diff --git a/.gitignore b/.gitignore index 1377554..31e087b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,5 @@ *.swp +*.pyc +*.retry +Vagrantfile +.vagrant diff --git a/README.md b/README.md index 2aa9bda..c80f4e5 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,9 @@ RHEL 6 DISA STIG Configure RHEL 6 to be DISA STIG compliant. CAT I findings will be corrected by default. CAT II and CAT III findings can be corrected by setting the appropriate variable to enable those tasks. -Not all findings can be remediated automatically, or they require more complex automation specific to your environment in order to be remediated appropriately. See `tasks/not_automated.yml` for these findings. +Not all findings can be remediated automatically, or they require more complex automation specific to your environment in order to be remediated appropriately. See comments in `tasks/cat1.yml, tasks/cat2.yml, tasks/cat3.yml` for these findings. -This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted, though auditing functionality is in the works. +This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used for system hardening before or after an audit has been conducted. ## Installing from Ansible Galaxy ## @@ -14,7 +14,7 @@ To install this role with `ansible-galaxy` use the following command: `ansible-galaxy install -p roles nousdefions.STIG-RHEL6` -Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 6 - 2015-01-23](http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx). +Based on [Red Hat Enterprise Linux 6 STIG Version 1 Release 15 - 2017-04-28](http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R15_STIG.zip). This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-rhel6stig) 
@@ -32,15 +32,28 @@ There are many role variables defined in `defaults/main.yml`. Here are the most | `rhel6stig_cat1` | `yes` | Correct CAT I findings | | `rhel6stig_cat2` | `no` | Correct CAT II findings | | `rhel6stig_cat3` | `no` | Correct CAT III findings | +| `rhel6stig_snmp_community` | `B0re4lis` | SNMP community string | +| `rhel6stig_pass_min_length` | `15` | Minimum password length | +| `rhel6stig_pass_min_days` | `1` | Minimum password age in days | +| `rhel6stig_pass_max_days` | `60` | Maximum password age in days | +| `rhel6stig_pass_reuse` | `60` | Maximum password age in days | +| `rhel6stig_pam_unix_params` | `sha512 shadow try_first_pass use_authtok remember=24` | PAM auth parameters | +| `rhel6stig_pam_cracklib_params` | `pam_unix.so try_first_pass` | PAM auth parameters | +| `rhel6stig_pam_auth_sufficient` | `try_first_pass retry=3 maxrepeat=3 minlen={{ rhel6stig_pass_min_length }} dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4` | PAM cracklib parameters | +| `rhel6stig_selinux_pol` | `targeted` | SELinux policy to apply | +| `rhel6stig_antivirus_required` | `no` | Whether Anti-virus is required. To enable this you should configure the AV package settings as well. | +| `rhel6stig_av_package` | `complex` | AV Package settings | +| `rhel6stig_gpg_key_loc` | `complex` | GPG Key Location (URL or on disk) | | `rhel6stig_use_dhcp` | `yes` | Whether the system should use DHCP or Static IPs. | -| `rhel6stig_system_is_router` | `no` | Whether on not the target system is acting as a router. Skips tasks that would break the system if it is a acting as a router | +| `rhel6stig_update_all_packages` | `yes` | Perform a yum update for all packages. | +| `rhel6stig_maxlogins` | `10` | Max number of simultaneous system logins. | | `rhel6stig_root_email_address` | `foo@baz.com` | Address where system email is sent. | | `rhel6stig_xwindows_required` | `no` | Whether or not X Windows is is use on target systems. 
Disables some changes if X Windows is not in use. | -| `rhel6stig_ipv6_in_use` | `no` | Whether or not IPv6 is in use of the target system. This is set automatically to `yes` if IPv6 is found to be in use. (Default: `no`) | +| `rhel6stig_ipv6_required` | `yes` | Whether or not IPv6 is in use of the target system. | | `rhel6stig_tftp_required` | `no` | Whether or not TFTP is required. If set to `yes`, this will prevent the removal of `tftp` and `tftp-server` packages. It will also reconfigure the `tftp-server` to run securely. | | `rhel6stig_rhnsatellite_required` | `no` | Whether or not Red Hat Satellite is required in the environment. If not required, `rhnsd` will be stopped and disabled. | -| `rhel6stig_bootloader_password` | [Randomly generated and encrypted string] | The new GRUB password to use if `rhel6stig_change_grub_password` is `yes` | -| `rhel6stig_update_all_packages` | `yes` | Whether to install all system updates. | +| `rhel6stig_system_is_router` | `no` | Whether on not the target system is acting as a router. Skips tasks that would break the system if it is a acting as a router | +| `rhel6stig_bootloader_password` | [Randomly generated and encrypted string] | The new GRUB password to use. | | `rhel6stig_login_banner` | `[DOD banner]` | Banner used in `/etc/issue` and `/etc/issue.net` | @@ -116,4 +129,3 @@ License MIT -[1](#note1): A web based STIG viewer is available [here](https://stigviewer.com/stig/red_hat_enterprise_linux_6/). They are not associated in any way with DISA but have provided a useful tool for viewing the STIGs. diff --git a/defaults/main.yml b/defaults/main.yml index c37e1d4..f666c2b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,4 @@ -# Generate an audit report -make_audit_report: no +rhel6stig_min_ansible_version: 2.2 # Enable or disable remediation for each category rhel6stig_cat1: yes 
@@ -11,7 +10,8 @@ rhel6stig_snmp_community: B0re4lis rhel6stig_pass_min_length: 15 rhel6stig_pass_min_days: 1 rhel6stig_pass_max_days: 60 -rhel6stig_pass_reuse: 5 # V-38658 Number of passwords to remember to prevent reuse. +# V-38658 Number of passwords to remember to prevent reuse. +rhel6stig_pass_reuse: 5 rhel6stig_pam_unix_params: sha512 shadow try_first_pass use_authtok remember=24 rhel6stig_pam_auth_sufficient: pam_unix.so try_first_pass rhel6stig_pam_cracklib_params: try_first_pass retry=3 maxrepeat=3 minlen={{ rhel6stig_pass_min_length }} dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 @@ -19,6 +19,26 @@ rhel6stig_pam_cracklib_params: try_first_pass retry=3 maxrepeat=3 minlen={{ rhel # SELinux settings rhel6stig_selinux_pol: targeted +# Only set this to true if you have a valid +# antivirus solution in your repositories, else it will fail every time. +rhel6stig_antivirus_required: no + +# AV settings +rhel6stig_av_package: + package: + - clamav + - clamav-scanner + - clamav-server + service: clamav-daemon + +# GPG Key locations +# These are the standard URL locations for GPG keys for RH and Cent. +# If running this against offline systems then specify an accessible +# location where the key is stored. +rhel6stig_gpg_key_loc: + centos: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6 + redhat: https://www.redhat.com/security/fd431d51.txt + # Network Settings # WARNING! # Setting this to false will cause the playbook to execute tasks 
@@ -40,7 +60,16 @@ rhel6stig_xwindows_required: no # Assume ipv6 is not needed on the target system and disable it. # This will also skip tasks related to configuring ip6tables. -rhel6stig_ipv6_required: no +rhel6stig_ipv6_required: yes + +# If wireless interface is required and documented then enalbe this +# to avoid removing all wireless interfaces +rhel6stig_wireless_required: no + +# Whether or not XINETD is required +# If you are using tftp-server or other xinetd services +# THIS MUST ALSO be ENABLED +rhel6stig_xinetd_required: no # Whether or not TFTP is required # This will prevent the removal of tftp and tftp-server packages 
@@ -101,23 +130,37 @@ rhel6stig_temporary_users: [] # - user: foo # expiration: 1632441600 # 2021-09-24. Time mush be in epoch. +# V-58901 The sudo command must require authentication +# This fix requires passwords when using sudo and breaks many use-cases +# Cloud images, Vagrant boxes, etc will no longer allow sudo without a password +# Set this to "no" to enable the fix for V-58901 +rhel6stig_allow_sudo_without_password: yes + # Auditd.conf settings rhel6stig_auditd_config: - disk_error_action: syslog # V-38464 - compliant options SYSLOG|EXEC|SINGLE|HALT - disk_full_action: syslog # V-38468 - compliant options SYSLOG|EXEC|SINGLE|HALT - space_left_action: email # V-38470 - compliant options EMAIL|SYSLOG - max_log_file: 6 # V-38633 - compliant options 6 or higher (MB) - max_log_file_action: rotate # V-38634 - compliant options ROTATE - num_logs: 5 # V-38636 - compliant options 5 or higher - space_left: 75 # V-38678 - must be set to locally defined value - default 75 MB - action_mail_acct: root # V-38680 - compliant options - admin account to email - + # V-38464 - compliant options SYSLOG|EXEC|SINGLE|HALT + disk_error_action: syslog + # V-38468 - compliant options SYSLOG|EXEC|SINGLE|HALT + disk_full_action: syslog + # V-38470 - compliant options EMAIL|SYSLOG + space_left_action: email + # V-38633 - compliant options 6 or higher (MB) + max_log_file: 6 + # V-38634 - compliant options ROTATE + max_log_file_action: rotate + # V-38636 - compliant options 5 or higher + num_logs: 5 + # V-38678 - must be set to locally defined value - default 75 MB + space_left: 75 + # V-38680 - compliant options - admin account to email + action_mail_acct: root # Guidance says that anything but SINGLE results in finding # then says SUSPEND or HALT are acceptable and that # system where availability need is high will need to set this to # something else entirely. # NOTE: SINGLE user mode setting will break cloud systems. 
- admin_space_left_action: halt # V-54381 - compliant options SINGLE|SUSPEND|HALT|EXEC|SYSLOG + # V-54381 - compliant options SINGLE|SUSPEND|HALT|EXEC|SYSLOG + admin_space_left_action: halt # auditd_failure_flag # 2 Tells your system to perform an immediate shutdown without # flushing any pending data to disk when the limits of your @@ -128,6 +171,10 @@ rhel6stig_auditd_config: auditd_failure_flag: 2 # AIDE settings +rhel6stig_aide_dbdir: /var/lib/aide +rhel6stig_aide_dbfile: aide.db.gz +rhel6stig_aide_dbnewfile: aide.db.new.gz + rhel6stig_aide_cron: cron_user: root cron_file: /etc/crontab @@ -138,6 +185,9 @@ rhel6stig_aide_cron: aide_month: '*' aide_weekday: '*' +# Firewall settings +rhel6stig_firewall: iptables + rhel6stig_login_banner: | ******************************************************************************* * YOU ARE ACCESSING A U.S. GOVERNMENT (USG) INFORMATION SYSTEM (IS) * diff --git a/files/etc_sysconfig_ip6tables b/files/etc_sysconfig_ip6tables new file mode 100644 index 0000000..78880d8 --- /dev/null +++ b/files/etc_sysconfig_ip6tables @@ -0,0 +1,10 @@ +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p icmpv6 -j ACCEPT +-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp6-adm-prohibited +COMMIT diff --git a/files/etc_sysconfig_iptables b/files/etc_sysconfig_iptables new file mode 100644 index 0000000..26c4ad3 --- /dev/null +++ b/files/etc_sysconfig_iptables @@ -0,0 +1,10 @@ +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT +-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +COMMIT 
diff --git a/handlers/main.yml b/handlers/main.yml index 176c1d1..a3a9f8b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -3,7 +3,7 @@ name: ntpd state: restarted -- name: restart ssh +- name: restart sshd service: name: sshd state: restarted @@ -49,11 +49,23 @@ name: iptables state: restarted +- name: save iptables rules + shell: iptables-save > /etc/sysconfig/iptables + args: + warn: no + notify: restart iptables + - name: restart ip6tables service: name: ip6tables state: restarted +- name: save ip6tables rules + shell: ip6tables-save > /etc/sysconfig/ip6tables + args: + warn: no + notify: restart ip6tables + - name: restart vsftpd service: name: vsftpd @@ -71,9 +83,13 @@ state: restarted - name: init aide - command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + command: "/usr/sbin/aide --init -B 'database_out=file:{{rhel6stig_aide_dbdir}}/{{rhel6stig_aide_dbnewfile}}'" async: 45 poll: 0 + notify: move new aide db into place + +- name: move new aide db into place + command: "mv {{rhel6stig_aide_dbdir}}/{{rhel6stig_aide_dbnewfile}} {{rhel6stig_aide_dbdir}}/{{rhel6stig_aide_dbfile}}" - name: reset audit pkg ugids command: rpm --setugids audit diff --git a/tasks/audit-cat1.yml b/tasks/audit-cat1.yml new file mode 100644 index 0000000..66ab05a --- /dev/null +++ b/tasks/audit-cat1.yml 
@@ -0,0 +1,243 @@ +- name: "HIGH | V-38476 | AUDIT | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software" + command: rpm -q gpg-pubkey + register: rpm_key_audit + check_mode: no + changed_when: no + tags: + - cat1 + - high + - V-38476 + - audit + - rpm + +- name: "HIGH | V-38491 | AUDIT | There must be no hosts.equiv on the system" + stat: + path: /etc/hosts.equiv + register: hosts_equiv_audit + check_mode: no + tags: + - cat1 + - high + - V-38491 + - audit + - hosts_equiv + +- name: "HIGH | V-38491 | AUDIT | There must be no .rhosts files on the system" + stat: + path: ~{{ item }}/.rhosts + register: rhosts_audit + check_mode: no + with_items: "{{ users.stdout_lines }}" + tags: + - cat1 + - high + - V-38491 + - audit + - hosts_equiv + +- name: "HIGH | V-38497 | AUDIT | The system must not have accounts configured with blank or null passwords" + command: grep nullok /etc/pam.d/system-auth + changed_when: false + check_mode: no + ignore_errors: yes + register: nullok_audit + tags: + - cat1 + - high + - V-38497 + - audit + - passwords + +- name: "HIGH | V-38587 | AUDIT | The telnet-server package must not be installed" + command: rpm -q telnet-server + ignore_errors: yes + check_mode: no + changed_when: no + register: telnet_server_audit + tags: + - cat1 + - high + - V-38587 + - audit + - telnet + - unsecure_services + +- name: "HIGH | V-38589 | AUDIT | The telnet daemon must not be running" + command: chkconfig telnet --list + register: telnet_service_audit + changed_when: false + check_mode: no + ignore_errors: yes + tags: + - cat1 + - high + - V-38589 + - audit + - telnet + - unsecure_services + +- name: "HIGH | V-38591 | AUDIT | The rsh-server package must not be installed" + command: rpm -q rsh-server + check_mode: no + register: rsh_server_audit + changed_when: no + ignore_errors: yes + +- name: "HIGH | V-38594 | AUDIT | The rshd service must not be running" + command: chkconfig rsh --list + register: 
rsh_service_audit + changed_when: false + check_mode: no + ignore_errors: yes + tags: + - cat1 + - high + - V-38594 + - audit + - rsh + - rlogin + - unsecure_services + +- name: "HIGH | V-38598 | AUDIT | The rexecd service must not be running" + command: service rexec status + ignore_errors: yes + register: rexec_status_audit + check_mode: no + changed_when: no + tags: + - cat1 + - high + - V-38598 + - audit + - rexec + +- name: "HIGH | V-38602 | AUDIT | The rlogind service must not be running" + command: service rlogin status + ignore_errors: yes + register: rlogin_status_audit + check_mode: no + changed_when: no + tags: + - cat1 + - high + - V-38602 + - audit + - rlogin + +- name: "HIGH | V-38607 | AUDIT | The SSH daemon must be configured to use only the SSHv2 protocol" + command: grep "Protocol 2" /etc/ssh/sshd_config + register: proto2_audit + ignore_errors: yes + check_mode: no + changed_when: no + tags: + - cat1 + - high + - V-38607 + - audit + - ssh + +- name: "HIGH | V-38614 | AUDIT | The SSH daemon must not allow authentication using an empty password" + command: grep "PermitEmptyPasswords yes" /etc/ssh/sshd_config + ignore_errors: yes + check_mode: no + changed_when: false + register: ssh_empty_pass_audit + tags: + - cat1 + - high + - V-38614 + - audit + - ssh + +- name: "HIGH | V-38653 | AUDIT | The snmpd service must not use a default password" + shell: grep -v "^#" /etc/snmp/snmpd.conf| grep public + register: snmpd_audit + failed_when: snmpd_audit.rc not in [0,1] + check_mode: no + when: snmpconf_test.stat.exists + changed_when: no + tags: + - cat1 + - high + - V-38653 + - audit + - snmp + +- name: "HIGH | V-38666 | AUDIT | The system must use and update a DoD-approved virus scan program" + command: /etc/init.d/nails status + ignore_errors: yes + check_mode: no + changed_when: no + register: av_nails_status_audit + tags: + - cat1 + - high + - V-38666 + - antivirus + - audit + +- name: "HIGH | V-38666 | AUDIT | The system must use and update a 
DoD-approved virus scan program" + shell: grep uvscan /etc/cron* /var/spool/cron/* + register: av_uvscan_cron_audit + ignore_errors: yes + check_mode: no + changed_when: no + tags: + - cat1 + - V-38666 + - antivirus + - audit + - high + +- name: "HIGH | V-38666 | AUDIT | The system must use and update a DoD-approved virus scan program. Looking for virus definitions older than seven days." + command: find /usr/local/uvscan -type f -mtime +7 + register: av_defs_audit + changed_when: no + ignore_errors: yes + check_mode: no + tags: + - cat1 + - V-38666 + - antivirus + - high + - audit + +- name: "HIGH | V-38668 | AUDIT | The x86 Ctrl-Alt-Delete key sequence must be disabled" + command: grep "exec /sbin/shutdown" /etc/init/control-alt-delete.override + register: ctrl_alt_del_audit + ignore_errors: yes + check_mode: no + changed_when: no + tags: + - cat1 + - high + - V-38668 + - audit + - ctrl_alt_delete + +- name: "HIGH | V-38677 | AUDIT | The NFS server must not have the insecure file locking option enabled" + command: grep insecure_locks /etc/exports + register: nfs_insecure_locking_audit + ignore_errors: yes + changed_when: no + check_mode: no + tags: + - cat1 + - high + - V-38677 + - audit + - nfs + +- name: "HIGH | V-38701 | AUDIT | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system" + command: grep "server_args = -s" /etc/xinetd.d/tftp + register: tftp_audit + check_mode: no + when: "'tftp' in xinetd_services.stdout_lines" + ignore_errors: yes + tags: + - cat1 + - high + - V-38701 + - audit + - tftp diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml new file mode 100644 index 0000000..c1134c1 --- /dev/null +++ b/tasks/audit-cat2.yml 
@@ -0,0 +1,1438 @@ +- name: "MEDIUM | V-38443, V-38448, V-38449 | AUDIT | The /etc/gshadow file must be owned by root. The /etc/gshadow file must be group-owned by root. The /etc/gshadow file must have mode 0000" + stat: + path: /etc/gshadow + register: gshadow_stat + tags: + - cat2 + - medium + - V-38443 + - V-38448 + - V-38449 + - audit + - file_perms + +- name: "MEDIUM | V-38444 | AUDIT | The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets." + shell: 'grep ":INPUT" /etc/sysconfig/ip6tables | awk ''{print $2}''' + register: ipv6_inbound_packets_audit + changed_when: no + failed_when: no + tags: + - cat2 + - medium + - V-38444 + - audit + - ipv6 + - iptables + +- name: "MEDIUM | V-38446 | AUDIT | The mail system must forward all mail for root to one or more system administrators." + command: postmap -q root /etc/aliases + register: postmap_root_audit + changed_when: no + failed_when: no + tags: + - cat2 + - medium + - V-38446 + - sendmail + - mail + - audit + +- name: "MEDIUM | V-38450, V-38451, V-38457 | AUDIT | The /etc/passwd file must be owned by root. The /etc/passwd file must be group-owned by root.The /etc/passwd file must have mode 0644 or less permissive" + stat: + path: /etc/passwd + register: /etc/passwd_stat + tags: + - cat2 + - medium + - V-38450 + - V-38451 + - V-38457 + - audit + - file_perms + +- name: "MEDIUM | V-38458, V-38459, V-38461 | AUDIT | The /etc/group file must be owned by root. The /etc/group file must be group-owned by root.The /etc/group file must have mode 0644 or less permissive" + stat: + path: /etc/group + register: /etc/group_stat + tags: + - cat2 + - medium + - V-38458 + - V-38459 + - V-38461 + - audit + - file_perms + +- name: "MEDIUM | V-38464 | AUDIT | The audit system must take appropriate action when there are disk errors on the audit storage volume." 
+ shell: grep disk_error_action /etc/audit/auditd.conf | cut -d = -f 2 | xargs basename + register: disk_err_action_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-38464 + - audit + - auditd + +- name: "MEDIUM | V-38468 | AUDIT | The audit system must take appropriate action when the audit storage volume is full." + shell: grep disk_full_action /etc/audit/auditd.conf | cut -d = -f 2 | xargs basename + register: disk_full_action_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-38468 + - audit + - auditd + +- name: "MEDIUM | V-38469 | AUDIT | All system command files must have mode 755 or less permissive." + script: sys_command_files_with_bad_perms.sh + become_user: root + register: system_files_perms_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-38469 + - audit + - file_perms + +- name: "MEDIUM | V-38470 | AUDIT | The audit system must alert designated staff members when the audit storage volume approaches capacity." + shell: grep space_left_action /etc/audit/auditd.conf | cut -d = -f 2 | xargs basename + register: space_left_action_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-38470 + - audit + - auditd + +- name: "MEDIUM | V-38472 | AUDIT | All system command files must be owned by root" + script: sys_command_files_with_bad_owner.sh + become_user: root + register: sys_commands_owner_audit + check_mode: no + changed_when: no + tags: + - cat2 + - medium + - V-38472 + - audit + - file_perms + +- name: "MEDIUM | V-38475 | AUDIT | The system must require passwords to contain a minimum of 14 characters." + shell: grep -E '^PASS_MIN_LEN' /etc/login.defs | awk '{print $2}' + register: min_pwd_len_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-38475 + - audit + - passwords + +- name: "MEDIUM | V-38477 | AUDIT | Users must not be able to change passwords more than once every 24 hours." 
+ shell: grep -E '^PASS_MIN_DAYS' /etc/login.defs | awk '{print $2}' + register: pwd_min_days_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-38477 + - audit + - passwords + +- name: "MEDIUM | V-38479 | AUDIT | User passwords must be changed at least every 60 days." + shell: "grep -E '^PASS_MAX_DAYS' /etc/login.defs | awk '{print $2}'" + register: pwd_max_days_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-38479 + - audit + - passwords + +- name: "MEDIUM | V-38481 | AUDIT | System security patches and updates must be installed and up-to-date." + command: yum check-update + failed_when: no + changed_when: no + register: yum_pkgs_update_audit + when: rhel6stig_update_all_packages + tags: + - cat2 + - medium + - V-38481 + - audit + - yum + - updates + +- name: "MEDIUM | V-38483 | AUDIT | The system package management tool must cryptographically verify the authenticity of system software packages during installation." + shell: find /etc/yum{.conf,.repos.d/} -exec grep -ls '^gpgcheck=0' {} \; + changed_when: false + check_mode: no + register: repo_crypto_check_audit + tags: + - cat2 + - medium + - V-38483 + - audit + - rpm + - yum + - gpgcheck + +- name: "MEDIUM | V-38484 | AUDIT | The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh." + shell: "grep -i '^PrintLastLog' /etc/ssh/sshd_config | awk '{ print $2 }'" + register: last_log_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - audit + - V-38484 + - sshd + +- name: "MEDIUM | V-38489 | AUDIT | A file integrity tool must be installed." 
+ command: rpm -q aide + failed_when: no + register: aide_installed_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-38489 + - audit + - aide + - integrity + +- name: "MEDIUM | V-38490 | AUDIT | The operating system must enforce requirements for the connection of mobile devices to operating systems" + command: grep -rs usb-storage /etc/modprobe.conf /etc/modprobe.d + register: usb_reqs_audit + failed_when: no + check_mode: no + changed_when: no + tags: + - cat2 + - medium + - V-38490 + - mobile_devices + - usb_devices + - kernel_modules + - audit + +- name: "MEDIUM | V-38492 | AUDIT | The system must prevent the root account from logging in from virtual consoles." + command: grep '^vc/[0-9]' /etc/securetty + register: vc_root_login_audit + failed_when: no + check_mode: no + changed_when: no + tags: + - cat2 + - medium + - V-38492 + - audit + - virtual_consoles + - logon_settings + - tty + - root_access + +- name: "MEDIUM | V-38493 | AUDIT | Audit log directories must have mode 0755 or less permissive." + shell: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//' | xargs -I % find % -type d -perm /022 + changed_when: no + check_mode: no + failed_when: no + register: audit_log_dir_perms_audit + tags: + - cat2 + - medium + - V-38493 + - audit + - medium + - file_perms + - auditd + - audit_permissions + +- name: "MEDIUM | V-38495 | AUDIT | Audit log files must be owned by root." + shell: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//' | xargs -I % find % -type f ! 
-user root + changed_when: no + check_mode: no + failed_when: no + register: audit_log_dir_owner_audit + tags: + - cat2 + - medium + - V-38495 + - audit + - file_perms + - auditd + - audit_permissions + + +- name: "MEDIUM | V-38496 | AUDIT | Default system accounts, other than root, must be locked" + shell: > + awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow | xargs -I{} grep {} /etc/passwd | awk -F: '$3 < 500 {print $1}' + register: unlocked_sys_accounts_audit + changed_when: false + check_mode: no + tags: + - cat2 + - medium + - V-38496 + - audit + - accounts + - system_accounts + + +- name: "MEDIUM | V-38498 | AUDIT | Audit log files must have mode 0640 or less permissive." + shell: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %n | xargs -I % find % -perm /137 + register: audit_log_file_perms_audit + changed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-38498 + - audit + - auditd + - logs + - V-38498 + - file_perms + +- name: "MEDIUM | V-38499 | AUDIT | The /etc/passwd file must not contain password hashes" + shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd" + changed_when: false + check_mode: no + register: etc_password_hash_audit + tags: + - cat2 + - V-38499 + - medium + - passwords + - audit + +- name: "MEDIUM | V-38500 | AUDIT | The root account must be the only account having a UID of 0" + shell: "awk -F: '($3 == \"0\") {print}' /etc/passwd | grep -v root" + changed_when: no + check_mode: no + ignore_errors: yes + register: users_uid_0_audit + tags: + - cat2 + - medium + - V-38500 + - accounts + - audit + +- name: "MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval." 
+ shell: "grep -h pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth | grep fail_interval | awk -F'=' '{print $NF}'" + changed_when: no + check_mode: no + failed_when: no + register: login_failures_interval_audit + tags: + - medium + - cat2 + - logon_settings + - audit + - V-38501 + - pam + + +- name: "MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval." + shell: grep -h '^account\s*required\s*pam_faillock\.so' /etc/pam.d/system-auth /etc/pam.d/password-auth + changed_when: no + check_mode: no + failed_when: no + register: login_failures_account_require + tags: + - medium + - cat2 + - logon_settings + - audit + - V-38501 + - pam + + +- name: "MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval." + assert: + that: + - "{{ item | int }} >= 900" + - "{{ login_failures_account_require.stdout_lines | length }} == 2" + with_items: "{{ login_failures_interval_audit.stdout_lines }}" + failed_when: no + register: login_failures_interval_audit + tags: + - medium + - cat2 + - logon_settings + - audit + - V-38501 + - pam + +- name: | + + MEDIUM | V-38502 | AUDIT | The /etc/shadow file must be owned by root. + MEDIUM | V-38503 | AUDIT | The /etc/shadow file must be group-owned by root. + MEDIUM | V-38504 | AUDIT | The /etc/shadow file must have mode 0000. + stat: + path: /etc/shadow + register: shadow_owner_audit + tags: + - medium + - cat2 + - V-38502 + - V-38503 + - V-38504 + - shadow + - file_perms + - audit + +- name: "MEDIUM | V-38511 | AUDIT | IP forwarding for IPv4 must not be enabled, unless the system is a router." 
+ shell: "sysctl net.ipv4.ip_forward | awk '{print $3}'" + changed_when: no + check_mode: no + register: ipv4_ip_forwarding_audit + tags: + - V-38511 + - cat2 + - medium + - ip_forward + - ipv4 + - audit + + +- name: "MEDIUM | V-38511 | AUDIT | IP forwarding for IPv4 must not be enabled, unless the system is a router." + shell: "sysctl net.ipv4.ip_forward | awk '{print $3}'" + changed_when: no + check_mode: no + register: ipv4_ip_forwarding_audit + tags: + - V-38511 + - cat2 + - medium + - ip_forward + - ipv4 + - audit + +- name: "MEDIUM | V-38512 | AUDIT | The operating system must prevent public IPv4 access into an organizations internal networks except as appropriately mediated by managed interfaces employing boundary protection devices" + command: service iptables status + check_mode: no + changed_when: no + failed_when: no + register: iptables_audit + tags: + - cat2 + - medium + - audit + - V-38512 + - ipv4 + - network + - firewall + +- name: "MEDIUM | V-38513 | AUDIT | The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets." + shell: "grep ':INPUT' /etc/sysconfig/iptables | awk '{print $2}'" + changed_when: no + check_mode: no + register: ipv4_fw_deny_all_audit + tags: + - V-38513 + - ipv4 + - network + - firewall + - medium + - cat2 + - audit + +- name: "MEDIUM | V-38514 | AUDIT | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required." + command: grep -rse "^install\s*dccp\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d + changed_when: no + check_mode: no + failed_when: no + register: dccp_audit + tags: + - V-38514 + - cat2 + - medium + - dccp + - transport + - audit + + +- name: "MEDIUM | V-38515 | AUDIT | The Stream Control Transmission Protocol (SCTP) must be disabled unless required." 
+ command: grep -rse "^install\s*sctp\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d + changed_when: no + check_mode: no + failed_when: no + register: sctp_audit + tags: + - V-38515 + - cat2 + - medium + - sctp + - transport + - audit + + +- name: "MEDIUM | V-38516 | AUDIT | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required." + command: grep -rse "^install\s*tipc\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d + changed_when: no + check_mode: no + failed_when: no + register: tipc_audit + tags: + - V-38516 + - cat2 + - medium + - tipc + - transport + - audit + + +- name: "MEDIUM | V-38517 | AUDIT | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required." + command: grep -rse "^install\s*tipc\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d + register: tipc_audit + changed_when: false + failed_when: false + check_mode: no + tags: + - cat2 + - medium + - V-38516 + - tipc + - transport + - audit + + +- name: "MEDIUM | V-38518 | AUDIT | All rsyslog-generated log files must be owned by root." + stat: + path: "{{ item }}" + with_items: "{{ rsyslog_logfiles.stdout_lines }}" + register: rsyslog_logfiles_audit + tags: + - cat2 + - medium + - V-38518 + - log_files + - rsyslog + - audit + +- name: "MEDIUM | V-38520 | AUDIT | The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.\n + MEDIUM | V-38521 | AUDIT | The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components." 
+ shell: grep -E '^\*\.\*\s*[@:]{1,2}[a-z.:]*' /etc/rsyslog.conf + changed_when: no + ignore_errors: yes + check_mode: no + register: rsyslog_log_mgmt_audit + tags: + - audit + - V-38520 + - V-38521 + - rsyslog + - logging + - cat2 + - medium + +- name: "MEDIUM | V-38523 | AUDIT | The system must not accept IPv4 source-routed packets on any interface." + shell: "sysctl net.ipv4.conf.all.accept_source_route | awk '{print $3}'" + changed_when: no + check_mode: no + register: ipv4_source_routed_packets_any_int_audit + tags: + - cat2 + - medium + - V-38523 + - audit + - ipv4 + - sysctl + - kernel_parameters + - network + + +- name: "MEDIUM | V-38524 | AUDIT | The system must not accept ICMPv4 redirect packets on any interface." + shell: "sysctl net.ipv4.conf.all.accept_redirects | awk '{print $3}'" + changed_when: no + check_mode: no + register: icmpv4_redirect_packets_any_int_audit + tags: + - cat2 + - medium + - V-38524 + - audit + - ICMPv4 + - sysctl + - kernel_parameters + - network + + +- name: "MEDIUM | V-38526 | AUDIT | The system must not accept ICMPv4 secure redirect packets on any interface." + shell: "sysctl net.ipv4.conf.all.secure_redirects | awk '{print $3}'" + changed_when: no + check_mode: no + register: icmpv4_secure_redirect_packets_any_int_audit + tags: + - cat2 + - medium + - V-38526 + - audit + - ICMPv4 + - sysctl + - kernel_parameters + - network + + +- name: "MEDIUM | V-38529 | AUDIT | The system must not accept IPv4 source-routed packets by default." + shell: "sysctl net.ipv4.conf.default.accept_source_route | awk '{print $3}'" + changed_when: no + check_mode: no + register: ipv4_source_routed_packets_default_audit + tags: + - cat2 + - medium + - V-38529 + - audit + - ipv4 + - sysctl + - kernel_parameters + - network + + +- name: "MEDIUM | V-38532 | AUDIT | The system must not accept ICMPv4 secure redirect packets by default." 
+ shell: "sysctl net.ipv4.conf.default.secure_redirects | awk '{print $3}'" + changed_when: no + check_mode: no + register: icmpv4_secure_redirects_default_audit + tags: + - medium + - cat2 + - V-38532 + - audit + - ICMPv4 + - sysctl + - kernel_parameters + - network + + +- name: "MEDIUM | V-38539 | AUDIT | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood." + shell: "sysctl net.ipv4.tcp_syncookies | awk '{print $3}'" + changed_when: no + check_mode: no + register: tcp_syncookies_audit + tags: + - cat2 + - medium + - V-38539 + - audit + - tcp + - sysctl + - kernel_parameters + - network + + +- name: "MEDIUM | V-38542 | AUDIT | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces." + shell: "sysctl net.ipv4.conf.all.rp_filter | awk '{print $3}'" + changed_when: no + check_mode: no + register: ipv4_reverse_path_filter_all_int_audit + tags: + - cat2 + - medium + - V-38542 + - audit + - ipv4 + - sysctl + - kernel_parameters + - network + + +- name: "MEDIUM | V-38544 | AUDIT | The system must use a reverse-path filter for IPv4 network traffic when possible by default." + shell: "sysctl net.ipv4.conf.default.rp_filter | awk '{print $3}'" + changed_when: no + check_mode: no + register: ipv4_reverse_path_filter_default_audit + tags: + - cat2 + - medium + - V-38544 + - audit + - ipv4 + - sysctl + - kernel_parameters + - network + + +- name: "MEDIUM | V-38548 | AUDIT | The system must ignore ICMPv6 redirects by default." + shell: "sysctl net.ipv6.conf.default.accept_redirects | awk '{print $3}'" + changed_when: no + check_mode: no + register: icmpv6_ignore_redirects_default_audit + tags: + - cat2 + - medium + - V-38548 + - audit + - ICMPv4 + - sysctl + - kernel_parameters + - network + +- name: | + + MEDIUM | V-38549 | AUDIT | The system must employ a local IPv6 firewall. 
+ MEDIUM | V-38551 | AUDIT | The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. + MEDIUM | V-38553 | AUDIT | The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. + command: service ip6tables status + when: rhel6stig_ipv6_required + failed_when: no + changed_when: no + check_mode: no + register: ip6tables_audit + tags: + - cat2 + - medium + - iptables + - ip6tables + - V-38549 + - V-38553 + - audit + +- name: | + + MEDIUM | V-38555 | AUDIT | The system must employ a local IPv4 firewall. + MEDIUM | V-38560 | AUDIT | The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. + command: service iptables status + failed_when: no + changed_when: no + check_mode: no + register: iptables_audit + tags: + - cat2 + - medium + - iptables + - V-38555 + - xwindows + - V-38560 + - audit + +- name: "MEDIUM | V-38573 | AUDIT | The system must disable accounts after three consecutive unsuccessful logon attempts." + shell: grep -h pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth | grep deny=3 + changed_when: no + check_mode: no + register: logon_attempts_audit + tags: + - cat2 + - medium + - V-38573 + - logon_settings + - accounts + - gui + - audit + - pam + +- name: "MEDIUM | V-38574 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." 
+ shell: find /etc/pam.d/ -type f -not -name '*.*' + changed_when: no + register: pamd_files + failed_when: no + tags: + - cat2 + - medium + - V-38574 + - logon_settings + - accounts + - passwords + - audit + - pam + + +- name: "MEDIUM | V-38574 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." + shell: "grep password -h /etc/pam.d/* | grep pam_unix.so | awk '{print $4}'" + changed_when: no + check_mode: no + register: pam_pwd_hash_audit + tags: + - cat2 + - medium + - V-38574 + - logon_settings + - accounts + - passwords + - audit + + +- name: "MEDIUM | V-38576 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs)" + shell: "grep ENCRYPT_METHOD /etc/login.defs | awk '{print $2}'" + check_mode: no + changed_when: no + register: login_defs_audit + tags: + - audit + - medium + - cat2 + - V-38576 + - passwords + + +- name: "MEDIUM | V-38577 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf)" + shell: "grep crypt_style /etc/libuser.conf | awk '{print $3}'" + check_mode: no + changed_when: no + register: libuser_audit + tags: + - cat2 + - medium + - audit + - V-38577 + - passwords + + +- name: | + + MEDIUM | V-38579 | AUDIT | The system boot loader configuration file(s) must be owned by root. + MEDIUM | V-38581 | AUDIT | The system boot loader configuration file(s) must be group-owned by root. + MEDIUM | V-38583 | AUDIT | The system boot loader configuration file(s) must have mode 0600 or less permissive. + stat: + path: /etc/grub.conf + register: grub_conf_audit + check_mode: no + tags: + - cat2 + - medium + - V-38579 + - V-38581 + - V-38583 + - file_perms + - grub + - audit + +- name: "MEDIUM | V-38580 | AUDIT | The audit system must be configured to audit the loading and unloading of dynamic kernel modules." 
+ shell: egrep -e "(-w |-F path=)/sbin/insmod" /etc/audit/audit.rules; egrep -e "(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules; egrep -e "(-w |-F path=)/sbin/rmmod" /etc/audit/audit.rules;grep -w "init_module" /etc/audit/audit.rules; grep -w "init_module" /etc/audit/audit.rules + check_mode: no + changed_when: False + failed_when: no + register: dynamic_kernel_loading_audit + tags: + - cat2 + - medium + - audit + - kernel + - auditd + - V-38580 + + +- name: "MEDIUM | V-38582 | AUDIT | The xinetd service must be disabled if no network services utilizing it are enabled" + shell: "chkconfig --list | sed -n '/xinetd based services/,$p'" + changed_when: no + check_mode: no + register: xinetd_services + tags: + - cat2 + - V-38582 + - medium + - xinetd + - services + - audit + + +- name: "MEDIUM | V-38582 | AUDIT | The xinetd service must be disabled if no network services utilizing it are enabled" + command: chkconfig "xinetd" --list + check_mode: no + failed_when: no + changed_when: no + register: xinetd_audit + tags: + - cat2 + - medium + - V-38582 + - xinetd + - services + - audit + + +- name: "MEDIUM | V-38585 | AUDIT | The system boot loader must require authentication." + command: grep password /etc/grub.conf + check_mode: no + failed_when: no + changed_when: no + register: grub_auth_audit + tags: + - cat2 + - medium + - V-38585 + - grub + - passwords + - audit + + +- name: "MEDIUM | V-38586 | AUDIT | The system must require authentication upon booting into single-user and maintenance modes." + command: grep SINGLE /etc/sysconfig/init + changed_when: no + check_mode: no + register: single_user_mode_auth_audit + tags: + - cat2 + - medium + - V-38586 + - root_access + - audit + + +- name: "MEDIUM | V-38588 | AUDIT | The system must not permit interactive boot." 
+ command: grep PROMPT /etc/sysconfig/init + check_mode: no + changed_when: no + failed_when: no + register: interactive_boot_audit + tags: + - cat2 + - medium + - V-38588 + - interactive_boot + - audit + + +- name: "MEDIUM | V-38592 | AUDIT | The system must require administrator action to unlock an account locked by excessive failed login attempts." + shell: grep -h pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth | grep unlock_time + changed_when: no + check_mode: no + register: admin_unlock_audit + tags: + - cat2 + - medium + - V-38592 + - accounts + - logon_settings + - audit + + +- name: "MEDIUM | V-38593 | AUDIT | The Department of Defense (DoD) login banner must be displayed immediately prior to or as part of console login prompts" + command: cat /etc/issue + changed_when: no + check_mode: no + register: login_banner_audit + tags: + - cat2 + - medium + - V-38593 + - logon_settings + - dod_login_banner + - audit + + +- name: "MEDIUM | V-38596 | AUDIT | The system must implement virtual address space randomization." + shell: "sysctl kernel.randomize_va_space | awk '{print $3}'" + changed_when: no + check_mode: no + register: virt_addr_space_randomization_audit + tags: + - cat2 + - audit + - medium + - sysctl + - kernel + - V-38596 + + +- name: "MEDIUM | V-38597 | AUDIT | The system must limit the ability of processes to have simultaneous write and execute access to memory." 
+ shell: "sysctl kernel.exec-shield | awk '{print $3}'" + changed_when: no + check_mode: no + register: simultaneous_wr_memory_audit + tags: + - cat2 + - audit + - medium + - sysctl + - kernel + - V-38597 + + +- name: "MEDIUM | V-38599 | AUDIT | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner" + shell: grep banner_file /etc/vsftpd/vsftpd.conf | cut -f2- -d'=' | xargs cat + failed_when: no + changed_when: no + check_mode: no + register: vsftpd_banner_audit + tags: + - cat2 + - medium + - V-38599 + - vsftp + - dod_login_banner + - logon_settings + - audit + + +- name: "MEDIUM | V-38600 | AUDIT | The system must not send ICMPv4 redirects by default." + shell: "sysctl net.ipv4.conf.default.send_redirects | awk '{print $3}'" + changed_when: no + check_mode: no + register: icmpv4_redirects_audit + tags: + - cat2 + - medium + - V-38600 + - icmp + - sysctl + - audit + + +- name: "MEDIUM | V-38601 | AUDIT | The system must not send ICMPv4 redirects from any interface." + shell: "sysctl net.ipv4.conf.all.send_redirects | awk '{print $3}'" + changed_when: no + check_mode: no + register: any_iface_icmp_redirect_audit + tags: + - medium + - cat2 + - V-38601 + - icmp + - sysctl + - audit + + +- name: "MEDIUM | V-38603 | AUDIT | The ypserv package must not be installed." + command: rpm -q ypserv + check_mode: no + changed_when: no + register: ypserv_audit + failed_when: no + tags: + - medium + - V-38603 + - audit + - cat2 + - ypserv + - packages + + +- name: "MEDIUM | V-38604 | AUDIT | The ypbind service must not be running." 
+ command: chkconfig ypbind --list + changed_when: no + failed_when: no + check_mode: no + register: ypbind_service_audit + when: "'ypbind' in sysv_services.stdout" + tags: + - medium + - V-38604 + - patch + - cat2 + - ypbind + - services + + +- name: "MEDIUM | V-38605 | AUDIT | The cron service must be running" + command: service crond status + changed_when: no + check_mode: no + failed_when: no + register: crond_status_audit + when: "'crond' in sysv_services.stdout" + tags: + - medium + - cat2 + - cron + - audit + - network + - V-38605 + - services + + +- name: "MEDIUM | V-38606 | AUDIT | The tftp-server package must not be installed unless required." + command: rpm -q tftp-server + failed_when: no + check_mode: no + changed_when: no + register: tftp_server_install_audit + when: not rhel6stig_tftp_required + tags: + - medium + - cat2 + - V-38606 + - tftp + - packages + - audit + + +- name: "MEDIUM | V-38609 | AUDIT | The TFTP service must not be running." + command: chkconfig tftp --list + failed_when: no + check_mode: no + changed_when: no + register: tftp_service_audit + when: not rhel6stig_tftp_required and 'tftp' in xinetd_services.stdout + tags: + - medium + - cat2 + - V-38609 + - audit + - tftp + - services + + +- name: "MEDIUM | V-38611 | AUDIT | The SSH daemon must ignore .rhosts files." + command: grep -i IgnoreRhosts /etc/ssh/sshd_config + check_mode: no + failed_when: no + changed_when: no + register: sshd_rhosts_ignore_audit + tags: + - medium + - cat2 + - V-38611 + - ssh + - rhosts + - sshd + - audit + + +- name: "MEDIUM | V-38612 | AUDIT | The SSH daemon must not allow host-based authentication." + command: grep -i HostbasedAuthentication /etc/ssh/sshd_config + register: sshd_host_based_authentication_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38612 + - sshd + + +- name: "MEDIUM | V-38613 | AUDIT | The system must not permit root logins using remote access programs such as ssh." 
+ command: grep -i PermitRootLogin /etc/ssh/sshd_config + failed_when: no + changed_when: no + register: sshd_root_login_audit + tags: + - cat2 + - MEDIUM + - audit + - V-38613 + - sshd + + +- name: "MEDIUM | V-38617 | AUDIT | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers." + command: grep Ciphers /etc/ssh/sshd_config + register: sshd_ciphers_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38617 + - sshd + + +- name: "MEDIUM | V-38619 | AUDIT | There must be no .netrc files on the system." + command: find /root /home -xdev -name .netrc + register: netrc_files_audit + failed_when: no + changed_when: no + tags: + - cat2 + - MEDIUM + - audit + - V-38619 + - netrc + + +- name: "MEDIUM | V-38620 | AUDIT | The system clock must be synchronized continuously or at least daily." + command: service ntpd status + register: ntpd_service_status_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38620 + - ntp + + +- name: "MEDIUM | V-38621 | AUDIT | The system clock must be synchronized to an authoritative DoD time source." + command: grep -E '^server' /etc/ntp.conf + register: ntp_server_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38621 + - ntp + + +- name: "MEDIUM | V-38622 | AUDIT | Mail relaying must be restricted." + command: grep ^inet_interfaces /etc/postfix/main.cf + register: mail_relay_audit + failed_when: no + changed_when: no + when: not rhel6stig_is_mail_relay + tags: + - cat2 + - medium + - audit + - V-38622 + - postfix + + +- name: "MEDIUM | V-38624 | AUDIT | System logs must be rotated daily." + shell: grep logrotate /var/log/cron* + changed_when: no + failed_when: no + register: logrotate_audit + tags: + - cat2 + - medium + - audit + - V-38624 + - logrotate + - syslog + + +- name: "MEDIUM | V-38637 | AUDIT | The system package management tool must verify contents of all files associated with the audit package." 
+ shell: "rpm -V audit | awk '$1 ~ /..5/ && $2 != \"c\"'" + changed_when: false + register: audit_package_integrity_check_audit + failed_when: audit_package_integrity_check_audit.stderr + tags: + - cat2 + - medium + - audit + - V-38637 + - auditd + - rpm + +- name: "MEDIUM | V-38643 | AUDIT | There must be no world-writable files on the system." + command: find / -xdev -type f -perm -002 + register: world_writable_files + changed_when: false + tags: + - cat2 + - medium + - audit + - V-38643 + - file_perms + +- name: "MEDIUM | V-38652 | AUDIT | Remote file systems must be mounted with the 'nodev' option" + shell: mount | grep 'type nfs' | grep -v 'nodev' + args: + warn: no + changed_when: false + register: nfs_mounts_missing_nodev + failed_when: nfs_mounts_missing_nodev.stderr + tags: + - cat2 + - medium + - audit + - V-38652 + - nfs + +- name: "MEDIUM | V-38654 | PATCH | Remote file systems must be mounted with the nosuid option" + shell: mount | grep 'type nfs' | grep -v 'nosuid' + changed_when: false + failed_when: nfs_mounts_missing_nosuid.stderr + register: nfs_mounts_missing_nosuid + tags: + - cat2 + - medium + - audit + - V-38654 + - nfs + +- name: "MEDIUM | V-38658 | AUDIT | The system must prohibit the reuse of passwords within five iterations." + command: grep remember /etc/pam.d/system-auth + register: password_reuse_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38658 + - pam + + +- name: "MEDIUM | V-38660 | AUDIT | The snmpd service must use only SNMP protocol version 3 or newer." + shell: 'grep ''v1\|v2c\|com2sec'' /etc/snmp/snmpd.conf | grep -v ''^#''' + register: snmpd_version_audit + changed_when: no + failed_when: no + tags: + - cat2 + - medium + - audit + - V-38660 + - snmpd + + +- name: "MEDIUM | V-38663 | AUDIT | The system package management tool must verify permissions on all files and directories associated with the audit package." 
+ shell: rpm -V audit | grep '^.M' + register: audit_package_permissions_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38663 + - auditd + - file_perms + - rpm + + +- name: "MEDIUM | V-38664 | AUDIT | The system package management tool must verify ownership on all files and directories associated with the audit package." + shell: rpm -V audit | grep '^.....U' + register: audit_package_ownership_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38664 + - auditd + - file_perms + - rpm + + +- name: "MEDIUM | V-38665 | AUDIT | The system package management tool must verify group-ownership on all files and directories associated with the audit package." + shell: rpm -V audit | grep '^......G' + register: audit_package_group_ownership_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38665 + - auditd + - file_perms + - rpm + +- name: | + + MEDIUM | V-38670 | AUDIT | The operating system must detect unauthorized changes to software and information. + MEDIUM | V-38673 | AUDIT | The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. + MEDIUM | V-38695 | AUDIT | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. + MEDIUM | V-38696 | AUDIT | The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system. + MEDIUM | V-38698 | AUDIT | The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency. 
+ MEDIUM | V-38700 | AUDIT | The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. + shell: grep aide {{ rhel6stig_aide_cron['cron_file'] }} /etc/cron.*/* + register: aide_cron_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38670 + - V-38673 + - V-38695 + - V-38696 + - V-38698 + - V-38700 + - file_integrity + - aide + +- name: "MEDIUM | V-38674 | AUDIT | X Windows must not be enabled unless required." + command: grep initdefault /etc/inittab + register: runlevel_audit + failed_when: no + changed_when: no + tags: + - cat2 + - medium + - audit + - V-38674 + - xwindows + - gui + + +- name: "MEDIUM | V-38691 | AUDIT | The Bluetooth service must be disabled" + command: chkconfig bluetooth --list + register: bluetooth_service_audit + changed_when: false + failed_when: false + check_mode: no + tags: + - cat2 + - medium + - V-38691 + - bluetooth + - services + - audit + +- name: 'MEDIUM | V-51391 | AUDIT | A file integrity baseline must be created.' + stat: + path: /var/lib/aide/aide.db.gz + register: aide_db + tags: + - cat2 + - medium + - V-51391 + - aide + - audit + +- name: "MEDIUM | V-57569 | AUDIT | The noexec option must be added to the /tmp partition." + command: egrep '^([^#[:space:]]+[[:space:]]+/tmp[[:space:]]+[^[:space:]]+[[:space:]]+)([^[:space:]]+)([[:space:]]+.*)$' /etc/fstab + register: fstab_tmp_audit + changed_when: no + failed_when: no + check_mode: no + tags: + - cat2 + - medium + - V-57569 + - fstab + - tmpdir + - audit + +- name: 'MEDIUM | V-58901 | AUDIT | The sudo command must require authentication.' + # find included configs + shell: cat /etc/sudoers | grep -w '^#include' | awk '{print $2}' + register: sudoers_include_audit + check_mode: no + changed_when: no + tags: + - cat2 + - medium + - V-58901 + - sudoers + - audit + +- name: 'MEDIUM | V-58901 | AUDIT | The sudo command must require authentication.' 
+ # Find files found in the dirs of #includedir directives + shell: cat /etc/sudoers | grep -w '^#includedir' | awk '{print $2}' | xargs -i find {} -type f + register: sudoers_includedirs_files + check_mode: no + changed_when: no + tags: + - cat2 + - medium + - V-58901 + - sudoers + - audit + +- name: 'MEDIUM | V-58901 | AUDIT | The sudo command must require authentication.' + # Combine lists + set_fact: + sudoer_configs: "{{ sudoers_include_audit.stdout_lines + sudoers_includedirs_files.stdout_lines + ['/etc/sudoers'] }}" + tags: + - cat2 + - medium + - V-58901 + - sudoers + - audit diff --git a/tasks/audit-cat3.yml b/tasks/audit-cat3.yml new file mode 100644 index 0000000..e69de29 diff --git a/tasks/cat1.yml b/tasks/cat1.yml index dd093ae..9e66a01 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml 
@@ -1,51 +1,15 @@ -- name: "HIGH | V-38462 | AUDIT | The RPM package management tool must cryptographically verify the authenticity of all software packages during installation" - command: grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc ~root/.rpmrc - register: rpm_sig_audit - always_run: yes - changed_when: no - ignore_errors: yes - tags: - - cat1 - - high - - V-38462 - - audit - - rpm - - packages - -- name: "HIGH | V-38462 | AUDIT | The RPM package management tool must cryptographically verify the authenticity of all software packages during installation" - lineinfile: - state: absent - dest: "{{ item }}" - regexp: nosignature - with_items: - - /etc/rpmrc - - /usr/lib/rpm/rpmrc - - /usr/lib/rpm/redhat/rpmrc - - ~root/.rpmrc - tags: - - cat1 - - high - - V-38462 - - patch - - rpm - - packages - -- name: "HIGH | V-38476 | AUDIT | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software" - command: rpm -q gpg-pubkey - register: rpm_key_audit - always_run: yes - changed_when: no - tags: - - cat1 - - high - - V-38476 - - audit - - rpm - -- name: "HIGH | V-38476 | PATCH | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software" - rpm_key: - state: present - key: "{{ gpg_key_url }}" +- block: + - name: "HIGH | V-38476 | PATCH | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software" + rpm_key: + state: present + key: "{{ rhel6stig_gpg_key_loc.redhat }}" + when: "ansible_distribution == 'RedHat'" + + - name: "HIGH | V-38476 | PATCH | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software" + rpm_key: + state: present + key: "{{ rhel6stig_gpg_key_loc.centos }}" + when: "ansible_distribution == 'CentOS'" tags: - cat1 - high 
@@ -53,66 +17,26 @@ - patch - rpm -- name: "HIGH | V-38491 | AUDIT | There must be no hosts.equiv on the system" - stat: - path: /etc/hosts.equiv - register: hosts_equiv_audit - always_run: yes - tags: - - cat1 - - high - - V-38491 - - audit - - hosts_equiv - -- name: "HIGH | V-38491 | PATCH | There must be no hosts.equiv on the system" - file: - state: absent - dest: /etc/hosts.equiv +- block: + - name: "HIGH | V-38491 | PATCH | There must be no hosts.equiv on the system" + file: + state: absent + dest: /etc/hosts.equiv + tags: + - hosts_equiv + + - name: "HIGH | V-38491 | PATCH | There must be no .rhosts files on the system" + file: + state: absent + dest: ~{{ item }}/.rhosts + with_items: "{{ users.stdout_lines }}" + tags: + - rhosts tags: - cat1 - high - V-38491 - patch - - hosts_equiv - -- name: "HIGH | V-38491 | AUDIT | There must be no .rhosts files on the system" - stat: - path: ~{{ item }}/.rhosts - register: rhosts_audit - always_run: yes - with_items: "{{ users.stdout_lines }}" - tags: - - cat1 - - high - - V-38491 - - audit - - hosts_equiv - -- name: "HIGH | V-38491 | PATCH | There must be no .rhosts files on the system" - file: - state: absent - dest: ~{{ item }}/.rhosts - with_items: "{{ users.stdout_lines }}" - tags: - - cat1 - - high - - V-38491 - - patch - - rhosts - -- name: "HIGH | V-38497 | AUDIT | The system must not have accounts configured with blank or null passwords" - command: grep nullok /etc/pam.d/system-auth - changed_when: false - always_run: yes - ignore_errors: yes - register: nullok_audit - tags: - - cat1 - - high - - V-38497 - - audit - - passwords - name: "HIGH | V-38497 | PATCH | The system must not have accounts configured with blank or null passwords" replace: 
@@ -125,20 +49,6 @@ - patch - passwords -- name: "HIGH | V-38587 | AUDIT | The telnet-server package must not be installed" - command: rpm -q telnet-server - ignore_errors: yes - always_run: yes - changed_when: no - register: telnet_server_audit - tags: - - cat1 - - high - - V-38587 - - audit - - telnet - - unsecure_services - - name: "HIGH | V-38587 | PATCH | The telnet-server package must not be installed" yum: name: telnet-server @@ -151,26 +61,20 @@ - telnet - unsecure_services -- name: "HIGH | V-38589 | AUDIT | The telnet daemon must not be running" - command: chkconfig "telnet" --list - register: telnet_service_audit - changed_when: false - always_run: yes - ignore_errors: yes - tags: - - cat1 - - high - - V-38589 - - audit - - telnet - - unsecure_services - -- name: "HIGH | V-38589 | PATCH | The telnet daemon must not be running" - service: - name: telnet - state: stopped - enabled: no - ignore_errors: yes +- block: + - name: "HIGH | V-38589 | PATCH | The telnet daemon must not be running" + command: chkconfig telnet --list + register: telnet_service_check + changed_when: no + check_mode: no + failed_when: no + + - name: "HIGH | V-38589 | PATCH | The telnet daemon must not be running" + service: + name: telnet + state: stopped + enabled: no + when: telnet_service_check.rc == 0 tags: - cat1 - high @@ -179,13 +83,6 @@ - telnet - unsecure_services -- name: "HIGH | V-38591 | AUDIT | The rsh-server package must not be installed" - command: rpm -q rsh-server - always_run: yes - register: rsh_server_audit - changed_when: no - ignore_errors: yes - - name: "HIGH | V-38591 | PATCH | The rsh-server package must not be installed" yum: name: rsh-server 
@@ -198,27 +95,20 @@ - rsh - unsecure_services -- name: "HIGH | V-38594 | AUDIT | The rshd service must not be running" - command: chkconfig 'rsh' --list - register: rsh_service_audit - changed_when: false - always_run: yes - ignore_errors: yes - tags: - - cat1 - - high - - V-38594 - - audit - - rsh - - rlogin - - unsecure_services - -- name: "HIGH | V-38594 | PATCH | The rshd service must not be running" - service: - name: rsh - state: stopped - enabled: no - when: rsh_service_audit.rc == 0 +- block: + - name: "HIGH | V-38594 | AUDIT | The rshd service must not be running" + command: chkconfig rsh --list + register: rsh_service_check + changed_when: no + check_mode: no + failed_when: no + + - name: "HIGH | V-38594 | PATCH | The rshd service must not be running" + service: + name: rsh + state: stopped + enabled: no + when: rsh_service_check.rc == 0 tags: - cat1 - high @@ -227,24 +117,19 @@ - rsh - unsecure_services -- name: "HIGH | V-38598 | AUDIT | The rexecd service must not be running" - command: service rexec status - ignore_errors: yes - register: rexec_status_audit - always_run: yes - changed_when: no - tags: - - cat1 - - high - - V-38598 - - audit - - rexec - -- name: "HIGH | V-38598 | PATCH | The rexecd service must not be running" - service: - name: rexec - state: stopped - when: rexec_status_audit.rc == 0 +- block: + - name: "HIGH | V-38598 | PATCH | The rexecd service must not be running" + command: chkconfig rexec --list + register: rexec_service_check + changed_when: no + check_mode: no + failed_when: no + + - name: "HIGH | V-38598 | PATCH | The rexecd service must not be running" + service: + name: rexec + state: stopped + when: rexec_service_check.rc == 0 tags: - cat1 - high 
@@ -252,24 +137,19 @@ - patch - rexec -- name: "HIGH | V-38602 | AUDIT | The rlogind service must not be running" - command: service rlogin status - ignore_errors: yes - register: rlogin_status_audit - always_run: yes - changed_when: no - tags: - - cat1 - - high - - V-38602 - - audit - - rlogin - -- name: "HIGH | V-38602 | PATCH | The rlogind service must not be running" - service: - name: rlogin - enabled: no - when: rlogin_status_audit.rc == 0 +- block: + - name: "HIGH | V-38602 | PATCH | The rlogind service must not be running" + command: chkconfig rlogin --list + register: rlogin_service_check + changed_when: no + check_mode: no + failed_when: no + + - name: "HIGH | V-38602 | PATCH | The rlogind service must not be running" + service: + name: rlogin + enabled: no + when: rlogin_service_check.rc == 0 tags: - cat1 - high @@ -277,26 +157,13 @@ - patch - rlogin -- name: "HIGH | V-38607 | AUDIT | The SSH daemon must be configured to use only the SSHv2 protocol" - command: grep "Protocol 2" /etc/ssh/sshd_config - register: proto2_audit - ignore_errors: yes - always_run: yes - changed_when: no - tags: - - cat1 - - high - - V-38607 - - audit - - ssh - - name: "HIGH | V-38607 | PATCH | The SSH daemon must be configured to use only the SSHv2 protocol" lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^(#)?Protocol \d' line: 'Protocol 2' - notify: restart ssh + notify: restart sshd tags: - cat1 - high @@ -304,19 +171,6 @@ - patch - ssh -- name: "HIGH | V-38614 | AUDIT | The SSH daemon must not allow authentication using an empty password" - command: grep "PermitEmptyPasswords yes" /etc/ssh/sshd_config - ignore_errors: yes - always_run: yes - changed_when: false - register: ssh_empty_pass_audit - tags: - - cat1 - - high - - V-38614 - - audit - - ssh - - name: "HIGH | V-38614 | PATCH | The SSH daemon must not allow authentication using an empty password" lineinfile: state: present 
@@ -330,28 +184,23 @@ - patch - ssh -- name: "HIGH | V-38653 | AUDIT | The snmpd service must not use a default password" - shell: grep -v "^#" /etc/snmp/snmpd.conf| grep public - register: snmpd_audit - failed_when: snmpd_audit.rc not in [0,1] - always_run: yes - when: snmpconf_test.stat.exists - changed_when: no - tags: - - cat1 - - high - - V-38653 - - audit - - snmp - -- name: "HIGH | V-38653 | PATCH | The snmpd service must not use a default password" - replace: - backup: yes - dest: /etc/snmp/snmpd.conf - regexp: (^com2sec.*default\s+)public - replace: \1{{ rhel6stig_snmp_community }} - when: snmpconf_test.stat.exists and snmpd_audit.stdout != [] - notify: restart snmpd +- block: + - name: "HIGH | V-38653 | PATCH | The snmpd service must not use a default password" + shell: grep -v "^#" /etc/snmp/snmpd.conf | grep public + register: snmpd_audit + changed_when: no + check_mode: no + failed_when: no + + - name: "HIGH | V-38653 | PATCH | The snmpd service must not use a default password" + replace: + backup: yes + dest: /etc/snmp/snmpd.conf + regexp: (^com2sec.*default\s+)public + replace: \1{{ rhel6stig_snmp_community }} + when: + - "'public' in snmpd_audit.stdout" + notify: restart snmpd tags: - cat1 - high 
@@ -359,20 +208,25 @@ - patch - snmp -# V-38666 checks can be found in not_automated.yml - -- name: "HIGH | V-38668 | AUDIT | The x86 Ctrl-Alt-Delete key sequence must be disabled" - command: grep "exec /sbin/shutdown" /etc/init/control-alt-delete.override - register: ctrl_alt_del_audit - ignore_errors: yes - always_run: yes - changed_when: no +- block: + - name: HIGH | V-38666 | AUDIT | The system must use and update a DoD-approved virus scan program" + yum: + name: "{{ rhel6stig_av_package.package }}" + state: present + + - name: HIGH | V-38666 | AUDIT | The system must use and update a DoD-approved virus scan program" + service: + name: "{{ rhel6stig_av_package.service }}" + state: started + enabled: yes + when: + - rhel6stig_antivirus_required tags: - cat1 - high - - V-38668 - - audit - - ctrl_alt_delete + - patch + - V-38666 + - antivirus - name: "HIGH | V-38668 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled" copy: 
@@ -388,31 +242,27 @@ - patch - ctrl_alt_delete -# V-38677 can be found in not_automated.yml - -- name: "HIGH | V-38701 | AUDIT | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system" - command: grep "server_args = -s" /etc/xinetd.d/tftp - register: tftp_audit - always_run: yes - when: "'tftp' in xinetd_services.stdout_lines" - ignore_errors: yes - tags: - - cat1 - - high - - V-38701 - - audit - - tftp - -- name: "HIGH | V-38701 | PATCH | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system" - lineinfile: - state: present - backup: yes - dest: /etc/xinetd.d/tftp - regexp: 'server_args\s+=\s+(/.*$)' - line: '\tserver_args\t\t= -s \1' - backrefs: yes - when: "rhel6stig_tftp_required and 'tftp' in xinetd_services.stdout_lines" - ignore_errors: yes +# Not automated +# - name: "HIGH | V-38677 | AUDIT | The NFS server must not have the insecure file locking option enabled" + +- block: + - name: "HIGH | V-38701 | PATCH | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system" + command: chkconfig tftp --list + register: tftp_service_check + changed_when: no + check_mode: no + failed_when: no + + - name: "HIGH | V-38701 | PATCH | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system" + lineinfile: + state: present + backup: yes + dest: /etc/xinetd.d/tftp + regexp: 'server_args\s+=\s+(/.*$)' + line: '\tserver_args\t\t= -s \1' + backrefs: yes + when: "rhel6stig_tftp_required and 'tftp' in tftp_service_check.rc == 0" + notify: reload xinetd tags: - cat1 - high @@ -421,5 +271,4 @@ - tftp - tftp-server - unsecure_services - notify: reload xinetd diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 0237215..89a436c 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -1,24 +1,10 @@ # Not automated #- name: "MEDIUM | V-38439 | The system must provide automated support for account management functions." -- name: "MEDIUM | V-38443, V-38448, V-38449 | AUDIT | The /etc/gshadow file must be owned by root. The /etc/gshadow file must be group-owned by root. The /etc/gshadow file must have mode 0000" - stat: - path: /etc/gshadow - register: gshadow_stat - tags: - - cat2 - - medium - - V-38443 - - V-38448 - - V-38449 - - audit - - file_perms - - name: "MEDIUM | V-38443 | PATCH | The /etc/gshadow file must be owned by root." file: path: /etc/gshadow owner: root - register: gshadow_stat tags: - cat2 - medium 
@@ -26,34 +12,41 @@ - patch - file_perms -- name: "MEDIUM | V-38444 | AUDIT | The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets." - shell: 'grep ":INPUT" /etc/sysconfig/ip6tables | awk ''{print $2}''' - register: ipv6_inbound_packets_audit - changed_when: no - failed_when: no +- block: + - name: "MEDIUM | V-38444 | AUDIT | iptables module is not idempotent for Policy actions currently" + shell: ip6tables -S | grep '\-P INPUT' | cut -d ' ' -f 3 + changed_when: no + failed_when: no + check_mode: no + register: ip6tables_input_chain_policy_check + + - name: "MEDIUM | V-38444 | PATCH | The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets." + iptables: + chain: INPUT + ip_version: ipv6 + policy: DROP + when: "ip6tables_input_chain_policy_check.stdout != 'DROP'" + notify: save ip6tables rules tags: - cat2 - medium - V-38444 - - audit - ipv6 - - iptables + - firewall + - network + - patch -- name: "MEDIUM | V-38444 | PATCH | The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets." - lineinfile: - dest: /etc/sysconfig/ip6tables - line: ":INPUT DROP [0:0]" - regexp: '^:INPUT\s*.*\s*\[0:0\]' - when: - - "ipv6_inbound_packets_audit.stdout != 'DROP'" - - "'No such file or directory' not in ipv6_inbound_packets_audit.stderr" - tags: - - cat2 +- block: + - name: "PRELIM | Get path of auditd log file" + shell: "grep '^log_file' /etc/audit/auditd.conf | sed s/^[^\\/]*//" + changed_when: no + check_mode: no + register: auditd_logfile -- name: "MEDIUM | V-38445 | PATCH | Audit log files must be group-owned by root." - file: - path: "{{ auditd_logfile.stdout }}" - group: root + - name: "MEDIUM | V-38445 | PATCH | Audit log files must be group-owned by root." + file: + path: "{{ auditd_logfile.stdout }}" + group: root tags: - cat2 - medium 
@@ -62,19 +55,6 @@ - auditd - patch -- name: "MEDIUM | V-38446 | AUDIT | The mail system must forward all mail for root to one or more system administrators." - command: postmap -q root /etc/aliases - register: postmap_root_audit - changed_when: no - failed_when: no - tags: - - cat2 - - medium - - V-38446 - - sendmail - - mail - - audit - - name: "MEDIUM | V-38446 | PATCH | The mail system must forward all mail for root to one or more system administrators." lineinfile: dest: /etc/aliases @@ -85,11 +65,11 @@ - medium - V-38446 - sendmail + - name: "MEDIUM | V-38448 | PATCH | The /etc/gshadow file must be group-owned by root." file: path: /etc/gshadow group: root - register: gshadow_stat tags: - cat2 - medium @@ -101,7 +81,6 @@ file: path: /etc/gshadow mode: "0000" - register: gshadow_stat tags: - cat2 - medium @@ -109,19 +88,6 @@ - patch - file_perms -- name: "MEDIUM | V-38450, V-38451, V-38457 | AUDIT | The /etc/passwd file must be owned by root. The /etc/passwd file must be group-owned by root.The /etc/passwd file must have mode 0644 or less permissive" - stat: - path: /etc/passwd - register: /etc/passwd_stat - tags: - - cat2 - - medium - - V-38450 - - V-38451 - - V-38457 - - audit - - file_perms - - name: "MEDIUM | V-38450 | PATCH | The /etc/passwd file be owned by root" file: path: /etc/passwd @@ -155,19 +121,6 @@ - patch - file_perms -- name: "MEDIUM | V-38458, V-38459, V-38461 | AUDIT | The /etc/group file must be owned by root. The /etc/group file must be group-owned by root.The /etc/group file must have mode 0644 or less permissive" - stat: - path: /etc/group - register: /etc/group_stat - tags: - - cat2 - - medium - - V-38458 - - V-38459 - - V-38461 - - audit - - file_perms - - name: "MEDIUM | V-38458 | PATCH | The /etc/group file be owned by root" file: path: /etc/group 
@@ -201,18 +154,6 @@ - patch - file_perms -- name: "MEDIUM | V-38464 | AUDIT | The audit system must take appropriate action when there are disk errors on the audit storage volume." - shell: grep disk_error_action /etc/audit/auditd.conf | cut -d = -f 2 | xargs basename - register: disk_err_action_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-38464 - - audit - - auditd - - name: "MEDIUM | V-38464 | PATCH | The audit system must take appropriate action when there are disk errors on the audit storage volume." lineinfile: regexp: '(^disk_error_action\s*=)(\s*)' @@ -226,25 +167,21 @@ - patch - auditd -- name: "MEDIUM | V-38465 | AUDIT | Library files must have mode 0755 or less permissive" - become_user: root - script: sys_libs_with_bad_perms.sh - register: library_perms_audit - changed_when: no - tags: - - cat2 - - medium - - V-38465 - - audit - - file_perms +- block: + - name: "MEDIUM | V-38465 | AUDIT | Library files must have mode 0755 or less permissive" + shell: find -L /{lib,lib64,usr/{lib,lib64}/,usr/local/{lib,lib64}}/ -type f -links -2 -perm /022 -exec readlink -f {} \; + check_mode: no + changed_when: no + failed_when: no + register: sys_lib_perms_audit -- name: "MEDIUM | V-38465 | PATCH | Library files must have mode 0755 or less permissive" - file: - state: file - mode: "go-w" - path: "{{ item }}" - when: library_perms_audit.stdout - with_items: "{{ library_perms_audit.stdout_lines }}" + - name: "MEDIUM | V-38465 | PATCH | Library files must have mode 0755 or less permissive" + file: + state: file + mode: "go-w" + path: "{{ item }}" + when: sys_lib_perms_audit.stdout + with_items: "{{ sys_lib_perms_audit.stdout_lines }}" tags: - cat2 - medium 
@@ -252,25 +189,21 @@ - patch - file_perms -- name: "MEDIUM | V-38466 | AUDIT | Library files must be owned by root" - become_user: root - script: sys_libs_with_bad_owner.sh - register: library_owner_audit - changed_when: no - tags: - - cat2 - - medium - - V-38466 - - audit - - file_perms +- block: + - name: "MEDIUM | V-38466 | AUDIT | Library files must be owned by root" + shell: find -L /{lib,lib64,usr/{lib,lib64}/,usr/local/{lib,lib64}}/ -type f -links -2 \! -user root -exec readlink -f {} \; + check_mode: no + changed_when: no + failed_when: no + register: sys_lib_owner_audit -- name: "MEDIUM | V-38466 | PATCH | Library files must be owned by root" - file: - state: file - owner: "root" - path: "{{ item }}" - when: library_owner_audit.stdout - with_items: "{{ library_owner_audit.stdout_lines }}" + - name: "MEDIUM | V-38466 | PATCH | Library files must be owned by root" + file: + state: file + owner: "root" + path: "{{ item }}" + when: sys_lib_owner_audit.stdout + with_items: "{{ sys_lib_owner_audit.stdout_lines }}" tags: - cat2 - medium @@ -278,18 +211,6 @@ - patch - file_perms -- name: "MEDIUM | V-38468 | AUDIT | The audit system must take appropriate action when the audit storage volume is full." - shell: grep disk_full_action /etc/audit/auditd.conf | cut -d = -f 2 | xargs basename - register: disk_full_action_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-38468 - - audit - - auditd - - name: "MEDIUM | V-38468 | PATCH | The audit system must take appropriate action when the audit storage volume is full." lineinfile: regexp: '(^disk_full_action\s*=)(\s*)' 
@@ -303,26 +224,21 @@ - patch - auditd -- name: "MEDIUM | V-38469 | AUDIT | All system command files must have mode 755 or less permissive." - script: sys_command_files_with_bad_perms.sh - become_user: root - register: system_files_perms_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-38469 - - audit - - file_perms +- block: + - name: "MEDIUM | V-38469 | AUDIT | All system command files must have mode 755 or less permissive." + shell: find -L /{sbin,bin,usr/{sbin,bin}/,usr/local/{sbin,bin}}/ -type f -links -2 -perm /022 -exec readlink -f {} \; + check_mode: no + changed_when: no + failed_when: no + register: sys_command_perms_audit -- name: "MEDIUM | V-38469 | PATCH | All system command files must have mode 755 or less permissive" - file: - state: file - mode: "og-w" - path: "{{ item }}" - when: system_files_perms_audit.stdout - with_items: "{{ system_files_perms_audit.stdout_lines }}" + - name: "MEDIUM | V-38469 | PATCH | All system command files must have mode 755 or less permissive" + file: + state: file + mode: "og-w" + path: "{{ item }}" + when: sys_command_perms_audit.stdout + with_items: "{{ sys_command_perms_audit.stdout_lines }}" tags: - cat2 - medium @@ -330,18 +246,6 @@ - patch - file_perms -- name: "MEDIUM | V-38470 | AUDIT | The audit system must alert designated staff members when the audit storage volume approaches capacity." - shell: grep space_left_action /etc/audit/auditd.conf | cut -d = -f 2 | xargs basename - register: space_left_action_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-38470 - - audit - - auditd - - name: "MEDIUM | V-38470 | PATCH | The audit system must alert designated staff members when the audit storage volume approaches capacity." lineinfile: regexp: '(^space_left_action\s*=)(\s*)' 
@@ -355,25 +259,21 @@ - patch - auditd -- name: "MEDIUM | V-38472 | AUDIT | All system command files must be owned by root" - script: sys_command_files_with_bad_owner.sh - become_user: root - register: sys_commands_owner_audit - always_run: yes - changed_when: no - tags: - - cat2 - - medium - - V-38472 - - audit - - file_perms +- block: + - name: "MEDIUM | V-38472 | AUDIT | All system command files must be owned by root" + shell: find -L /{sbin,bin,usr/{sbin,bin}/,usr/local/{sbin,bin}}/ -type f -links -2 \! -user root -exec readlink -f {} \; + check_mode: no + changed_when: no + failed_when: no + register: sys_command_owner_audit -- name: "MEDIUM | V-38472 | PATCH | All system command files must be owned by root" - file: - state: file - owner: root - when: sys_commands_owner_audit.stdout - with_items: "{{ sys_commands_owner_audit.stdout_lines }}" + - name: "MEDIUM | V-38472 | PATCH | All system command files must be owned by root" + file: + state: file + path: "{{item}}" + owner: root + when: sys_command_owner_audit.stdout + with_items: "{{ sys_command_owner_audit.stdout_lines }}" tags: - cat2 - medium @@ -381,18 +281,6 @@ - patch - file_perms -- name: "MEDIUM | V-38475 | AUDIT | The system must require passwords to contain a minimum of 14 characters." - shell: grep -E '^PASS_MIN_LEN' /etc/login.defs | awk '{print $2}' - register: min_pwd_len_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-38475 - - audit - - passwords - - name: "MEDIUM | V-38475 | PATCH | The system must require passwords to contain a minimum of 14 characters." lineinfile: regexp: '(^PASS_MIN_LEN)\s*(\d*)' 
@@ -406,18 +294,6 @@ - patch - passwords -- name: "MEDIUM | V-38477 | AUDIT | Users must not be able to change passwords more than once every 24 hours." - shell: grep -E '^PASS_MIN_DAYS' /etc/login.defs | awk '{print $2}' - register: pwd_min_days_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-38477 - - audit - - passwords - - name: "MEDIUM | V-38477 | PATCH | The system must require passwords to contain a minimum of 14 characters." lineinfile: regexp: '(^PASS_MIN_DAYS)\s*(\d*)' @@ -431,18 +307,6 @@ - patch - passwords -- name: "MEDIUM | V-38479 | AUDIT | User passwords must be changed at least every 60 days." - shell: "grep -E '^PASS_MAX_DAYS' /etc/login.defs | awk '{print $2}'" - register: pwd_max_days_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-38479 - - audit - - passwords - - name: "MEDIUM | V-38479 | PATCH | User passwords must be changed at least every 60 days." lineinfile: regexp: '(^PASS_MAX_DAYS)\s*(\d*)' @@ -456,20 +320,6 @@ - patch - passwords -- name: "MEDIUM | V-38481 | AUDIT | System security patches and updates must be installed and up-to-date." - command: yum check-update - failed_when: no - changed_when: no - register: yum_pkgs_update_audit - when: rhel6stig_update_all_packages - tags: - - cat2 - - medium - - V-38481 - - audit - - yum - - updates - - name: "MEDIUM | V-38481 | PATCH | System security patches and updates must be installed and up-to-date." yum: name: '*' 
@@ -484,29 +334,22 @@ - yum - updates -- name: "MEDIUM | V-38483 | AUDIT | The system package management tool must cryptographically verify the authenticity of system software packages during installation." - shell: find /etc/yum{.conf,.repos.d/} -exec grep -ls '^gpgcheck=0' {} \; - changed_when: false - always_run: yes - register: repo_crypto_check_audit - tags: - - cat2 - - medium - - V-38483 - - audit - - rpm - - yum - - gpgcheck +- block: + - name: "MEDIUM | V-38483 | AUDIT | The system package management tool must cryptographically verify the authenticity of system software packages during installation." + shell: find /etc/yum{.conf,.repos.d/} -exec grep -ls '^gpgcheck=0' {} \; + changed_when: false + check_mode: no + register: repo_crypto_check_audit -- name: "MEDIUM | V-38483 | PATCH | The system package management tool must cryptographically verify the authenticity of system software packages during installation." - replace: - backup: yes - dest: '{{ item }}' - regexp: '^gpgcheck=0' - replace: 'gpgcheck=1' - with_flattened: - - /etc/yum.conf - - "{{ repo_crypto_check_audit.stdout_lines }}" + - name: "MEDIUM | V-38483 | PATCH | The system package management tool must cryptographically verify the authenticity of system software packages during installation." + replace: + backup: yes + dest: '{{ item }}' + regexp: '^gpgcheck=0' + replace: 'gpgcheck=1' + with_flattened: + - /etc/yum.conf + - "{{ repo_crypto_check_audit.stdout_lines }}" tags: - cat2 - medium 
@@ -515,18 +358,6 @@ - rpm - gpgcheck -- name: "MEDIUM | V-38484 | AUDIT | The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh." - shell: "grep -i '^PrintLastLog' /etc/ssh/sshd_config | awk '{ print $2 }'" - register: last_log_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - audit - - V-38484 - - sshd - - name: "MEDIUM | V-38484 | PATCH | The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh." lineinfile: state: present @@ -541,30 +372,17 @@ - V-38484 - sshd -# Cannot be automated +# Not automated #- name: "MEDIUM | V-38486 | The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives." -# Cannot be automated +# Not automated #- name: "MEDIUM | V-38488 | The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives." -- name: "MEDIUM | V-38489 | AUDIT | A file integrity tool must be installed." - command: rpm -q aide - failed_when: no - register: aide_installed_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-38489 - - audit - - aide - - integrity - - name: "MEDIUM | V-38489 | PATCH | A file integrity tool must be installed." yum: name: aide state: present + notify: init aide tags: - cat2 - medium 
@@ -573,21 +391,6 @@ - aide - integrity -- name: "MEDIUM | V-38490 | AUDIT | The operating system must enforce requirements for the connection of mobile devices to operating systems" - command: grep -rs usb-storage /etc/modprobe.conf /etc/modprobe.d - register: usb_reqs_audit - failed_when: no - always_run: yes - changed_when: no - tags: - - cat2 - - medium - - V-38490 - - mobile_devices - - usb_devices - - kernel_modules - - audit - - name: "MEDIUM | V-38490 | PATCH | The operating system must enforce requirements for the connection of mobile devices to operating systems." copy: content: install usb-storage /bin/true @@ -604,22 +407,6 @@ - kernel_modules - patch -- name: "MEDIUM | V-38492 | AUDIT | The system must prevent the root account from logging in from virtual consoles." - command: grep '^vc/[0-9]' /etc/securetty - register: vc_root_login_audit - failed_when: no - always_run: yes - changed_when: no - tags: - - cat2 - - medium - - V-38492 - - audit - - virtual_consoles - - logon_settings - - tty - - root_access - - name: "MEDIUM | V-38492 | PATCH | The system must prevent the root account from logging in from virtual consoles" lineinfile: state: absent 
@@ -637,29 +424,21 @@ - medium - patch -- name: "MEDIUM | V-38493 | AUDIT | Audit log directories must have mode 0755 or less permissive." - shell: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//' | xargs -I % find % -type d -perm /022 - changed_when: no - always_run: yes - failed_when: no - register: audit_log_dir_perms_audit - tags: - - cat2 - - medium - - V-38493 - - audit - - medium - - file_perms - - auditd - - audit_permissions +- block: + - name: "MEDIUM | V-38493 | AUDIT | Audit log directories must have mode 0755 or less permissive." + shell: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//' | xargs -I % find % -type d -perm /022 + changed_when: no + check_mode: no + failed_when: no + register: audit_log_dir_perms_audit -- name: "MEDIUM | V-38493 | PATCH | Audit log directories must have mode 0755 or less permissive." - file: - state: directory - mode: "go-w" - path: "{{ item }}" - with_items: "{{ audit_log_dir_perms_audit.stdout_lines }}" - when: audit_log_dir_perms_audit.stdout + - name: "MEDIUM | V-38493 | PATCH | Audit log directories must have mode 0755 or less permissive." + file: + state: directory + mode: "go-w" + path: "{{ item }}" + with_items: "{{ audit_log_dir_perms_audit.stdout_lines }}" + when: audit_log_dir_perms_audit.stdout tags: - cat2 - medium 
@@ -669,28 +448,21 @@ - auditd - audit_permissions -- name: "MEDIUM | V-38495 | AUDIT | Audit log files must be owned by root." - shell: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//' | xargs -I % find % -type f ! -user root - changed_when: no - always_run: yes - failed_when: no - register: audit_log_dir_owner_audit - tags: - - cat2 - - medium - - V-38495 - - audit - - file_perms - - auditd - - audit_permissions +- block: + - name: "MEDIUM | V-38495 | AUDIT | Audit log files must be owned by root." + shell: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//' | xargs -I % find % -type f ! -user root + changed_when: no + check_mode: no + failed_when: no + register: audit_log_dir_owner_audit -- name: "MEDIUM | V-38495 | PATCH | Audit log files must be owned by root." - file: - state: file - owner: root - path: "{{ item }}" - with_items: "{{ audit_log_dir_owner_audit.stdout_lines }}" - when: audit_log_dir_owner_audit.stdout + - name: "MEDIUM | V-38495 | PATCH | Audit log files must be owned by root." + file: + state: file + owner: root + path: "{{ item }}" + with_items: "{{ audit_log_dir_owner_audit.stdout_lines }}" + when: audit_log_dir_owner_audit.stdout tags: - cat2 - medium 
@@ -700,27 +472,22 @@ - auditd - audit_permissions -- name: "MEDIUM | V-38496 | AUDIT | Default system accounts, other than root, must be locked" - shell: > - awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow | xargs -I{} grep {} /etc/passwd | awk -F: '$3 < 500 {print $1}' - register: unlocked_sys_accounts_audit - changed_when: false - always_run: yes - tags: - - cat2 - - medium - - V-38496 - - audit - - accounts - - system_accounts +- block: + - name: "MEDIUM | V-38496 | AUDIT | Default system accounts, other than root, must be locked" + shell: > + awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow | xargs -I{} grep {} /etc/passwd | awk -F: '$3 < 500 {print $1}' + changed_when: no + failed_when: no + check_mode: no + register: unlocked_sys_accounts_audit -- name: "MEDIUM | V-38496 | PATCH | Default system accounts, other than root, must be locked" - user: - name: "{{ item }}" - state: present - expires: 1412541480 - with_items: "{{ unlocked_sys_accounts_audit.stdout_lines }}" - when: unlocked_sys_accounts_audit.stdout + - name: "MEDIUM | V-38496 | PATCH | Default system accounts, other than root, must be locked" + user: + name: "{{ item }}" + state: present + expires: 1412541480 + with_items: "{{ unlocked_sys_accounts_audit.stdout_lines }}" + when: unlocked_sys_accounts_audit.stdout tags: - cat2 - medium 
@@ -729,27 +496,20 @@ - accounts - system_accounts -- name: "MEDIUM | V-38498 | AUDIT | Audit log files must have mode 0640 or less permissive." - shell: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %n | xargs -I % find % -perm /137 - register: audit_log_file_perms_audit - changed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-38498 - - audit - - auditd - - logs - - V-38498 - - file_perms +- block: + - name: "MEDIUM | V-38498 | AUDIT | Audit log files must have mode 0640 or less permissive." + shell: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %n | xargs -I % find % -perm /137 + changed_when: no + failed_when: no + check_mode: no + register: audit_log_file_perms_audit -- name: "MEDIUM | V-38498 | PATCH | Audit log files must have mode 0640 or less permissive." - file: - state: file - path: "{{ item }}" - mode: "u-x,g-wx,o-rwx" - with_items: "{{ audit_log_file_perms_audit.stdout_lines }}" + - name: "MEDIUM | V-38498 | PATCH | Audit log files must have mode 0640 or less permissive." + file: + state: file + path: "{{ item }}" + mode: "u-x,g-wx,o-rwx" + with_items: "{{ audit_log_file_perms_audit.stdout_lines }}" tags: - cat2 - medium 
@@ -760,52 +520,11 @@ - V-38498 - file_perms -# V-38499 is checked but not automatically patched, please see not_automated.yml -# V-38500 is checked but not automatically patched, please see not_automated.yml - -- name: "MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval." - shell: "grep -h pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth | grep fail_interval | awk -F'=' '{print $NF}'" - changed_when: no - always_run: yes - failed_when: no - register: login_failures_interval_audit - tags: - - medium - - cat2 - - logon_settings - - audit - - V-38501 - - pam - -- name: "MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval." - shell: grep -h '^account\s*required\s*pam_faillock\.so' /etc/pam.d/system-auth /etc/pam.d/password-auth - changed_when: no - always_run: yes - failed_when: no - register: login_failures_account_require - tags: - - medium - - cat2 - - logon_settings - - audit - - V-38501 - - pam +# Not automated +# - name: "MEDIUM | V-38499 | AUDIT | The /etc/passwd file must not contain password hashes" -- name: "MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval." - assert: - that: - - "{{ item | int }} >= 900" - - "{{ login_failures_account_require.stdout_lines | length }} == 2" - with_items: "{{ login_failures_interval_audit.stdout_lines }}" - failed_when: no - register: login_failures_interval_audit - tags: - - medium - - cat2 - - logon_settings - - audit - - V-38501 - - pam +# Not automated +# - name: "MEDIUM | V-38500 | AUDIT | The root account must be the only account having a UID of 0" - name: "MEDIUM | V-38501 | PATCH | The system must disable accounts after excessive login failures within a 15-minute interval." pam: 
@@ -866,24 +585,6 @@ - V-38501 - pam -- name: | - - MEDIUM | V-38502 | AUDIT | The /etc/shadow file must be owned by root. - MEDIUM | V-38503 | AUDIT | The /etc/shadow file must be group-owned by root. - MEDIUM | V-38504 | AUDIT | The /etc/shadow file must have mode 0000. - stat: - path: /etc/shadow - register: shadow_owner_audit - tags: - - medium - - cat2 - - V-38502 - - V-38503 - - V-38504 - - shadow - - file_perms - - audit - - name: "MEDIUM | V-38502 | PATCH | The /etc/shadow file must be owned by root." file: state: file @@ -924,32 +625,6 @@ - file_perms - patch -- name: "MEDIUM | V-38511 | AUDIT | IP forwarding for IPv4 must not be enabled, unless the system is a router." - shell: "sysctl net.ipv4.ip_forward | awk '{print $3}'" - changed_when: no - always_run: yes - register: ipv4_ip_forwarding_audit - tags: - - V-38511 - - cat2 - - medium - - ip_forward - - ipv4 - - audit - -- name: "MEDIUM | V-38511 | AUDIT | IP forwarding for IPv4 must not be enabled, unless the system is a router." - shell: "sysctl net.ipv4.ip_forward | awk '{print $3}'" - changed_when: no - always_run: yes - register: ipv4_ip_forwarding_audit - tags: - - V-38511 - - cat2 - - medium - - ip_forward - - ipv4 - - audit - - name: "MEDIUM | V-38511 | PATCH | IP forwarding for IPv4 must not be enabled unless the system is a router" sysctl: name: net.ipv4.ip_forward 
@@ -967,28 +642,18 @@ - medium - patch -- name: "MEDIUM | V-38512 | AUDIT | The operating system must prevent public IPv4 access into an organizations internal networks except as appropriately mediated by managed interfaces employing boundary protection devices" - command: service iptables status - always_run: yes - changed_when: no - failed_when: no - register: iptables_audit - tags: - - cat2 - - medium - - audit - - V-38512 - - ipv4 - - network - - firewall - -- name: "MEDIUM | V-38512 | PATCH | The operating system must prevent public IPv4 access into an organizations internal networks except as appropriately mediated by managed interfaces employing boundary protection devices" +- name: | + MEDIUM | V-38512 | PATCH | The operating system must prevent public IPv4 access into an organizations internal networks except as appropriately mediated by managed interfaces employing boundary protection devices + MEDIUM | V-38555 | PATCH | The system must employ a local IPv4 firewall. + MEDIUM | V-38560 | PATCH | The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. service: name: iptables enabled: yes state: started tags: - V-38512 + - V-38555 + - V-38560 - ipv4 - network - firewall 
@@ -996,27 +661,21 @@ - cat2 - patch -- name: "MEDIUM | V-38513 | AUDIT | The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets." - shell: "grep ':INPUT' /etc/sysconfig/iptables | awk '{print $2}'" - changed_when: no - always_run: yes - register: ipv4_fw_deny_all_audit - tags: - - V-38513 - - ipv4 - - network - - firewall - - medium - - cat2 - - audit +- block: + - name: "MEDIUM | V-38513 | AUDIT | iptables module is not idempotent for Policy actions currently" + shell: iptables -S | grep '\-P INPUT' | cut -d ' ' -f 3 + changed_when: no + failed_when: no + check_mode: no + register: iptables_input_chain_policy_check -- name: "MEDIUM | V-38513 | PATCH | The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets." - lineinfile: - state: present - dest: /etc/sysconfig/iptables - regexp: ':INPUT' - line: ':INPUT DROP [0:0]' - notify: restart iptables + - name: "MEDIUM | V-38513 | PATCH | The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets." + iptables: + chain: INPUT + ip_version: ipv4 + policy: DROP + when: "iptables_input_chain_policy_check.stdout != 'DROP'" + notify: save iptables rules tags: - cat2 - medium @@ -1026,20 +685,6 @@ - network - patch -- name: "MEDIUM | V-38514 | AUDIT | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required." - command: grep -rse "^install\s*dccp\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d - changed_when: no - always_run: yes - failed_when: no - register: dccp_audit - tags: - - V-38514 - - cat2 - - medium - - dccp - - transport - - audit - - name: "MEDIUM | V-38514 | PATCH | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required." lineinfile: state: present 
@@ -1057,20 +702,6 @@ - transport - patch -- name: "MEDIUM | V-38515 | AUDIT | The Stream Control Transmission Protocol (SCTP) must be disabled unless required." - command: grep -rse "^install\s*sctp\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d - changed_when: no - always_run: yes - failed_when: no - register: sctp_audit - tags: - - V-38515 - - cat2 - - medium - - sctp - - transport - - audit - - name: "MEDIUM | V-38515 | PATCH | The Stream Control Transmission Protocol (SCTP) must be disabled unless required." lineinfile: state: present @@ -1088,20 +719,6 @@ - transport - patch -- name: "MEDIUM | V-38516 | AUDIT | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required." - command: grep -rse "^install\s*tipc\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d - changed_when: no - always_run: yes - failed_when: no - register: tipc_audit - tags: - - V-38516 - - cat2 - - medium - - tipc - - transport - - audit - - name: "MEDIUM | V-38516 | PATCH | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required." lineinfile: state: present @@ -1119,20 +736,6 @@ - transport - patch -- name: "MEDIUM | V-38517 | AUDIT | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required." - command: grep -rse "^install\s*tipc\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d - register: tipc_audit - changed_when: false - failed_when: false - always_run: yes - tags: - - cat2 - - medium - - V-38516 - - tipc - - transport - - audit - - name: "MEDIUM | V-38517 | PATCH | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required." lineinfile: state: present 
@@ -1150,66 +753,47 @@ - transport - patch -- name: "MEDIUM | V-38518 | AUDIT | All rsyslog-generated log files must be owned by root." - stat: - path: "{{ item }}" - with_items: "{{ rsyslog_logfiles.stdout_lines }}" - register: rsyslog_logfiles_audit - tags: - - cat2 - - medium - - V-38518 - - log_files - - rsyslog - - audit - -- name: "MEDIUM | V-38518 | PATCH | All rsyslog-generated log files must be owned by root." - file: - path: "{{ item }}" - owner: root - follow: yes - state: file - with_items: "{{ rsyslog_logfiles.stdout_lines }}" - tags: - - cat2 - - medium - - V-38518 - - log_files - - rsyslog - - patch - -- name: "MEDIUM | V-38519 | PATCH | All rsyslog-generated log files must be group-owned by root." - file: - dest: "{{ item }}" - group: root - state: file - follow: yes - with_items: "{{ rsyslog_logfiles.stdout_lines }}" +- block: + - name: "MEDIUM | V-38518 | AUDIT | All rsyslog-generated log files must be owned by root." + stat: + path: "{{ item }}" + with_items: "{{ rsyslog_logfiles.stdout_lines }}" + register: rsyslog_logfiles_audit + tags: + - V-38518 + - V-38519 + + - name: "MEDIUM | V-38518 | PATCH | All rsyslog-generated log files must be owned by root." + file: + path: "{{ item }}" + owner: root + follow: yes + state: file + with_items: "{{ rsyslog_logfiles.stdout_lines }}" + tags: + - V-38518 + + - name: "MEDIUM | V-38519 | PATCH | All rsyslog-generated log files must be group-owned by root." + file: + dest: "{{ item }}" + group: root + state: file + follow: yes + with_items: "{{ rsyslog_logfiles.stdout_lines }}" + tags: + - V-38519 tags: - cat2 - medium - - V-38519 - log_files - rsyslog - patch # V-38520 not automatically remediated. See not_automated.yml -# V-38521 not automatically remediated. See not_automated.yml +# - name: "MEDIUM | V-38520 | AUDIT | The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited." 
-- name: "MEDIUM | V-38523 | AUDIT | The system must not accept IPv4 source-routed packets on any interface." - shell: "sysctl net.ipv4.conf.all.accept_source_route | awk '{print $3}'" - changed_when: no - always_run: yes - register: ipv4_source_routed_packets_any_int_audit - tags: - - cat2 - - medium - - V-38523 - - audit - - ipv4 - - sysctl - - kernel_parameters - - network +# V-38521 not automatically remediated. See not_automated.yml +# - name: "MEDIUM | V-38521 | AUDIT | The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components." - name: "MEDIUM | V-38523 | PATCH | The system must not accept IPv4 source-routed packets on any interface." sysctl: @@ -1229,21 +813,6 @@ - kernel_parameters - network -- name: "MEDIUM | V-38524 | AUDIT | The system must not accept ICMPv4 redirect packets on any interface." - shell: "sysctl net.ipv4.conf.all.accept_redirects | awk '{print $3}'" - changed_when: no - always_run: yes - register: icmpv4_redirect_packets_any_int_audit - tags: - - cat2 - - medium - - V-38524 - - audit - - ICMPv4 - - sysctl - - kernel_parameters - - network - - name: "MEDIUM | V-38524 | PATCH | The system must not accept ICMPv4 redirect packets on any interface." sysctl: name: net.ipv4.conf.all.accept_redirects @@ -1262,21 +831,6 @@ - kernel_parameters - network -- name: "MEDIUM | V-38526 | AUDIT | The system must not accept ICMPv4 secure redirect packets on any interface." - shell: "sysctl net.ipv4.conf.all.secure_redirects | awk '{print $3}'" - changed_when: no - always_run: yes - register: icmpv4_secure_redirect_packets_any_int_audit - tags: - - cat2 - - medium - - V-38526 - - audit - - ICMPv4 - - sysctl - - kernel_parameters - - network - - name: "MEDIUM | V-38526 | PATCH | The system must not accept ICMPv4 secure redirect packets on any interface." sysctl: name: net.ipv4.conf.all.secure_redirects 
@@ -1295,21 +849,6 @@ - kernel_parameters - network -- name: "MEDIUM | V-38529 | AUDIT | The system must not accept IPv4 source-routed packets by default." - shell: "sysctl net.ipv4.conf.default.accept_source_route | awk '{print $3}'" - changed_when: no - always_run: yes - register: ipv4_source_routed_packets_default_audit - tags: - - cat2 - - medium - - V-38529 - - audit - - ipv4 - - sysctl - - kernel_parameters - - network - - name: "MEDIUM | V-38529 | PATCH | The system must not accept IPv4 source-routed packets by default." sysctl: name: net.ipv4.conf.default.accept_source_route @@ -1328,21 +867,6 @@ - kernel_parameters - network -- name: "MEDIUM | V-38532 | AUDIT | The system must not accept ICMPv4 secure redirect packets by default." - shell: "sysctl net.ipv4.conf.default.secure_redirects | awk '{print $3}'" - changed_when: no - always_run: yes - register: icmpv4_secure_redirects_default_audit - tags: - - medium - - cat2 - - V-38532 - - audit - - ICMPv4 - - sysctl - - kernel_parameters - - network - - name: "MEDIUM | V-38532 | PATCH | The system must not accept ICMPv4 secure redirect packets by default." sysctl: name: net.ipv4.conf.default.secure_redirects @@ -1361,21 +885,6 @@ - kernel_parameters - network -- name: "MEDIUM | V-38539 | AUDIT | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood." - shell: "sysctl net.ipv4.tcp_syncookies | awk '{print $3}'" - changed_when: no - always_run: yes - register: tcp_syncookies_audit - tags: - - cat2 - - medium - - V-38539 - - audit - - tcp - - sysctl - - kernel_parameters - - network - - name: "MEDIUM | V-38539 | PATCH | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood." sysctl: name: net.ipv4.tcp_syncookies 
@@ -1394,21 +903,6 @@ - kernel_parameters - network -- name: "MEDIUM | V-38542 | AUDIT | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces." - shell: "sysctl net.ipv4.conf.all.rp_filter | awk '{print $3}'" - changed_when: no - always_run: yes - register: ipv4_reverse_path_filter_all_int_audit - tags: - - cat2 - - medium - - V-38542 - - audit - - ipv4 - - sysctl - - kernel_parameters - - network - - name: "MEDIUM | V-38542 | PATCH | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces." sysctl: name: net.ipv4.conf.all.rp_filter @@ -1428,21 +922,6 @@ - network - dhcp -- name: "MEDIUM | V-38544 | AUDIT | The system must use a reverse-path filter for IPv4 network traffic when possible by default." - shell: "sysctl net.ipv4.conf.default.rp_filter | awk '{print $3}'" - changed_when: no - always_run: yes - register: ipv4_reverse_path_filter_default_audit - tags: - - cat2 - - medium - - V-38544 - - audit - - ipv4 - - sysctl - - kernel_parameters - - network - - name: "MEDIUM | V-38544 | PATCH | The system must use a reverse-path filter for IPv4 network traffic when possible by default." sysctl: name: net.ipv4.conf.default.rp_filter 
@@ -1461,52 +940,6 @@ - kernel_parameters - network -- name: "MEDIUM | V-38546 | AUDIT | The IPv6 protocol handler must not be bound to the network stack unless needed." - shell: 'grep -rsE ''^options\s*ipv6\s*disable=1'' /etc/modprobe.conf /etc/modprobe.d | awk -F '':'' ''{print $2}'' | awk -F ''='' ''{print $2}''' - register: ipv6_protocol_handler_bound_network_stack_audit - changed_when: no - always_run: yes - tags: - - V-38546 - - cat2 - - medium - - ipv6 - - network - - audit - -- name: "MEDIUM | V-38546 | PATCH | The IPv6 protocol handler must not be bound to the network stack unless needed." - lineinfile: - state: present - create: yes - regexp: '^options ipv6 disable=' - line: options ipv6 disable={{ (not rhel6stig_ipv6_required) | bool | int }} - dest: /etc/modprobe.d/disable-ipv6.conf - when: - - ipv6_protocol_handler_bound_network_stack_audit is defined - - ipv6_protocol_handler_bound_network_stack_audit.stdout != 1 - tags: - - cat2 - - medium - - patch - - V-38546 - - ipv6 - - network - -- name: "MEDIUM | V-38548 | AUDIT | The system must ignore ICMPv6 redirects by default." - shell: "sysctl net.ipv6.conf.default.accept_redirects | awk '{print $3}'" - changed_when: no - always_run: yes - register: icmpv6_ignore_redirects_default_audit - tags: - - cat2 - - medium - - V-38548 - - audit - - ICMPv4 - - sysctl - - kernel_parameters - - network - - name: "MEDIUM | V-38548 | PATCH | The system must ignore ICMPv6 redirects by default." sysctl: name: net.ipv6.conf.default.accept_redirects 
@@ -1527,28 +960,8 @@ - network - name: | - - MEDIUM | V-38549 | AUDIT | The system must employ a local IPv6 firewall. - MEDIUM | V-38551 | AUDIT | The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. - MEDIUM | V-38553 | AUDIT | The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. - command: service ip6tables status - when: rhel6stig_ipv6_required - failed_when: no - changed_when: no - always_run: yes - register: ip6tables_audit - tags: - - cat2 - - medium - - iptables - - ip6tables - - V-38549 - - V-38553 - - audit - -- name: | - MEDIUM | V-38549 | PATCH | The system must employ a local IPv6 firewall. + MEDIUM | V-38551 | PATCH | The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. MEDIUM | V-38553 | PATCH | The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. service: name: ip6tables 
@@ -1558,62 +971,14 @@ tags: - cat2 - medium - - iptables - - ip6tables + - ipv6 - V-38549 + - V-38551 - V-38553 + - firewall + - network - patch -- name: | - - MEDIUM | V-38555 | AUDIT | The system must employ a local IPv4 firewall. - MEDIUM | V-38560 | AUDIT | The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. - command: service iptables status - failed_when: no - changed_when: no - always_run: yes - register: iptables_audit - tags: - - cat2 - - medium - - iptables - - V-38555 - - xwindows - - V-38560 - - audit - -- name: | - - MEDIUM | V-38555 | PATCH | The system must employ a local IPv4 firewall. - MEDIUM | V-38560 | PATCH | The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. - service: - name: iptables - state: started - enabled: yes - tags: - - cat2 - - medium - - iptables - - V-38555 - - xwindows - - V-38560 - - patch - -- name: "MEDIUM | V-38573 | AUDIT | The system must disable accounts after three consecutive unsuccessful logon attempts." - shell: grep -h pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth | grep deny=3 - changed_when: no - always_run: yes - register: logon_attempts_audit - tags: - - cat2 - - medium - - V-38573 - - logon_settings - - accounts - - gui - - audit - - pam - - name: "MEDIUM | V-38573 | PATCH | The system must disable accounts after three consecutive unsuccessful logon attempts." pam: service: "{{ item }}" 
@@ -1676,44 +1041,22 @@ - patch - pam -- name: "MEDIUM | V-38574 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." - shell: find /etc/pam.d/ -type f -not -name '*.*' - changed_when: no - register: pamd_files - failed_when: no - tags: - - cat2 - - medium - - V-38574 - - logon_settings - - accounts - - passwords - - audit - - pam - -- name: "MEDIUM | V-38574 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." - shell: "grep password -h /etc/pam.d/* | grep pam_unix.so | awk '{print $4}'" - changed_when: no - always_run: yes - register: pam_pwd_hash_audit - tags: - - cat2 - - medium - - V-38574 - - logon_settings - - accounts - - passwords - - audit +- block: + - name: "MEDIUM | V-38574 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." + shell: find /etc/pam.d/ -type f -not -name '*.*' + changed_when: no + failed_when: no + register: pamd_files -- name: "MEDIUM | V-38574 | PATCH | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." - # The PAM module doesn't make sense for this particular rule. Lineinfile works perfectly here. - lineinfile: - dest: "{{ item }}" - backrefs: yes - regexp: (^password\s*.*pam_unix.so.*)(md5|sha256|blowfish|bigcrypt)(.*) - line: \1sha512\3 - backup: yes - with_items: "{{ pamd_files.stdout_lines }}" + - name: "MEDIUM | V-38574 | PATCH | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." + # The PAM module doesn't make sense for this particular rule. Lineinfile works perfectly here. 
+ lineinfile: + dest: "{{ item }}" + backrefs: yes + regexp: (^password\s*.*pam_unix.so.*)(md5|sha256|blowfish|bigcrypt)(.*) + line: \1sha512\3 + backup: yes + with_items: "{{ pamd_files.stdout_lines }}" tags: - cat2 - medium @@ -1723,18 +1066,6 @@ - passwords - patch -- name: "MEDIUM | V-38576 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs)" - shell: "grep ENCRYPT_METHOD /etc/login.defs | awk '{print $2}'" - always_run: yes - changed_when: no - register: login_defs_audit - tags: - - audit - - medium - - cat2 - - V-38576 - - passwords - - name: "MEDIUM | V-38576 | PATCH | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs)" lineinfile: state: present @@ -1749,18 +1080,6 @@ - V-38576 - passwords -- name: "MEDIUM | V-38577 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf)" - shell: "grep crypt_style /etc/libuser.conf | awk '{print $3}'" - always_run: yes - changed_when: no - register: libuser_audit - tags: - - cat2 - - medium - - audit - - V-38577 - - passwords - - name: "MEDIUM | V-38577 | PATCH | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf)" ini_file: state: present 
@@ -1777,25 +1096,6 @@ - V-38577 - passwords -- name: | - - MEDIUM | V-38579 | AUDIT | The system boot loader configuration file(s) must be owned by root. - MEDIUM | V-38581 | AUDIT | The system boot loader configuration file(s) must be group-owned by root. - MEDIUM | V-38583 | AUDIT | The system boot loader configuration file(s) must have mode 0600 or less permissive. - stat: - path: /etc/grub.conf - register: grub_conf_audit - always_run: yes - tags: - - cat2 - - medium - - V-38579 - - V-38581 - - V-38583 - - file_perms - - grub - - audit - - name: "MEDIUM | V-38579 | PATCH | The system boot loader configuration file(s) must be owned by root." file: dest: /etc/grub.conf @@ -1810,20 +1110,6 @@ - grub - patch -- name: "MEDIUM | V-38580 | AUDIT | The audit system must be configured to audit the loading and unloading of dynamic kernel modules." - shell: egrep -e "(-w |-F path=)/sbin/insmod" /etc/audit/audit.rules; egrep -e "(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules; egrep -e "(-w |-F path=)/sbin/rmmod" /etc/audit/audit.rules;grep -w "init_module" /etc/audit/audit.rules; grep -w "init_module" /etc/audit/audit.rules - always_run: yes - changed_when: False - failed_when: no - register: dynamic_kernel_loading_audit - tags: - - cat2 - - medium - - audit - - kernel - - auditd - - V-38580 - - name: "MEDIUM | V-38580 | PATCH | The audit system must be configured to audit the loading and unloading of dynamic kernel modules." lineinfile: backup: yes 
@@ -1859,42 +1145,22 @@ # List all xinetd services then look for 'on' in the output # If any xinted service is found to be on, skip these tasks since xinetd can be on if a service is using it -- name: "MEDIUM | V-38582 | AUDIT | The xinetd service must be disabled if no network services utilizing it are enabled" - shell: "chkconfig --list | sed -n '/xinetd based services/,$p'" - changed_when: no - always_run: yes - register: xinetd_services - tags: - - cat2 - - V-38582 - - medium - - xinetd - - services - - audit - -- name: "MEDIUM | V-38582 | AUDIT | The xinetd service must be disabled if no network services utilizing it are enabled" - command: chkconfig "xinetd" --list - always_run: yes - failed_when: no - changed_when: no - register: xinetd_audit - tags: - - cat2 - - medium - - V-38582 - - xinetd - - services - - audit +- block: + - name: "MEDIUM | V-38582 | AUDIT | The xinetd service must be disabled if no network services utilizing it are enabled" + command: chkconfig xinetd --list + check_mode: no + failed_when: no + changed_when: no + register: xinetd_service_check -- name: "MEDIUM | V-38582 | PATCH | The xinetd service must be disabled if no network services utilizing it are enabled" - service: - name: xinetd - enabled: no - state: stopped - when: - - xinetd_audit.rc == 0 - - xinetd_services.stdout - - "not xinetd_services.stdout | search(': +\ton')" + - name: "MEDIUM | V-38582 | PATCH | The xinetd service must be disabled if no network services utilizing it are enabled" + service: + name: xinetd + enabled: no + state: stopped + when: + - xinetd_service_check.rc == 0 + - not rhel6stig_xinetd_required tags: - cat2 - medium 
@@ -1917,25 +1183,36 @@ - patch - grub -- name: "MEDIUM | V-38585 | AUDIT | The system boot loader must require authentication." - command: grep password /etc/grub.conf - always_run: yes - failed_when: no - changed_when: no - register: grub_auth_audit - tags: - - cat2 - - medium - - V-38585 - - grub - - passwords - - audit - -- name: "MEDIUM | V-38585 | PATCH | The system boot loader must require authentication." - grub_crypt: - password: "{{ rhel6stig_bootloader_password }}" - register: grub_pass - when: grub_auth_audit|failed +- block: + - name: "MEDIUM | V-38585 | AUDIT | The system boot loader must require authentication." + command: grep password /etc/grub.conf + check_mode: no + failed_when: no + changed_when: no + register: grub_auth_audit + + - name: "MEDIUM | V-38585 | PATCH | The system boot loader must require authentication." + grub_crypt: + password: "{{ rhel6stig_bootloader_password }}" + register: grub_pass + when: grub_auth_audit.rc == 1 + tags: + - cat2 + - medium + - V-38585 + - grub + - passwords + - patch + + - name: "MEDIUM | V-38585 | PATCH | The system boot loader must require authentication." + lineinfile: + state: present + line: password --encrypted {{ grub_pass.passhash }} + dest: /etc/grub.conf + follow: yes + insertafter: '^#\s' + regexp: password + when: grub_auth_audit.rc == 1 tags: - cat2 - medium 
@@ -1944,35 +1221,6 @@ - passwords - patch -- name: "MEDIUM | V-38585 | PATCH | The system boot loader must require authentication." - lineinfile: - state: present - line: password --encrypted {{ grub_pass.passhash }} - dest: /etc/grub.conf - follow: yes - insertafter: '^#\s' - regexp: password - when: grub_auth_audit|failed - tags: - - cat2 - - medium - - V-38585 - - grub - - passwords - - patch - -- name: "MEDIUM | V-38586 | AUDIT | The system must require authentication upon booting into single-user and maintenance modes." - command: grep SINGLE /etc/sysconfig/init - changed_when: no - always_run: yes - register: single_user_mode_auth_audit - tags: - - cat2 - - medium - - V-38586 - - root_access - - audit - - name: "MEDIUM | V-38586 | PATCH | The system must require authentication upon booting into single-user and maintenance modes." lineinfile: state: present @@ -1988,19 +1236,6 @@ - V-38503 - patch -- name: "MEDIUM | V-38588 | AUDIT | The system must not permit interactive boot." - command: grep PROMPT /etc/sysconfig/init - always_run: yes - changed_when: no - failed_when: no - register: interactive_boot_audit - tags: - - cat2 - - medium - - V-38588 - - interactive_boot - - audit - - name: "MEDIUM | V-38588 | PATCH | The system must not permit interactive boot." lineinfile: state: present @@ -2015,19 +1250,6 @@ - interactive_boot - patch -- name: "MEDIUM | V-38592 | AUDIT | The system must require administrator action to unlock an account locked by excessive failed login attempts." - shell: grep -h pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth | grep unlock_time - changed_when: no - always_run: yes - register: admin_unlock_audit - tags: - - cat2 - - medium - - V-38592 - - accounts - - logon_settings - - audit - - name: "MEDIUM | V-38592 | PATCH | The system must require administrator action to unlock an account locked by excessive failed login attempts." pam: service: "{{ item }}" 
@@ -2090,19 +1312,6 @@ - patch - pam -- name: "MEDIUM | V-38593 | AUDIT | The Department of Defense (DoD) login banner must be displayed immediately prior to or as part of console login prompts" - command: cat /etc/issue - changed_when: no - always_run: yes - register: login_banner_audit - tags: - - cat2 - - medium - - V-38593 - - logon_settings - - dod_login_banner - - audit - - name: "MEDIUM | V-38593 | PATCH | The Department of Defense (DoD) login banner must be displayed immediately prior to or as part of console login prompts" copy: content: "{{ rhel6stig_login_banner }}" @@ -2123,20 +1332,7 @@ - patch # Not automated -#- name: "MEDIUM | V-38595 | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication." - -- name: "MEDIUM | V-38596 | AUDIT | The system must implement virtual address space randomization." - shell: "sysctl kernel.randomize_va_space | awk '{print $3}'" - changed_when: no - always_run: yes - register: virt_addr_space_randomization_audit - tags: - - cat2 - - audit - - medium - - sysctl - - kernel - - V-38596 +# - name: "MEDIUM | V-38595 | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication." - name: "MEDIUM | V-38596 | PATCH | The system must implement virtual address space randomization." sysctl: @@ -2154,19 +1350,6 @@ - kernel - V-38596 -- name: "MEDIUM | V-38597 | AUDIT | The system must limit the ability of processes to have simultaneous write and execute access to memory." - shell: "sysctl kernel.exec-shield | awk '{print $3}'" - changed_when: no - always_run: yes - register: simultaneous_wr_memory_audit - tags: - - cat2 - - audit - - medium - - sysctl - - kernel - - V-38597 - - name: "MEDIUM | V-38597 | PATCH | The system must limit the ability of processes to have simultaneous write and execute access to memory." sysctl: name: kernel.exec-shield 
@@ -2184,21 +1367,6 @@ - V-38597 - kernel_parameters -- name: "MEDIUM | V-38599 | AUDIT | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner" - shell: grep banner_file /etc/vsftpd/vsftpd.conf | cut -f2- -d'=' | xargs cat - failed_when: no - changed_when: no - always_run: yes - register: vsftpd_banner_audit - tags: - - cat2 - - medium - - V-38599 - - vsftp - - dod_login_banner - - logon_settings - - audit - - name: "MEDIUM | V-38599 | PATCH | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner" lineinfile: state: present @@ -2218,19 +1386,6 @@ - patch -- name: "MEDIUM | V-38600 | AUDIT | The system must not send ICMPv4 redirects by default." - shell: "sysctl net.ipv4.conf.default.send_redirects | awk '{print $3}'" - changed_when: no - always_run: yes - register: icmpv4_redirects_audit - tags: - - cat2 - - medium - - V-38600 - - icmp - - sysctl - - audit - - name: "MEDIUM | V-38600 | PATCH | The system must not send ICMPv4 redirects by default." sysctl: name: net.ipv4.conf.default.send_redirects @@ -2246,19 +1401,6 @@ - sysctl - patch -- name: "MEDIUM | V-38601 | AUDIT | The system must not send ICMPv4 redirects from any interface." - shell: "sysctl net.ipv4.conf.all.send_redirects | awk '{print $3}'" - changed_when: no - always_run: yes - register: any_iface_icmp_redirect_audit - tags: - - medium - - cat2 - - V-38601 - - icmp - - sysctl - - audit - - name: "MEDIUM | V-38601 | PATCH | The system must not send ICMPv4 redirects from any interface." sysctl: name: net.ipv4.conf.all.send_redirects 
@@ -2274,20 +1416,6 @@ - sysctl - patch -- name: "MEDIUM | V-38603 | AUDIT | The ypserv package must not be installed." - command: rpm -q ypserv - always_run: yes - changed_when: no - register: ypserv_audit - failed_when: no - tags: - - medium - - V-38603 - - audit - - cat2 - - ypserv - - packages - - name: "MEDIUM | V-38603 | PATCH | The ypserv package must not be installed." yum: name: ypserv @@ -2300,27 +1428,20 @@ - ypserv - packages -- name: "MEDIUM | V-38604 | AUDIT | The ypbind service must not be running." - command: chkconfig ypbind --list - changed_when: no - failed_when: no - always_run: yes - register: ypbind_service_audit - when: "'ypbind' in sysv_services.stdout" - tags: - - medium - - V-38604 - - patch - - cat2 - - ypbind - - services +- block: + - name: "MEDIUM | V-38604 | AUDIT | The ypbind service must not be running." + command: chkconfig ypbind --list + changed_when: no + failed_when: no + check_mode: no + register: ypbind_service_check -- name: "MEDIUM | V-38604 | PATCH | The ypbind service must not be running." - service: - name: ypbind - state: stopped - enabled: no - when: "'ypbind' in sysv_services.stdout" + - name: "MEDIUM | V-38604 | PATCH | The ypbind service must not be running." + service: + name: ypbind + state: stopped + enabled: no + when: ypbind_service_check.rc == 0 tags: - medium - V-38604 
@@ -2329,28 +1450,20 @@ - ypbind - services -- name: "MEDIUM | V-38605 | AUDIT | The cron service must be running" - command: service crond status - changed_when: no - always_run: yes - failed_when: no - register: crond_status_audit - when: "'crond' in sysv_services.stdout" - tags: - - medium - - cat2 - - cron - - audit - - network - - V-38605 - - services +- block: + - name: "MEDIUM | V-38605 | AUDIT | Make sure the cron package is installed" + yum: + name: "{{item}}" + state: present + with_items: + - cronie + - cronie-anacron -- name: "MEDIUM | V-38605 | PATCH | The cron service must be running" - service: - name: crond - state: started - enabled: yes - when: "'crond' in sysv_services.stdout" + - name: "MEDIUM | V-38605 | PATCH | The cron service must be running" + service: + name: crond + state: started + enabled: yes tags: - medium - cat2 @@ -2359,21 +1472,6 @@ - V-38605 - services -- name: "MEDIUM | V-38606 | AUDIT | The tftp-server package must not be installed unless required." - command: rpm -q tftp-server - failed_when: no - always_run: yes - changed_when: no - register: tftp_server_install_audit - when: not rhel6stig_tftp_required - tags: - - medium - - cat2 - - V-38606 - - tftp - - packages - - audit - - name: "MEDIUM | V-38606 | PATCH | The tftp-server packages must not be intalled unless required." yum: name: tftp-server 
@@ -2387,26 +1485,22 @@ - packages - patch -- name: "MEDIUM | V-38609 | AUDIT | The TFTP service must not be running." - command: chkconfig tftp --list - failed_when: no - always_run: yes - changed_when: no - register: tftp_service_audit - when: not rhel6stig_tftp_required and 'tftp' in xinetd_services.stdout - tags: - - medium - - cat2 - - V-38609 - - audit - - tftp - - services - # Use command instead of service since the service module fails when trying # to manage xined services -- name: "MEDIUM | V-38609 | PATCH | The TFTP service must not be running." - command: chkconfig tftp off - when: not rhel6stig_tftp_required and 'tftp' in xinetd_services.stdout and 'on' in tftp_service_audit.stdout +- block: + - name: "MEDIUM | V-38609 | AUDIT | The tftp service must not be running unless required." + command: chkconfig tftp --list + changed_when: no + check_mode: no + failed_when: no + register: tftp_service_check + + - name: "MEDIUM | V-38609 | PATCH | The TFTP service must not be running." + command: chkconfig tftp off + when: + - not rhel6stig_tftp_required + - "tftp_service_check.rc == 0" + - "'on' in tftp_service_check.stdout" tags: - medium - cat2 @@ -2415,21 +1509,6 @@ - services - patch -- name: "MEDIUM | V-38611 | AUDIT | The SSH daemon must ignore .rhosts files." - command: grep -i IgnoreRhosts /etc/ssh/sshd_config - always_run: yes - failed_when: no - changed_when: no - register: sshd_rhosts_ignore_audit - tags: - - medium - - cat2 - - V-38611 - - ssh - - rhosts - - sshd - - audit - - name: "MEDIUM | V-38611 | PATCH | The SSH daemon must ignore .rhosts files." lineinfile: state: present @@ -2437,7 +1516,7 @@ line: IgnoreRhosts yes dest: /etc/ssh/sshd_config validate: sshd -t -f %s - notify: restart ssh + notify: restart sshd tags: - cat2 - medium 
@@ -2446,18 +1525,6 @@ - rhosts - sshd -- name: "MEDIUM | V-38612 | AUDIT | The SSH daemon must not allow host-based authentication." - command: grep -i HostbasedAuthentication /etc/ssh/sshd_config - register: sshd_host_based_authentication_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38612 - - sshd - - name: "MEDIUM | V-38612 | PATCH | The SSH daemon must not allow host-based authentication." lineinfile: state: present @@ -2465,7 +1532,7 @@ line: HostbasedAuthentication no dest: /etc/ssh/sshd_config validate: sshd -t -f %s - notify: restart ssh + notify: restart sshd tags: - cat2 - medium @@ -2474,18 +1541,6 @@ - sshd -- name: "MEDIUM | V-38613 | AUDIT | The system must not permit root logins using remote access programs such as ssh." - command: grep -i PermitRootLogin /etc/ssh/sshd_config - failed_when: no - changed_when: no - register: sshd_root_login_audit - tags: - - cat2 - - MEDIUM - - audit - - V-38613 - - sshd - - name: "MEDIUM | V-38613 | PATCH | The system must not permit root logins using remote access programs such as ssh." lineinfile: state: present @@ -2493,7 +1548,7 @@ regexp: '^#?PermitRootLogin' line: 'PermitRootLogin no' validate: sshd -t -f %s - notify: restart ssh + notify: restart sshd tags: - cat2 - medium @@ -2508,7 +1563,7 @@ regexp: '^#?Banner' line: Banner /etc/issue validate: sshd -t -f %s - notify: restart ssh + notify: restart sshd tags: - cat2 - medium @@ -2517,18 +1572,6 @@ - logon_settings - dod_login_banner -- name: "MEDIUM | V-38617 | AUDIT | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers." - command: grep Ciphers /etc/ssh/sshd_config - register: sshd_ciphers_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38617 - - sshd - - name: "MEDIUM | V-38617 | PATCH | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers." lineinfile: state: present 
@@ -2536,7 +1579,7 @@ regexp: '^#?Ciphers' line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc validate: sshd -t -f %s - notify: restart ssh + notify: restart sshd tags: - cat2 - medium @@ -2544,18 +1587,6 @@ - V-38617 - sshd -- name: "MEDIUM | V-38619 | AUDIT | There must be no .netrc files on the system." - command: find /root /home -xdev -name .netrc - register: netrc_files_audit - failed_when: no - changed_when: no - tags: - - cat2 - - MEDIUM - - audit - - V-38619 - - netrc - - name: "MEDIUM | V-38619 | PATCH | There must be no .netrc files on the system" file: state: absent 
@@ -2568,82 +1599,39 @@ - V-38619 - netrc -- name: MEDIUM | V-38620, V-38621 | Ensure NTP is installed - yum: - name: ntp - state: present - tags: - - cat2 - - medium - - patch - - V-38620 - - V-38621 - - ntp - -- name: "MEDIUM | V-38620 | AUDIT | The system clock must be synchronized continuously or at least daily." - command: service ntpd status - register: ntpd_service_status_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38620 - - ntp - -- name: "MEDIUM | V-38620 | PATCH | The system clock must be synchronized continuously or at least daily." - service: - name: ntpd - state: started - enabled: yes - tags: - - cat2 - - medium - - patch - - V-38620 - - ntp - -- name: "MEDIUM | V-38621 | AUDIT | The system clock must be synchronized to an authoritative DoD time source." - command: grep -E '^server' /etc/ntp.conf - register: ntp_server_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38621 - - ntp - -- name: "MEDIUM | V-38621 | PATCH | The system clock must be synchronized to an authoritative DoD time source." - template: - src: ntp.conf.j2 - dest: /etc/ntp.conf - owner: root - group: root - mode: 0644 - notify: restart ntpd +- block: + - name: MEDIUM | V-38620, V-38621 | Ensure NTP is installed + yum: + name: ntp + state: present + tags: + - V-38620 + - V-38621 + + - name: "MEDIUM | V-38620 | PATCH | The system clock must be synchronized continuously or at least daily." + service: + name: ntpd + state: started + enabled: yes + tags: + - V-38620 + + - name: "MEDIUM | V-38621 | PATCH | The system clock must be synchronized to an authoritative DoD time source." + template: + src: ntp.conf.j2 + dest: /etc/ntp.conf + owner: root + group: root + mode: 0644 + notify: restart ntpd + tags: + - V-38621 tags: - cat2 - medium - patch - - V-38621 - ntp -- name: "MEDIUM | V-38622 | AUDIT | Mail relaying must be restricted." 
- command: grep ^inet_interfaces /etc/postfix/main.cf - register: mail_relay_audit - failed_when: no - changed_when: no - when: not rhel6stig_is_mail_relay - tags: - - cat2 - - medium - - audit - - V-38622 - - postfix - - name: "MEDIUM | V-38622 | PATCH | Mail relaying must be restricted." lineinfile: state: present @@ -2661,27 +1649,21 @@ - V-38622 - postfix -- name: "MEDIUM | V-38623 | PATCH | All rsyslog-generated log files must have mode 0600 or less permissive." - file: - dest: "{{ item }}" - mode: 0600 - state: file - with_items: "{{ rsyslog_logfiles .stdout_lines }}" - tags: - - cat2 - - medium - - patch - - V-38623 - - file_perms - - rsyslog +- block: + - name: "MEDIUM | V-38623 | PATCH | All rsyslog-generated log files must have mode 0600 or less permissive." + file: + dest: "{{ item }}" + mode: 0600 + state: file + with_items: "{{ rsyslog_logfiles.stdout_lines }}" -# As described in https://access.redhat.com/solutions/66805, the -# permissions for /var/log/boot.log have to be changed each time the -# system is rebooted. -- name: "MEDIUM | V-38623 | PATCH | All rsyslog-generated log files must have mode 0600 or less permissive." - lineinfile: - dest: /etc/rc.d/rc.local - line: chmod u-x,go-rwx /var/log/boot.log + # As described in https://access.redhat.com/solutions/66805, the + # permissions for /var/log/boot.log have to be changed each time the + # system is rebooted. + - name: "MEDIUM | V-38623 | PATCH | All rsyslog-generated log files must have mode 0600 or less permissive." + lineinfile: + dest: /etc/rc.d/rc.local + line: chmod u-x,go-rwx /var/log/boot.log tags: - cat2 - medium 
@@ -2690,83 +1672,25 @@ - rsyslog - patch -- name: "MEDIUM | V-38624 | AUDIT | System logs must be rotated daily." - shell: grep logrotate /var/log/cron* - changed_when: no - failed_when: no - register: logrotate_audit - tags: - - cat2 - - medium - - audit - - V-38624 - - logrotate - - syslog - -- name: "MEDIUM | V-38624 | PATCH | System logs must be rotated daily." - yum: - name: logrotate - state: present - tags: - - cat2 - - medium - - patch - - V-38624 - - logrotate - - syslog - -# V-38625 is checked but not automatically patched, please see not_automated.yml - -- name: "MEDIUM | V-38626 | AUDIT | The LDAP client must use a TLS connection using trust certificates signed by the site CA." - command: grep tls_cacert /etc/pam_ldap.conf - register: ldap_tls_audit - when: pam_ldap_test.stat.exists - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38626 - - ldap - -- name: "MEDIUM | V-38626 | PATCH | The LDAP client must use a TLS connection using trust certificates signed by the site CA." - lineinfile: - state: present - backup: yes - dest: /etc/pam_ldap.conf - regexp: '^#?tls_cacertdir' - line: 'tls_cacertdir /etc/ssl/certs' - when: pam_ldap_test.stat.exists - tags: - - cat2 - - medium - - patch - - V-38626 - - ldap - -- name: "MEDIUM | V-38627 | PATCH | The openldap-servers package must not be installed unless required." 
- yum: - name: openldap-servers - state: absent - when: not rhel6stig_ldap_server - tags: - - cat2 - - medium - - patch - - V-38627 - - ldap - +- block: + - name: MEDIUM | V-38628, V-38631, V-38632 | Ensure audit package is installed + yum: + name: audit + state: present + tags: + - V-38628 + - V-38631 + - V-38632 -- name: | + - name: | - MEDIUM | V-38628 | PATCH | The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event - MEDIUM | V-38631 | PATCH | The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods - MEDIUM | V-38632 | PATCH | The operating system must produce audit records containing sufficient information to establish what type of events occurred. - service: - name: auditd - state: started - enabled: yes + MEDIUM | V-38628 | PATCH | The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event + MEDIUM | V-38631 | PATCH | The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods + MEDIUM | V-38632 | PATCH | The operating system must produce audit records containing sufficient information to establish what type of events occurred. + service: + name: auditd + state: started + enabled: yes tags: - cat2 - medium 
@@ -2843,22 +1767,20 @@ - V-38636 - auditd -- name: "MEDIUM | V-38637 | AUDIT | The system package management tool must verify contents of all files associated with the audit package." - shell: "rpm -V audit | awk '$1 ~ /..5/ && $2 != \"c\"'" - changed_when: false - register: audit_package_integrity_check_audit - failed_when: audit_package_integrity_check_audit.stderr - tags: - - cat2 - - medium - - audit - - V-38637 - - auditd - - rpm +- block: + - name: "MEDIUM | V-38637 | AUDIT | The system package management tool must verify contents of all files associated with the audit package." + shell: "rpm -V audit | awk '$1 ~ /..5/ && $2 != \"c\"'" + args: + warn: no + changed_when: no + failed_when: audit_package_integrity_check_audit.stderr + register: audit_package_integrity_check_audit -- name: "MEDIUM | V-38637 | PATCH | The system package management tool must verify contents of all files associated with the audit package." - command: yum -y reinstall audit - when: audit_package_integrity_check_audit.stdout + - name: "MEDIUM | V-38637 | PATCH | The system package management tool must verify contents of all files associated with the audit package." + command: yum -y reinstall audit + args: + warn: no + when: audit_package_integrity_check_audit.stdout tags: - cat2 - medium 
@@ -2882,17 +1804,10 @@ - gui - screen_lock -- name: "MEDIUM | V-38658 | AUDIT | The system must prohibit the reuse of passwords within five iterations." - command: grep remember /etc/pam.d/system-auth - register: password_reuse_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38658 - - pam +# Not automated +# - name: "MEDIUM | V-38643 | AUDIT | There must be no world-writable files on the system." +# - name: "MEDIUM | V-38652 | AUDIT | Remote file systems must be mounted with the 'nodev' option" +# - name: "MEDIUM | V-38654 | AUDIT | Remote file systems must be mounted with the nosuid option" - name: "MEDIUM | V-38658 | PATCH | The system must prohibit the reuse of passwords within five iterations." pam: 
@@ -2911,45 +1826,39 @@ - V-38658 - pam -- name: "MEDIUM | V-38660 | AUDIT | The snmpd service must use only SNMP protocol version 3 or newer." - shell: 'grep ''v1\|v2c\|com2sec'' /etc/snmp/snmpd.conf | grep -v ''^#''' - register: snmpd_version_audit - changed_when: no - failed_when: no +- block: + - name: "MEDIUM | V-38660 | AUDIT | The snmpd service must use only SNMP protocol version 3 or newer." + shell: grep 'v1\|v2c\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#' + changed_when: no + failed_when: no + register: snmpd_version_audit + + - name: "MEDIUM | V-38660 | PATCH | The snmpd service must use only SNMP protocol version 3 or newer." + lineinfile: + dest: /etc/snmp/snmpd.conf + state: absent + regexp: '^.*(v1|v2c|com2sec).*' + when: snmpd_version_audit.rc == 0 + notify: restart snmpd tags: - cat2 - medium - - audit + - patch - V-38660 - - snmpd - -- name: "MEDIUM | V-38660 | PATCH | The snmpd service must use only SNMP protocol version 3 or newer." - lineinfile: - dest: /etc/snmp/snmpd.conf - state: absent - regexp: '^.*(v1|v2c|com2sec).*' - failed_when: no - tags: - - cat2 + - snmp -- name: "MEDIUM | V-38663 | AUDIT | The system package management tool must verify permissions on all files and directories associated with the audit package." - shell: rpm -V audit | grep '^.M' - register: audit_package_permissions_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38663 - - auditd - - file_perms - - rpm +- block: + - name: "MEDIUM | V-38663 | AUDIT | The system package management tool must verify permissions on all files and directories associated with the audit package." + shell: rpm -V audit | grep '^.M' + args: + warn: no + register: audit_package_permissions_audit + failed_when: no + changed_when: no -- name: "MEDIUM | V-38663 | PATCH | The system package management tool must verify permissions on all files and directories associated with the audit package." 
- command: rpm --setperms audit - register: audit_package_permissions_audit - when: audit_package_permissions_audit.stdout + - name: "MEDIUM | V-38663 | PATCH | The system package management tool must verify permissions on all files and directories associated with the audit package." + command: rpm --setperms audit + when: audit_package_permissions_audit.stdout tags: - cat2 - medium @@ -2959,23 +1868,18 @@ - auditd - rpm -- name: "MEDIUM | V-38664 | AUDIT | The system package management tool must verify ownership on all files and directories associated with the audit package." - shell: rpm -V audit | grep '^.....U' - register: audit_package_ownership_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38664 - - auditd - - file_perms - - rpm +- block: + - name: "MEDIUM | V-38664 | AUDIT | The system package management tool must verify ownership on all files and directories associated with the audit package." + shell: rpm -V audit | grep '^.....U' + args: + warn: no + failed_when: no + changed_when: no + register: audit_package_ownership_audit -- name: "MEDIUM | V-38664 | PATCH | The system package management tool must verify ownership on all files and directories associated with the audit package." - command: rpm --setugids audit - when: audit_package_ownership_audit.stdout + - name: "MEDIUM | V-38664 | PATCH | The system package management tool must verify ownership on all files and directories associated with the audit package." + command: rpm --setugids audit + when: audit_package_ownership_audit.stdout tags: - cat2 - medium 
@@ -2985,23 +1889,16 @@ - file_perms - rpm -- name: "MEDIUM | V-38665 | AUDIT | The system package management tool must verify group-ownership on all files and directories associated with the audit package." - shell: rpm -V audit | grep '^......G' - register: audit_package_group_ownership_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38665 - - auditd - - file_perms - - rpm +- block: + - name: "MEDIUM | V-38665 | AUDIT | The system package management tool must verify group-ownership on all files and directories associated with the audit package." + shell: rpm -V audit | grep '^......G' + failed_when: no + changed_when: no + register: audit_package_group_ownership_audit -- name: "MEDIUM | V-38665 | PATCH | The system package management tool must verify group-ownership on all files and directories associated with the audit package." - command: rpm --setugids audit - when: audit_package_group_ownership_audit.stdout + - name: "MEDIUM | V-38665 | PATCH | The system package management tool must verify group-ownership on all files and directories associated with the audit package." + command: rpm --setugids audit + when: audit_package_group_ownership_audit.stdout tags: - cat2 - medium 
@@ -3012,32 +1909,7 @@ - rpm # Not automated -#- name: "MEDIUM | V-38667 | Inspect the system to determine if intrusion detection software has been installed." - -- name: | - - MEDIUM | V-38670 | AUDIT | The operating system must detect unauthorized changes to software and information. - MEDIUM | V-38673 | AUDIT | The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked. - MEDIUM | V-38695 | AUDIT | A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. - MEDIUM | V-38696 | AUDIT | The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system. - MEDIUM | V-38698 | AUDIT | The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency. - MEDIUM | V-38700 | AUDIT | The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. - shell: grep aide {{ rhel6stig_aide_cron['cron_file'] }} /etc/cron.*/* - register: aide_cron_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38670 - - V-38673 - - V-38695 - - V-38696 - - V-38698 - - V-38700 - - file_integrity - - aide +# - name: "MEDIUM | V-38667 | Inspect the system to determine if intrusion detection software has been installed." - name: | 
@@ -3070,22 +1942,16 @@ - file_integrity - aide -- name: "MEDIUM | V-38671 | PATCH | The sendmail package must be removed." - yum: - name: postfix - state: present - tags: - - cat2 - - medium - - patch - - V-38671 - - sendmail - - unauthorized_packages +- block: + - name: "MEDIUM | V-38671 | PATCH | Postfix must be installed before removing sendmail." + yum: + name: postfix + state: present -- name: "MEDIUM | V-38671 | PATCH | The sendmail package must be removed" - yum: - name: sendmail - state: absent + - name: "MEDIUM | V-38671 | PATCH | The sendmail package must be removed" + yum: + name: sendmail + state: absent tags: - cat2 - medium @@ -3094,19 +1960,6 @@ - sendmail - unauthorized_packages -- name: "MEDIUM | V-38674 | AUDIT | X Windows must not be enabled unless required." - command: grep initdefault /etc/inittab - register: runlevel_audit - failed_when: no - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38674 - - xwindows - - gui - - name: "MEDIUM | V-38674 | PATCH | X Windows must not be enabled unless required" lineinfile: state: present @@ -3142,7 +1995,6 @@ regexp: ^BOOTPROTO= line: 'BOOTPROTO="none"' with_items: "{{ interface_config_files.files }}" - register: dhcp_change when: - interface_config_files.matched > 0 - not rhel6stig_use_dhcp 
@@ -3184,13 +2036,21 @@ - kernel_modules - patch -- name: "MEDIUM | V-38686 | PATCH | The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets." - lineinfile: - state: present - dest: /etc/sysconfig/iptables - regexp: ':FORWARD' - line: ':FORWARD DROP [0:0]' - notify: restart iptables +- block: + - name: "MEDIUM | V-38686 | AUDIT | iptables module is not idempotent for Policy actions currently" + shell: iptables -S | grep '\-P FORWARD' | cut -d ' ' -f 3 + changed_when: no + failed_when: no + check_mode: no + register: iptables_forward_chain_policy_check + + - name: "MEDIUM | V-38686 | PATCH | The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets." + iptables: + chain: FORWARD + ip_version: ipv4 + policy: DROP + when: "iptables_forward_chain_policy_check.stdout != 'DROP'" + notify: save iptables rules tags: - cat2 - medium @@ -3210,18 +2070,6 @@ - logon_settings - xwindows - gui - - scif_banner - -- name: "MEDIUM | V-38689 | PATCH | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts" - command: "gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text ' {{ rhel6stig_graphical_login_banner }}'" - when: rhel6stig_xwindows_required - notify: restart gdm - tags: - - cat2 - - V-38689 - - logon_settings - - xwindows - - gui - dod_login_banner - patch 
@@ -3235,29 +2083,23 @@ - logon_settings - xwindows - gui - - SCIF_logon_banner + - dod_login_banner - patch -- name: "MEDIUM | V-38691 | AUDIT | The Bluetooth service must be disabled" - command: chkconfig bluetooth --list - register: bluetooth_service_audit - changed_when: false - failed_when: false - always_run: yes - tags: - - cat2 - - medium - - V-38691 - - bluetooth - - services - - audit +- block: + - name: "MEDIUM | V-38691 | AUDIT | The Bluetooth service must be disabled" + command: chkconfig bluetooth --list + check_mode: no + failed_when: no + changed_when: no + register: bluetooth_service_check -- name: "MEDIUM | V-38691 | PATCH | The Bluetooth service must be disabled" - service: - name: bluetooth - state: stopped - enabled: no - when: "':on' in bluetooth_service_audit.stdout" + - name: "MEDIUM | V-38691 | PATCH | The Bluetooth service must be disabled" + service: + name: bluetooth + state: stopped + enabled: no + when: bluetooth_service_check.rc == 0 tags: - cat2 - medium @@ -3305,6 +2147,19 @@ - selinux - patch +- name: "MEDIUM | V-51391 | AUDIT | A file integrity baseline must be created." + stat: + path: "{{rhel6stig_aide_dbdir}}/{{rhel6stig_aide_dbfile}}" + register: aide_dbfile + changed_when: not aide_dbfile.stat.exists + notify: init aide + tags: + - cat2 + - medium + - V-51391 + - aide + - patch + - name: "MEDIUM | V-51875 | PATCH | The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access." pam: service: system-auth-ac 
@@ -3322,27 +2177,6 @@ - patch - pam -- name: 'MEDIUM | V-51391 | AUDIT | A file integrity baseline must be created.' - stat: - path: /var/lib/aide/aide.db.gz - register: aide_db - tags: - - cat2 - - medium - - V-51391 - - aide - - audit - -- name: 'MEDIUM | V-51391 | PATCH | A file integrity baseline must be created.' - shell: /usr/sbin/aide --init && cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz - when: not aide_db.stat.exists - tags: - - cat2 - - medium - - V-51391 - - aide - - patch - - name: "MEDIUM | V-54381 | PATCH | The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low." lineinfile: regexp: '^admin_space_left_action' 
@@ -3355,29 +2189,23 @@ - auditd - patch -- name: "MEDIUM | V-57569 | AUDIT | The noexec option must be added to the /tmp partition." - command: egrep '^([^#[:space:]]+[[:space:]]+/tmp[[:space:]]+[^[:space:]]+[[:space:]]+)([^[:space:]]+)([[:space:]]+.*)$' /etc/fstab - register: fstab_tmp_audit - changed_when: no - failed_when: no - always_run: yes - tags: - - cat2 - - medium - - V-57569 - - fstab - - tmpdir - - audit +- block: + - name: "MEDIUM | V-57569 | AUDIT | The noexec option must be added to the /tmp partition." + command: egrep '^([^#[:space:]]+[[:space:]]+/tmp[[:space:]]+[^[:space:]]+[[:space:]]+)([^[:space:]]+)([[:space:]]+.*)$' /etc/fstab + changed_when: no + failed_when: no + check_mode: no + register: fstab_tmp_audit -- name: "MEDIUM | V-57569 | PATCH | The noexec option must be added to the /tmp partition." - lineinfile: - regexp: '^([^\s]+\s+/tmp\s+[^\s]+\s+)([^\s]+)(\s+.*)$' - line: '\1\2,noexec\3' - backrefs: yes - dest: /etc/fstab - backup: yes - when: "'/tmp' in fstab_mountpoints.stdout_lines and 'noexec' not in fstab_tmp_audit.stdout" - notify: remount /tmp + - name: "MEDIUM | V-57569 | PATCH | The noexec option must be added to the /tmp partition." + lineinfile: + regexp: '^([^\s]+\s+/tmp\s+[^\s]+\s+)([^\s]+)(\s+.*)$' + line: '\1\2,noexec\3' + backrefs: yes + dest: /etc/fstab + backup: yes + when: "'/tmp' in fstab_mountpoints.stdout_lines and 'noexec' not in fstab_tmp_audit.stdout" + notify: remount /tmp tags: - cat2 - medium 
@@ -3386,54 +2214,62 @@ - tmpdir - patch -- name: 'MEDIUM | V-58901 | AUDIT | The sudo command must require authentication.' - # find included configs - shell: cat /etc/sudoers | grep -w '^#include' | awk '{print $2}' - register: sudoers_include_audit - always_run: yes - changed_when: no - tags: - - cat2 - - medium - - V-58901 - - sudoers - - audit +- block: + - name: "MEDIUM | V-58901 | AUDIT | The sudo command must require authentication." + # find included configs + shell: cat /etc/sudoers | grep -w '^#include' | awk '{print $2}' + check_mode: no + changed_when: no + register: sudoers_include_audit + - name: "MEDIUM | V-58901 | AUDIT | The sudo command must require authentication." + # Find files found in the dirs of #includedir directives + shell: cat /etc/sudoers | grep -w '^#includedir' | awk '{print $2}' | xargs -i find {} -type f + check_mode: no + changed_when: no + register: sudoers_includedirs_files -- name: 'MEDIUM | V-58901 | AUDIT | The sudo command must require authentication.' - # Find files found in the dirs of #includedir directives - shell: cat /etc/sudoers | grep -w '^#includedir' | awk '{print $2}' | xargs -i find {} -type f - register: sudoers_includedirs_files - always_run: yes - changed_when: no - tags: - - cat2 - - medium - - V-58901 - - sudoers - - audit + - name: "MEDIUM | V-58901 | AUDIT | The sudo command must require authentication." + # Combine lists + set_fact: + sudoer_configs: "{{ sudoers_include_audit.stdout_lines + sudoers_includedirs_files.stdout_lines + ['/etc/sudoers'] }}" -- name: 'MEDIUM | V-58901 | AUDIT | The sudo command must require authentication.' - # Combine lists - set_fact: - sudoer_configs: "{{ sudoers_include_audit.stdout_lines + sudoers_includedirs_files.stdout_lines + ['/etc/sudoers'] }}" + - name: "MEDIUM | V-58901 | PATCH | The sudo command must require authentication." 
+ lineinfile: + dest: "{{ item }}" + line: \1\2 + regexp: (.*)(!authenticate|NOPASSWD)(.*) + state: absent + with_items: "{{ sudoer_configs }}" + when: not rhel6stig_allow_sudo_without_password tags: - cat2 - medium - V-58901 - sudoers - - audit + - patch -- name: 'MEDIUM | V-58901 | PATCH | The sudo command must require authentication.' - lineinfile: - dest: "{{ item }}" - line: \1\2 - regexp: (.*)(!authenticate|NOPASSWD)(.*) - state: absent - with_items: "{{ sudoer_configs }}" +- block: + - name: "MEDIUM | V-72817 | AUDIT | Wireless network adapters must be disabled." + find: + paths: /etc/sysconfig/network-scripts + file_type: file + patterns: ifcfg-wlan* + check_mode: no + register: wireless_interface_config_files + + - name: "MEDIUM | V-72817 | PATCH | Wireless network adapters must be disabled." + file: + path: "{{item}}" + state: absent + backup: yes + with_items: "{{ wireless_interface_config_files.files }}" + when: + - wireless_interface_config_files.matched > 0 + - not rhel6stig_wireless_required tags: - cat2 - medium - - V-58901 - - sudoers + - V-72817 + - wireless - patch diff --git a/tasks/cat3.yml b/tasks/cat3.yml index 4c0eb14..cd34aeb 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml @@ -3,7 +3,7 @@ register: autofs_service_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -31,7 +31,7 @@ register: grub_audit_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -65,7 +65,7 @@ changed_when: false failed_when: false register: rpm_verify_packages - always_run: yes + check_mode: no tags: - cat3 - low @@ -80,7 +80,7 @@ register: rpm_integrity_audit when: item | match("^..5......[^c]*/.+$") with_items: "{{ rpm_verify_packages.stdout_lines }}" - always_run: yes + check_mode: no tags: - cat3 - low 
@@ -104,7 +104,7 @@ when: item | match("^.M.......\\s+.*?/.+$") register: rpm_file_permissions_audit with_items: "{{ rpm_verify_packages.stdout_lines }}" - always_run: yes + check_mode: no tags: - cat3 - low @@ -128,7 +128,7 @@ when: item | match("^......G..\\s+.*?/.+$") register: rpm_group_ownership_audit with_items: "{{ rpm_verify_packages.stdout_lines }}" - always_run: yes + check_mode: no tags: - cat3 - low @@ -152,7 +152,7 @@ when: item | match("^.....U...\\s+.*?/.+$") register: rpm_group_ownership_audit with_items: "{{ rpm_verify_packages.stdout_lines }}" - always_run: yes + check_mode: no tags: - cat3 - low @@ -176,7 +176,7 @@ register: nfs_all_squash_disabled_audit failed_when: nfs_all_squash_disabled_audit.rc == 2 changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -202,7 +202,7 @@ register: auditd_syslog_output_audit failed_when: auditd_syslog_output_audit.rc == 2 changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -229,7 +229,7 @@ command: gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver when: rhel6stig_xwindows_required register: gui_screen_lock_hotkey_audit - always_run: yes + check_mode: no tags: - cat3 - low @@ -250,7 +250,7 @@ - name: "LOW | V-38478 | AUDIT | The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite." command: chkconfig 'rhnsd' --list register: rhnsd_service_audit - always_run: yes + check_mode: no changed_when: false ignore_errors: yes failed_when: no @@ -281,7 +281,7 @@ register: logindefs_pass_warn_age_audit failed_when: logindefs_pass_warn_age_audit.rc == 2 changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low 
@@ -313,7 +313,7 @@ LOW | V-38693 | AUDIT | The system must require passwords to contain no more than three consecutive repeating characters. command: grep pam_cracklib /etc/pam.d/system-auth register: cracklib_audit - always_run: yes + check_mode: no changed_when: no failed_when: no tags: @@ -362,7 +362,7 @@ - name: "LOW | V-38487 | AUDIT | The system package management tool must cryptographically verify the authenticity of all software packages during installation." command: find /etc/yum.repos.d/ -exec grep -ls '^gpgcheck=0' {} \; changed_when: false - always_run: yes + check_mode: no register: repo_d_gpgcheck_check_audit tags: - cat3 @@ -392,7 +392,7 @@ register: securetty_serial_consoles_audit failed_when: securetty_serial_consoles_audit.rc == 2 changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -418,7 +418,7 @@ register: modprobe_disable_rds_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -505,7 +505,7 @@ register: sysctl_log_martians_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -577,7 +577,7 @@ register: sysctl_accept_redirects_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -609,7 +609,7 @@ register: sysctl_ignore_broadcasts_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -641,7 +641,7 @@ register: sysctl_ignore_bogus_error_responses_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -691,7 +691,7 @@ register: mac_policy_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1171,7 +1171,7 @@ command: grep -w "mount" /etc/audit/audit.rules register: auditd_mount_audit changed_when: no - always_run: yes + check_mode: no failed_when: no tags: - cat3 
@@ -1197,7 +1197,7 @@ - name: "LOW | V-38575 | AUDIT | The audit system must be configured to audit user deletions of files and programs." command: grep -w "rmdir" /etc/audit/audit.rules - always_run: yes + check_mode: no changed_when: no failed_when: no register: auditd_rmdir_audit @@ -1231,7 +1231,7 @@ register: auditd_sudoers_audit changed_when: no failed_when: no - always_run: yes + check_mode: no tags: - cat3 - low @@ -1258,7 +1258,7 @@ register: pkgs_xinetd_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1271,7 +1271,7 @@ register: pkgs_xinetd_services_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1296,7 +1296,7 @@ register: pkgs_screen_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1320,7 +1320,7 @@ - name: "LOW | V-38608 | AUDIT | The SSH daemon must set a timeout interval on idle sessions." shell: grep ClientAliveInterval /etc/ssh/sshd_config | awk '{print $2}' register: sshd_client_alive_interval_audit - always_run: yes + check_mode: no changed_when: no tags: - cat3 @@ -1343,7 +1343,7 @@ - V-38608 - ssh - patch - notify: restart ssh + notify: restart sshd - name: "LOW | V-38610 | PATCH | The SSH daemon must set a timeout count on idle sessions." lineinfile: @@ -1358,7 +1358,7 @@ - V-38610 - ssh - patch - notify: restart ssh + notify: restart sshd - name: "LOW | V-38616 | PATCH | The SSH daemon must not permit user environment settings." lineinfile: @@ -1373,14 +1373,14 @@ - V-38616 - ssh - patch - notify: restart ssh + notify: restart sshd - name: "LOW | V-38618 | AUDIT | The avahi service must be disabled." command: chkconfig 'avahi-daemon' --list register: avahi_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low 
@@ -1391,10 +1391,12 @@ - name: "LOW | V-38618 | AUDIT | The avahi service must be disabled." command: service avahi-daemon status + args: + warn: no register: avahi_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1417,12 +1419,24 @@ - services - patch +- name: "LOW | V-38624 | PATCH | System logs must be rotated daily." + yum: + name: logrotate + state: present + tags: + - cat3 + - low + - patch + - V-38624 + - logrotate + - syslog + - name: "LOW | V-38627 | AUDIT | The openldap-servers package must not be installed unless required." command: rpm -q openldap-servers register: pkgs_openldap_server_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1458,7 +1472,7 @@ - name: "LOW | V-38639 | AUDIT | The system must display a publicly-viewable pattern during a graphical desktop environment session lock." command: gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode register: gconftool_pattern_audit - always_run: yes + check_mode: no changed_when: no when: rhel6stig_xwindows_required tags: @@ -1485,7 +1499,7 @@ register: abrtd_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1499,7 +1513,7 @@ register: abrtd_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1527,7 +1541,7 @@ register: atd_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1541,7 +1555,7 @@ register: atd_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low 
@@ -1567,7 +1581,7 @@ - name: "LOW | V-38642 | AUDIT | The system default umask for daemons must be 027 or 022." shell: grep -e '^umask' /etc/init.d/functions | awk '{print $2}' register: daemon_umask_audit - always_run: yes + check_mode: no failed_when: no changed_when: no tags: @@ -1594,7 +1608,7 @@ register: ntpdate_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1608,7 +1622,7 @@ register: ntpdate_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1635,7 +1649,7 @@ shell: grep UMASK /etc/login.defs | awk '{print $2}' register: login_defs_umask_audit changed_when: no - always_run: yes + check_mode: no failed_when: no tags: - cat3 @@ -1661,7 +1675,7 @@ register: oddjobd_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1675,7 +1689,7 @@ register: oddjobd_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1703,7 +1717,7 @@ register: sys_default_umask_audit changed_when: no failed_when: no - always_run: yes + check_mode: no tags: - cat3 - low @@ -1728,7 +1742,7 @@ register: qpidd_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1742,7 +1756,7 @@ register: qpidd_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1770,7 +1784,7 @@ register: csh_umask_audit failed_when: no changed_when: no - always_run: yes + check_mode: no tags: - cat3 - low @@ -1797,7 +1811,7 @@ register: rdisc_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1811,7 +1825,7 @@ register: rdisc_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low 
@@ -1860,7 +1874,7 @@ - name: "LOW | V-38655 | AUDIT | The noexec option must be added to removable media partitions." command: grep noexec /etc/fstab - always_run: yes + check_mode: no changed_when: no failed_when: no tags: @@ -1902,7 +1916,7 @@ register: postfix_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1916,7 +1930,7 @@ register: postfix_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1944,7 +1958,7 @@ register: netconsole_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1958,7 +1972,7 @@ register: netconsole_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -1984,7 +1998,7 @@ - name: "LOW | V-38675 | AUDIT | Process core dumps must be disabled unless needed." shell: grep -E "^\*\s*hard\s*core\s*" /etc/security/limits.conf | awk '{print $4}' register: processor_dumps_audit - always_run: yes + check_mode: no failed_when: no changed_when: no tags: @@ -2013,7 +2027,7 @@ register: pkgs_xwindows_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -2051,7 +2065,7 @@ - name: "LOW | V-38684 | AUDIT | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements." shell: grep -E "^\*\s*hard\s*maxlogins\s*" /etc/security/limits.conf | awk '{print $4}' register: max_logins_audit - always_run: yes + check_mode: no failed_when: no changed_when: no tags: @@ -2081,7 +2095,7 @@ when: rhel6stig_temporary_users | length > 0 register: temporary_account_expiry_audit changed_when: no - always_run: yes + check_mode: no tags: - cat3 - low 
@@ -2107,7 +2121,7 @@ register: pkgs_vpn_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -2134,7 +2148,7 @@ when: rhel6stig_emergency_accounts | length > 0 register: emergency_account_expiry_audit changed_when: no - always_run: yes + check_mode: no tags: - cat3 - low @@ -2163,7 +2177,7 @@ register: inactive_useradd_audit changed_when: no failed_when: no - always_run: yes + check_mode: no tags: - cat3 - low @@ -2206,7 +2220,7 @@ register: vsftpd_service_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -2220,7 +2234,7 @@ register: vsftpd_xinetd_startup_file_audit changed_when: false failed_when: false - always_run: yes + check_mode: no when: vsftpd_service_installed_audit.stdout.find('not installed') == -1 tags: - cat3 @@ -2236,7 +2250,7 @@ changed_when: false failed_when: false when: vsftpd_service_installed_audit.stdout.find('not installed') == -1 and vsftpd_xinetd_startup_file_audit.stdout - always_run: yes + check_mode: no tags: - cat3 - low @@ -2250,7 +2264,7 @@ register: vsftpd_xinetd_config_file_audit changed_when: false failed_when: false - always_run: yes + check_mode: no when: vsftpd_service_installed_audit.stdout.find('not installed') == -1 tags: - cat3 @@ -2282,7 +2296,7 @@ register: selinux_policy_audit failed_when: selinux_policy_audit.rc == 2 changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low @@ -2306,7 +2320,7 @@ register: selinux_device_file_context_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - cat3 - low diff --git a/tasks/main.yml b/tasks/main.yml index f58149f..8980122 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,43 +1,36 @@ - name: Check OS version and family - fail: - msg: "This role can only be run agaist RHEL 6. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - when: - - ansible_os_family == 'RedHat' - - ansible_distribution_major_version | version_compare('6', '!=') + assert: + that: ansible_os_family == 'RedHat' and ansible_distribution_major_version | version_compare('6', '==') + msg: "This role can only be run against RHEL/CENTOS 6. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." tags: - always - name: Check ansible version - fail: - msg: You must use ansible {{ rhel6stig_min_ansible_version }} or greater - when: not ansible_version.full | version_compare(rhel6stig_min_ansible_version, '>=') + assert: + that: ansible_version.full | version_compare(rhel6stig_min_ansible_version, '>=') + msg: You must use Ansible {{ rhel6stig_min_ansible_version }} or greater tags: - always - include: prelim.yml - static: no + become: yes tags: - prelim_tasks - always - include: cat1.yml static: no - when: rhel6stig_cat1 + when: rhel6stig_cat1 | bool - include: cat2.yml static: no - when: rhel6stig_cat2 + when: rhel6stig_cat2 | bool - include: cat3.yml static: no - when: rhel6stig_cat3 + when: rhel6stig_cat3 | bool - include: post.yml static: no tags: - post_tasks - -- include: not_automated.yml - static: no - tags: - - not_auto_fixed diff --git a/tasks/not_automated.yml b/tasks/not_automated.yml index b976a4f..c9ac381 100644 --- a/tasks/not_automated.yml +++ b/tasks/not_automated.yml 
@@ -1,164 +1,8 @@ -# CAT I -- name: "HIGH | V-38666 | AUDIT | The system must use and update a DoD-approved virus scan program" - command: /etc/init.d/nails status - ignore_errors: yes - always_run: yes - changed_when: no - register: av_nails_status_audit - tags: - - cat1 - - high - - V-38666 - - antivirus - - audit - -- name: "HIGH | V-38666 | AUDIT | The system must use and update a DoD-approved virus scan program" - shell: grep uvscan /etc/cron* /var/spool/cron/* - register: av_uvscan_cron_audit - ignore_errors: yes - always_run: yes - changed_when: no - tags: - - cat1 - - V-38666 - - antivirus - - audit - - high - -- name: "HIGH | V-38666 | AUDIT | The system must use and update a DoD-approved virus scan program. Looking for virus definitions older than seven days." - command: find /usr/local/uvscan -type f -mtime +7 - register: av_defs_audit - changed_when: no - ignore_errors: yes - always_run: yes - tags: - - cat1 - - V-38666 - - antivirus - - high - - audit - -- name: "HIGH | V-38677 | AUDIT | The NFS server must not have the insecure file locking option enabled" - command: grep insecure_locks /etc/exports - register: nfs_insecure_locking_audit - ignore_errors: yes - changed_when: no - always_run: yes - tags: - - cat1 - - high - - V-38677 - - audit - - nfs - -# CAT II -- name: "MEDIUM | V-38499 | AUDIT | The /etc/passwd file must not contain password hashes" - shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd" - changed_when: false - always_run: yes - register: etc_password_hash_audit - tags: - - cat2 - - V-38499 - - medium - - passwords - - audit - -- name: "MEDIUM | V-38500 | AUDIT | The root account must be the only account having a UID of 0" - shell: "awk -F: '($3 == \"0\") {print}' /etc/passwd | grep -v root" - changed_when: no - always_run: yes - ignore_errors: yes - register: users_uid_0_audit - tags: - - cat2 - - medium - - V-38500 - - accounts - - audit - -- name: "MEDIUM | V-38520 | AUDIT | The operating system must back up audit records on an 
organization defined frequency onto a different system or media than the system being audited.\n - MEDIUM | V-38521 | AUDIT | The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components." - shell: grep -E '^\*\.\*\s*[@:]{1,2}[a-z.:]*' /etc/rsyslog.conf - changed_when: no - ignore_errors: yes - always_run: yes - register: rsyslog_log_mgmt_audit - tags: - - audit - - V-38520 - - V-38521 - - rsyslog - - logging - - cat2 - - medium - -- name: "MEDIUM | V-38625 | AUDIT | If the system is using LDAP for authentication or account information the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms" - shell: ps -ef | grep [s]lapd - register: ldap_tls_audit - when: "'slapd' in sysv_services.stdout" - ignore_errors: yes - changed_when: no - tags: - - cat2 - - medium - - audit - - V-38625 - - ldap - -- name: "MEDIUM | V-38643 | AUDIT | There must be no world-writable files on the system." - command: find / -xdev -type f -perm -002 - register: world_writable_files - changed_when: false - tags: - - cat2 - - medium - - audit - - V-38643 - - file_perms - -- name: "MEDIUM | V-38652 | AUDIT | Remote file systems must be mounted with the 'nodev' option" - shell: mount | grep 'type nfs' | grep -v 'nodev' - changed_when: false - register: nfs_mounts_missing_nodev - failed_when: nfs_mounts_missing_nodev.stderr - tags: - - cat2 - - medium - - audit - - V-38652 - - nfs - -- name: "MEDIUM | V-38654 | PATCH | Remote file systems must be mounted with the nosuid option" - shell: mount | grep 'type nfs' | grep -v 'nosuid' - changed_when: false - failed_when: nfs_mounts_missing_nosuid.stderr - register: nfs_mounts_missing_nosuid - tags: - - cat2 - - medium - - audit - - V-38654 - - nfs - -- name: "MEDIUM | V-38660 | AUDIT | The snmpd service must use only SNMP protocol version 3 or newer." 
- shell: "grep -E 'v1|v2c|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'" - changed_when: false - register: snmp_version_check - failed_when: '"FAIL" in snmp_version_check.stdout' - when: snmpconf_test.stat.exists - tags: - - cat2 - - medium - - audit - - V-38660 - - snmp - # CAT III - name: "LOW | V-38455 | AUDIT | The system must use a separate file system for /tmp" shell: mount | grep "on /tmp " register: tmp_mounted_audit - always_run: yes + check_mode: no ignore_errors: yes changed_when: no tags: @@ -173,7 +17,7 @@ register: var_mounted_audit changed_when: no ignore_errors: yes - always_run: yes + check_mode: no tags: - cat3 - V-38456 @@ -184,7 +28,7 @@ - name: "LOW | V-38463 | AUDIT | The system must use a separate file system for /var/log" shell: mount | grep "on /var/log " register: varlog_mounted_audit - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: @@ -197,7 +41,7 @@ - name: "LOW | V-38467 | AUDIT | The system must use a separate file system for /var/log/audit" shell: mount | grep "on /var/log/audit " register: varlogaudit_mounted_audit - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: @@ -210,7 +54,7 @@ - name: "LOW | V-38473 | AUDIT | The system must use a separate file system for user home directories" shell: mount | grep "on /home " register: home_mounted_audit - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: @@ -225,7 +69,7 @@ changed_when: false failed_when: false register: missing_group_audit - always_run: yes + check_mode: no tags: - cat3 - low @@ -238,7 +82,7 @@ changed_when: false failed_when: false register: duplicate_account_audit - always_run: yes + check_mode: no tags: - cat3 - low @@ -250,7 +94,7 @@ shell: "lsblk | awk '$6 == \"part\" && $7 ~ /\\// {print $NF}' | xargs -I{} find {} -xdev -type d -perm -0002 \\! -perm -1000" changed_when: false register: stick_bit_public_dir_audit - always_run: yes + check_mode: no tags: - cat3 - low 
@@ -263,7 +107,7 @@ shell: "lsblk | awk '$6 == \"part\" && $7 ~ /\\// {print $NF}' | xargs -I{} find {} -xdev -type d -perm -0002 -uid +499 -print" changed_when: false register: system_account_public_dir_audit - always_run: yes + check_mode: no tags: - cat3 - low diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 42aa821..da3f3f8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -1,39 +1,76 @@ --- # Preliminary tasks that should always be run -- name: "PRELIM | Check for /etc/snmp/snmpd.conf" - stat: - path: /etc/snmp/snmpd.conf - register: snmpconf_test - always_run: yes - tags: - - cat1 +- block: + - name: "PRELIM | Make sure iptables is installed." + yum: + name: iptables + state: present + + - name: "PRELIM | See if a default iptables config file exists" + stat: + path: /etc/sysconfig/iptables + register: iptables_config + + - name: "PRELIM | Copy up a sensible default firewall config" + copy: + src: etc_sysconfig_iptables + dest: /etc/sysconfig/iptables + owner: root + group: root + mode: 0644 + when: not iptables_config.stat.exists + notify: restart iptables + + - name: Flush handlers + meta: flush_handlers + + tags: + - V-38512 + - V-38513 + - V-38555 + - V-38560 + - V-38686 + - ipv4 + - network + - firewall - cat2 - - V-38653 - - snmp - - audit + - medium - patch -# Setup variables based on operating system -- name: "PRELIM | Set gpg_key_url for CentOS" - set_fact: - gpg_key_url: http://mirror.centos.org/centos/RPM-GPG-KEY-{{ ansible_distribution }}-{{ ansible_distribution_major_version }} - when: "ansible_distribution == 'CentOS'" - always_run: yes - tags: - - cat1 - - V-38476 - - audit - - patch +- block: + - name: "PRELIM | Make sure ip6tables is installed." 
+ yum: + name: iptables-ipv6 + state: present + + - name: "PRELIM | See if a default ip6tables config file exists" + stat: + path: /etc/sysconfig/ip6tables + register: ip6tables_config + + - name: "PRELIM | Copy up a sensible default firewall config" + copy: + src: etc_sysconfig_ip6tables + dest: /etc/sysconfig/ip6tables + owner: root + group: root + mode: 0644 + when: not ip6tables_config.stat.exists and rhel6stig_ipv6_required + notify: restart ip6tables + + - name: Flush handlers + meta: flush_handlers -- name: "PRELIM | Set gpg_key_url for Red Hat 6" - set_fact: - gpg_key_url: https://www.redhat.com/security/fd431d51.txt - when: "ansible_distribution == 'RedHat'" - always_run: yes tags: - - cat1 - - V-38476 - - audit + - cat2 + - medium + - ipv6 + - V-38444 + - V-38549 + - V-38551 + - V-38553 + - firewall + - network - patch # List users in order to look files inside each home directory @@ -41,7 +78,7 @@ command: "awk -F: '{print $1}' /etc/passwd" register: users changed_when: false - always_run: yes + check_mode: no tags: - cat1 - cat2 @@ -51,7 +88,7 @@ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow register: unlocked_accounts changed_when: false - always_run: yes + check_mode: no tags: - cat1 - cat2 @@ -62,7 +99,7 @@ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow | xargs -I{} grep {} /etc/passwd | awk -F: '$3 < 500 {print $1}' register: unlocked_sys_accounts changed_when: false - always_run: yes + check_mode: no tags: - cat1 - cat2 @@ -72,7 +109,7 @@ shell: "grep -Ev '/home|root' /etc/passwd | cut -d : -f 1" register: system_users changed_when: false - always_run: yes + check_mode: no tags: - cat1 - cat2 @@ -83,7 +120,7 @@ shell: "chkconfig --list | sed '/^$/ d ; /xinetd based services:/ d ; /^\t/ d' | awk '{print $1}'" register: sysv_services changed_when: false - always_run: yes + check_mode: no tags: - cat1 - cat2 
@@ -93,7 +130,7 @@ shell: "chkconfig --list | sed -n '/^\t/,$p' | sed 's/\t//' | cut -d : -f 1" register: xinetd_services changed_when: false - always_run: yes + check_mode: no tags: - cat1 - cat2 @@ -104,7 +141,7 @@ shell: grep -Pv "/(sh|nologin|dash)" /etc/shells | sed -r 's#/((bin|sbin|usr)/)+##' register: shells changed_when: false - always_run: yes + check_mode: no tags: - cat3 - umask @@ -129,7 +166,7 @@ - name: "PRELIM | Get list of rsyslog genarated log files" shell: "grep -e '/' /etc/rsyslog.conf /etc/rsyslog.d/* | grep -v IncludeConfig | sed 's/-//'| awk 'NF==2 {print $2}'" changed_when: no - always_run: yes + check_mode: no register: rsyslog_logfiles tags: - cat2 @@ -163,7 +200,7 @@ - name: "PRELIM | Get path of auditd log file" shell: "grep '^log_file' /etc/audit/auditd.conf | sed s/^[^\\/]*//" changed_when: no - always_run: yes + check_mode: no register: auditd_logfile tags: - cat2 @@ -173,18 +210,6 @@ - auditd - patch -- name: "PRELIM | List interface config files" - shell: ls /etc/sysconfig/network-scripts/ifcfg-eth* | grep -v $(date +%Y) - changed_when: false - register: interface_config_files - tags: - - cat2 - - medium - - V-38679 - - network - - dhcp - - patch - - name: "PRELIM | List setuid / setgid programs on all mounted filesystems" shell: find $(lsblk -o MOUNTPOINT -n | grep '^/') -xdev -type f -perm /6000 2>/dev/null changed_when: false @@ -212,6 +237,7 @@ paths: /etc/sysconfig/network-scripts file_type: file patterns: ifcfg-eth* + check_mode: no register: interface_config_files tags: - cat2 diff --git a/tests/ansible.cfg b/tests/ansible.cfg new file mode 100644 index 0000000..48bc18c --- /dev/null +++ b/tests/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +retry_files_enabled = False diff --git a/tests/inventory b/tests/inventory new file mode 100644 index 0000000..2fbb50c --- /dev/null +++ b/tests/inventory @@ -0,0 +1 @@ +localhost diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 0000000..04fbffc --- /dev/null 
+++ b/tests/test.yml @@ -0,0 +1,5 @@ +- hosts: all + become: yes + become_method: sudo + roles: + - ../../RHEL6-STIG diff --git a/vars/main.yml b/vars/main.yml index aee1bc5..e69de29 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,2 +0,0 @@ -rhel6stig_min_ansible_version: 2.1 -
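Review bot: in the tasks/cat3.yml hunk at `@@ -1417,12 +1419,24 @@`, the new task `"LOW | V-38624 | PATCH | System logs must be rotated daily."` only does `yum: name: logrotate state: present`. Installing the package does not by itself guarantee daily rotation, which is what the finding title asks for; consider pairing it with a check or patch that the rotation schedule is actually daily (for example a `lineinfile` on the `daily` directive of `/etc/logrotate.conf`, or an audit of the cron entry), or renaming the task so it is clear it covers only the package prerequisite. The `always_run: yes` to `check_mode: no` conversions in the surrounding hunks are consistent and look correct for Ansible 2.2+.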
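Review bot: the tasks/main.yml hunk at `@@ -1,43 +1,36 @@` keeps the assertion `that: ansible_version.full | version_compare(rhel6stig_min_ansible_version, '>=')`, but the vars/main.yml hunk at the end of this diff deletes `rhel6stig_min_ansible_version: 2.1` and no replacement definition is visible in the diff. Unless the variable was moved to defaults/main.yml outside this change, that task fails with an undefined variable on every run. Please confirm where it is now defined, or keep the vars entry. Also, `become: yes` is added only to `- include: prelim.yml`; the cat1/cat2/cat3/post includes make the same kind of privileged changes and are left relying on the caller's play-level become, which is fine but worth stating in the README alongside the new `tests/test.yml` that sets `become: yes`.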
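Review bot: the tasks/not_automated.yml hunk at `@@ -1,164 +1,8 @@` removes the CAT I and CAT II audit tasks but leaves the CAT III tasks (V-38455 through the public-directory checks) in place and updates them to `check_mode: no`, while the tasks/main.yml hunk drops `- include: not_automated.yml` entirely. After this change those remaining tasks are unreachable. Either delete the file, or move the surviving tasks into tasks/cat3.yml, which the README change says is where the non-automated findings are now documented.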
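Review bot: in the tasks/prelim.yml hunk at `@@ -1,39 +1,76 @@`, the ip6tables block gates only the copy task with `when: not ip6tables_config.stat.exists and rhel6stig_ipv6_required`, so `yum: name: iptables-ipv6` and the stat still run on hosts where IPv6 is not required; moving the `rhel6stig_ipv6_required` condition to the block level keeps those hosts untouched. Separately, both blocks copy a default ruleset into `/etc/sysconfig/iptables` / `/etc/sysconfig/ip6tables` when no file exists and then `notify: restart iptables` followed by `meta: flush_handlers`, so the new policy takes effect mid-run. The contents of `etc_sysconfig_iptables` and `etc_sysconfig_ip6tables` are not in this diff; please make sure they permit the management connection (SSH) so the rest of the play cannot lock itself out, and mention the default ruleset in the README. Minor: the two `- name: Flush handlers` tasks lack the `PRELIM |` prefix used by every other task in the file.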
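Review bot: the new `tests/test.yml` references the role as `- ../../RHEL6-STIG`, which only resolves when the repository is checked out under that exact directory name and the playbook is run from `tests/`; the README installs it as `nousdefions.STIG-RHEL6`. Consider using a path relative to the playbook (for example `{{ playbook_dir }}/..`) or documenting the expected checkout layout so the test is reproducible. The `tests/inventory` file lists only `localhost`; if the intent is a local run, set `ansible_connection=local` there explicitly so it does not depend on inventory defaults.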