diff --git a/.ansible-lint b/.ansible-lint index 01e7ca8c..e582a588 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,12 +1,20 @@ parseable: true quiet: true skip_list: - - '204' - - '208' - - '305' - - '303' - - '403' - - '306' - - '602' + - 'schema' + - 'no-changed-when' + - 'var-spacing' + - 'experimental' + - 'name[play]' + - 'name[casing]' + - 'name[template]' + - 'fqcn[action]' + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' + - '208' use_default_rules: true verbosity: 0 diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index d70f1e36..325c24f2 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -5,5 +5,5 @@ ami_username = "centos" ami_user_home = "/home/centos" instance_tags = { Name = "RHEL7-STIG" - Environment = "lockdown_github_repo_workflow" + Environment = "github_test_pipeline" } diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf index d5a0db02..ba777642 100644 --- a/.github/workflows/github_networks.tf +++ b/.github/workflows/github_networks.tf 
@@ -1,11 +1,53 @@ resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - tags = var.instance_tags + cidr_block = var.main_vpc_cidr + instance_tenancy = "default" + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-VPC" + } } resource "aws_internet_gateway" "IGW" { vpc_id = aws_vpc.Main.id tags = { - Name = "${var.namespace}-IGW" + Environment = "${var.environment}" + Name = "${var.namespace}-IGW" + } +} + +resource "aws_subnet" "publicsubnets" { + vpc_id = aws_vpc.Main.id + cidr_block = var.public_subnets + availability_zone = var.availability_zone + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-pubsub" + } +} + +resource "aws_subnet" "Main" { + vpc_id = aws_vpc.Main.id + cidr_block = var.private_subnets + availability_zone = var.availability_zone + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-prvsub" + } +} + +resource "aws_route_table" "PublicRT" { + vpc_id = aws_vpc.Main.id + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.IGW.id + } + tags = { + Environment = "${var.environment}" + Name = "${var.namespace}-publicRT" } } + +resource "aws_route_table_association" "rt_associate_public" { + subnet_id = aws_subnet.Main.id + route_table_id = aws_route_table.PublicRT.id +} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 38be3edc..24daeca6 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -3,10 +3,12 @@ // Declared in variables.tf // -namespace = "github_actions" +namespace = "github_actions" +environment = "lockdown_github_repo_workflow" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" +private_key = ".ssh/github_actions.pem" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" -private_subnets = "172.22.0.192/26" \ No newline at end of file +private_subnets = "172.22.0.192/26" 
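Review bot: `aws_route_table_association.rt_associate_public` attaches `PublicRT` (default route `0.0.0.0/0` to the IGW) to `aws_subnet.Main`, the subnet built from `var.private_subnets` and tagged `-prvsub`, while `aws_subnet.publicsubnets` is left with no route table at all; main.tf in this same commit then places `aws_instance.testing_vm` in that subnet via `subnet_id = aws_subnet.Main.id`. It works, because the instance does get a public route, but the naming is inverted and will mislead anyone later tightening this network; either associate `PublicRT` with `aws_subnet.publicsubnets` and point the instance there, or rename `Main` to say it is the public subnet and drop the unused `publicsubnets`. Minor style point: the interpolation-only strings such as `Environment = "${var.environment}"` can be written `Environment = var.environment` (terraform 0.12+ warns on the quoted form).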
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 3c4cf3f5..591617f2 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -5,116 +5,107 @@ name: linux_benchmark_pipeline # Controls when the action will run. # Triggers the workflow on push or pull request # events but only for the devel branch -on: - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' +on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@v1.1.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well. + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
# This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - -### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false - -## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - -# Centos 7 images take a while to come up insert sleep or playbook fails - - - name: Check if test os is rhel7 - working-directory: .github/workflows - id: test_os - run: >- - echo "::set-output name=RHEL7::$( - grep -c RHEL7 OS.tfvars - )" - - - name: if RHEL7 - Sleep for 60 seconds - if: steps.test_os.outputs.RHEL7 >= 1 - run: sleep 60s - shell: bash - -# Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} -# verbose: 3 - env: - 
ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - -# Remove test system - User secrets to keep if necessary + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest - - name: Terraform_Destroy - working-directory: .github/workflows - if: always() && env.ENABLE_DEBUG == 'false' env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + ENABLE_DEBUG: false + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, + # so your job can access it + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + ### Build out the server + - name: Terraform_Init + working-directory: .github/workflows + run: terraform init + + - name: Terraform_Validate + working-directory: .github/workflows + run: terraform validate + + - name: Terraform_Apply + working-directory: .github/workflows + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + shell: bash + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: 
arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + working-directory: .github/workflows + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 9ad9240b..0e5660c3 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -5,9 +5,6 @@ provider "aws" { // Create a security group with access to port 22 and port 80 open to serve HTTP traffic -data "aws_vpc" "default" { - default = true -} resource "random_id" "server" { keepers = { @@ -19,8 +16,8 @@ resource "random_id" "server" { } resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}" - vpc_id = data.aws_vpc.default.id + name = "${var.namespace}-${random_id.server.hex}-SG" + vpc_id = aws_vpc.Main.id ingress { from_port = 22 @@ -43,6 +40,7 @@ resource "aws_security_group" "github_actions" { cidr_blocks = ["0.0.0.0/0"] } tags = { + Environment = "${var.environment}" Name = "${var.namespace}-SG" } } 
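Review bot: `actions/first-interaction@main` (previously pinned to `v1.1.0`) and `arillso/action.playbook@master` track mutable branches, so whatever lands on those upstream branches runs in this job with `secrets.GITHUB_TOKEN`, `secrets.SSH_PRV_KEY` and the AWS keys; pin both to a release tag or, better, a full commit SHA, e.g. `uses: actions/first-interaction@<commit-sha>` with the version in a trailing comment. The job is triggered by `pull_request_target`, checks out `github.event.pull_request.head.sha` and then runs `terraform apply` from `.github/workflows` and the checked-out `site.yml` with those same secrets, so the terraform and playbook files of a fork PR execute with repository credentials; this predates the commit, but gating the `build` job behind an environment with required reviewers or a maintainer-applied label would close it. Separately, `echo $PRIVATE_KEY > .ssh/github_actions.pem` is unquoted, so if `SSH_PRV_KEY` is a multi-line PEM the shell word-splits it onto one line; `echo "$PRIVATE_KEY" > .ssh/github_actions.pem` preserves it.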
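Review bot: The `aws_security_group.github_actions` hunk moves the group into the new VPC but the rule ending just above `tags` still carries `cidr_blocks = ["0.0.0.0/0"]`, and the file's header comment describes ports 22 and 80 as open; if that is the SSH ingress, the test instance is reachable from any address for the lifetime of the job. The only legitimate client is the GitHub runner, so consider passing the runner's public address in as a variable and restricting the ingress to it, and dropping the port 80 rule if nothing in this pipeline serves HTTP. The resource's other rules are outside the hunk, so this is inferred from the context lines.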
@@ -51,11 +49,13 @@ resource "aws_security_group" "github_actions" { resource "aws_instance" "testing_vm" { ami = var.ami_id + availability_zone = var.availability_zone associate_public_ip_address = true key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs instance_type = var.instance_type tags = var.instance_tags vpc_security_group_ids = [aws_security_group.github_actions.id] + subnet_id = aws_subnet.Main.id root_block_device { delete_on_termination = true } @@ -77,7 +77,8 @@ resource "local_file" "inventory" { setup_audit: true run_audit: true system_is_ec2: true - audit_git_version: devel + rhel_07_010340: false + rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.somethingnewhere' EOF } diff --git a/.github/workflows/terraform.tfvars b/.github/workflows/terraform.tfvars index 6d98b8bb..31113784 100644 --- a/.github/workflows/terraform.tfvars +++ b/.github/workflows/terraform.tfvars @@ -1,4 +1,5 @@ // vars should be loaded by OSname.tfvars +availability_zone = "us-east-1b" aws_region = "us-east-1" ami_os = var.ami_os ami_username = var.ami_username diff --git a/.github/workflows/test.sh b/.github/workflows/test.sh deleted file mode 100644 index 1a7202a8..00000000 --- a/.github/workflows/test.sh +++ /dev/null @@ -1,6 +0,0 @@ -RHEL7=$(grep -c RHEL7 OS.tfvars) -if [ `echo $?` != 0 ]; then - exit 0 -fi - - diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml new file mode 100644 index 00000000..2052b0a8 --- /dev/null +++ b/.github/workflows/update_galaxy.yml 
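Review bot: `rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.somethingnewhere'` in the generated inventory is a placeholder, not output of `grub2-mkpasswd-pbkdf2` (the README hunk in this commit says the hash must be generated with that command), so the pipeline exercises the grub control with a value that could never authenticate and a reader cannot tell whether that is intended; either commit a hash generated for a throwaway test passphrase with a comment saying so, or disable the control in this inventory the way `rhel_07_010340: false` does. `rhel_07_010340: false` itself carries no comment explaining why it is off in the test run — presumably the sudo-related behaviour the README warns about; a one-line `# disabled: ...` comment would help. In `aws_instance.testing_vm`, `availability_zone = var.availability_zone` is redundant with `subnet_id = aws_subnet.Main.id` (the subnet already fixes the AZ) and apply fails if the two ever disagree; dropping it is the safer form.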
@@ -0,0 +1,21 @@ +--- + +# This is a basic workflow to help you get started with Actions + +name: update galaxy + +# Controls when the action will run. +# Triggers the workflow on merge request events to the main branch +on: # yamllint disable-line rule:truthy + push: + branches: + - main +jobs: + update_role: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: robertdebock/galaxy-action@master + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + git_branch: main diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index eabec247..7e05228b 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf @@ -6,6 +6,12 @@ variable "aws_region" { type = string } +variable "availability_zone" { + description = "List of availability zone in the region" + default = "us-east-1b" + type = string +} + variable "instance_type" { description = "EC2 Instance Type" default = "t3.micro" @@ -22,6 +28,11 @@ variable "ami_key_pair_name" { type = string } +variable "private_key" { + description = "path to private key for ssh" + type = string +} + variable "ami_os" { description = "AMI OS Type" type = string @@ -29,7 +40,7 @@ variable "ami_os" { variable "ami_id" { description = "AMI ID reference" - type = string + type = string } variable "ami_username" { @@ -47,6 +58,11 @@ variable "namespace" { type = string } +variable "environment" { + description = "Env Name used across all tags" + type = string +} + // taken from github_vars.tfvars & variable "main_vpc_cidr" { @@ -62,4 +78,4 @@ variable "public_subnets" { variable "private_subnets" { description = "private subnet cidr block" type = string -} \ No newline at end of file +} diff --git a/.yamllint b/.yamllint index faa9773d..72ac645b 100644 --- a/.yamllint +++ b/.yamllint 
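Review bot: `robertdebock/galaxy-action@master` tracks a mutable branch and receives `secrets.GALAXY_API_KEY`, so whoever controls that upstream branch controls what runs with the Galaxy key on every push to `main`; pin it to a full commit SHA (`uses: robertdebock/galaxy-action@<commit-sha>  # vX.Y.Z`) and let Dependabot bump it. `actions/checkout@v3` as a major tag is acceptable for a first-party action, though a SHA pin there too would keep the two workflows consistent.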
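Review bot: The description of `variable "availability_zone"` says `List of availability zone in the region`, but the variable is `type = string` with a single default; `description = "Single availability zone used for the subnets and the test instance"` matches what the code does. `variable "private_key"` has no default and its description does not say what the path is relative to — `github_vars.tfvars` sets `.ssh/github_actions.pem`, which only resolves when terraform runs from `.github/workflows` as the workflow does; `description = "Path to the ssh private key, relative to the terraform working directory"` would make that explicit.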
@@ -1,24 +1,28 @@ --- -ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml - +# Based on ansible-lint config extends: default rules: + braces: {max-spaces-inside: 1, level: error} + brackets: {max-spaces-inside: 1, level: error} + colons: {max-spaces-after: -1, level: error} + commas: {max-spaces-after: -1, level: error} + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: {max: 3, level: error} + hyphens: {level: error} indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - truthy: disable - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + key-duplicates: enable line-length: disable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: true diff --git a/ChangeLog.md b/ChangeLog.md index d825f81d..8112b081 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
@@ -1,5 +1,109 @@ # Changelog +## 2.0.1 + +update lint inline with galaxy requirements +lint +goss version +goss url + +## Release 2.0.0 + +Lint work +FQCN +Testing +workflow updates +audit version alignment +README + +### Issues + +- Thanks to @Joseph Hoffman + - [#405](https://github.com/ansible-lockdown/RHEL7-STIG/issues/405) +- Thanks to @Bordenit + - [#412](https://github.com/ansible-lockdown/RHEL7-STIG/issues/412) + - #415 + +- Update to V3R10 - Jan 2023 + All controls have rules updated + - cat_1 + - 010010 + - 010290 + + - cat 2 + - 010060 + - 010062 + - 010070 + - 010081 + - 010082 + - 010090 Added back in for screen pkgs to be installed + - 010100 + - 010101 + - 010110 + - 010199 - new control + - 010200 + - 010270 + - 010320 + - 010330 + - 010342 - updated grep command to grep -E + - 020029 - added notify and updated rule + - 020030 - updated mail path in cron job + - 020040 + - 020650 + - 021620 + - 040201 + - 040420 + - 040470 - conditional added only pre 7.4 + - 040610 + - 040611 + - 040612 + - 040620 + - 040630 + - 040640 + - 040641 + - 040650 + - 040660 + - 040712 - new control ssh KEX + - 040740 + - 040830 + +- cat 3 + - 010375 - new control + - 021600 + - 021610 + +## Release 1.9.0 + +- RHEL-07-010271 - New Control Added +- Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below + - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text. + - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives. + - RHEL-07-030840 - Updated check and fix text. + - RHEL-07-040160 - Updated check text. + - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion. + - RHEL-07-040360, RHEL-07-040530 - Updated CCI. 
+- Update to README and requirements +- RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information + +## Relase 1.7.0 + +- Update to STIG V3R8 Jul 27th 2022 - rule ID changes +- update to README and requirements +- thanks to @dirtyharrycallahan + - [ansible-lockdown/RHEL7-STIG#410](https://github.com/ansible-lockdown/RHEL7-STIG/issues/410) +- thanks to @dtm966 + - #404 updated clamav packages and service name +- thanks to @bordentit + - [ansible-lockdown/RHEL7-STIG#412](https://github.com/ansible-lockdown/RHEL7-STIG/issues/412) addressed slightly differently + - 010340 added disruption is high + - updated audit restart control + - README jmespath added back in + +## Release 1.6.0 + +- Update to STIG v3r7 Apr 27th 2022 +- Removed unnecessary local.yml + ## Release 1.3.3 - update to STIG v3r6 Jan 27th 2022 diff --git a/README.md b/README.md index 346aa8b8..7250a235 100644 --- a/README.md +++ b/README.md @@ -6,11 +6,11 @@ Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`. -This role is based on RHEL 7 DISA STIG: [Version 3, Rel 6 released on Jan 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R6_STIG.zip). +This role is based on RHEL 7 DISA STIG: [Version 3, Rel 10 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R10_STIG.zip). ## Join us -On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users ## Updating 
@@ -55,6 +55,11 @@ Access to download or add the goss binary and content to the system if using aud - Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL7-STIG/wiki/Main-Variables). - While check_mode may work, This is not supported. +### Please be aware + +- This does set the single user password for grub this does need to be defined - You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2' +- Some controls make changes to sudo, please ensure a sudo password is set for the user and it is added to the way to run your playbook. + ## Documentation - [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL7-STIG/) @@ -68,6 +73,7 @@ Access to download or add the goss binary and content to the system if using aud - Python3 (preferred) - Ansible 2.9+ +- jmespath Ansible is set to run in a python3 environment. @@ -93,15 +99,16 @@ tags: ## Example Audit Summary -This is based on a vagrant image with selections enabled. e.g. No Gui or firewall. +This is based on a vagrant image with selections enabled. e.g. No Gui iptables firewall + Note: More tests are run during audit as we check config and running state. ```sh -ok: [rhel7test] => { +ok: [cent7_bios] => { "msg": [ - "The pre remediation results are: Count: 308, Failed: 156, Duration: 44.108s.", - "The post remediation results are: Count: 308, Failed: 14, Duration: 37.647s.", - "Full breakdown can be found in /var/tmp", + "The pre remediation results are: Count: 505, Failed: 214, Duration: 14.808s.", + "The post remediation results are: Count: 505, Failed: 34, Duration: 43.593s.", + "Full breakdown can be found in /opt", "" ] } 
diff --git a/ansible-lint b/ansible-lint new file mode 100644 index 00000000..f21e1f44 --- /dev/null +++ b/ansible-lint @@ -0,0 +1,14 @@ +parseable: true +quiet: true +skip_list: + - 'schema' + - 'no-changed-when' + - 'fqcn-builtins' + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' +use_default_rules: true +verbosity: 0 diff --git a/defaults/main.yml b/defaults/main.yml index 029b053a..d52299cc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -12,6 +12,8 @@ python2_bin: /bin/python2.7 ## Benchmark name used by auditing control role # audit variable found at the base benchmark: RHEL7-STIG +## metadata for Audit benchmark +benchmark_version: 'v3r10' # Whether to skip the reboot rhel7stig_skip_reboot: true @@ -129,6 +131,7 @@ rhel_07_010160: true rhel_07_010170: true rhel_07_010180: true rhel_07_010190: true +rhel_07_010199: true rhel_07_010200: true rhel_07_010210: true rhel_07_010220: true @@ -137,6 +140,7 @@ rhel_07_010240: true rhel_07_010250: true rhel_07_010260: true rhel_07_010270: true +rhel_07_010271: true rhel_07_010280: true rhel_07_010310: true rhel_07_010320: true @@ -301,6 +305,7 @@ rhel_07_040670: true rhel_07_040680: true rhel_07_040710: true rhel_07_040711: true +rhel_07_040712: true rhel_07_040720: true rhel_07_040730: true rhel_07_040740: true @@ -315,6 +320,7 @@ rhel_07_041010: true rhel_07_910055: true # CAT 3 rules +rhel_07_010375: true rhel_07_020200: true rhel_07_020300: true rhel_07_021024: true @@ -369,7 +375,7 @@ rhel_07_020730_WWP_Change: true # (Red Hat has support for older versions if you pay extra for it.) rhel7stig_min_supported_os_ver: RedHat: "7.9" - CentOS: "7.9.2009" + CentOS: "7.9" OracleLinux: "7.9" # RHEL-07-040740 @@ -388,9 +394,9 @@ rhel7stig_antivirus_required: false rhel7stig_av_package: package: - clamav - - clamav-scanner - - clamav-server - service: clamav-daemon + - clamav-update + - clamd + service: clamd rhel7stig_time_service: chronyd rhel7stig_time_service_configs: 
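Review bot: The new root-level `ansible-lint` file (no leading dot) duplicates `.ansible-lint` with a different `skip_list` (`fqcn-builtins` here; `fqcn[action]` and the `name[...]` rules there). ansible-lint reads `.ansible-lint` (or `.config/ansible-lint.yml`) by default, so this copy is either unused or, if some tool passes it with `-c`, a second configuration that will silently diverge from the dotfile. Keep one file, or add a leading comment stating which tool consumes this one.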
@@ -412,6 +418,11 @@ rhel7stig_firewall_service: firewalld # The toggle to start the firewall service. Set to true the role will start the service for you where needed rhel7stig_start_firewall_service: true +# allowed firewall ports and protocols as found in the command used to discover +rhel7stig_firewall_ports_protocols: + - '22/tcp' + - '546/udp' + # RHEL-07-031010 rhel7stig_system_is_log_aggregator: false @@ -419,12 +430,14 @@ rhel7stig_use_fips: true fips_value: '0' rhel7stig_FIPS_ciphers: aes256-ctr,aes192-ctr,aes128-ctr rhel7stig_FIPS_MACs: hmac-sha2-512,hmac-sha2-256 +rhel7stig_FIPS_KEX: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 # RHEL-07-040300 # RHEL-07-040310 # Install and enable ssh on networked systems rhel7stig_ssh_required: true rhel7stig_ssh_ciphers: "{{ rhel7stig_FIPS_ciphers }}" rhel7stig_ssh_macs: "{{ rhel7stig_FIPS_MACs }}" +rhel7stig_ssh_kex: "{{ rhel7stig_FIPS_KEX }}" # RHEL-07-040490 # If not required, remove vsftpd. @@ -454,7 +467,8 @@ rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel7stig_boot_superuser: root # RHEL-07-021700 set the value for correctly configured grub bootloader sequence -rhel7stig_grub_bootloader_validorder: " set root='hd0,msdos1'" +# note this is different for bios and EFI boot types. so can be changed via the inventory or alternate vars +rhel7stig_grub_bootloader_validorder: "set root='hd0,1'" # RHEL-07-040200 Path for cacrt bundle that holds LDAP certs for tls transport rhel_07_040200_cabundle_path: etc/pki/tls/certs/ca-bundle.crt 
@@ -483,7 +497,7 @@ rhel7stig_aide_cron: special_time: daily # Disable the notification check rule to disable mailing notifications notify_by_mail: "{{ rhel_07_020040 }}" - notify_cmd: ' | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' + notify_cmd: ' | /var/spool/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' rhel7stig_cron_special_disable: "{{ rhel7stig_workaround_for_disa_benchmark or @@ -521,7 +535,7 @@ rhel7stig_logon_banner_nice: | -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - -notwithstanding the above, using this IS does not constitute consent to PM, LE + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such @@ -541,7 +555,7 @@ rhel7stig_password_complexity: minlen: 15 # RHEL-07-020022 -# rhel7stig_ssh_sysadm_login_state is the state for the ssh_sysadmin_login boolean. +# rhel7stig_ssh_sysadm_login_state is the state for the ssh_sysadmin_login boolean. # The value False will set the value to off, which does not allow privileged accounts to utilize SSH # The value True will set the value to on, which allows privileged accounts to utilize SSH # To confrom to STIG requirements use the value of false @@ -550,7 +564,7 @@ rhel7stig_ssh_sysadm_login_state: false # RHEL-07-040160 # Session timeout setting file (TMOUT setting can be set in multiple files) -# Timeout value is in seconds. (60 seconds * 15 = 600) +# Timeout value is in seconds. (60 seconds * 15 = 900) rhel7stig_shell_session_timeout: file: /etc/profile.d/tmout.sh timeout: 900 
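Review bot: `notify_cmd` now pipes the AIDE output into `/var/spool/mail`, which on RHEL 7 is the mail spool directory (a symlink to `/var/mail`), not an executable, so the daily cron job fails at the pipe and the RHEL-07-020040 notification is never sent. `/bin/mail` and `/usr/bin/mail` are the same mailx binary on RHEL 7 (`/bin` is a symlink to `/usr/bin`), so if the intent was to use the canonical path the line should be `notify_cmd: ' | /usr/bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'`. The goss audit for this control likely only greps the crontab, so it will not catch the broken pipeline.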
@@ -628,6 +642,9 @@ rhel7stig_login_defaults: umask: '077' create_home: 'yes' +# Default value - if control is enabled this will run for the valid controls. +update_audit_template: false + # RHEL-07-030300 uncomment and set the value to a remote IP address that can receive audit logs # rhel7stig_audisp_remote_server: 10.10.10.10 @@ -636,6 +653,7 @@ rhel7stig_auditd_space_left: "{{ ( ansible_mounts | json_query(rhel7stig_audit_d rhel7stig_audit_disk_size_query: "[?mount=='{{ rhel7stig_audit_part }}'].size_total | [0]" # RHEL-07-030350 +rhel7stig_audit_daemon: auditd rhel7stig_auditd_mail_acct: root # RHEL-07-020630 @@ -711,17 +729,22 @@ rhel7stig_world_write_files_owner_root: false rhel7stig_sudo_timestamp_timeout: 1 #### Audit Configuration Settings #### +# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_run_script_environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_FILE: 'goss.yml' + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Audit binary settings ### audit_bin_version: - release: v0.3.16 - checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb' + release: v0.3.21 + checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json # if get_audit_binary_method == download change accordingly -audit_bin_url: "https://github.com/aelsabbahy/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" ## if get_audit_binary_method - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node 
@@ -732,7 +755,7 @@ audit_bin_copy_location: /some/accessible/path ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: main +audit_git_version: "benchmark_{{ benchmark_version }}_rh7" # copy: audit_local_copy: "some path to copy from" @@ -742,13 +765,13 @@ audit_files_url: "some url maybe s3?" ## Goss configuration information # Where the goss configs and outputs are stored -audit_out_dir: '/var/tmp' +audit_out_dir: '/opt' # Where the goss audit configuration will be stored audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing audit_control_file: "{{ audit_conf_dir }}goss.yml" diff --git a/handlers/main.yml b/handlers/main.yml index 90cc79c8..b39b6b24 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -1,31 +1,31 @@ --- - name: restart sshd - service: + ansible.builtin.service: name: sshd state: restarted when: - not rhel7stig_system_is_chroot - name: reboot system - shell: sleep 3; reboot + ansible.builtin.shell: sleep 3; reboot async: 15 poll: 0 - name: restart snmpd - service: + ansible.builtin.service: name: snmpd state: restarted when: - not rhel7stig_system_is_chroot - name: confirm grub2 user cfg - stat: + ansible.builtin.stat: path: /boot/grub2/user.cfg register: rhel7stig_grub2_user_cfg notify: make grub2 config - name: make grub2 config - command: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_grub_cfg_path }} + ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_grub_cfg_path }} when: - rhel7stig_grub2_user_cfg.stat.exists - not rhel7stig_skip_for_travis @@ -33,10 +33,10 @@ - name: copy grub2 config to BIOS/UEFI to satisfy benchmark listen: make grub2 config - copy: + ansible.builtin.copy: src: "{{ rhel7stig_grub_cfg_path | dirname }}/{{ item }}" dest: "{{ rhel7stig_grub_cfg_path_invalid | dirname }}/{{ item }}" - remote_src: yes + remote_src: true mode: 0600 with_items: - grub.cfg @@ -48,7 +48,7 @@ - not rhel7stig_system_is_container - name: "restart {{ rhel7stig_time_service }}" - service: + ansible.builtin.service: name: "{{ rhel7stig_time_service }}" state: restarted when: 
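Review bot: `make grub2 config` is converted from `command:` to `ansible.builtin.shell:` although the line has no pipe, redirect or variable expansion that needs a shell; the FQCN for `command` is `ansible.builtin.command`, and `shell` runs the templated `{{ rhel7stig_grub_cfg_path }}` through `/bin/sh`, where a value containing shell metacharacters is interpreted rather than passed as one argument. The same `command` → `shell` swap is made in the `@@ -56,36` and `@@ -93,27` hunks (`restart auditd`, `rebuild initramfs`, `undo existing prelinking`, `update running audit failure mode`, `init aide and wait`, `move aide db`, `dconf update`); only `init aide` (background `&` with a redirect) and `reboot system` (`;`) actually need `shell`. ansible-lint's `command-instead-of-shell` rule will flag each of these, so the lint this commit is trying to satisfy will regress.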
@@ -56,36 +56,23 @@ - not rhel7stig_system_is_chroot - not rhel7stig_system_is_container -- name: update auditd - template: - src: audit/99_auditd.rules.j2 - dest: /etc/audit/rules.d/99_auditd.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - - name: restart auditd - command: /usr/sbin/service auditd restart + ansible.builtin.shell: /usr/sbin/service "{{ rhel7stig_audit_daemon }}" restart args: - warn: no - when: - - not rhel7stig_skip_for_travis - - not rhel7stig_system_is_chroot - - not rhel7stig_system_is_container + warn: false - name: rebuild initramfs - command: dracut -f + ansible.builtin.shell: dracut -f - name: undo existing prelinking - command: prelink -ua + ansible.builtin.shell: prelink -ua - name: update running audit failure mode - command: auditctl -f {{ rhel7stig_auditd_failure_flag }} - failed_when: no + ansible.builtin.shell: auditctl -f {{ rhel7stig_auditd_failure_flag }} + failed_when: false - name: clean up ssh host key - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: 
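Review bot: `restart auditd` keeps `args: warn: false`, but the `warn` option of `command`/`shell` was deprecated and has since been removed from ansible-core (2.14), so on current cores this handler fails with an unsupported-parameter error rather than restarting auditd; drop the `args:` block (the `warn: false` on `update auditd` that was removed in the same hunk had the same problem). The handler also no longer carries the `not rhel7stig_skip_for_travis` / `not rhel7stig_system_is_chroot` / `not rhel7stig_system_is_container` guards that `restart sshd` and `restart {{ rhel7stig_time_service }}` still have, so in a container or chroot run `service "{{ rhel7stig_audit_daemon }}" restart` now executes and fails; restoring those three `when:` conditions keeps the handlers consistent.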
@@ -93,27 +80,27 @@ - /etc/ssh/ssh_host_rsa_key.pub - name: init aide and wait - command: /usr/sbin/aide --init -B 'database_out=file:{{ rhel7stig_aide_temp_db_file }}' + ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:{{ rhel7stig_aide_temp_db_file }}' notify: move aide db - name: init aide - shell: nohup /usr/sbin/aide --init -B 'database_out=file:{{ rhel7stig_aide_temp_db_file }}' > /dev/null & + ansible.builtin.shell: nohup /usr/sbin/aide --init -B 'database_out=file:{{ rhel7stig_aide_temp_db_file }}' > /dev/null & notify: move aide db - name: move aide db - command: "mv {{ rhel7stig_aide_temp_db_file }} {{ rhel7stig_aide_db_file }}" + ansible.builtin.shell: "mv {{ rhel7stig_aide_temp_db_file }} {{ rhel7stig_aide_db_file }}" when: not rhel7stig_aide_db_status.stat.exists or rhel7stig_overwrite_aide_db - name: dconf update - command: dconf update + ansible.builtin.shell: dconf update when: rhel7stig_has_dconf_command - name: prereport score - debug: + ansible.builtin.debug: msg: "Pre-run OpenSCAP score is {{ rhel7stig_prescanresults.Benchmark.TestResult.score['#text'] }}" when: rhel7stig_oscap_scan - name: postreport score - debug: + ansible.builtin.debug: msg: "Post-run OpenSCAP score is {{ rhel7stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel7stig_oscap_scan diff --git a/local.yml b/local.yml deleted file mode 100644 index 4d9e4862..00000000 --- a/local.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- hosts: localhost - connection: local - become: yes - vars: - is_container: false - roles: - - role: "{{ playbook_dir }}" - rhel7stig_system_is_container: "{{ is_container | default(false) }}" - rhel7stig_ssh_required: "{{ is_container == false }}" diff --git a/meta/main.yml b/meta/main.yml index b69ab484..40edc8c8 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -5,9 +5,12 @@ galaxy_info: company: "MindPoint Group" license: MIT role_name: rhel7_stig - min_ansible_version: 2.9 + namespace: mindpointgroup + min_ansible_version: 2.9.0 platforms: - name: EL + versions: + - 7 galaxy_tags: - system - security diff --git a/site.yml b/site.yml index efcfabb7..830c253d 100644 --- a/site.yml +++ b/site.yml @@ -1,5 +1,5 @@ --- -- hosts: all +- hosts: all # noqa: name[play] become: true vars: is_container: false diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 616edd8a..fd75cea5 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,7 +1,7 @@ --- - name: Download audit binary - get_url: + ansible.builtin.get_url: url: "{{ audit_bin_url }}" dest: "{{ audit_bin }}" owner: root @@ -12,11 +12,11 @@ - get_audit_binary_method == 'download' - name: copy audit binary - copy: + ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: 0555 owner: root group: root when: - - get_audit_binary_method == 'copy' \ No newline at end of file + - get_audit_binary_method == 'copy' diff --git a/tasks/audit_command.yml b/tasks/audit_command.yml deleted file mode 100644 index 6bc823e2..00000000 --- a/tasks/audit_command.yml +++ /dev/null 
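Review bot: The `Download audit binary` task in tasks/LE_audit_setup.yml fetches `{{ audit_bin_url }}` straight to `{{ audit_bin }}` and the hunk shows no `checksum:` on `ansible.builtin.get_url`. The task body continues outside the hunk, so if no checksum is set there the role executes whatever the URL serves at run time; `checksum: "sha256:{{ audit_bin_checksum }}"` (constructed variable name) next to `url:` would pin the expected binary. The `mode: 0555` on the copy task is an unquoted octal literal that only works because YAML 1.1 parses it as octal; `mode: '0555'` is the portable spelling.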
@@ -1,17 +0,0 @@ ---- -# tasks/audit_command.yml - -- name: "MEDIUM | RHEL-07-{{ item.id }} | {{ audit_present | ternary('PATCH', 'REVERT') }} | The Red Hat Enterprise Linux operating system must audit all uses of the {{ item.path | basename }} command." - lineinfile: - path: "/etc/audit/rules.d/rhel7stig_commands.rules" - create: yes - owner: root - group: root - mode: 0600 - line: "{{ item.trivial | default(false) | ternary(trivial_audit, normal_audit) }}" - state: "{{ audit_present | ternary('present', 'absent') }}" - vars: - trivial_audit: "-w {{ item.path }} -p x -F auid!=4294967295 -k {{ item.key }}" - normal_audit: "-a always,exit -F path={{ item.path }} {% if not item.no_perm_x_filter is defined or not item.no_perm_x_filter %}-F perm=x {% endif %}-F auid>={{ rhel7stig_int_gid }} -F auid!=4294967295 -k {{ item.key }}" - audit_present: "{{ item.create | default(vars['rhel_07_' + item.id]) }}" - notify: restart auditd diff --git a/tasks/audit_file.yml b/tasks/audit_file.yml deleted file mode 100644 index b2aa0963..00000000 --- a/tasks/audit_file.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# tasks/audit_file.yml - -- name: "MEDIUM | RHEL-07-{{ item.id }} | {{ audit_present | ternary('PATCH', 'REVERT') }} | The Red Hat Enterprise Linux operating system must generate audit records for all {{ item.description }}." - lineinfile: - path: "/etc/audit/rules.d/rhel7stig_files.rules" - create: yes - owner: root - group: root - mode: 0600 - line: "-w {{ item.path }} -p wa -k {{ item.key }}" - state: "{{ audit_present | ternary('present', 'absent') }}" - vars: - audit_present: "{{ item.create | default(vars['rhel_07_' + item.id]) }}" - notify: restart auditd diff --git a/tasks/audit_firewalld.yml b/tasks/audit_firewalld.yml index 9ebe6930..ebfc496c 100644 --- a/tasks/audit_firewalld.yml +++ b/tasks/audit_firewalld.yml 
@@ -1,6 +1,7 @@ --- + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - command: firewall-cmd --get-default-zone + ansible.builtin.shell: firewall-cmd --get-default-zone register: rhel_07_040810_firewalld_zone_audit changed_when: false failed_when: false @@ -9,9 +10,11 @@ tags: - RHEL-07-040810 - firewall + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - command: firewall-cmd --list-all --zone="{{ rhel_07_040810_firewalld_zone_audit.stdout }}" + ansible.builtin.shell: firewall-cmd --list-all --zone="{{ rhel_07_040810_firewalld_zone_audit.stdout }}" register: rhel_07_040810_firewalld_zone_default_audit + changed_when: false when: - rhel_07_040810_firewalld_zone_audit.stdout | length > 0 - rhel7stig_start_firewall_service @@ -19,9 +22,8 @@ - RHEL-07-040810 - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: + ansible.builtin.debug: msg: "The following task output is the firewalld settings for zone {{ rhel_07_040810_firewalld_zone_audit.stdout }} from {{ ansible_hostname }}:" - changed_when: true when: - rhel_07_040810_firewalld_zone_audit.stdout | length > 0 - rhel7stig_start_firewall_service 
@@ -29,7 +31,7 @@ - RHEL-07-040810 - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: var=rhel_07_040810_firewalld_zone_default_audit.stdout_lines + ansible.builtin.debug: var=rhel_07_040810_firewalld_zone_default_audit.stdout_lines changed_when: true when: - rhel_07_040810_firewalld_zone_audit.stdout | length > 0 @@ -38,8 +40,8 @@ - RHEL-07-040810 - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: - msg: "WARNING! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." + ansible.builtin.debug: + msg: "Warning!! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." changed_when: true when: - rhel_07_040810_firewalld_zone_audit.stdout | length == 0 diff --git a/tasks/audit_homedirinifiles.yml b/tasks/audit_homedirinifiles.yml index fcf7c63f..44c6b7a1 100644 --- a/tasks/audit_homedirinifiles.yml +++ b/tasks/audit_homedirinifiles.yml 
@@ -1,6 +1,6 @@ --- - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - debug: + ansible.builtin.debug: msg: "You will need to audit {{ ini_item }} for reference to {{ item }}, which has been found with world-writable permissions. Those permissions will be changed in the next task to 0755." failed_when: false changed_when: false diff --git a/tasks/audit_homedirperms.yml b/tasks/audit_homedirperms.yml deleted file mode 100644 index 6ca917a7..00000000 --- a/tasks/audit_homedirperms.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -- name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - find: - paths: - - "{{ homedir }}" - recurse: true - file_type: any - register: rhel_07_020680_results - when: - - rhel_07_020680 - - rhel7stig_disruption_high - tags: - - RHEL-07-020680 - - complexity-high - -- name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - file: - path: "{{ line_item.path }}" - mode: 0640 - loop: "{{ rhel_07_020680_results.files }}" - loop_control: - label: "{{ line_item.path }}" - loop_var: line_item - when: - - rhel_07_020680_results.files.isreg is defined - - rhel_07_020710 - - rhel7stig_disruption_high - tags: - - RHEL-07-020680 - - complexity-high - -- name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - file: - path: "{{ line_item.path }}" - mode: 0750 - loop: "{{ rhel_07_020680_results.files }}" - loop_control: - label: "{{ line_item.path }}" - loop_var: line_item - when: - - rhel_07_020680_results.files.isdir is defined - - rhel_07_020680 - - rhel7stig_disruption_high - tags: - - RHEL-07-020680 - - complexity-high diff --git a/tasks/audit_iptables.yml b/tasks/audit_iptables.yml index 4c03dd29..d478dfa6 100644 --- a/tasks/audit_iptables.yml +++ b/tasks/audit_iptables.yml 
@@ -1,6 +1,7 @@ --- + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - command: iptables-save + ansible.builtin.shell: iptables-save register: rhel_07_040810_iptables_audit changed_when: false failed_when: false @@ -9,8 +10,9 @@ tags: - RHEL-07-040810 - firewall + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: + ansible.builtin.debug: msg: "The following task output is the iptables-save output in full from {{ ansible_hostname }}:" changed_when: true when: @@ -19,8 +21,9 @@ tags: - RHEL-07-040810 - firewall + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: var=rhel_07_040810_iptables_audit.stdout_lines + ansible.builtin.debug: var=rhel_07_040810_iptables_audit.stdout_lines changed_when: false when: - rhel_07_040810_iptables_audit.stdout_lines is defined 
@@ -28,9 +31,10 @@ tags: - RHEL-07-040810 - firewall + - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: - msg: "WARNING! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." + ansible.builtin.debug: + msg: "Warning!! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." changed_when: true when: - rhel_07_040810_iptables_audit.stdout_lines is not defined diff --git a/tasks/audit_selinuxlocaluserdefs.yml b/tasks/audit_selinuxlocaluserdefs.yml deleted file mode 100644 index 1a0cb921..00000000 --- a/tasks/audit_selinuxlocaluserdefs.yml +++ /dev/null 
@@ -1,84 +0,0 @@ ---- -# # Let's now check to see what is mapped to selinux -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - command: semanage login -l - register: rhel_07_020020_semanage_check - when: - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -# find the local interactive staff -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_staff_group }}/ {print $4;}' /etc/group | tr ',' '\n'" - register: rhel_07_020020_local_interactive_staff - when: - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - debug: - msg: "WARNING: There are no users configured to be part of the specified local interactive staff group {{ rhel_07_020020_selinux_local_interactive_staff_group }}. You must configure this group to satisfy requirements of this control." 
- changed_when: - - rhel7stig_audit_complex - when: - - not rhel_07_020020_local_interactive_staff.stdout_lines | length > 0 - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -- name: "MEDIUM | RHEL-07-020020 | PATCH | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: semanage login -m -s user_u "{{ item }}" - with_items: - - "{{ rhel_07_020020_local_interactive_staff.stdout_lines }}" - when: - - rhel_07_020020_local_interactive_staff.stdout_lines | length > 0 - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -# find the local interactive users -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_users_group }}/ {print $4;}' /etc/group | tr ',' '\n'" - register: rhel_07_020020_local_interactive_users - when: - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - debug: - msg: "WARNING: There are no users configured to be part of the specified local interactive user group {{ rhel_07_020020_selinux_local_interactive_users_group }}. You must configure this group to satisfy requirements of this control." 
- changed_when: - - rhel7stig_audit_complex - when: - - not rhel_07_020020_local_interactive_users.stdout_lines | length > 0 - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - -- name: "MEDIUM | RHEL-07-020020 | PATCH | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: semanage login -m -s user_u "{{ item }}" - with_items: - - "{{ rhel_07_020020_local_interactive_users.stdout_lines }}" - when: - - rhel_07_020020_local_interactive_users.stdout_lines | length > 0 - - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive - tags: - - RHEL-07-020020 - diff --git a/tasks/audit_system_call.yml b/tasks/audit_system_call.yml deleted file mode 100644 index 92381f5d..00000000 --- a/tasks/audit_system_call.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -# tasks/audit_system_call.yml - -- name: "MEDIUM | RHEL-07-{{ item.id }} | {{ audit_present | ternary('PATCH', 'REVERT') }} | The Red Hat Enterprise Linux operating system must audit all uses of the {{ item.call }} syscall." - lineinfile: - path: "/etc/audit/rules.d/rhel7stig_system_calls.rules" - create: yes - owner: root - group: root - mode: 0600 - line: "-a always,exit -F arch={{ arch }} -S {{ item.call }} {% if item.extra_fields is defined %}{{ item.extra_fields }} {% endif %}{{ item.include_all_auids | default(false) | ternary('', '-F auid>=1000 -F auid!=4294967295 ') }}-k {{ item.key }}" - state: "{{ audit_present | ternary('present', 'absent') }}" - with_items: - - b64 - - b32 - loop_control: - loop_var: arch - vars: - audit_present: "{{ item.create | default(vars['rhel_07_' + item.id]) }}" - notify: restart auditd diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 396f995d..68156f16 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -2,37 +2,29 @@ - name: "HIGH | RHEL-07-010010 | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." block: - name: "HIGH | RHEL-07-010010 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." - shell: | + ansible.builtin.shell: | rpm -Va --nolinkto --nofiledigest --nosize --nomtime --nodigest --nosignature | grep -E '^(.M|.....U|......G)' | tee /dev/stderr | cut -c13- | sed 's/^ //' | xargs rpm -qf --qf='%{name}\n' | sort -u args: warn: false check_mode: false failed_when: false - changed_when: rhel_07_010010_audit.stdout|length > 0 + changed_when: false register: rhel_07_010010_audit - - name: "HIGH | RHEL-07-010010 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." - debug: - msg: "{{ rhel_07_010010_audit.stdout_lines }}" - changed_when: true - when: rhel_07_010010_audit.stdout|length > 0 - - name: "HIGH | RHEL-07-010010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." 
- shell: > + ansible.builtin.shell: > ( rpm --setugids {{ item }}; rpm --setperms {{ item }} ) 2>&1 1>&2 | grep -v ': No such file or directory$' - args: - warn: false register: rhel_07_010010_patch - failed_when: rhel_07_010010_audit.stdout|length > 0 ignore_errors: true with_items: "{{ rhel_07_010010_audit.stdout_lines }}" + when: rhel_07_010010_audit.stdout_lines | length > 0 - - name: "HIGH | RHEL-07-010010 | AUDIT | WARNING: error during remediation" - debug: - msg: "{{ item.stdout_lines }}" + - name: "HIGH | RHEL-07-010010 | AUDIT | Error during remediation" + ansible.builtin.debug: + msg: "Warning!! The following package files have been reset to default {{ item }}" changed_when: true - with_items: "{{ rhel_07_010010_patch.results }}" + loop: "{{ rhel_07_010010_patch.results }}" loop_control: label: "{{ item.item }}" when: 
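Review bot: The new debug message `msg: "Warning!! The following package files have been reset to default {{ item }}"` loops over `rhel_07_010010_patch.results`, so `{{ item }}` renders the whole registered result (cmd, rc, stdout, …) rather than a package name; use `{{ item.item }}`, as the `loop_control` label already does. The audit task at the top of the hunk keeps `args: warn: false` while the patch task in the same hunk removes it, which is inconsistent and, since `warn` was removed from command/shell in ansible-core 2.14, fails on current ansible-core; drop those two lines here too. With `failed_when` gone and `ignore_errors: true` retained, an `rpm --setperms` failure is no longer surfaced anywhere because the message no longer prints `item.stdout_lines`; a second debug guarded by `when: item.rc != 0` would keep that visibility. The task's `when:` list continues past the end of the hunk.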
@@ -48,31 +40,27 @@ - CCI-002165 - CCI-002235 - SRG-OS-000257-GPOS-00098 - - SV-204392r646841_rule + - SV-204392r880752_rule - V-204392 - permissions - name: "HIGH | RHEL-07-010020 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." block: - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." - shell: 'rpm -Va --noconfig --nolinkto --nosize --nouser --nogroup --nomtime --nomode --nodigest --nosignature | grep ''^..5'' | tee /dev/stderr | cut -c13- | sed ''s/^ //'' | xargs rpm -qf --qf=''%{name}\n'' | sort -u' - args: - warn: false + ansible.builtin.shell: 'rpm -Va --noconfig --nolinkto --nosize --nouser --nogroup --nomtime --nomode --nodigest --nosignature | grep ''^..5'' | tee /dev/stderr | cut -c13- | sed ''s/^ //'' | xargs rpm -qf --qf=''%{name}\n'' | sort -u' check_mode: false failed_when: false changed_when: rhel_07_010020_audit.stdout| length > 0 register: rhel_07_010020_audit - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." - debug: + ansible.builtin.debug: msg: "{{ rhel_07_010020_audit.stderr_lines }}" changed_when: true when: rhel_07_010020_audit.stdout | length > 0 - name: "HIGH | RHEL-07-010020 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." - command: yum reinstall -y {{ item }} - args: - warn: false + ansible.builtin.shell: yum reinstall -y {{ item }} failed_when: false with_items: - "{{ rhel_07_010020_audit.stdout_lines }}" 
@@ -84,12 +72,12 @@ - CAT1 - CCI-001749 - SRG-OS-000480-GPOS-00227 - - SV-214799r603261_rule + - SSV-214799r854001_rule - V-214799 - packages - name: "HIGH | RHEL-07-010290 | PATCH | The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords." - replace: + ansible.builtin.replace: dest: "{{ item }}" regexp: 'nullok ?' when: 
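Review bot: The new tag `SSV-214799r854001_rule` has a doubled S; every other rule tag in this file uses the `SV-` prefix, so `--tags SV-214799r854001_rule` would not select the RHEL-07-010020 task. Change it to `- SV-214799r854001_rule`.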
@@ -102,21 +90,21 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204424r809187_rule + - SV-204424r880839_rule - V-204424 - accounts -- name: "MEDIUM | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords." +- name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords." block: - - name: "MEDIUM | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" - command: "awk -F: '!$2 {print $1}' /etc/shadow" + - name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" + ansible.builtin.shell: "awk -F: '!$2 {print $1}' /etc/shadow" changed_when: false failed_when: false check_mode: false register: rhel_07_010291_no_pw_users - - name: "MEDIUM | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" - debug: + - name: "HIGH | RHEL-07-010291 | PATCH | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" + ansible.builtin.debug: msg: - "Alert! You have users that are not using passwords. Please either set a password, lock, or remove the accounts below:" - "{{ rhel_07_010291_no_pw_users.stdout_lines }}" @@ -126,7 +114,7 @@ when: - rhel_07_010291 tags: - - RHEL-07-010290 + - RHEL-07-010291 - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 
@@ -135,12 +123,12 @@ - accounts - name: "HIGH | RHEL-07-010300 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password." - lineinfile: - state: present - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?PermitEmptyPasswords" line: PermitEmptyPasswords no validate: /usr/sbin/sshd -tf %s + state: present notify: restart sshd when: - rhel_07_010300 @@ -155,8 +143,8 @@ - ssh - name: "HIGH | RHEL-07-010440 | PATCH | The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface." - lineinfile: - dest: /etc/gdm/custom.conf + ansible.builtin.lineinfile: + path: /etc/gdm/custom.conf regexp: (?i)automaticloginenable line: AutomaticLoginEnable=false insertafter: '\[daemon\]' @@ -173,8 +161,8 @@ - gui - name: "HIGH | RHEL-07-010450 | PATCH | The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system." - lineinfile: - dest: /etc/gdm/custom.conf + ansible.builtin.lineinfile: + path: /etc/gdm/custom.conf regexp: (?i)timedloginenable line: TimedLoginEnable=false insertafter: '\[daemon\]' 
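Review bot: The rewritten RHEL-07-010300 task uses `regexp: "(?i)^#?PermitEmptyPasswords"` with a bare `line:` and no insert position, so on a host whose sshd_config has no top-level directive the line is appended at EOF; if the file ends with a `Match` block the directive lands inside it and applies only to that match, leaving the global setting unchanged. Adding `insertbefore: '^Match\s'` together with `firstmatch: true` keeps the directive in the global section. The existing `validate: /usr/sbin/sshd -tf %s` guards syntax but not placement.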
@@ -189,93 +177,37 @@ - SV-204433r603261_rule - V-204433 -# - name: | -# "HIGH | RHEL-07-010480 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." -# "HIGH | RHEL-07-010490 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." -# lineinfile: -# dest: /etc/grub.d/40_custom -# insertafter: EOF -# regexp: "{{ item.regex }}" -# line: "{{ item.line }}" -# with_items: -# - regexp: ^\s*set superusers= -# line: ' set superusers="root"' -# - regexp: ^password_pbkdf2 -# line: "^password_pbkdf2 {{ rhel7stig_boot_superuser }} {{ rhel7stig_bootloader_password_hash }}" -# no_log: true -# notify: -# - make grub2 config -# when: -# - rhel_07_010480 or -# rhel_07_010490 -# - ansible_distribution_version is version_compare('7.2', '<') -# tags: -# - CAT1 -# - RHEL-07-010480 -# - CCI-000213 -# - SRG-OS-000080-GPOS-00048 -# - SV-204436r603261_rule -# - V-204436 -# - RHEL-07-010490 -# - CCI-000213 -# - SRG-OS-000080-GPOS-00048 -# - SV-204439r603261_rule -# - V-204439 -# - grub -# - bootloader - - name: | "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." block: - name: "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." 
- lineinfile: + ansible.builtin.lineinfile: path: /boot/grub2/user.cfg - create: yes + regexp: ^GRUB2_PASSWORD= + line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} + create: true mode: '0644' - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" notify: - confirm grub2 user cfg - make grub2 config - with_items: - - regexp: ^GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} - line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} no_log: true when: - not rhel7stig_machine_uses_uefi - name: "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel7stig_bootloader_path }}/user.cfg" - create: yes + regexp: ^GRUB2_PASSWORD= + line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} + create: true mode: '0644' - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - regexp: ^GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} - line: GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }} no_log: true notify: - confirm grub2 user cfg - make grub2 config when: - rhel7stig_machine_uses_uefi - - # - name: | - # "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." - # "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." 
- # lineinfile: - # path: /etc/grub.d/01_users - # regexp: "{{ item.regexp }}" - # line: "{{ item.line }}" - # notify: - # - make grub2 config - # with_items: - # - regexp: ^\s*set superusers= - # line: ' set superusers="{{ rhel7stig_boot_superuser }}"' - # - regexp: ^\s*export superusers - # line: ' export superusers' when: - rhel_07_010482 or rhel_07_010491 @@ -296,7 +228,7 @@ - bootloader - name: "HIGH | RHEL-07-020000 | PATCH | The Red Hat Enterprise Linux operating system must not have the rsh-server package installed." - package: + ansible.builtin.package: name: rsh-server state: absent vars: @@ -314,7 +246,7 @@ - rsh - name: "HIGH | RHEL-07-020010 | PATCH | The Red Hat Enterprise Linux operating system must not have the ypserv package installed." - package: + ansible.builtin.package: name: ypserv state: absent vars: @@ -332,8 +264,8 @@ - ypserv - name: "HIGH | RHEL-07-020050 | PATCH | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." - lineinfile: - dest: /etc/yum.conf + ansible.builtin.lineinfile: + path: /etc/yum.conf regexp: ^gpgcheck line: gpgcheck=1 insertafter: '\[main\]' @@ -349,8 +281,8 @@ - yum - name: "HIGH | RHEL-07-020060 | PATCH | The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." - lineinfile: - dest: /etc/yum.conf + ansible.builtin.lineinfile: + path: /etc/yum.conf regexp: ^localpkg_gpgcheck line: localpkg_gpgcheck=1 insertafter: '\[main\]' 
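Review bot: Both rewritten user.cfg tasks keep `mode: '0644'` for a file whose only content is `GRUB2_PASSWORD={{ rhel7stig_bootloader_password_hash }}`; a world-readable PBKDF2 hash can be attacked offline, and nothing in the hunk needs non-root users to read it, so `mode: '0600'` with `owner: root` and `group: root` is the least-privilege setting (my understanding is that grub2-mkconfig reads user.cfg as root, which should be confirmed). The BIOS task hardcodes `/boot/grub2/user.cfg` while the UEFI task uses `{{ rhel7stig_bootloader_path }}/user.cfg`; if that variable already resolves to `/boot/grub2` on BIOS hosts the two tasks could collapse into one. The block's `when:` at the end of the hunk is the only remaining guard, and the block-level `tags:` are outside the hunk.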
@@ -366,9 +298,9 @@ - yum - name: "HIGH | RHEL-07-020230 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line." - systemd: + ansible.builtin.systemd: name: ctrl-alt-del.target - masked: yes + masked: true when: - rhel_07_020230 tags: @@ -376,12 +308,12 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204455r603261_rule + - SV-204455r833106_rule - V-204455 - systemctl - name: "HIGH | RHEL-07-020231 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-disable-ctrl-alt-del content: | [org/gnome/settings-daemon/plugins/media-keys] @@ -405,7 +337,7 @@ # EUS RHEL7.7 31st August 2021 # Maintainance RHEL7.9 30th April 2021 - name: "HIGH | RHEL-07-020250 | PATCH | The Red Hat Enterprise Linux operating system must be a vendor supported release." - debug: + ansible.builtin.debug: msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel7stig_min_supported_os_ver[ansible_distribution] }} changed_when: - rhel7stig_audit_complex 
@@ -426,14 +358,14 @@ block: # Currently just locks user account - name: "HIGH | RHEL-07-020310 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system." - shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" + ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" check_mode: false changed_when: false failed_when: false register: rhel_07_020310_audit - name: "HIGH | RHEL-07-020310 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system." - command: "passwd -l {{ item }}" + ansible.builtin.shell: "passwd -l {{ item }}" with_items: "{{ rhel_07_020310_audit.stdout_lines }}" when: rhel_07_020310_audit.rc when: @@ -450,7 +382,7 @@ - name: "HIGH | RHEL-07-021350 | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." - package: + ansible.builtin.package: name: dracut-fips state: present vars: 
@@ -460,8 +392,8 @@ - "'dracut-fips' not in ansible_facts.packages" - name: "HIGH | RHEL-07-021350 | PATCH | Disable prelinking." - lineinfile: - dest: /etc/sysconfig/prelink + ansible.builtin.lineinfile: + path: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no notify: undo existing prelinking @@ -469,21 +401,21 @@ - "'prelink' in ansible_facts.packages" - name: "HIGH | RHEL-07-021350 | AUDIT | Check /etc/default/grub exists" - stat: + ansible.builtin.stat: path: /etc/default/grub register: rhel7_stig_default_grub - name: "HIGH | RHEL-07-021350 | AUDIT | Capture GRUB_CMDLINE_LINUX from /proc/cmdline" block: - name: "HIGH | RHEL-07-021350 | AUDIT | Capture GRUB_CMDLINE_LINUX from /proc/cmdline" - command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline + ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline check_mode: false changed_when: false failed_when: rhel_07_021350_grub_cmdline_linux_audit.rc > 1 register: rhel_07_021350_grub_cmdline_linux_audit - name: "HIGH | RHEL-07-021350 | PATCH | Copy over a sane /etc/default/grub" - template: + ansible.builtin.template: src: etc_default_grub.j2 dest: /etc/default/grub owner: root @@ -495,7 +427,7 @@ when: not rhel7_stig_default_grub.stat.exists - name: "HIGH | RHEL-07-021350 | PATCH | fips=1 must be in /etc/default/grub" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: "{{ rhel7stig_regexp_quoted_params }}" replace: "{{ rhel7stig_replace_quoted_params }}" @@ -503,7 +435,7 @@ key: GRUB_CMDLINE_LINUX param: fips value: "{{ fips_value }}" - append: yes # this is the default + append: true # this is the default notify: confirm grub2 user cfg when: - not ansible_check_mode or 
@@ -512,7 +444,7 @@ - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." block: - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: "{{ rhel7stig_regexp_quoted_params }}" replace: "{{ rhel7stig_replace_quoted_params }}" @@ -523,7 +455,7 @@ key: GRUB_CMDLINE_LINUX param: boot value: UUID={{ item.uuid }} - insert: yes + insert: true when: - rhel7stig_boot_part not in ['/', ''] - not ansible_check_mode or @@ -532,7 +464,7 @@ register: result - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub check_mode: false with_items: - "fips={{ fips_value }}" @@ -568,7 +500,7 @@ - fips - name: "HIGH | RHEL-07-021710 | PATCH | The Red Hat Enterprise Linux operating system must not have the telnet-server package installed." - package: + ansible.builtin.package: name: telnet-server state: absent vars: 
@@ -588,17 +520,17 @@ - name: "HIGH | RHEL-07-032000 | The Red Hat Enterprise Linux operating system must use a virus scan program." block: - name: "HIGH | RHEL-07-032000 | PATCH | The Red Hat Enterprise Linux operating system must use a virus scan program." - package: + ansible.builtin.package: name: "{{ rhel7stig_av_package.package }}" state: present vars: ansible_python_interpreter: "{{ python2_bin }}" - name: "HIGH | RHEL-07-032000 | PATCH | The Red Hat Enterprise Linux operating system must use a virus scan program." - service: + ansible.builtin.service: name: "{{ rhel7stig_av_package.service }}" state: "{{ rhel7stig_service_started }}" - enabled: yes + enabled: true failed_when: false when: - rhel7stig_antivirus_required @@ -613,8 +545,8 @@ - antivirus - name: "HIGH | RHEL-07-040390 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?Protocol" line: Protocol 2 validate: /usr/sbin/sshd -t -f %s @@ -636,13 +568,13 @@ - name: "HIGH | RHEL-07-040540 | The Red Hat Enterprise Linux operating system must not contain .shosts files." block: - name: "HIGH | RHEL-07-040540 | AUDIT | The Red Hat Enterprise Linux operating system must not contain .shosts files." - command: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name '.shosts' + ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name '.shosts' check_mode: false changed_when: false register: rhel_07_040540_audit - name: "HIGH | RHEL-07-040540 | PATCH | The Red Hat Enterprise Linux operating system must not contain .shosts files." - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: 
@@ -661,13 +593,13 @@ - name: "HIGH | RHEL-07-040550 | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." block: - name: "HIGH | RHEL-07-040550 | AUDIT | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." - command: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name 'shosts.equiv' + ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name 'shosts.equiv' check_mode: false changed_when: false register: rhel_07_040550_audit - name: "HIGH | RHEL-07-040550 | PATCH | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -684,7 +616,7 @@ - shosts - name: "HIGH | RHEL-07-040690 | PATCH | The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed." - package: + ansible.builtin.package: name: vsftpd state: absent vars: @@ -703,7 +635,7 @@ - ftp - name: "HIGH | RHEL-07-040700 | PATCH | The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support." - package: + ansible.builtin.package: name: - tftp - tftp-server @@ -730,7 +662,7 @@ - name: "HIGH | RHEL-07-040800 | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default." block: - name: "HIGH | RHEL-07-040800 | AUDIT | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default." - command: grep {{ item }} /etc/snmp/snmpd.conf + ansible.builtin.shell: grep {{ item }} /etc/snmp/snmpd.conf check_mode: false failed_when: false changed_when: false 
@@ -740,7 +672,7 @@ - private - name: "HIGH | RHEL-07-040800 | PATCH | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default." - replace: + ansible.builtin.replace: dest: /etc/snmp/snmpd.conf regexp: (^com2sec.*default\s+)(public|private) replace: \1{{ rhel7stig_snmp_community }} diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index db41a6e5..05b6b970 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1,7 +1,8 @@ --- + ### RHEL-07-010030 | RHEL-07-010040 combined as related tasks in regards to a config file no other content will be in. - name: "MEDIUM | RHEL-07-010030 | RHEL-07-010040 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." - copy: + ansible.builtin.copy: # noqa: template-instead-of-copy dest: /etc/dconf/db/local.d/01-banner-message content: | [org/gnome/login-screen] @@ -28,8 +29,8 @@ - dod_logon_banner - name: "MEDIUM | RHEL-07-010050 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon." - copy: - content: "{{ rhel7stig_logon_banner }}" + ansible.builtin.copy: + content: "{{ rhel7stig_logon_banner }}" # noqa: template-instead-of-copy dest: "{{ item }}" owner: root group: root @@ -51,7 +52,7 @@ - dod_logon_banner - name: "MEDIUM | RHEL-07-010060 | PATCH | The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010060 content: | [org/gnome/desktop/screensaver] 
@@ -66,12 +67,12 @@ - CAT2 - CCI-000056 - SRG-OS-000028-GPOS-00009 - - SV-204396r603261_rule + - SV-204396r880746_rule - V-204396 - dconf - name: "MEDIUM | RHEL-07-010061 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-defaults_rhel_07_010061 content: | [org/gnome/login-screen] @@ -93,7 +94,7 @@ - dconf - name: "MEDIUM | RHEL-07-010070 | PATCH | The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010070 content: | [org/gnome/desktop/session] @@ -108,12 +109,12 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204398r603261_rule + - SV-204398r880770_rule - V-204398 - dconf - name: "MEDIUM | RHEL-07-010081 | PATCH | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_07_010081 content: | /org/gnome/desktop/screensaver/lock-delay @@ -127,12 +128,12 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204399r603261_rule + - SV-204399r880773_rule - V-204399 - dconf - name: "MEDIUM | RHEL-07-010082 | PATCH | The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_07_010082 content: | /org/gnome/desktop/session/idle-delay 
@@ -146,12 +147,29 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204400r603261_rule + - SV-204400r880776_rule - V-204400 - dconf +- name: "MEDIUM | RHEL-07-010090 | PATCH | The Red Hat Enterprise Linux operating system must have the screen package installed." + ansible.builtin.package: + name: screen + state: present + when: + - rhel_07_010090 + - "'screen' not in ansible_facts.packages" + - "'tmux' not in ansible_facts.packages" + tags: + - RHEL-07-010090 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-255926r880779_rule + - V-255926 + - screen + - name: "MEDIUM | RHEL-07-010100 | PATCH | The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010100 content: | [org/gnome/desktop/screensaver] @@ -166,12 +184,12 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204402r603261_rule + - SV-204402r880782_rule - V-204402 - dconf - name: "MEDIUM | RHEL-07-010101 | PATCH | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_07_010101 content: | /org/gnome/desktop/screensaver/idle-activation-enabled @@ -185,12 +203,12 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204403r603261_rule + - SV-204403r880785_rule - V-204403 - dconf - name: "MEDIUM | RHEL-07-010110 | PATCH | The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010110 content: | [org/gnome/desktop/screensaver] 
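Review bot: The new RHEL-07-010090 `ansible.builtin.package` task installing `screen` does not set `vars: ansible_python_interpreter: "{{ python2_bin }}"`, which every other package task in this diff carries (telnet-server, vsftpd, tftp, the antivirus package); presumably that is there because the yum backend on RHEL 7 needs Python 2, so this task may fail where the play interpreter is Python 3. Adding the same two `vars:` lines keeps it consistent with its siblings. The `when:` also assumes `ansible_facts.packages` has already been gathered, which the other tasks rely on too, so that is fine as long as the prelim package_facts task runs before this file.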
@@ -206,12 +224,12 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-204404r603261_rule + - SV-204404r880788_rule - V-204404 - dconf - name: "MEDIUM | RHEL-07-010118 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/passwd regexp: '^password\s+substack\s+system-auth' line: 'password substack system-auth' @@ -227,8 +245,8 @@ - pamd - name: "MEDIUM | RHEL-07-010119 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/pam.d/system-auth regexp: '^#?password\s+required pam_pwquality.so retry' line: password required pam_pwquality.so retry=3 @@ -245,8 +263,8 @@ - pamd - name: "MEDIUM | RHEL-07-010120 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*ucredit' line: "ucredit = {{ rhel7stig_password_complexity.ucredit | default('-1') }}" @@ -263,8 +281,8 @@ - pwquality - name: "MEDIUM | RHEL-07-010130 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*lcredit' line: "lcredit = {{ rhel7stig_password_complexity.lcredit | default('-1') }}" 
@@ -281,8 +299,8 @@ - pwquality - name: "MEDIUM | RHEL-07-010140 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*dcredit' line: "dcredit = {{ rhel7stig_password_complexity.dcredit | default('-1') }}" @@ -298,8 +316,8 @@ - RHELsality - name: "MEDIUM | RHEL-07-010150 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*ocredit' line: "ocredit = {{ rhel7stig_password_complexity.ocredit | default('-1') }}" @@ -316,8 +334,8 @@ - pwquality - name: "MEDIUM | RHEL-07-010160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*difok' line: "difok = {{ rhel7stig_password_complexity.difok | default('8') }}" @@ -334,8 +352,8 @@ - pwquality - name: "MEDIUM | RHEL-07-010170 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*minclass' line: "minclass = {{ rhel7stig_password_complexity.minclass | default('4') }}" 
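Review bot: The context tag `- RHELsality` closing the RHEL-07-010140 task looks like a typo for `- pwquality`, which is what every sibling pwquality task in this file uses as its last tag, so `--tags pwquality` runs silently skip that one task. Not introduced by this commit, but the task is being edited anyway and the fix is the single line `- pwquality`.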
@@ -352,8 +370,8 @@ - pwquality - name: "MEDIUM | RHEL-07-010180 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*maxrepeat' line: "maxrepeat = {{ rhel7stig_password_complexity.maxrepeat | default('3') }}" @@ -370,8 +388,8 @@ - pwquality - name: "MEDIUM | RHEL-07-010190 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*maxclassrepeat' line: "maxclassrepeat = {{ rhel7stig_password_complexity.maxclassrepeat | default('4') }}" @@ -387,8 +405,27 @@ - V-204414 - pwquality +- name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | symlink" + ansible.builtin.file: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + state: link + loop: + - { 'src': '/etc/pam.d/password-auth', 'dest': '/etc/pam.d/password-auth-local' } + - { 'src': '/etc/pam.d/system-auth', 'dest': '/etc/pam.d/system-auth-local' } + when: + - rhel_07_010199 + tags: + - RHEL-07-010199 + - CAT2 + - CCI-000196 + - SRG-OS-000072-GPOS-00040 + - SV-255928r880830_rule + - V-255928 + - pamd + - name: "MEDIUM | RHEL-07-010200 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords." - pamd: + community.general.pamd: name: "{{ item[0] }}" state: "{{ item[1].state }}" type: password 
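Review bot: The new RHEL-07-010199 task appears to create the symlinks in the wrong direction: in `ansible.builtin.file` with `state: link`, `src` is the target the link points at and `dest` is where the link is created, so this produces `/etc/pam.d/password-auth-local -> /etc/pam.d/password-auth`, leaving the authconfig-managed file in place. As far as I recall the STIG fix for this control is the reverse — copy the current file to `*-local`, then make `password-auth`/`system-auth` links pointing at the `-local` copies — which needs a copy step first and `force: true` on the link because the managed file already exists (on RHEL 7 often as a link to `*-ac`). Something like the rewrite below, with the existing `when:`/`tags:` kept on both tasks; the `force: false` on the copy avoids clobbering a `-local` file an admin has already customised.
```yaml
- name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | copy"
  ansible.builtin.copy:
    src: "{{ item.managed }}"
    dest: "{{ item.local }}"
    remote_src: true
    force: false
  loop:
    - { 'managed': '/etc/pam.d/password-auth', 'local': '/etc/pam.d/password-auth-local' }
    - { 'managed': '/etc/pam.d/system-auth', 'local': '/etc/pam.d/system-auth-local' }
  # … unchanged: when / tags …

- name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | symlink"
  ansible.builtin.file:
    src: "{{ item.local }}"
    dest: "{{ item.managed }}"
    state: link
    force: true
  loop:
    - { 'managed': '/etc/pam.d/password-auth', 'local': '/etc/pam.d/password-auth-local' }
    - { 'managed': '/etc/pam.d/system-auth', 'local': '/etc/pam.d/system-auth-local' }
  # … unchanged: when / tags …
```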
@@ -414,13 +451,13 @@ - CAT2 - CCI-000196 - SRG-OS-000073-GPOS-00041 - - SV-204415r603261_rule + - SV-204415r880833_rule - V-204415 - pamd - name: "MEDIUM | RHEL-07-010210 | PATCH | The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords." - lineinfile: - dest: /etc/login.defs + ansible.builtin.lineinfile: + path: /etc/login.defs regexp: ^#?ENCRYPT_METHOD line: "ENCRYPT_METHOD {{ rhel7stig_login_defaults.encrypt_method | default('SHA512') }}" when: @@ -435,8 +472,8 @@ - login - name: "MEDIUM | RHEL-07-010220 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords." - lineinfile: - dest: /etc/libuser.conf + ansible.builtin.lineinfile: + path: /etc/libuser.conf regexp: ^#?crypt_style line: crypt_style = sha512 when: @@ -451,8 +488,8 @@ - login - name: "MEDIUM | RHEL-07-010230 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/login.defs regexp: ^#?PASS_MIN_DAYS line: "PASS_MIN_DAYS {{ rhel7stig_login_defaults.pass_min_days | default('1') }}" 
@@ -471,13 +508,15 @@ - name: "MEDIUM | RHEL-07-010240 | The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime." block: - name: "MEDIUM | RHEL-07-010240 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime." - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" check_mode: false changed_when: false register: rhel_07_010240_audit - name: "MEDIUM | RHEL-07-010240 | PATCH | Passwords must be restricted to a 24 hours/1 day minimum lifetime." - command: chage -m 1 {{ item }} + ansible.builtin.shell: chage -m 1 {{ item }} + check_mode: false + changed_when: true with_items: - "{{ rhel_07_010240_audit.stdout_lines }}" when: @@ -492,8 +531,8 @@ - password - name: "MEDIUM | RHEL-07-010250 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/login.defs regexp: ^#?PASS_MAX_DAYS line: "PASS_MAX_DAYS {{ rhel7stig_login_defaults.pass_max_days | default('60') }}" 
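Review bot: The RHEL-07-010240 PATCH task now carries `check_mode: false`, which makes `chage -m 1` modify accounts for real during a `--check` run; the analogous chage tasks under RHEL-07-010260 later in this file gate that with `check_mode: "{{ rhel7stig_disruptive_check_mode }}"`. Unless always-enforce is intended, `check_mode: "{{ rhel7stig_disruptive_check_mode }}"` here would keep check runs non-mutating and consistent with the 010260 block. `changed_when: true` is reasonable since the task only loops over accounts the audit reported.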
@@ -512,19 +551,19 @@ - name: "MEDIUM | RHEL-07-010260 | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." block: - name: "MEDIUM | RHEL-07-010260 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" - check_mode: no - changed_when: rhel_07_010260_audit.stdout| length > 0 + ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" + check_mode: false + changed_when: false register: rhel_07_010260_audit - name: "MEDIUM | RHEL-07-010260 | PATCH | Reset password timeout to prevent locking out user." - command: chage -d '-1 day' {{ item }} + ansible.builtin.shell: chage -d '-1 day' {{ item }} check_mode: "{{ rhel7stig_disruptive_check_mode }}" with_items: - "{{ rhel_07_010260_audit.stdout_lines }}" - name: "MEDIUM | RHEL-07-010260 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime." - command: chage -M 60 {{ item }} + ansible.builtin.shell: "chage -M 60 {{ item }}" check_mode: "{{ rhel7stig_disruptive_check_mode }}" with_items: - "{{ rhel_07_010260_audit.stdout_lines }}" @@ -544,7 +583,7 @@ - name: "MEDIUM | RHEL-07-010270 | The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory rule exists" - pamd: + community.general.pamd: name: "{{ item }}" state: before type: password 
@@ -559,7 +598,7 @@ # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent - name: "MEDIUM | RHEL-07-010270 | AUDIT | Check for existing password history reuse settings" - command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel7stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel7stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" + ansible.builtin.shell: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel7stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel7stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" check_mode: false changed_when: false failed_when: rhel_07_010270_audit.rc > 1 @@ -570,7 +609,7 @@ # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory module arguments are set" - pamd: + community.general.pamd: name: "{{ item.item }}" state: updated type: password 
@@ -590,13 +629,27 @@ - CAT2 - CCI-000200 - SRG-OS-000077-GPOS-00045 - - SV-204422r603261_rule + - SV-204422r880836_rule - V-204422 - pamd +- name: "MEDIUM | AUDIT | RHEL-07-010271 | The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." + ansible.builtin.debug: + msg: + - "Warning!! Verify every existing emergency account and make sure it has an expiration date set within 72 hours." + when: + - rhel_07_010271 + tags: + - RHEL-07-010271 + - CAT2 + - CCI-001682 + - SRG-OS-000123-GPOS-00064 + - SV-254523r858501_rule + - V-254523 + - name: "MEDIUM | RHEL-07-010280 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/security/pwquality.conf regexp: '^#?\s*minlen' line: "minlen = {{ rhel7stig_password_complexity.minlen | default('15') }}" @@ -613,8 +666,8 @@ - pwquality - name: "MEDIUM | RHEL-07-010310 | PATCH | The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires." - lineinfile: - dest: /etc/default/useradd + ansible.builtin.lineinfile: + path: /etc/default/useradd regexp: ^#?INACTIVE line: INACTIVE=35 when: @@ -635,7 +688,7 @@ - name: | "MEDIUM | RHEL-07-010320 | PATCH | The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe." "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: before type: auth 
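Review bot: The new RHEL-07-010271 task name puts the category before the control id (`"MEDIUM | AUDIT | RHEL-07-010271 | …"`), while every other task in the file uses `"MEDIUM | RHEL-07-010271 | AUDIT | …"`; reordering it keeps the names greppable by id. The other warning-style debug task in this diff (RHEL-07-020250) sets `changed_when: - rhel7stig_audit_complex` so the warning is visible in the recap, and this task would presumably benefit from the same convention. It also lacks a trailing group tag such as `- accounts`, which the sibling tasks all have.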
@@ -652,7 +705,7 @@ # - name: | # "MEDIUM | RHEL-07-010320 | AUDIT | Check for existing account lockout settings" # "MEDIUM | RHEL-07-010330 | AUDIT | Check for existing account lockout settings" - # command: "grep -iE '^auth\\s+required\\s+pam_faillock.so\\s+preauth\\s+silent\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}" + # ansible.builtin.shell: "grep -iE '^auth\\s+required\\s+pam_faillock.so\\s+preauth\\s+silent\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}" # check_mode: no # changed_when: no # failed_when: rhel_07_010320_010330_preauth_audit.rc > 1 @@ -665,7 +718,7 @@ - name: | "MEDIUM | RHEL-07-010320 | PATCH | The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe." "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: updated type: auth @@ -677,7 +730,7 @@ - "password-auth" - name: "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: before type: auth 
@@ -692,7 +745,7 @@ # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent # - name: "MEDIUM | RHEL-07-010330 | AUDIT | Check for existing account lockout settings" - # command: "grep -iE '^auth\\s+\\[default=die\\]\\s+pam_faillock.so\\s+authfail\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}" + # ansible.builtin.shell: "grep -iE '^auth\\s+\\[default=die\\]\\s+pam_faillock.so\\s+authfail\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}" # check_mode: no # changed_when: no # failed_when: rhel_07_010330_authfail_audit.rc > 1 @@ -703,7 +756,7 @@ # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - name: "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: updated type: auth @@ -716,7 +769,7 @@ # when: item.rc == 1 - name: "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period." - pamd: + community.general.pamd: name: "{{ item }}" state: before type: account 
@@ -739,15 +792,16 @@ - CCI-002237 - CCI-002238 - SRG-OS-000329-GPOS-00128 - - SV-204427r603824_rule + - SV-204427r880842_rule - V-204427 - RHEL-07-010330 - CCI-002238 - - SV-204428r603261_rule + - SV-204428r880845_rule - V-204428 - pamd + - name: "MEDIUM | RHEL-08-010339 | PATCH | The Red Hat Enterprise Linux operating system must specify the default 'include' directory for the /etc/sudoers file." - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regex: '^#includedir' line: '#includedir /etc/sudoers.d' @@ -759,12 +813,12 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-251703r809566_rule + - SV-251703r833183_rule - V-251703 - sudoers - name: "MEDIUM | RHEL-07-010340 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation." - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)NOPASSWD(.*)' replace: '\1PASSWD\2' @@ -773,18 +827,19 @@ - "{{ rhel7stig_sudoers_files.stdout_lines }}" when: - rhel7stig_using_password_auth + - rhel7stig_disruption_high - rhel_07_010340 tags: - RHEL-07-010340 - CAT2 - CCI-002038 - SRG-OS-000373-GPOS-00156 - - SV-204429r603261_rule + - SV-204429r833190_rule - V-204429 - sudoers - name: "MEDIUM | RHEL-07-010344 | PATCH | The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/sudo regex: 'pam_succeed_if' state: absent @@ -799,7 +854,7 @@ - V-251704 - name: "MEDIUM | RHEL-07-010350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation." - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' 
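Review bot: The RHEL-07-010340 and RHEL-07-010350 `ansible.builtin.replace` tasks rewrite live sudoers files from `rhel7stig_sudoers_files.stdout_lines` with no syntax check, so a regex that produces an invalid line locks out sudo on the host; the replace module supports `validate: /usr/sbin/visudo -cf %s`, which is the same safety net the sshd tasks in this file already use with `sshd -t`. Adding that one line to both tasks is cheap, and the new `rhel7stig_disruption_high` gate on 010340 suggests the author already considers this edit risky. Separately, the `#includedir` task is still named `RHEL-08-010339` in this RHEL 7 role, which looks like a carry-over from the RHEL 8 role's id and will confuse `--tags` users.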
@@ -818,8 +873,8 @@ - sudoers - name: "MEDIUM | RHEL-07-010430 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds." - lineinfile: - dest: /etc/login.defs + ansible.builtin.lineinfile: + path: /etc/login.defs regexp: ^#?FAIL_DELAY line: "FAIL_DELAY {{ rhel7stig_login_defaults.fail_delay_secs | default('4') }}" when: @@ -834,8 +889,8 @@ - login - name: "MEDIUM | RHEL-07-010460 | PATCH | The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?PermitUserEnvironment" line: PermitUserEnvironment no validate: /usr/sbin/sshd -t -f %s @@ -853,8 +908,8 @@ - ssh - name: "MEDIUM | RHEL-07-010470 | PATCH | The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?HostbasedAuthentication" line: HostbasedAuthentication no validate: /usr/sbin/sshd -t -f %s 
@@ -879,14 +934,14 @@ - name: "MEDIUM | RHEL-07-010481 | The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes." block: - name: "MEDIUM | RHEL-07-010481 | PATCH | Check if the packaged rescue.service file was edited directly" - shell: "cat /usr/lib/systemd/system/rescue.service | grep 'ExecStart=.*/usr/sbin/sulogin'" + ansible.builtin.shell: "cat /usr/lib/systemd/system/rescue.service | grep 'ExecStart=.*/usr/sbin/sulogin'" changed_when: false failed_when: false check_mode: false register: systemd_rescue_unit_check - name: "MEDIUM | RHEL-07-010481 | PATCH | Force reinstall systemd package to replace edited /usr/lib/systemd/system/rescue.service" - shell: yum -y reinstall systemd + ansible.builtin.shell: yum -y reinstall systemd when: systemd_rescue_unit_check.rc == 1 when: - rhel_07_010481 
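Review bot: The edited-unit check for RHEL-07-010481 pipes `cat` into `grep` and drives a full `yum -y reinstall systemd` off `rc == 1`, but grep exits 1 both when the `ExecStart` line genuinely lacks `/usr/sbin/sulogin` and when cat produced nothing (its error is hidden by `failed_when: false`), and the check assumes the packaged unit names that path literally. `rpm -Vf /usr/lib/systemd/system/rescue.service` answers the real question, whether the on-disk unit differs from the package, so the check could be `ansible.builtin.command: rpm -Vf /usr/lib/systemd/system/rescue.service` with `failed_when: false` and the reinstall gated on `systemd_rescue_unit_check.rc != 0`. The first task is also labelled `PATCH` although it only inspects; `AUDIT` would match the file's convention. The block's outer `when` continues past the hunk.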
@@ -901,10 +956,10 @@ - name: | "MEDIUM | RHEL-07-010483 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes." - "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance." + "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance." block: - name: "MEDIUM | RHEL-07-010483 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes. | Set grub unique name BIOS" - lineinfile: + ansible.builtin.lineinfile: path: /etc/grub.d/01_users regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -916,8 +971,8 @@ - { regexp: '^\s*password_pbkdf2', line: ' password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' } when: not rhel7stig_machine_uses_uefi - - name: "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Set grub unique name UEFI" - lineinfile: + - name: "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Set grub unique name UEFI" + ansible.builtin.lineinfile: path: "{{ rhel7stig_bootloader_path }}/grub.cfg" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -936,10 +991,10 @@ - CAT2 - CCI-000213 - SRG-OS-000080-GPOS-00048 - - SV-244557r744063_rule + - SV-244557r833185_rule - V-244557 - - RHEL-07-01092 - - SV-244558r744066_rule + - RHEL-07-010492 + - SV-244558r833187_rule - V-244558 - grub - bootloader 
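Review bot: The UEFI branch of RHEL-07-010492 edits `{{ rhel7stig_bootloader_path }}/grub.cfg` directly, whereas the BIOS branch in the previous hunk edits the generator script `/etc/grub.d/01_users`; grub.cfg is the output of `grub2-mkconfig`, so unless the play later regenerates it from an updated 01_users (not visible here) the superuser rename is lost on the next kernel update or mkconfig run, and if it does regenerate, this edit is overwritten. Consider editing `/etc/grub.d/01_users` in both branches and notifying a handler that runs `grub2-mkconfig -o {{ rhel7stig_bootloader_path }}/grub.cfg`. The loop items and `when` of this task are outside the hunk.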
@@ -948,22 +1003,22 @@ block: # This task checks to test if pamd is enabled for pkcs11 - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --test | grep "pam_pkcs11 is enabled" + ansible.builtin.shell: authconfig --test | grep "pam_pkcs11 is enabled" register: rhel_07_010500pkcs11output # This task gathers output so we can test if smartcard removal action is enabled - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --test | grep "smartcard removal action" + ansible.builtin.shell: authconfig --test | grep "smartcard removal action" register: rhel_07_010500scremovaloutput # This task gathers output so we can test if smartcard module is enabled - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --test | grep "smartcard module" + ansible.builtin.shell: authconfig --test | grep "smartcard module" register: rhel_07_010500scenabledoutput # This is to remediate if pam_pkcs11 is not installed. - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - package: + ansible.builtin.package: name: "{{ item }}" state: present with_items: 
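Review bot: The three `authconfig --test | grep ...` tasks register output but carry no `failed_when`/`changed_when`, so grep's exit status 1 on a non-matching line (for example when authconfig prints `pam_pkcs11 is disabled`, the case that needs remediation) fails the whole block, and every run reports them as changed. Add `changed_when: false`, `failed_when: rhel_07_010500pkcs11output.rc > 1` (and the equivalent for the other two registers) and `check_mode: false` so the audit values also exist under --check. Running `authconfig --test` once and testing the registered stdout with Jinja `in` would replace three shell invocations, but that is a style choice. The block's `when` is outside the hunk.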
@@ -977,19 +1032,19 @@ # This task will remediate the smartcard login setting - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --enablesmartcard --smartcardaction=0 --update + ansible.builtin.shell: authconfig --enablesmartcard --smartcardaction=0 --update when: - rhel_07_010500scenabledoutput.stdout == ' smartcard module = \"\"' or rhel_07_010500scremovaloutput.stdout == ' smartcard removal action = \"\"' # This task will remediate the smartcard login setting - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - shell: authconfig --enablerequiresmartcard --update + ansible.builtin.shell: authconfig --enablerequiresmartcard --update when: rhel_07_010500scenabledoutput.stdout == ' smartcard module = \"\"' or rhel_07_010500scremovaloutput.stdout == ' smartcard removal action = \"\"' # This remediates the screensaver settings for smartcard authentication - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/pam_pkcs11/pkcs11_eventmgr.conf regexp: '^#?/usr/X11R6/bin/xscreensaver-command -lock' line: "/usr/X11R6/bin/xscreensaver-command -lock" 
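Review bot: The two `authconfig --enable... --update` shell tasks have no `changed_when`, so each run they execute is reported as a change, and their `when` compares registered stdout to strings with exact leading whitespace (` smartcard module = \"\"`), which stops matching silently if authconfig's alignment differs; `'smartcard module = \"\"' in rhel_07_010500scenabledoutput.stdout` is the robust form. The lineinfile that writes `/usr/X11R6/bin/xscreensaver-command -lock` appends the bare command at EOF of `/etc/pam_pkcs11/pkcs11_eventmgr.conf` when the regexp does not match, and with `create: true` yields a one-line file; if that file is the structured event-manager config (actions inside event blocks), a template, as used for pam_pkcs11.conf in the next hunk, is the safer way to set it. The `/usr/X11R6/bin` path is also worth confirming on RHEL 7 before it is written.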
@@ -998,7 +1053,7 @@ # This remediates the pam_pkcs11.conf file to enforce the cackey usage for smartcard authentication ### NOTE: If you have custom rules for /etc/pam_pkcs11/pam_pkcs11.conf then change the template pam_pkcs11.conf.j2 - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - template: + ansible.builtin.template: src: pam_pkcs11.conf.j2 dest: /etc/pam_pkcs11/pam_pkcs11.conf owner: root @@ -1015,7 +1070,7 @@ - CAT2 - CCI-000766 - SRG-OS-000104-GPOS-00051 - - SV-204441r603261_rule + - SV-204441r818813_rule - V-204441 - authentication 
@@ -1027,24 +1082,24 @@ - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." block: - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users" - shell: semanage login -l + ansible.builtin.shell: semanage login -l changed_when: false failed_when: false register: rhel_07_020020_sel_auth_users - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users" - debug: + ansible.builtin.debug: msg: - - "Warning! Below is your SELinux user/group list. Please review and make sure all of the following are met:" + - "Warning!! Below is your SELinux user/group list. Please review and make sure all of the following are met:" - "1) All administrators are mapped to staff_u or an appropriately tailored confined SELinux user as defined by the organization" - "2) All authorized non-administrative users must be mapped to the user_u SELinux user" - "{{ rhel_07_020020_sel_auth_users.stdout_lines }}" when: rhel_07_020020_sel_auth_users.stdout | length > 0 - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed" - debug: + ansible.builtin.debug: msg: - - "Alert! You do not have semanage installed! 
Please installed the needed packages" + - "Warning!! You do not have semanage installed! Please installed the needed packages" when: "'command not found' in rhel_07_020020_sel_auth_users.stderr" when: - rhel_07_020020 @@ -1058,9 +1113,10 @@ - V-204444 - name: "MEDIUM | RHEL-07-020029 | PATCH | The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions." - package: + ansible.builtin.package: name: aide state: present + notify: "{{ rhel7stig_aide_handler }}" when: - rhel_07_020029 - "'aide' not in ansible_facts.packages" @@ -1069,14 +1125,14 @@ - CAT2 - CCI-002696 - SRG-OS-000445-GPOS-00199 - - SV-251705r809229_rule + - SV-251705r880854_rule - V-251705 - aide - name: | "MEDIUM | RHEL-07-020030 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly." "MEDIUM | RHEL-07-020040 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner." - cron: + ansible.builtin.cron: name: 'Run AIDE integrity check {{ rhel7stig_aide_cron.special_time }}' user: "{{ rhel7stig_aide_cron.user }}" cron_file: "{{ rhel7stig_aide_cron.cron_file }}" 
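Review bot: The new warning string has a typo, `Please installed the needed packages` should read `Please install the needed packages`, and the missing-tool detection keys on the literal `'command not found'` in stderr, which depends on the shell's error wording; `rhel_07_020020_sel_auth_users.rc == 127` is the stable signal for a command that could not be found. Note that `failed_when: false` on the `semanage login -l` task also masks a semanage that exists but fails (for example with SELinux disabled), in which case neither debug message is printed and the audit is silent.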
@@ -1104,21 +1160,21 @@ - RHEL-07-020030 - CCI-001744 - SRG-OS-000363-GPOS-00150 - - SV-204445r603261_rule + - SV-204445r880848_rule - V-204445 - RHEL-07-020040 - SRG-OS-000363-GPOS-00150 - - SV-204446r603261_rule + - SV-204446r880851_rule - V-204446 - aide - name: "MEDIUM | RHEL-07-020100 | PATCH | The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage." - lineinfile: - dest: "{{ item.file }}" - insertafter: "{{ item.insertafter }}" + ansible.builtin.lineinfile: + path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - create: yes + insertafter: "{{ item.insertafter }}" + create: true owner: root group: root mode: "0644" @@ -1145,12 +1201,12 @@ - usb_devices - name: "MEDIUM | RHEL-07-020101 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required." - lineinfile: - dest: "{{ item.file }}" - insertafter: "{{ item.insertafter }}" + ansible.builtin.lineinfile: + path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - create: yes + insertafter: "{{ item.insertafter }}" + create: true owner: root group: root mode: "0644" 
@@ -1177,15 +1233,15 @@ - name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required." block: - name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required." - shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" + ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" changed_when: false check_mode: false register: rhel_07_020110_autofs_service_status - name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required." - service: + ansible.builtin.service: name: autofs - enabled: no + enabled: false state: stopped when: - rhel_07_020110_autofs_service_status == "loaded" @@ -1229,8 +1285,8 @@ - name: "MEDIUM | RHEL-07-020240 | PATCH | The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." - lineinfile: - dest: /etc/login.defs + ansible.builtin.lineinfile: + path: /etc/login.defs regexp: ^#?UMASK line: "UMASK {{ rhel7stig_login_defaults.umask | default('077') }}" when: @@ -1246,7 +1302,7 @@ - umask - name: "MEDIUM | RHEL-07-020260 | The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date." - package: + ansible.builtin.package: name: '*' state: latest vars: 
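Review bot: The service task for RHEL-07-020110 is gated on `rhel_07_020110_autofs_service_status == "loaded"`, but that variable is the registered result of the shell task (a mapping with rc, stdout and so on), so the comparison is never true and autofs is never stopped or disabled. It needs the command output: `rhel_07_020110_autofs_service_status.stdout == "loaded"`. Since the pipeline only parses `LoadState=`, `'LoadState=loaded' in rhel_07_020110_autofs_service_status.stdout` on plain `systemctl show autofs` output would do the same without `grep`/`cut` and could stay on `ansible.builtin.command`. The block's outer `when` continues below the hunk.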
@@ -1265,7 +1321,7 @@ - name: "MEDIUM | RHEL-07-020270 | AUDIT | The Red Hat Enterprise Linux operating system must not have unnecessary accounts." block: - name: "MEDIUM | RHEL-07-020270 | AUDIT | The Red Hat Enterprise Linux operating system must not have unnecessary accounts." - command: "grep '^{{ item }}:' /etc/passwd" + ansible.builtin.shell: "grep '^{{ item }}:' /etc/passwd" check_mode: false failed_when: rhel_07_020270_audit.rc > 1 changed_when: rhel_07_020270_audit.rc == 0 @@ -1274,7 +1330,7 @@ - "{{ rhel7stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-07-020270 | PATCH | The Red Hat Enterprise Linux operating system must not have unnecessary accounts." - user: + ansible.builtin.user: name: "{{ item }}" state: absent remove: "{{ rhel7stig_remove_unnecessary_user_files }}" @@ -1301,7 +1357,7 @@ - name: "MEDIUM | RHEL-07-020320 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." block: - name: "MEDIUM | RHEL-07-020320 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." - command: find "{{ item.mount }}" -xdev -nouser + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser check_mode: false failed_when: false changed_when: false @@ -1311,8 +1367,8 @@ when: item['device'].startswith('/dev') and not 'bind' in item['options'] - name: "MEDIUM | RHEL-07-020320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." - debug: - msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + ansible.builtin.debug: + msg: "Warning!! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" changed_when: rhel7stig_audit_complex with_items: - "{{ rhel_07_020320_audit.results }}" 
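Review bot: Changing `command` to `ansible.builtin.shell` for `grep '^{{ item }}:' /etc/passwd` routes every entry of `rhel7stig_unnecessary_accounts` through /bin/sh, so a value containing a quote or metacharacter is now interpreted by the shell instead of being passed as an argument; nothing here needs a shell (no pipes or globs), so `ansible.builtin.command: "grep '^{{ item }}:' /etc/passwd"` gives the same result without widening that surface. If shell must stay, quote the interpolation: `grep {{ ('^' ~ item ~ ':') | quote }} /etc/passwd`. The same command-to-shell swap appears in the `find ... -nouser`/`-nogroup` and `id -G` tasks further down, where `{{ item.mount }}`/`{{ item.id }}` come from host facts.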
@@ -1334,7 +1390,7 @@ - name: "MEDIUM | RHEL-07-020330 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." block: - name: "MEDIUM | RHEL-07-020330 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." - command: find "{{ item.mount }}" -xdev -nogroup + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup check_mode: false failed_when: false changed_when: false @@ -1344,8 +1400,8 @@ when: item['device'].startswith('/dev') and not 'bind' in item['options'] - name: "MEDIUM | RHEL-07-020330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." - debug: - msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + ansible.builtin.debug: + msg: "Warning!! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" changed_when: rhel7stig_audit_complex with_items: - "{{ rhel_07_020330_audit.results }}" @@ -1365,8 +1421,8 @@ - complexity-high - name: "MEDIUM | RHEL-07-020610 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory." - lineinfile: - dest: /etc/login.defs + ansible.builtin.lineinfile: + path: /etc/login.defs regexp: ^#?CREATE_HOME line: "CREATE_HOME {{ rhel7stig_login_defaults.create_home | default('yes') }}" when: @@ -1382,9 +1438,10 @@ - home - name: "MEDIUM | RHEL-07-020620 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file." - file: + ansible.builtin.file: path: "{{ item.dir }}" state: directory + mode: 0700 with_items: - "{{ rhel7stig_passwd }}" loop_control: 
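Review bot: The `mode: 0700` added to the RHEL-07-020620 `file` task forces every home directory in `rhel7stig_passwd` to 0700, while RHEL-07-020630 in the next hunk sets the same directories to `{{ rhel7stig_homedir_mode }}`; whenever that variable is not 0700 the two tasks undo each other on every run and the role never converges. If the mode was added only to satisfy `risky-file-permissions`, either reuse the role's variable here, `mode: "{{ rhel7stig_homedir_mode }}"`, or omit `mode` and suppress the rule with a `# noqa risky-file-permissions` on the task's `- name:` line. The loop filter (`when`) for this task is outside the hunk, so which accounts are affected is not visible here.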
@@ -1402,7 +1459,7 @@ - users - name: "MEDIUM | RHEL-07-020630 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive." - file: + ansible.builtin.file: path: "{{ item.dir }}" mode: "{{ rhel7stig_homedir_mode }}" state: directory @@ -1423,9 +1480,10 @@ - users - name: "MEDIUM | RHEL-07-020640 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users." - file: + ansible.builtin.file: path: "{{ item.dir }}" owner: "{{ item.id }}" + mode: 0700 state: directory with_items: - "{{ rhel7stig_passwd }}" @@ -1444,10 +1502,11 @@ - users - name: "MEDIUM | RHEL-07-020650 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group." - file: + ansible.builtin.file: path: "{{ item.dir }}" - group: "{{ item.gid }}" + group: "{{ item.gid }}" # noqa risky-file-permissions state: directory + mode: 0700 with_items: - "{{ rhel7stig_passwd }}" loop_control: 
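Review bot: In the RHEL-07-020650 task the `# noqa risky-file-permissions` on the `group:` line and the new `mode: 0700` address the same lint finding, and the mode additionally overrides `rhel7stig_homedir_mode` applied by RHEL-07-020630 above, so a non-0700 value of that variable flaps between the tasks on each run. Keep one: drop `mode: 0700` and keep the noqa (this task is about group ownership, not mode), or use `mode: "{{ rhel7stig_homedir_mode }}"`; note that ansible-lint generally honours a task-level `# noqa` only on the task's `- name:` line, which may be why the mode was added. The `0700` added to the 020640 task in the previous hunk has the same conflict.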
@@ -1460,14 +1519,14 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204470r744102_rule + - SV-204470r880764_rule - V-204470 - users - name: "MEDIUM | RHEL-07-020660 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory." block: - name: "MEDIUM | RHEL-07-020660 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory." - command: "{{ find_command_base }} -print -quit" + ansible.builtin.shell: "{{ find_command_base }} -print -quit" check_mode: false changed_when: rhel_07_020660_audit.stdout |length > 0 register: rhel_07_020660_audit @@ -1479,7 +1538,7 @@ this_item: "{{ item }}" - name: "MEDIUM | RHEL-07-020660 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory." - command: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +" + ansible.builtin.shell: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +" with_items: "{{ rhel_07_020660_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" @@ -1488,7 +1547,7 @@ this_item: "{{ item.item }}" vars: find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 - ( -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f ) -o + -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f -o -not -user {{ this_item.uid }}' when: - rhel_07_020660 
@@ -1504,7 +1563,7 @@ - name: "MEDIUM | RHEL-07-020670 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." block: - name: "MEDIUM | RHEL-07-020670 | AUDIT | Get all GIDs for each user." - command: id -G "{{ item.id }}" + ansible.builtin.shell: id -G "{{ item.id }}" check_mode: false changed_when: false register: rhel_07_all_gid_audit @@ -1514,7 +1573,7 @@ label: "{{ rhel7stig_passwd_label }}" - name: "MEDIUM | RHEL-07-020670 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." - command: "{{ find_command_base }} -print -quit" + ansible.builtin.shell: "{{ find_command_base }} -print -quit" check_mode: false changed_when: rhel_07_020670_audit.stdout| length > 0 register: rhel_07_020670_audit @@ -1528,7 +1587,7 @@ this_result: "{{ item }}" - name: "MEDIUM | RHEL-07-020670 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." - command: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +" + ansible.builtin.shell: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +" with_items: "{{ rhel_07_020670_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" 
@@ -1538,7 +1597,7 @@ this_result: "{{ item.item }}" vars: find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 - ( -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f ) -o + -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f -o -not -group {{ this_result.stdout.split(" ") | join(" -not -group ") }}' when: - rhel_07_020670 @@ -1554,13 +1613,13 @@ - name: "MEDIUM | RHEL-07-020680 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." block: - name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - stat: + ansible.builtin.stat: path: "{{ item }}" with_items: "{{ rhel7stig_passwd | selectattr('uid', '>=', rhel7stig_interactive_uid_start | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" register: rhel_07_020680_audit - name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false changed_when: rhel_07_020680_patch_audit.stdout| length > 0 register: rhel_07_020680_patch_audit 
@@ -1574,9 +1633,9 @@ - item.1.exists - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - file: + ansible.builtin.file: path: "{{ item.0 }}" - recurse: yes + recurse: true mode: a-st,g-w,o-rwx register: rhel_07_020680_patch with_together: @@ -1592,9 +1651,9 @@ - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." acl: path: "{{ item.0 }}" - default: yes + default: true state: present - recursive: yes + recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" with_nested: @@ -1609,7 +1668,7 @@ when: - rhel_07_020680 tags: - - RHEL-07-020680 + - RHEL-07-020680 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 @@ -1620,7 +1679,7 @@ - name: "MEDIUM | RHEL-07-020690 | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root." block: - name: "MEDIUM | RHEL-07-020690 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root." - command: "{{ find_command_base }} -print -quit" + ansible.builtin.shell: "{{ find_command_base }} -print -quit" check_mode: false changed_when: rhel_07_020690_audit.stdout | length > 0 register: rhel_07_020690_audit 
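Review bot: `acl:` in the RHEL-07-020680 default-ACL task is left as a bare module name while its siblings in this commit moved to `ansible.builtin.*`; the module lives in the `ansible.posix` collection, so `ansible.posix.acl:` keeps the file consistent and makes that collection dependency explicit. The `with_nested` data and the task's `when` are outside the hunk.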
@@ -1633,7 +1692,7 @@ this_item: "{{ item }}" - name: "MEDIUM | RHEL-07-020690 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root." - command: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +" + ansible.builtin.shell: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +" with_items: "{{ rhel_07_020690_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" @@ -1643,7 +1702,7 @@ vars: find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 -type f -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" - -not ( -user {{ this_item.uid }} -o -user root )' + -not -user {{ this_item.uid }} -o -user root' when: - rhel_07_020690 tags: @@ -1658,7 +1717,7 @@ - name: "MEDIUM | RHEL-07-020700 | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root." block: - name: "MEDIUM | RHEL-07-020700 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root." - command: "{{ find_command_base }} -print -quit" + ansible.builtin.shell: "{{ find_command_base }} -print -quit" check_mode: false changed_when: rhel_07_020700_audit.stdout| length > 0 register: rhel_07_020700_audit 
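Review bot: Dropping the parentheses from `find_command_base` in RHEL-07-020690 changes what find selects: `-not -user UID -o -user root` parses as `(-type f -path ... -not -path ... -not -user UID) -o (-user root)` because find's implicit AND binds tighter than `-o`, and the `-print -quit` / `-exec chown {{ this_item.uid }}` appended by the audit and patch tasks attach only to the right-hand `-user root` alternative. The net effect is that the audit reports root-owned files anywhere under the home directory, the patch chowns exactly those (including the root-owned init files the rule explicitly allows) to the user, and init files owned by some third account are no longer touched at all. The original grouping was right; since the tasks are now `ansible.builtin.shell`, escape it instead of removing it: `-not \( -user {{ this_item.uid }} -o -user root \)`. The audit task that shares this `vars` block is outside the hunk.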
@@ -1671,7 +1730,7 @@ this_item: "{{ item }}" - name: "MEDIUM | RHEL-07-020700 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root." - command: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +" + ansible.builtin.shell: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +" with_items: "{{ rhel_07_020700_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" @@ -1681,7 +1740,7 @@ vars: find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 -type f -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" - -not ( -group {{ this_item.gid }} -o -group root )' + -not -group {{ this_item.gid }} -o -group root' when: - rhel_07_020700 tags: @@ -1694,7 +1753,7 @@ - permissions - name: "MEDIUM | RHEL-07-020710 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files must have mode 0740 or less permissive." - file: + ansible.builtin.file: path: "{{ item }}" mode: '0640' state: touch 
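Review bot: The same precedence regression as in RHEL-07-020690 is introduced here for RHEL-07-020700: `-not -group GID -o -group root` becomes `(... -not -group GID) -o (-group root)`, so the `-exec chgrp {{ this_item.gid }}` appended by the patch task applies to every root-group file under the home directory and no longer to init files with an unrelated group. Restore the grouping with shell escaping: `-not \( -group {{ this_item.gid }} -o -group root \)`. The audit task using this `vars` block starts before the hunk.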
@@ -1715,7 +1774,7 @@ - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." block: - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." - shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath with_items: "{{ rhel_07_stig_interactive_homedir_results }}" changed_when: false failed_when: false @@ -1725,13 +1784,13 @@ - rhel_07_stig_interactive_homedir_inifiles is defined - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." - debug: + ansible.builtin.debug: msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory. with_items: - "{{ rhel_07_020710_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" - name: "MEDIUM | RHEL-07-020720 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: "^PATH=" line: "{{ rhel_07_020720_user_path }}" 
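Review bot: `find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH="` in the RHEL-07-020720 audit relies on grep prefixing each match with the file name, but grep only does that when handed more than one file; with a single init file in the directory `cut -d':' -f1` yields the matching line (for example `PATH=$PATH:$HOME/bin`) rather than a path, `realpath` fails, and `failed_when: false` hides it, so that user is silently skipped. `grep -l "PATH="` prints file names only regardless of count, which makes the `cut` unnecessary, and `-print0 | xargs -0 -r grep -l "PATH="` also copes with spaces and an empty directory. The `register` for this task sits past the end of the hunk.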
@@ -1755,19 +1814,11 @@ block: # Let's find any progerams with world-writable permissions. - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - shell: find / -xdev -perm -002 -type f -exec ls -ld {} \; | awk '{print $9}' + ansible.builtin.shell: find / -xdev -perm -002 -type f -exec ls -ld {} \; | awk '{print $9}' failed_when: false changed_when: false register: rhel_07_020730_perms_results - # Now let's see if those come up in any interactive users' home directory ini files. - - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - debug: - msg: "Good news! We have not found any world-writable exeutable programs on your system." - failed_when: false - changed_when: false - when: rhel_07_020730_perms_results.stdout_lines | length == 0 - - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." include_tasks: audit_homedirinifiles.yml loop: @@ -1777,7 +1828,7 @@ when: rhel_07_020730_perms_results.stdout_lines | length > 0 - name: "MEDIUM | RHEL-07-020730 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - file: + ansible.builtin.file: path: "{{ item }}" mode: '0755' state: touch @@ -1800,7 +1851,7 @@ - complexity-high - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." - setup: + ansible.builtin.setup: gather_subset: selinux,!min,!all filter: ansible_selinux when: 
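Review bot: `-exec ls -ld {} \; | awk '{print $9}'` in the RHEL-07-020730 audit takes the path as the ninth whitespace-separated field, so a world-writable file whose path contains a space is reported truncated (and then never matched by the include that follows), and it forks `ls` once per file across the whole filesystem; `find / -xdev -perm -002 -type f` already prints the full path, so the whole pipeline can be `ansible.builtin.command: find / -xdev -perm -002 -type f`. Separately, `include_tasks: audit_homedirinifiles.yml` is left bare while the other actions here were fully qualified; `ansible.builtin.include_tasks` keeps it consistent. The `loop` for that include continues past the hunk.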
@@ -1823,13 +1874,13 @@ - name: "MEDIUM | RHEL-07-020900 | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." block: - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." - command: find {{ rhel7stig_local_mounts | join(' ') }} -xdev ( -context *:device_t:* -o -context *:unlabeled_t:* ) ( -type c -o -type b ) -printf '%p %Z\n' + ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -context *:device_t:* -o -context *:unlabeled_t:* -type c -o -type b -printf '%p %Z\n' changed_when: false check_mode: false register: rhel_07_020900_audit - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." - debug: + ansible.builtin.debug: msg: "{{ rhel_07_020900_audit.stdout_lines }}" changed_when: rhel7stig_audit_complex when: rhel_07_020900_audit.stdout_lines | length > 0 @@ -1851,7 +1902,7 @@ - complexity-high - name: "MEDIUM | RHEL-07-021000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed." - mount: + ansible.builtin.mount: path: /home state: mounted src: "{{ home_mount.device }}" 
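Review bot: Removing the parentheses from the RHEL-07-020900 find changes its result: `-xdev -context *:device_t:* -o -context *:unlabeled_t:* -type c -o -type b -printf '%p %Z\n'` parses as `(-context device_t) -o (-context unlabeled_t -type c) -o (-type b -printf ...)`, and because `-printf` is an action find adds no default `-print`, so the audit now lists every block device regardless of label and never any mislabeled character device. Under `ansible.builtin.shell` the unquoted `*:device_t:*` patterns are also subject to shell globbing against the cwd. Keep the grouping with escaped, quoted terms: `-xdev \( -context '*:device_t:*' -o -context '*:unlabeled_t:*' \) \( -type c -o -type b \) -printf '%p %Z\n'`. The block's outer `when` is outside the hunk.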
@@ -1874,7 +1925,7 @@ - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." - mount: + ansible.builtin.mount: path: /media state: mounted src: "{{ removable_mount.device }}" @@ -1887,7 +1938,7 @@ - "'nosuid' not in home_mount.options" - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." - mount: + ansible.builtin.mount: path: /mnt state: mounted src: "{{ removable_mount2.device }}" @@ -1910,7 +1961,7 @@ - V-204481 - name: "MEDIUM | RHEL-07-021020 | PATCH | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)." - mount: + ansible.builtin.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -1935,7 +1986,7 @@ - mounts - name: "MEDIUM | RHEL-07-021021 | PATCH | The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)." - mount: + ansible.builtin.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" 
@@ -1962,13 +2013,13 @@ - name: "MEDIUM | RHEL-07-021030 | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." block: - name: "MEDIUM | RHEL-07-021030 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." - command: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -type d -perm -002 -gid +999 + ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -type d -perm -002 -gid +999 changed_when: rhel_07_021030_audit.stdout != "" check_mode: false register: rhel_07_021030_audit - name: "MEDIUM | RHEL-07-021030 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." - file: + ansible.builtin.file: path: "{{ item }}" group: root check_mode: "{{ rhel7stig_disruptive_check_mode }}" @@ -1982,14 +2033,14 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204487r603261_rule + - SV-204487r744106_rule - V-204487 - disruption-high - name: "MEDIUM | RHEL-07-021040 | PATCH | The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts." - file: + ansible.builtin.file: path: "{{ item }}" - mode: '0700' + mode: '077' state: touch changed_when: false with_items: 
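Review bot: The RHEL-07-021030 search uses no pipes, globs or redirections, so `ansible.builtin.command` is sufficient and avoids handing the templated `rhel7stig_local_mounts` value to `/bin/sh` for re-parsing; `ansible.builtin.shell` is better reserved for the tasks in this file that actually need it. Reverting is a one-line edit: `ansible.builtin.command: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -type d -perm -002 -gid +999`. The enclosing block starts before this hunk.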
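Review bot: `mode: '077'` in the RHEL-07-021040 task is a file mode, not a umask: the `file` module reads it as octal 077, which strips all owner permissions and grants read, write and execute to group and others on every interactive user's init file, the opposite of what the control requires. The previous `mode: '0700'` should be restored (or `'0600'`, which is closer to a typical dotfile), and the umask itself belongs in a separate `lineinfile` with `line: umask 077` for each init file, which this task does not do. The `with_items` list continues outside the hunk.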
@@ -2004,20 +2055,20 @@ - CCI-000368 - CCI-001813 - CCI-001814 - - CCI-00181 + - CCI-001812 - SRG-OS-000480-GPOS-00227 - - SV-204488r603261_rule + - SV-204488r861006_rule - V-204488 - permissions - accounts - name: "MEDIUM | RHEL-07-021100 | PATCH | The Red Hat Enterprise Linux operating system must have cron logging implemented." - lineinfile: + ansible.builtin.lineinfile: path: /etc/rsyslog.conf - state: present regexp: '^cron\.\*[ \t]+/var/log/cron$' line: 'cron.* /var/log/cron' insertafter: '#### RULES ####' + state: present failed_when: - result is failed - result.rc != 257 @@ -2038,12 +2089,12 @@ MEDIUM | RHEL-07-021120 | The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. block: - name: "MEDIUM | RHEL-07-021110, RHEL-07-021120 | PATCH | Check if cron.allow file exists" - stat: + ansible.builtin.stat: path: /etc/cron.allow register: cron_allow_file_check - name: "MEDIUM | RHEL-07-021110, RHEL-07-021120 | PATCH | Set cron.allow file owner and group-owner to root" - file: + ansible.builtin.file: dest: /etc/cron.allow state: file owner: root @@ -2067,15 +2118,15 @@ - name: "MEDIUM | RHEL-07-021300 | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed." block: - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed." - shell: "systemctl show kdump | grep LoadState | cut -d = -f 2" + ansible.builtin.shell: "systemctl show kdump | grep LoadState | cut -d = -f 2" register: rhel_07_021300_kdump_service_status changed_when: false check_mode: false - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed." - service: + ansible.builtin.service: name: kdump - enabled: no + enabled: false state: stopped when: - rhel_07_021300_kdump_service_status.stdout == "loaded" 
@@ -2094,7 +2145,7 @@ - name: "MEDIUM | RHEL-07-021620 | The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories." block: - name: "Replace sha256+sha512 entries with sha512" - replace: + ansible.builtin.replace: path: /etc/aide.conf regexp: '([A-Z]+ = .*)(sha256\+sha512)(.*)' replace: '\1sha512\3' @@ -2102,7 +2153,7 @@ notify: "{{ rhel7stig_aide_handler }}" - name: "Replace sha256 entries with sha512" - replace: + ansible.builtin.replace: path: /etc/aide.conf regexp: '([A-Z]+ = .*)(sha256)(.*)' replace: '\1sha512\3' @@ -2115,7 +2166,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204500r603261_rule + - SV-204500r880860_rule - V-204500 - aide 
@@ -2123,24 +2174,19 @@ block: # Let's see what is configured in grub. - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." - shell: grep "set root" "{{ rhel7stig_grub_cfg_path }}" + ansible.builtin.shell: grep -o "set root=.*" "{{ rhel7stig_grub_cfg_path }}" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq register: rhel7stig_grub_cfg_mediacheck changed_when: false failed_when: false - # Set the fact, even if the return was empty/nonexistant - - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." - set_fact: - rhel7stig_grub_bootloader_checkorder: "{{ rhel7stig_grub_cfg_mediacheck.stdout_lines | default(rhel7stig_grub_bootloader_validorder | list) | unique }}" - # Report on the bootloader list - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." - debug: - msg: "The grub2 bootloader is configured to set root for menu entries as follows: {{ item }}. The configured expected entry is \"{{ rhel7stig_grub_bootloader_validorder }}\". If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding. You can set this comparison list in default vars as 'rhel7stig_grub_bootloader_validorder'" + ansible.builtin.debug: + msg: "Warning!! 
The grub2 bootloader potentially has some invalid entries that contain {{ item }}" changed_when: true with_items: - - "{{ rhel7stig_grub_bootloader_checkorder }}" - when: rhel7stig_grub_bootloader_validorder != rhel7stig_grub_bootloader_checkorder + - "{{ rhel7stig_grub_cfg_mediacheck.stdout }}" + when: rhel7stig_grub_cfg_mediacheck.stdout | length > 0 when: - rhel_07_021700 - not rhel7stig_system_is_chroot @@ -2166,7 +2212,7 @@ - name: "MEDIUM | RHEL-07-030000 | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users." block: - name: "MEDIUM | RHEL-07-030000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users." - package: + ansible.builtin.package: name: audit state: present vars: @@ -2175,10 +2221,10 @@ - "'audit' not in ansible_facts.packages" - name: "MEDIUM | RHEL-07-030000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users." - service: + ansible.builtin.service: name: auditd state: "{{ rhel7stig_service_started }}" - enabled: yes + enabled: true when: - not rhel7stig_system_is_container when: 
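Review bot: The RHEL-07-021700 debug task iterates `with_items: - "{{ rhel7stig_grub_cfg_mediacheck.stdout }}"`, which is a single string, so `{{ item }}` prints the whole multi-line output once; `"{{ rhel7stig_grub_cfg_mediacheck.stdout_lines }}"` gives one warning per suspect entry. In the new shell line, `grep -v "{{ rhel7stig_grub_bootloader_validorder }}"` interprets the variable as a basic regex, and if that variable is a list, as the removed `| list` filter suggests, it renders as a Python list literal and filters nothing; `grep -vF` with a plain string value, or one `-e` per element, would be safer. `uniq` also only collapses adjacent duplicates, so a preceding `sort` is needed for it to deduplicate. These are hedged because the variable's definition is not on the page.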
@@ -2195,7 +2241,7 @@ - logging - name: "MEDIUM | RHEL-07-030010 | PATCH | The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/rules.d/audit.rules regexp: "^-f " line: "-f {{ rhel7stig_auditd_failure_flag }}" @@ -2207,18 +2253,18 @@ - CAT2 - CCI-000139 - SRG-OS-000046-GPOS-00022 - - SV-204504r603261_rule + - SV-204504r880761_rule - V-204504 - auditd - logging - name: "MEDIUM | RHEL-07-030201 | PATCH | The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audisp/plugins.d/au-remote.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - create: yes - mode: 0644 + create: true + mode: 0640 notify: restart auditd with_items: - { regexp: '^active =', line: 'active = yes'} @@ -2239,7 +2285,7 @@ - logging - name: "MEDIUM | RHEL-07-030210 | PATCH | The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audisp/audispd.conf regexp: '^overflow_action =' line: "overflow_action = syslog" @@ -2256,7 +2302,7 @@ - logging - name: "MEDIUM | RHEL-07-030211 | PATCH | The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audisp/audispd.conf regexp: '^name_format =' line: name_format = hostname 
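Review bot: `mode: 0640` in the RHEL-07-030201 task is an unquoted leading-zero scalar; YAML 1.1 loaders and Ansible read it as octal, but 1.2-based tooling reads decimal 640 and ansible-lint flags it as risky-octal, so quote it as `mode: '0640'`. Because `create: true` can create `/etc/audisp/plugins.d/au-remote.conf` from scratch, it is worth pinning `owner: root` and `group: root` on the same task so the remote-logging plugin config is not left owned by whatever account runs the play. The `with_items` list continues outside the hunk.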
@@ -2274,7 +2320,7 @@ - logging - name: "MEDIUM | RHEL-07-030300 | PATCH | The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audisp/audisp-remote.conf regexp: ^remote_server *= line: remote_server = {{ rhel7stig_audisp_remote_server }} @@ -2291,7 +2337,7 @@ - logging - name: "MEDIUM | RHEL-07-030310 | PATCH | The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audisp/audisp-remote.conf regexp: ^enable_krb5 += line: enable_krb5 = yes @@ -2308,7 +2354,7 @@ - logging - name: "MEDIUM | RHEL-07-030320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audisp/audisp-remote.conf regexp: ^disk_full_action += line: "disk_full_action = {{ rhel7stig_audisp_disk_full_action }}" @@ -2325,7 +2371,7 @@ - logging - name: "MEDIUM | RHEL-07-030321 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audisp/audisp-remote.conf regexp: ^network_failure_action += line: "network_failure_action = {{ rhel7stig_audisp_network_failure_action }}" 
@@ -2342,7 +2388,7 @@ - logging - name: "MEDIUM | RHEL-07-030330 | PATCH | The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: ^space_left += line: "space_left = {{ [rhel7stig_auditd_space_left | int, 51] | max }}" @@ -2359,7 +2405,7 @@ - logging - name: "MEDIUM | RHEL-07-030340 | PATCH | The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: ^space_left_action += line: "space_left_action = email" @@ -2380,7 +2426,7 @@ - logging - name: "MEDIUM | RHEL-07-030350 | PATCH | The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: ^action_mail_acct += line: "action_mail_acct = {{ rhel7stig_auditd_mail_acct }}" @@ -2401,9 +2447,8 @@ - logging - name: "MEDIUM | RHEL-07-030360 | PATCH | The Red Hat Enterprise Linux operating system must audit all executions of privileged functions." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030360 tags: 
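Review bot: Replacing `debug` plus `notify: restart auditd` with `ansible.builtin.set_fact: update_audit_template: true` in the RHEL-07-030360 task moves the actual rule installation to whatever task consumes that fact, which is not on this page; if that consumer runs earlier in the play or is itself conditional, the rules for these controls are never written and auditd is never restarted. A comment above the task would make the dependency visible to the next maintainer: `# Flag consumed by the auditd rules template task later in the run; the handler restart is triggered there.` The same replacement is repeated in every `set_fact` hunk from here through the RHEL-07-030910 task, so one comment at the first occurrence and a check that the consuming task exists cover them all.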
@@ -2416,9 +2461,8 @@ - auditd - name: "MEDIUM | RHEL-07-030370 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030370 tags: @@ -2431,9 +2475,8 @@ - auditd - name: "MEDIUM | RHEL-07-030410 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030410 tags: @@ -2446,9 +2489,8 @@ - auditd - name: "MEDIUM | RHEL-07-030440 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030440 tags: @@ -2461,9 +2503,8 @@ - auditd - name: "MEDIUM | RHEL-07-030510 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030510 tags: 
@@ -2476,9 +2517,8 @@ - auditd - name: "MEDIUM | RHEL-07-030560 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the semanage command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030560 tags: @@ -2486,14 +2526,13 @@ - CAT2 - CCI-000172 - SRG-OS-000392-GPOS-00172 - - SV-204536r603261_rule + - SV-204536r833109_rule - V-204536 - auditd - name: "MEDIUM | RHEL-07-030570 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030570 tags: @@ -2501,14 +2540,13 @@ - CAT2 - CCI-000172 - SRG-OS-000392-GPOS-00172 - - SV-204537r603261_rule + - SV-204537r833112_rule - V-204537 - auditd - name: "MEDIUM | RHEL-07-030580 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chcon command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030580 tags: @@ -2516,14 +2554,13 @@ - CAT2 - CCI-000172 - SRG-OS-000392-GPOS-00172 - - SV-204538r603261_rule + - SV-204538r833115_rule - V-204538 - auditd - name: "MEDIUM | RHEL-07-030590 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030590 tags: 
@@ -2531,14 +2568,13 @@ - CAT2 - CCI-000172 - SRG-OS-000392-GPOS-00172 - - SV-204539r603261_rule + - SV-204539r833118_rule - V-204539 - auditd - name: "MEDIUM | RHEL-07-030610 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030610 tags: @@ -2553,9 +2589,8 @@ - auditd - name: "MEDIUM | RHEL-07-030620 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030620 tags: @@ -2570,9 +2605,8 @@ - auditd - name: "MEDIUM | RHEL-07-030630 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the passwd command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030630 tags: @@ -2582,14 +2616,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204542r603261_rule + - SV-204542r833121_rule - V-204542 - auditd - name: "MEDIUM | RHEL-07-030640 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030640 tags: 
@@ -2599,14 +2632,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204543r603261_rule + - SV-204543r833124_rule - V-204543 - auditd - name: "MEDIUM | RHEL-07-030650 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030650 tags: @@ -2616,14 +2648,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204544r603261_rule + - SV-204544r833127_rule - V-204544 - auditd - name: "MEDIUM | RHEL-07-030660 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chage command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030660 tags: @@ -2633,14 +2664,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204545r603261_rule + - SV-204545r833130_rule - V-204545 - auditd - name: "MEDIUM | RHEL-07-030670 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030670 tags: 
@@ -2650,14 +2680,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204546r603261_rule + - SV-204546r833133_rule - V-204546 - auditd - name: "MEDIUM | RHEL-07-030680 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the su command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030680 tags: @@ -2668,14 +2697,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - - SV-204547r603261_rule + - SV-204547r833136_rule - V-204547 - auditd - name: "MEDIUM | RHEL-07-030690 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030690 tags: @@ -2686,14 +2714,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - - SV-204548r603261_rule + - SV-204548r833139_rule - V-204548 - auditd - name: "MEDIUM | RHEL-07-030700 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030700 tags: @@ -2709,9 +2736,8 @@ - auditd - name: "MEDIUM | RHEL-07-030710 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030710 tags: 
@@ -2722,14 +2748,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - - SV-204550r603261_rule + - SV-204550r833142_rule - V-204550 - auditd - name: "MEDIUM | RHEL-07-030720 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chsh command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030720 tags: @@ -2740,14 +2765,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000037-GPOS-00015 - - SV-204551r603261_rule + - SV-204551r833145_rule - V-204551 - auditd - name: "MEDIUM | RHEL-07-030740 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030740 tags: @@ -2756,14 +2780,13 @@ - CCI-000135 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204552r603261_rule + - SV-204552r833148_rule - V-204552 - auditd - name: "MEDIUM | RHEL-07-030750 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the umount command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030750 tags: 
@@ -2772,14 +2795,13 @@ - CCI-000135 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204553r603261_rule + - SV-204553r833151_rule - V-204553 - auditd - name: "MEDIUM | RHEL-07-030760 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030760 tags: @@ -2788,14 +2810,13 @@ - CCI-000135 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204554r603261_rule + - SV-204554r833154_rule - V-204554 - auditd - name: "MEDIUM | RHEL-07-030770 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030770 tags: @@ -2804,14 +2825,13 @@ - CCI-000135 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204555r603261_rule + - SV-204555r833157_rule - V-204555 - auditd - name: "MEDIUM | RHEL-07-030780 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030780 tags: 
@@ -2821,14 +2841,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204556r603261_rule + - SV-204556r833160_rule - V-204556 - auditd - name: "MEDIUM | RHEL-07-030800 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the crontab command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030800 tags: @@ -2838,14 +2857,13 @@ - CCI-000172 - CCI-002884 - SRG-OS-000042-GPOS-00020 - - SV-204557r603261_rule + - SV-204557r833163_rule - V-204557 - auditd - name: "MEDIUM | RHEL-07-030810 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030810 tags: @@ -2853,14 +2871,13 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00215 - - SV-204558r603261_rule + - SV-204558r833166_rule - V-204558 - auditd - name: "MEDIUM | RHEL-07-030819 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030819 tags: 
@@ -2868,14 +2885,13 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00216 - - SV-204559r603261_rule + - SV-204559r833169_rule - V-204559 - auditd - name: "MEDIUM | RHEL-07-030820 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscall." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030820 tags: @@ -2883,14 +2899,13 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00216 - - SV-204560r603261_rule + - SV-204560r833172_rule - V-204560 - auditd - name: "MEDIUM | RHEL-07-030830 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030830 tags: @@ -2898,14 +2913,13 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00216 - - SV-204562r603261_rule + - SV-204562r833175_rule - V-204562 - auditd - name: "MEDIUM | RHEL-07-030840 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the kmod command." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030840 tags: 
@@ -2913,14 +2927,13 @@ - CAT2 - CCI-000172 - SRG-OS-000471-GPOS-00216 - - SV-204563r603261_rule + - SV-204563r858498_rule - V-204563 - auditd - name: "MEDIUM | RHEL-07-030870 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030870 tags: @@ -2936,9 +2949,8 @@ - auditd - name: "MEDIUM | RHEL-07-030871 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030871 tags: @@ -2954,9 +2966,8 @@ - auditd - name: "MEDIUM | RHEL-07-030872 | PATCH | he Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030872 tags: @@ -2972,9 +2983,8 @@ - auditd - name: "MEDIUM | RHEL-07-030873 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030873 tags: 
@@ -2990,9 +3000,8 @@ - auditd - name: "MEDIUM | RHEL-07-030874 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030874 tags: @@ -3008,9 +3017,8 @@ - auditd - name: "MEDIUM | RHEL-07-030910 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: restart auditd + ansible.builtin.set_fact: + update_audit_template: true when: - rhel_07_030910 tags: @@ -3026,7 +3034,7 @@ - auditd - name: "MEDIUM | RHEL-07-031000 | PATCH | The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server." - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present block: | @@ -3055,7 +3063,7 @@ - rsyslog - name: "MEDIUM | RHEL-07-031010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation." - replace: + ansible.builtin.replace: path: /etc/rsyslog.conf regexp: '({{ item }})' replace: '# \1' 
@@ -3085,32 +3093,30 @@ - V-204575 - rsyslog -# ###################### -# ####### 040000 ####### -# ###################### +####################### +######## 040000 ####### +####################### - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." block: - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." block: - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." - shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u + ansible.builtin.shell: for p in `firewall-cmd --list-services`; do firewall-cmd --permanent --service $p --get-ports | grep -Ev '{{ rhel7stig_firewall_ports_protocols | flatten | join('|') }}'; done; changed_when: false failed_when: false check_mode: false register: rhel7stig_PPSM_CLSA_check_firewalld + when: rhel7stig_firewall_ports_protocols is defined - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." 
- debug: - msg: "The following task output is what firewalld is accepting on service ports to {{ ansible_hostname }}." - changed_when: true - when: rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines is defined - - - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." - debug: - var: rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines - changed_when: true - when: rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines is defined + ansible.builtin.debug: + msg: "Warning!! Firewalld is accepting the following port/protocols that are not in the accepted list: {{ item }}." + changed_when: false + with_items: "{{ rhel7stig_PPSM_CLSA_check_firewalld.stdout }}" + when: + - rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines is defined + - rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines | length > 0 when: - rhel7stig_firewall_service == "firewalld" - rhel7stig_start_firewall_service 
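Review bot: The accepted list is spliced into `grep -Ev` as an unanchored, unescaped alternation, so an entry such as `80/tcp` also suppresses `8080/tcp` or `180/tcp` and the audit under-reports, and if `rhel7stig_firewall_ports_protocols` is defined but empty the pattern is `''`, which `grep -v` matches on every line so nothing is ever reported. `firewall-cmd --permanent --service $p --get-ports` also prints a multi-port service on one space-separated line, and `grep -v` drops that whole line when any one of its ports is approved. Split and anchor instead: `... --get-ports | tr ' ' '\n' | grep -Evx '({{ rhel7stig_firewall_ports_protocols | flatten | map('regex_escape') | join('|') }})'`, and add `- rhel7stig_firewall_ports_protocols | length > 0` to the task's `when`. The warning task loops `with_items` over `.stdout` (a single string) while its condition tests `stdout_lines`; use `with_items: "{{ rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines }}"` so each offending port/protocol is printed on its own. Note that this only inspects service definitions — ports opened directly with `--add-port` are not covered by this check.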
@@ -3118,21 +3124,21 @@ - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." block: - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." - shell: iptables-save | grep -i accept | grep -i input + ansible.builtin.shell: iptables-save | grep -i accept | grep -i input changed_when: false failed_when: false check_mode: false - register: rhel7stig_PPSM_CLSA_check_iptables + register: rhel7stig_PPSM_CLSA_check_iptables # noqa var-naming - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." - debug: + ansible.builtin.debug: msg: "The following task output is what iptables is accepting on service ports to {{ ansible_hostname }}." changed_when: true when: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines is defined - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." 
- debug: - var: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines + ansible.builtin.debug: + var: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines # noqa var-naming changed_when: true when: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines is defined when: @@ -3140,7 +3146,7 @@ - rhel7stig_start_firewall_service - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." - debug: + ansible.builtin.debug: msg: "Your configured firewall service is {{ rhel7stig_firewall_service }}, but you have set the variable rhel7stig_start_firewall_service to false. We cannot audit control RHEL-07-040100 - The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." changed_when: true when: not rhel7stig_start_firewall_service @@ -3160,8 +3166,8 @@ - disruption-high - name: "MEDIUM | RHEL-07-040110 | PATCH | The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?Ciphers" line: "Ciphers {{ rhel7stig_ssh_ciphers }}" validate: /usr/sbin/sshd -t -f %s 
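Review bot: The iptables branch of this audit still prints every `ACCEPT`/`INPUT` rule from `iptables-save` rather than comparing against `rhel7stig_firewall_ports_protocols` as the firewalld branch now does, so on iptables hosts the operator gets a rule dump instead of a list of non-approved ports; filtering on `--dport` values built from the same variable would bring the two branches in line. The `# noqa var-naming` markers silence the linter on `rhel7stig_PPSM_CLSA_check_iptables`; renaming it to lower case (as this change does for `rhel_07_040180_ldapconf_audit`) would remove the need for them, provided nothing else references the old name. The block's `when:` conditions continue outside the hunk.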
@@ -3181,8 +3187,8 @@ - ssh - name: "MEDIUM | RHEL-07-040160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements." - blockinfile: - create: yes + ansible.builtin.blockinfile: + create: true mode: 0644 dest: "{{ item.dest }}" state: "{{ item.state }}" @@ -3195,6 +3201,8 @@ state: present - dest: /etc/profile state: "{{ (rhel7stig_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" + - dest: /etc/bashrc + state: "{{ (rhel7stig_shell_session_timeout.file == '/etc/bashrc') | ternary('present', 'absent') }}" when: - rhel_07_040160 tags: @@ -3203,13 +3211,13 @@ - CCI-001133 - CCI-002361 - SRG-OS-000163-GPOS-00072 - - SV-204579r646844_rule + - SV-204579r861070_rule - V-204579 - profile - name: "MEDIUM | RHEL-07-040170 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?Banner" line: Banner /etc/issue validate: /usr/sbin/sshd -tf %s 
@@ -3242,7 +3250,7 @@ "MEDIUM | RHEL-07-040180 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." "MEDIUM | RHEL-07-040190 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." "MEDIUM | RHEL-07-040200 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." - shell: systemctl status sssd.service | grep "Active" | cut -d ':' -f1 | tr " " "\n" | sed '/^$/d' + ansible.builtin.shell: systemctl status sssd.service | grep "Active" | cut -d ':' -f1 | tr " " "\n" | sed '/^$/d' check_mode: false failed_when: false changed_when: false 
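Review bot: `cut -d ':' -f1` on the `Active:` line of `systemctl status` keeps the text before the colon, so the registered stdout is the literal word `Active` whenever the sssd unit exists, regardless of whether it is running or inactive; every task gated on `stdout == "Active"` (visible in the following hunk) therefore also fires on a stopped sssd. Replace the pipeline with `ansible.builtin.command: systemctl is-active sssd.service` and gate on `rhel_07_040180_audit.stdout == "active"`, which needs no shell and reports the real state (the existing `failed_when: false` already absorbs the non-zero exit for inactive or missing units). The enclosing block for RHEL-07-040180/190/200 starts and continues outside this hunk.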
@@ -3252,24 +3260,24 @@ "MEDIUM | RHEL-07-040180 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." "MEDIUM | RHEL-07-040190 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." "MEDIUM | RHEL-07-040200 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." - stat: + ansible.builtin.stat: path: /etc/sssd/sssd.conf changed_when: false - register: rhel_07_040180_LDAPconf_audit + register: rhel_07_040180_ldapconf_audit when: rhel_07_040180_audit.stdout == "Active" - name: | "MEDIUM | RHEL-07-040180 | PATCH | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." "MEDIUM | RHEL-07-040190 | PATCH | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." "MEDIUM | RHEL-07-040200 | PATCH | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications." - blockinfile: + ansible.builtin.blockinfile: block: | ldap_id_use_start_tls = true ldap_tls_reqcert = demand ldap_tls_cacert = "{{ rhel_07_040200_cabundle_path }}" path: /etc/sssd/sssd.conf insertafter: "^ldap_search_base*" - create: yes + create: true mode: 0600 when: rhel_07_040180_audit.stdout == "Active" when: @@ -3297,8 +3305,8 @@ value: '2' state: present reload: "{{ rhel7stig_sysctl_reload }}" - sysctl_set: yes - ignoreerrors: yes + sysctl_set: true + ignoreerrors: true when: - rhel_07_040201 tags: 
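Review bot: `ldap_tls_cacert = "{{ rhel_07_040200_cabundle_path }}"` writes the path wrapped in double quotes into /etc/sssd/sssd.conf; I am not certain sssd's INI parser strips quotes, and if it does not the CA bundle path is taken literally and TLS verification fails while `ldap_tls_reqcert = demand` is in force — worth confirming on a test host and, if so, writing `ldap_tls_cacert = {{ rhel_07_040200_cabundle_path }}`. The stat result `rhel_07_040180_ldapconf_audit` is registered but not consulted by the blockinfile task in this hunk, and the rename from `rhel_07_040180_LDAPconf_audit` is only safe if nothing elsewhere in the role references the old name. Both tasks are gated on `rhel_07_040180_audit.stdout == "Active"`, which, given how that value is produced in the preceding hunk, is true whenever sssd is installed rather than when it is running. The block's `when:` continues past the hunk.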
@@ -3306,12 +3314,12 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204584r603261_rule + - SV-204584r880794_rule - V-204584 - sysctl - name: "MEDIUM | RHEL-07-040300 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed." - package: + ansible.builtin.package: name: - openssh-clients - openssh-server @@ -3334,25 +3342,28 @@ - ssh - name: "MEDIUM | RHEL-07-040310 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission." - service: + ansible.builtin.service: name: sshd state: "{{ rhel7stig_service_started }}" - enabled: yes + enabled: true when: - rhel_07_040310 - rhel7stig_ssh_required tags: - RHEL-07-040310 - CAT2 + - CCI-002418 + - CCI-002420 - CCI-002421 + - CCI-002422 - SRG-OS-000423-GPOS-00187 - - SV-204586r603261_rule + - SV-204586r861071_rule - V-204586 - ssh - name: "MEDIUM | RHEL-07-040320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?ClientAliveInterval" line: ClientAliveInterval {{ rhel7stig_ssh_session_timeout }} @@ -3373,8 +3384,8 @@ - ssh - name: "MEDIUM | RHEL-07-040330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?RhostsRSAAuthentication" line: RhostsRSAAuthentication no validate: /usr/sbin/sshd -t -f %s 
@@ -3393,8 +3404,8 @@ - ssh - name: "MEDIUM | RHEL-07-040340 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?ClientAliveCountMax" line: ClientAliveCountMax 0 @@ -3415,9 +3426,9 @@ - ssh - name: "MEDIUM | RHEL-07-040350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "(?i)^#?IgnoreRhosts" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?\s*IgnoreRhosts' line: IgnoreRhosts yes validate: /usr/sbin/sshd -t -f %s notify: restart sshd @@ -3434,8 +3445,8 @@ - ssh - name: "MEDIUM | RHEL-07-040360 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?PrintLastLog" line: PrintLastLog yes validate: /usr/sbin/sshd -t -f %s @@ -3446,15 +3457,15 @@ tags: - RHEL-07-040360 - CAT2 - - CCI-000366 + - CCI-000052 - SRG-OS-000480-GPOS-00227 - - SV-204591r603261_rule + - SV-204591r858477_rule - V-204591 - ssh - name: "MEDIUM | RHEL-07-040370 | PATCH | The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?PermitRootLogin" line: PermitRootLogin no 
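Review bot: `lineinfile` with `regexp: "(?i)^#?PermitRootLogin"` appends `PermitRootLogin no` at end of file when no matching line exists (and `create: true` makes that the path on a fresh file); if /etc/ssh/sshd_config ends with a `Match` block, the appended directive becomes part of that block and root login stays permitted globally while `sshd -t` still validates. Add `insertbefore: '(?i)^\s*Match\s'` and `firstmatch: true` so the line lands in the global section, and apply the same to the other sshd_config lineinfile tasks in this change. The `^#?\s*` form introduced for IgnoreRhosts in the previous hunk would also be worth using here so a commented `# PermitRootLogin yes` is edited in place rather than duplicated.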
@@ -3474,8 +3485,8 @@ - ssh - name: "MEDIUM | RHEL-07-040380 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?IgnoreUserKnownHosts" line: IgnoreUserKnownHosts yes @@ -3495,8 +3506,8 @@ - ssh - name: "MEDIUM | RHEL-07-040400 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?MACs" line: "MACs {{ rhel7stig_ssh_macs }}" @@ -3518,9 +3529,9 @@ - name: "MEDIUM | RHEL-07-040410 | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive." block: - name: "MEDIUM | RHEL-07-040410 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive." - find: + ansible.builtin.find: paths: /etc/ssh - recurse: yes + recurse: true file_type: file patterns: 'ssh_host*_key.pub' hidden: true @@ -3529,7 +3540,7 @@ register: rhel_07_040410_audit - name: "MEDIUM | RHEL-07-040410 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive." - file: + ansible.builtin.file: dest: "{{ item.path }}" mode: a-stx,go-w state: file 
@@ -3549,9 +3560,9 @@ - name: "MEDIUM | RHEL-07-040420 | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive." block: - name: "MEDIUM | RHEL-07-040420 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive." - find: + ansible.builtin.find: paths: /etc/ssh - recurse: yes + recurse: true file_type: file patterns: 'ssh_host*_key' hidden: true @@ -3560,7 +3571,7 @@ register: rhel_07_040420_audit - name: "MEDIUM | RHEL-07-040420 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive." - file: + ansible.builtin.file: dest: "{{ item.path }}" mode: a-stx,go-w,o-r state: file @@ -3574,13 +3585,13 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204597r603261_rule + - SV-204597r880743_rule - V-204597 - ssh - name: "MEDIUM | RHEL-07-040430 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?GSSAPIAuthentication" line: GSSAPIAuthentication no @@ -3604,8 +3615,8 @@ - ssh - name: "MEDIUM | RHEL-07-040440 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?KerberosAuthentication" line: KerberosAuthentication no validate: /usr/sbin/sshd -t -f %s 
@@ -3627,8 +3638,8 @@ - ssh - name: "MEDIUM | RHEL-07-040450 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?StrictModes" line: StrictModes yes validate: /usr/sbin/sshd -t -f %s @@ -3646,8 +3657,8 @@ - ssh - name: "MEDIUM | RHEL-07-040460 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?UsePrivilegeSeparation" line: UsePrivilegeSeparation sandbox validate: /usr/sbin/sshd -t -f %s @@ -3665,8 +3676,8 @@ - ssh - name: "MEDIUM | RHEL-07-040470 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication." - lineinfile: - dest: /etc/ssh/sshd_config + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config regexp: "(?i)^#?Compression" line: Compression no validate: /usr/sbin/sshd -t -f %s 
@@ -3674,19 +3685,20 @@ when: - rhel_07_040470 - rhel7stig_ssh_required + - ansible_facts['distribution_version'] <= "7.4" tags: - RHEL-07-040470 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204602r603261_rule + - SV-204602r880758_rule - V-204602 - ssh - name: "MEDIUM | RHEL-07-040500 | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." block: - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - package: + ansible.builtin.package: name: chrony state: absent vars: @@ -3694,7 +3706,7 @@ when: "'chrony' in ansible_facts.packages" - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - package: + ansible.builtin.package: name: ntp state: present vars: 
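Review bot: `ansible_facts['distribution_version'] <= "7.4"` is a lexical string comparison, not a version comparison: it happens to hold for 7.0–7.9 but misorders any two-digit minor (`"7.10" <= "7.4"` is true) and is fragile if the fact ever carries a patch component; use the version test, `- ansible_facts['distribution_version'] is version('7.4', '<=')`. Since the Compression control is now skipped on releases newer than 7.4 — presumably because the STIG revision behind the new rule id no longer requires it, which should be confirmed — a one-line comment on the condition would stop the skip being read as a failure.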
@@ -3702,8 +3714,8 @@ when: "'ntp' not in ansible_facts.packages" - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -3728,7 +3740,7 @@ - name: "MEDIUM | RHEL-07-040500 | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." block: - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - package: + ansible.builtin.package: name: ntp state: absent vars: @@ -3736,7 +3748,7 @@ when: "'ntp' in ansible_facts.packages" - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - package: + ansible.builtin.package: name: chrony state: present vars: 
@@ -3744,7 +3756,7 @@ when: "'chrony' not in ansible_facts.packages" - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - replace: + ansible.builtin.replace: dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" regexp: '^server \S+( \w+)?$' notify: restart {{ rhel7stig_time_service }} @@ -3756,7 +3768,7 @@ - chronyd - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - blockinfile: + ansible.builtin.blockinfile: insertbefore: BOF dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" block: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].block }}" 
@@ -3776,9 +3788,17 @@ - chronyd - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." - package: - name: "{{ rhel7stig_firewall_service }}" - state: present + block: + - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." + ansible.builtin.package: + name: "{{ rhel7stig_firewall_service }}" + state: present + + - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available." + ansible.builtin.service: + name: "{{ rhel7stig_firewall_service }}" + enabled: true + state: started vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -3798,7 +3818,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040610 tags: @@ -3806,7 +3826,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204609r603261_rule + - SV-204609r880797_rule - V-204609 - ipv4 @@ -3823,7 +3843,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204610r603261_rule + - SV-204610r880800_rule - V-204610 - sysctl - ipv4 @@ -3841,7 +3861,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204611r603261_rule + - SV-204611r880803_rule - V-204611 - sysctl - ipv4 @@ -3852,7 +3872,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040620 tags: @@ -3860,7 +3880,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204612r603261_rule + - SV-204612r880806_rule - V-204612 - ipv4 @@ -3869,9 +3889,9 @@ name: net.ipv4.icmp_echo_ignore_broadcasts state: present value: '1' - sysctl_set: yes + sysctl_set: true reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040630 tags: 
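Review bot: The new `ansible.builtin.service` task starts and enables `{{ rhel7stig_firewall_service }}` without reference to `rhel7stig_start_firewall_service`, the toggle the role honours elsewhere in this change (the RHEL-07-040100 and RHEL-07-040810 audit tasks test it); unless the conditions under the `when:` that continues past the hunk include it, setting the variable to false no longer prevents the firewall from coming up. Starting a firewall from an SSH-driven play can also cut the session if the active ruleset does not permit the sshd port (for `iptables` that depends on /etc/sysconfig/iptables), so gate the service task with `when: rhel7stig_start_firewall_service` and note in a comment that the SSH port must be allowed before this task runs.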
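Review bot: `ignoreerrors: true` on the RHEL-07-040610 sysctl task tells sysctl to ignore unknown keys (`sysctl -e`), so on a kernel that does not expose the parameter the play moves on and reports the control as handled without it being enforced; the same flag is set on every sysctl task in this section. Unless the role deliberately tolerates that, drop the flag or follow up with an audit that reads the live value back and fails when it differs.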
@@ -3879,7 +3899,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204613r603261_rule + - SV-204613r880809_rule - V-204613 - ipv4 @@ -3889,7 +3909,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040640 tags: @@ -3897,7 +3917,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204614r603261_rule + - SV-204614r880812_rule - V-204614 - ipv4 @@ -3907,7 +3927,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040641 tags: @@ -3915,7 +3935,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204615r603261_rule + - SV-204615r880815_rule - V-204615 - ipv4 @@ -3925,7 +3945,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040650 tags: @@ -3933,7 +3953,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204616r603261_rule + - SV-204616r880818_rule - V-204616 - ipv4 @@ -3943,7 +3963,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040660 tags: 
@@ -3951,22 +3971,22 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204617r603261_rule + - SV-204617r880821_rule - V-204617 - ipv4 - name: "MEDIUM | RHEL-07-040670 | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode." block: - name: "MEDIUM | RHEL-07-040670 | PATCH | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode." - shell: "ip link | grep -i promisc | cut -d ':' -f 2" + ansible.builtin.shell: "ip link | grep -i promisc | cut -d ':' -f 2" changed_when: rhel_07_040670_promisc_check.stdout| length > 0 failed_when: false check_mode: false - ignore_errors: yes + ignore_errors: true register: rhel_07_040670_promisc_check - name: "MEDIUM | RHEL-07-040670 | PATCH | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode." - shell: "ip link set dev {{ item }} promisc off" + ansible.builtin.shell: "ip link set dev {{ item }} promisc off" with_items: - "{{ rhel_07_040670_promisc_check.stdout_lines }}" when: 
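Review bot: `ip link set dev {{ item }} promisc off` only clears the flag at runtime; nothing in the hunk touches the persistent interface configuration that set it (e.g. `PROMISC=yes` in an ifcfg file or an NM profile), so the finding returns at the next reboot or interface reload, and the task should say so, e.g. `# Runtime fix only; persistent PROMISC settings in ifcfg/NM profiles must be removed separately.` The detection pipeline `cut -d ':' -f 2` yields names with a leading space and, for veth/VLAN interfaces, an `@peer` suffix (`eth0@if5`) that `ip link set dev` rejects, and those names are interpolated into `ansible.builtin.shell` unquoted; use `ansible.builtin.command` with `{{ item | trim | regex_replace('@.*$', '') }}`. `changed_when: ... | length > 0` on the detection task also reports a change merely for finding a promiscuous interface. The block's `when:` continues outside the hunk.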
@@ -3983,14 +4003,14 @@ - name: "MEDIUM | RHEL-07-040680 | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying." block: - name: "MEDIUM | RHEL-07-040680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying." - command: "/usr/sbin/postconf -n smtpd_client_restrictions" + ansible.builtin.shell: "/usr/sbin/postconf -n smtpd_client_restrictions" check_mode: false changed_when: false register: rhel_07_040680_postconf_audit when: "'postfix' in ansible_facts.packages" - name: "MEDIUM | RHEL-07-040680 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying." - command: "/usr/sbin/postconf -e 'smtpd_client_restrictions=permit_mynetworks, reject'" + ansible.builtin.shell: "/usr/sbin/postconf -e 'smtpd_client_restrictions=permit_mynetworks, reject'" when: - "'postfix' in ansible_facts.packages" - rhel_07_040680_postconf_audit.stdout != 'smtpd_client_restrictions = permit_mynetworks, reject' @@ -4005,8 +4025,8 @@ - V-204619 - name: "MEDIUM | RHEL-07-040710 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requiremen" - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?X11Forwarding" line: X11Forwarding no 
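Review bot: Both postconf tasks were moved from `ansible.builtin.command` to `ansible.builtin.shell` although neither uses shell syntax; that adds a /bin/sh parse of the argument string for no benefit and is exactly what ansible-lint's command-instead-of-shell rule flags, so `ansible.builtin.command` should be restored on both. The patch condition `stdout != 'smtpd_client_restrictions = permit_mynetworks, reject'` is an exact string compare, so any whitespace difference in an already-compliant value re-runs `postconf -e` on every play; normalising with `| regex_replace('\s+', ' ')` before comparing would keep it idempotent.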
@@ -4025,8 +4045,29 @@ - V-204622 - ssh +- name: "MEDIUM | RHEL-07-040712 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requiremen" + ansible.builtin.lineinfile: + create: true + dest: /etc/ssh/sshd_config + regexp: "(?i)^#?KexAlgorithms" + line: KexAlgorithms "{{ rhel7stig_ssh_kex }}" + validate: /usr/sbin/sshd -t -f %s + mode: 0600 + notify: restart sshd + when: + - rhel_07_040712 + - rhel7stig_ssh_required + tags: + - RHEL-07-040712 + - CAT2 + - CCI-001453 + - SRG-OS-000033-GPOS-00014 + - SV-255925r880749_rule + - V-255925 + - ssh + - name: "MEDIUM | RHEL-07-040720 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode." - lineinfile: + ansible.builtin.lineinfile: path: /etc/xinetd.d/tftp regexp: "(?i)^.*server_args.*=" line: " server_args = -s /var/lib/tftpboot" @@ -4049,7 +4090,7 @@ - tftp - name: "MEDIUM | RHEL-07-040730 | PATCH | The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved." - package: + ansible.builtin.package: name: - "@x11" - xorg-x11-server-common @@ -4074,7 +4115,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - not rhel7stig_system_is_router - rhel_07_040740 
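Review bot: The task name for the new RHEL-07-040712 control is copied verbatim from RHEL-07-040710 (it talks about remote X connections and carries the same truncated `requiremen` typo) while the task actually sets `KexAlgorithms`; rename it to describe the key-exchange requirement so the STIG mapping and play output are not misleading. `line: KexAlgorithms "{{ rhel7stig_ssh_kex }}"` wraps the value in double quotes, unlike the sibling `Ciphers {{ rhel7stig_ssh_ciphers }}` and `MACs {{ rhel7stig_ssh_macs }}` lines; sshd's option parser appears to accept a quoted value and `sshd -t` would reject it otherwise, but for consistency write `line: "KexAlgorithms {{ rhel7stig_ssh_kex }}"`. As with the other sshd_config edits, `regexp: '(?i)^#?\s*KexAlgorithms'` plus an `insertbefore` for a trailing `Match` block would keep the directive global.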
@@ -4083,27 +4124,27 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204625r603261_rule + - SV-204625r880824_rule - V-204625 - ipv4 - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS." block: - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS." - shell: cat /etc/fstab | grep nfs + ansible.builtin.shell: cat /etc/fstab | grep nfs register: rhel_07_040750_nfssec_check changed_when: false failed_when: false check_mode: false - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS." - debug: + ansible.builtin.debug: msg: "There were no applicable NFS mounts found to audit per RHEL-07-040750." changed_when: true when: rhel_07_040750_nfssec_check.stdout_lines is not defined - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS." - debug: + ansible.builtin.debug: msg: "The following NFS mount is required to be audited per RHEL-07-040750: {{ item }} - If the system is mounting file systems via NFS and has the sec option without the 'krb5:krb5i:krb5p' settings, the 'sec' option has the 'sys' setting, or the 'sec' option is missing, this is a finding." changed_when: true with_items: 
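Review bot: `rhel_07_040750_nfssec_check.stdout_lines is not defined` can never be true for a registered shell result — `stdout_lines` is always present, as an empty list when nothing matched — so the "no applicable NFS mounts" message is dead code and a host without NFS mounts prints nothing for this control; gate it on `when: rhel_07_040750_nfssec_check.stdout_lines | length == 0` instead. `cat /etc/fstab | grep nfs` also matches comments and any line containing `nfs` (such as a `/srv/nfs` path), and misses NFS mounts defined in systemd mount units or autofs; `grep -E '^[^#].*\s(nfs|nfs4)\s' /etc/fstab` narrows the fstab match and drops the needless `cat`.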
@@ -4130,8 +4171,8 @@ when: rhel7stig_firewall_service != "firewalld" - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - debug: - msg: "Your configured firewall service is {{ rhel7stig_firewall_service }}, but you have set the variable rhel7stig_start_firewall_service to false. We cannot audit control RHEL-07-040810. Please set the variable rhel7stig_start_firewall_service to true in the defaults file of this role and re-run the playbook." + ansible.builtin.debug: + msg: "Warning!! The variable rhel7stig_start_firewall_service to false, but unable to pull configuration rules for RHEL-07-040810 {{ rhel7stig_firewall_service }}" changed_when: true when: not rhel7stig_start_firewall_service when: @@ -4148,7 +4189,7 @@ - disruption-high - name: "MEDIUM | RHEL-07-040820 | PATCH | The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured." - package: + ansible.builtin.package: name: libreswan state: absent vars: @@ -4170,7 +4211,7 @@ state: present value: '0' reload: "{{ rhel7stig_sysctl_reload }}" - ignoreerrors: yes + ignoreerrors: true when: - rhel_07_040830 tags: @@ -4178,14 +4219,14 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204630r603261_rule + - SV-204630r880827_rule - V-204630 - ipv6 - name: "MEDIUM | RHEL-07-041001 | The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed." block: - name: "MEDIUM | RHEL-07-041001 | PATCH | The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed." - package: + ansible.builtin.package: name: - esc - authconfig-gtk 
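Review bot: The reworded debug message for RHEL-07-040810 is ungrammatical ("The variable rhel7stig_start_firewall_service to false") and drops the remediation instruction the old text carried, so an operator reading the play output no longer knows what to change to get the control audited. Suggested text: `msg: "Warning!! rhel7stig_start_firewall_service is false, so the {{ rhel7stig_firewall_service }} rules cannot be pulled and RHEL-07-040810 was not audited. Set rhel7stig_start_firewall_service to true and re-run the playbook."`. The block's own `when:` and tags continue outside the hunk.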
@@ -4196,7 +4237,7 @@ - rhel7stig_gui - name: "MEDIUM | RHEL-07-041001 | PATCH | The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed." - package: + ansible.builtin.package: name: pam_pkcs11 state: present vars: @@ -4218,7 +4259,7 @@ - name: "MEDIUM | RHEL-07-041002 | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)." block: - name: "MEDIUM | RHEL-07-041002 | AUDIT | Check if pam service is configured in sssd file" - command: 'grep -E "^\s*services\s*=.*pam" /etc/sssd/sssd.conf' + ansible.builtin.shell: 'grep -E "^\s*services\s*=.*pam" /etc/sssd/sssd.conf' check_mode: false changed_when: - sssd_services_check.rc == 1 @@ -4229,8 +4270,8 @@ register: sssd_services_check - name: "MEDIUM | RHEL-07-041002 | PATCH | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)." - debug: - msg: "WARNING: SSSD is in use and /etc/sssd/sssd.conf is not configured to use the PAM service (services = nss, pam)" + ansible.builtin.debug: + msg: "Warning!! SSSD is in use and /etc/sssd/sssd.conf is not configured to use the PAM service (services = nss, pam)" changed_when: rhel7stig_audit_complex when: sssd_services_check.rc == 1 when: @@ -4250,7 +4291,7 @@ - sssd - name: "MEDIUM | RHEL-07-041003 | The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication." - replace: + ansible.builtin.replace: path: /etc/pam_pkcs11/pam_pkcs11.conf regexp: (?im)^([ \t]*cert_policy[ \t]*=(?:[^ \t\n]|[ \t](?!ocsp_on,))*?)(?:[ \t]ocsp_on,[ \t]*)?[ \t]*((?:[^,\n]|,(?![ \t]*ocsp_on,))*?)(?:,[ \t]*ocsp_on)?;$ replace: '\1 ocsp_on, \2;' 
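Review bot: The RHEL-07-041002 audit task swaps `ansible.builtin.command` for `ansible.builtin.shell` on a plain `grep -E ... /etc/sssd/sssd.conf` that uses no pipes, redirects or globs, which routes the call through /bin/sh for no benefit and is exactly what ansible-lint's command-instead-of-shell rule exists to catch; keep `ansible.builtin.command: 'grep -E "^\s*services\s*=.*pam" /etc/sssd/sssd.conf'`. The same downgrade is applied to the two `nmcli radio wifi` tasks in the next hunk (RHEL-07-041010). If the motivation was to turn a missing binary into a non-zero rc instead of a module failure, `failed_when: false` on the command task is the narrower change. The task's `changed_when` list and `register` continue outside the hunk.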
@@ -4270,13 +4311,13 @@ - name: "MEDIUM | RHEL-07-041010 | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled." block: - name: "MEDIUM | RHEL-07-041010 | AUDIT | check if wifi is enabled" - command: nmcli radio wifi + ansible.builtin.shell: nmcli radio wifi changed_when: false check_mode: false register: rhel_07_wifi_enabled - name: "MEDIUM | RHEL-07-041010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled." - command: nmcli radio wifi off + ansible.builtin.shell: nmcli radio wifi off when: - "'enabled' in rhel_07_wifi_enabled.stdout" when: @@ -4295,7 +4336,7 @@ - networking - name: "MEDIUM | RHEL-07-020019 | AUDIT | The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed." - debug: + ansible.builtin.debug: msg: - "Please install and enable the latest McAfee HIPS package, available from USCYBERCOM." - "If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." @@ -4312,7 +4353,7 @@ - antivirus - name: "MEDIUM | RHEL-07-010062 | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_07_010062 content: | /org/gnome/desktop/screensaver/lock-enabled @@ -4326,12 +4367,12 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-214937r603261_rule + - SV-214937r880767_rule - V-214937 - dconf - name: "MEDIUM | RHEL-07-020111 | PATCH | The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-No-Automount content: | [org/gnome/desktop/media-handling] 
@@ -4357,7 +4398,7 @@ - name: "MEDIUM | RHEL-07-021031 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user." block: - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Get world-writable files" - shell: "find {{ item.mount }} -xdev -type d -perm -0002 -uid +999 -print" + ansible.builtin.shell: "find {{ item.mount }} -xdev -type d -perm -0002 -uid +999 -print" changed_when: false failed_when: false register: rhel_07_021031_world_writable_files 
@@ -4365,26 +4406,19 @@ - "{{ ansible_facts.mounts }}" - name: "MEDIUM | RHEL-07-021031 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Flatten results" - set_fact: + ansible.builtin.set_fact: rhel_07_021031_world_writable_files_flat: "{{ rhel_07_021031_world_writable_files.results | map(attribute='stdout_lines') | flatten }}" - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | List world-writable files" - debug: + ansible.builtin.debug: msg: - "Below are the world-writable files" - "{{ rhel_07_021031_world_writable_files_flat }}" when: - rhel_07_021031_world_writable_files_flat != [] - - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Alert on no world-writable files" - debug: - msg: - - "Good News! No world-writable files detected" - when: - - rhel_07_021031_world_writable_files_flat == [] - - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Adjust world-writable files" - file: + ansible.builtin.file: path: "{{ item }}" owner: root with_items: 
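Review bot: The "Adjust world-writable files" task at the end of this hunk chowns every directory the audit returned to root, but the control it implements (RHEL-07-021031, per the task name) explicitly permits ownership by root, sys, bin, or an application user, so forcing `owner: root` on a world-writable directory legitimately owned by an application account (any uid above 999 that the earlier `find ... -uid +999` returns) is broader than the STIG requires and can break the service that owns it. Consider gating the chown behind a variable that defaults to reporting only (e.g. `rhel7stig_021031_chown_to_root: false`) or excluding an approved list of application users from the loop. The find is `-type d`, yet the fact and messages say "files"; rename to `..._world_writable_dirs` and say "directories" so the report is not misread. The task's loop list continues outside the hunk.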
@@ -4407,12 +4441,12 @@ - name: "MEDIUM | RHEL-07-910055 | PATCH | The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion" block: - name: "MEDIUM | RHEL-07-910055 | AUDIT | The Red Hat EnterpriseLinux operating system must protect audit information from unauthorized read, modification, or deletion | Get log files" - find: + ansible.builtin.find: paths: /var/log/audit register: rhel_07_910055_audit_log_files - name: "MEDIUM | RHEL-07-910055 | PATCH | The Red Hat EnterpriseLinux operating system must protect audit information from unauthorized read, modification, or deletion | Apply permissions" - file: + ansible.builtin.file: path: "{{ item.path }}" owner: root group: root @@ -4435,8 +4469,8 @@ - logs - name: "MEDIUM | RHEL-07-040711 | PATCH | The Red Hat Enterprise Linux operating system must prevent remote hosts from connecting to the proxy display." - lineinfile: - create: yes + ansible.builtin.lineinfile: + create: true dest: /etc/ssh/sshd_config regexp: "(?i)^#?X11UseLocalhost" line: X11UseLocalhost yes @@ -4457,13 +4491,13 @@ - name: "MEDIUM | RHEL-07-010341 | PATCH | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel." block: - name: "MEDIUM | RHEL-07-010341 | AUDIT | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. | Get ALL settings" - shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + ansible.builtin.shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel_07_010341_sudoers_all - name: "MEDIUM | RHEL-07-010341 | PATCH | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. | Remove format 1" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'ALL ALL=(ALL) ALL' state: absent 
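Review bot: The "Remove format 1" task in the RHEL-07-010341 hunk uses `regexp: 'ALL ALL=(ALL) ALL'`, where `(ALL)` is a regex group matching the bare text `ALL`, so the pattern never matches the literal sudoers line `ALL ALL=(ALL) ALL` it is meant to delete and the remediation is a silent no-op; the "format 2" pattern `ALL\s+ALL=(ALL:ALL)\s+ALL` in the next hunk has the same flaw. Escape the parentheses and anchor to the line start so a `%wheel ALL=(ALL) ALL` or commented entry is not touched: `regexp: '^\s*ALL\s+ALL\s*=\s*\(ALL\)\s+ALL'` and `regexp: '^\s*ALL\s+ALL\s*=\s*\(ALL:ALL\)\s+ALL'`. Because these tasks edit `/etc/sudoers` and drop-ins in place with `state: absent`, adding `validate: '/usr/sbin/visudo -cf %s'` as the RHEL-07-010342 task does would keep a bad edit from locking everyone out of sudo. The loop and the rest of the task lie outside the hunk.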
@@ -4473,7 +4507,7 @@ when: rhel_07_010341_sudoers_all.stdout | length > 0 - name: "MEDIUM | RHEL-07-010341 | PATCH | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. | Remove format 2" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'ALL\s+ALL=(ALL:ALL)\s+ALL' state: absent @@ -4496,13 +4530,13 @@ - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo." block: - name: "MEDIUM | RHEL-07-010342 | AUDIT | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation" - shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --unique + ansible.builtin.shell: grep -Eirs '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --uniq changed_when: false failed_when: false register: rhel_07_010342_priv_escalation - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for no findings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers line: "{{ item }}" validate: '/usr/sbin/visudo -cf %s' @@ -4513,7 +4547,7 @@ when: rhel_07_010342_priv_escalation.stdout | length == 0 - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for targetpw with findings" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults !targetpw' line: 'Defaults !targetpw' 
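Review bot: The "with findings" tasks for RHEL-07-010342 (`Defaults !targetpw` here, `!rootpw` and `!runaspw` in the following hunks) write into whichever file the grep reported via `path: "{{ item }}"` without the `validate: '/usr/sbin/visudo -cf %s'` that the "no findings" task immediately above uses, at least as far as the hunk shows; a malformed write to a drop-in under /etc/sudoers.d disables sudo for every user, so add the same `validate:` to each. The audit's `grep -Eirs ... | grep -v '#'` discards any line containing `#`, including an active `Defaults !targetpw  # reason` line, and `-i` counts `!TARGETPW` as a finding; `grep -Ers '^[^#]*!(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d/*` is more precise. The loops of these tasks continue outside the hunk.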
@@ -4524,7 +4558,7 @@ - rhel_07_010342_priv_escalation.stdout | length > 0 - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for rootpw with findings" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults !rootpw' line: 'Defaults !rootpw' @@ -4535,7 +4569,7 @@ - rhel_07_010342_priv_escalation.stdout | length > 0 - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for runaspw with findings" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults !runaspw' line: 'Defaults !runaspw' @@ -4552,20 +4586,20 @@ - CAT2 - CCI-002227 - SRG-OS-000480-GPOS-00227 - - SV-237634r809213_rule + - SV-237634r880755_rule - V-237634 - sudo - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command." block: - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Get files with timeout set" - shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + ansible.builtin.shell: grep -irs 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel_07_010343_timeout_files - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Set value if no results" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel7stig_sudo_timestamp_timeout }}" 
@@ -4573,7 +4607,7 @@ when: rhel_07_010343_timeout_files.stdout | length == 0 - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Set value if has results" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel7stig_sudo_timestamp_timeout }}" 
@@ -4589,26 +4623,26 @@ - CAT2 - CCI-002038 - SRG-OS-000373-GPOS-00156 - - SV-237635r809215_rule + - SV-237635r833179_rule - V-237635 - sudo - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege." block: - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Get SELinux Role mappings" - shell: semanage user -l + ansible.builtin.shell: semanage user -l changed_when: false failed_when: false register: rhel_07_020021_sel_role_mappings - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Show SELinux Role mappings" - debug: - msg: "Warning! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings" + ansible.builtin.debug: + msg: "Warning!! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings" when: rhel_07_020021_sel_role_mappings.stdout | length > 0 - - - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Alert that semanage is not installed" - debug: - msg: "Alert! You do not have semanage installed! Please installed the needed packages" + + - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Warning!! that semanage is not installed" + ansible.builtin.debug: + msg: "Warning!! You do not have semanage installed! Please installed the needed packages" when: "'command not found' in rhel_07_020021_sel_role_mappings.stderr" when: - rhel_07_020021 
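Review bot: The "Show SELinux Role mappings" debug in the RHEL-07-020021 hunk says "Below are your SELinux Role mappings", but its `msg` is a single string that never includes `rhel_07_020021_sel_role_mappings.stdout_lines`, so the operator is told to review output that is not printed; make `msg` a list and append `- "{{ rhel_07_020021_sel_role_mappings.stdout_lines }}"`, as the RHEL-07-020023 task below does. The "semanage not installed" branch keys on the literal `command not found` in stderr, which is shell-wording dependent and, being unquoted in a `when:` string, is fragile; `when: rhel_07_020021_sel_role_mappings.rc == 127` is the portable test for a missing binary. The block's tags continue outside the hunk.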
@@ -4640,24 +4674,24 @@ - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" block: - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command | Get sysadm_r sudoers status" - shell: grep -s sysadm_r /etc/sudoers.d/* /etc/sudoers + ansible.builtin.shell: grep -rs sysadm_r /etc/sudoers /etc/sudoers.d/* changed_when: false failed_when: false register: rhel_07_020023_sel_admin_sudo_status - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" - debug: + ansible.builtin.debug: msg: - - "Warning! Below is your sysadm_r settings in your sudoers file." + - "Warning!! Below is your sysadm_r settings in your sudoers file." - "Please review to confirm a designated sudoers admin group or account(s) is not configured to eleveate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Display if entry exists" - "{{ rhel_07_020023_sel_admin_sudo_status.stdout_lines }}" when: rhel_07_020023_sel_admin_sudo_status.stdout | length > 0 - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" - debug: + ansible.builtin.debug: msg: - - "Alert! You do not have sysadm_r configured in your sudoers file(s_" - - "Please configure to designate sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Alert that on entry exists" + - "Warning!! 
You do not have sysadm_r configured in your sudoers file(s_" + - "Please configure to designate sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Warning!! that on entry exists" when: rhel_07_020023_sel_admin_sudo_status.stdout | length == 0 when: - rhel_07_020023 @@ -4667,5 +4701,5 @@ - CCI-002165 - CCI-002235 - SRG-OS-000324-GPOS-00125 - - SV-250314r809217_rule + - SV-250314r861076_rule - V-250314 diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 1b0e3b38..501158cc 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -1,7 +1,27 @@ --- + +- name: "LOW | RHEL-07-010375 | PATCH | The Red Hat Enterprise Linux operating system must restrict access to the kernel message buffer." + ansible.posix.sysctl: + name: kernel.dmesg_restrict + value: '1' + state: present + reload: "{{ rhel7stig_sysctl_reload }}" + sysctl_set: true + ignoreerrors: true + when: + - rhel_07_010375 + tags: + - RHEL-07-010375 + - CAT3 + - CCI-001090 + - SRG-OS-000138-GPOS-00069 + - SV-255927r880791_rule + - V-255927 + - sysctl + - name: "LOW | RHEL-07-020200 | PATCH | The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed." - lineinfile: - dest: /etc/yum.conf + ansible.builtin.lineinfile: + path: /etc/yum.conf regexp: ^#?clean_requirements_on_remove line: clean_requirements_on_remove=1 insertafter: '\[main\]' 
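Review bot: The two advisory messages in the RHEL-07-020023 hunk read inverted relative to the control: the task name says the system must elevate the SELinux context on sudo, yet the "entry exists" message asks the reviewer to confirm the admin group "is not configured to eleveate ... to sysadm_t and sysadm_r", and the "no entry" message says to "configure to designate ... is not configured to elevate", so an operator cannot tell which state is compliant; both also carry typos (`file(s_`, `eleveate`) and a stray `| Warning!! that on entry exists` label left inside the runtime text. Suggested first message: `- "Warning!! Below are the sysadm_r entries found in your sudoers file(s). Please confirm they belong to the designated sudoers administrator group or account(s), which must elevate to role sysadm_r / type sysadm_t (sudoers ROLE=sysadm_r TYPE=sysadm_t) when calling sudo."`. Suggested second message: `- "Warning!! No sysadm_r entry was found in your sudoers file(s). Configure the designated sudoers administrator group or account(s) with ROLE=sysadm_r TYPE=sysadm_t so that sudo elevates the SELinux context."`. The task's block header and tags lie outside the hunk.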
@@ -19,14 +39,14 @@ - name: "LOW | RHEL-07-020300 | The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file." block: - name: "LOW | RHEL-07-020300 | PATCH | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' changed_when: false failed_when: false check_mode: false register: passwd_gid_check - name: "LOW | RHEL-07-020300 | PATCH | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: + ansible.builtin.debug: msg: "WARNING: The following users have non-existent GIDs: {{ passwd_gid_check.stdout_lines | join (', ') }}" changed_when: rhel7stig_audit_complex when: passwd_gid_check.stdout_lines @@ -44,7 +64,7 @@ - passwd - name: "LOW | RHEL-07-021024 | PATCH | The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options." - mount: + ansible.builtin.mount: path: /dev/shm state: mounted src: "{{ dev_shm_mount.device | default('tmpfs') }}" @@ -66,7 +86,7 @@ - mount - name: "LOW | RHEL-07-021310 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)." - debug: + ansible.builtin.debug: msg: "WARNING: /home is not mounted on a separate partition" changed_when: - rhel7stig_audit_complex @@ -87,7 +107,7 @@ - home - name: "LOW | RHEL-07-021320 | PATCH | The Red Hat Enterprise Linux operating system must use a separate file system for /var." - debug: + ansible.builtin.debug: msg: "WARNING: /var is not mounted on a separate partition" changed_when: - rhel7stig_audit_complex 
@@ -108,7 +128,7 @@ - var - name: "LOW | RHEL-07-021330 | PATCH | The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path." - debug: + ansible.builtin.debug: msg: "WARNING: /var/log/audit is not mounted on a separate partition" changed_when: rhel7stig_audit_complex when: @@ -128,11 +148,11 @@ - auditd - name: "LOW | RHEL-07-021340 | PATCH | The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent)." - systemd: + ansible.builtin.systemd: name: tmp.mount daemon_reload: "{{ rhel7stig_systemd_daemon_reload }}" - enabled: yes - masked: no + enabled: true + masked: false state: "{{ rhel7stig_service_started }}" when: - rhel_07_021340 @@ -150,7 +170,7 @@ - name: | "LOW | RHEL-07-021600 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)." "LOW | RHEL-07-021610 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes." - template: + ansible.builtin.template: src: aide.conf.j2 dest: /etc/aide.conf owner: root @@ -164,22 +184,22 @@ - RHEL-07-021600 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204498r603261_rule + - SV-204498r880856_rule - V-204498 - RHEL-07-021610 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204499r603261_rule + - SV-204499r880858_rule - V-204499 - aide - name: "LOW | RHEL-07-040000 | PATCH | The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types." - lineinfile: - state: present - dest: /etc/security/limits.conf - insertbefore: '^# End of file' + ansible.builtin.lineinfile: + path: /etc/security/limits.conf regexp: '^\*.*maxlogins' line: '* hard maxlogins {{ rhel7stig_maxlogins }}' + insertbefore: '^# End of file' + state: present when: - rhel_07_040000 tags: 
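Review bot: The RHEL-07-040000 task in this hunk only edits /etc/security/limits.conf, while pam_limits also reads /etc/security/limits.d/*.conf, so a `* hard maxlogins` or `@group hard maxlogins` line in a drop-in can override the value this task writes and the host still fails the check. Add a companion `ansible.builtin.find` over `/etc/security/limits.d` with `contains: 'maxlogins'` and remove or rewrite the offending lines, or at least warn about them. `regexp: '^\*.*maxlogins'` also rewrites an existing `* soft maxlogins` entry into the hard limit, which is probably intended but deserves a comment such as `# collapse any wildcard soft/hard maxlogins entry into the STIG hard limit`. The task's tags continue outside the hunk.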
@@ -192,8 +212,8 @@ - name: "LOW | RHEL-07-040530 | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon." block: - - name: "LOW | RHEL-07-040530 | Update pam_lastlog control to satisfy benchmark." - pamd: + - name: "LOW | RHEL-07-040530 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon | Update pam_lastlog control to satisfy benchmark." + community.general.pamd: name: postlogin type: session control: "{{ old_control }}" @@ -201,8 +221,8 @@ module_path: pam_lastlog.so state: updated - - name: "LOW | RHEL-07-040530 | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon." - pamd: + - name: "LOW | RHEL-07-040530 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon | Update pam_lastlog when line absent." + community.general.pamd: name: postlogin state: args_absent type: session @@ -213,8 +233,8 @@ - '[default=1]' - "{{ default_control }}" - - name: "MEDIUM | RHEL-07-010270 | PATCH | Remove old remediation" - blockinfile: + - name: "LOW | RHEL-07-040530 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon | Remove old remediation." + ansible.builtin.blockinfile: state: absent path: /etc/pam.d/postlogin insertafter: '^# User changes will be destroyed' @@ -229,9 +249,9 @@ tags: - RHEL-07-040530 - CAT3 - - CCI-000366 + - CCI-000052 - SRG-OS-000480-GPOS-00227 - - SV-204605r603261_rule + - SV-204605r858478_rule - V-204605 # NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service. 
@@ -239,7 +259,7 @@ block: # Audit the /etc/nsswitch.conf config - name: "LOW | RHEL-07-040600 | AUDIT | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - shell: grep "dns" /etc/nsswitch.conf | grep -v "#" + ansible.builtin.shell: grep "dns" /etc/nsswitch.conf | grep -v "#" changed_when: false failed_when: false check_mode: false @@ -247,7 +267,7 @@ # Determine if networkmanager is setting /etc/resolv.conf - name: "LOW | RHEL-07-040600 | AUDIT | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - command: grep "# Generated by NetworkManager" /etc/resolv.conf + ansible.builtin.shell: grep "# Generated by NetworkManager" /etc/resolv.conf changed_when: false failed_when: false check_mode: false @@ -255,7 +275,7 @@ # Determine number of nameserver lines in /etc/resolv.conf - name: "LOW | RHEL-07-040600 | AUDIT | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l + ansible.builtin.shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l changed_when: false failed_when: false check_mode: false 
@@ -263,13 +283,13 @@ # Change resolv.conf if dns is not present in nsswitch.conf - name: "LOW | RHEL-07-040600 | PATCH | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf + ansible.builtin.shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf when: - "'dns' not in rhel_07_040600_nsswitch_check.stdout" # Set resolv.conf if dns is set in nsswitch.conf - name: "LOW | RHEL-07-040600 | PATCH | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - lineinfile: - dest: /etc/resolv.conf + ansible.builtin.lineinfile: + path: /etc/resolv.conf regexp: '^nameserver {{ item }}' line: nameserver {{ item }} insertafter: '^search' @@ -281,7 +301,7 @@ # If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp. - name: "LOW | RHEL-07-040600 | PATCH | For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured." - debug: + ansible.builtin.debug: msg: "The file /etc/resolv.conf is managed by network manager and shows less than two DNS servers configured. Please correct this in your DHCP configurations." changed_when: true when: diff --git a/tasks/main.yml b/tasks/main.yml index d2718edb..fe187585 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Gather distribution info - setup: + ansible.builtin.setup: gather_subset: distribution,!all,!min when: - ansible_distribution is not defined 
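Review bot: The `echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf` task in the RHEL-07-040600 hunk is not idempotent: on the second run the file is already immutable, the redirect fails, the `&&` chain returns non-zero and the play aborts, and with no `changed_when` the first run reports a change on every pass as well. Replace it with `ansible.builtin.copy` (`content: ''`) followed by `ansible.builtin.file` with `attributes: i`, which report change only when something actually changes, or at minimum add `failed_when`/`changed_when` that inspect the current immutable flag via `ansible.builtin.stat`. Blanking resolv.conf and pinning it immutable also kills name resolution for every consumer on the host whenever the audit misses `dns` (the earlier `grep "dns" /etc/nsswitch.conf | grep -v "#"` drops a valid `hosts: files dns  # comment` line), so this deserves a `disruption-high` tag and a variable gate. The lineinfile that follows continues outside the hunk.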
@@ -8,21 +8,42 @@ - always - name: Check OS version and family - assert: + ansible.builtin.assert: that: ansible_os_family == 'RedHat' and ansible_distribution_major_version is version_compare('7', '==') msg: "This role can only be run against RHEL/CENTOS 7. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." tags: - always - name: Check ansible version - assert: + ansible.builtin.assert: that: ansible_version.full is version_compare(rhel7stig_min_ansible_version, '>=') msg: You must use Ansible {{ rhel7stig_min_ansible_version }} or greater tags: - always +- name: "Check password set for {{ ansible_user }}" + block: + - name: Capture current password state of "{{ ansible_user }}" + ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: ansible_user_password_set + + - name: "Assert that password set for {{ ansible_user }} and account not locked" + ansible.builtin.assert: + that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_user }}" + vars: + sudo_password_rule: RHEL-07-010340 + when: + - rhel_07_010340 + tags: + - user_passwd + - name: FIPS turned on - set_fact: + ansible.builtin.set_fact: fips_value: '1' when: - rhel7stig_use_fips 
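Review bot: The new `Check password set for {{ ansible_user }}` block greps /etc/shadow with an unanchored, unquoted `grep {{ ansible_user }}`, so a user name that is a prefix or substring of another (`ansible` vs `ansible2`) returns several hash fields and the assertion compares the wrong account, and a locked account whose hash is prefixed with `!` or `*` (e.g. `!$6$...`) passes the `!= "!!"` test even though sudo will fail for it once RHEL-07-010340 is applied. Anchor the match and test the prefix: `ansible.builtin.shell: "grep '^{{ ansible_user }}:' /etc/shadow | awk -F: '{print $2}'"` and `that: ansible_user_password_set.stdout | length > 0 and ansible_user_password_set.stdout is not match('[!*]')`. `ansible_user` is undefined for local connections or when the login user comes from ssh config, which would fail the shell template before `when:` helps; add `- ansible_user is defined` to the block's `when:` (or resolve the user another way) and fix the `success_msg` typo to `"A password is set for {{ ansible_user }}"`.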
@@ -30,9 +51,9 @@ - RHEL-07-021350 - name: Check rhel7stig_bootloader_password_hash variable has been changed - assert: + ansible.builtin.assert: that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set" + msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" when: - rhel_07_010481 or rhel_07_010482 or 
@@ -45,72 +66,75 @@ - RHEL-07-010491 - cat1 -- import_tasks: prelim.yml - become: yes +- name: include prelim tasks + ansible.builtin.import_tasks: prelim.yml tags: - prelim_tasks - run_audit -- import_tasks: pre_remediation_audit.yml +- name: include pre-remediation audit + ansible.builtin.import_tasks: pre_remediation_audit.yml when: - run_audit tags: - run_audit - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: Include CAT I patches - import_tasks: fix-cat1.yml + ansible.builtin.import_tasks: fix-cat1.yml when: rhel7stig_cat1_patch tags: - cat1 - high - name: Include CAT II patches - import_tasks: fix-cat2.yml + ansible.builtin.import_tasks: fix-cat2.yml when: rhel7stig_cat2_patch tags: - cat2 - medium - name: Include CAT III patches - import_tasks: fix-cat3.yml + ansible.builtin.import_tasks: fix-cat3.yml when: rhel7stig_cat3_patch tags: - cat3 - low -- name: trigger update auditd - shell: /bin/true - args: - warn: false - notify: update auditd - changed_when: true - check_mode: false - tags: - - auditd +- name: update auditd + ansible.builtin.template: + src: audit/99_auditd.rules.j2 + dest: /etc/audit/rules.d/99_auditd.rules + owner: root + group: root + mode: 0600 + register: auditd_file + notify: restart auditd + when: + - update_audit_template - name: flush handlers - meta: flush_handlers + ansible.builtin.meta: flush_handlers - name: Reboot system - reboot: + ansible.builtin.reboot: when: - not rhel7stig_skip_reboot -- import_tasks: post_remediation_audit.yml +- name: include post-remediation audit + ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit - name: Show Audit Summary - debug: + ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" when: - run_audit tags: - run_audit - diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index d27e2d6d..4df03de1 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml 
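Review bot: The new `update auditd` task renders rules to `/etc/audit/rules.d/99_auditd.rules` and notifies `restart auditd`, but on RHEL 7 auditd refuses `systemctl restart` (its unit sets RefuseManualStop), so if that handler — not shown in this diff — uses `ansible.builtin.systemd` or `ansible.builtin.service` with `state: restarted`, the handler errors and the new rules never load; verify it runs `/sbin/service auditd restart` or `augenrules --load` instead. `mode: 0600` is an unquoted octal and should be `mode: '0600'`, and `register: auditd_file` is not used in the visible lines. The `become: yes` that the old `import_tasks: prelim.yml` carried is gone; if the play itself does not set `become: true`, prelim tasks now run unprivileged, so confirm that is intended or restore it on the new `include prelim tasks` entry. `update_audit_template` and `rhel7stig_skip_reboot` are assumed to be defined in the role defaults, which this diff does not show.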
@@ -2,13 +2,13 @@ - name: "PRELIM | {{ rhel7stig_passwd_tasks }} | Parse /etc/passwd" block: - name: "PRELIM | {{ rhel7stig_passwd_tasks }} | Parse /etc/passwd" - command: cat /etc/passwd + ansible.builtin.shell: cat /etc/passwd changed_when: false check_mode: false register: rhel7stig_passwd_file_audit - name: "PRELIM | {{ rhel7stig_passwd_tasks }} | Split passwd entries" - set_fact: + ansible.builtin.set_fact: rhel7stig_passwd: "{{ rhel7stig_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel7stig_passwd_file_audit.stdout_lines }}" diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index d01d4e4e..e31be2ff 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,12 +1,15 @@ --- - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + environment: "{{ audit_run_script_environment | default({}) }}" + changed_when: false + register: audit_run_post_remediation vars: warn: false - name: Post Audit | ensure audit files readable by users - file: + ansible.builtin.file: path: "{{ item }}" mode: 0644 state: file 
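Review bot: `command: cat /etc/passwd` is replaced with `ansible.builtin.shell`, which routes a shell-free command through `/bin/sh` for no gain; the FQCN of the original module is `ansible.builtin.command`, and ansible-lint's command-instead-of-shell rule will flag the new form. The same substitution is made in the post_remediation_audit.yml, pre_remediation_audit.yml and prelim.yml hunks below, several of which interpolate variables or registered output into the line (`cat {{ post_audit_outfile }}`, `df --output=target {{ rhel_07_audit_log_file.stdout }}`); under `shell` those values are subject to word splitting and metacharacter interpretation, whereas `command` passes them as literal arguments. Keep `ansible.builtin.shell` only where a pipeline or redirection is actually used. For this task `ansible.builtin.slurp` on `/etc/passwd` would avoid spawning a process at all, but `ansible.builtin.command: cat /etc/passwd` is the minimal fix.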
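Review bot: `vars: warn: false` on the post-remediation audit run is kept even though the pre-remediation counterpart in this commit drops it; `warn` on command/shell is deprecated in recent ansible-core and removed in 2.14, so it is dead weight that will eventually fail argument validation. `mode: 0644` on the `ensure audit files readable by users` task is an unquoted octal and should be `mode: '0644'`. `register: audit_run_post_remediation` is not consumed in this hunk; if nothing downstream reads it, drop it, and note that with `changed_when: false` and no `failed_when` a non-zero exit from run_audit.sh still fails the play, which is probably intended but worth a one-line comment.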
@@ -16,14 +19,14 @@ - name: Post Audit | Capture audit data if json format block: - - name: "capture data {{ post_audit_outfile }}" - command: "cat {{ post_audit_outfile }}" + - name: "Post Audit | capture data {{ post_audit_outfile }} | JSON format" + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Capture post-audit result - set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json |json_query(summary) }}" + - name: PostAudit | Capture post-audit result | JSON format + ansible.builtin.set_fact: + post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' when: @@ -31,13 +34,13 @@ - name: Post Audit | Capture audit data if documentation format block: - - name: "Post Audit | capture data {{ post_audit_outfile }}" - command: "tail -2 {{ post_audit_outfile }}" + - name: "Post Audit | capture data {{ post_audit_outfile }} | documentation format" + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Post Audit | Capture post-audit result - set_fact: + - name: Post Audit | Capture post-audit result | documentation format + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 45f42c11..e8e1daba 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
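Review bot: The renamed task `PostAudit | Capture post-audit result | JSON format` breaks the `Post Audit | ...` prefix every other task in this file uses; rename it to `Post Audit | Capture post-audit result | JSON format`. `ansible.builtin.shell: "cat {{ post_audit_outfile }}"` only reads a file, so `ansible.builtin.command` (or `ansible.builtin.slurp` with `b64decode`) is the safer module for an interpolated path.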
@@ -1,111 +1,115 @@ --- - name: Audit Binary Setup | Setup the LE audit - include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: LE_audit_setup.yml when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit - name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" - file: - path: "{{ audit_conf_dir }}" - state: directory - mode: '0755' + ansible.builtin.file: + path: "{{ audit_conf_dir }}" + state: directory + mode: '0755' - name: Pre Audit Setup | If using git for content set up block: - - name: Pre Audit Setup | Install git (rh8 python3) - package: - name: git - state: present - when: ansible_distribution_major_version == '8' - - - name: Pre Audit Setup | Install git (rh7 python2) - package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' + - name: Pre Audit Setup | Install git (rh8 python3) + ansible.builtin.package: + name: git + state: present + when: ansible_distribution_major_version == '8' - - name: Pre Audit Setup | retrieve audit content files from git - git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + - name: Pre Audit Setup | Install git (rh7 python2) + ansible.builtin.package: + name: git + state: present + vars: + ansible_python_interpreter: "{{ python2_bin }}" + when: ansible_distribution_major_version == '7' + + - name: Pre Audit Setup | retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - - audit_content == 'git' + - audit_content == 'git' - name: Pre Audit Setup | copy to audit content files to server - copy: - src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + ansible.builtin.copy: + src: "{{ audit_local_copy }}" + dest: "{{ audit_conf_dir }}" + mode: 0644 when: - - audit_content == 'copy' + - audit_content == 'copy' - name: Pre 
Audit Setup | get audit content from url - get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + ansible.builtin.get_url: + url: "{{ audit_files_url }}" + dest: "{{ audit_conf_dir }}" + owner: root + group: root + mode: 0755 when: - - audit_content == 'get_url' + - audit_content == 'get_url' - name: Pre Audit Setup | Check Goss is available block: - - name: Pre Audit Setup | Check for goss file - stat: - path: "{{ audit_bin }}" - register: goss_available - - - name: Pre Audit Setup | If audit ensure goss is available - assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists + - name: Pre Audit Setup | Check for goss file + ansible.builtin.stat: + path: "{{ audit_bin }}" + register: goss_available + + - name: Pre Audit Setup | If audit ensure goss is available + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + when: + - not goss_available.stat.exists when: - - run_audit + - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit - template: - src: ansible_vars_goss.yml.j2 - dest: "{{ audit_vars_path }}" - mode: 0600 + ansible.builtin.template: + src: ansible_vars_goss.yml.j2 + dest: "{{ audit_vars_path }}" + mode: 0600 when: - - run_audit + - run_audit tags: - - goss_template - + - goss_template + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - vars: - warn: false + ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + environment: "{{ audit_run_script_environment | default({}) }}" + changed_when: audit_run_pre_remediation.rc == 0 + register: audit_run_pre_remediation - name: Pre Audit | Capture audit data if json format block: - - name: "capture data {{ pre_audit_outfile }}" - 
command: "cat {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false - - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" - vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + - name: "capture data {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false + + - name: Pre Audit | Capture pre-audit result + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" + vars: + summary: 'summary."summary-line"' + when: + - audit_format == "json" - name: Pre Audit | Capture audit data if documentation format block: - - name: "capture data {{ pre_audit_outfile }}" - command: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: "capture data {{ pre_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" - when: - - audit_format == "documentation" + - name: Pre Audit | Capture pre-audit result + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" + when: + - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f0c1635f..a733c03b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,7 +1,7 @@ --- -- name: "PREREQ | Check required packages installed | Python2" - package: +- name: "PRELIM | Check required packages installed | Python2" + ansible.builtin.package: list: "{{ item }}" state: present loop: 
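Review bot: The `If audit ensure goss is available` task calls `ansible.builtin.assert` with only `msg:`; `that:` is a required argument, so when the goss binary is missing the task fails with a "missing required arguments" error instead of the intended message — replace the `when` with `that: goss_available.stat.exists`. The new `get_url` download of audit content sets `mode: 0755` (unquoted octal) but no `checksum:`, so whatever is served at `audit_files_url` is accepted and made executable; pin it with `checksum: "sha256:<expected-digest>"` (placeholder) and write `mode: '0755'`. `changed_when: audit_run_pre_remediation.rc == 0` reports a change on every successful run, while the post-remediation audit in this commit uses `changed_when: false`; the two should agree. The hunk ends at the documentation-format block, so later tasks in this file were not reviewed.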
@@ -11,26 +11,26 @@ ansible_python_interpreter: "{{ python2_bin }}" when: ansible_python.version.major == 2 -- name: "PREREQ | Add the required packages | Python 3" +- name: "PRELIM | Add the required packages | Python 3" block: - name: Check if python36-rpm package installed - command: rpm -q python36-rpm + ansible.builtin.shell: rpm -q python36-rpm failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) changed_when: false register: python36_rpm_present args: warn: false - - name: Add the EPEL repository required for the python36-rpm pkg - package: + - name: "PRELIM | Add the EPEL repository required for the python36-rpm pkg" + ansible.builtin.package: name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm state: present register: epel_installed when: - python36_rpm_present.rc != '0' - - name: "PREREQ | Check required packages installed | Python3 " - package: + - name: "PRELIM | Check required packages installed | Python3 " + ansible.builtin.package: name: "{{ item }}" state: present register: python3reqs_installed @@ -38,8 +38,8 @@ - python36-rpm - libselinux-python3 - - name: Disable Epel repo if installed earlier - command: yum-config-manager disable epel + - name: "PRELIM | Disable Epel repo if installed earlier" + ansible.builtin.shell: yum-config-manager disable epel when: epel_installed.changed when: - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) @@ -49,14 +49,14 @@ - name: "PRELIM | dconf" block: - name: "PRELIM | Check for dconf availability" - command: rpm -q dconf + ansible.builtin.shell: rpm -q dconf changed_when: false failed_when: rhel7stig_dconf_audit.rc >= 2 check_mode: false register: rhel7stig_dconf_audit - name: "PRELIM | Install dconf" - package: + ansible.builtin.package: name: dconf vars: ansible_python_interpreter: "{{ python2_bin }}" 
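Review bot: `when: - python36_rpm_present.rc != '0'` compares the integer return code with the string `'0'`, which is always true in Jinja, so the EPEL release RPM is installed on every run regardless of whether python36-rpm is present; change it to `python36_rpm_present.rc != 0`. The `Disable Epel repo if installed earlier` task in the next hunk runs `yum-config-manager disable epel`, but yum-config-manager takes `--disable` as an option and treats bare words as section names, so the repository is never disabled; write `yum-config-manager --disable epel`. Together these leave EPEL enabled on hosts that did not need it. `args: warn: false` on the rpm query can also go, since `warn` is removed from command/shell in ansible-core 2.14.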
@@ -65,7 +65,7 @@ - rhel7stig_gui - name: dconf directory structure - file: + ansible.builtin.file: path: /etc/dconf/db/local.d/locks state: directory mode: '0755' @@ -98,8 +98,8 @@ - RHEL-07-010110 - RHEL-07-020230 -- name: "MEDIUM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | AUDIT | Find ini files for interactive users." - shell: find "{{ item }}" -maxdepth 1 -type f | awk -F"/" '$NF ~ /^\..*$/ {print $NF}' | grep -v history +- name: "PRELIM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | AUDIT | Find ini files for interactive users." + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | awk -F"/" '$NF ~ /^\..*$/ {print $NF}' | grep -v history changed_when: false failed_when: false register: rhel_07_020710_ini_file_list @@ -117,8 +117,8 @@ - RHEL-07-020730 - complexity-high -- name: "MEDIUM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | Set fact for home directory paths for interactive users" - set_fact: +- name: "PRELIM | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | Set fact for home directory paths for interactive users" + ansible.builtin.set_fact: rhel_07_stig_interactive_homedir_inifiles: "{{ rhel_07_020710_ini_file_list.results | map(attribute='stdout_lines') | list }}" when: - rhel_07_stig_interactive_homedir_results is defined @@ -134,7 +134,7 @@ - complexity-high - name: "PRELIM | Find all sudoers files." - command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false @@ -149,7 +149,7 @@ - RHEL-07-010350 - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | Install grub2-tools." - package: + ansible.builtin.package: name: grub2-tools vars: ansible_python_interpreter: "{{ python2_bin }}" 
@@ -169,7 +169,7 @@ - RHEL-07-021350 - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | RHEL-07-021700 | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel_07_sys_firmware_efi when: @@ -192,7 +192,7 @@ - RHEL-07-021700 - name: "PRELIM | Gather chroot status" - setup: + ansible.builtin.setup: gather_subset: chroot,!all,!min filter: ansible_is_chroot when: @@ -202,7 +202,7 @@ - always - name: "PRELIM | Gather mount information" - setup: + ansible.builtin.setup: gather_subset: hardware,!all,!min filter: ansible_mounts when: @@ -210,8 +210,8 @@ tags: - always -- name: ensure cronie is available - package: +- name: "PRELIM | ensure cronie is available" + ansible.builtin.package: name: cronie vars: ansible_python_interpreter: "{{ python2_bin }}" @@ -226,7 +226,7 @@ - RHEL-07-020040 - name: "PRELIM | RHEL-07-020600 | RHEL-07-020620 | RHEL-07-020630 | RHEL-07-020640 | RHEL-07-020650 | RHEL-07-020660 | RHEL-07-020690 | Parse /etc/passwd" - include_tasks: parse_etc_passwd.yml + ansible.builtin.include_tasks: parse_etc_passwd.yml vars: rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" when: 
@@ -258,7 +258,7 @@ # NOTE: You will need to adjust the UID range in parenthases below. # ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. - name: "PRELIM | RHEL-07-020680 | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | Gather local interactive user directories" - shell: "getent passwd { {{ rhel7stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" + ansible.builtin.shell: "getent passwd { {{ rhel7stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" # rhel_07_020680_getent.stdout_lines is defined changed_when: false failed_when: false @@ -271,7 +271,7 @@ - complexity-high - name: "PRELIM | RHEL-07-020680 | RHEL-07-020710 | RHEL-07-020720 | RHEL-07-020730 | Set fact for home directory paths for interactive users" - set_fact: + ansible.builtin.set_fact: rhel_07_stig_interactive_homedir_results: "{{ rhel_07_020680_getent.stdout_lines }}" when: - rhel_07_020680_getent.stdout_lines is defined @@ -283,7 +283,7 @@ - complexity-high - name: "PRELIM | RHEL-07-021100 | RHEL-07-031000 | RHEL-07-031010 | Ensure rsyslog is installed when required." - package: + ansible.builtin.package: name: rsyslog vars: ansible_python_interpreter: "{{ python2_bin }}" @@ -299,7 +299,7 @@ - RHEL-07-031010 - name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions" - shell: df --output=target /boot | tail -n 1 + ansible.builtin.shell: df --output=target /boot | tail -n 1 changed_when: false check_mode: false register: rhel_07_boot_part @@ -311,7 +311,7 @@ - RHEL-07-021350 - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin." - package: + ansible.builtin.package: name: audispd-plugins vars: ansible_python_interpreter: "{{ python2_bin }}" 
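Review bot: `getent passwd { {{ rhel7stig_int_gid }}..65535}` renders with a space after the opening brace, and the shell tokenises `{` as a word of its own, so brace expansion most likely never happens and getent receives the literal keys `{` and `1000..65535}` (constructed example); with `failed_when: false` the lookup error is hidden and the interactive-user home list comes back empty, silently skipping the RHEL-07-0207xx checks. Please verify on a target; if confirmed, emit the brace through Jinja, `getent passwd {{ '{' }}{{ rhel7stig_int_gid }}..65535} | cut -d: -f6 ...`. The variable is named `rhel7stig_int_gid` but the comment above and the getent call use it as a UID range boundary; a rename or a clarifying comment would help the next reader.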
@@ -332,13 +332,13 @@ - name: "PRELIM | RHEL-07-030330 | Determine audit log partition." block: - name: "PRELIM | RHEL-07-030330 | Find audit.log location" - command: grep -oP '^log_file\s*=\s*\K.*?(?=\s*$)' /etc/audit/auditd.conf + ansible.builtin.shell: grep -oP '^log_file\s*=\s*\K.*?(?=\s*$)' /etc/audit/auditd.conf changed_when: false check_mode: false register: rhel_07_audit_log_file - name: "PRELIM | RHEL-07-030330 | Find partition holding audit.log" - shell: df --output=target {{ rhel_07_audit_log_file.stdout }} | tail -n 1 + ansible.builtin.shell: df --output=target {{ rhel_07_audit_log_file.stdout }} | tail -n 1 changed_when: false check_mode: false register: rhel_07_audit_part @@ -353,7 +353,7 @@ - name: "PRELIM | RHEL-07-020030 | RHEL-07-020040 | RHEL-07-021600 | RHEL-07-021610 RHEL-07-021620 | Install and initialize AIDE" block: - name: "PRELIM | RHEL-07-020030 | RHEL-07-020040 | RHEL-07-021600 | RHEL-07-021610 | RHEL-07-021620 | Install AIDE" - package: + ansible.builtin.package: name: aide state: present vars: @@ -361,7 +361,7 @@ notify: "{{ rhel7stig_aide_handler }}" - name: "PRELIM | RHEL-07-020030 | RHEL-07-020040 | RHEL-07-021600 | RHEL-07-021610 | RHEL-07-021620 | Check for existing AIDE database" - stat: + ansible.builtin.stat: path: "{{ rhel7stig_aide_db_file }}" changed_when: not rhel7stig_aide_db_status.stat.exists check_mode: false @@ -385,7 +385,7 @@ - RHEL-07-021620 - name: "PRELIM | RHEL-07-020210 | RHEL-07-020220 | Install SELinux related dependencies" - package: + ansible.builtin.package: name: - libselinux-python - policycoreutils-python 
@@ -400,82 +400,82 @@ - name: "PRELIM | Bare bones SSH Server" block: - name: "PRELIM | Install SSH" - package: + ansible.builtin.package: name: openssh-server vars: ansible_python_interpreter: "{{ python2_bin }}" - name: PRELIM | Start SSH - service: + ansible.builtin.service: name: sshd state: "{{ rhel7stig_service_started }}" - enabled: yes + enabled: true - name: PRELIM | check if ssh host key exists - stat: + ansible.builtin.stat: path: /etc/ssh/ssh_host_rsa_key register: rhel7stig_ssh_host_rsa_key_stat - name: PRELIM | create ssh host key to allow 'sshd -t -f %s' to succeed - command: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 + ansible.builtin.shell: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 notify: clean up ssh host key when: not rhel7stig_ssh_host_rsa_key_stat.stat.exists when: -rhel7stig_ssh_required - name: "PRELIM | Check whether machine is UEFI-based" - stat: - path: /sys/firmware/efi + ansible.builtin.stat: + path: /sys/firmware/efi register: rhel7_efi_boot tags: - - goss_template + - goss_template - name: set bootloader type block: - - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" - set_fact: - rhel7stig_bootloader_path: /boot/efi/EFI/redhat - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path - - - name: "PRELIM | set fact if UEFI boot | CentOS " - set_fact: - rhel7stig_bootloader_path: /boot/efi/EFI/centos - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution == 'CentOS' - - - name: "PRELIM | set if not UEFI boot" - set_fact: - rhel7stig_bootloader_path: /boot/grub2/ - rhel7stig_legacy_boot: true - when: not rhel7_efi_boot.stat.exists - - - name: PRELIM | output bootloader and efi state - debug: - msg: - - "bootloader path set to {{ rhel7stig_bootloader_path }}" - - "legacy boot equals {{ rhel7stig_legacy_boot }}" + - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" + 
ansible.builtin.set_fact: + rhel7stig_bootloader_path: /boot/efi/EFI/redhat + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path + + - name: "PRELIM | set fact if UEFI boot | CentOS " + ansible.builtin.set_fact: + rhel7stig_bootloader_path: /boot/efi/EFI/centos + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution == 'CentOS' + + - name: "PRELIM | set if not UEFI boot" + ansible.builtin.set_fact: + rhel7stig_bootloader_path: /boot/grub2/ + rhel7stig_legacy_boot: true + when: not rhel7_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + ansible.builtin.debug: + msg: + - "bootloader path set to {{ rhel7stig_bootloader_path }}" + - "legacy boot equals {{ rhel7stig_legacy_boot }}" - name: "PRELIM | Gather interactive user ID min" block: - name: "PRELIM | Gather interactive user ID min" - shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' changed_when: false failed_when: false register: rhel7stig_min_uid - name: "PRELIM | Gather interactive user ID max" - shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' changed_when: false failed_when: false register: rhel7stig_max_uid - name: "PRELIM | Setting the fact" - set_fact: + ansible.builtin.set_fact: rhel7stig_interactive_uid_start: "{{ rhel7stig_min_uid.stdout }}" rhel7stig_interactive_uid_stop: "{{ rhel7stig_max_uid.stdout }}" tags: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index c62c7b86..555c3dbd 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
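Review bot: The `Gather interactive user ID min/max` tasks run with `failed_when: false`, but the following `set_fact` stores `rhel7stig_min_uid.stdout` unguarded, and the same `.stdout` is interpolated into `-F auid>=` in `99_auditd.rules.j2` elsewhere in this commit; an empty result therefore yields facts of `""` and audit rules with a bare `auid>=` that auditd is unlikely to accept. Either drop `failed_when: false` on those two tasks or assert that both stdout values are non-empty before the set_fact. The `when:` closing the SSH block renders here as `-rhel7stig_ssh_required` with no space after the dash; if the file really reads that way it is a scalar evaluated as unary minus rather than a list item, so confirm it is `- rhel7stig_ssh_required`. Minor: `rhel7stig_bootloader_path` gets a trailing slash in the legacy branch (`/boot/grub2/`) but not in the UEFI branches, which any path-joining consumer will notice.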
@@ -74,6 +74,7 @@ RHEL_07_010160: {{ rhel_07_010160 }} RHEL_07_010170: {{ rhel_07_010170 }} RHEL_07_010180: {{ rhel_07_010180 }} RHEL_07_010190: {{ rhel_07_010190 }} +RHEL_07_010199: {{ rhel_07_010199 }} RHEL_07_010200: {{ rhel_07_010200 }} RHEL_07_010210: {{ rhel_07_010210 }} RHEL_07_010220: {{ rhel_07_010220 }} @@ -82,6 +83,7 @@ RHEL_07_010240: {{ rhel_07_010240 }} RHEL_07_010250: {{ rhel_07_010250 }} RHEL_07_010260: {{ rhel_07_010260 }} RHEL_07_010270: {{ rhel_07_010270 }} +RHEL_07_010271: {{ rhel_07_010271 }} RHEL_07_010280: {{ rhel_07_010280 }} RHEL_07_010310: {{ rhel_07_010310 }} RHEL_07_010320: {{ rhel_07_010320 }} @@ -152,6 +154,7 @@ RHEL_07_030201: {{ rhel_07_030201 }} RHEL_07_030210: {{ rhel_07_030210 }} RHEL_07_030211: {{ rhel_07_030211 }} # if you set 030300 to 'true' ensure you define rhel7stig_audisp_remote_server +RHEL_07_010375: {{ rhel_07_010375 }} RHEL_07_030300: {{ rhel_07_030300 }} RHEL_07_030310: {{ rhel_07_030310 }} RHEL_07_030320: {{ rhel_07_030320 }} @@ -244,6 +247,7 @@ RHEL_07_040670: {{ rhel_07_040670 }} RHEL_07_040680: {{ rhel_07_040680 }} RHEL_07_040710: {{ rhel_07_040710 }} RHEL_07_040711: {{ rhel_07_040711 }} +RHEL_07_040712: {{ rhel_07_040712 }} RHEL_07_040720: {{ rhel_07_040720 }} RHEL_07_040730: {{ rhel_07_040730 }} RHEL_07_040740: {{ rhel_07_040740 }} @@ -259,6 +263,7 @@ RHEL_07_910055: {{ rhel_07_910055 }} ## Cat III +RHEL_07_010375: {{ rhel_07_010375 }} RHEL_07_020200: {{ rhel_07_020200 }} RHEL_07_020300: {{ rhel_07_020300 }} RHEL_07_021024: {{ rhel_07_021024 }} @@ -339,6 +344,7 @@ rhel7stig_aide_cron: # Disable the notification check rule to disable mailing notifications notify_by_mail: {{ rhel_07_020040 }} notify_cmd: ' {{ rhel7stig_aide_cron.notify_cmd }}' +rhel7stig_notify_cmd: ' {{ rhel7stig_aide_cron.notify_cmd }}' rhel7stig_unnecessary_accounts: - gopher 
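Review bot: `RHEL_07_010375: {{ rhel_07_010375 }}` is added twice in this file — here, between the audisp comment and `RHEL_07_030300`, and again under `## Cat III` in the hunk at old line 259; the rendered YAML then contains a duplicate key, which most loaders resolve silently to the last value and yamllint rejects. Keep only the Cat III entry, which also puts the comment about `rhel7stig_audisp_remote_server` back directly above `RHEL_07_030300`. `rhel7stig_notify_cmd: ' {{ rhel7stig_aide_cron.notify_cmd }}'` copies the leading space inside the quotes from the line above; if that space is not deliberate, drop it.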
@@ -385,6 +391,7 @@ rhel7stig_firewalld_services: #SSH settings rhel7stig_ssh_ciphers: {{ rhel7stig_ssh_ciphers }} rhel7stig_ssh_MACs: {{ rhel7stig_ssh_macs }} +rhel7stig_ssh_kex: {{ rhel7stig_ssh_kex }} # RHEL_07_040160 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) @@ -394,8 +401,13 @@ rhel7stig_shell_session_timeout: # RHEL_07_040180 # Whether the system should be using LDAP for authentication rhel7stig_auth_settings: +{% if rhel7stig_complex %} use_ldap: {{ rhel7stig_auth_settings.use_ldap }} use_sssd: {{ rhel7stig_auth_settings.use_sssd }} +{% else %} + use_ldap: false + use_sssd: false +{% endif %} # RHEL-07-040740 rhel7stig_system_is_router: {{ rhel7stig_system_is_router }} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 5ea1a464..2b730902 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -140,7 +140,7 @@ {% endif %} {% if rhel_07_030840 %} --w /usr/bin/kmod -p x -F auid!=unset -k module-change +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules {% endif %} {% if rhel_07_030870 %} @@ -166,4 +166,4 @@ {% if rhel_07_030910 %} -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete -{% endif %} \ No newline at end of file +{% endif %} diff --git a/vars/main.yml b/vars/main.yml index 516b97c2..7dd1e3de 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,5 @@ --- -rhel7stig_min_ansible_version: 2.9 +rhel7stig_min_ansible_version: 2.10.0 rhel7stig_dconf_available: "{{ rhel7stig_gui or rhel7stig_dconf_audit.rc == 0 or rhel7stig_always_configure_dconf }}"
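Review bot: The rewritten RHEL-07-030840 rule hard-codes `-F auid>=1000`, while the delete rules in the following hunk take the threshold from `{{ rhel7stig_min_uid.stdout }}`; use the same expression, `-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel7stig_min_uid.stdout }} -F auid!=unset -k modules`, so a non-default UID_MIN does not leave kmod executions by low-numbered interactive users unaudited. The key also changes from `module-change` to `modules`; if any audit search or goss test keys on the old name, it needs updating too.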