Ubuntu2004 stig profile v1r9 update #10738
Conversation
Hi @dexterle. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check (trimmed diff follows).
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_clean_components_post_updating' differs.
--- xccdf_org.ssgproject.content_rule_clean_components_post_updating
+++ xccdf_org.ssgproject.content_rule_clean_components_post_updating
@@ -16,8 +16,9 @@
- no_reboot_needed
- restrict_strategy
-- name: Ensure YUM Removes Previous Package Versions
- lineinfile:
+- name: Ensure yum Removes Previous Package Versions - Ensure YUM Removes Previous
+ Package Versions
+ ansible.builtin.lineinfile:
dest: /etc/yum.conf
regexp: ^#?clean_requirements_on_remove
line: clean_requirements_on_remove=1
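Review bot: the renamed task `+- name: Ensure yum Removes Previous Package Versions - Ensure YUM Removes Previous Package Versions` states the rule title twice (once as 'yum', once as 'YUM'); the generator appears to prefix the rule title onto a task whose name already is the rule title, so the name should carry it once. Separately, a change to a `/etc/yum.conf` remediation in a PR titled 'Ubuntu2004 stig profile v1r9 update' indicates the branch is behind master and the datastream check is reporting unrelated upstream changes (the `ansible.builtin.lineinfile` FQCN, the title casing); a rebase should drop these hunks from the diff.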
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
@@ -8,6 +8,7 @@
screen by setting banner-message-enable to true.
To enable, add or edit banner-message-enable to
+
/etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
@@ -15,6 +16,7 @@
/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-enable
+
After the settings have been set, run dconf update.
The banner text must also be set.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled' differs.
--- ocil:ssg-dconf_gnome_banner_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_banner_enabled_ocil:questionnaire:1
@@ -1,4 +1,5 @@
To ensure a login warning banner is enabled, run the following:
+
$ grep banner-message-enable /etc/dconf/db/gdm.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -12,7 +12,22 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Remediation where authselect tool is present
+- name: Account Lockouts Must Be Logged - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ tags:
+ - CCE-86107-0
+ - NIST-800-53-AC-7 (a)
+ - account_passwords_pam_faillock_audit
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Account Lockouts Must Be Logged - Remediation Where Authselect Tool Is Present
block:
- name: Account Lockouts Must Be Logged - Check integrity of authselect current
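Review bot: the new `Set /etc/pam.d/ Path Facts` task in this hunk has no `when:`, while the same task in the other faillock rules below is gated (on `ansible_distribution_version is version('8.2', '>=')` in accounts_passwords_pam_faillock_audit, on `'"pam" in ansible_facts.packages'` in accounts_passwords_pam_faillock_deny). Either the gate is unnecessary everywhere or it is missing here; the rules should agree. The tag list copied onto this pure `set_fact` task also uses `NIST-800-53-AC-7 (a)` with a space, whereas the deny rule tags `NIST-800-53-AC-7(a)` without one, so the tag format differs between rules that reference the same control.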
@@ -73,11 +88,11 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Remediation where authselect tool is not
- present
+- name: Account Lockouts Must Be Logged - Remediation Where Authselect Tool Is Not
+ Present
block:
- - name: Account Lockouts Must Be Logged - Check if pam_faillock.so is already enabled
+ - name: Account Lockouts Must Be Logged - Check if pam_faillock.so Is Already Enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
@@ -86,57 +101,66 @@
changed_when: false
register: result_pam_faillock_is_enabled
- - name: Account Lockouts Must Be Logged - Enable pam_faillock.so preauth editing
- PAM files
+ - name: Account Lockouts Must Be Logged - Enable pam_faillock.so preauth Editing
+ PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- - name: Account Lockouts Must Be Logged - Enable pam_faillock.so authfail editing
- PAM files
+ - name: Account Lockouts Must Be Logged - Enable pam_faillock.so authfail Editing
+ PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- - name: Account Lockouts Must Be Logged - Enable pam_faillock.so account section
- editing PAM files
+ - name: Account Lockouts Must Be Logged - Enable pam_faillock.so account Section
+ Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
- loop:
+ loop: '{{ pam_path }}'
+ when:
+ - result_pam_faillock_is_enabled.found == 0
+ when: not result_authselect_present.stat.exists
+ tags:
+ - CCE-86107-0
+ - NIST-800-53-AC-7 (a)
+ - account_passwords_pam_faillock_audit
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Account Lockouts Must Be Logged - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- when:
- - result_pam_faillock_is_enabled.found == 0
- when: not result_authselect_present.stat.exists
- tags:
- - CCE-86107-0
- - NIST-800-53-AC-7 (a)
- - account_passwords_pam_faillock_audit
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Account Lockouts Must Be Logged - Check the presence of /etc/security/faillock.conf
- file
+ tags:
+ - CCE-86107-0
+ - NIST-800-53-AC-7 (a)
+ - account_passwords_pam_faillock_audit
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Account Lockouts Must Be Logged - Check The Presence of /etc/security/faillock.conf
+ File
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
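Review bot: `pam_path` is set a second time in this hunk (`+- name: Account Lockouts Must Be Logged - Set /etc/pam.d/ Path Facts` immediately before the `/etc/security/faillock.conf` stat check) with exactly the same list as the `set_fact` task added earlier in this remediation; a fact set once persists for the rest of the play, so the second task is redundant and the fact should be set once, ahead of the first `loop: '{{ pam_path }}'`. Style: the renamed titles capitalize the article ('Check The Presence of /etc/security/faillock.conf File', and the 'Ensure The ...' renames in the following hunks) while leaving 'if' and 'in' lowercase; title case normally keeps 'the' lowercase too, so the casing rule applied by the rename is inconsistent.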
@@ -150,7 +174,7 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Ensure the pam_faillock.so audit parameter
+- name: Account Lockouts Must Be Logged - Ensure The pam_faillock.so audit Parameter
in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
@@ -168,8 +192,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Ensure the pam_faillock.so audit parameter
- not in PAM files
+- name: Account Lockouts Must Be Logged - Ensure The pam_faillock.so audit Parameter
+ Not in PAM Files
block:
- name: Account Lockouts Must Be Logged - Check if /etc/pam.d/system-auth file is
@@ -516,8 +540,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Ensure the pam_faillock.so audit parameter
- in PAM files
+- name: Account Lockouts Must Be Logged - Ensure The pam_faillock.so audit Parameter
+ in PAM Files
block:
- name: Account Lockouts Must Be Logged - Check if pam_faillock.so audit parameter
@@ -530,17 +554,15 @@
changed_when: false
register: result_pam_faillock_audit_parameter_is_present
- - name: Account Lockouts Must Be Logged - Ensure the inclusion of pam_faillock.so
- preauth audit parameter in auth section
+ - name: Account Lockouts Must Be Logged - Ensure The Inclusion of pam_faillock.so
+ preauth audit Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 audit
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_audit_parameter_is_present.found == 0
when: not result_faillock_conf_check.stat.exists
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -15,7 +15,25 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Remediation where authselect tool is present
+- name: Account Lockouts Must Be Logged - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: ansible_distribution == 'RedHat' and ansible_distribution_version is version('8.2',
+ '>=')
+ tags:
+ - CCE-86099-9
+ - DISA-STIG-RHEL-08-020021
+ - NIST-800-53-AC-7 (a)
+ - accounts_passwords_pam_faillock_audit
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Account Lockouts Must Be Logged - Remediation Where Authselect Tool Is Present
block:
- name: Account Lockouts Must Be Logged - Check integrity of authselect current
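Review bot: the `when: ansible_distribution == 'RedHat' and ansible_distribution_version is version('8.2', '>=')` on `Set /etc/pam.d/ Path Facts` leaves `pam_path` undefined on every other platform, yet the consuming tasks later in this remediation use `loop: '{{ pam_path }}'` with no default; unless their enclosing block is gated by the same condition (the block's `when:` is cut off in this diff), the loop fails with an undefined-variable error wherever the fact was skipped. Worth checking against the full remediation, or using `loop: '{{ pam_path | default([]) }}'`. Note also that this rule and account_passwords_pam_faillock_audit above differ only in the singular/plural name, the tags and this condition; if both are intended to exist, the differing gate should be deliberate.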
@@ -80,11 +98,11 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Remediation where authselect tool is not
- present
+- name: Account Lockouts Must Be Logged - Remediation Where Authselect Tool Is Not
+ Present
block:
- - name: Account Lockouts Must Be Logged - Check if pam_faillock.so is already enabled
+ - name: Account Lockouts Must Be Logged - Check if pam_faillock.so Is Already Enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
@@ -93,42 +111,36 @@
changed_when: false
register: result_pam_faillock_is_enabled
- - name: Account Lockouts Must Be Logged - Enable pam_faillock.so preauth editing
- PAM files
+ - name: Account Lockouts Must Be Logged - Enable pam_faillock.so preauth Editing
+ PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- - name: Account Lockouts Must Be Logged - Enable pam_faillock.so authfail editing
- PAM files
+ - name: Account Lockouts Must Be Logged - Enable pam_faillock.so authfail Editing
+ PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- - name: Account Lockouts Must Be Logged - Enable pam_faillock.so account section
- editing PAM files
+ - name: Account Lockouts Must Be Logged - Enable pam_faillock.so account Section
+ Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
when:
@@ -146,8 +158,26 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Check the presence of /etc/security/faillock.conf
- file
+- name: Account Lockouts Must Be Logged - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: ansible_distribution == 'RedHat' and ansible_distribution_version is version('8.2',
+ '>=')
+ tags:
+ - CCE-86099-9
+ - DISA-STIG-RHEL-08-020021
+ - NIST-800-53-AC-7 (a)
+ - accounts_passwords_pam_faillock_audit
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Account Lockouts Must Be Logged - Check The Presence of /etc/security/faillock.conf
+ File
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
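Review bot: same redundancy as in the previous rule: this hunk adds a second `Set /etc/pam.d/ Path Facts` task with the identical `pam_path` list, identical `when` and identical tags right before `Check The Presence of /etc/security/faillock.conf File`, although the `set_fact` earlier in the play already covers it; one of the two should go. As written, the `is version('8.2', '>=')` check now lives in two places in one remediation and has to be kept in sync.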
@@ -164,7 +194,7 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Ensure the pam_faillock.so audit parameter
+- name: Account Lockouts Must Be Logged - Ensure The pam_faillock.so audit Parameter
in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
@@ -186,8 +216,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Ensure the pam_faillock.so audit parameter
- not in PAM files
+- name: Account Lockouts Must Be Logged - Ensure The pam_faillock.so audit Parameter
+ Not in PAM Files
block:
- name: Account Lockouts Must Be Logged - Check if /etc/pam.d/system-auth file is
@@ -538,8 +568,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Account Lockouts Must Be Logged - Ensure the pam_faillock.so audit parameter
- in PAM files
+- name: Account Lockouts Must Be Logged - Ensure The pam_faillock.so audit Parameter
+ in PAM Files
block:
- name: Account Lockouts Must Be Logged - Check if pam_faillock.so audit parameter
@@ -552,17 +582,15 @@
changed_when: false
register: result_pam_faillock_audit_parameter_is_present
- - name: Account Lockouts Must Be Logged - Ensure the inclusion of pam_faillock.so
- preauth audit parameter in auth section
+ - name: Account Lockouts Must Be Logged - Ensure The Inclusion of pam_faillock.so
+ preauth audit Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 audit
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_audit_parameter_is_present.found == 0
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -39,8 +39,30 @@
- no_reboot_needed
- restrict_strategy
-- name: Lock Accounts After Failed Password Attempts - Remediation where authselect
- tool is present
+- name: Lock Accounts After Failed Password Attempts - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-80667-9
+ - CJIS-5.5.3
+ - DISA-STIG-RHEL-08-020011
+ - NIST-800-171-3.1.8
+ - NIST-800-53-AC-7(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.1.6
+ - PCI-DSSv4-8.3.4
+ - accounts_passwords_pam_faillock_deny
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Lock Accounts After Failed Password Attempts - Remediation Where Authselect
+ Tool Is Present
block:
- name: Lock Accounts After Failed Password Attempts - Check integrity of authselect
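Review bot: `when: '"pam" in ansible_facts.packages'` relies on `ansible_facts.packages`, which is only populated by a prior `ansible.builtin.package_facts` task; nothing in this hunk gathers it, so if the generated playbook does not run `package_facts` earlier the condition raises an undefined-attribute error instead of evaluating to false. The gate also differs from the version-based `when` used for the same `pam_path` list in accounts_passwords_pam_faillock_audit, and from the ungated version in account_passwords_pam_faillock_audit; three different conditions for one fact suggest the template, not each rule, should decide this.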
@@ -110,12 +132,12 @@
- no_reboot_needed
- restrict_strategy
-- name: Lock Accounts After Failed Password Attempts - Remediation where authselect
- tool is not present
+- name: Lock Accounts After Failed Password Attempts - Remediation Where Authselect
+ Tool Is Not Present
block:
- name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so
- is already enabled
+ Is Already Enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
@@ -125,41 +147,35 @@
register: result_pam_faillock_is_enabled
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so preauth
- editing PAM files
+ Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so authfail
- editing PAM files
+ Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so account
- section editing PAM files
+ Section Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
when:
@@ -186,8 +202,30 @@
tags:
- always
-- name: Lock Accounts After Failed Password Attempts - Check the presence of /etc/security/faillock.conf
- file
+- name: Lock Accounts After Failed Password Attempts - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-80667-9
+ - CJIS-5.5.3
+ - DISA-STIG-RHEL-08-020011
+ - NIST-800-171-3.1.8
+ - NIST-800-53-AC-7(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.1.6
+ - PCI-DSSv4-8.3.4
+ - accounts_passwords_pam_faillock_deny
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Lock Accounts After Failed Password Attempts - Check The Presence of /etc/security/faillock.conf
+ File
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
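Review bot: the duplicated `Set /etc/pam.d/ Path Facts` task appears here as well, with the same list, `when` and tags as the one added at the top of this remediation; the same pair of identical `set_fact` tasks recurs in the accounts_passwords_pam_faillock_deny_root and accounts_passwords_pam_faillock_dir hunks below. Since every remediation in this diff exhibits the pattern, the fix belongs in the shared template that emits the pam_faillock tasks rather than in each rule.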
@@ -208,8 +246,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
- deny parameter in /etc/security/faillock.conf
+- name: Lock Accounts After Failed Password Attempts - Ensure The pam_faillock.so
+ deny Parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*deny\s*=
@@ -234,8 +272,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
- deny parameter not in PAM files
+- name: Lock Accounts After Failed Password Attempts - Ensure The pam_faillock.so
+ deny Parameter Not in PAM Files
block:
- name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/system-auth
@@ -600,8 +638,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so
- deny parameter in PAM files
+- name: Lock Accounts After Failed Password Attempts - Ensure The pam_faillock.so
+ deny Parameter in PAM Files
block:
- name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so
@@ -614,59 +652,51 @@
changed_when: false
register: result_pam_faillock_deny_parameter_is_present
- - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so
- preauth deny parameter in auth section
+ - name: Lock Accounts After Failed Password Attempts - Ensure The Inclusion of pam_faillock.so
+ preauth deny Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_deny_parameter_is_present.found == 0
- - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so
- authfail deny parameter in auth section
+ - name: Lock Accounts After Failed Password Attempts - Ensure The Inclusion of pam_faillock.so
+ authfail deny Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }}
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_deny_parameter_is_present.found == 0
- - name: Lock Accounts After Failed Password Attempts - Ensure the desired value
- for pam_faillock.so preauth deny parameter in auth section
+ - name: Lock Accounts After Failed Password Attempts - Ensure The Desired Value
+ for pam_faillock.so preauth deny Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_deny_parameter_is_present.found > 0
- - name: Lock Accounts After Failed Password Attempts - Ensure the desired value
- for pam_faillock.so authfail deny parameter in auth section
+ - name: Lock Accounts After Failed Password Attempts - Ensure The Desired Value
+ for pam_faillock.so authfail deny Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_deny_parameter_is_present.found > 0
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -33,8 +33,28 @@
- no_reboot_needed
- restrict_strategy
-- name: Configure the root Account for Failed Password Attempts - Remediation where
- authselect tool is present
+- name: Configure the root Account for Failed Password Attempts - Set /etc/pam.d/
+ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-80668-7
+ - DISA-STIG-RHEL-08-020023
+ - NIST-800-53-AC-7(b)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(c)
+ - accounts_passwords_pam_faillock_deny_root
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Configure the root Account for Failed Password Attempts - Remediation Where
+ Authselect Tool Is Present
block:
- name: Configure the root Account for Failed Password Attempts - Check integrity
@@ -102,12 +122,12 @@
- no_reboot_needed
- restrict_strategy
-- name: Configure the root Account for Failed Password Attempts - Remediation where
- authselect tool is not present
+- name: Configure the root Account for Failed Password Attempts - Remediation Where
+ Authselect Tool Is Not Present
block:
- name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so
- is already enabled
+ Is Already Enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
@@ -117,41 +137,35 @@
register: result_pam_faillock_is_enabled
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so
- preauth editing PAM files
+ preauth Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so
- authfail editing PAM files
+ authfail Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so
- account section editing PAM files
+ account Section Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
when:
@@ -170,8 +184,28 @@
- no_reboot_needed
- restrict_strategy
-- name: Configure the root Account for Failed Password Attempts - Check the presence
- of /etc/security/faillock.conf file
+- name: Configure the root Account for Failed Password Attempts - Set /etc/pam.d/
+ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-80668-7
+ - DISA-STIG-RHEL-08-020023
+ - NIST-800-53-AC-7(b)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(c)
+ - accounts_passwords_pam_faillock_deny_root
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Configure the root Account for Failed Password Attempts - Check The Presence
+ of /etc/security/faillock.conf File
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
@@ -189,8 +223,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so
- even_deny_root parameter in /etc/security/faillock.conf
+- name: Configure the root Account for Failed Password Attempts - Ensure The pam_faillock.so
+ even_deny_root Parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*even_deny_root
@@ -212,8 +246,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so
- even_deny_root parameter not in PAM files
+- name: Configure the root Account for Failed Password Attempts - Ensure The pam_faillock.so
+ even_deny_root Parameter Not in PAM Files
block:
- name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/system-auth
@@ -575,8 +609,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so
- even_deny_root parameter in PAM files
+- name: Configure the root Account for Failed Password Attempts - Ensure The pam_faillock.so
+ even_deny_root Parameter in PAM Files
block:
- name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so
@@ -589,31 +623,27 @@
changed_when: false
register: result_pam_faillock_even_deny_root_parameter_is_present
- - name: Configure the root Account for Failed Password Attempts - Ensure the inclusion
- of pam_faillock.so preauth even_deny_root parameter in auth section
+ - name: Configure the root Account for Failed Password Attempts - Ensure The Inclusion
+ of pam_faillock.so preauth even_deny_root Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 even_deny_root
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_even_deny_root_parameter_is_present.found == 0
- - name: Configure the root Account for Failed Password Attempts - Ensure the inclusion
- of pam_faillock.so authfail even_deny_root parameter in auth section
+ - name: Configure the root Account for Failed Password Attempts - Ensure The Inclusion
+ of pam_faillock.so authfail even_deny_root Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 even_deny_root
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_even_deny_root_parameter_is_present.found == 0
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -34,7 +34,27 @@
- medium_severity
- no_reboot_needed
-- name: Lock Accounts Must Persist - Remediation where authselect tool is present
+- name: Lock Accounts Must Persist - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-86067-6
+ - DISA-STIG-RHEL-08-020016
+ - DISA-STIG-RHEL-08-020017
+ - NIST-800-53-AC-7(a)
+ - NIST-800-53-AC-7(b)
+ - NIST-800-53-AC-7.1(ii)
+ - accounts_passwords_pam_faillock_dir
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Lock Accounts Must Persist - Remediation Where Authselect Tool Is Present
block:
- name: Lock Accounts Must Persist - Check integrity of authselect current profile
@@ -100,10 +120,10 @@
- medium_severity
- no_reboot_needed
-- name: Lock Accounts Must Persist - Remediation where authselect tool is not present
+- name: Lock Accounts Must Persist - Remediation Where Authselect Tool Is Not Present
block:
- - name: Lock Accounts Must Persist - Check if pam_faillock.so is already enabled
+ - name: Lock Accounts Must Persist - Check if pam_faillock.so Is Already Enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
@@ -112,42 +132,36 @@
changed_when: false
register: result_pam_faillock_is_enabled
- - name: Lock Accounts Must Persist - Enable pam_faillock.so preauth editing PAM
- files
+ - name: Lock Accounts Must Persist - Enable pam_faillock.so preauth Editing PAM
+ Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- - name: Lock Accounts Must Persist - Enable pam_faillock.so authfail editing PAM
- files
+ - name: Lock Accounts Must Persist - Enable pam_faillock.so authfail Editing PAM
+ Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- - name: Lock Accounts Must Persist - Enable pam_faillock.so account section editing
- PAM files
+ - name: Lock Accounts Must Persist - Enable pam_faillock.so account Section Editing
+ PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
when:
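Review bot: the three `loop: '{{ pam_path }}'` lines in this block replace the hardcoded `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` list, but `pam_path` is only set under `when: '"pam" in ansible_facts.packages'`; on a host where that condition is false the loop expands an undefined variable and the whole block fails instead of being skipped, which the hardcoded list never did. The block's own `when:` is cut off at the end of the hunk: it must carry the same `"pam" in ansible_facts.packages` condition, or, since the path list is static, the `set_fact` should simply be unconditional so that skipping and failing cannot diverge.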
@@ -172,8 +186,28 @@
tags:
- always
-- name: Lock Accounts Must Persist - Check the presence of /etc/security/faillock.conf
- file
+- name: Lock Accounts Must Persist - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-86067-6
+ - DISA-STIG-RHEL-08-020016
+ - DISA-STIG-RHEL-08-020017
+ - NIST-800-53-AC-7(a)
+ - NIST-800-53-AC-7(b)
+ - NIST-800-53-AC-7.1(ii)
+ - accounts_passwords_pam_faillock_dir
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Lock Accounts Must Persist - Check The Presence of /etc/security/faillock.conf
+ File
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
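Review bot: this `set_fact` for `pam_path` duplicates the one whose tail (the same tag list) is visible at the top of this diff, just before `Remediation Where Authselect Tool Is Present`. Setting the same static two-element list twice within one rule's remediation adds a no-op task to every run and to `--list-tasks` output without changing behaviour; keep a single `set_fact` at the start of the rule and drop this second copy. The same doubled `set_fact` appears in the `enforce_local`, `interval` and `unlock_time` rules further down.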
@@ -192,7 +226,7 @@
- medium_severity
- no_reboot_needed
-- name: Lock Accounts Must Persist - Ensure the pam_faillock.so dir parameter in /etc/security/faillock.conf
+- name: Lock Accounts Must Persist - Ensure The pam_faillock.so dir Parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*dir\s*=
@@ -215,8 +249,8 @@
- medium_severity
- no_reboot_needed
-- name: Lock Accounts Must Persist - Ensure the pam_faillock.so dir parameter not
- in PAM files
+- name: Lock Accounts Must Persist - Ensure The pam_faillock.so dir Parameter Not
+ in PAM Files
block:
- name: Lock Accounts Must Persist - Check if /etc/pam.d/system-auth file is present
@@ -563,8 +597,8 @@
- medium_severity
- no_reboot_needed
-- name: Lock Accounts Must Persist - Ensure the pam_faillock.so dir parameter in PAM
- files
+- name: Lock Accounts Must Persist - Ensure The pam_faillock.so dir Parameter in PAM
+ Files
block:
- name: Lock Accounts Must Persist - Check if pam_faillock.so dir parameter is already
@@ -577,59 +611,51 @@
changed_when: false
register: result_pam_faillock_dir_parameter_is_present
- - name: Lock Accounts Must Persist - Ensure the inclusion of pam_faillock.so preauth
- dir parameter in auth section
+ - name: Lock Accounts Must Persist - Ensure The Inclusion of pam_faillock.so preauth
+ dir Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 dir={{ var_accounts_passwords_pam_faillock_dir }}
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_dir_parameter_is_present.found == 0
- - name: Lock Accounts Must Persist - Ensure the inclusion of pam_faillock.so authfail
- dir parameter in auth section
+ - name: Lock Accounts Must Persist - Ensure The Inclusion of pam_faillock.so authfail
+ dir Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 dir={{ var_accounts_passwords_pam_faillock_dir }}
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_dir_parameter_is_present.found == 0
- - name: Lock Accounts Must Persist - Ensure the desired value for pam_faillock.so
- preauth dir parameter in auth section
+ - name: Lock Accounts Must Persist - Ensure The Desired Value for pam_faillock.so
+ preauth dir Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(dir)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_dir }}\5
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_dir_parameter_is_present.found > 0
- - name: Lock Accounts Must Persist - Ensure the desired value for pam_faillock.so
- authfail dir parameter in auth section
+ - name: Lock Accounts Must Persist - Ensure The Desired Value for pam_faillock.so
+ authfail dir Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(dir)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_dir }}\5
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_dir_parameter_is_present.found > 0
when:
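Review bot: the two `Ensure The Desired Value` tasks keep `regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(dir)=[0-9]+(.*)` (and the `authfail` twin), but `dir` takes a directory path, as the `dir={{ var_accounts_passwords_pam_faillock_dir }}` line in the insertion tasks shows, not an integer, so `[0-9]+` can never match an existing `dir=/...` argument and the `found > 0` branch is a silent no-op that leaves a wrong `dir=` value in place. The defect is in unchanged context lines rather than introduced here, but since the hunk rewrites these tasks it is worth fixing the capture, for example `(dir)=\S+(.*)`; the `fail_interval` rule below correctly uses `[0-9]+` because its parameter is numeric.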
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -27,8 +27,24 @@
- no_reboot_needed
- restrict_strategy
-- name: Enforce pam_faillock for Local Accounts Only - Remediation where authselect
- tool is present
+- name: Enforce pam_faillock for Local Accounts Only - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-83401-0
+ - NIST-800-53-AC-2(1)
+ - accounts_passwords_pam_faillock_enforce_local
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Enforce pam_faillock for Local Accounts Only - Remediation Where Authselect
+ Tool Is Present
block:
- name: Enforce pam_faillock for Local Accounts Only - Check integrity of authselect
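Review bot: the new `set_fact` task's `when: '"pam" in ansible_facts.packages'` depends on `ansible_facts.packages`, which only exists after `ansible.builtin.package_facts` has run. If the generated playbook is executed with a tag selection that skips the fact-gathering task (this task is selectable via `accounts_passwords_pam_faillock_enforce_local`, for instance), the conditional itself raises an undefined-attribute error rather than evaluating to false. Guarding with `ansible_facts.packages is defined and "pam" in ansible_facts.packages`, or ensuring the fact-gathering task is tagged `always` as the `tags: - always` context in the later hunks does for another task, avoids that failure mode.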
@@ -92,12 +108,12 @@
- no_reboot_needed
- restrict_strategy
-- name: Enforce pam_faillock for Local Accounts Only - Remediation where authselect
- tool is not present
+- name: Enforce pam_faillock for Local Accounts Only - Remediation Where Authselect
+ Tool Is Not Present
block:
- name: Enforce pam_faillock for Local Accounts Only - Check if pam_faillock.so
- is already enabled
+ Is Already Enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
@@ -107,41 +123,35 @@
register: result_pam_faillock_is_enabled
- name: Enforce pam_faillock for Local Accounts Only - Enable pam_faillock.so preauth
- editing PAM files
+ Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Enforce pam_faillock for Local Accounts Only - Enable pam_faillock.so authfail
- editing PAM files
+ Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Enforce pam_faillock for Local Accounts Only - Enable pam_faillock.so account
- section editing PAM files
+ Section Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
when:
@@ -157,8 +167,24 @@
- no_reboot_needed
- restrict_strategy
-- name: Enforce pam_faillock for Local Accounts Only - Check the presence of /etc/security/faillock.conf
- file
+- name: Enforce pam_faillock for Local Accounts Only - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-83401-0
+ - NIST-800-53-AC-2(1)
+ - accounts_passwords_pam_faillock_enforce_local
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Enforce pam_faillock for Local Accounts Only - Check The Presence of /etc/security/faillock.conf
+ File
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
@@ -173,8 +199,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Enforce pam_faillock for Local Accounts Only - Ensure the pam_faillock.so
- local_users_only parameter in /etc/security/faillock.conf
+- name: Enforce pam_faillock for Local Accounts Only - Ensure The pam_faillock.so
+ local_users_only Parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*local_users_only
@@ -193,8 +219,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Enforce pam_faillock for Local Accounts Only - Ensure the pam_faillock.so
- local_users_only parameter not in PAM files
+- name: Enforce pam_faillock for Local Accounts Only - Ensure The pam_faillock.so
+ local_users_only Parameter Not in PAM Files
block:
- name: Enforce pam_faillock for Local Accounts Only - Check if /etc/pam.d/system-auth
@@ -553,8 +579,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Enforce pam_faillock for Local Accounts Only - Ensure the pam_faillock.so
- local_users_only parameter in PAM files
+- name: Enforce pam_faillock for Local Accounts Only - Ensure The pam_faillock.so
+ local_users_only Parameter in PAM Files
block:
- name: Enforce pam_faillock for Local Accounts Only - Check if pam_faillock.so
@@ -567,31 +593,27 @@
changed_when: false
register: result_pam_faillock_local_users_only_parameter_is_present
- - name: Enforce pam_faillock for Local Accounts Only - Ensure the inclusion of pam_faillock.so
- preauth local_users_only parameter in auth section
+ - name: Enforce pam_faillock for Local Accounts Only - Ensure The Inclusion of pam_faillock.so
+ preauth local_users_only Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
line: \1required\3 local_users_only
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_local_users_only_parameter_is_present.found == 0
- - name: Enforce pam_faillock for Local Accounts Only - Ensure the inclusion of pam_faillock.so
- authfail local_users_only parameter in auth section
+ - name: Enforce pam_faillock for Local Accounts Only - Ensure The Inclusion of pam_faillock.so
+ authfail local_users_only Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
line: \1required\3 local_users_only
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_local_users_only_parameter_is_present.found == 0
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -33,8 +33,28 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Interval For Counting Failed Password Attempts - Remediation where authselect
- tool is present
+- name: Set Interval For Counting Failed Password Attempts - Set /etc/pam.d/ Path
+ Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-80669-5
+ - DISA-STIG-RHEL-08-020012
+ - DISA-STIG-RHEL-08-020013
+ - NIST-800-53-AC-7(a)
+ - NIST-800-53-CM-6(a)
+ - accounts_passwords_pam_faillock_interval
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Set Interval For Counting Failed Password Attempts - Remediation Where Authselect
+ Tool Is Present
block:
- name: Set Interval For Counting Failed Password Attempts - Check integrity of
@@ -102,12 +122,12 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Interval For Counting Failed Password Attempts - Remediation where authselect
- tool is not present
+- name: Set Interval For Counting Failed Password Attempts - Remediation Where Authselect
+ Tool Is Not Present
block:
- name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so
- is already enabled
+ Is Already Enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
@@ -117,41 +137,35 @@
register: result_pam_faillock_is_enabled
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
- preauth editing PAM files
+ preauth Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
- authfail editing PAM files
+ authfail Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
- account section editing PAM files
+ account Section Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
when:
@@ -175,8 +189,28 @@
tags:
- always
-- name: Set Interval For Counting Failed Password Attempts - Check the presence of
- /etc/security/faillock.conf file
+- name: Set Interval For Counting Failed Password Attempts - Set /etc/pam.d/ Path
+ Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-80669-5
+ - DISA-STIG-RHEL-08-020012
+ - DISA-STIG-RHEL-08-020013
+ - NIST-800-53-AC-7(a)
+ - NIST-800-53-CM-6(a)
+ - accounts_passwords_pam_faillock_interval
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Set Interval For Counting Failed Password Attempts - Check The Presence of
+ /etc/security/faillock.conf File
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
@@ -194,8 +228,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
- fail_interval parameter in /etc/security/faillock.conf
+- name: Set Interval For Counting Failed Password Attempts - Ensure The pam_faillock.so
+ fail_interval Parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*fail_interval\s*=
@@ -217,8 +251,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
- fail_interval parameter not in PAM files
+- name: Set Interval For Counting Failed Password Attempts - Ensure The pam_faillock.so
+ fail_interval Parameter Not in PAM Files
block:
- name: Set Interval For Counting Failed Password Attempts - Check if /etc/pam.d/system-auth
@@ -580,8 +614,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
- fail_interval parameter in PAM files
+- name: Set Interval For Counting Failed Password Attempts - Ensure The pam_faillock.so
+ fail_interval Parameter in PAM Files
block:
- name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so
@@ -594,8 +628,8 @@
changed_when: false
register: result_pam_faillock_fail_interval_parameter_is_present
- - name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion
- of pam_faillock.so preauth fail_interval parameter in auth section
+ - name: Set Interval For Counting Failed Password Attempts - Ensure The Inclusion
+ of pam_faillock.so preauth fail_interval Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
@@ -603,14 +637,12 @@
line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
}}
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_fail_interval_parameter_is_present.found == 0
- - name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion
- of pam_faillock.so authfail fail_interval parameter in auth section
+ - name: Set Interval For Counting Failed Password Attempts - Ensure The Inclusion
+ of pam_faillock.so authfail fail_interval Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
@@ -618,37 +650,31 @@
line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
}}
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_fail_interval_parameter_is_present.found == 0
- - name: Set Interval For Counting Failed Password Attempts - Ensure the desired
- value for pam_faillock.so preauth fail_interval parameter in auth section
+ - name: Set Interval For Counting Failed Password Attempts - Ensure The Desired
+ Value for pam_faillock.so preauth fail_interval Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(fail_interval)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval }}\5
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_fail_interval_parameter_is_present.found > 0
- - name: Set Interval For Counting Failed Password Attempts - Ensure the desired
- value for pam_faillock.so authfail fail_interval parameter in auth section
+ - name: Set Interval For Counting Failed Password Attempts - Ensure The Desired
+ Value for pam_faillock.so authfail fail_interval Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(fail_interval)=[0-9]+(.*)
line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval }}\5
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_fail_interval_parameter_is_present.found > 0
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent
@@ -29,8 +29,26 @@
- no_reboot_needed
- restrict_strategy
+- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Set /etc/pam.d/
+ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-87096-4
+ - DISA-STIG-RHEL-08-020018
+ - DISA-STIG-RHEL-08-020019
+ - accounts_passwords_pam_faillock_silent
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Remediation
- where authselect tool is present
+ Where Authselect Tool Is Present
block:
- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Check
@@ -97,11 +115,11 @@
- restrict_strategy
- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Remediation
- where authselect tool is not present
+ Where Authselect Tool Is Not Present
block:
- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Check
- if pam_faillock.so is already enabled
+ if pam_faillock.so Is Already Enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
@@ -111,41 +129,35 @@
register: result_pam_faillock_is_enabled
- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Enable
- pam_faillock.so preauth editing PAM files
+ pam_faillock.so preauth Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Enable
- pam_faillock.so authfail editing PAM files
+ pam_faillock.so authfail Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Do Not Show System Messages When Unsuccessful Logon Attempts Occur - Enable
- pam_faillock.so account section editing PAM files
+ pam_faillock.so account Section Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -41,8 +41,31 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
- tool is present
+- name: Set Lockout Time for Failed Password Attempts - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-80670-3
+ - CJIS-5.5.3
+ - DISA-STIG-RHEL-08-020014
+ - DISA-STIG-RHEL-08-020015
+ - NIST-800-171-3.1.8
+ - NIST-800-53-AC-7(b)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.1.7
+ - PCI-DSSv4-8.3.4
+ - accounts_passwords_pam_faillock_unlock_time
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Set Lockout Time for Failed Password Attempts - Remediation Where Authselect
+ Tool Is Present
block:
- name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect
@@ -113,12 +136,12 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
- tool is not present
+- name: Set Lockout Time for Failed Password Attempts - Remediation Where Authselect
+ Tool Is Not Present
block:
- name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so
- is already enabled
+ Is Already Enabled
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: .*auth.*pam_faillock\.so (preauth|authfail)
@@ -128,41 +151,35 @@
register: result_pam_faillock_is_enabled
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so preauth
- editing PAM files
+ Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so preauth
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so authfail
- editing PAM files
+ Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: auth required pam_faillock.so authfail
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
- name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so account
- section editing PAM files
+ Section Editing PAM Files
ansible.builtin.lineinfile:
path: '{{ item }}'
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
when:
@@ -190,8 +207,31 @@
tags:
- always
-- name: Set Lockout Time for Failed Password Attempts - Check the presence of /etc/security/faillock.conf
- file
+- name: Set Lockout Time for Failed Password Attempts - Set /etc/pam.d/ Path Facts
+ ansible.builtin.set_fact:
+ pam_path:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-80670-3
+ - CJIS-5.5.3
+ - DISA-STIG-RHEL-08-020014
+ - DISA-STIG-RHEL-08-020015
+ - NIST-800-171-3.1.8
+ - NIST-800-53-AC-7(b)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.1.7
+ - PCI-DSSv4-8.3.4
+ - accounts_passwords_pam_faillock_unlock_time
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Set Lockout Time for Failed Password Attempts - Check The Presence of /etc/security/faillock.conf
+ File
ansible.builtin.stat:
path: /etc/security/faillock.conf
register: result_faillock_conf_check
@@ -213,8 +253,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
- unlock_time parameter in /etc/security/faillock.conf
+- name: Set Lockout Time for Failed Password Attempts - Ensure The pam_faillock.so
+ unlock_time Parameter in /etc/security/faillock.conf
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: ^\s*unlock_time\s*=
@@ -240,8 +280,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
- unlock_time parameter not in PAM files
+- name: Set Lockout Time for Failed Password Attempts - Ensure The pam_faillock.so
+ unlock_time Parameter Not in PAM Files
block:
- name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/system-auth
@@ -607,8 +647,8 @@
- no_reboot_needed
- restrict_strategy
-- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
- unlock_time parameter in PAM files
+- name: Set Lockout Time for Failed Password Attempts - Ensure The pam_faillock.so
+ unlock_time Parameter in PAM Files
block:
- name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so
@@ -621,8 +661,8 @@
changed_when: false
register: result_pam_faillock_unlock_time_parameter_is_present
- - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of
- pam_faillock.so preauth unlock_time parameter in auth section
+ - name: Set Lockout Time for Failed Password Attempts - Ensure The Inclusion of
+ pam_faillock.so preauth unlock_time Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
@@ -630,14 +670,12 @@
line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
}}
state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ loop: '{{ pam_path }}'
when:
- result_pam_faillock_unlock_time_parameter_is_present.found == 0
- - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of
- pam_faillock.so authfail unlock_time parameter in auth section
+ - name: Set Lockout Time for Failed Password Attempts - Ensure The Inclusion of
+ pam_faillock.so authfail unlock_time Parameter in auth Section
ansible.builtin.lineinfile:
path: '{{ item }}'
backrefs: true
@@ -6
... The diff is trimmed here ...
FYI @dodys
DISA has released v1r9 STIG, though running
The following STIGs only have modified descriptions.
Will be closing this PR as it has been broken up into smaller PRs.