Remove audit tasks, update to V1R15, and refactor cat 1 and 2 checks (a…

…nsible-lockdown#108)

* Fixes ansible-lockdown#105 ansible-lockdown#97  ansible-lockdown#103  ansible-lockdown#94  ansible-lockdown#48  ansible-lockdown#23 

* removal of audit tasks from cat 1 and v1R15 cleanup

* housekeeping items and cleanup

* replace always_run w/ check_mode, initial pass of V1R15 STIG updates for cat 2 and 3 tasks, fix some issues with iptables tasks

* bump minimum ansible version to 2.2

* add sensible default iptables configs so the role doesnt lock users out

* remove not automated tasks and redistribute to other locations

* add handlers for saving iptables rules to disk and fix up the aide init handler

* finish moving cat 1 and 2 audit files out of main task files

* add variables for various tasks

* remove not automated task file from main

* document a not automated stig check

* remove V-38624 for V1R15 revision and ignore an ansible warning

* cat 2 - remove audit tasks, more updates for V1R15 revision, and refactor tasks

* README updates and some default var changes

.gitignore

@@ -1 +1,5 @@
 *.swp
+*.pyc
+*.retry
+Vagrantfile
+.vagrant

README.md

@@ -4,17 +4,17 @@ RHEL 6 DISA STIG
 
 Configure RHEL 6 to be DISA STIG compliant. CAT I findings will be corrected by default. CAT II and CAT III findings can be corrected by setting the appropriate variable to enable those tasks.
 
-Not all findings can be remediated automatically, or they require more complex automation specific to your environment in order to be remediated appropriately. See `tasks/not_automated.yml` for these findings.
+Not all findings can be remediated automatically, or they require more complex automation specific to your environment in order to be remediated appropriately. See comments in `tasks/cat1.yml, tasks/cat2.yml, tasks/cat3.yml` for these findings.
 
-This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted, though auditing functionality is in the works.
+This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used for system hardening before or after an audit has been conducted.
 
 ## Installing from Ansible Galaxy ##
 
 To install this role with `ansible-galaxy` use the following command:
 
 `ansible-galaxy install -p roles nousdefions.STIG-RHEL6`
 
-Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 6 - 2015-01-23](http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx).
+Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 15 - 2017-04-28](http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R15_STIG.zip).
 
 This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-rhel6stig)
 
@@ -32,15 +32,28 @@ There are many role variables defined in `defaults/main.yml`. Here are the most
 | `rhel6stig_cat1`  | `yes`               | Correct CAT I findings |
 | `rhel6stig_cat2`  | `no`                | Correct CAT II findings |
 | `rhel6stig_cat3`  | `no`                | Correct CAT III findings |
+| `rhel6stig_snmp_community` | `B0re4lis` | SNMP community string |
+| `rhel6stig_pass_min_length` | `15` | Minimum password length |
+| `rhel6stig_pass_min_days` | `1` | Minimum password age in days |
+| `rhel6stig_pass_max_days` | `60` | Maximum password age in days |
+| `rhel6stig_pass_reuse` | `60` | Maximum password age in days |
+| `rhel6stig_pam_unix_params` | `sha512 shadow try_first_pass use_authtok remember=24` | PAM auth parameters |
+| `rhel6stig_pam_cracklib_params` | `pam_unix.so try_first_pass` | PAM auth parameters |
+| `rhel6stig_pam_auth_sufficient` | `try_first_pass retry=3 maxrepeat=3 minlen={{ rhel6stig_pass_min_length }} dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4` | PAM cracklib parameters |
+| `rhel6stig_selinux_pol` | `targeted` | SELinux policy to apply |
+| `rhel6stig_antivirus_required` | `no` | Whether Anti-virus is required. To enable this you should configure the AV package settings as well. |
+| `rhel6stig_av_package` | `complex` | AV Package settings |
+| `rhel6stig_gpg_key_loc` | `complex` | GPG Key Location (URL or on disk) |
 | `rhel6stig_use_dhcp` | `yes` | Whether the system should use DHCP or Static IPs. |
-| `rhel6stig_system_is_router` | `no` | Whether on not the target system is acting as a router. Skips tasks that would break the system if it is a acting as a router |
+| `rhel6stig_update_all_packages` | `yes` | Perform a yum update for all packages. |
+| `rhel6stig_maxlogins` | `10` | Max number of simultaneous system logins. |
 | `rhel6stig_root_email_address` | `[email protected]` | Address where system email is sent. |
 | `rhel6stig_xwindows_required` | `no` | Whether or not X Windows is is use on target systems. Disables some changes if X Windows is not in use. |
-| `rhel6stig_ipv6_in_use` | `no` | Whether or not IPv6 is in use of the target system. This is set automatically to `yes` if IPv6 is found to be in use. (Default: `no`) |
+| `rhel6stig_ipv6_required` | `yes` | Whether or not IPv6 is in use of the target system. |
 | `rhel6stig_tftp_required` | `no` |  Whether or not TFTP is required. If set to `yes`, this will prevent the removal of `tftp` and `tftp-server` packages. It will also  reconfigure the `tftp-server` to run securely. |
 | `rhel6stig_rhnsatellite_required` | `no` | Whether or not Red Hat Satellite is required in the environment. If not required, `rhnsd` will be stopped and disabled. |
-| `rhel6stig_bootloader_password` | [Randomly generated and encrypted string] | The new GRUB password to use if `rhel6stig_change_grub_password` is `yes` |
-| `rhel6stig_update_all_packages` | `yes` | Whether to install all system updates. |
+| `rhel6stig_system_is_router` | `no` | Whether on not the target system is acting as a router. Skips tasks that would break the system if it is a acting as a router |
+| `rhel6stig_bootloader_password` | [Randomly generated and encrypted string] | The new GRUB password to use. |
 | `rhel6stig_login_banner` | `[DOD banner]` | Banner used in `/etc/issue` and `/etc/issue.net` |
 
 
@@ -116,4 +129,3 @@ License
 
 MIT
 
-<span id="fn1">[1](#note1)</span>: A web based STIG viewer is available [here](https://stigviewer.com/stig/red_hat_enterprise_linux_6/). They are not associated in any way with DISA but have provided a useful tool for viewing the STIGs.

defaults/main.yml

@@ -1,5 +1,4 @@
-# Generate an audit report
-make_audit_report: no
+rhel6stig_min_ansible_version: 2.2
 
 # Enable or disable remediation for each category
 rhel6stig_cat1: yes
@@ -11,14 +10,35 @@ rhel6stig_snmp_community: B0re4lis
 rhel6stig_pass_min_length: 15
 rhel6stig_pass_min_days: 1
 rhel6stig_pass_max_days: 60
-rhel6stig_pass_reuse: 5         # V-38658 Number of passwords to remember to prevent reuse.
+# V-38658 Number of passwords to remember to prevent reuse.
+rhel6stig_pass_reuse: 5
 rhel6stig_pam_unix_params: sha512 shadow try_first_pass use_authtok remember=24
 rhel6stig_pam_auth_sufficient: pam_unix.so try_first_pass
 rhel6stig_pam_cracklib_params: try_first_pass retry=3 maxrepeat=3 minlen={{ rhel6stig_pass_min_length }} dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
 
 # SELinux settings
 rhel6stig_selinux_pol: targeted
 
+# Only set this to true if you have a valid
+# antivirus solution in your repositories, else it will fail every time.
+rhel6stig_antivirus_required: no
+
+# AV settings
+rhel6stig_av_package:
+    package:
+        - clamav
+        - clamav-scanner
+        - clamav-server
+    service: clamav-daemon
+
+# GPG Key locations
+# These are the standard URL locations for GPG keys for RH and Cent.
+# If running this against offline systems then specify an accessible
+# location where the key is stored.
+rhel6stig_gpg_key_loc:
+    centos: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
+    redhat: https://www.redhat.com/security/fd431d51.txt
+
 # Network Settings
 # WARNING!
 # Setting this to false will cause the playbook to execute tasks
@@ -40,7 +60,16 @@ rhel6stig_xwindows_required: no
 
 # Assume ipv6 is not needed on the target system and disable it.
 # This will also skip tasks related to configuring ip6tables.
-rhel6stig_ipv6_required: no
+rhel6stig_ipv6_required: yes
+
+# If wireless interface is required and documented then enalbe this
+# to avoid removing all wireless interfaces
+rhel6stig_wireless_required: no
+
+# Whether or not XINETD is required
+# If you are using tftp-server or other xinetd services
+# THIS MUST ALSO be ENABLED
+rhel6stig_xinetd_required: no
 
 # Whether or not TFTP is required
 # This will prevent the removal of tftp and tftp-server packages
@@ -101,23 +130,37 @@ rhel6stig_temporary_users: []
   # - user: foo
   #   expiration: 1632441600    # 2021-09-24. Time mush be in epoch.
 
+# V-58901 The sudo command must require authentication
+# This fix requires passwords when using sudo and breaks many use-cases
+# Cloud images, Vagrant boxes, etc will no longer allow sudo without a password
+# Set this to "no" to enable the fix for V-58901
+rhel6stig_allow_sudo_without_password: yes
+
 # Auditd.conf settings
 rhel6stig_auditd_config:
-  disk_error_action: syslog     # V-38464 - compliant options SYSLOG|EXEC|SINGLE|HALT
-  disk_full_action: syslog      # V-38468 - compliant options SYSLOG|EXEC|SINGLE|HALT
-  space_left_action: email      # V-38470 - compliant options EMAIL|SYSLOG
-  max_log_file: 6               # V-38633 - compliant options 6 or higher (MB)
-  max_log_file_action: rotate   # V-38634 - compliant options ROTATE
-  num_logs: 5                   # V-38636 - compliant options 5 or higher
-  space_left: 75                # V-38678 - must be set to locally defined value - default 75 MB
-  action_mail_acct: root        # V-38680 - compliant options - admin account to email
-
+  # V-38464 - compliant options SYSLOG|EXEC|SINGLE|HALT
+  disk_error_action: syslog
+  # V-38468 - compliant options SYSLOG|EXEC|SINGLE|HALT
+  disk_full_action: syslog
+  # V-38470 - compliant options EMAIL|SYSLOG
+  space_left_action: email
+  # V-38633 - compliant options 6 or higher (MB)
+  max_log_file: 6
+  # V-38634 - compliant options ROTATE
+  max_log_file_action: rotate
+  # V-38636 - compliant options 5 or higher
+  num_logs: 5
+  # V-38678 - must be set to locally defined value - default 75 MB
+  space_left: 75
+  # V-38680 - compliant options - admin account to email
+  action_mail_acct: root
   # Guidance says that anything but SINGLE results in finding
   # then says SUSPEND or HALT are acceptable and that
   # system where availability need is high will need to set this to
   # something else entirely.
   # NOTE: SINGLE user mode setting will break cloud systems.
-  admin_space_left_action: halt # V-54381 - compliant options SINGLE|SUSPEND|HALT|EXEC|SYSLOG
+  # V-54381 - compliant options SINGLE|SUSPEND|HALT|EXEC|SYSLOG
+  admin_space_left_action: halt
   # auditd_failure_flag
   # 2    Tells your system to perform an immediate shutdown without
   #      flushing any pending data to disk when the limits of your
@@ -128,6 +171,10 @@ rhel6stig_auditd_config:
   auditd_failure_flag: 2
 
 # AIDE settings
+rhel6stig_aide_dbdir: /var/lib/aide
+rhel6stig_aide_dbfile: aide.db.gz
+rhel6stig_aide_dbnewfile: aide.db.new.gz
+
 rhel6stig_aide_cron:
   cron_user: root
   cron_file: /etc/crontab
@@ -138,6 +185,9 @@ rhel6stig_aide_cron:
   aide_month: '*'
   aide_weekday: '*'
 
+# Firewall settings
+rhel6stig_firewall: iptables
+
 rhel6stig_login_banner: |
     *******************************************************************************
     *     YOU ARE ACCESSING A U.S. GOVERNMENT (USG) INFORMATION SYSTEM  (IS)      *

files/etc_sysconfig_ip6tables

@@ -0,0 +1,10 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmpv6 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT

files/etc_sysconfig_iptables

@@ -0,0 +1,10 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT

handlers/main.yml

@@ -3,7 +3,7 @@
       name: ntpd
       state: restarted
 
-- name: restart ssh
+- name: restart sshd
   service:
       name: sshd
       state: restarted
@@ -49,11 +49,23 @@
       name: iptables
       state: restarted
 
+- name: save iptables rules
+  shell: iptables-save > /etc/sysconfig/iptables
+  args:
+      warn: no
+  notify: restart iptables
+
 - name: restart ip6tables
   service:
       name: ip6tables
       state: restarted
 
+- name: save ip6tables rules
+  shell: ip6tables-save  > /etc/sysconfig/ip6tables
+  args:
+      warn: no
+  notify: restart ip6tables
+
 - name: restart vsftpd
   service:
       name: vsftpd
@@ -71,9 +83,13 @@
       state: restarted
 
 - name: init aide
-  command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
+  command: "/usr/sbin/aide --init -B 'database_out=file:{{rhel6stig_aide_dbdir}}/{{rhel6stig_aide_dbnewfile}}'"
   async: 45
   poll: 0
+  notify: move new aide db into place
+
+- name: move new aide db into place
+  command: "mv {{rhel6stig_aide_dbdir}}/{{rhel6stig_aide_dbnewfile}} {{rhel6stig_aide_dbdir}}/{{rhel6stig_aide_dbfile}}"
 
 - name: reset audit pkg ugids
   command: rpm --setugids audit