Merge pull request #7 from ansible-lockdown/devel
RHEL8 STIG Version 1 Release 1 Signed-off-by: George Nalen <[email protected]>
Showing
7 changed files
with
2,593 additions
and
432 deletions.
@@ -49,40 +49,41 @@ system_is_ec2: false | |
# CAT 1 rules | ||
rhel_08_010000: true | ||
rhel_08_010020: true | ||
rhel_08_010030: true | ||
rhel_08_010140: true | ||
rhel_08_010150: true | ||
rhel_08_010170: true | ||
rhel_08_010370: true | ||
rhel_08_010450: true | ||
rhel_08_010371: true | ||
rhel_08_010460: true | ||
rhel_08_010470: true | ||
rhel_08_010820: true | ||
rhel_08_010830: true | ||
rhel_08_020330: true | ||
rhel_08_040000: true | ||
rhel_08_040010: true | ||
rhel_08_040060: true | ||
rhel_08_040170: true | ||
rhel_08_040180: true | ||
rhel_08_040171: true | ||
rhel_08_040172: true | ||
rhel_08_040190: true | ||
rhel_08_040200: true | ||
rhel_08_040340: true | ||
rhel_08_040360: true | ||
|
||
# CAT 2 rules | ||
rhel_08_010010: true | ||
rhel_08_010030: true | ||
rhel_08_010040: true | ||
rhel_08_010050: true | ||
rhel_08_010060: true | ||
rhel_08_010070: true | ||
rhel_08_010080: true | ||
rhel_08_010090: true | ||
rhel_08_010100: true | ||
rhel_08_010110: true | ||
rhel_08_010120: true | ||
rhel_08_010130: true | ||
rhel_08_010151: true | ||
rhel_08_010160: true | ||
rhel_08_010161: true | ||
rhel_08_010162: true | ||
rhel_08_010170: true | ||
rhel_08_010180: true | ||
rhel_08_010190: true | ||
rhel_08_010200: true | ||
|
@@ -92,31 +93,45 @@ rhel_08_010230: true | |
rhel_08_010240: true | ||
rhel_08_010250: true | ||
rhel_08_010260: true | ||
rhel_08_010270: true | ||
rhel_08_010280: true | ||
rhel_08_010290: true | ||
rhel_08_010291: true | ||
rhel_08_010293: true | ||
rhel_08_010294: true | ||
rhel_08_010295: true | ||
rhel_08_010300: true | ||
rhel_08_010310: true | ||
rhel_08_010320: true | ||
rhel_08_010330: true | ||
rhel_08_010340: true | ||
rhel_08_010350: true | ||
rhel_08_010360: true | ||
# !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO | ||
rhel_08_010372: true | ||
rhel_08_010373: true | ||
rhel_08_010374: true | ||
# !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO (380/381) | ||
rhel_08_010380: false | ||
rhel_08_010381: false | ||
rhel_08_010390: true | ||
rhel_08_010400: true | ||
rhel_08_010410: true | ||
rhel_08_010420: true | ||
rhel_08_010421: true | ||
rhel_08_010422: true | ||
rhel_08_010423: true | ||
rhel_08_010430: true | ||
rhel_08_010450: true | ||
rhel_08_010480: true | ||
rhel_08_010490: true | ||
rhel_08_010500: true | ||
rhel_08_010510: true | ||
rhel_08_010520: true | ||
rhel_08_010521: true | ||
rhel_08_010543: true | ||
rhel_08_010550: true | ||
rhel_08_010560: true | ||
rhel_08_010561: true | ||
rhel_08_010570: true | ||
rhel_08_010571: true | ||
rhel_08_010580: true | ||
rhel_08_010590: true | ||
rhel_08_010600: true | ||
|
@@ -127,7 +142,12 @@ rhel_08_010640: true | |
rhel_08_010650: true | ||
rhel_08_010660: true | ||
rhel_08_010670: true | ||
rhel_08_010680: false | ||
rhel_08_010671: true | ||
rhel_08_010672: true | ||
rhel_08_010673: true | ||
rhel_08_010674: true | ||
rhel_08_010675: true | ||
rhel_08_010680: true | ||
rhel_08_010690: true | ||
rhel_08_010700: true | ||
rhel_08_010710: true | ||
|
@@ -140,11 +160,25 @@ rhel_08_010770: true | |
rhel_08_010780: true | ||
rhel_08_010790: true | ||
rhel_08_010800: true | ||
rhel_08_010810: true | ||
rhel_08_010830: true | ||
rhel_08_020000: true | ||
rhel_08_020010: true | ||
rhel_08_020011: true | ||
rhel_08_020012: true | ||
rhel_08_020013: true | ||
rhel_08_020014: true | ||
rhel_08_020015: true | ||
rhel_08_020016: true | ||
rhel_08_020017: true | ||
rhel_08_020018: true | ||
rhel_08_020019: true | ||
rhel_08_020020: true | ||
rhel_08_020021: true | ||
rhel_08_020022: true | ||
rhel_08_020023: true | ||
rhel_08_020030: true | ||
rhel_08_020040: true | ||
rhel_08_020041: true | ||
rhel_08_020050: true | ||
rhel_08_020060: true | ||
rhel_08_020070: true | ||
|
@@ -164,6 +198,7 @@ rhel_08_020200: true | |
rhel_08_020210: true | ||
rhel_08_020220: true | ||
rhel_08_020230: true | ||
rhel_08_020231: true | ||
rhel_08_020240: true | ||
rhel_08_020250: true | ||
rhel_08_020260: true | ||
|
@@ -174,25 +209,33 @@ rhel_08_020300: true | |
rhel_08_020310: true | ||
rhel_08_020320: true | ||
rhel_08_020350: true | ||
rhel_08_020351: true | ||
rhel_08_020352: true | ||
rhel_08_020353: true | ||
rhel_08_030000: true | ||
rhel_08_030010: true | ||
rhel_08_030020: true | ||
rhel_08_030030: true | ||
rhel_08_030040: true | ||
rhel_08_030050: true | ||
rhel_08_030060: true | ||
rhel_08_030061: true | ||
rhel_08_030062: true | ||
rhel_08_030070: true | ||
rhel_08_030080: true | ||
rhel_08_030090: true | ||
rhel_08_030100: true | ||
rhel_08_030110: true | ||
### When logs folder is set to 600 per STIG auditd fails to start. Need to figure out perms | ||
rhel_08_030120: true | ||
rhel_08_030121: true | ||
rhel_08_030122: true | ||
rhel_08_030130: true | ||
rhel_08_030140: true | ||
rhel_08_030150: true | ||
rhel_08_030160: true | ||
rhel_08_030170: true | ||
rhel_08_030171: true | ||
rhel_08_030172: true | ||
rhel_08_030180: true | ||
rhel_08_030190: true | ||
rhel_08_030200: true | ||
|
@@ -206,12 +249,26 @@ rhel_08_030270: true | |
rhel_08_030280: true | ||
rhel_08_030290: true | ||
rhel_08_030300: true | ||
rhel_08_030301: true | ||
rhel_08_030302: true | ||
rhel_08_030310: true | ||
rhel_08_030311: true | ||
rhel_08_030312: true | ||
rhel_08_030313: true | ||
rhel_08_030314: true | ||
rhel_08_030315: true | ||
rhel_08_030316: true | ||
rhel_08_030317: true | ||
rhel_08_030320: true | ||
rhel_08_030330: true | ||
rhel_08_030340: true | ||
rhel_08_030350: true | ||
rhel_08_030360: true | ||
rhel_08_030361: true | ||
rhel_08_030362: true | ||
rhel_08_030363: true | ||
rhel_08_030364: true | ||
rhel_08_030365: true | ||
rhel_08_030370: true | ||
rhel_08_030380: true | ||
rhel_08_030390: true | ||
|
@@ -240,7 +297,6 @@ rhel_08_030610: true | |
rhel_08_030620: true | ||
rhel_08_030630: true | ||
rhel_08_030640: true | ||
# !!!!!!!!!---------- handlers are overwriting the config change for this item | ||
rhel_08_030650: true | ||
rhel_08_030660: true | ||
rhel_08_030670: true | ||
|
@@ -251,45 +307,99 @@ rhel_08_030710: true | |
rhel_08_030720: true | ||
rhel_08_030730: true | ||
rhel_08_030740: true | ||
rhel_08_040001: true | ||
rhel_08_040002: true | ||
rhel_08_040003: true | ||
rhel_08_040020: true | ||
rhel_08_040030: true | ||
rhel_08_040040: true | ||
rhel_08_040050: true | ||
rhel_08_040070: true | ||
rhel_08_040080: true | ||
rhel_08_040090: true | ||
rhel_08_040100: true | ||
rhel_08_040110: true | ||
rhel_08_040111: true | ||
rhel_08_040120: true | ||
rhel_08_040121: true | ||
rhel_08_040122: true | ||
rhel_08_040123: true | ||
rhel_08_040124: true | ||
rhel_08_040125: true | ||
rhel_08_040126: true | ||
rhel_08_040127: true | ||
rhel_08_040128: true | ||
rhel_08_040129: true | ||
rhel_08_040130: true | ||
rhel_08_040131: true | ||
rhel_08_040132: true | ||
rhel_08_040133: true | ||
rhel_08_040134: true | ||
rhel_08_040135: true | ||
rhel_08_040140: true | ||
rhel_08_040150: true | ||
rhel_08_040160: true | ||
rhel_08_040161: true | ||
rhel_08_040162: true | ||
rhel_08_040180: true | ||
rhel_08_040210: true | ||
rhel_08_040220: true | ||
rhel_08_040230: true | ||
rhel_08_040240: true | ||
rhel_08_040250: true | ||
rhel_08_040260: true | ||
rhel_08_040261: true | ||
rhel_08_040262: true | ||
rhel_08_040270: true | ||
rhel_08_040280: true | ||
rhel_08_040281: true | ||
rhel_08_040282: true | ||
rhel_08_040283: true | ||
rhel_08_040284: true | ||
rhel_08_040285: true | ||
rhel_08_040290: true | ||
rhel_08_040320: true | ||
rhel_08_040330: true | ||
rhel_08_040340: true | ||
rhel_08_040341: true | ||
rhel_08_040350: true | ||
rhel_08_040370: true | ||
rhel_08_040380: true | ||
rhel_08_040390: true | ||
|
||
# CAT 3 rules | ||
rhel_08_010171: true | ||
rhel_08_010292: true | ||
rhel_08_010375: true | ||
rhel_08_010376: true | ||
rhel_08_010440: true | ||
rhel_08_010530: true | ||
rhel_08_010471: true | ||
rhel_08_010540: true | ||
rhel_08_020020: true | ||
rhel_08_010541: true | ||
rhel_08_010542: true | ||
rhel_08_020024: true | ||
rhel_08_020042: true | ||
rhel_08_020340: true | ||
rhel_08_030063: true | ||
rhel_08_030601: true | ||
rhel_08_030602: true | ||
rhel_08_030603: true | ||
rhel_08_030741: true | ||
rhel_08_030742: true | ||
rhel_08_040004: true | ||
rhel_08_040021: true | ||
rhel_08_040022: true | ||
rhel_08_040023: true | ||
rhel_08_040024: true | ||
rhel_08_040025: true | ||
rhel_08_040026: true | ||
rhel_08_040300: true | ||
rhel_08_040310: true | ||
|
||
# Whether or not to run tasks related to auditing/patching the desktop environment | ||
rhel8stig_gui: false | ||
|
||
# Whether or not you need kdump. False will disable service and true will leave service | ||
rhel8stig_kdump_needed: false | ||
|
||
# Whether to configure dconf rules unconditionally (ignoring presence of dconf | ||
# or rhel8stig_gui) | ||
rhel8stig_always_configure_dconf: false | ||
|
@@ -444,13 +554,15 @@ rhel8stig_pam_pwhistory: | |
remember: 5 | ||
retries: 3 | ||
|
||
# RHEL-08-010320 | ||
# RHEL-08-010330 | ||
# RHEL-08-020010 | ||
# RHEL-08-020011 | ||
# RHEL-08-020012 | ||
# RHEL-08-020013 | ||
# pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes. | ||
rhel8stig_pam_faillock: | ||
attempts: 3 | ||
interval: 900 | ||
unlock_time: 900 | ||
unlock_time: 0 | ||
fail_for_root: yes | ||
|
||
# RHEL-08-030670 | ||
|
@@ -493,7 +605,9 @@ rhel8stig_login_defaults: | |
create_home: 'yes' | ||
|
||
# RHEL-08-030690 uncomment and set the value to a remote IP address that can receive audit logs | ||
rhel8stig_audisp_remote_server: 10.10.10.10 | ||
rhel8stig_remotelog_server: | ||
server: 10.10.10.10 | ||
port: 9999 | ||
|
||
# RHEL-08-030020 | ||
rhel8stig_auditd_mail_acct: root | ||
|
@@ -531,8 +645,8 @@ rhel8stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount" | |
|
||
# RHEL-08-010680 | ||
rhel8stig_dns_servers: | ||
- 9.9.9.9 | ||
- 149.112.112.112 | ||
- 8.8.8.8 | ||
- 8.8.4.4 | ||
|
||
rhel8stig_int_gid: 1000 | ||
|
||
|
@@ -569,4 +683,25 @@ rhel8stig_custom_firewall_zone: "new_fw_zone" | |
rhel8stig_white_list_services: | ||
- http | ||
- https | ||
- ssh | ||
- ssh | ||
|
||
# RHEL-08-010290 | ||
# RHEL-08-010290 | ||
# This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file | ||
# to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256 | ||
# to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr | ||
rhel8stig_ssh_macs_settings: "[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,hmac-sha2-512 | ||
GSSAPIKeyExchange no" | ||
# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting | ||
# to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings | ||
# to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr | ||
rhel8stig_ssh_server_crypto_settings: "[email protected],aes256-ctr,aes192-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected] -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected] -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512" | ||
|
||
# RHEL-08-010295 | ||
# This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions | ||
# to conform to STIG standards this variable must contain -VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 | ||
rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" | ||
|
||
# RHEL-08-020070 | ||
# This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less | ||
rhel8stig_tmux_lock_after_time: 900 |
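Review bot: The new defaults for `rhel8stig_ssh_server_crypto_settings` and `rhel8stig_ssh_macs_settings` still list `hmac-sha1`, `aes256-cbc` and `aes128-cbc` next to the SHA-2 MACs and CTR ciphers, while the comments for RHEL-08-010290/010291 directly above say the control calls for hmac-sha2-512,hmac-sha2-256 and aes256-ctr,aes192-ctr,aes128-ctr; a host that keeps these defaults would still negotiate SHA-1 MACs and CBC ciphers, which the STIG check text (only those SHA-2 MACs and CTR ciphers permitted) would flag as a finding. Several tokens in both strings render here as `[email protected]`, which looks like the page mangling `@openssh.com` algorithm suffixes rather than the file's content, so confirm the exact list in the raw file before trimming it. Suggest reducing both defaults to the approved set, e.g. `-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACs=hmac-sha2-512,hmac-sha2-256` for the crypto-policy string, and changing the comments from "must include" to "must be limited to" so the intent is not read as a minimum. The `CHANGE TO TRUE BEFORE FINALIZATION` markers near the top of the file, where `rhel_08_010380: false` and `rhel_08_010381: false` still appear (which side of the diff they are on is not recoverable from this rendering), also look like development leftovers for a merge titled Release 1.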