diff --git a/tasks/main.yml b/tasks/main.yml index 146def4..6ba8188 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,485 +1,166 @@ -- name: Security patches are up to date - package: - name: '*' - state: latest - tags: - - security_patches_up_to_date - - high_severity - - patch_strategy - - low_complexity - - high_disruption - - CCE-26895-3 - - NIST-800-53-SI-2 - - NIST-800-53-SI-2(c) - - NIST-800-53-MA-1(b) - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020260 -- check_mode: false - name: Read permission of GPG key directory - register: gpg_key_directory_permission - stat: - path: /etc/pki/rpm-gpg/ - tags: - - ensure_redhat_gpgkey_installed - - high_severity - - restrict_strategy - - medium_complexity - - medium_disruption - - CCE-26957-1 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 -- changed_when: false - check_mode: false - name: Read signatures in GPG key - register: gpg_fingerprints - shell: gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed - 's;.*= ;;g' - tags: - - ensure_redhat_gpgkey_installed - - high_severity - - restrict_strategy - - medium_complexity - - medium_disruption - - CCE-26957-1 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 -- name: Set Fact - Valid fingerprints - set_fact: - gpg_valid_fingerprints: ("567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51" "43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 - 2FA6 58E0") - tags: - - ensure_redhat_gpgkey_installed - - high_severity - - restrict_strategy - - medium_complexity - - medium_disruption - - CCE-26957-1 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 -- name: Import RedHat GPG key - rpm_key: - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release - state: present - tags: - - ensure_redhat_gpgkey_installed - - high_severity - - restrict_strategy - - medium_complexity - - medium_disruption - - 
CCE-26957-1 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 - when: (gpg_key_directory_permission.stat.mode <= '0755') and (( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) - | length == 0) and (gpg_fingerprints.stdout_lines | length > 0) and (ansible_distribution == "RedHat") -- find: - paths: /etc/yum.repos.d/ - patterns: '*.repo' - name: Find All Yum Repositories - register: yum_find -- lineinfile: - create: true - dest: '{{ item.path }}' - line: gpgcheck=1 - regexp: ^gpgcheck - name: Ensure gpgcheck Enabled For All Yum Package Repositories - tags: - - ensure_gpgcheck_never_disabled - - high_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-26876-3 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 - with_items: '{{ yum_find.files }}' -- check_mode: false - name: Check existence of yum on Fedora - register: yum_config_file - stat: - path: /etc/yum.conf - when: ansible_distribution == "Fedora" -- ini_file: - create: false - dest: '{{item}}' - option: gpgcheck - section: main - value: 1 - name: Ensure GPG check is globally activated (yum) - tags: - - ensure_gpgcheck_globally_activated - - high_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-26989-4 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020050 - when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists - with_items: /etc/yum.conf -- ini_file: - create: false - dest: '{{item}}' - option: gpgcheck - section: main - value: 1 - name: Ensure GPG check is globally activated (dnf) - tags: - - ensure_gpgcheck_globally_activated - - high_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-26989-4 - - 
NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020050 - when: ansible_distribution == "Fedora" - with_items: /etc/dnf/dnf.conf -- changed_when: false - check_mode: false - failed_when: false - name: Read list of files with incorrect permissions - register: files_with_incorrect_permissions - shell: rpm -Va | grep '^.M' | cut -d ' ' -f5- | sed -r 's;^.*\s+(.+);\1;g' - tags: - - rpm_verify_permissions - - high_severity - - restrict_strategy - - high_complexity - - medium_disruption - - CCE-27209-6 - - NIST-800-53-AC-6 - - NIST-800-53-AU-9(1) - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 -- name: Correct file permissions with RPM - shell: rpm --quiet --setperms $(rpm -qf '{{item}}') - tags: - - rpm_verify_permissions - - high_severity - - restrict_strategy - - high_complexity - - medium_disruption - - CCE-27209-6 - - NIST-800-53-AC-6 - - NIST-800-53-AU-9(1) - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 - when: files_with_incorrect_permissions.stdout_lines | length > 0 - with_items: '{{ files_with_incorrect_permissions.stdout_lines }}' -- name: 'Set fact: Package manager reinstall command (dnf)' - set_fact: - package_manager_reinstall_cmd: dnf reinstall -y - tags: - - rpm_verify_hashes - - high_severity - - unknown_strategy - - high_complexity - - medium_disruption - - CCE-27157-7 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SI-7(1) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 - when: ansible_distribution == "Fedora" -- name: 'Set fact: Package manager reinstall command (yum)' - set_fact: - 
package_manager_reinstall_cmd: yum reinstall -y - tags: - - rpm_verify_hashes - - high_severity - - unknown_strategy - - high_complexity - - medium_disruption - - CCE-27157-7 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SI-7(1) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 - when: ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux" -- changed_when: false - check_mode: false - name: Read files with incorrect hash - register: files_with_incorrect_hash - shell: rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | sed -r 's;^.*\s+(.+);\1;g' - tags: - - rpm_verify_hashes - - high_severity - - unknown_strategy - - high_complexity - - medium_disruption - - CCE-27157-7 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SI-7(1) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 - when: package_manager_reinstall_cmd is defined -- name: Reinstall packages of files with incorrect hash - shell: '{{package_manager_reinstall_cmd}} $(rpm -qf ''{{item}}'')' - tags: - - rpm_verify_hashes - - high_severity - - unknown_strategy - - high_complexity - - medium_disruption - - CCE-27157-7 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SI-7(1) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 - when: package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0) - with_items: '{{ files_with_incorrect_hash.stdout_lines }}' -- name: Ensure aide is installed - package: - name: '{{item}}' - state: present +- name: Test for existence /etc/group + stat: + path: /etc/group + register: file_exists +- name: Ensure owner 0 on /etc/group + file: + path: /etc/group + owner: 0 + when: file_exists.stat.exists tags: - - package_aide_installed + - file_owner_etc_group - medium_severity - - enable_strategy 
+ - configure_strategy - low_complexity - low_disruption - - CCE-27096-7 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 - with_items: - - aide -- name: Ensure AIDE is installed - package: - name: '{{item}}' - state: present + - CCE-26933-2 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 +- name: Test for existence /etc/passwd + stat: + path: /etc/passwd + register: file_exists +- name: Ensure group owner 0 on /etc/passwd + file: + path: /etc/passwd + group: 0 + when: file_exists.stat.exists tags: - - aide_periodic_cron_checking + - file_groupowner_etc_passwd - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-26952-2 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-3(5) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-07-020030 - with_items: - - aide -- cron: - hour: 4 - job: /usr/sbin/aide --check - minute: 5 - name: run AIDE check - user: root - weekday: 0 - name: Configure Periodic Execution of AIDE + - CCE-26639-5 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 +- name: Ensure permission 0644 on /etc/passwd + file: + path: /etc/passwd + mode: 420 tags: - - aide_periodic_cron_checking + - file_permissions_etc_passwd - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-26952-2 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-3(5) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-07-020030 -- name: Ensure AIDE is installed - package: - name: '{{item}}' - state: present + - CCE-26887-0 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 +- name: Test for existence 
/etc/passwd + stat: + path: /etc/passwd + register: file_exists +- name: Ensure owner 0 on /etc/passwd + file: + path: /etc/passwd + owner: 0 + when: file_exists.stat.exists tags: - - aide_build_database + - file_owner_etc_passwd - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27220-3 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 - with_items: - - aide -- name: Build and Test AIDE Database - shell: /usr/sbin/aide --init + - CCE-27138-7 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 +- name: Test for existence /etc/shadow + stat: + path: /etc/shadow + register: file_exists +- name: Ensure group owner 0 on /etc/shadow + file: + path: /etc/shadow + group: 0 + when: file_exists.stat.exists tags: - - aide_build_database + - file_groupowner_etc_shadow - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27220-3 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- name: Check whether the stock AIDE Database exists - register: aide_database_stat - stat: - path: /var/lib/aide/aide.db.new.gz + - CCE-27125-4 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 +- name: Ensure permission 0000 on /etc/shadow + file: + path: /etc/shadow + mode: 0 tags: - - aide_build_database + - file_permissions_etc_shadow - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27220-3 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- copy: - backup: true - dest: /var/lib/aide/aide.db.gz - remote_src: true - src: 
/var/lib/aide/aide.db.new.gz - name: Stage AIDE Database + - CCE-27100-7 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 +- name: Test for existence /etc/shadow + stat: + path: /etc/shadow + register: file_exists +- name: Ensure owner 0 on /etc/shadow + file: + path: /etc/shadow + owner: 0 + when: file_exists.stat.exists tags: - - aide_build_database + - file_owner_etc_shadow - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27220-3 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 - when: aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists -- name: Does prelink file exist - register: prelink_exists - stat: - path: /etc/sysconfig/prelink + - CCE-26795-5 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 +- name: Ensure permission 0644 on /etc/group + file: + path: /etc/group + mode: 420 tags: - - disable_prelink - - unknown_severity - - restrict_strategy + - file_permissions_etc_group + - medium_severity + - configure_strategy - low_complexity - low_disruption - - CCE-27078-5 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - NIST-800-171-3.13.11 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- lineinfile: - line: PRELINKING=no - path: /etc/sysconfig/prelink - regexp: ^PRELINKING= - name: disable prelinking + - CCE-26949-8 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 +- name: Test for existence /etc/group + stat: + path: /etc/group + register: file_exists +- name: Ensure group owner 0 on /etc/group + file: + path: /etc/group + group: 0 + when: file_exists.stat.exists tags: - - disable_prelink - - unknown_severity - - restrict_strategy + - file_groupowner_etc_group + - medium_severity + - configure_strategy - low_complexity - low_disruption - - CCE-27078-5 - - NIST-800-53-CM-6(d) - - 
NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - NIST-800-171-3.13.11 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 - when: prelink_exists.stat.exists == True -- ini_file: - create: true + - CCE-27037-1 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 +- name: Implement Blank Screensaver + ini_file: dest: /etc/dconf/db/local.d/00-security-settings - option: picture-uri section: org/gnome/desktop/screensaver + option: picture-uri value: string '' - name: Implement Blank Screensaver + create: true tags: - dconf_gnome_screensaver_mode_blank - unknown_severity @@ -491,12 +172,12 @@ - NIST-800-171-3.1.10 - PCI-DSS-Req-8.1.8 - CJIS-5.5.5 -- lineinfile: - create: true - line: /org/gnome/desktop/screensaver/picture-uri +- name: Prevent user modification of GNOME picture-uri + lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/screensaver/picture-uri - name: Prevent user modification of GNOME picture-uri + line: /org/gnome/desktop/screensaver/picture-uri + create: true tags: - dconf_gnome_screensaver_mode_blank - unknown_severity 
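Review bot: The three mode tasks on the new side (`Ensure permission 0644 on /etc/passwd`, `Ensure permission 0000 on /etc/shadow`, `Ensure permission 0644 on /etc/group`) carry no `when: file_exists.stat.exists` guard, unlike the owner and group-owner tasks around them, so on a host where the file is absent the `file` module fails instead of skipping; note that for the `/etc/group` mode task the most recent `file_exists` register is the `/etc/shadow` stat, so a guard there needs its own `stat` first. The decimal `mode: 420` / `mode: 0` values are a YAML-dump artifact that Ansible does interpret as 0644 / 0000, but `mode: '0644'` and `mode: '0000'` say what the task names say and avoid the octal-versus-decimal mode trap. This task list is flat, so no enclosing block is cut by the hunk.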
@@ -508,55 +189,92 @@ - NIST-800-171-3.1.10 - PCI-DSS-Req-8.1.8 - CJIS-5.5.5 -- ini_file: - create: true +- name: Enable GNOME3 Screensaver Lock After Idle Period + ini_file: dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver option: lock-enabled + value: 'true' + create: true + tags: + - dconf_gnome_screensaver_lock_enabled + - medium_severity + - unknown_strategy + - low_complexity + - medium_disruption + - CCE-80112-6 + - NIST-800-53-AC-11(b) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 +- name: Prevent user modification of GNOME lock-enabled + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-enabled + line: /org/gnome/desktop/screensaver/lock-enabled + create: true + tags: + - dconf_gnome_screensaver_lock_enabled + - medium_severity + - unknown_strategy + - low_complexity + - medium_disruption + - CCE-80112-6 + - NIST-800-53-AC-11(b) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 +- name: Enable GNOME3 Screensaver Idle Activation + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/screensaver + option: idle_activation_enabled value: 'true' - name: Enable GNOME3 Screensaver Lock After Idle Period + create: true tags: - - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_idle_activation_enabled - medium_severity - unknown_strategy - low_complexity - medium_disruption - - CCE-80112-6 - - NIST-800-53-AC-11(b) + - CCE-80111-8 + - NIST-800-53-AC-11(a) - NIST-800-171-3.1.10 - PCI-DSS-Req-8.1.8 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010060 -- lineinfile: - create: true - line: /org/gnome/desktop/screensaver/lock-enabled + - DISA-STIG-RHEL-07-010100 +- name: Prevent user modification of GNOME idle_activation_enabled + lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: 
^/org/gnome/desktop/screensaver/lock-enabled - name: Prevent user modification of GNOME lock-enabled + regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled + line: /org/gnome/desktop/screensaver/idle-activation-enabled + create: true tags: - - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_idle_activation_enabled - medium_severity - unknown_strategy - low_complexity - medium_disruption - - CCE-80112-6 - - NIST-800-53-AC-11(b) + - CCE-80111-8 + - NIST-800-53-AC-11(a) - NIST-800-171-3.1.10 - PCI-DSS-Req-8.1.8 - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010060 + - DISA-STIG-RHEL-07-010100 - name: XCCDF Value inactivity_timeout_value set_fact: inactivity_timeout_value: '900' tags: - always -- ini_file: - create: true +- name: Set GNOME3 Screensaver Inactivity Timeout + ini_file: dest: /etc/dconf/db/local.d/00-security-settings - option: idle-delay section: org/gnome/desktop/screensaver + option: idle-delay value: '{{ inactivity_timeout_value }}' - name: Set GNOME3 Screensaver Inactivity Timeout + create: true tags: - dconf_gnome_screensaver_idle_delay - medium_severity @@ -569,12 +287,12 @@ - PCI-DSS-Req-8.1.8 - CJIS-5.5.5 - DISA-STIG-RHEL-07-010070 -- lineinfile: - create: true - line: /org/gnome/desktop/screensaver/idle-delay +- name: Prevent user modification of GNOME idle-delay + lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: ^/org/gnome/desktop/screensaver/idle-delay - name: Prevent user modification of GNOME idle-delay + line: /org/gnome/desktop/screensaver/idle-delay + create: true tags: - dconf_gnome_screensaver_idle_delay - medium_severity 
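Review bot: The `Enable GNOME3 Screensaver Idle Activation` task writes `option: idle_activation_enabled` into the dconf keyfile, while the lock task right after it pins `/org/gnome/desktop/screensaver/idle-activation-enabled`; GNOME's key name uses hyphens, so as written the hardened value lands under a key the schema does not know and the lock freezes the default instead. Change it to `option: idle-activation-enabled` so the setting and its lock refer to the same key; the commit moves this task but does not correct it. I also do not see a `dconf update` handler notified by any of the `ini_file`/`lineinfile` edits under `/etc/dconf/db/local.d` in this hunk — if it lives elsewhere in the role that is fine, otherwise the keyfile changes never reach the binary database.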
@@ -587,190 +305,482 @@ - PCI-DSS-Req-8.1.8 - CJIS-5.5.5 - DISA-STIG-RHEL-07-010070 -- ini_file: +- name: Find All yum Repositories + find: + paths: /etc/yum.repos.d/ + patterns: '*.repo' + register: yum_find +- name: Ensure gpgcheck Enabled For All yum Package Repositories + with_items: '{{ yum_find.files }}' + lineinfile: create: true - dest: /etc/dconf/db/local.d/00-security-settings - option: idle_activation_enabled - section: org/gnome/desktop/screensaver - value: 'true' - name: Enable GNOME3 Screensaver Idle Activation + dest: '{{ item.path }}' + regexp: ^gpgcheck + line: gpgcheck=1 tags: - - dconf_gnome_screensaver_idle_activation_enabled - - medium_severity + - ensure_gpgcheck_never_disabled + - high_severity - unknown_strategy - low_complexity - medium_disruption - - CCE-80111-8 - - NIST-800-53-AC-11(a) - - NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 -- lineinfile: - create: true - line: /org/gnome/desktop/screensaver/idle-activation-enabled - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled - name: Prevent user modification of GNOME idle_activation_enabled + - CCE-26876-3 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 +- name: Read permission of GPG key directory + stat: + path: /etc/pki/rpm-gpg/ + register: gpg_key_directory_permission + check_mode: false tags: - - dconf_gnome_screensaver_idle_activation_enabled - - medium_severity + - ensure_redhat_gpgkey_installed + - high_severity + - restrict_strategy + - medium_complexity + - medium_disruption + - CCE-26957-1 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 +- name: Read signatures in GPG key + shell: gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed + 's;.*= 
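Review bot: The `Set GNOME3 Screensaver Inactivity Timeout` task writes `idle-delay` under `section: org/gnome/desktop/screensaver` with `value: '{{ inactivity_timeout_value }}'`, but in the GNOME schemas as I know them `idle-delay` belongs to `org.gnome.desktop.session` and is typed uint32, so this produces `idle-delay=900` under a path GSettings does not consult, and an untyped `900` would not match the uint32 type even under the right path. I would change the setting to `section: org/gnome/desktop/session` and `value: 'uint32 {{ inactivity_timeout_value }}'`, and point the lock task's `regexp` and `line` at `/org/gnome/desktop/session/idle-delay`. Please confirm against the schema shipped on the target release; the commit only reorders these keys and does not change them.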
;;g' + changed_when: false + register: gpg_fingerprints + check_mode: false + tags: + - ensure_redhat_gpgkey_installed + - high_severity + - restrict_strategy + - medium_complexity + - medium_disruption + - CCE-26957-1 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 +- name: Set Fact - Valid fingerprints + set_fact: + gpg_valid_fingerprints: ("567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51" "43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 + 2FA6 58E0") + tags: + - ensure_redhat_gpgkey_installed + - high_severity + - restrict_strategy + - medium_complexity + - medium_disruption + - CCE-26957-1 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 +- name: Import RedHat GPG key + rpm_key: + state: present + key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + when: (gpg_key_directory_permission.stat.mode <= '0755') and (( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) + | length == 0) and (gpg_fingerprints.stdout_lines | length > 0) and (ansible_distribution == "RedHat") + tags: + - ensure_redhat_gpgkey_installed + - high_severity + - restrict_strategy + - medium_complexity + - medium_disruption + - CCE-26957-1 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 +- name: Check existence of yum on Fedora + stat: + path: /etc/yum.conf + register: yum_config_file + check_mode: false + when: ansible_distribution == "Fedora" +- name: Ensure GPG check is globally activated (yum) + ini_file: + dest: '{{item}}' + section: main + option: gpgcheck + value: 1 + create: false + with_items: /etc/yum.conf + when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists + tags: + - ensure_gpgcheck_globally_activated + - high_severity - unknown_strategy - low_complexity - medium_disruption - - 
CCE-80111-8 - - NIST-800-53-AC-11(a) - - NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 -- file: - mode: 0 - path: '{{ item }}' - name: Ensure permission 0000 on /etc/shadow + - CCE-26989-4 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020050 +- name: Ensure GPG check is globally activated (dnf) + ini_file: + dest: '{{item}}' + section: main + option: gpgcheck + value: 1 + create: false + with_items: /etc/dnf/dnf.conf + when: ansible_distribution == "Fedora" tags: - - file_permissions_etc_shadow + - ensure_gpgcheck_globally_activated + - high_severity + - unknown_strategy + - low_complexity + - medium_disruption + - CCE-26989-4 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020050 +- name: Security patches are up to date + package: + name: '*' + state: latest + tags: + - security_patches_up_to_date + - high_severity + - patch_strategy + - low_complexity + - high_disruption + - CCE-26895-3 + - NIST-800-53-SI-2 + - NIST-800-53-SI-2(c) + - NIST-800-53-MA-1(b) + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020260 +- name: Ensure AIDE is installed + package: + name: '{{item}}' + state: present + with_items: + - aide + tags: + - aide_periodic_cron_checking - medium_severity - - configure_strategy + - restrict_strategy - low_complexity - low_disruption - - CCE-27100-7 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 + - CCE-26952-2 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-3(5) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + - DISA-STIG-RHEL-07-020030 +- name: Configure Periodic Execution of AIDE + cron: + name: run AIDE check + minute: 5 + hour: 4 + weekday: 0 + user: root + job: /usr/sbin/aide 
--check + tags: + - aide_periodic_cron_checking + - medium_severity + - restrict_strategy + - low_complexity + - low_disruption + - CCE-26952-2 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-3(5) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + - DISA-STIG-RHEL-07-020030 +- name: Ensure AIDE is installed + package: + name: '{{item}}' + state: present with_items: - - /etc/shadow -- file: - mode: 420 - path: '{{ item }}' - name: Ensure permission 0644 on /etc/passwd + - aide tags: - - file_permissions_etc_passwd + - aide_build_database - medium_severity - - configure_strategy + - restrict_strategy - low_complexity - low_disruption - - CCE-26887-0 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 - with_items: - - /etc/passwd -- file: - mode: 420 - path: '{{ item }}' - name: Ensure permission 0644 on /etc/group + - CCE-27220-3 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 +- name: Build and Test AIDE Database + shell: /usr/sbin/aide --init tags: - - file_permissions_etc_group + - aide_build_database - medium_severity - - configure_strategy + - restrict_strategy - low_complexity - low_disruption - - CCE-26949-8 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 - with_items: - - /etc/group -- file: - owner: 0 - path: '{{ item }}' - name: Ensure owner 0 on /etc/shadow + - CCE-27220-3 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 +- name: Check whether the stock AIDE Database exists + stat: + path: /var/lib/aide/aide.db.new.gz + register: aide_database_stat tags: - - file_owner_etc_shadow + - aide_build_database - medium_severity - - configure_strategy + - restrict_strategy - low_complexity - 
low_disruption - - CCE-26795-5 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 - with_items: - - /etc/shadow -- file: - owner: 0 - path: '{{ item }}' - name: Ensure owner 0 on /etc/passwd + - CCE-27220-3 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 +- name: Stage AIDE Database + copy: + src: /var/lib/aide/aide.db.new.gz + dest: /var/lib/aide/aide.db.gz + backup: true + remote_src: true + when: aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists tags: - - file_owner_etc_passwd + - aide_build_database - medium_severity - - configure_strategy + - restrict_strategy - low_complexity - low_disruption - - CCE-27138-7 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 - with_items: - - /etc/passwd -- file: - owner: 0 - path: '{{ item }}' - name: Ensure owner 0 on /etc/group + - CCE-27220-3 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 +- name: Ensure aide is installed + package: + name: aide + state: present tags: - - file_owner_etc_group + - package_aide_installed - medium_severity - - configure_strategy + - enable_strategy - low_complexity - low_disruption - - CCE-26933-2 + - CCE-27096-7 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 +- name: Read list of files with incorrect permissions + shell: rpm -Va --nofiledigest | awk '/^.M/ {print $NF}' + register: files_with_incorrect_permissions + failed_when: false + changed_when: false + check_mode: false + tags: + - rpm_verify_permissions + - high_severity + - restrict_strategy + - high_complexity + - medium_disruption + - CCE-27209-6 - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 
- with_items: - - /etc/group -- file: - group: 0 - path: '{{ item }}' - name: Ensure group owner 0 on /etc/shadow + - NIST-800-53-AU-9(1) + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010010 +- name: Correct file permissions with RPM + shell: rpm --quiet --setperms $(rpm -qf '{{item}}') + with_items: '{{ files_with_incorrect_permissions.stdout_lines }}' + when: files_with_incorrect_permissions.stdout_lines | length > 0 tags: - - file_groupowner_etc_shadow - - medium_severity - - configure_strategy - - low_complexity - - low_disruption - - CCE-27125-4 + - rpm_verify_permissions + - high_severity + - restrict_strategy + - high_complexity + - medium_disruption + - CCE-27209-6 - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 - with_items: - - /etc/shadow -- file: - group: 0 - path: '{{ item }}' - name: Ensure group owner 0 on /etc/passwd + - NIST-800-53-AU-9(1) + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010010 +- name: 'Set fact: Package manager reinstall command (dnf)' + set_fact: + package_manager_reinstall_cmd: dnf reinstall -y + when: ansible_distribution == "Fedora" tags: - - file_groupowner_etc_passwd - - medium_severity - - configure_strategy + - rpm_verify_hashes + - high_severity + - unknown_strategy + - high_complexity + - medium_disruption + - CCE-27157-7 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SI-7(1) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 +- name: 'Set fact: Package manager reinstall command (yum)' + set_fact: + package_manager_reinstall_cmd: yum reinstall -y + when: ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux" + tags: + - rpm_verify_hashes + - high_severity 
+ - unknown_strategy + - high_complexity + - medium_disruption + - CCE-27157-7 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SI-7(1) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 +- name: Read files with incorrect hash + shell: rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}' + register: files_with_incorrect_hash + changed_when: false + when: package_manager_reinstall_cmd is defined + check_mode: false + tags: + - rpm_verify_hashes + - high_severity + - unknown_strategy + - high_complexity + - medium_disruption + - CCE-27157-7 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SI-7(1) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 +- name: Reinstall packages of files with incorrect hash + shell: '{{package_manager_reinstall_cmd}} $(rpm -qf ''{{item}}'')' + with_items: '{{ files_with_incorrect_hash.stdout_lines }}' + when: package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0) + tags: + - rpm_verify_hashes + - high_severity + - unknown_strategy + - high_complexity + - medium_disruption + - CCE-27157-7 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SI-7(1) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 +- name: Does prelink file exist + stat: + path: /etc/sysconfig/prelink + register: prelink_exists + tags: + - disable_prelink + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-26639-5 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 - with_items: - - /etc/passwd -- file: - group: 0 - path: '{{ item }}' - name: Ensure group owner 0 on /etc/group + - CCE-27078-5 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - NIST-800-171-3.13.11 + - PCI-DSS-Req-11.5 + - 
CJIS-5.10.1.3 +- name: disable prelinking + lineinfile: + path: /etc/sysconfig/prelink + regexp: ^PRELINKING= + line: PRELINKING=no + when: prelink_exists.stat.exists == True tags: - - file_groupowner_etc_group - - medium_severity - - configure_strategy + - disable_prelink + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-27037-1 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 - with_items: - - /etc/group + - CCE-27078-5 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - NIST-800-171-3.13.11 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 - name: Ensure libreswan is installed package: - name: '{{item}}' + name: libreswan state: present tags: - package_libreswan_installed 
@@ -783,133 +793,128 @@ - NIST-800-53-MA-4 - NIST-800-53-SC-9 - PCI-DSS-Req-4.1 - with_items: - - libreswan -- name: XCCDF Value var_auditd_space_left_action - set_fact: - var_auditd_space_left_action: email - tags: - - always -- lineinfile: - dest: /etc/audit/auditd.conf - line: space_left_action = {{ var_auditd_space_left_action }} - regexp: ^space_left_action* - name: Configure auditd space_left Action on Low Disk Space - tags: - - auditd_data_retention_space_left_action - - medium_severity - - restrict_strategy - - low_complexity - - low_disruption - - CCE-27375-5 - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-4 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(b) - - NIST-800-53-IR-5 - - NIST-800-171-3.3.1 - - PCI-DSS-Req-10.7 - - CJIS-5.4.1.1 -- name: XCCDF Value var_auditd_max_log_file_action - set_fact: - var_auditd_max_log_file_action: rotate - tags: - - always -- lineinfile: - dest: /etc/audit/auditd.conf - line: max_log_file_action {{ var_auditd_max_log_file_action }} - state: present - name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size +- name: Search for privileged commands + shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat + check_mode: false + register: find_result tags: - - auditd_data_retention_max_log_file_action + - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27231-0 + - CCE-27437-3 + - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - - NIST-800-53-AU-4 - - NIST-800-53-AU-11 + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-2(4) + - NIST-800-53-AU-6(9) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - - PCI-DSS-Req-10.7 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 -- name: XCCDF Value var_auditd_max_log_file - set_fact: - var_auditd_max_log_file: '6' - tags: - - always -- lineinfile: - dest: /etc/audit/auditd.conf - line: max_log_file {{ var_auditd_max_log_file 
}} - state: present - name: Configure auditd Max Log File Size + - DISA-STIG-RHEL-07-030360 +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path={{ item }} .*$ + patterns: '*.rules' + with_items: + - '{{ find_result.stdout_lines }}' + register: files_result tags: - - auditd_data_retention_max_log_file + - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27319-3 + - CCE-27437-3 + - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - - NIST-800-53-AU-11 + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-2(4) + - NIST-800-53-AU-6(9) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - - PCI-DSS-Req-10.7 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 -- name: XCCDF Value var_auditd_admin_space_left_action - set_fact: - var_auditd_admin_space_left_action: single - tags: - - always -- lineinfile: - dest: /etc/audit/auditd.conf - line: admin_space_left_action = {{ var_auditd_admin_space_left_action }} - regexp: ^admin_space_left_action* - name: Configure auditd admin_space_left Action on Low Disk Space + - DISA-STIG-RHEL-07-030360 +- name: Overwrites the rule in rules.d + lineinfile: + path: '{{ item.1.path }}' + line: -a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged + create: false + regexp: ^.*path={{ item.0.item }} .*$ + with_subelements: + - '{{ files_result.results }}' + - files tags: - - auditd_data_retention_admin_space_left_action + - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27370-6 + - CCE-27437-3 + - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - - NIST-800-53-AU-4 - - NIST-800-53-AU-5(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-2(4) + - NIST-800-53-AU-6(9) + - NIST-800-53-AU-12(a) + - 
NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - - NIST-800-171-3.3.1 - - PCI-DSS-Req-10.7 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030340 -- name: XCCDF Value var_auditd_action_mail_acct - set_fact: - var_auditd_action_mail_acct: root - tags: - - always -- lineinfile: - dest: /etc/audit/auditd.conf - line: action_mail_acct = {{ var_auditd_action_mail_acct }} - state: present - name: Configure auditd mail_acct Action on Low Disk Space + - DISA-STIG-RHEL-07-030360 +- name: Adds the rule in rules.d + lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged + create: true + with_items: + - '{{ files_result.results }}' + when: item.matched == 0 tags: - - auditd_data_retention_action_mail_acct + - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27394-6 + - CCE-27437-3 + - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - - NIST-800-53-AU-4 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(a) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-2(4) + - NIST-800-53-AU-6(9) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - - NIST-800-171-3.3.1 - - PCI-DSS-Req-10.7.a + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030350 -- check_mode: false - name: Search for privileged commands - register: find_result - shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat + - DISA-STIG-RHEL-07-030360 +- name: Inserts/replaces the rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged + create: true + regexp: ^.*path={{ item.item }} .*$ + with_items: + - '{{ files_result.results }}' tags: - audit_rules_privileged_commands - medium_severity 
@@ -931,156 +936,157 @@ - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030360 -- find: - contains: ^.*path={{ item }} .*$ +- name: Set architecture for audit lchown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for audit rule entries - register: files_result + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lchown +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: find_lchown.matched == 0 +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' + when: find_lchown.matched > 0 +- name: Inserts/replaces the lchown rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_privileged_commands - - medium_severity + - audit_rules_dac_modification_lchown + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27437-3 + - CCE-27083-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-2(4) - - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - with_items: - - '{{ find_result.stdout_lines }}' -- lineinfile: - create: false - line: -a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged - path: '{{ item.1.path }}' - regexp: ^.*path={{ item.0.item }} .*$ - name: Overwrites the 
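Review bot: The `Search for privileged commands` task only ever finds setuid/setgid binaries on the root filesystem, because `find / -xdev` stops at every mount point; hosts with /usr, /opt or /home on their own partitions get no `-F key=privileged` rule for the binaries living there, so the STIG-030360 coverage this hunk claims is silently partial. If the goal is all local filesystems, enumerate the mounts instead of relying on `-xdev`, e.g. `shell: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | cat` (confirm `ansible_mounts` excludes network/pseudo mounts in your inventory). The same task also lacks `changed_when: false`, so every run reports a change even though it is read-only. The discovered path is interpolated unescaped into `contains: ^.*path={{ item }} .*$` and the two `regexp: ^.*path={{ item... }} .*$` patterns; use `{{ item | regex_escape }}` so a path containing regex metacharacters cannot match or overwrite another binary's rule.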
rule in rules.d + - DISA-STIG-RHEL-07-030390 +- name: Inserts/replaces the lchown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_privileged_commands - - medium_severity + - audit_rules_dac_modification_lchown + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27437-3 + - CCE-27083-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-2(4) - - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - with_subelements: - - '{{ files_result.results }}' - - files -- lineinfile: - create: true - line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged - path: /etc/audit/rules.d/privileged.rules - name: Adds the rule in rules.d + - DISA-STIG-RHEL-07-030390 +- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + state: present + dest: /etc/audit/audit.rules tags: - - audit_rules_privileged_commands - - medium_severity + - audit_rules_dac_modification_lchown + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27437-3 + - CCE-27083-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-2(4) - - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - when: item.matched == 0 - with_items: - - '{{ files_result.results }}' 
-- lineinfile: + - DISA-STIG-RHEL-07-030390 +- name: Inserts/replaces the lchown rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true - line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged - path: /etc/audit/audit.rules - regexp: ^.*path={{ item.item }} .*$ - name: Inserts/replaces the rule in audit.rules + when: audit_arch == 'b64' tags: - - audit_rules_privileged_commands - - medium_severity + - audit_rules_dac_modification_lchown + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27437-3 + - CCE-27083-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-2(4) - - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - with_items: - - '{{ files_result.results }}' -- name: Set architecture for audit setxattr tasks + - DISA-STIG-RHEL-07-030390 +- name: Set architecture for audit fchownat tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_setxattr + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchownat - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_setxattr.matched == 0 + when: find_fchownat.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - 
- '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' - when: find_setxattr.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' + when: find_fchownat.matched > 0 +- name: Inserts/replaces the fchownat rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the setxattr rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_fchownat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27213-8 + - CCE-27387-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1092,19 +1098,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030400 +- name: Inserts/replaces the fchownat rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the setxattr rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_fchownat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27213-8 + - CCE-27387-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
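Review bot: `audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}` only yields `b64` when the architecture string ends in two digits; on ppc64le or s390x the regex does not match, `regex_replace` returns the input unchanged, `audit_arch` becomes `bppc64le`/`bs390x`, and every `when: audit_arch == 'b64'` task is skipped, so the 64-bit `lchown` syscall is never audited on those hosts. Safer: `audit_arch: "{{ 'b64' if ansible_architecture in ['x86_64', 'aarch64', 'ppc64le', 's390x'] else 'b32' }}"` (verify the fact values against your fleet). The `Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86` task has no `create: true` while its b64 sibling does, so on a host without /etc/audit/audit.rules the b32 task fails and the b64 one succeeds; make them consistent. Note also that if augenrules is in use, /etc/audit/audit.rules is regenerated from rules.d, so the direct edits to audit.rules are overwritten and only the rules.d write is durable — worth a comment on those tasks.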
@@ -1116,20 +1123,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030400 +- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_fchownat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27213-8 + - CCE-27387-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1141,22 +1147,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 - with_items: - - -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030400 +- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_fchownat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27213-8 + - CCE-27387-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1168,42 +1173,39 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit removexattr tasks + - DISA-STIG-RHEL-07-030400 +- name: Set architecture for audit setxattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_removexattr + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_setxattr - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_removexattr.matched == 0 + when: find_setxattr.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' - when: find_removexattr.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' + when: find_setxattr.matched > 0 +- name: Inserts/replaces the setxattr rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the removexattr rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_removexattr - - medium_severity + - audit_rules_dac_modification_setxattr + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27367-2 + - CCE-27213-8 - 
NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1215,19 +1217,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030440 +- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the removexattr rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_removexattr - - medium_severity + - audit_rules_dac_modification_setxattr + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27367-2 + - CCE-27213-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1239,20 +1242,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030440 +- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_removexattr - - medium_severity + - audit_rules_dac_modification_setxattr + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27367-2 + - CCE-27213-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
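Review bot: The four `lineinfile` tasks for setxattr carry no `regexp`, so idempotence depends on a byte-exact match; a pre-existing equivalent rule spelled differently (`-F auid!=unset`, or a combined `-S setxattr,lsetxattr,fsetxattr` line) is not recognised and a second rule is appended each time the form changes. Adding `regexp: '^-a always,exit -F arch=b32 -S setxattr .*-F key=perm_mod$'` (and the b64 twin) makes the write replace rather than duplicate. The recipient file is chosen with `find_setxattr.files | map(attribute='path') | list | first`; `find` does not promise a stable order, so when several rules.d files match `-F key=perm_mod$` the target can differ between runs — sorting the paths first (`| sort | first`) pins it.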
@@ -1264,22 +1266,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - with_items: - - -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030440 +- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_removexattr - - medium_severity + - audit_rules_dac_modification_setxattr + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27367-2 + - CCE-27213-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1291,42 +1292,39 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit lsetxattr tasks + - DISA-STIG-RHEL-07-030440 +- name: Set architecture for audit chmod tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_lsetxattr + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_chmod - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_lsetxattr.matched == 0 + when: find_chmod.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' - when: find_lsetxattr.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_chmod.files | map(attribute=''path'') | list | first }}' + when: find_chmod.matched > 0 +- name: Inserts/replaces the chmod rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the lsetxattr rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_chmod - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27280-7 + - CCE-27339-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1338,19 +1336,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030410 +- name: Inserts/replaces the chmod rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_chmod - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27280-7 + - CCE-27339-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1362,20 +1361,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030410 +- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_chmod - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27280-7 + - CCE-27339-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1387,22 +1385,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 - with_items: - - -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030410 +- name: Inserts/replaces the chmod rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_chmod - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27280-7 + - CCE-27339-1 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1414,42 +1411,39 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit lremovexattr tasks + - DISA-STIG-RHEL-07-030410 +- name: Set architecture for audit removexattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_lremovexattr + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_removexattr - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_lremovexattr.matched == 0 + when: find_removexattr.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' - when: find_lremovexattr.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' + when: find_removexattr.matched > 0 +- name: Inserts/replaces the removexattr rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the lremovexattr rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_removexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27410-0 + - CCE-27367-2 - 
NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1461,19 +1455,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030470 +- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_removexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27410-0 + - CCE-27367-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1485,20 +1480,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030470 +- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_removexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27410-0 + - CCE-27367-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
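Review bot: The removexattr tasks are tagged `medium_severity` while the otherwise identical setxattr, lsetxattr, chmod and lchown tasks in this file are tagged `unknown_severity`; since the tags are the only way to select or filter these remediations, the inconsistency means a `--tags medium_severity` run audits removexattr but not the sibling xattr/DAC syscalls. Pick one severity for the whole `perm_mod` family and apply it to all of them, and add a one-line comment above the first task of the family noting that these rules are intended to land in the same rules.d file.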
@@ -1510,22 +1504,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - with_items: - - -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030470 +- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_removexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27410-0 + - CCE-27367-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1537,42 +1530,39 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit lchown tasks + - DISA-STIG-RHEL-07-030470 +- name: Set architecture for audit lsetxattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_lchown + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lsetxattr - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_lchown.matched == 0 + when: find_lsetxattr.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' - when: find_lchown.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' + when: find_lsetxattr.matched > 0 +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the lchown rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27083-5 + - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1584,19 +1574,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030460 +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the lchown rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27083-5 + - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1608,20 +1599,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030460 +- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27083-5 + - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1633,22 +1623,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - with_items: - - -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030460 +- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the lchown rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27083-5 + - CCE-27280-7 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
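Review bot: None of the rewritten `lineinfile` tasks carries a `notify:`, so after this commit the rules are written to `/etc/audit/rules.d` and `/etc/audit/audit.rules` but, unless a handler outside these hunks reloads them, auditd keeps running with its previous ruleset until the next reboot and the DAC-modification events these rules exist to capture are not recorded in the meantime. If the role has no such handler, adding `notify: reload auditd rules` to each task, backed by a handler that runs `augenrules --load` (or restarts auditd where augenrules is not in use), would close the gap. This applies to every lineinfile hunk in the file and is raised once here rather than per hunk.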
@@ -1660,42 +1649,39 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit fsetxattr tasks + - DISA-STIG-RHEL-07-030460 +- name: Set architecture for audit chown tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_fsetxattr + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_chown - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_fsetxattr.matched == 0 + when: find_chown.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' - when: find_fsetxattr.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_chown.files | map(attribute=''path'') | list | first }}' + when: find_chown.matched > 0 +- name: Inserts/replaces the chown rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fsetxattr rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_chown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27389-6 + - CCE-27364-9 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1707,19 +1693,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030370 +- name: Inserts/replaces the chown rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_chown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27389-6 + - CCE-27364-9 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1731,20 +1718,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030370 +- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_chown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27389-6 + - CCE-27364-9 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1756,22 +1742,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - with_items: - - -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030370 +- name: Inserts/replaces the chown rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_chown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27389-6 + - CCE-27364-9 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1783,19 +1768,16 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030370 - name: Set architecture for audit fremovexattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules + contains: -F key=perm_mod$ + patterns: '*.rules' register: find_fremovexattr - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: 
@@ -1807,11 +1789,11 @@ all_files: - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' when: find_fremovexattr.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fremovexattr rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - audit_rules_dac_modification_fremovexattr - medium_severity @@ -1831,11 +1813,12 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - audit_rules_dac_modification_fremovexattr - medium_severity @@ -1855,12 +1838,11 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' +- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - audit_rules_dac_modification_fremovexattr - medium_severity 
@@ -1880,14 +1862,13 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 - with_items: - - -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' +- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - audit_rules_dac_modification_fremovexattr - medium_severity 
@@ -1907,41 +1888,38 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030480 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit fchownat tasks +- name: Set architecture for audit lremovexattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_fchownat + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lremovexattr - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_fchownat.matched == 0 + when: find_lremovexattr.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' - when: find_fchownat.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' + when: find_lremovexattr.matched > 0 +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fchownat rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_fchownat - - unknown_severity + - audit_rules_dac_modification_lremovexattr + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27387-0 + - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - 
NIST-800-53-AU-2(a) @@ -1953,19 +1931,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030490 +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fchownat rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fchownat - - unknown_severity + - audit_rules_dac_modification_lremovexattr + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27387-0 + - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1977,20 +1956,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030490 +- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_fchownat - - unknown_severity + - audit_rules_dac_modification_lremovexattr + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27387-0 + - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2002,22 +1980,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - with_items: - - -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030490 +- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fchownat - - unknown_severity + - audit_rules_dac_modification_lremovexattr + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27387-0 + - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2029,42 +2006,39 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit fchown tasks + - DISA-STIG-RHEL-07-030490 +- name: Set architecture for audit fchmod tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_fchown + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchmod - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_fchown.matched == 0 + when: find_fchmod.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchown.files | map(attribute=''path'') | list | first }}' - when: find_fchown.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}' + when: find_fchmod.matched > 0 +- name: Inserts/replaces the fchmod rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fchown rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchmod - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27356-5 + - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2076,19 +2050,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030420 +- name: Inserts/replaces the fchmod rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fchown rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchmod - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27356-5 + - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -2100,20 +2075,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030420 +- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchmod - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27356-5 + - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2125,22 +2099,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 - with_items: - - -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030420 +- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fchown rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchmod - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27356-5 + - CCE-27393-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -2152,19 +2125,16 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030420 - name: Set architecture for audit fchmodat tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules + contains: -F key=perm_mod$ + patterns: '*.rules' register: find_fchmodat - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: 
@@ -2176,11 +2146,11 @@ all_files: - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}' when: find_fchmodat.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod +- name: Inserts/replaces the fchmodat rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fchmodat rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - audit_rules_dac_modification_fchmodat - unknown_severity @@ -2200,11 +2170,12 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030430 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod +- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fchmodat rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - audit_rules_dac_modification_fchmodat - unknown_severity @@ -2224,12 +2195,11 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030430 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' +- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - audit_rules_dac_modification_fchmodat - unknown_severity 
@@ -2249,14 +2219,13 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030430 - with_items: - - -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' +- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - audit_rules_dac_modification_fchmodat - unknown_severity 
@@ -2276,41 +2245,38 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030430 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit fchmod tasks +- name: Set architecture for audit fsetxattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_fchmod + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fsetxattr - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_fchmod.matched == 0 + when: find_fsetxattr.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}' - when: find_fchmod.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' + when: find_fsetxattr.matched > 0 +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fchmod rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27393-8 + - CCE-27389-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2322,19 +2288,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030450 +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the fchmod rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27393-8 + - CCE-27389-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -2346,20 +2313,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030450 +- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27393-8 + - CCE-27389-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2371,22 +2337,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 - with_items: - - -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030450 +- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27393-8 + - CCE-27389-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2398,42 +2363,39 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit chown tasks + - DISA-STIG-RHEL-07-030450 +- name: Set architecture for audit fchown tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ +- name: Search /etc/audit/rules.d for other DAC audit rules + find: paths: /etc/audit/rules.d - patterns: '*.rules' recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_chown + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchown - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_chown.matched == 0 + when: find_fchown.matched == 0 - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_chown.files | map(attribute=''path'') | list | first }}' - when: find_chown.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - '{{ find_fchown.files | map(attribute=''path'') | list | first }}' + when: find_fchown.matched > 0 +- name: Inserts/replaces the fchown rule in rules.d when on x86 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the chown rule in rules.d when on x86 + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true tags: - - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27364-9 + - CCE-27356-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2445,19 +2407,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030370 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + - DISA-STIG-RHEL-07-030380 +- name: Inserts/replaces the fchown rule in rules.d when on x86_64 + lineinfile: path: '{{ all_files[0] }}' - name: Inserts/replaces the chown rule in rules.d when on x86_64 + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27364-9 + - CCE-27356-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -2469,20 +2432,19 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030370 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030380 +- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86 + dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27364-9 + - CCE-27356-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2494,22 +2456,21 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030370 - with_items: - - -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030380 +- name: Inserts/replaces the fchown rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod state: present - name: Inserts/replaces the chown rule in audit.rules when on x86_64 + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27364-9 + - CCE-27356-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -2521,137 +2482,160 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030370 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- name: Set architecture for audit chmod tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- find: - contains: -F key=perm_mod$ - paths: /etc/audit/rules.d - patterns: '*.rules' - recurse: false - name: Search /etc/audit/rules.d for other DAC audit rules - register: find_chmod -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + - DISA-STIG-RHEL-07-030380 +- name: XCCDF Value var_auditd_max_log_file set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_chmod.matched == 0 -- name: Use matched file as the recipient for the rule + var_auditd_max_log_file: '6' + tags: + - always +- name: Configure auditd Max Log File Size + lineinfile: + dest: /etc/audit/auditd.conf + regexp: ^\s*max_log_file\s*=\s*.*$ + line: max_log_file = {{ var_auditd_max_log_file }} + state: present + tags: + - auditd_data_retention_max_log_file + - medium_severity + - restrict_strategy + - low_complexity + - low_disruption + - CCE-27319-3 + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-11 + - NIST-800-53-IR-5 + - PCI-DSS-Req-10.7 + - CJIS-5.4.1.1 +- name: XCCDF Value var_auditd_max_log_file_action set_fact: - all_files: - - '{{ find_chmod.files | map(attribute=''path'') | list | first }}' - when: find_chmod.matched > 0 -- lineinfile: - create: true - line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - path: '{{ all_files[0] }}' - name: Inserts/replaces the chmod rule in rules.d when on x86 + var_auditd_max_log_file_action: rotate tags: - - audit_rules_dac_modification_chmod - - unknown_severity + - always +- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size + 
lineinfile: + dest: /etc/audit/auditd.conf + line: max_log_file_action = {{ var_auditd_max_log_file_action }} + regexp: ^\s*max_log_file_action\s*=\s*.*$ + state: present + tags: + - auditd_data_retention_max_log_file_action + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27339-1 - - NIST-800-53-AC-17(7) + - CCE-27231-0 - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) + - NIST-800-53-AU-4 + - NIST-800-53-AU-11 + - NIST-800-53-IR-5 + - PCI-DSS-Req-10.7 + - CJIS-5.4.1.1 +- name: XCCDF Value var_auditd_space_left_action + set_fact: + var_auditd_space_left_action: email + tags: + - always +- name: Configure auditd space_left Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: space_left_action = {{ var_auditd_space_left_action }} + regexp: ^\s*space_left_action\s*=\s*.*$ + state: present + tags: + - auditd_data_retention_space_left_action + - medium_severity + - restrict_strategy + - low_complexity + - low_disruption + - CCE-27375-5 + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-4 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(b) - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - NIST-800-171-3.3.1 + - PCI-DSS-Req-10.7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030410 -- lineinfile: - create: true - line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - path: '{{ all_files[0] }}' - name: Inserts/replaces the chmod rule in rules.d when on x86_64 +- name: XCCDF Value var_auditd_admin_space_left_action + set_fact: + var_auditd_admin_space_left_action: single tags: - - audit_rules_dac_modification_chmod - - unknown_severity + - always +- name: Configure auditd admin_space_left Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: admin_space_left_action = {{ var_auditd_admin_space_left_action }} + regexp: ^\s*admin_space_left_action\s*=\s*.*$ + state: 
present + tags: + - auditd_data_retention_admin_space_left_action + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27339-1 - - NIST-800-53-AC-17(7) + - CCE-27370-6 - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) + - NIST-800-53-AU-4 + - NIST-800-53-AU-5(b) - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - NIST-800-171-3.3.1 + - PCI-DSS-Req-10.7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030410 - when: audit_arch == 'b64' -- lineinfile: - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030340 +- name: XCCDF Value var_auditd_action_mail_acct + set_fact: + var_auditd_action_mail_acct: root + tags: + - always +- name: Configure auditd mail_acct Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: action_mail_acct = {{ var_auditd_action_mail_acct }} state: present - name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86 tags: - - audit_rules_dac_modification_chmod - - unknown_severity + - auditd_data_retention_action_mail_acct + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27339-1 - - NIST-800-53-AC-17(7) + - CCE-27394-6 - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) + - NIST-800-53-AU-4 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(a) - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - NIST-800-171-3.3.1 + - PCI-DSS-Req-10.7.a - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030410 - with_items: - - -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -- lineinfile: - create: true - dest: /etc/audit/audit.rules - line: '{{ item }}' + - DISA-STIG-RHEL-07-030350 +- name: XCCDF Value var_auditd_num_logs + set_fact: + var_auditd_num_logs: '5' + tags: + - always +- name: Configure auditd Number of 
Logs Retained + lineinfile: + dest: /etc/audit/auditd.conf + line: num_logs = {{ var_auditd_num_logs }} + regexp: ^\s*num_logs\s*=\s*.*$ state: present - name: Inserts/replaces the chmod rule in audit.rules when on x86_64 tags: - - audit_rules_dac_modification_chmod - - unknown_severity + - auditd_data_retention_num_logs + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27339-1 - - NIST-800-53-AC-17(7) + - CCE-27348-2 - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) + - NIST-800-53-AU-11 - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - NIST-800-171-3.3.1 + - PCI-DSS-Req-10.7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030410 - when: audit_arch == 'b64' - with_items: - - -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - name: Enable service auditd service: + name: auditd enabled: 'yes' - name: '{{item}}' state: started tags: - service_auditd_enabled 
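Review bot: The new `action_mail_acct` task is the only auditd.conf edit in this hunk without a `regexp`, so an existing `action_mail_acct = other` line is left in place and `action_mail_acct = root` is appended as a duplicate; which value auditd honours then depends on its parser, and the task will not be idempotent across hosts that already set a different recipient. Add `regexp: ^\s*action_mail_acct\s*=\s*.*$` to match the `max_log_file`, `space_left_action` and `admin_space_left_action` tasks above it. None of these auditd.conf tasks carry a `notify`, so the new retention and low-disk settings are not applied until auditd is restarted; if no handler elsewhere does that, the play reports compliance before the daemon actually enforces it.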
@@ -2671,109 +2655,183 @@ - NIST-800-171-3.3.1 - NIST-800-171-3.3.2 - NIST-800-171-3.3.6 - - PCI-DSS-Req-10 + - PCI-DSS-Req-10.1 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030000 - with_items: - - auditd -- name: Prevent Log In to Accounts With Empty Password - system-auth +- name: Test for existence /boot/grub2/grub.cfg + stat: + path: /boot/grub2/grub.cfg + register: file_exists +- name: Ensure group owner 0 on /boot/grub2/grub.cfg + file: + path: /boot/grub2/grub.cfg + group: 0 + when: file_exists.stat.exists + tags: + - file_groupowner_grub2_cfg + - medium_severity + - configure_strategy + - low_complexity + - low_disruption + - CCE-26812-8 + - NIST-800-53-AC-6(7) + - NIST-800-171-3.4.5 + - PCI-DSS-Req-7.1 + - CJIS-5.5.2.2 +- name: Test for existence /boot/grub2/grub.cfg + stat: + path: /boot/grub2/grub.cfg + register: file_exists +- name: Ensure owner 0 on /boot/grub2/grub.cfg + file: + path: /boot/grub2/grub.cfg + owner: 0 + when: file_exists.stat.exists + tags: + - file_owner_grub2_cfg + - medium_severity + - configure_strategy + - low_complexity + - low_disruption + - CCE-26860-7 + - NIST-800-53-AC-6(7) + - NIST-800-171-3.4.5 + - PCI-DSS-Req-7.1 + - CJIS-5.5.2.2 +- name: XCCDF Value var_password_pam_unix_remember + set_fact: + var_password_pam_unix_remember: '4' + tags: + - always +- name: Do not allow users to reuse recent passwords - system-auth (change) replace: dest: /etc/pam.d/system-auth follow: true - regexp: nullok + regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ + replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> tags: - - no_empty_passwords - - high_severity + - accounts_password_pam_unix_remember + - medium_severity - configure_strategy - low_complexity - medium_disruption - - CCE-27286-4 - - NIST-800-53-AC-6 - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) - - NIST-800-53-IA-5(1)(a) - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - PCI-DSS-Req-8.2.3 - - CJIS-5.5.2 - - DISA-STIG-RHEL-07-010290 -- name: Prevent Log In to 
Accounts With Empty Password - password-auth + - CCE-26923-3 + - NIST-800-53-IA-5(f) + - NIST-800-53-IA-5(1)(e) + - NIST-800-171-3.5.8 + - PCI-DSS-Req-8.2.5 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010270 +- name: Do not allow users to reuse recent passwords - system-auth (add) replace: - dest: /etc/pam.d/password-auth + dest: /etc/pam.d/system-auth follow: true - regexp: nullok + regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ + replace: \g<0> remember={{ var_password_pam_unix_remember }} tags: - - no_empty_passwords - - high_severity + - accounts_password_pam_unix_remember + - medium_severity - configure_strategy - low_complexity - medium_disruption - - CCE-27286-4 - - NIST-800-53-AC-6 - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) - - NIST-800-53-IA-5(1)(a) - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - PCI-DSS-Req-8.2.3 - - CJIS-5.5.2 - - DISA-STIG-RHEL-07-010290 -- name: XCCDF Value var_accounts_maximum_age_login_defs + - CCE-26923-3 + - NIST-800-53-IA-5(f) + - NIST-800-53-IA-5(1)(e) + - NIST-800-171-3.5.8 + - PCI-DSS-Req-8.2.5 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010270 +- name: XCCDF Value var_accounts_passwords_pam_faillock_deny set_fact: - var_accounts_maximum_age_login_defs: '90' + var_accounts_passwords_pam_faillock_deny: '6' tags: - always -- lineinfile: - create: true - dest: /etc/login.defs - line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} - regexp: ^#?PASS_MAX_DAYS - name: Set Password Maximum Age +- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time + set_fact: + var_accounts_passwords_pam_faillock_unlock_time: '1800' tags: - - accounts_maximum_age_login_defs + - always +- name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval + set_fact: + var_accounts_passwords_pam_faillock_fail_interval: '900' + tags: + - always +- name: set auth pam_faillock before pam_unix.so + pamd: + name: system-auth + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + 
new_control: required + new_module_path: pam_faillock.so + module_arguments: 'preauth silent deny: {{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time + }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' + state: before + tags: + - accounts_passwords_pam_faillock_deny - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27051-2 - - NIST-800-53-IA-5(f) - - NIST-800-53-IA-5(g) - - NIST-800-53-IA-5(1)(d) - - NIST-800-171-3.5.6 - - PCI-DSS-Req-8.2.4 - - CJIS-5.6.2.1 - - DISA-STIG-RHEL-07-010250 -- name: XCCDF Value var_account_disable_post_pw_expiration - set_fact: - var_account_disable_post_pw_expiration: '90' + - CCE-27350-8 + - NIST-800-53-AC-7(b) + - NIST-800-171-3.1.8 + - PCI-DSS-Req-8.1.6 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 +- name: set auth pam_faillock after pam_unix.so + pamd: + name: system-auth + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: 'preauth silent deny: {{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time + }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' + state: after tags: - - always -- lineinfile: - create: true - dest: /etc/default/useradd - line: INACTIVE={{ var_account_disable_post_pw_expiration }} - regexp: ^INACTIVE - name: Set Account Expiration Following Inactivity + - accounts_passwords_pam_faillock_deny + - medium_severity + - restrict_strategy + - low_complexity + - low_disruption + - CCE-27350-8 + - NIST-800-53-AC-7(b) + - NIST-800-171-3.1.8 + - PCI-DSS-Req-8.1.6 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 +- name: set account pam_faillock before pam_unix.so + pamd: + name: system-auth + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: required + new_module_path: pam_faillock.so 
+ state: before tags: - - account_disable_post_pw_expiration + - accounts_passwords_pam_faillock_deny - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27355-7 - - NIST-800-53-AC-2(2) - - NIST-800-53-AC-2(3) - - NIST-800-53-IA-4(e) - - NIST-800-171-3.5.6 - - PCI-DSS-Req-8.1.4 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010310 -- lineinfile: + - CCE-27350-8 + - NIST-800-53-AC-7(b) + - NIST-800-171-3.1.8 + - PCI-DSS-Req-8.1.6 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 +- name: Set Password Hashing Algorithm in /etc/login.defs + lineinfile: dest: /etc/login.defs - line: ENCRYPT_METHOD SHA512 regexp: ^#?ENCRYPT_METHOD + line: ENCRYPT_METHOD SHA512 state: present - name: Set Password Hashing Algorithm in /etc/login.defs tags: - set_password_hashing_algorithm_logindefs - medium_severity @@ -2789,13 +2847,13 @@ - PCI-DSS-Req-8.2.1 - CJIS-5.6.2.2 - DISA-STIG-RHEL-07-010210 -- lineinfile: +- name: Set Password Hashing Algorithm in /etc/libuser.conf + lineinfile: dest: /etc/libuser.conf - insertafter: ^.default] - line: crypt_style = sha512 + insertafter: ^\s*\[defaults] regexp: ^#?crypt_style + line: crypt_style = sha512 state: present - name: Set Password Hashing Algorithm in /etc/libuser.conf tags: - set_password_hashing_algorithm_libuserconf - medium_severity 
@@ -2811,238 +2869,202 @@ - PCI-DSS-Req-8.2.1 - CJIS-5.6.2.2 - DISA-STIG-RHEL-07-010220 -- name: XCCDF Value var_password_pam_ucredit +- name: XCCDF Value var_password_pam_lcredit set_fact: - var_password_pam_ucredit: '-1' + var_password_pam_lcredit: '-1' tags: - always -- lineinfile: +- name: Ensure PAM variable lcredit is set accordingly + lineinfile: create: true dest: /etc/security/pwquality.conf - line: ucredit = {{ var_password_pam_ucredit }} - regexp: ^#?\s*ucredit - name: Ensure PAM variable ucredit is set accordingly + regexp: ^#?\s*lcredit + line: lcredit = {{ var_password_pam_lcredit }} tags: - - accounts_password_pam_ucredit + - accounts_password_pam_lcredit - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27200-5 + - CCE-27345-8 - NIST-800-53-IA-5(b) - NIST-800-53-IA-5(c) - NIST-800-53-IA-5(1)(a) - PCI-DSS-Req-8.2.3 - - DISA-STIG-RHEL-07-010120 -- name: XCCDF Value var_password_pam_minlen + - DISA-STIG-RHEL-07-010130 +- name: XCCDF Value var_password_pam_dcredit set_fact: - var_password_pam_minlen: '7' + var_password_pam_dcredit: '-1' tags: - always -- lineinfile: +- name: Ensure PAM variable dcredit is set accordingly + lineinfile: create: true dest: /etc/security/pwquality.conf - line: minlen = {{ var_password_pam_minlen }} - regexp: ^#?\s*minlen - name: Ensure PAM variable minlen is set accordingly + regexp: ^#?\s*dcredit + line: dcredit = {{ var_password_pam_dcredit }} tags: - - accounts_password_pam_minlen + - accounts_password_pam_dcredit - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27293-0 + - CCE-27214-6 - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - NIST-800-53-194 - PCI-DSS-Req-8.2.3 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010280 -- name: XCCDF Value var_password_pam_lcredit + - DISA-STIG-RHEL-07-010140 +- name: XCCDF Value var_password_pam_minlen set_fact: - var_password_pam_lcredit: '-1' + var_password_pam_minlen: '7' tags: - always -- 
lineinfile: +- name: Ensure PAM variable minlen is set accordingly + lineinfile: create: true dest: /etc/security/pwquality.conf - line: lcredit = {{ var_password_pam_lcredit }} - regexp: ^#?\s*lcredit - name: Ensure PAM variable lcredit is set accordingly + regexp: ^#?\s*minlen + line: minlen = {{ var_password_pam_minlen }} tags: - - accounts_password_pam_lcredit + - accounts_password_pam_minlen - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27345-8 - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) + - CCE-27293-0 - NIST-800-53-IA-5(1)(a) - PCI-DSS-Req-8.2.3 - - DISA-STIG-RHEL-07-010130 -- name: XCCDF Value var_password_pam_dcredit + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010280 +- name: XCCDF Value var_password_pam_ucredit set_fact: - var_password_pam_dcredit: '-1' + var_password_pam_ucredit: '-1' tags: - always -- lineinfile: +- name: Ensure PAM variable ucredit is set accordingly + lineinfile: create: true dest: /etc/security/pwquality.conf - line: dcredit = {{ var_password_pam_dcredit }} - regexp: ^#?\s*dcredit - name: Ensure PAM variable dcredit is set accordingly + regexp: ^#?\s*ucredit + line: ucredit = {{ var_password_pam_ucredit }} tags: - - accounts_password_pam_dcredit + - accounts_password_pam_ucredit - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27214-6 - - NIST-800-53-IA-5(1)(a) + - CCE-27200-5 - NIST-800-53-IA-5(b) - NIST-800-53-IA-5(c) - - NIST-800-53-194 + - NIST-800-53-IA-5(1)(a) - PCI-DSS-Req-8.2.3 - - DISA-STIG-RHEL-07-010140 -- name: XCCDF Value var_accounts_passwords_pam_faillock_deny - set_fact: - var_accounts_passwords_pam_faillock_deny: '6' - tags: - - always -- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time - set_fact: - var_accounts_passwords_pam_faillock_unlock_time: '1800' - tags: - - always -- name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval + - DISA-STIG-RHEL-07-010120 +- name: XCCDF Value var_account_disable_post_pw_expiration 
set_fact: - var_accounts_passwords_pam_faillock_fail_interval: '900' + var_account_disable_post_pw_expiration: '90' tags: - always -- name: set auth pam_faillock before pam_unix.so - pamd: - control: sufficient - module_arguments: 'preauth silent deny: {{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time - }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' - module_path: pam_unix.so - name: system-auth - new_control: required - new_module_path: pam_faillock.so - new_type: auth - state: before - type: auth +- name: Set Account Expiration Following Inactivity + lineinfile: + create: true + dest: /etc/default/useradd + regexp: ^INACTIVE + line: INACTIVE={{ var_account_disable_post_pw_expiration }} tags: - - accounts_passwords_pam_faillock_deny + - account_disable_post_pw_expiration - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27350-8 - - NIST-800-53-AC-7(b) - - NIST-800-171-3.1.8 - - PCI-DSS-Req-8.1.6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 -- name: set auth pam_faillock after pam_unix.so - pamd: - control: sufficient - module_arguments: 'preauth silent deny: {{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time - }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' - module_path: pam_unix.so - name: system-auth - new_control: '[default=die]' - new_module_path: pam_faillock.so - new_type: auth - state: after - type: auth + - CCE-27355-7 + - NIST-800-53-AC-2(2) + - NIST-800-53-AC-2(3) + - NIST-800-53-IA-4(e) + - NIST-800-171-3.5.6 + - PCI-DSS-Req-8.1.4 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010310 +- name: XCCDF Value var_accounts_maximum_age_login_defs + set_fact: + var_accounts_maximum_age_login_defs: '90' tags: - - accounts_passwords_pam_faillock_deny - - medium_severity - - restrict_strategy - - low_complexity - - low_disruption - - CCE-27350-8 - - NIST-800-53-AC-7(b) - 
- NIST-800-171-3.1.8 - - PCI-DSS-Req-8.1.6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 -- name: set account pam_faillock before pam_unix.so - pamd: - control: required - module_path: pam_unix.so - name: system-auth - new_control: required - new_module_path: pam_faillock.so - new_type: account - state: before - type: account + - always +- name: Set Password Maximum Age + lineinfile: + create: true + dest: /etc/login.defs + regexp: ^#?PASS_MAX_DAYS + line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} tags: - - accounts_passwords_pam_faillock_deny + - accounts_maximum_age_login_defs - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27350-8 - - NIST-800-53-AC-7(b) - - NIST-800-171-3.1.8 - - PCI-DSS-Req-8.1.6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 -- name: XCCDF Value var_password_pam_unix_remember - set_fact: - var_password_pam_unix_remember: '4' - tags: - - always -- name: Do not allow users to reuse recent passwords - system-auth (change) + - CCE-27051-2 + - NIST-800-53-IA-5(f) + - NIST-800-53-IA-5(g) + - NIST-800-53-IA-5(1)(d) + - NIST-800-171-3.5.6 + - PCI-DSS-Req-8.2.4 + - CJIS-5.6.2.1 + - DISA-STIG-RHEL-07-010250 +- name: Prevent Log In to Accounts With Empty Password - system-auth replace: dest: /etc/pam.d/system-auth follow: true - regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ - replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> + regexp: nullok tags: - - accounts_password_pam_unix_remember - - medium_severity + - no_empty_passwords + - high_severity - configure_strategy - low_complexity - medium_disruption - - CCE-26923-3 - - NIST-800-53-IA-5(f) - - NIST-800-53-IA-5(1)(e) - - NIST-800-171-3.5.8 - - PCI-DSS-Req-8.2.5 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010270 -- name: Do not allow users to reuse recent passwords - system-auth (add) + - CCE-27286-4 + - NIST-800-53-AC-6 + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - NIST-800-53-IA-5(1)(a) + - NIST-800-171-3.1.1 + - 
NIST-800-171-3.1.5 + - PCI-DSS-Req-8.2.3 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-010290 +- name: Prevent Log In to Accounts With Empty Password - password-auth replace: - dest: /etc/pam.d/system-auth + dest: /etc/pam.d/password-auth follow: true - regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ - replace: \g<0> remember={{ var_password_pam_unix_remember }} + regexp: nullok tags: - - accounts_password_pam_unix_remember - - medium_severity + - no_empty_passwords + - high_severity - configure_strategy - low_complexity - medium_disruption - - CCE-26923-3 - - NIST-800-53-IA-5(f) - - NIST-800-53-IA-5(1)(e) - - NIST-800-171-3.5.8 - - PCI-DSS-Req-8.2.5 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010270 + - CCE-27286-4 + - NIST-800-53-AC-6 + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - NIST-800-53-IA-5(1)(a) + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - PCI-DSS-Req-8.2.3 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-010290 - name: XCCDF Value sshd_idle_timeout_value set_fact: sshd_idle_timeout_value: '900' tags: - always -- lineinfile: +- name: Set SSH Idle Timeout Interval + lineinfile: create: true dest: /etc/ssh/sshd_config - line: ClientAliveInterval {{ sshd_idle_timeout_value }} regexp: ^ClientAliveInterval + line: ClientAliveInterval {{ sshd_idle_timeout_value }} validate: sshd -t -f %s - name: Set SSH Idle Timeout Interval tags: - sshd_set_idle_timeout - unknown_severity