscription
+      when: ansible_distribution == 'RedHat'
+
+    - name: Remove EPEL
+      yum:
+        name: epel-release
+        state: absent
+
+    - name: Apply STIG
+      include_role:
+        name: ../../RHEL6-STIG