From 9f40f5130c2acdd5767d03d7861bbc005be3540f Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 8 Jan 2021 08:33:19 -0500 Subject: [PATCH 01/15] Completed section 1 sync with v1 STIG release Signed-off-by: George Nalen --- defaults/main.yml | 16 ++- handlers/main.yml | 3 + tasks/fix-cat1.yml | 267 +++++++++++++++++++++++++++++++-------------- tasks/prelim.yml | 18 +-- 4 files changed, 210 insertions(+), 94 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ecb2e874..587ccff6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,8 @@ rhel8stig_oscap_scan: no rhel8stig_report_dir: /tmp rhel8stig_cat1_patch: true -rhel8stig_cat2_patch: true -rhel8stig_cat3_patch: true +rhel8stig_cat2_patch: false +rhel8stig_cat3_patch: false # We've defined complexity-high to mean that we cannot automatically remediate # the rule in question. In the future this might mean that the remediation @@ -49,21 +49,25 @@ system_is_ec2: false # CAT 1 rules rhel_08_010000: true rhel_08_010020: true -rhel_08_010030: true +# rhel_08_010030: true rhel_08_010140: true rhel_08_010150: true -rhel_08_010170: true +# rhel_08_010170: true rhel_08_010370: true -rhel_08_010450: true +rhel_08_010371: true rhel_08_010460: true +# rhel_08_010450: true +# rhel_08_010460: true rhel_08_010470: true rhel_08_010820: true -rhel_08_010830: true +# rhel_08_010830: true rhel_08_020330: true rhel_08_040000: true rhel_08_040010: true rhel_08_040060: true rhel_08_040170: true +rhel_08_040171: true +rhel_08_040172: true rhel_08_040180: true rhel_08_040190: true rhel_08_040200: true diff --git a/handlers/main.yml b/handlers/main.yml index 75d648dd..7bf6cd35 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,4 +1,7 @@ --- +- name: systemctl daemon-reload + systemd: daemon_reload=yes + - name: restart sshd service: name: sshd diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index d98b88aa..ac9917b7 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
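Review bot: `rhel8stig_cat2_patch` and `rhel8stig_cat3_patch` flip to false, so a default run of the role now remediates only CAT 1 findings, and nothing in defaults/main.yml says why. The second patch on this page sets `rhel8stig_cat3_patch: true` again but leaves CAT 2 off. If this is a temporary state while the CAT 2 tasks are synced to the V1 STIG release, say so next to the value, e.g. `rhel8stig_cat2_patch: false  # CAT 2 tasks not yet synced to STIG V1; re-enable once they are`, so nobody ships a partial hardening run unknowingly.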
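Review bot: `# rhel_08_010460: true` is added as a commented-out line while the live `rhel_08_010460: true` just above it is kept, and tasks/fix-cat1.yml still carries the RHEL-08-010460 task (it gains a `shosts` tag in this same patch), so the comment reads as if the rule had been retired. Drop the commented line, or if 010460 really is being retired, comment out the live one instead. The other commented rules (010030, 010170, 010450, 010830) match tasks this patch removes, so those are consistent.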
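Review bot: `systemd: daemon_reload=yes` uses the free-form key=value argument string, while the neighbouring `restart sshd` handler (and the role's tasks) pass module arguments as block YAML. For consistency, and so the boolean is a real YAML boolean rather than a string Ansible has to coerce, write `systemd:` with `daemon_reload: true` beneath it.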
@@ -125,25 +125,6 @@ tags: - RHEL-08-010020 -- name: "HIGH | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." - block: - - name: "HIGH | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout" - command: lsblk - changed_when: false - failed_when: false - register: rhel_08_010030_partition_layout - - - name: "HIGH | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning" - debug: - msg: - - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm' - - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding" - - "{{ rhel_08_010030_partition_layout.stdout_lines }}" - - when: rhel_08_010030 - tags: - - RHEL-08-010030 - - name: | "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." 
@@ -193,37 +174,19 @@ - grub - bootloader -- name: | - "HIGH | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services." - "HIGH | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." - selinux: - state: enforcing - policy: targeted - check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" - notify: reboot system - when: - - rhel_08_010170 or rhel_08_010450 - - not rhel8stig_system_is_container - - rhel8stig_disruption_high - tags: - - RHEL-08-010170 - - RHEL-08-010450 - - selinux - - disruption_high - -- name: "HIGH | RHEL-08-010370 | PATCH | YUM must be configured to prevent the installation of patches, service packs, device drivers, or RHEL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization." +- name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." block: - - name: "HIGH | RHEL-08-010370 | AUDIT | YUM must be configured to prevent the installation of patches, service packs, device drivers, or RHEL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. | Gather Repos" + - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Gather Repos" find: paths: /etc/yum.repos.d pattern: '*.repo' register: rhel_08_010370_repos_files_list_full - - name: "HIGH | RHEL-08-010370 | AUDIT | YUM must be configured to prevent the installation of patches, service packs, device drivers, or RHEL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. | Flatten result" + - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Flatten result" set_fact: rhel_08_010370_repos_files_list: "{{ rhel_08_010370_repos_files_list_full.files | map(attribute='path') | flatten }}" - - name: "HIGH | RHEL-08-010370 | PATCH | YUM must be configured to prevent the installation of patches, service packs, device drivers, or RHEL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. | Set gpgcheck" + - name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Set gpgcheck" lineinfile: path: "{{ item }}" regexp: '^gpgcheck' 
@@ -234,6 +197,18 @@ - rhel_08_010370 tags: - RHEL-08-010370 + - yum + +- name: "HIGH | RHEL-08-010371 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." + lineinfile: + path: /etc/dnf/dnf.conf + regexp: '^localpkg_gpgcheck=' + line: localpkg_gpgcheck=True + when: + - rhel_08_010371 + tags: + - RHEL-08-010371 + - dnf - name: "HIGH | RHEL-08-010460 | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system." file: @@ -243,6 +218,7 @@ - rhel_08_010460 tags: - RHEL-08-010460 + - shosts - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system." block: @@ -263,6 +239,7 @@ - rhel_08_010470 tags: - RHEL-08-010470 + - shosts - name: "HIGH | RHEL-08-010820 | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed." lineinfile: @@ -276,19 +253,6 @@ tags: - RHEL-08-010820 -- name: "HIGH | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed." - lineinfile: - path: /etc/ssh/sshd_config - regexp: ^PermitUserEnvironment - line: 'PermitUserEnvironment no' - notify: restart sshd - when: - - rhel_08_010830 - - rhel8stig_disruption_high - tags: - - RHEL-08-010830 - - disruption_high - - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." block: - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok" 
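Review bot: The RHEL-08-010371 task appends `localpkg_gpgcheck=True` at end of file whenever no line matches `^localpkg_gpgcheck=`, which lands the key outside `[main]` if /etc/dnf/dnf.conf has any later section, and leaves an existing `localpkg_gpgcheck = 0` or `#localpkg_gpgcheck=` line standing beside the new one. Anchoring the insert and loosening the match covers both: `regexp: '^\s*#?\s*localpkg_gpgcheck\s*='` and `insertafter: '^\[main\]'`. As this is a CAT 1 control, an AUDIT step confirming dnf actually reads the value (`dnf config-manager --dump | grep localpkg_gpgcheck`) would catch a misplaced key.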
@@ -350,30 +314,60 @@ systemd: name: ctrl-alt-del.target masked: yes + notify: systemctl daemon-reload - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Create symlink to /dev/null" file: src: /dev/null dest: /etc/systemd/system/ctrl-alt-del.target state: link + notify: systemctl daemon-reload when: - rhel_08_040170 tags: - RHEL-08-040170 -- name: "HIGH | RHEL-08-040180 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." - copy: - dest: /etc/dconf/db/local.d/00-disable-CAD - content: | - [org/gnome/settings-daemon/plugins/media-keys] - logout='' - mode: '0644' - notify: dconf update +- name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." + block: + - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" + command: grep -s logout /etc/dconf/db/local.d/* + changed_when: false + failed_when: false + register: rhel_08_040171_logout_settings_status + + - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. 
| Add if missing" + lineinfile: + path: /etc/dconf/db/local.d/00-disable-CAD + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + with_items: + - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' } + - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' } + when: rhel_08_040171_logout_settings_status.stdout == "" + + - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" + replace: + path: "{{ rhel_08_040171_logout_settings_status.stdout }}" + regexp: '^[L|l]ogout=.*' + replace: "logout=''" + when: rhel_08_040171_logout_settings_status.stdout != "" when: - - rhel_08_040180 - - rhel8stig_dconf_available + - rhel_08_040171 tags: - - RHEL-08-040180 + - RHEL-08-040171 + +- name: "HIGH | RHEL-08-040172 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled." + lineinfile: + path: /etc/systemd/system.conf + regexp: '^CtrlAltDelBurstAction=|^#CtrlAltDelBurstAction=' + line: CtrlAltDelBurstAction=none + notify: systemctl daemon-reload + when: + - rhel_08_040172 + tags: + - RHEL-08-040172 - name: "HIGH | RHEL-08-040190 | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." dnf: 
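Review bot: The new RHEL-08-040171 tasks write /etc/dconf/db/local.d/00-disable-CAD but never notify the `dconf update` handler the removed 040180 task used, so the key-file change is not compiled into the dconf database and the Ctrl-Alt-Delete binding stays active until someone runs `dconf update`; the `rhel8stig_dconf_available` guard is dropped as well. The existence check `command: grep -s logout /etc/dconf/db/local.d/*` passes the `*` literally (the command module does not go through a shell), so stdout is always empty and the "Edit if exists" branch is dead; even under `shell`, grep prints `file:line` (or the bare line for a single file), not a path, so `path: "{{ ...stdout }}"` cannot work. Use `grep -ls` to list matching files and loop over `stdout_lines`, and fix the character class `'^[L|l]ogout=.*'` (which also matches `|ogout=`) to `'^[Ll]ogout=.*'`.
```yaml
    - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing"
      shell: grep -ls logout /etc/dconf/db/local.d/*
      changed_when: false
      failed_when: false
      register: rhel_08_040171_logout_settings_status

    # … unchanged: "Add if missing" lineinfile task, with `notify: dconf update` added …

    - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists"
      replace:
        path: "{{ item }}"
        regexp: '^[Ll]ogout=.*'
        replace: "logout=''"
      notify: dconf update
      with_items: "{{ rhel_08_040171_logout_settings_status.stdout_lines }}"
      when: rhel_08_040171_logout_settings_status.stdout != ""
```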
@@ -413,20 +407,6 @@ - RHEL-08-040200 - disruption_high -- name: "HIGH | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^.*X11Forwarding' - line: 'X11Forwarding yes' - create: yes - notify: restart sshd - when: - - rhel_08_040340 - - rhel8stig_ssh_required - tags: - - RHEL-08-040340 - - ssh - - name: "HIGH | RHEL-08-040360 | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." dnf: name: vsftpd 
@@ -436,3 +416,132 @@ tags: - RHEL-08-040360 - ftp + +#=============old below this line + +# - name: "HIGH | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." +# block: +# - name: "HIGH | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout" +# command: lsblk +# changed_when: false +# failed_when: false +# register: rhel_08_010030_partition_layout + +# - name: "HIGH | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning" +# debug: +# msg: +# - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm' +# - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding" +# - "{{ rhel_08_010030_partition_layout.stdout_lines }}" + +# when: rhel_08_010030 +# tags: +# - RHEL-08-010030 + + +# - name: | +# "HIGH | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services." +# "HIGH | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." +# selinux: +# state: enforcing +# policy: targeted +# check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" +# notify: reboot system +# when: +# - rhel_08_010170 or rhel_08_010450 +# - not rhel8stig_system_is_container +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010170 +# - RHEL-08-010450 +# - selinux +# - disruption_high + +# - name: "HIGH | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed." 
+# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: ^PermitUserEnvironment +# line: 'PermitUserEnvironment no' +# notify: restart sshd +# when: +# - rhel_08_010830 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010830 +# - disruption_high +# +# - name: "HIGH | RHEL-08-040180 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." +# copy: +# dest: /etc/dconf/db/local.d/00-disable-CAD +# content: | +# [org/gnome/settings-daemon/plugins/media-keys] +# logout='' +# mode: '0644' +# notify: dconf update +# when: +# - rhel_08_040180 +# - rhel8stig_dconf_available +# tags: +# - RHEL-08-040180 + +# - name: "HIGH | RHEL-08-040190 | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." +# dnf: +# name: tftp-server +# state: absent +# when: +# - rhel_08_040190 +# - not rhel8stig_tftp_required +# tags: +# - RHEL-08-040190 +# - tftp + +# - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system." +# block: +# - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0" +# shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" +# changed_when: false +# failed_when: false +# register: rhel_08_040200_nonroot_uid + +# - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0" +# command: "passwd -l {{ item }}" +# with_items: +# - "{{ rhel_08_040200_nonroot_uid.stdout_lines }}" +# when: rhel_08_040200_nonroot_uid.stdout != "" + +# - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. 
| Display accounts that were locked" +# debug: +# msg: +# - "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user" +# - " {{ rhel_08_040200_nonroot_uid.stdout_lines }}" +# when: rhel_08_040200_nonroot_uid.stdout != "" +# when: +# - rhel_08_040200 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-040200 +# - disruption_high + +# - name: "HIGH | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8." +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '^.*X11Forwarding' +# line: 'X11Forwarding yes' +# create: yes +# notify: restart sshd +# when: +# - rhel_08_040340 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-040340 +# - ssh + +# - name: "HIGH | RHEL-08-040360 | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." +# dnf: +# name: vsftpd +# state: absent +# when: +# - rhel_08_040360 +# tags: +# - RHEL-08-040360 +# - ftp \ No newline at end of file diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 0054f38a..a9d0ed1b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -251,15 +251,15 @@ - RHEL-08-010380 - RHEL-08-040310 -- name: "PRELIM | RHEL-08-010170 | RHEL-08-010450 | Install SELinux related dependencies" - dnf: - name: - - libselinux-utils - # - policycoreutils-python-utils - # - selinux-policy-targeted - when: - - rhel_08_010170 or - rhel_08_010450 +# - name: "PRELIM | RHEL-08-010170 | RHEL-08-010450 | Install SELinux related dependencies" +# dnf: +# name: +# - libselinux-utils +# # - policycoreutils-python-utils +# # - selinux-policy-targeted +# when: +# - rhel_08_010170 or +# rhel_08_010450 - name: "PRELIM | Bare bones SSH Server" block: From 3a54feb6215afaf8773f4068b0ae00d87e23d8a6 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 8 Jan 2021 16:18:55 -0500 Subject: [PATCH 02/15] completed cat3 sync with v1 STIG release 
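Review bot: The roughly 130 lines appended after `#=============old below this line` are verbatim copies of the tasks this patch removes, kept as comments; git history already holds them, and commented-out tasks drift from the live ones and confuse a grep for a STIG id (RHEL-08-040190 and RHEL-08-040360 now appear both live and commented in the same file). Drop the block, or if it must stay, reduce it to a one-line pointer to the commit that removed the tasks. The hunk also removes the file's trailing newline (`\ No newline at end of file`), which yamllint flags; the same applies to the commented block appended to tasks/fix-cat3.yml in the second patch.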
Signed-off-by: George Nalen --- defaults/main.yml | 32 ++- handlers/main.yml | 3 + tasks/fix-cat3.yml | 502 +++++++++++++++++++++++++++++++++++++++++++-- tasks/main.yml | 24 +-- tasks/prelim.yml | 17 +- 5 files changed, 543 insertions(+), 35 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 587ccff6..a3385dba 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ rhel8stig_report_dir: /tmp rhel8stig_cat1_patch: true rhel8stig_cat2_patch: false -rhel8stig_cat3_patch: false +rhel8stig_cat3_patch: true # We've defined complexity-high to mean that we cannot automatically remediate # the rule in question. In the future this might mean that the remediation @@ -68,10 +68,10 @@ rhel_08_040060: true rhel_08_040170: true rhel_08_040171: true rhel_08_040172: true -rhel_08_040180: true +# rhel_08_040180: true rhel_08_040190: true rhel_08_040200: true -rhel_08_040340: true +# rhel_08_040340: true rhel_08_040360: true # CAT 2 rules @@ -283,11 +283,33 @@ rhel_08_040330: true rhel_08_040350: true # CAT 3 rules +rhel_08_010171: true +rhel_08_010292: true +rhel_08_010375: true +rhel_08_010376: true rhel_08_010440: true -rhel_08_010530: true +rhel_08_010471: true +# rhel_08_010530: true rhel_08_010540: true -rhel_08_020020: true +rhel_08_010541: true +rhel_08_010542: true +# rhel_08_020020: true +rhel_08_020024: true +rhel_08_020042: true rhel_08_020340: true +rhel_08_030063: true +rhel_08_030601: true +rhel_08_030602: true +rhel_08_030603: true +rhel_08_030741: true +rhel_08_030742: true +rhel_08_040004: true +rhel_08_040021: true +rhel_08_040022: true +rhel_08_040023: true +rhel_08_040024: true +rhel_08_040025: true +rhel_08_040026: true rhel_08_040300: true rhel_08_040310: true diff --git a/handlers/main.yml b/handlers/main.yml index 7bf6cd35..e5fdbe82 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -2,6 +2,9 @@
 - name: systemctl daemon-reload
 systemd: daemon_reload=yes
 
+- name: sysctl system
+ command: sysctl --system
+
 - name: restart sshd
 service:
 name: sshd
diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml
index 3439d8a3..9c6b8dce 100644
--- a/tasks/fix-cat3.yml
+++ b/tasks/fix-cat3.yml
@@ -1,4 +1,79 @@ --- +- name: "LOW | RHEL-08-010171 | PATCH | RHEL 8 must have policycoreutils package installed." + dnf: + name: policycoreutils + when: + - rhel_08_010171 + tags: + - RHEL-08-010171 + - policycoreutils + +- name: "LOW | RHEL-08-010292 | PATCH | RHEL 8 must ensure the SSH server uses strong entropy." + lineinfile: + path: /etc/sysconfig/sshd + regexp: '^SSH_USE_STRONG_RNG=|^.*SSH_USE_STRONG_RNG=' + line: SSH_USE_STRONG_RNG=3 + notify: restart sshd + when: + - rhel_08_010292 + tags: + - RHEL-08-010292 + - sshd + +- name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." + block: + - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.dmesg_restrict =' + line: "kernel.dmesg_restrict = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk + + - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.dmesg_restrict =' + line: "kernel.dmesg_restrict = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010375 + tags: + - RHEL-08-010375 + - sysctl + +- name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." + block: + - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. 
| Set kernel profiling if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.perf_event_paranoid =' + line: 'kernel.perf_event_paranoid = 2' + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk + + - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. | Set kernel profiling no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.perf_event_paranoid =' + line: 'kernel.perf_event_paranoid = 2' + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010376 + tags: + - RHEL-08-010376 + - sysctl + - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8." block: - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Find .conf files" 
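Review bot: In the RHEL-08-010375 and RHEL-08-010376 tasks `regexp: '^kernel.dmesg_restrict ='` (and `'^kernel.perf_event_paranoid ='`) only matches the space-padded form, so an existing `kernel.dmesg_restrict=0` or a commented copy stays in the file and a second line is appended; `sysctl --system` should apply the later line, so the value lands, but the file is left self-contradictory and an auditor grepping it sees both. Use `regexp: '^\s*kernel\.dmesg_restrict\s*='` and `regexp: '^\s*kernel\.perf_event_paranoid\s*='` in all four tasks. The `rhel8stig_sysctlconf_filename` fact these tasks depend on is set outside this hunk (presumably in prelim.yml), and a later-sorted file under /etc/sysctl.d could still override the value, so an AUDIT step reading `sysctl kernel.dmesg_restrict` after the handler would confirm the effective setting.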
@@ -24,40 +99,67 @@ tags: - RHEL-08-010440 -- name: "LOW | RHEL-08-010530 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." +- name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service." + systemd: + name: rngd.service + state: started + enabled: yes + when: + - rhel_08_010471 + tags: + - RHEL-08-010471 + +- name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." + debug: + msg: "WARNING: /var is not mounted on a separate partition" + changed_when: + - rhel8stig_audit_complex + when: + - rhel_08_010540 + - not rhel8stig_system_is_container + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0 + tags: + - RHEL-08-010540 + - complexity-high + - mount + - var + +- name: "LOW | RHEL-08-010541 | AUDIT | RHEL 8 must use a separate file system for /var/log." debug: msg: - - "WARNING!! /var/log/audit is not mounted on a seperate partition" + - "WARNING!! /var/log is not mounted on a seperate partition" changed_when: - rhel8stig_audit_complex when: - - rhel_08_010530 + - rhel_08_010541 - not rhel8stig_system_is_container - rhel8stig_complex - - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0 + - ansible_mounts | selectattr('mount', 'match', '^/var/log$') | list | length == 0 tags: - - RHEL-08-010530 + - RHEL-08-010541 - complexity_high - mount - auditd -- name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." +- name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." debug: - msg: "WARNING: /var is not mounted on a separate partition" + msg: + - "WARNING!! 
/var/log/audit is not mounted on a seperate partition" changed_when: - rhel8stig_audit_complex when: - - rhel_08_010540 + - rhel_08_010542 - not rhel8stig_system_is_container - rhel8stig_complex - - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0 + - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0 tags: - - RHEL-08-021320 - - complexity-high + - RHEL-08-010542 + - complexity_high - mount - - var + - auditd -- name: "LOW | RHEL-08-020020 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." +- name: "LOW | RHEL-08-020024 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." lineinfile: path: /etc/security/limits.conf regexp: '^\* hard maxlogins' @@ -65,9 +167,20 @@ insertbefore: '^# End of file' create: yes when: - - rhel_08_020020 + - rhel_08_020024 + tags: + - RHEL-08-020024 + +- name: "LOW | RHEL-08-020042 | PATCH | RHEL 8 must prevent users from disabling session control mechanisms." + lineinfile: + path: /etc/shells + regexp: 'tmux' + state: absent + when: + - rhel_08_020042 tags: - - RHEL-08-020020 + - RHEL-08-020042 + - tmux - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon." block: 
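Review bot: The three separate-filesystem AUDIT tasks tag inconsistently: RHEL-08-010540 carries `complexity-high` while 010541 and 010542 carry `complexity_high`, so `--tags complexity_high` (or `--skip-tags`) misses one of them; the file now contains both spellings, pick one. RHEL-08-010541 checks `/var/log` but keeps the `auditd` tag copied from the audit-path task; a `log` or `var` tag would describe it. The RHEL-08-010471 task starts `rngd.service` without installing anything; unless prelim.yml (changed in this patch but not shown) installs rng-tools, the task fails on hosts where the unit is absent.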
@@ -96,6 +209,250 @@ tags: - RHEL-08-020340 +- name: "LOW | RHEL-08-030063 | PATCH | RHEL 8 must resolve audit information before writing to disk." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^log_format =' + line: "log_format = ENRICHED" + notify: restart auditd + when: + - rhel_08_030063 + tags: + - RHEL-08-030063 + - auditd + +- name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon." + block: + - name: "LOW | RHEL-08-030601 | AUDIT | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + register: rhel8stig_030601_grub_cmdline_linux + + - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit to 1 as active" + shell: grubby --update-kernel=ALL --args="audit=1" + + - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030601_grub_cmdline_linux.stdout }} audit=1"' + when: '"audit=" not in rhel8stig_030601_grub_cmdline_linux.stdout' + + - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'audit=([^\s|"])+' + replace: "audit=1" + when: '"audit=" in rhel8stig_030601_grub_cmdline_linux.stdout' + when: + - rhel_08_030601 + tags: + - RHEL-08-030601 + - grub + +- name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon." 
+ block: + - name: "LOW | RHEL-08-030602 | AUDIT | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + register: rhel8stig_030602_grub_cmdline_linux + + - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" + shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + + - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030602_grub_cmdline_linux.stdout }} audit_backlog_limit=8192"' + when: '"audit_backlog_limit=" not in rhel8stig_030602_grub_cmdline_linux.stdout' + + - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. 
| Set audit audit_backlog_limit for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'audit_backlog_limit=([^\s|"])+' + replace: "audit_backlog_limit=8192" + when: '"audit_backlog_limit=" in rhel8stig_030602_grub_cmdline_linux.stdout' + when: + - rhel_08_030602 + tags: + - RHEL-08-030602 + - grub + +- name: "LOW | RHEL-08-030603 | PATCH | RHEL 8 must enable Linux audit logging for the USBGuard daemon" + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: '^AuditBackend=' + line: "AuditBackend=LinuxAudit" + create: yes + when: + - rhel_08_030603 + tags: + - RHEL-08-030603 + - usb + +- name: "LOW | RHEL-08-030741 | PATCH | RHEL 8 must disable the chrony daemon from acting as a server." + lineinfile: + path: /etc/chrony.conf + regexp: '^port|#port' + line: "port 0" + when: + - rhel_08_030741 + tags: + - RHEL-08-030741 + - chrony + +- name: "LOW | RHEL-08-030742 | PATCH | RHEL 8 must disable network management of the chrony daemon." + lineinfile: + path: /etc/chrony.conf + regexp: '^cmdport|#cmdport' + line: "cmdport 0" + when: + - rhel_08_030742 + tags: + - RHEL-08-030742 + - chrony + +- name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." + block: + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + register: rhel8stig_040004_grub_cmdline_linux + + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" + shell: grubby --update-kernel=ALL --args="pti=on" + + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. 
| Set pti if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_040004_grub_cmdline_linux.stdout }} pti=on"' + when: '"pti=" not in rhel8stig_040004_grub_cmdline_linux.stdout' + + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti exists" + replace: + path: /etc/default/grub + regexp: 'pti=([^\s|"])+' + replace: "pti=on" + when: '"pti=" in rhel8stig_040004_grub_cmdline_linux.stdout' + when: + - rhel_08_040004 + tags: + - RHEL-08-040004 + - grub + +- name: "LOW | RHEL-08-040021 | PATCH | RHEL 8 must disable the asynchronous transfer mode (ATM) protocol." + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + notify: reboot system + with_items: + - { regexp: '^install ATM', line: 'install ATM /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist ATM', line: 'blacklist ATM', insertafter: '^install ATM /bin/true' } + when: + - rhel_08_040021 + tags: + - RHEL-08-040021 + - modprobe + - atm + +- name: "LOW | RHEL-08-040022 | PATCH | RHEL 8 must disable the controller area network (CAN) protocol." + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + notify: reboot system + with_items: + - { regexp: '^install CAN', line: 'install CAN /bin/true', insertafter: 'EOF' } + - { regexp: 'blacklist CAN', line: 'blacklist CAN', insertafter: '^install CAN /bin/true' } + when: + - rhel_08_040022 + tags: + - RHEL-08-040022 + - modprobe + - can + +- name: "LOW | RHEL-08-040023 | PATCH | RHEL 8 must disable the stream control transmission (SCTP) protocol." 
+ lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + notify: reboot system + with_items: + - { regexp: '^install SCTP', line: 'install SCTP /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist SCTP', line: 'blacklist SCTP', insertafter: '^install SCTP' } + when: + - rhel_08_040023 + tags: + - RHEL-08-040023 + - modprobe + - sctp + +- name: "LOW | RHEL-08-040024 | PATCH | RHEL 8 must disable the transparent inter-process communication (TIPC) protocol." + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + notify: reboot system + with_items: + - { regexp: '^install TIPC', line: 'install TIPC /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist TIPC', line: 'blacklist TIPC', insertafter: '^install TIPC' } + when: + - rhel_08_040024 + tags: + - RHEL-08-040024 + - modprobe + - tipc + +- name: "LOW | RHEL-08-040025 | PATCH | RHEL 8 must disable mounting of cramfs." + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + notify: reboot system + with_items: + - { regexp: '^install cramfs', line: 'install cramfs /bin/true', insertafter: 'EOF' } + - { regexp: 'blacklist cramfs', line: 'blacklist cramfs', insertafter: '^install cramfs' } + when: + - rhel_08_040025 + tags: + - RHEL-08-040025 + - modprobe + - cramfs + +- name: "LOW | RHEL-08-040026 | PATCH | RHEL 8 must disable IEEE 1394 (FireWire) Support." 
+ lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + notify: reboot system + with_items: + - { regexp: '^install firewire-core', line: 'install firewire-core /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist firewire-core', line: 'blacklist firewire-core', insertafter: '^install firewire-core' } + when: + - rhel_08_040026 + tags: + - RHEL-08-040026 + - modprobe + - firewire + - name: | "LOW | RHEL-08-040300 | PATCH | The RHEL 8 file integrity tool must be configured to verify extended attributes." "LOW | RHEL-08-040310 | PATCH | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)." 
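Review bot: The modprobe tasks write `install ATM /bin/true`, `install CAN /bin/true`, `install SCTP /bin/true` and `install TIPC /bin/true`; modprobe matches module names case-sensitively (only `-`/`_` are normalised) and the kernel modules are `atm`, `can`, `sctp` and `tipc`, so these lines satisfy the STIG check text but likely do not prevent the modules from loading — verify with `modprobe -n -v atm` after applying, and consider writing the lowercase names alongside. The `blacklist` regexps are anchored inconsistently (`'^blacklist SCTP'` vs `'blacklist CAN'` and `'blacklist cramfs'`); add `^` to the two unanchored ones. The `grubby --update-kernel=ALL` tasks in 030601, 030602 and 040004 use `shell` for a command with no shell features and have no `changed_when`, so every run reports changed; `command:` with a `changed_when` derived from whether the registered cmdline already held the value would keep the play's reporting idempotent.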
@@ -112,3 +469,118 @@
 - RHEL-08-040300
 - RHEL-08-040310
 - aide
+
+# ======= below this line is old
+# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8."
+# block:
+# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Find .conf files"
+# find:
+# paths: /etc
+# recurse: yes
+# file_type: any
+# depth: 2
+# patterns:
+# - yum.conf
+# - dnf.conf
+# register: rhel_08_010440_package_confs
+
+# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Set settings"
+# lineinfile:
+# path: "{{ item.path }}"
+# regexp: '^.*clean_requirements_on_remove'
+# line: 'clean_requirements_on_remove=True'
+# with_items:
+# - "{{ rhel_08_010440_package_confs.files }}"
+# when:
+# - rhel_08_010440
+# tags:
+# - RHEL-08-010440
+
+# - name: "LOW | RHEL-08-010530 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path."
+# debug:
+# msg:
+# - "WARNING!! /var/log/audit is not mounted on a seperate partition"
+# changed_when:
+# - rhel8stig_audit_complex
+# when:
+# - rhel_08_010530
+# - not rhel8stig_system_is_container
+# - rhel8stig_complex
+# - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0
+# tags:
+# - RHEL-08-010530
+# - complexity_high
+# - mount
+# - auditd
+
+# - name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var."
+# debug:
+# msg: "WARNING: /var is not mounted on a separate partition"
+# changed_when:
+# - rhel8stig_audit_complex
+# when:
+# - rhel_08_010540
+# - not rhel8stig_system_is_container
+# - rhel8stig_complex
+# - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0
+# tags:
+# - RHEL-08-021320
+# - complexity-high
+# - mount
+# - var
+
+# - name: "LOW | RHEL-08-020020 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types."
+# lineinfile:
+# path: /etc/security/limits.conf
+# regexp: '^\* hard maxlogins'
+# line: '* hard maxlogins 10'
+# insertbefore: '^# End of file'
+# create: yes
+# when:
+# - rhel_08_020020
+# tags:
+# - RHEL-08-020020
+
+# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon."
+# block:
+# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Set session required for pam_lastlog.so"
+# pamd:
+# name: postlogin
+# type: session
+# control: optional
+# new_control: required
+# module_path: pam_lastlog.so
+# state: updated
+
+# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Remove default=1 and optional control"
+# pamd:
+# name: postlogin
+# type: session
+# state: args_absent
+# control: "{{ item }}"
+# module_path: pam_lastlog.so
+# module_arguments: silent
+# with_items:
+# - '[default=1]'
+# - required
+# when:
+# - rhel_08_020340
+# tags:
+# - RHEL-08-020340
+
+# - name: |
+# "LOW | RHEL-08-040300 | PATCH | The RHEL 8 file integrity tool must be configured to verify extended attributes."
+# "LOW | RHEL-08-040310 | PATCH | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)."
+# template:
+# src: aide.conf.j2
+# dest: /etc/aide.conf
+# owner: root
+# group: root
+# mode: '0600'
+# when:
+# - rhel_08_040300
+# - rhel_08_040310
+# tags:
+# - RHEL-08-040300
+# - RHEL-08-040310
+# - aide
diff --git a/tasks/main.yml b/tasks/main.yml
index e14017c6..537a379e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -32,19 +32,19 @@
 tags:
 - prelim_tasks
-- name: Include CAT I patches
- import_tasks: fix-cat1.yml
- when: rhel8stig_cat1_patch | bool
- tags:
- - cat1
- - high
+# - name: Include CAT I patches
+# import_tasks: fix-cat1.yml
+# when: rhel8stig_cat1_patch | bool
+# tags:
+# - cat1
+# - high
-- name: Include CAT II patches
- import_tasks: fix-cat2.yml
- when: rhel8stig_cat2_patch | bool
- tags:
- - cat2
- - medium
+# - name: Include CAT II patches
+# import_tasks: fix-cat2.yml
+# when: rhel8stig_cat2_patch | bool
+# tags:
+# - cat2
+# - medium
 - name: Include CAT III patches
 import_tasks: fix-cat3.yml
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index a9d0ed1b..41dc763e 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -28,8 +28,8 @@
 rhel_08_020050 or
 rhel_08_020060 or
 rhel_08_020080 or
- rhel_08_020090 or
- rhel_08_040180
+ rhel_08_020090
+ # rhel_08_040180 - removed from section 1 waiting to see if it comes up somewhere else
 tags:
 - rhel_08_010050
 - rhel_08_020030
@@ -37,7 +37,7 @@
 - rhel_08_020060
 - rhel_08_020080
 - rhel_08_020090
- - rhel_08_040180
+ # - rhel_08_040180 - removed from section 1 waiting to see if it comes up somewhere else
 - name: "PRELIM | Find all sudoers files."
 command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
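Review bot: The roughly 115 commented-out tasks added under `# ======= below this line is old` are dead code that will drift from the live copies; git history already keeps the pre-sync versions, so I would delete the region rather than carry it in the file. The stale copies are already inconsistent with themselves — the commented RHEL-08-010540 task carries `# - RHEL-08-021320` as its tag. The same applies to the `# ===========below here is old===========` regions added to tasks/fix-cat2.yml in the later patches of this series (the `@@ -197,6 +214,226 @@` and `@@ -434,44 +502,44 @@` hunks).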
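Review bot: Commenting out the CAT I and CAT II `import_tasks` in tasks/main.yml leaves `rhel8stig_cat1_patch` with no effect, so anyone consuming this commit silently gets none of the CAT I or CAT II remediation even though the variable says they are enabled. The `when: rhel8stig_cat1_patch | bool` gate on each include already exists for exactly this purpose; if the intent is to skip those categories while the sync is in progress, flip the defaults instead and leave the includes in place so the control flow stays readable and greppable.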
@@ -334,3 +334,14 @@
 - name: "PRELIM | Setting the fact"
 set_fact:
 rhel8stig_interactive_uid_min: "{{ rhel8stig_interactive.stdout | int }}"
+
+- name: "PRELIM | Find sysctl config file name | RHEL-08-010372 | RHEL-08-010373 | RHEL-08-010374 | RHEL-08-010375 | RHEL-08-010376"
+ find:
+ paths: /etc/sysctl.d
+ patterns: '.*sysctl.conf'
+ use_regex: yes
+ file_type: any
+ register: rhel8stig_sysctlconf_filename
+ when:
+ - rhel_08_010375 or
+ rhel_08_010376
\ No newline at end of file
From f2d95e7668063e79a30bd704da710922e00af633 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 8 Jan 2021 17:10:14 -0500
Subject: [PATCH 03/15] started cat2 sync with v1 STIG release
Signed-off-by: George Nalen
---
 defaults/main.yml | 9 +-
 tasks/fix-cat2.yml | 265 ++++++++++++++++++++++++++++++++++++++++++---
 tasks/main.yml | 24 ++-
 3 files changed, 269 insertions(+), 29 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index a3385dba..f559ed2b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,8 +6,8 @@ rhel8stig_oscap_scan: no
 rhel8stig_report_dir: /tmp
 rhel8stig_cat1_patch: true
-rhel8stig_cat2_patch: false
-rhel8stig_cat3_patch: true
+rhel8stig_cat2_patch: true
+rhel8stig_cat3_patch: false
 # We've defined complexity-high to mean that we cannot automatically remediate
 # the rule in question. In the future this might mean that the remediation
@@ -76,17 +76,20 @@ rhel_08_040360: true
 # CAT 2 rules
 rhel_08_010010: true
+rhel_08_010030: true
 rhel_08_010040: true
 rhel_08_010050: true
 rhel_08_010060: true
 rhel_08_010070: true
-rhel_08_010080: true
+# rhel_08_010080: true
 rhel_08_010090: true
 rhel_08_010100: true
 rhel_08_010110: true
 rhel_08_010120: true
 rhel_08_010130: true
+rhel_08_010151: true
 rhel_08_010160: true
+rhel_08_010161: true
 rhel_08_010180: true
 rhel_08_010190: true
 rhel_08_010200: true
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 6283ca2c..533089a0 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
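Review bot: The `when:` on the new "Find sysctl config file name" task only checks `rhel_08_010375 or rhel_08_010376`, while its name lists RHEL-08-010372 through RHEL-08-010376; if the 010372–010374 tasks (not visible here) also read `rhel8stig_sysctlconf_filename`, they will hit an undefined variable whenever only those rules are enabled. Either extend the condition to all five flags or trim the name to the rules that actually consume the fact. Two smaller points: with `use_regex: yes` the pattern `'.*sysctl.conf'` has an unescaped dot, so `'.*sysctl\.conf$'` states what is meant, and the file now ends without a trailing newline (`\ No newline at end of file`).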
@@ -9,6 +9,25 @@
 tags:
 - RHEL-08-010010
+- name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."
+ block:
+ - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout"
+ command: lsblk
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010030_partition_layout
+
+ - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning"
+ debug:
+ msg:
+ - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm'
+ - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding"
+ - "{{ rhel_08_010030_partition_layout.stdout_lines }}"
+
+ when: rhel_08_010030
+ tags:
+ - RHEL-08-010030
+
 - name: |
 "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon."
 "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon"
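Review bot: The warning text in the new RHEL-08-010030 debug task names `/var` as an example of a pseudo file system, which inverts the guidance: `/var` is a persistent partition the rule expects to be encrypted, whereas `/sys`, `/proc` and tmpfs mounts are the ones an operator should exclude. I would rewrite that line to something like `- "every persistent disk partition has an entry. Any partition other than pseudo file systems (such as /proc, /sys or tmpfs) that is missing from /etc/crypttab is a finding"`, which also fixes the `psuedo` typo and the dangling `If partitions ...` clause. Since this task only prints and never changes state, an operator acting on the message is the whole remediation, so the wording matters more than usual.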
@@ -74,20 +93,6 @@
 tags:
 - RHEL-08-010070
-- name: "MEDIUM | RHEL-08-010080 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections"
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '(?i)^Ciphers.*'
- line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr
- insertafter: '# Ciphers and keying'
- notify: restart sshd
- when:
- - rhel_08_010080
- - rhel8stig_ssh_required
- tags:
- - RHEL-08-010080
- - ssh
-
 # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm.
 - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."
 block:
@@ -181,6 +186,18 @@
 tags:
 - RHEL-08-010130
+- name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes."
+ lineinfile:
+ path: /usr/lib/systemd/system/rescue.service
+ regexp: '^ExecStart='
+ line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
+ create: yes
+ when:
+ - rhel_08_010151
+ tags:
+ - RHEL-08-010151
+ - systemd
+
 - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument"
 pamd:
 name: "{{ item }}"
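Review bot: The RHEL-08-010151 task in the second hunk edits `/usr/lib/systemd/system/rescue.service` in place but nothing triggers a daemon-reload, so a systemd that already has the unit loaded may keep the old `ExecStart=` until something else reloads; add `notify: systemctl daemon-reload` (or whatever the role's daemon-reload handler is named). `create: yes` is also risky here: if the unit file is absent, lineinfile produces a file holding only an `ExecStart=` line with no `[Service]` section, which systemd rejects — drop `create` and let the task fail loudly instead. Editing a vendor unit under /usr/lib is additionally overwritten by the next systemd package update; a drop-in under /etc/systemd/system/rescue.service.d/ would persist, though that is a larger change than this hunk.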
@@ -197,6 +214,226 @@
 tags:
 - RHEL-08-010160
+- name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication."
+ block:
+ - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files"
+ find:
+ path: /
+ patterns: '*.keytab'
+ recurse: yes
+ register: rhel8stig_010161_keytab_files
+
+ - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files"
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ with_items:
+ - "{{ rhel8stig_010161_keytab_files.files }}"
+ when: rhel8stig_010161_keytab_files.matched > 0
+ when:
+ - rhel_08_010161
+ tags:
+ - RHEL-08-010161
+ - kerberos
+# ===========below here is old===========
+# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date."
+# dnf:
+# name: "*"
+# state: latest
+# when:
+# - not system_is_ec2
+# - rhel_08_010010
+# tags:
+# - RHEL-08-010010
+
+# - name: |
+# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon."
+# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon"
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path""
+# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path""
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^.*banner'
+# line: 'Banner /etc/issue'
+
+# - name: |
+# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message""
+# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message""
+# copy:
+# dest: /etc/issue
+# content: "{{ rhel8stig_logon_banner }}"
+# owner: root
+# group: root
+# mode: '0644'
+# notify: restart sshd
+# when:
+# # - not system_is_ec2
+# - rhel_08_010040 or
+# rhel_08_010060
+# tags:
+# - RHEL-08-010040
+# - RHEL-08-010060
+
+# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."
+# copy:
+# dest: /etc/dconf/db/local.d/01-banner-message
+# content: |
+# [org/gnome/login-screen]
+# banner-message-enable=true
+# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}'
+# mode: '0644'
+# owner: root
+# group: root
+# vars:
+# newline: "\n"
+# notify: dconf update
+# when:
+# - rhel_08_010050
+# - rhel8stig_dconf_available
+# tags:
+# - RHEL-08-010050
+
+# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored."
+# lineinfile:
+# path: /etc/rsyslog.d/50-default.conf
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# create: yes
+# mode: '0644'
+# notify: restart rsyslog
+# with_items:
+# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' }
+# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' }
+# when:
+# - rhel_08_010070
+# tags:
+# - RHEL-08-010070
+
+# - name: "MEDIUM | RHEL-08-010080 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections"
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^Ciphers.*'
+# line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr
+# insertafter: '# Ciphers and keying'
+# notify: restart sshd
+# when:
+# - rhel_08_010080
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010080
+# - ssh
+
+# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm.
+# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."
+# block:
+# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs"
+# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010090_certs_list
+
+# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs"
+# debug:
+# msg:
+# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD"
+# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem"
+# - "{{ rhel_08_010090_certs_list.stdout_lines }}"
+# when:
+# - rhel_08_010090
+# tags:
+# - RHEL-08-010090
+
+# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key."
+# block:
+# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder"
+# file:
+# path: "{{ rhel8stig_path_to_sshkey }}"
+# state: directory
+# mode: '0700'
+
+# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair"
+# openssh_keypair:
+# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa"
+# when:
+# - rhel_08_010100
+# tags:
+# - RHEL-08-010100
+
+# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm."
+# lineinfile:
+# path: /etc/login.defs
+# regexp: '^ENCRYPT_METHOD.*'
+# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}"
+# when:
+# - rhel_08_010110
+# tags:
+# - RHEL-08-010110
+# - login
+
+# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords."
+# block:
+# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing"
+# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:'
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010120_non_fips_hashed_accounts
+
+# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing"
+# command: "passwd -l {{ item }}"
+# with_items:
+# -"{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
+# when:
+# - rhel_08_010120_non_fips_hashed_accounts.stdout != ""
+
+# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts"
+# debug:
+# msg:
+# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG"
+# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
+# when:
+# - not rhel8stig_disruption_high
+# - rhel_08_010120_non_fips_hashed_accounts.stdout != ""
+# when:
+# - rhel_08_010120
+# - rhel8stig_disruption_high
+# tags:
+# - RHEL-08-010120
+# - disruption_high
+
+# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument"
+# pamd:
+# name: "{{ item }}"
+# type: password
+# control: sufficient
+# module_path: pam_unix.so
+# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}"
+# state: args_present
+# with_items:
+# - password-auth
+# - system-auth
+# when:
+# - rhel_08_010130
+# tags:
+# - RHEL-08-010130
+
+# - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument"
+# pamd:
+# name: "{{ item }}"
+# type: password
+# control: sufficient
+# module_path: pam_unix.so
+# module_arguments: sha512
+# state: args_present
+# with_items:
+# - password-auth
+# - system-auth
+# when:
+# - rhel_08_010160
+# tags:
+# - RHEL-08-010160
+
 - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources."
 block:
 - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root"
diff --git a/tasks/main.yml b/tasks/main.yml
index 537a379e..e14017c6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -32,19 +32,19 @@
 tags:
 - prelim_tasks
-# - name: Include CAT I patches
-# import_tasks: fix-cat1.yml
-# when: rhel8stig_cat1_patch | bool
-# tags:
-# - cat1
-# - high
+- name: Include CAT I patches
+ import_tasks: fix-cat1.yml
+ when: rhel8stig_cat1_patch | bool
+ tags:
+ - cat1
+ - high
-# - name: Include CAT II patches
-# import_tasks: fix-cat2.yml
-# when: rhel8stig_cat2_patch | bool
-# tags:
-# - cat2
-# - medium
+- name: Include CAT II patches
+ import_tasks: fix-cat2.yml
+ when: rhel8stig_cat2_patch | bool
+ tags:
+ - cat2
+ - medium
 - name: Include CAT III patches
 import_tasks: fix-cat3.yml
From 504a7c587cb20eaf4f6215c99af78cf47905802f Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Mon, 11 Jan 2021 08:49:07 -0500
Subject: [PATCH 04/15] cat2 synced with release of STIG 010010 - 010190
Signed-off-by: George Nalen
---
 defaults/main.yml | 5 +-
 tasks/fix-cat2.yml | 138 +++++++++++++++++++++++++++++++++------------
 tasks/prelim.yml | 18 +++---
 3 files changed, 116 insertions(+), 45 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index f559ed2b..398b0959 100644
--- a/defaults/main.yml
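Review bot: The RHEL-08-010161 block at the top of this hunk runs `find` with `path: /` and `recurse: yes` and then deletes every `*.keytab` match, which walks the whole filesystem (including /proc, /sys and any network mounts) and removes keytabs in home directories and application data, not only the system daemons' keytabs the rule is about. As far as I recall, the STIG check and fix for this rule look at `/etc/*.keytab`, so scoping the search to `paths: /etc` (or making the search root a variable) matches the control and avoids an expensive and destructive full-tree walk; worth confirming against the rule text before merging. Note also that `path:` is only an alias of the find module's `paths` parameter; using the canonical spelling matches the `paths:` used elsewhere in the role.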
+++ b/defaults/main.yml
@@ -52,7 +52,7 @@ rhel_08_010020: true
 # rhel_08_010030: true
 rhel_08_010140: true
 rhel_08_010150: true
-# rhel_08_010170: true
+# rhel_08_010170: true - Moved to cat2
 rhel_08_010370: true
 rhel_08_010371: true
 rhel_08_010460: true
@@ -90,6 +90,8 @@ rhel_08_010130: true
 rhel_08_010151: true
 rhel_08_010160: true
 rhel_08_010161: true
+rhel_08_010162: true
+rhel_08_010170: true
 rhel_08_010180: true
 rhel_08_010190: true
 rhel_08_010200: true
@@ -116,6 +118,7 @@ rhel_08_010400: true
 rhel_08_010410: true
 rhel_08_010420: true
 rhel_08_010430: true
+rhel_08_010450: true
 rhel_08_010480: true
 rhel_08_010490: true
 rhel_08_010500: true
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 533089a0..8b22c410 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -235,6 +235,74 @@
 tags:
 - RHEL-08-010161
 - kerberos
+
+- name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8."
+ dnf:
+ name: krb5-workstation
+ state: absent
+ when:
+ - rhel_08_010162
+ tags:
+ - RHEL-08-010162
+ - kerberos
+
+- name: |
+ "HIGH | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services."
+ "HIGH | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
+ selinux:
+ state: enforcing
+ policy: targeted
+ check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}"
+ notify: reboot system
+ when:
+ - rhel_08_010170 or rhel_08_010450
+ - not rhel8stig_system_is_container
+ - rhel8stig_disruption_high
+ tags:
+ - RHEL-08-010170
+ - RHEL-08-010450
+ - selinux
+ - disruption_high
+
+- name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources."
+ block:
+ - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root"
+ shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010180_public_not_root_owned
+
+ - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders"
+ file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ with_items:
+ - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}"
+ when:
+ - rhel_08_010180
+ tags:
+ - RHEL-08-010180
+
+- name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources."
+ block:
+ - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories"
+ shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010190_world_writable_files
+
+ - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files"
+ file:
+ path: "{{ item }}"
+ mode: '1777'
+ with_items:
+ - "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
+ when:
+ - rhel_08_010190
+ tags:
+ - RHEL-08-010190
+
 # ===========below here is old===========
 # - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date."
 # dnf:
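Review bot: In the moved RHEL-08-010180 and RHEL-08-010190 tasks both `shell` pipelines end in `sed 's/.* //'`, which keeps only the text after the last space, so any directory path containing a space is truncated and the following `file:` task then acts on the wrong path or fails. Emitting the paths directly — `shell: "find / ! -user root -type d -perm -0002 -print 2>/dev/null"` for 010180 and dropping the `| sed ...` from 010190 — is simpler and safe for such names. Separately, 010190 sets `mode: '1777'`, which widens a directory that was, say, `0702` to full rwx for everyone instead of only adding the sticky bit; the symbolic `mode: 'o+t'` does exactly what the rule asks. The 010170/010450 task in this same hunk is still labelled `HIGH` although it now lives in the CAT II file and is toggled from the CAT 2 section of defaults/main.yml.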
@@ -434,44 +502,44 @@
 # tags:
 # - RHEL-08-010160
-- name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources."
- block:
- - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root"
- shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'"
- changed_when: false
- failed_when: false
- register: rhel_08_010180_public_not_root_owned
+# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources."
+# block:
+# - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root"
+# shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010180_public_not_root_owned
- - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders"
- file:
- path: "{{ item }}"
- owner: root
- group: root
- with_items:
- - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}"
- when:
- - rhel_08_010180
- tags:
- - RHEL-08-010180
+# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders"
+# file:
+# path: "{{ item }}"
+# owner: root
+# group: root
+# with_items:
+# - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}"
+# when:
+# - rhel_08_010180
+# tags:
+# - RHEL-08-010180
-- name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources."
- block:
- - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories"
- shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'"
- changed_when: false
- failed_when: false
- register: rhel_08_010190_world_writable_files
+# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources."
+# block:
+# - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories"
+# shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010190_world_writable_files
- - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files"
- file:
- path: "{{ item }}"
- mode: '1777'
- with_items:
- - "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
- when:
- - rhel_08_010190
- tags:
- - RHEL-08-010190
+# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files"
+# file:
+# path: "{{ item }}"
+# mode: '1777'
+# with_items:
+# - "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
+# when:
+# - rhel_08_010190
+# tags:
+# - RHEL-08-010190
 - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."
 lineinfile:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 41dc763e..3d8b48a8 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -251,15 +251,15 @@
 - RHEL-08-010380
 - RHEL-08-040310
-# - name: "PRELIM | RHEL-08-010170 | RHEL-08-010450 | Install SELinux related dependencies"
-# dnf:
-# name:
-# - libselinux-utils
-# # - policycoreutils-python-utils
-# # - selinux-policy-targeted
-# when:
-# - rhel_08_010170 or
-# rhel_08_010450
+- name: "PRELIM | RHEL-08-010170 | RHEL-08-010450 | Install SELinux related dependencies"
+ dnf:
+ name:
+ - libselinux-utils
+ # - policycoreutils-python-utils
+ # - selinux-policy-targeted
+ when:
+ - rhel_08_010170 or
+ rhel_08_010450
 - name: "PRELIM | Bare bones SSH Server"
 block:
From 5ffd0c15da2e8b752d34e65c847260a329bf2861 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Mon, 11 Jan 2021 09:16:15 -0500
Subject: [PATCH 05/15] cat2 synced with release of STIG 010200 - 010291
Signed-off-by: George Nalen
---
 defaults/main.yml | 5 +-
 tasks/fix-cat2.yml | 266 +++++++++++++++++++++++++++++----------------
 2 files changed, 178 insertions(+), 93 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 398b0959..2df8c44c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -101,9 +101,10 @@ rhel_08_010230: true
 rhel_08_010240: true
 rhel_08_010250: true
 rhel_08_010260: true
-rhel_08_010270: true
-rhel_08_010280: true
+# rhel_08_010270: true
+# rhel_08_010280: true
 rhel_08_010290: true
+rhel_08_010291: true
 rhel_08_010300: true
 rhel_08_010310: true
 rhel_08_010320: true
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 8b22c410..ba759685 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -303,6 +303,90 @@ tags: - RHEL-08-010190 +- name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." + lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart sshd + with_items: + - { regexp: '^.*ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} + - { regexp: '^.*ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } + when: + - rhel_08_010200 + - rhel8stig_ssh_required + tags: + - RHEL-08-010200 + - ssh + +- name: | + "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." + "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." + "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." + file: + path: /var/log/messages + owner: root + group: root + mode: '0640' + when: + - rhel_08_010210 or + rhel_08_010220 or + rhel_08_010230 + tags: + - RHEL-08-010210 + - RHEL-08-010220 + - RHEL-08-010230 + +- name: | + "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." + "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." + file: + path: /var/log + owner: root + group: root + mode: '0755' + when: + - rhel_08_010240 or + rhel_08_010250 or + rhel_08_010260 + tags: + - RHEL-08-010240 + - RHEL-08-010250 + - RHEL-08-010260 + +- name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." 
+ block: + - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" + command: fips-mode-setup --check + changed_when: false + failed_when: false + register: rhel_08_010290_pre_fips_check + + - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" + command: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: reboot system + when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' + when: + - rhel_08_010290 + tags: + - RHEL-08-010290 + - FIPS + +- name: "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^Ciphers.*' + line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr + insertafter: '# Ciphers and keying' + notify: restart sshd + when: + - rhel_08_010291 + - rhel8stig_ssh_required + tags: + - RHEL-08-010291 + - ssh # ===========below here is old=========== # - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." # dnf: 
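Review bot: In the RHEL-08-010290 block the `fips-mode-setup --check` task runs with `failed_when: false` and the `--enable` task is gated only on `"disabled" in rhel_08_010290_pre_fips_check.stdout`, so if the tool is absent or the check errors, stdout is empty, the enable step is skipped and the control ends the run unremediated with no failure or warning. Add a guard task after the check, e.g. `- fail: msg: "fips-mode-setup --check returned no recognizable FIPS state" when: '"enabled" not in rhel_08_010290_pre_fips_check.stdout and "disabled" not in rhel_08_010290_pre_fips_check.stdout'`, or drop `failed_when: false` so a broken check surfaces. The block is also named for the SSH MACs/ciphers requirement but only toggles FIPS mode and never writes a `MACs` setting, while RHEL-08-010291 hard-codes `Ciphers aes128-ctr,aes192-ctr,aes256-ctr` into `/etc/ssh/sshd_config`; on RHEL 8 sshd's algorithm set is normally driven by the system crypto-policy back-end, so confirm against the STIG check text whether a `sshd_config` override is what the check inspects before relying on it.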
@@ -541,103 +625,103 @@ # tags: # - RHEL-08-010190 -- name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." - lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: restart sshd - with_items: - - { regexp: '^.*ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} - - { regexp: '^.*ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } - when: - - rhel_08_010200 - - rhel8stig_ssh_required - tags: - - RHEL-08-010200 - - ssh +# - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# notify: restart sshd +# with_items: +# - { regexp: '^.*ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} +# - { regexp: '^.*ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } +# when: +# - rhel_08_010200 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010200 +# - ssh -- name: | - "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." - "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." - "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." 
- file: - path: /var/log/messages - owner: root - group: root - mode: '0640' - when: - - rhel_08_010210 or - rhel_08_010220 or - rhel_08_010230 - tags: - - RHEL-08-010210 - - RHEL-08-010220 - - RHEL-08-010230 +# - name: | +# "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." +# "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." +# "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." +# file: +# path: /var/log/messages +# owner: root +# group: root +# mode: '0640' +# when: +# - rhel_08_010210 or +# rhel_08_010220 or +# rhel_08_010230 +# tags: +# - RHEL-08-010210 +# - RHEL-08-010220 +# - RHEL-08-010230 -- name: | - "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0770 or less permissive." - "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." - "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." - file: - path: /var/log - owner: root - group: root - mode: '0770' - when: - - rhel_08_010240 or - rhel_08_010250 or - rhel_08_010260 - tags: - - RHEL-08-010240 - - RHEL-08-010250 - - RHEL-08-010260 +# - name: | +# "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0770 or less permissive." +# "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." +# "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." +# file: +# path: /var/log +# owner: root +# group: root +# mode: '0770' +# when: +# - rhel_08_010240 or +# rhel_08_010250 or +# rhel_08_010260 +# tags: +# - RHEL-08-010240 +# - RHEL-08-010250 +# - RHEL-08-010260 -- name: | - "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive." - "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root." 
- block: - - name: | - "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Find audit log files" - "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. | Find audit log files" - shell: cat /etc/audit/auditd.conf | grep "^log_file " | cut -f2 -d= | sed 's/^[ \t]*//;s/[ \t]*$//' - changed_when: false - failed_when: false - register: rhel_08_010270_audit_log_location +# - name: | +# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive." +# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root." +# block: +# - name: | +# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Find audit log files" +# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. | Find audit log files" +# shell: cat /etc/audit/auditd.conf | grep "^log_file " | cut -f2 -d= | sed 's/^[ \t]*//;s/[ \t]*$//' +# changed_when: false +# failed_when: false +# register: rhel_08_010270_audit_log_location - # I have this set to 750 since 600 is too restrictive for auditd to work - - name: | - "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Set permissions" - "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. | Set permissions" - file: - path: "{{ rhel_08_010270_audit_log_location.stdout }}" - owner: root - mode: '0750' - when: - - rhel_08_010270 or - rhel_08_010280 - tags: - - RHEL-08-010270 - - RHEL-08-010280 +# # I have this set to 750 since 600 is too restrictive for auditd to work +# - name: | +# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Set permissions" +# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. 
| Set permissions" +# file: +# path: "{{ rhel_08_010270_audit_log_location.stdout }}" +# owner: root +# mode: '0750' +# when: +# - rhel_08_010270 or +# rhel_08_010280 +# tags: +# - RHEL-08-010270 +# - RHEL-08-010280 -- name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." - block: - - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" - command: fips-mode-setup --check - changed_when: false - failed_when: false - register: rhel_08_010290_pre_fips_check +# - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." +# block: +# - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" +# command: fips-mode-setup --check +# changed_when: false +# failed_when: false +# register: rhel_08_010290_pre_fips_check - - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. 
| Enable FIPS" - command: fips-mode-setup --enable - register: rhel_08_010290_fips_enable - notify: reboot system - when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' - when: - - rhel_08_010290 - tags: - - RHEL-08-010290 - - FIPS +# - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" +# command: fips-mode-setup --enable +# register: rhel_08_010290_fips_enable +# notify: reboot system +# when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' +# when: +# - rhel_08_010290 +# tags: +# - RHEL-08-010290 +# - FIPS - name: | "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." From 0ca9f2cf4da1b7937f0a533136637b320be44bf7 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 11 Jan 2021 16:57:32 -0500 Subject: [PATCH 06/15] cat2 synced with release of STIG 010293 - 10672 Signed-off-by: George Nalen --- defaults/main.yml | 336 ++++---- tasks/fix-cat2.yml | 1986 ++++++++++++++++++++++++++++++++------------ tasks/prelim.yml | 5 +- 3 files changed, 1643 insertions(+), 684 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2df8c44c..4cab1cfa 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -105,6 +105,9 @@ rhel_08_010260: true # rhel_08_010280: true rhel_08_010290: true rhel_08_010291: true +rhel_08_010293: true +rhel_08_010294: true +rhel_08_010295: true rhel_08_010300: true rhel_08_010310: true rhel_08_010320: true 
@@ -112,12 +115,20 @@ rhel_08_010330: true
 rhel_08_010340: true
 rhel_08_010350: true
 rhel_08_010360: true
-# !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO
+rhel_08_010372: true
+rhel_08_010373: true
+rhel_08_010374: true
+# !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO (380/381)
+# below set to false when running, don't change back to true after testing
 rhel_08_010380: false
+rhel_08_010381: false
 rhel_08_010390: true
 rhel_08_010400: true
 rhel_08_010410: true
 rhel_08_010420: true
+rhel_08_010421: true
+rhel_08_010422: true
+rhel_08_010423: true
 rhel_08_010430: true
 rhel_08_010450: true
 rhel_08_010480: true
@@ -125,9 +136,13 @@ rhel_08_010490: true
 rhel_08_010500: true
 rhel_08_010510: true
 rhel_08_010520: true
+rhel_08_010521: true
+rhel_08_010543: true
 rhel_08_010550: true
 rhel_08_010560: true
+rhel_08_010561: true
 rhel_08_010570: true
+rhel_08_010571: true
 rhel_08_010580: true
 rhel_08_010590: true
 rhel_08_010600: true
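Review bot: `rhel_08_010380: false` and the new `rhel_08_010381: false` ship two sudo-authentication controls disabled for every consumer of the role's defaults, and the two comments above them contradict each other (`CHANGE TO TRUE BEFORE FINALIZATION` against `don't change back to true after testing`). If the only reason is to keep the Vagrant test user working, the defaults should stay `true` and the test inventory or a vars file should set them to `false`; otherwise replace both comments with one that states the shipped default and its reason, e.g. `# Default false: disables the sudo re-authentication controls; set true in production inventories`. A disabled-by-default control that looks like a leftover testing toggle is easy to miss in a compliance review.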
@@ -138,156 +153,159 @@ rhel_08_010640: true rhel_08_010650: true rhel_08_010660: true rhel_08_010670: true +rhel_08_010671: true +rhel_08_010672: true +# below set to false when running, don't change back after testing rhel_08_010680: false -rhel_08_010690: true -rhel_08_010700: true -rhel_08_010710: true -rhel_08_010720: true -rhel_08_010730: true -rhel_08_010740: true -rhel_08_010750: true -rhel_01_010760: true -rhel_08_010770: true -rhel_08_010780: true -rhel_08_010790: true -rhel_08_010800: true -rhel_08_010810: true -rhel_08_020000: true -rhel_08_020010: true -rhel_08_020030: true -rhel_08_020040: true -rhel_08_020050: true -rhel_08_020060: true -rhel_08_020070: true -rhel_08_020080: true -rhel_08_020090: true -rhel_08_020100: true -rhel_08_020110: true -rhel_08_020120: true -rhel_08_020130: true -rhel_08_020140: true -rhel_08_020150: true -rhel_08_020160: true -rhel_08_020170: true -rhel_08_020180: true -rhel_08_020190: true -rhel_08_020200: true -rhel_08_020210: true -rhel_08_020220: true -rhel_08_020230: true -rhel_08_020240: true -rhel_08_020250: true -rhel_08_020260: true -rhel_08_020270: true -rhel_08_020280: true -rhel_08_020290: true -rhel_08_020300: true -rhel_08_020310: true -rhel_08_020320: true -rhel_08_020350: true -rhel_08_030000: true -rhel_08_030010: true -rhel_08_030020: true -rhel_08_030030: true -rhel_08_030040: true -rhel_08_030050: true -rhel_08_030060: true -rhel_08_030070: true -rhel_08_030080: true -rhel_08_030090: true -rhel_08_030100: true -rhel_08_030110: true +rhel_08_010690: false +rhel_08_010700: false +rhel_08_010710: false +rhel_08_010720: false +rhel_08_010730: false +rhel_08_010740: false +rhel_08_010750: false +rhel_01_010760: false +rhel_08_010770: false +rhel_08_010780: false +rhel_08_010790: false +rhel_08_010800: false +rhel_08_010810: false +rhel_08_020000: false +rhel_08_020010: false +rhel_08_020030: false +rhel_08_020040: false +rhel_08_020050: false +rhel_08_020060: false +rhel_08_020070: false +rhel_08_020080: 
false +rhel_08_020090: false +rhel_08_020100: false +rhel_08_020110: false +rhel_08_020120: false +rhel_08_020130: false +rhel_08_020140: false +rhel_08_020150: false +rhel_08_020160: false +rhel_08_020170: false +rhel_08_020180: false +rhel_08_020190: false +rhel_08_020200: false +rhel_08_020210: false +rhel_08_020220: false +rhel_08_020230: false +rhel_08_020240: false +rhel_08_020250: false +rhel_08_020260: false +rhel_08_020270: false +rhel_08_020280: false +rhel_08_020290: false +rhel_08_020300: false +rhel_08_020310: false +rhel_08_020320: false +rhel_08_020350: false +rhel_08_030000: false +rhel_08_030010: false +rhel_08_030020: false +rhel_08_030030: false +rhel_08_030040: false +rhel_08_030050: false +rhel_08_030060: false +rhel_08_030070: false +rhel_08_030080: false +rhel_08_030090: false +rhel_08_030100: false +rhel_08_030110: false ### When logs folder is set to 600 per STIG auditd fails to start. Need to figure out perms -rhel_08_030120: true -rhel_08_030130: true -rhel_08_030140: true -rhel_08_030150: true -rhel_08_030160: true -rhel_08_030170: true -rhel_08_030180: true -rhel_08_030190: true -rhel_08_030200: true -rhel_08_030210: true -rhel_08_030220: true -rhel_08_030230: true -rhel_08_030240: true -rhel_08_030250: true -rhel_08_030260: true -rhel_08_030270: true -rhel_08_030280: true -rhel_08_030290: true -rhel_08_030300: true -rhel_08_030310: true -rhel_08_030320: true -rhel_08_030330: true -rhel_08_030340: true -rhel_08_030350: true -rhel_08_030360: true -rhel_08_030370: true -rhel_08_030380: true -rhel_08_030390: true -rhel_08_030400: true -rhel_08_030410: true -rhel_08_030420: true -rhel_08_030430: true -rhel_08_030440: true -rhel_08_030450: true -rhel_08_030460: true -rhel_08_030470: true -rhel_08_030480: true -rhel_08_030490: true -rhel_08_030500: true -rhel_08_030510: true -rhel_08_030520: true -rhel_08_030530: true -rhel_08_030540: true -rhel_08_030550: true -rhel_08_030560: true -rhel_08_030570: true -rhel_08_030580: true -rhel_08_030590: 
true -rhel_08_030600: true -rhel_08_030610: true -rhel_08_030620: true -rhel_08_030630: true -rhel_08_030640: true +rhel_08_030120: false +rhel_08_030130: false +rhel_08_030140: false +rhel_08_030150: false +rhel_08_030160: false +rhel_08_030170: false +rhel_08_030180: false +rhel_08_030190: false +rhel_08_030200: false +rhel_08_030210: false +rhel_08_030220: false +rhel_08_030230: false +rhel_08_030240: false +rhel_08_030250: false +rhel_08_030260: false +rhel_08_030270: false +rhel_08_030280: false +rhel_08_030290: false +rhel_08_030300: false +rhel_08_030310: false +rhel_08_030320: false +rhel_08_030330: false +rhel_08_030340: false +rhel_08_030350: false +rhel_08_030360: false +rhel_08_030370: false +rhel_08_030380: false +rhel_08_030390: false +rhel_08_030400: false +rhel_08_030410: false +rhel_08_030420: false +rhel_08_030430: false +rhel_08_030440: false +rhel_08_030450: false +rhel_08_030460: false +rhel_08_030470: false +rhel_08_030480: false +rhel_08_030490: false +rhel_08_030500: false +rhel_08_030510: false +rhel_08_030520: false +rhel_08_030530: false +rhel_08_030540: false +rhel_08_030550: false +rhel_08_030560: false +rhel_08_030570: false +rhel_08_030580: false +rhel_08_030590: false +rhel_08_030600: false +rhel_08_030610: false +rhel_08_030620: false +rhel_08_030630: false +rhel_08_030640: false # !!!!!!!!!---------- handlers are overwriting the config change for this item -rhel_08_030650: true -rhel_08_030660: true -rhel_08_030670: true -rhel_08_030680: true -rhel_08_030690: true -rhel_08_030700: true -rhel_08_030710: true -rhel_08_030720: true -rhel_08_030730: true -rhel_08_030740: true -rhel_08_040020: true -rhel_08_040030: true -rhel_08_040040: true -rhel_08_040050: true -rhel_08_040070: true -rhel_08_040080: true -rhel_08_040090: true -rhel_08_040100: true -rhel_08_040110: true -rhel_08_040120: true -rhel_08_040130: true -rhel_08_040140: true -rhel_08_040150: true -rhel_08_040160: true -rhel_08_040210: true -rhel_08_040220: true 
-rhel_08_040230: true -rhel_08_040240: true -rhel_08_040250: true -rhel_08_040260: true -rhel_08_040270: true -rhel_08_040280: true -rhel_08_040290: true -rhel_08_040320: true -rhel_08_040330: true -rhel_08_040350: true +rhel_08_030650: false +rhel_08_030660: false +rhel_08_030670: false +rhel_08_030680: false +rhel_08_030690: false +rhel_08_030700: false +rhel_08_030710: false +rhel_08_030720: false +rhel_08_030730: false +rhel_08_030740: false +rhel_08_040020: false +rhel_08_040030: false +rhel_08_040040: false +rhel_08_040050: false +rhel_08_040070: false +rhel_08_040080: false +rhel_08_040090: false +rhel_08_040100: false +rhel_08_040110: false +rhel_08_040120: false +rhel_08_040130: false +rhel_08_040140: false +rhel_08_040150: false +rhel_08_040160: false +rhel_08_040210: false +rhel_08_040220: false +rhel_08_040230: false +rhel_08_040240: false +rhel_08_040250: false +rhel_08_040260: false +rhel_08_040270: false +rhel_08_040280: false +rhel_08_040290: false +rhel_08_040320: false +rhel_08_040330: false +rhel_08_040350: false # CAT 3 rules rhel_08_010171: true @@ -323,6 +341,9 @@ rhel_08_040310: true # Whether or not to run tasks related to auditing/patching the desktop environment rhel8stig_gui: false +# Whether or not you need kdump. False will disable service and true will leave service +rhel8stig_kdump_needed: false + # Whether to configure dconf rules unconditionally (ignoring presence of dconf # or rhel8stig_gui) rhel8stig_always_configure_dconf: false 
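Review bot: This hunk flips roughly 150 CAT 2 control flags from `true` to `false`, so a consumer relying on the role defaults now runs only a fraction of the CAT 2 hardening with no failure, warning or skipped-task summary to show it; the sole explanation is the `# below set to false when running, don't change back after testing` comment, which reads as a local testing note rather than a documented default. If these controls are intentionally parked until they are re-synced with the released STIG, say so in the comment, e.g. `# Controls below are not yet synced with the v1 STIG release and default to false until reviewed`, and record the list in the role's documentation. The carried-over key `rhel_01_010760` looks like a typo for `rhel_08_010760` (the task side presumably tests one of the two spellings), which is worth confirming while these lines are being rewritten.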
@@ -602,4 +623,21 @@ rhel8stig_custom_firewall_zone: "new_fw_zone" rhel8stig_white_list_services: - http - https - - ssh \ No newline at end of file + - ssh + +# RHEL-08-010290 +# RHEL-08-010290 +# This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file +# to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256 +# to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr +rhel8stig_ssh_macs_settings: "hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 +GSSAPIKeyExchange no" +# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting +# to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings +# to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr +rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com 
-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512" + +# RHEL-08-010295 +# This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions +# to conform to STIG standards this variable must contain -VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 +rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" \ No newline at end of file diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ba759685..6f465370 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
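Review bot: The new `rhel8stig_ssh_macs_settings` default is a double-quoted scalar that continues onto the next line (`+GSSAPIKeyExchange no"`); YAML folds that line break into a single space, so the `MACs {{ rhel8stig_ssh_macs_settings }}` line this feeds becomes `MACs <list> GSSAPIKeyExchange no` on one line, which is not a valid `MACs` directive and presumably duplicates a `GSSAPIKeyExchange no` line the back-end file already carries on its own. The MAC list also includes `hmac-sha1-etm@openssh.com` and `hmac-sha1`, and `rhel8stig_ssh_server_crypto_settings` includes `aes256-cbc`, `aes128-cbc` and the `*-gcm@openssh.com` ciphers, while the comments above say RHEL-08-010290/010291 call for the sha2 MACs and the three CTR ciphers; the control text quoted in the task names says "only", so extra algorithms leave the check failing. Trim the defaults to `hmac-sha2-512,hmac-sha2-256` and `-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACs=hmac-sha2-512,hmac-sha2-256 ...`, and change the comments from "must include/contain" to "must contain only". The added comments also carry typos (`teh`, `ecryption`, `cotnain`) and a duplicated `# RHEL-08-010290` header.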
@@ -355,568 +355,452 @@ - RHEL-08-010250 - RHEL-08-010260 -- name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." +- name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." + "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" block: - - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" + - name: | + "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" + "MEDIUM | RHEL-08-010291 | AUDIT | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Get current FIPS mode state" command: fips-mode-setup --check changed_when: false failed_when: false register: rhel_08_010290_pre_fips_check - - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. 
| Enable FIPS" + "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Enable FIPS" command: fips-mode-setup --enable register: rhel_08_010290_fips_enable notify: reboot system when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' + + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" + "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Add ssh ciphers" + lineinfile: + path: "{{ item.path }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: reboot system + with_items: + - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } + - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } when: - - rhel_08_010290 + - rhel_08_010290 or + rhel_08_010291 tags: - RHEL-08-010290 - - FIPS + - RHEL-08-010291 + - fips + +- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." + block: + - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" + command: fips-mode-setup --check + changed_when: false + failed_when: false + register: rhel_08_010293_pre_fips_check + + - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. 
| Enable FIPS" + command: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: reboot system + when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' + when: + - rhel_08_010293 + tags: + - RHEL-08-010293 + - fips -- name: "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" +- name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^Ciphers.*' - line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr - insertafter: '# Ciphers and keying' - notify: restart sshd + path: /etc/crypto-policies/back-ends/opensslcnf.config + regexp: '^MinProtocol =' + line: "MinProtocol = TLSv1.2" + notify: reboot system when: - - rhel_08_010291 - - rhel8stig_ssh_required + - rhel_08_010294 tags: - - RHEL-08-010291 - - ssh -# ===========below here is old=========== -# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." -# dnf: -# name: "*" -# state: latest -# when: -# - not system_is_ec2 -# - rhel_08_010010 -# tags: -# - RHEL-08-010010 + - RHEL-08-010294 + - openssl -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" -# block: -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. 
| Uncomment banner keyword and set banner path"" -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^.*banner' -# line: 'Banner /etc/issue' +- name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" + lineinfile: + path: /etc/crypto-policies/back-ends/gnutls.config + regexp: '^\+VERS-ALL:' + line: "+VERS-ALL:{{ rhel8stig_gnutls_encryption }}" + create: yes + notify: reboot system + when: + - rhel_08_010295 + tags: + - RHEL-08-010295 + - gnutls -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" -# copy: -# dest: /etc/issue -# content: "{{ rhel8stig_logon_banner }}" -# owner: root -# group: root -# mode: '0644' -# notify: restart sshd -# when: -# # - not system_is_ec2 -# - rhel_08_010040 or -# rhel_08_010060 -# tags: -# - RHEL-08-010040 -# - RHEL-08-010060 +- name: | + "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." + "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." + block: + - name: | + "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. 
| Get commands less permissive" + "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" + "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" + shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" + changed_when: false + failed_when: false + register: rhel_08_010300_commands -# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." -# copy: -# dest: /etc/dconf/db/local.d/01-banner-message -# content: | -# [org/gnome/login-screen] -# banner-message-enable=true -# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' -# mode: '0644' -# owner: root -# group: root -# vars: -# newline: "\n" -# notify: dconf update -# when: -# - rhel_08_010050 -# - rhel8stig_dconf_available -# tags: -# - RHEL-08-010050 + - name: | + "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" + "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" + "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. | Set permissions" + file: + path: "{{ item }}" + owner: root + group: root + mode: '0755' + force: yes + with_items: + - "{{ rhel_08_010300_commands.stdout_lines }}" + when: + - rhel_08_010300 or + rhel_08_010310 or + rhel_08_010320 + tags: + - RHEL-08-010300 + - RHEL-08-010310 + - RHEL-08-010320 -# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." 
-# lineinfile: -# path: /etc/rsyslog.d/50-default.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# create: yes -# mode: '0644' -# notify: restart rsyslog -# with_items: -# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } -# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } -# when: -# - rhel_08_010070 -# tags: -# - RHEL-08-010070 +- name: | + "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." + "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root." + block: + - name: | + "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" + "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" + "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" + shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" + changed_when: false + failed_when: false + register: rhel_08_010330_library_files -# - name: "MEDIUM | RHEL-08-010080 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^Ciphers.*' -# line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr -# insertafter: '# Ciphers and keying' -# notify: restart sshd -# when: -# - rhel_08_010080 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010080 -# - ssh + - name: | + "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" + "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. 
| Get library files not owned by root" + "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" + file: + path: "{{ item }}" + owner: root + group: root + mode: '0755' + with_items: + - "{{ rhel_08_010330_library_files.stdout_lines }}" + when: + - rhel_08_010330 or + rhel_08_010340 or + rhel_08_010350 + tags: + - RHEL-08-010330 + - RHEL-08-010340 + - RHEL-08-010350 -# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." -# block: -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" -# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem -# changed_when: false -# failed_when: false -# register: rhel_08_010090_certs_list +- name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." 
+ cron: + name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' + user: "{{ rhel8stig_aide_cron.user }}" + cron_file: "{{ rhel8stig_aide_cron.cron_file }}" + job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" + minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | + ternary('0', omit)) | default(omit) }}" + hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | + ternary('0', omit)) | default(omit) }}" + weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['weekly']) | + ternary('0', omit)) | default(omit) }}" + day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['monthly']) | + ternary('1', omit)) | default(omit) }}" + special_time: "{{ (rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | + ternary(omit, rhel8stig_aide_cron.special_time) }}" + when: + - rhel_08_010360 + - rhel8stig_disruption_high + tags: + - RHEL-08-010360 + - aide -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" -# debug: -# msg: -# - "WARNING!!!!The certs below are the ones applied to this system. 
Please review and confirm they are the latest issued from the DoD" -# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" -# - "{{ rhel_08_010090_certs_list.stdout_lines }}" -# when: -# - rhel_08_010090 -# tags: -# - RHEL-08-010090 +- name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." + block: + - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.kexec_load_disabled =' + line: "kernel.kexec_load_disabled = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." -# block: -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" -# file: -# path: "{{ rhel8stig_path_to_sshkey }}" -# state: directory -# mode: '0700' + - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.kexec_load_disabled =' + line: "kernel.kexec_load_disabled = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010372 + tags: + - RHEL-08-010372 + - sysctl -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. 
| Create key pair" -# openssh_keypair: -# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" -# when: -# - rhel_08_010100 -# tags: -# - RHEL-08-010100 +- name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." + block: + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^fs.protected_symlinks =' + line: "fs.protected_symlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk -# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." -# lineinfile: -# path: /etc/login.defs -# regexp: '^ENCRYPT_METHOD.*' -# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" -# when: -# - rhel_08_010110 -# tags: -# - RHEL-08-010110 -# - login + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^fs.protected_symlinks =' + line: "fs.protected_symlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010373 + tags: + - RHEL-08-010373 + - sysctl -# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." -# block: -# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. 
| Get user accounts not using FIPS 140-2 hashing" -# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' -# changed_when: false -# failed_when: false -# register: rhel_08_010120_non_fips_hashed_accounts +- name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." + block: + - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^fs.protected_hardlinks =' + line: "fs.protected_hardlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk -# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" -# command: "passwd -l {{ item }}" -# with_items: -# -"{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" -# when: -# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" + - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^fs.protected_hardlinks =' + line: "fs.protected_hardlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010374 + tags: + - RHEL-08-010374 + - sysctl -# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" -# debug: -# msg: -# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. 
Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" -# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" -# when: -# - not rhel8stig_disruption_high -# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" -# when: -# - rhel_08_010120 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010120 -# - disruption_high +- name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." + replace: + path: "{{ item }}" + regexp: '^([^#].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + with_items: + - "{{ rhel8stig_sudoers_files.stdout_lines }}" + when: + - rhel_08_010380 + - rhel8stig_using_password_auth + tags: + - RHEL-08-010380 + - sudoers -# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" -# pamd: -# name: "{{ item }}" -# type: password -# control: sufficient -# module_path: pam_unix.so -# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" -# state: args_present -# with_items: -# - password-auth -# - system-auth -# when: -# - rhel_08_010130 -# tags: -# - RHEL-08-010130 +- name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." + replace: + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + with_items: + - "{{ rhel8stig_sudoers_files.stdout_lines }}" + when: + - rhel_08_010381 + - rhel8stig_using_password_auth + tags: + - RHEL-08-010381 + - sudoers -# - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. 
| Add sha512 argument" -# pamd: -# name: "{{ item }}" -# type: password -# control: sufficient -# module_path: pam_unix.so -# module_arguments: sha512 -# state: args_present -# with_items: -# - password-auth -# - system-auth -# when: -# - rhel_08_010160 -# tags: -# - RHEL-08-010160 +- name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." + block: + - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" + dnf: + name: esc + state: present + when: rhel8stig_gui + + - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" + dnf: + name: openssl-pkcs11 + state: present + when: + - rhel_08_010390 + tags: + - RHEL-08-010390 + - multifactor -# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources." -# block: -# - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root" -# shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'" -# changed_when: false -# failed_when: false -# register: rhel_08_010180_public_not_root_owned +- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." 
+ lineinfile: + path: '{{ rhel8stig_sssd_conf.stdout }}' + regexp: '^certificate_verification = {{ item }}' + state: absent + with_items: + - 'no_ocsp, no_verification' + - no_ocsp + - no_verification + notify: restart sssd + when: + - rhel_08_010400 + tags: + - RHEL-08-010400 -# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders" -# file: -# path: "{{ item }}" -# owner: root -# group: root -# with_items: -# - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}" -# when: -# - rhel_08_010180 -# tags: -# - RHEL-08-010180 +- name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." + dnf: + name: opensc + state: present + when: + - rhel_08_010410 + tags: + - RHEL-08-010410 + - opensc + - piv -# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." -# block: -# - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" -# shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" -# changed_when: false -# failed_when: false -# register: rhel_08_010190_world_writable_files +- name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." + block: + - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. 
| Get NX bit state" + shell: dmesg |grep "NX (" + changed_when: false + failed_when: false + register: rhel_08_010420_nx_bit_state -# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" -# file: -# path: "{{ item }}" -# mode: '1777' -# with_items: -# - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" -# when: -# - rhel_08_010190 -# tags: -# - RHEL-08-010190 + - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" + debug: + msg: + - "Good News! You are setup with execute disable active." + when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' -# - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# notify: restart sshd -# with_items: -# - { regexp: '^.*ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} -# - { regexp: '^.*ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } -# when: -# - rhel_08_010200 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010200 -# - ssh + - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" + debug: + msg: + - "ALERT!! You do not have execute disable active. 
Please change the setting in your BIOS settings" + when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' + when: + - rhel_08_010420 + tags: + - RHEL-08-010420 -# - name: | -# "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." -# "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." -# "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." -# file: -# path: /var/log/messages -# owner: root -# group: root -# mode: '0640' -# when: -# - rhel_08_010210 or -# rhel_08_010220 or -# rhel_08_010230 -# tags: -# - RHEL-08-010210 -# - RHEL-08-010220 -# - RHEL-08-010230 +- name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." + block: + - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + register: rhel8stig_010421_grub_cmdline_linux -# - name: | -# "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0770 or less permissive." -# "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." -# "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." -# file: -# path: /var/log -# owner: root -# group: root -# mode: '0770' -# when: -# - rhel_08_010240 or -# rhel_08_010250 or -# rhel_08_010260 -# tags: -# - RHEL-08-010240 -# - RHEL-08-010250 -# - RHEL-08-010260 + - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
| Set page poison 1 as active" + shell: grubby --update-kernel=ALL --args="page_poison=1" -# - name: | -# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive." -# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root." -# block: -# - name: | -# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Find audit log files" -# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. | Find audit log files" -# shell: cat /etc/audit/auditd.conf | grep "^log_file " | cut -f2 -d= | sed 's/^[ \t]*//;s/[ \t]*$//' -# changed_when: false -# failed_when: false -# register: rhel_08_010270_audit_log_location + - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"' + when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout' -# # I have this set to 750 since 600 is too restrictive for auditd to work -# - name: | -# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Set permissions" -# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. | Set permissions" -# file: -# path: "{{ rhel_08_010270_audit_log_location.stdout }}" -# owner: root -# mode: '0750' -# when: -# - rhel_08_010270 or -# rhel_08_010280 -# tags: -# - RHEL-08-010270 -# - RHEL-08-010280 - -# - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." 
-# block: -# - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" -# command: fips-mode-setup --check -# changed_when: false -# failed_when: false -# register: rhel_08_010290_pre_fips_check - -# - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" -# command: fips-mode-setup --enable -# register: rhel_08_010290_fips_enable -# notify: reboot system -# when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' -# when: -# - rhel_08_010290 -# tags: -# - RHEL-08-010290 -# - FIPS - -- name: | - "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." - "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." - block: - - name: | - "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" - "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" - "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" - shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" - changed_when: false - failed_when: false - register: rhel_08_010300_commands - - - name: | - "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" - "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. 
| Set permissions" - "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. | Set permissions" - file: - path: "{{ item }}" - owner: root - group: root - mode: '0755' - force: yes - with_items: - - "{{ rhel_08_010300_commands.stdout_lines }}" + - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'page_poison=([^\s|"])+' + replace: "page_poison=1" + when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout' when: - - rhel_08_010300 or - rhel_08_010310 or - rhel_08_010320 + - rhel_08_010421 tags: - - RHEL-08-010300 - - RHEL-08-010310 - - RHEL-08-010320 + - RHEL-08-010421 + - grub -- name: | - "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." - "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root." +- name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls." block: - - name: | - "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" - "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" - "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" - shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" + - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. 
| Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false - register: rhel_08_010330_library_files - - - name: | - "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" - "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" - "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" - file: - path: "{{ item }}" - owner: root - group: root - mode: '0755' - with_items: - - "{{ rhel_08_010330_library_files.stdout_lines }}" - when: - - rhel_08_010330 or - rhel_08_010340 or - rhel_08_010350 - tags: - - RHEL-08-010330 - - RHEL-08-010340 - - RHEL-08-010350 + register: rhel8stig_010422_grub_cmdline_linux -- name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." 
- cron: - name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' - user: "{{ rhel8stig_aide_cron.user }}" - cron_file: "{{ rhel8stig_aide_cron.cron_file }}" - job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" - minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | - ternary('0', omit)) | default(omit) }}" - hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | - ternary('0', omit)) | default(omit) }}" - weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['weekly']) | - ternary('0', omit)) | default(omit) }}" - day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['monthly']) | - ternary('1', omit)) | default(omit) }}" - special_time: "{{ (rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | - ternary(omit, rhel8stig_aide_cron.special_time) }}" - when: - - rhel_08_010360 - - rhel8stig_disruption_high - tags: - - RHEL-08-010360 - - aide + - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" + shell: grubby --update-kernel=ALL --args="vsyscall=none" -- name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation and changing roles." - block: - - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation and changing roles. 
| Remove NOPASSWD" - replace: - path: "{{ item }}" - regexp: '^([^#].*)NOPASSWD(.*)' - replace: '\1PASSWD\2' - with_items: - - "{{ rhel8stig_sudoers_files.stdout_lines }}" + - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"' + when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout' - - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation and changing roles. | Remove !authenticate" + - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if exists" replace: - path: "{{ item }}" - regexp: '^([^#].*)!authenticate(.*)' - replace: '\1authenticate\2' - with_items: - - "{{ rhel8stig_sudoers_files.stdout_lines }}" - when: - - rhel_08_010380 - - rhel8stig_using_password_auth - tags: - - RHEL-08-010380 - - sudoers - -- name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." - block: - - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" - dnf: - name: esc - state: present - when: rhel8stig_gui - - - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" - dnf: - name: openssl-pkcs11 - state: present - when: - - rhel_08_010390 - tags: - - RHEL-08-010390 - - multifactor - -- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." 
- # block: - # - name: "MEDIUM | RHEL-08-010400 | AUDIT | RHEL 8 must implement certificate status checking for multifactor authentication | Find sssd_config location." - # shell: find / -name sssd.conf - # changed_when: false - # failed_when: false - # register: rhel_08_010400_sssd_config - - # - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication | Set certificate_verification." - lineinfile: - path: '{{ rhel8stig_sssd_conf.stdout }}' - regexp: '^certificate_verification = {{ item }}' - state: absent - with_items: - - 'no_ocsp, no_verification' - - no_ocsp - - no_verification - notify: restart sssd + path: /etc/default/grub + regexp: 'vsyscall=([^\s|"])+' + replace: "vsyscall=none" + when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout' when: - - rhel_08_010400 - tags: - - RHEL-08-010400 - -- name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." - dnf: - name: opensc - state: present - when: - - rhel_08_010410 + - rhel_08_010422 tags: - - RHEL-08-010410 + - RHEL-08-010422 + - grub -- name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." +- name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks." block: - - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state" - shell: dmesg |grep "NX (" + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. 
| Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false - register: rhel_08_010420_nx_bit_state + register: rhel8stig_010423_grub_cmdline_linux - - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" - debug: - msg: - - "Good News! You are setup with execute disable active." - when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" + shell: grubby --update-kernel=ALL --args="slub_debug=P" - - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" - debug: - msg: - - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" - when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"' + when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout' + + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. 
| Set slub_debug to P for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'slub_debug=([^\s|"])+' + replace: "slub_debug=P" + when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout' when: - - rhel_08_010420 + - rhel_08_010423 tags: - - RHEL-08-010420 + - RHEL-08-010423 + - grub - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." sysctl: @@ -926,6 +810,7 @@ reload: "{{ rhel8stig_sysctl_reload }}" sysctl_set: yes ignoreerrors: yes + notify: sysctl system when: - rhel_08_010430 tags: @@ -959,7 +844,7 @@ - RHEL-08-010480 - ssh -- name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0600 or less permissive." +- name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." block: - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files" find: @@ -972,10 +857,10 @@ failed_when: false register: rhel_08_010490_private_host_key_files - - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Set permissions" + - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions" file: path: "{{ item.path }}" - mode: '0600' + mode: '0640' with_items: - "{{ rhel_08_010490_private_host_key_files.files }}" notify: restart sshd 
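Review bot: `mode: '0640'` in the RHEL-08-010490 Set permissions subtask is applied to every file the find returned, which loosens any host key currently at 0600; the control reads "0640 or less permissive", so 0600 is already compliant and should not be widened. A subtractive symbolic mode keeps that invariant, e.g. `mode: 'u-x,g-wx,o-rwx'`, which brings 0644 or 0660 down to 0640 and leaves 0600 untouched. The `| Find files` subtask name in the preceding hunk still says 0600 while the block title and this subtask now say 0640, so the three should be brought into agreement. The `find:` parameters that decide which files land in `rhel_08_010490_private_host_key_files` are outside the hunk, so I am assuming they select only private keys.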
@@ -1025,6 +910,37 @@ - RHEL-08-010520 - ssh +- name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication." + lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^KerberosAuthentication ', line: "KerberosAuthentication no" } + - { regexp: '^GSSAPIAuthentication ', line: "GSSAPIAuthentication no" } + notify: restart sshd + when: + - rhel_08_010521 + tags: + - RHEL-08-010521 + - ssh + +- name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." + debug: + msg: "WARNING!!!! /tmp is not mounted on a separate partition" + changed_when: + - rhel8stig_audit_complex + when: + - rhel_08_010543 + - not rhel8stig_system_is_container + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 + tags: + - RHEL-08-010543 + - complexity-high + - mount + - tmp + - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." lineinfile: path: /etc/ssh/sshd_config @@ -1050,6 +966,17 @@ - RHEL-08-010560 - auditd +- name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." + service: + name: rsyslog.service + state: started + enabled: true + when: + - rhel_08_010561 + tags: + - RHEL-08-010561 + - rsyslog + - name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." mount: path: /home 
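Review bot: The RHEL-08-010521 `lineinfile` task appends `KerberosAuthentication no` / `GSSAPIAuthentication no` at end of file whenever the regexp finds no match, so on a sshd_config that ends with a `Match` block the directive lands inside that block and applies only to the sessions the block matches, leaving the global setting untouched. Anchoring with `insertbefore: '^Match\s'` and `firstmatch: true` keeps the directive in the global section (it still goes to EOF when no Match block exists), and `validate: '/usr/sbin/sshd -t -f %s'` rejects a broken config before the `restart sshd` handler fires. The regexps `^KerberosAuthentication ` / `^GSSAPIAuthentication ` are also case- and whitespace-sensitive while sshd keywords are not, so `(?i)^\s*KerberosAuthentication\s` and the GSSAPI equivalent would catch an existing entry written differently instead of adding a second one.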
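Review bot: The RHEL-08-010561 task writes `enabled: true` while the neighbouring tasks in this file spell booleans as `yes` (`sysctl_set: yes` above, `masked: yes` in the new RHEL-08-010672 task); the file should settle on one form, and `true`/`false` is the one yamllint's truthy rule accepts. The RHEL-08-010543 task in the previous hunk guards on `not rhel8stig_system_is_container`; if this role is also run against containers, starting `rsyslog.service` there will fail where no init system is present, so the same guard may be wanted here — confirm against how the role is used.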
@@ -1065,26 +992,39 @@ home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" tags: - RHEL-08-010570 + - mounts + - home -# The cotnrol in the stig has the same title as the RHEL-08-010570 control -- name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." +- name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory." mount: - path: /home + path: /boot state: mounted - src: "{{ home_mount.device }}" - fstype: "{{ home_mount.fstype }}" - opts: "{{ home_mount.options }},nodev" + src: "{{ boot_mount.device }}" + fstype: "{{ boot_mount.fstype }}" + opts: "{{ boot_mount.options }},nosuid" when: - - rhel_08_010580 - - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - - "'nodev' not in home_mount.options" + - rhel_08_010571 + - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0 + - "'nosuid' not in boot_mount.options" vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" + boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}" + tags: + - RHEL-08-010571 + - mounts + - boot + +- name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." + command: /bin/true + changed_when: false + failed_when: false + when: + - rhel_08_010580 tags: - RHEL-08-010580 + - mounts + - non-root -# The control in the stig has the same title as RHEL-01-01570 -- name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." +- name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories." mount: path: /home state: mounted 
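Review bot: The new RHEL-08-010580 task runs `command: /bin/true` with `changed_when: false` and `failed_when: false`, so the control is reported as handled while nothing is checked or changed, and the run output gives no hint that it is a stub. Until the remediation exists, a `debug` warning gated by `rhel8stig_complex` and tagged `complexity-high`, as the RHEL-08-010543 task in this file does, keeps the gap visible; at minimum put `# TODO: placeholder, no remediation implemented for special devices on non-root partitions` above the task. The RHEL-08-010571 /boot task mirrors the /home pattern, including the `'nosuid' not in boot_mount.options` guard, and reads correctly.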
@@ -1099,10 +1039,12 @@ home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" tags: - RHEL-08-010590 + - mounts + - home -- name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." +- name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media." block: - - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nodev to /media" + - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media" mount: path: /media state: mounted @@ -1117,7 +1059,7 @@ vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nodev to /mnt" + - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /mnt" mount: path: /mnt state: mounted 
@@ -1136,11 +1078,12 @@ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) tags: - RHEL-08-010600 + - mounts + - media -# The control has the same title as RHEL-08-010600 -- name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." +- name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media." block: - - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set noexec to /media" + - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /media" mount: path: /media state: mounted @@ -1155,7 +1098,7 @@ vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set noexec to /mnt" + - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt" mount: path: /mnt state: mounted 
@@ -1174,11 +1117,12 @@ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) tags: - RHEL-08-010610 + - mounts + - media -# The control has the same title as RHEL-08-010600 -- name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." +- name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." block: - - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media" + - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media" mount: path: /media state: mounted @@ -1193,7 +1137,7 @@ vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt" + - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt" mount: path: /mnt state: mounted 
@@ -1212,8 +1156,10 @@ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) tags: - RHEL-08-010620 + - mounts + - media -- name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)." +- name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)." mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" @@ -1230,8 +1176,10 @@ - "'noexec' not in (ansible_mounts | json_query(options_query))" tags: - RHEL-08-010630 + - mounts + - nfs -- name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)." +- name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)." mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" @@ -1249,7 +1197,7 @@ tags: - RHEL-08-010640 -- name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)." +- name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)" mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" 
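Review bot: In the last hunk the `tags:` for RHEL-08-010640 keep only `- RHEL-08-010640`, while the RHEL-08-010630 task in the hunk just above received `- mounts` and `- nfs`, so a `--tags nfs` run covers only part of the NFS mount tasks; add the same two tags here. The renamed RHEL-08-010650 title also drops the trailing period that every other task name in this file keeps. The `mount:` body of that task continues past the end of the hunk.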
@@ -1304,17 +1252,987 @@ - rhel8stig_disruption_high # - rhel_08_stig_interactive_homedir_inifiles is defined tags: - - RHEL-010660 + - RHEL-08-010660 -- name: "MEDIUM | RHEL-08-010670 | PATCH | In the event of a system failure, RHEL 8 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes." +- name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed." service: name: kdump - enabled: yes - state: started + enabled: no + state: stopped when: - rhel_08_010670 + - not rhel8stig_kdump_needed tags: - RHEL-08-010670 + - kdump + +- name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." + block: + - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.core_pattern =' + line: "kernel.core_pattern = |/bin/false" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk + + - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.core_pattern =' + line: "kernel.core_pattern = |/bin/false" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010671 + tags: + - RHEL-08-010671 + - sysctl + +- name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps." 
+ systemd: + name: systemd-coredump.socket + masked: yes + daemon_reload: yes + notify: systemctl daemon-reload + when: + - rhel_08_010672 + tags: + - RHEL-08-010672 + - systemd + +# ===========below here is old=========== +# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." +# dnf: +# name: "*" +# state: latest +# when: +# - not system_is_ec2 +# - rhel_08_010010 +# tags: +# - RHEL-08-010010 + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" +# block: +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^.*banner' +# line: 'Banner /etc/issue' + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. 
| Set banner message"" +# copy: +# dest: /etc/issue +# content: "{{ rhel8stig_logon_banner }}" +# owner: root +# group: root +# mode: '0644' +# notify: restart sshd +# when: +# # - not system_is_ec2 +# - rhel_08_010040 or +# rhel_08_010060 +# tags: +# - RHEL-08-010040 +# - RHEL-08-010060 + +# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." +# copy: +# dest: /etc/dconf/db/local.d/01-banner-message +# content: | +# [org/gnome/login-screen] +# banner-message-enable=true +# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' +# mode: '0644' +# owner: root +# group: root +# vars: +# newline: "\n" +# notify: dconf update +# when: +# - rhel_08_010050 +# - rhel8stig_dconf_available +# tags: +# - RHEL-08-010050 + +# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." +# lineinfile: +# path: /etc/rsyslog.d/50-default.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# create: yes +# mode: '0644' +# notify: restart rsyslog +# with_items: +# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } +# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } +# when: +# - rhel_08_010070 +# tags: +# - RHEL-08-010070 + +# - name: "MEDIUM | RHEL-08-010080 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^Ciphers.*' +# line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr +# insertafter: '# Ciphers and keying' +# notify: restart sshd +# when: +# - rhel_08_010080 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010080 +# - ssh + +# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. 
+# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." +# block: +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" +# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem +# changed_when: false +# failed_when: false +# register: rhel_08_010090_certs_list + +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" +# debug: +# msg: +# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" +# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" +# - "{{ rhel_08_010090_certs_list.stdout_lines }}" +# when: +# - rhel_08_010090 +# tags: +# - RHEL-08-010090 + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." +# block: +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" +# file: +# path: "{{ rhel8stig_path_to_sshkey }}" +# state: directory +# mode: '0700' + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. 
| Create key pair" +# openssh_keypair: +# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" +# when: +# - rhel_08_010100 +# tags: +# - RHEL-08-010100 + +# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." +# lineinfile: +# path: /etc/login.defs +# regexp: '^ENCRYPT_METHOD.*' +# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" +# when: +# - rhel_08_010110 +# tags: +# - RHEL-08-010110 +# - login + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." +# block: +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" +# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' +# changed_when: false +# failed_when: false +# register: rhel_08_010120_non_fips_hashed_accounts + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" +# command: "passwd -l {{ item }}" +# with_items: +# -"{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" + +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" +# debug: +# msg: +# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. 
Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" +# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - not rhel8stig_disruption_high +# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" +# when: +# - rhel_08_010120 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010120 +# - disruption_high + +# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" +# pamd: +# name: "{{ item }}" +# type: password +# control: sufficient +# module_path: pam_unix.so +# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" +# state: args_present +# with_items: +# - password-auth +# - system-auth +# when: +# - rhel_08_010130 +# tags: +# - RHEL-08-010130 + +# - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument" +# pamd: +# name: "{{ item }}" +# type: password +# control: sufficient +# module_path: pam_unix.so +# module_arguments: sha512 +# state: args_present +# with_items: +# - password-auth +# - system-auth +# when: +# - rhel_08_010160 +# tags: +# - RHEL-08-010160 + +# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources." +# block: +# - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root" +# shell: "find / ! 
-user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'" +# changed_when: false +# failed_when: false +# register: rhel_08_010180_public_not_root_owned + +# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders" +# file: +# path: "{{ item }}" +# owner: root +# group: root +# with_items: +# - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}" +# when: +# - rhel_08_010180 +# tags: +# - RHEL-08-010180 + +# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." +# block: +# - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" +# shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" +# changed_when: false +# failed_when: false +# register: rhel_08_010190_world_writable_files + +# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" +# file: +# path: "{{ item }}" +# mode: '1777' +# with_items: +# - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" +# when: +# - rhel_08_010190 +# tags: +# - RHEL-08-010190 + +# - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." 
+# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# notify: restart sshd +# with_items: +# - { regexp: '^.*ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} +# - { regexp: '^.*ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } +# when: +# - rhel_08_010200 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010200 +# - ssh + +# - name: | +# "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." +# "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." +# "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." +# file: +# path: /var/log/messages +# owner: root +# group: root +# mode: '0640' +# when: +# - rhel_08_010210 or +# rhel_08_010220 or +# rhel_08_010230 +# tags: +# - RHEL-08-010210 +# - RHEL-08-010220 +# - RHEL-08-010230 + +# - name: | +# "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0770 or less permissive." +# "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." +# "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." +# file: +# path: /var/log +# owner: root +# group: root +# mode: '0770' +# when: +# - rhel_08_010240 or +# rhel_08_010250 or +# rhel_08_010260 +# tags: +# - RHEL-08-010240 +# - RHEL-08-010250 +# - RHEL-08-010260 + +# - name: | +# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive." +# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root." +# block: +# - name: | +# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Find audit log files" +# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. 
| Find audit log files" +# shell: cat /etc/audit/auditd.conf | grep "^log_file " | cut -f2 -d= | sed 's/^[ \t]*//;s/[ \t]*$//' +# changed_when: false +# failed_when: false +# register: rhel_08_010270_audit_log_location + +# # I have this set to 750 since 600 is too restrictive for auditd to work +# - name: | +# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Set permissions" +# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. | Set permissions" +# file: +# path: "{{ rhel_08_010270_audit_log_location.stdout }}" +# owner: root +# mode: '0750' +# when: +# - rhel_08_010270 or +# rhel_08_010280 +# tags: +# - RHEL-08-010270 +# - RHEL-08-010280 + +# - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." +# block: +# - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" +# command: fips-mode-setup --check +# changed_when: false +# failed_when: false +# register: rhel_08_010290_pre_fips_check + +# - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" +# command: fips-mode-setup --enable +# register: rhel_08_010290_fips_enable +# notify: reboot system +# when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' +# when: +# - rhel_08_010290 +# tags: +# - RHEL-08-010290 +# - FIPS + +# - name: | +# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." +# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." 
+# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." +# block: +# - name: | +# "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" +# "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" +# "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" +# shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" +# changed_when: false +# failed_when: false +# register: rhel_08_010300_commands + +# - name: | +# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" +# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" +# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. | Set permissions" +# file: +# path: "{{ item }}" +# owner: root +# group: root +# mode: '0755' +# force: yes +# with_items: +# - "{{ rhel_08_010300_commands.stdout_lines }}" +# when: +# - rhel_08_010300 or +# rhel_08_010310 or +# rhel_08_010320 +# tags: +# - RHEL-08-010300 +# - RHEL-08-010310 +# - RHEL-08-010320 + +# - name: | +# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." +# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." +# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root." +# block: +# - name: | +# "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" +# "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. 
| Get library files not owned by root" +# "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" +# shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" +# changed_when: false +# failed_when: false +# register: rhel_08_010330_library_files + +# - name: | +# "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" +# "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" +# "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" +# file: +# path: "{{ item }}" +# owner: root +# group: root +# mode: '0755' +# with_items: +# - "{{ rhel_08_010330_library_files.stdout_lines }}" +# when: +# - rhel_08_010330 or +# rhel_08_010340 or +# rhel_08_010350 +# tags: +# - RHEL-08-010330 +# - RHEL-08-010340 +# - RHEL-08-010350 + +# - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." 
+# cron: +# name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' +# user: "{{ rhel8stig_aide_cron.user }}" +# cron_file: "{{ rhel8stig_aide_cron.cron_file }}" +# job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" +# minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | +# ternary('0', omit)) | default(omit) }}" +# hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | +# ternary('0', omit)) | default(omit) }}" +# weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['weekly']) | +# ternary('0', omit)) | default(omit) }}" +# day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['monthly']) | +# ternary('1', omit)) | default(omit) }}" +# special_time: "{{ (rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | +# ternary(omit, rhel8stig_aide_cron.special_time) }}" +# when: +# - rhel_08_010360 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010360 +# - aide + +# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation and changing roles." +# block: +# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation and changing roles. | Remove NOPASSWD" +# replace: +# path: "{{ item }}" +# regexp: '^([^#].*)NOPASSWD(.*)' +# replace: '\1PASSWD\2' +# with_items: +# - "{{ rhel8stig_sudoers_files.stdout_lines }}" + +# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation and changing roles. 
| Remove !authenticate" +# replace: +# path: "{{ item }}" +# regexp: '^([^#].*)!authenticate(.*)' +# replace: '\1authenticate\2' +# with_items: +# - "{{ rhel8stig_sudoers_files.stdout_lines }}" +# when: +# - rhel_08_010380 +# - rhel8stig_using_password_auth +# tags: +# - RHEL-08-010380 +# - sudoers + +# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." +# block: +# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" +# dnf: +# name: esc +# state: present +# when: rhel8stig_gui + +# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" +# dnf: +# name: openssl-pkcs11 +# state: present +# when: +# - rhel_08_010390 +# tags: +# - RHEL-08-010390 +# - multifactor + +# - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." +# # block: +# # - name: "MEDIUM | RHEL-08-010400 | AUDIT | RHEL 8 must implement certificate status checking for multifactor authentication | Find sssd_config location." +# # shell: find / -name sssd.conf +# # changed_when: false +# # failed_when: false +# # register: rhel_08_010400_sssd_config + +# # - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication | Set certificate_verification." +# lineinfile: +# path: '{{ rhel8stig_sssd_conf.stdout }}' +# regexp: '^certificate_verification = {{ item }}' +# state: absent +# with_items: +# - 'no_ocsp, no_verification' +# - no_ocsp +# - no_verification +# notify: restart sssd +# when: +# - rhel_08_010400 +# tags: +# - RHEL-08-010400 + +# - name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." 
+# dnf: +# name: opensc +# state: present +# when: +# - rhel_08_010410 +# tags: +# - RHEL-08-010410 + +# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." +# block: +# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state" +# shell: dmesg |grep "NX (" +# changed_when: false +# failed_when: false +# register: rhel_08_010420_nx_bit_state + +# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" +# debug: +# msg: +# - "Good News! You are setup with execute disable active." +# when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' + +# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" +# debug: +# msg: +# - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" +# when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' +# when: +# - rhel_08_010420 +# tags: +# - RHEL-08-010420 + +# - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." +# sysctl: +# name: kernel.randomize_va_space +# value: '2' +# state: present +# reload: "{{ rhel8stig_sysctl_reload }}" +# sysctl_set: yes +# ignoreerrors: yes +# when: +# - rhel_08_010430 +# tags: +# - RHEL-08-010430 +# - sysctl + +# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." +# block: +# - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. 
| Find files" +# find: +# paths: /etc/ssh +# recurse: yes +# file_type: file +# patterns: 'ssh_host*_key.pub' +# hidden: true +# changed_when: false +# failed_when: false +# register: rhel_08_010480_public_files + +# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" +# file: +# path: "{{ item.path }}" +# mode: '0644' +# with_items: +# - "{{ rhel_08_010480_public_files.files }}" +# notify: restart sshd +# when: +# - rhel_08_010480 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010480 +# - ssh + +# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0600 or less permissive." +# block: +# - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files" +# find: +# paths: /etc/ssh +# recurse: yes +# file_type: file +# patterns: 'ssh_host*key' +# hidden: true +# changed_when: false +# failed_when: false +# register: rhel_08_010490_private_host_key_files + +# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Set permissions" +# file: +# path: "{{ item.path }}" +# mode: '0600' +# with_items: +# - "{{ rhel_08_010490_private_host_key_files.files }}" +# notify: restart sshd +# when: +# - rhel_08_010490 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010490 +# - ssh + +# - name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files." 
+# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '#StrictModes.(yes|no)|StrictModes.(yes|no)' +# line: 'StrictModes yes' +# notify: restart sshd +# when: +# - rhel_08_010500 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010500 +# - ssh + +# - name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication." +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '^#Compression.(yes|delayed|no)|^Compression.(yes|delayed|no)' +# line: 'Compression {{ rhel8stig_sshd_compression }}' +# notify: restart sshd +# when: +# - rhel_08_010510 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010510 +# - ssh + +# - name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication." +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '#IgnoreUserKnownHosts.(yes|no)|IgnoreUserKnownHosts.(yes|no)' +# line: 'IgnoreUserKnownHosts yes' +# notify: restart sshd +# when: +# - rhel_08_010520 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010520 +# - ssh + +# - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '^#PermitRootLogin.(yes|without-password|forced-commands-only|no)|^PermitRootLogin.(yes|without-password|forced-commands-only|no)' +# line: 'PermitRootLogin no' +# notify: restart sshd +# when: +# - rhel_08_010550 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010550 +# - ssh + +# - name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8." 
+# service: +# name: auditd +# state: started +# enabled: yes +# when: +# - rhel_08_010560 +# - not rhel8stig_system_is_container +# tags: +# - RHEL-08-010560 +# - auditd + +# - name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." +# mount: +# path: /home +# state: mounted +# src: "{{ home_mount.device }}" +# fstype: "{{ home_mount.fstype }}" +# opts: "{{ home_mount.options }},nosuid" +# when: +# - rhel_08_010570 +# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 +# - "'nosuid' not in home_mount.options" +# vars: +# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" +# tags: +# - RHEL-08-010570 + +# The cotnrol in the stig has the same title as the RHEL-08-010570 control +# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." +# mount: +# path: /home +# state: mounted +# src: "{{ home_mount.device }}" +# fstype: "{{ home_mount.fstype }}" +# opts: "{{ home_mount.options }},nodev" +# when: +# - rhel_08_010580 +# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 +# - "'nodev' not in home_mount.options" +# vars: +# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" +# tags: +# - RHEL-08-010580 + +# The control in the stig has the same title as RHEL-01-01570 +# - name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." 
+# mount: +# path: /home +# state: mounted +# src: "{{ home_mount.device }}" +# fstype: "{{ home_mount.fstype }}" +# opts: "{{ home_mount.options }},noexec" +# when: +# - rhel_08_010590 +# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 +# - "'noexec' not in home_mount.options" +# vars: +# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" +# tags: +# - RHEL-08-010590 + +# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." +# block: +# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nodev to /media" +# mount: +# path: /media +# state: mounted +# src: "{{ removable_mount.device }}" +# fstype: "{{ removable_mount.fstype }}" +# opts: "{{ removable_mount.options }},nodev" +# when: +# - rhel_08_010600 +# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 +# - "'nodev' not in home_mount.options" +# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) +# vars: +# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + +# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set nodev to /mnt" +# mount: +# path: /mnt +# state: mounted +# src: "{{ removable_mount2.device }}" +# fstype: "{{ removable_mount2.fstype }}" +# opts: "{{ removable_mount2.options }},nodev" +# when: +# - rhel_08_010600 +# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 +# - "'nodev' not in home_mount.options" +# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) +# vars: +# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" +# when: +# - rhel_08_010600 +# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) +# tags: +# - RHEL-08-010600 + +# # The control has the same title as RHEL-08-010600 +# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." +# block: +# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set noexec to /media" +# mount: +# path: /media +# state: mounted +# src: "{{ removable_mount.device }}" +# fstype: "{{ removable_mount.fstype }}" +# opts: "{{ removable_mount.options }},noexec" +# when: +# - rhel_08_010600 +# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 +# - "'noexec' not in home_mount.options" +# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) +# vars: +# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + +# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set noexec to /mnt" +# mount: +# path: /mnt +# state: mounted +# src: "{{ removable_mount2.device }}" +# fstype: "{{ removable_mount2.fstype }}" +# opts: "{{ removable_mount2.options }},noexec" +# when: +# - rhel_08_010610 +# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 +# - "'noexec' not in home_mount.options" +# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) +# vars: +# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" +# when: +# - rhel_08_010610 +# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) +# tags: +# - RHEL-08-010610 + +# The control has the same title as RHEL-08-010600 +# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." +# block: +# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media" +# mount: +# path: /media +# state: mounted +# src: "{{ removable_mount.device }}" +# fstype: "{{ removable_mount.fstype }}" +# opts: "{{ removable_mount.options }},nosuid" +# when: +# - rhel_08_010620 +# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 +# - "'nosuid' not in home_mount.options" +# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) +# vars: +# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + +# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set nosuid to /mnt" +# mount: +# path: /mnt +# state: mounted +# src: "{{ removable_mount2.device }}" +# fstype: "{{ removable_mount2.fstype }}" +# opts: "{{ removable_mount2.options }},nosuid" +# when: +# - rhel_08_010620 +# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 +# - "'nosuid' not in home_mount.options" +# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) +# vars: +# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" +# when: +# - rhel_08_010620 +# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) +# tags: +# - RHEL-08-010620 + +# - name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)." +# mount: +# path: "{{ item }}" +# src: "{{ ansible_mounts | json_query(device_query) }}" +# fstype: "{{ ansible_mounts | json_query(fstype_query) }}" +# opts: "{{ ansible_mounts | json_query(options_query) }},noexec" +# state: mounted +# vars: +# device_query: '[?mount == `{{ item }}`] | [0].device' +# fstype_query: '[?mount == `{{ item }}`] | [0].fstype' +# options_query: '[?mount == `{{ item }}`] | [0].options' +# with_items: "{{ rhel8stig_nfs_mounts }}" +# when: +# - rhel_08_010630 +# - "'noexec' not in (ansible_mounts | json_query(options_query))" +# tags: +# - RHEL-08-010630 + +# - name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)." 
+# mount: +# path: "{{ item }}" +# src: "{{ ansible_mounts | json_query(device_query) }}" +# fstype: "{{ ansible_mounts | json_query(fstype_query) }}" +# opts: "{{ ansible_mounts | json_query(options_query) }},nodev" +# state: mounted +# vars: +# device_query: '[?mount == `{{ item }}`] | [0].device' +# fstype_query: '[?mount == `{{ item }}`] | [0].fstype' +# options_query: '[?mount == `{{ item }}`] | [0].options' +# with_items: "{{ rhel8stig_nfs_mounts }}" +# when: +# - rhel_08_010640 +# - "'nodev' not in (ansible_mounts | json_query(options_query))" +# tags: +# - RHEL-08-010640 + +# - name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)." +# mount: +# path: "{{ item }}" +# src: "{{ ansible_mounts | json_query(device_query) }}" +# fstype: "{{ ansible_mounts | json_query(fstype_query) }}" +# opts: "{{ ansible_mounts | json_query(options_query) }},nosuid" +# state: mounted +# vars: +# device_query: '[?mount == `{{ item }}`] | [0].device' +# fstype_query: '[?mount == `{{ item }}`] | [0].fstype' +# options_query: '[?mount == `{{ item }}`] | [0].options' +# with_items: "{{ rhel8stig_nfs_mounts }}" +# when: +# - rhel_08_010650 +# - "'nosuid' not in (ansible_mounts | json_query(options_query))" +# tags: +# - RHEL-08-010650 + +# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs." +# block: +# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions" +# shell: find {{ item.mount }} -xdev -type f -perm -002 +# changed_when: false +# failed_when: false +# register: rhel_08_010660_world_writable_files +# with_items: +# - "{{ ansible_mounts }}" + +# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. 
| Set fact for flattening" +# set_fact: +# rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}" + +# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories" +# include_tasks: audit_homedirinifiles.yml +# loop: +# - "{{ rhel_08_stig_interactive_homedir_inifiles }}" +# loop_control: +# loop_var: ini_item +# when: +# - rhel_08_010660_change_perms != [] + +# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions" +# file: +# path: "{{ item }}" +# mode: '0755' +# state: file +# with_items: +# - "{{ rhel_08_010660_change_perms }}" +# when: +# - rhel_08_010660_change_perms != [] +# when: +# - rhel_08_010660 +# - rhel8stig_disruption_high +# # - rhel_08_stig_interactive_homedir_inifiles is defined +# tags: +# - RHEL-010660 + +# - name: "MEDIUM | RHEL-08-010670 | PATCH | In the event of a system failure, RHEL 8 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes." +# service: +# name: kdump +# enabled: yes +# state: started +# when: +# - rhel_08_010670 +# tags: +# - RHEL-08-010670 # NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service. - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured." diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 3d8b48a8..70280488 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -343,5 +343,8 @@ file_type: any register: rhel8stig_sysctlconf_filename when: - - rhel_08_010375 or + - rhel_08_010372 or + rhel_08_010373 or + rhel_08_010374 or + rhel_08_010375 or rhel_08_010376 \ No newline at end of file From e72e64082714323259263cecd7bf6338e06d2988 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 12 Jan 2021 08:47:52 -0500 Subject: [PATCH 07/15] cat2 synced with release of STIG 10673 - 010800 Signed-off-by: George Nalen --- defaults/main.yml | 28 +- tasks/fix-cat2.yml | 821 +++++++++++++++++++++++++++++++-------------- 2 files changed, 583 insertions(+), 266 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4cab1cfa..cab5e13a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -155,20 +155,24 @@ rhel_08_010660: true rhel_08_010670: true rhel_08_010671: true rhel_08_010672: true +rhel_08_010673: true +rhel_08_010674: true +rhel_08_010675: true # below set to false when running, don't change back after testing rhel_08_010680: false -rhel_08_010690: false -rhel_08_010700: false -rhel_08_010710: false -rhel_08_010720: false -rhel_08_010730: false -rhel_08_010740: false -rhel_08_010750: false -rhel_01_010760: false -rhel_08_010770: false -rhel_08_010780: false -rhel_08_010790: false -rhel_08_010800: false +# check to make sure I'm doing this one right +rhel_08_010690: true +rhel_08_010700: true +rhel_08_010710: true +rhel_08_010720: true +rhel_08_010730: true +rhel_08_010740: true +rhel_08_010750: true +rhel_01_010760: true +rhel_08_010770: true +rhel_08_010780: true +rhel_08_010790: true +rhel_08_010800: true rhel_08_010810: false rhel_08_020000: false rhel_08_020010: false diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 6f465370..3e78d81f 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
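Review bot: In the defaults/main.yml hunk, `rhel_01_010760: true` keeps the `rhel_01_` prefix while every neighbouring toggle is `rhel_08_*`; the commit flips its value but leaves the misnamed key, which is easy to miss when someone later sets `rhel_08_010760` expecting it to take effect. The added comment `# check to make sure I'm doing this one right` reads as an in-progress note rather than documentation and should be resolved or removed before these defaults ship. The surviving comment `# below set to false when running, don't change back after testing` now sits above values that this hunk sets to true, so it contradicts the code beneath it; I would either drop it or rewrite it to say what the intended shipped default is.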
@@ -1305,6 +1305,319 @@ - RHEL-08-010672 - systemd +- name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users." + lineinfile: + path: /etc/security/limits.conf + regexp: '^\*.*hard.*core' + line: "* hard core 0" + insertbefore: '# End of file' + when: + - rhel_08_010673 + tags: + - RHEL-08-010673 + - security + - limits + +- name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps." + lineinfile: + path: /etc/systemd/coredump.conf + regexp: '^(S|s)torage=|#(S|s)torage=' + line: "Storage=none" + when: + - rhel_08_010674 + tags: + - RHEL-08-010674 + - systemd + +- name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces." + lineinfile: + path: /etc/systemd/coredump.conf + regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax=' + line: "ProcessSizeMax=0" + when: + - rhel_08_010675 + tags: + - RHEL-08-010675 + - systemd + +# NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service. +- name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured." + block: + - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf" + shell: grep "dns" /etc/nsswitch.conf | grep -v "#" + changed_when: no + failed_when: false + check_mode: no + register: rhel_08_010680_nsswitch_check + + - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Determine if networkmanager is setting /etc/resolv.conf"
+ command: grep "# Generated by NetworkManager" /etc/resolv.conf
+ changed_when: no
+ failed_when: false
+ check_mode: no
+ register: rhel_08_010680_networkmanager_check
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf"
+ shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l
+ changed_when: no
+ failed_when: false
+ check_mode: no
+ register: rhel_08_010680_nameserver_count
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf"
+ shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf
+ when:
+ - "'dns' not in rhel_08_010680_nsswitch_check.stdout"
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf"
+ lineinfile:
+ dest: /etc/resolv.conf
+ regexp: '^nameserver'
+ line: namserver "{{ item }}"
+ insertafter: '^search'
+ with_items:
+ - "{{ rhel8stig_dns_servers }}"
+ when:
+ - rhel_08_010680_networkmanager_check != '# Generated by NetworkManager'
+ - rhel_08_010680_nameserver_count.stdout|int < 2
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp."
+ debug:
+ msg: "The file /etc/resolv.conf is managed by network manager and shows less than two DNS servers configured. Please correct this in your DHCP configurations."
+ changed_when: true
+ when:
+ - rhel_08_010680_networkmanager_check == '# Generated by NetworkManager'
+ - rhel_08_010680_nameserver_count.stdout|int < 2
+ when:
+ - rhel_08_010680
+ - not rhel8stig_system_is_chroot
+ - not rhel8stig_system_is_container
+ tags:
+ - RHEL-08-010680
+
+# I can't figure what is needed here. It looks simple but the fix doesn't show enough details to fill in the gaps of what's needed.
+- name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+ block:
+ - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files"
+ shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
+ with_items: "{{ rhel_08_stig_interactive_homedir_results }}"
+ register: rhel_08_010690_ini_path_grep_list
+ changed_when: no
+ failed_when: false
+
+ - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+ debug:
+ msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory.
+ with_items:
+ - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+
+ - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+ lineinfile:
+ path: "{{ item }}"
+ regexp: "^PATH="
+ line: "{{ rhel_08_010690_user_path }}"
+ with_items:
+ - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+ when:
+ - rhel_08_010690
+ - rhel8stig_disruption_high
+ - rhel8stig_change_user_path
+ tags:
+ - RHEL-08-010690
+ - complexity-high
+
+- name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
+ block:
+ - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories"
+ command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010700_world_writable_directories
+
+ - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions"
+ file:
+ path: "{{ item }}"
+ owner: root
+ with_items:
+ - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}"
+ when: rhel_08_010700_world_writable_directories.stdout != ""
+ when:
+ - rhel_08_010700
+ tags:
+ - RHEL-08-010700
+
+- name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."
+ block:
+ - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories"
+ command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010710_world_writable_directories
+
+ - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. 
| Set permissions"
+ file:
+ path: "{{ item }}"
+ group: root
+ with_items:
+ - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}"
+ when: rhel_08_010710_world_writable_directories.stdout != ""
+ when:
+ - rhel_08_010710
+ tags:
+ - RHEL-08-010710
+
+- name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."
+ block:
+ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory"
+ shell: pwck -r | grep user | cut -f2 -d"'"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010720_users_no_home_dir
+
+ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory"
+ shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010720_user_list
+
+ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list"
+ debug:
+ msg:
+ - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards"
+ - "{{ rhel_08_010720_user_list.stdout_lines }}"
+ when: rhel_08_010720_user_list.stdout != ""
+ when:
+ - rhel_08_010720
+ tags:
+ - RHEL-08-010720
+
+- name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+ block:
+ - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." 
+ shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd)
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010730_home_directories
+
+ - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+ file:
+ path: "{{ item }}"
+ mode: 0750
+ with_items:
+ - "{{ rhel_08_010730_home_directories.stdout_lines }}"
+ when: rhel_08_010730_home_directories.stdout != ""
+ when:
+ - rhel_08_010730
+ tags:
+ - RHEL-08-010730
+
+- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."
+ file:
+ path: "{{ item.dir }}"
+ group: "{{ item.gid }}"
+ state: directory
+ with_items: "{{ rhel8stig_passwd }}"
+ loop_control:
+ label: "{{ rhel8stig_passwd_label }}"
+ when:
+ - rhel_08_010740
+ - item.uid >= rhel8stig_interactive_uid_start
+ tags:
+ - RHEL-08-010740
+
+- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."
+ file:
+ path: "{{ item.dir }}"
+ state: directory
+ with_items: "{{ rhel8stig_passwd }}"
+ loop_control:
+ label: "{{ rhel8stig_passwd_label }}"
+ when:
+ - rhel_08_010750
+ - item.uid >= rhel8stig_interactive_uid_start
+ tags:
+ - RHEL-08-010750
+
+- name: "MEDIUM | REHL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '.*?CREATE_HOME.*'
+ line: CREATE_HOME yes
+ when:
+ - rhel_01_010760
+ tags:
+ - REHL-08-010760
+ - login
+ - home
+
+- name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." 
+ file:
+ path: "{{ item }}"
+ mode: 0740
+ with_items:
+ - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+ when:
+ - rhel_08_010770
+ - rhel8stig_disruption_high
+ - rhel_08_stig_interactive_homedir_inifiles is defined
+ tags:
+ - RHEL-08-010770
+ - complexity-high
+
+- name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
+ block:
+ - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
+ shell: find / -nouser
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010780_nouser_files
+
+ - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
+ debug:
+ msg:
+ - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner"
+ - "{{ rhel_08_010780_nouser_files.stdout_lines }}"
+ when: rhel_08_010780_nouser_files.stdout != ""
+ when:
+ - rhel_08_010780
+ tags:
+ - RHEL-08-010780
+
+- name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner."
+ block:
+ - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files"
+ shell: find / -nogroup
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010790_nogroup_files
+
+ - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files"
+ debug:
+ msg:
+ - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group"
+ - "{{ rhel_08_010790_nogroup_files.stdout_lines }}"
+ when: rhel_08_010790_nogroup_files.stdout != ""
+ when:
+ - rhel_08_010790
+ tags:
+ - RHEL-08-010790
+
+- name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."
+ debug:
+ msg: "WARNING!!!! 
/home is not mounted on a separate partition" + changed_when: + - rhel8stig_audit_complex + when: + - rhel_08_010800 + - not rhel8stig_system_is_container + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 + tags: + - RHEL-08-010800 + - complexity-high + - mount + - home # ===========below here is old=========== # - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." # dnf: 
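Review bot: In the RHEL-08-010680 "Set resolv.conf if dns is set in nsswitch.conf" task, `line: namserver "{{ item }}"` writes a misspelled keyword plus literal quotes into /etc/resolv.conf, and because `regexp: '^nameserver'` is the same for every loop item, each iteration replaces the line the previous one wrote, so at most one nameserver survives — the opposite of what the control requires. The same task's condition `rhel_08_010680_networkmanager_check != '# Generated by NetworkManager'` compares the registered result object to a string and is therefore always true, and the mirrored `==` in the following debug task can never fire; both should test `.stdout`. I would change the lineinfile to `line: "nameserver {{ item }}"` with `regexp: "^nameserver {{ item }}$"`, and the two conditions to `rhel_08_010680_networkmanager_check.stdout != '# Generated by NetworkManager'` and `.stdout == ...` respectively. Further down, RHEL-08-010720's "Get interactive users with no home directory" runs `grep vboxadd /etc/passwd`, which looks like a test leftover that silently restricts the check to one account, while the `rhel_08_010720_users_no_home_dir` result registered just above it is never used. RHEL-08-010760 spells its name and tag `REHL-08-010760` and is gated on `rhel_01_010760`, which breaks the `rhel_08_*` naming every other toggle in this file follows.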
@@ -2234,284 +2547,284 @@ # tags: # - RHEL-08-010670 -# NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service. -- name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured." - block: - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf" - shell: grep "dns" /etc/nsswitch.conf | grep -v "#" - changed_when: no - failed_when: false - check_mode: no - register: rhel_08_010680_nsswitch_check - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf" - command: grep "# Generated by NetworkManager" /etc/resolv.conf - changed_when: no - failed_when: false - check_mode: no - register: rhel_08_010680_networkmanager_check - - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf" - shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l - changed_when: no - failed_when: false - check_mode: no - register: rhel_08_010680_nameserver_count +# # NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service. +# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured." 
+# block: +# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf" +# shell: grep "dns" /etc/nsswitch.conf | grep -v "#" +# changed_when: no +# failed_when: false +# check_mode: no +# register: rhel_08_010680_nsswitch_check - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf" - shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf - when: - - "'dns' not in rhel_08_010680_nsswitch_check.stdout" +# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf" +# command: grep "# Generated by NetworkManager" /etc/resolv.conf +# changed_when: no +# failed_when: false +# check_mode: no +# register: rhel_08_010680_networkmanager_check - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf" - lineinfile: - dest: /etc/resolv.conf - regexp: '^nameserver' - line: namserver "{{ item }}" - insertafter: '^search' - with_items: - - "{{ rhel8stig_dns_servers }}" - when: - - rhel_08_010680_networkmanager_check != '# Generated by NetworkManager' - - rhel_08_010680_nameserver_count.stdout|int < 2 - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp." - debug: - msg: "The file /etc/resolv.conf is managed by network manager and shows less than two DNS servers configured. 
Please correct this in your DHCP configurations." - changed_when: true - when: - - rhel_08_010680_networkmanager_check == '# Generated by NetworkManager' - - rhel_08_010680_nameserver_count.stdout|int < 2 - when: - - rhel_08_010680 - - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container - tags: - - RHEL-08-010680 +# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf" +# shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l +# changed_when: no +# failed_when: false +# check_mode: no +# register: rhel_08_010680_nameserver_count -# I can't figure what is needed here. It looks simple but the fix doesn't show enough details to fill in the gaps of what's needed. -- name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - block: - - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files" - shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath - with_items: "{{ rhel_08_stig_interactive_homedir_results }}" - register: rhel_08_010690_ini_path_grep_list - changed_when: no - failed_when: false +# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Change resolv.conf if dns is not present in nsswitch.conf" +# shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf +# when: +# - "'dns' not in rhel_08_010680_nsswitch_check.stdout" - - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - debug: - msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory. - with_items: - - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" +# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf" +# lineinfile: +# dest: /etc/resolv.conf +# regexp: '^nameserver' +# line: namserver "{{ item }}" +# insertafter: '^search' +# with_items: +# - "{{ rhel8stig_dns_servers }}" +# when: +# - rhel_08_010680_networkmanager_check != '# Generated by NetworkManager' +# - rhel_08_010680_nameserver_count.stdout|int < 2 - - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - lineinfile: - path: "{{ item }}" - regexp: "^PATH=" - line: "{{ rhel_08_010690_user_path }}" - with_items: - - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" - when: - - rhel_08_010690 - - rhel8stig_disruption_high - - rhel8stig_change_user_path - tags: - - RHEL-08-010690 - - complexity-high +# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp." +# debug: +# msg: "The file /etc/resolv.conf is managed by network manager and shows less than two DNS servers configured. Please correct this in your DHCP configurations." +# changed_when: true +# when: +# - rhel_08_010680_networkmanager_check == '# Generated by NetworkManager' +# - rhel_08_010680_nameserver_count.stdout|int < 2 +# when: +# - rhel_08_010680 +# - not rhel8stig_system_is_chroot +# - not rhel8stig_system_is_container +# tags: +# - RHEL-08-010680 -- name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group." - block: - - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999 - changed_when: false - failed_when: false - register: rhel_08_010700_world_writable_directories +# # I can't figure what is needed here. It looks simple but the fix doesn't show enough details to fill in the gaps of what's needed. +# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." +# block: +# - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. 
| Find path files" +# shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath +# with_items: "{{ rhel_08_stig_interactive_homedir_results }}" +# register: rhel_08_010690_ini_path_grep_list +# changed_when: no +# failed_when: false - - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions" - file: - path: "{{ item }}" - owner: root - with_items: - - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}" - when: rhel_08_010700_world_writable_directories.stdout != "" - when: - - rhel_08_010700 - tags: - - RHEL-08-010700 +# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." +# debug: +# msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory. +# with_items: +# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" -- name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group." - block: - - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999 - changed_when: false - failed_when: false - register: rhel_08_010710_world_writable_directories +# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." 
+# lineinfile: +# path: "{{ item }}" +# regexp: "^PATH=" +# line: "{{ rhel_08_010690_user_path }}" +# with_items: +# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" +# when: +# - rhel_08_010690 +# - rhel8stig_disruption_high +# - rhel8stig_change_user_path +# tags: +# - RHEL-08-010690 +# - complexity-high - - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions" - file: - path: "{{ item }}" - group: root - with_items: - - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}" - when: rhel_08_010710_world_writable_directories.stdout != "" - when: - - rhel_08_010710 - tags: - - RHEL-08-010710 +# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group." +# block: +# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories" +# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999 +# changed_when: false +# failed_when: false +# register: rhel_08_010700_world_writable_directories -- name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file." - block: - - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory" - shell: pwck -r | grep user | cut -f2 -d"'" - changed_when: false - failed_when: false - register: rhel_08_010720_users_no_home_dir +# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. 
| Set permissions" +# file: +# path: "{{ item }}" +# owner: root +# with_items: +# - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}" +# when: rhel_08_010700_world_writable_directories.stdout != "" +# when: +# - rhel_08_010700 +# tags: +# - RHEL-08-010700 - - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory" - shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}' - changed_when: false - failed_when: false - register: rhel_08_010720_user_list +# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group." +# block: +# - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories" +# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999 +# changed_when: false +# failed_when: false +# register: rhel_08_010710_world_writable_directories - - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list" - debug: - msg: - - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" - - "{{ rhel_08_010720_user_list.stdout_lines }}" - when: rhel_08_010720_user_list.stdout != "" - when: - - rhel_08_010720 - tags: - - RHEL-08-010720 +# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. 
| Set permissions" +# file: +# path: "{{ item }}" +# group: root +# with_items: +# - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}" +# when: rhel_08_010710_world_writable_directories.stdout != "" +# when: +# - rhel_08_010710 +# tags: +# - RHEL-08-010710 -- name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) - changed_when: false - failed_when: false - register: rhel_08_010730_home_directories +# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file." +# block: +# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory" +# shell: pwck -r | grep user | cut -f2 -d"'" +# changed_when: false +# failed_when: false +# register: rhel_08_010720_users_no_home_dir - - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - file: - path: "{{ item }}" - mode: 0750 - with_items: - - "{{ rhel_08_010730_home_directories.stdout_lines }}" - when: rhel_08_010730_home_directories.stdout != "" - when: - - rhel_08_010730 - tags: - - RHEL-08-010730 +# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. 
| Get interactive users with no home directory" +# shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}' +# changed_when: false +# failed_when: false +# register: rhel_08_010720_user_list -- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." - file: - path: "{{ item.dir }}" - group: "{{ item.gid }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010740 - - item.uid >= rhel8stig_interactive_uid_start - tags: - - RHEL-08-010740 +# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list" +# debug: +# msg: +# - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" +# - "{{ rhel_08_010720_user_list.stdout_lines }}" +# when: rhel_08_010720_user_list.stdout != "" +# when: +# - rhel_08_010720 +# tags: +# - RHEL-08-010720 -- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." - file: - path: "{{ item.dir }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010750 - - item.uid >= rhel8stig_interactive_uid_start - tags: - - RHEL-08-010750 +# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." +# block: +# - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." 
+# shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) +# changed_when: false +# failed_when: false +# register: rhel_08_010730_home_directories -- name: "MEDIUM | REHL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." - lineinfile: - path: /etc/login.defs - regexp: '.*?CREATE_HOME.*' - line: CREATE_HOME yes - when: - - rhel_01_010760 - tags: - - REHL-08-010760 - - login - - home +# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." +# file: +# path: "{{ item }}" +# mode: 0750 +# with_items: +# - "{{ rhel_08_010730_home_directories.stdout_lines }}" +# when: rhel_08_010730_home_directories.stdout != "" +# when: +# - rhel_08_010730 +# tags: +# - RHEL-08-010730 -- name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." - file: - path: "{{ item }}" - mode: 0740 - with_items: - - "{{ rhel_08_stig_interactive_homedir_inifiles }}" - when: - - rhel_08_010770 - - rhel8stig_disruption_high - - rhel_08_stig_interactive_homedir_inifiles is defined - tags: - - RHEL-08-010770 - - complexity-high +# - name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." +# file: +# path: "{{ item.dir }}" +# group: "{{ item.gid }}" +# state: directory +# with_items: "{{ rhel8stig_passwd }}" +# loop_control: +# label: "{{ rhel8stig_passwd_label }}" +# when: +# - rhel_08_010740 +# - item.uid >= rhel8stig_interactive_uid_start +# tags: +# - RHEL-08-010740 -- name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner." - block: - - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. 
| Get nouser files" - shell: find / -nouser - changed_when: false - failed_when: false - register: rhel_08_010780_nouser_files +# - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." +# file: +# path: "{{ item.dir }}" +# state: directory +# with_items: "{{ rhel8stig_passwd }}" +# loop_control: +# label: "{{ rhel8stig_passwd_label }}" +# when: +# - rhel_08_010750 +# - item.uid >= rhel8stig_interactive_uid_start +# tags: +# - RHEL-08-010750 - - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files" - debug: - msg: - - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner" - - "{{ rhel_08_010780_nouser_files.stdout_lines }}" - when: rhel_08_010780_nouser_files.stdout != "" - when: - - rhel_08_010780 - tags: - - RHEL-08-010780 +# - name: "MEDIUM | REHL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." +# lineinfile: +# path: /etc/login.defs +# regexp: '.*?CREATE_HOME.*' +# line: CREATE_HOME yes +# when: +# - rhel_01_010760 +# tags: +# - REHL-08-010760 +# - login +# - home -- name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner." - block: - - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files" - shell: find / -nogroup - changed_when: false - failed_when: false - register: rhel_08_010790_nogroup_files +# - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." 
+# file: +# path: "{{ item }}" +# mode: 0740 +# with_items: +# - "{{ rhel_08_stig_interactive_homedir_inifiles }}" +# when: +# - rhel_08_010770 +# - rhel8stig_disruption_high +# - rhel_08_stig_interactive_homedir_inifiles is defined +# tags: +# - RHEL-08-010770 +# - complexity-high - - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" - debug: - msg: - - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group" - - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" - when: rhel_08_010790_nogroup_files.stdout != "" - when: - - rhel_08_010790 - tags: - - RHEL-08-010790 +# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner." +# block: +# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files" +# shell: find / -nouser +# changed_when: false +# failed_when: false +# register: rhel_08_010780_nouser_files -- name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." - debug: - msg: "WARNING!!!! /home is not mounted on a separate partition" - changed_when: - - rhel8stig_audit_complex - when: - - rhel_08_010800 - - not rhel8stig_system_is_container - - rhel8stig_complex - - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 - tags: - - RHEL-08-010800 - - complexity-high - - mount - - home +# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files" +# debug: +# msg: +# - "ALERT!!! There are files with no user assigned. 
Please review files listed below and assign owner" +# - "{{ rhel_08_010780_nouser_files.stdout_lines }}" +# when: rhel_08_010780_nouser_files.stdout != "" +# when: +# - rhel_08_010780 +# tags: +# - RHEL-08-010780 + +# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner." +# block: +# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files" +# shell: find / -nogroup +# changed_when: false +# failed_when: false +# register: rhel_08_010790_nogroup_files + +# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" +# debug: +# msg: +# - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group" +# - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" +# when: rhel_08_010790_nogroup_files.stdout != "" +# when: +# - rhel_08_010790 +# tags: +# - RHEL-08-010790 + +# - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." +# debug: +# msg: "WARNING!!!! /home is not mounted on a separate partition" +# changed_when: +# - rhel8stig_audit_complex +# when: +# - rhel_08_010800 +# - not rhel8stig_system_is_container +# - rhel8stig_complex +# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 +# tags: +# - RHEL-08-010800 +# - complexity-high +# - mount +# - home - name: "MEDIUM | RHEL-08-010810 | PATCH | RHEL 8 default permissions must be defined in such a way that all authenticated users can only read and modify their own files" lineinfile: From 56c8c56225ec200146803c0f6d9390958b78e54f Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 12 Jan 2021 15:28:29 -0500 Subject: [PATCH 08/15] cat2 synced with release of STIG 010830 - 020350 
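Review bot: The RHEL-08-010680 through RHEL-08-010800 tasks are turned into `# `-prefixed comments instead of being removed, so tasks/fix-cat2.yml now carries roughly 280 lines of dead copies of rules that the sync re-implements further up, apparently under the `# ===========below here is old===========` marker seen in the preceding hunk. Commented-out tasks drift from the live ones, keep their known defects (the `namserver` typo in the RHEL-08-010680 lineinfile, the `rhel_01_010760` guard on the RHEL-08-010760 task) and are skipped by ansible-lint, while git history already preserves them. I would delete the block or replace it with a single pointer such as `# Pre-v1 implementations of RHEL-08-010680..010800 were removed in this sync; see git history.`, and if it has to stay as a reference while the sync is in progress, say so at the marker.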
Signed-off-by: George Nalen --- defaults/main.yml | 98 +- tasks/fix-cat2.yml | 2703 ++++++++++++++++++++++++++++++++------------ 2 files changed, 2055 insertions(+), 746 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index cab5e13a..322a54c8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -173,40 +173,56 @@ rhel_08_010770: true
 rhel_08_010780: true
 rhel_08_010790: true
 rhel_08_010800: true
-rhel_08_010810: false
-rhel_08_020000: false
-rhel_08_020010: false
-rhel_08_020030: false
-rhel_08_020040: false
-rhel_08_020050: false
-rhel_08_020060: false
-rhel_08_020070: false
-rhel_08_020080: false
-rhel_08_020090: false
-rhel_08_020100: false
-rhel_08_020110: false
-rhel_08_020120: false
-rhel_08_020130: false
-rhel_08_020140: false
-rhel_08_020150: false
-rhel_08_020160: false
-rhel_08_020170: false
-rhel_08_020180: false
-rhel_08_020190: false
-rhel_08_020200: false
-rhel_08_020210: false
-rhel_08_020220: false
-rhel_08_020230: false
-rhel_08_020240: false
-rhel_08_020250: false
-rhel_08_020260: false
-rhel_08_020270: false
-rhel_08_020280: false
-rhel_08_020290: false
-rhel_08_020300: false
-rhel_08_020310: false
-rhel_08_020320: false
-rhel_08_020350: false
+# rhel_08_010810: false
+rhel_08_010830: true
+rhel_08_020000: true
+rhel_08_020010: true
+rhel_08_020011: true
+rhel_08_020012: true
+rhel_08_020013: true
+rhel_08_020014: true
+rhel_08_020015: true
+rhel_08_020016: true
+rhel_08_020017: true
+rhel_08_020018: true
+rhel_08_020019: true
+rhel_08_020020: true
+rhel_08_020021: true
+rhel_08_020022: true
+rhel_08_020023: true
+rhel_08_020030: true
+rhel_08_020040: true
+rhel_08_020041: true
+rhel_08_020050: true
+rhel_08_020060: true
+rhel_08_020070: true
+rhel_08_020080: true
+rhel_08_020090: true
+rhel_08_020100: true
+rhel_08_020110: true
+rhel_08_020120: true
+rhel_08_020130: true
+rhel_08_020140: true
+rhel_08_020150: true
+rhel_08_020160: true
+rhel_08_020170: true
+rhel_08_020180: true
+rhel_08_020190: true
+rhel_08_020200: true
+rhel_08_020210: true
+rhel_08_020220: true
+rhel_08_020230: true
+rhel_08_020231: true
+rhel_08_020240: true
+rhel_08_020250: true
+rhel_08_020260: true
+rhel_08_020270: true
+rhel_08_020280: true
+rhel_08_020290: true
+rhel_08_020300: true
+rhel_08_020310: true
+rhel_08_020320: true
+rhel_08_020350: true
rhel_08_030000: false rhel_08_030010: false rhel_08_030020: false @@ -502,13 +518,15 @@ rhel8stig_pam_pwhistory: remember: 5 retries: 3 -# RHEL-08-010320 -# RHEL-08-010330 +# RHEL-08-020010 +# RHEL-08-020011 +# RHEL-08-020012 +# RHEL-08-020013 # pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes. rhel8stig_pam_faillock: attempts: 3 interval: 900 - unlock_time: 900 + unlock_time: 0 fail_for_root: yes # RHEL-08-030670 @@ -644,4 +662,8 @@ rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-gcm@openssh.com,aes256-c # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain -VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 -rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" \ No newline at end of file +rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" + +# RHEL-08-020070 +# This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less +rhel8stig_tmux_lock_after_time: 900 \ No newline at end of file diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3e78d81f..956c91a4 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
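Review bot: `rhel_08_010810` is commented out on the new side of the first defaults hunk while every other rule flag in the range is set to `true`; if the RHEL-08-010810 task in tasks/fix-cat2.yml (still present as context at the end of the preceding fix-cat2 hunk) keeps a `when: rhel_08_010810` guard, that conditional now evaluates an undefined variable and the play fails instead of skipping the task. Keep an explicit default, `rhel_08_010810: false` if the rule is meant to stay disabled, or remove the task together with its flag. The same consideration applies to any other flag that is commented out rather than set.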
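Review bot: The `unlock_time` change from `900` to `0` in the second defaults hunk changes behavior more than the surrounding text conveys: for pam_faillock a value of 0 means the lockout never expires and an administrator has to clear it with `faillock --reset`, yet the comment above still reads `accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes`. Document the semantics next to the value, e.g. `# unlock_time: 0 = locked until an administrator runs faillock --reset (no automatic unlock)`, so operators understand the lockout policy before applying this default to a fleet.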
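Review bot: The third defaults hunk moves the missing trailing newline from `rhel8stig_gnutls_encryption` to the new last line `rhel8stig_tmux_lock_after_time: 900`, so `\ No newline at end of file` still applies to defaults/main.yml. Add a final newline so the next append does not produce another spurious one-line change and so yamllint's `new-line-at-end-of-file` check passes.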
@@ -1618,6 +1618,1293 @@
 - complexity-high
 - mount
 - home
+
+- name: "MEDIUM | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: ^PermitUserEnvironment
+ line: 'PermitUserEnvironment no'
+ notify: restart sshd
+ when:
+ - rhel_08_010830
+ - rhel8stig_disruption_high
+ tags:
+ - RHEL-08-010830
+ - ssh
+ - disruption_high
+
+- name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
+ debug:
+ msg:
+ - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
+ - "To do this please run sudo chage -l account_name for the accounts you need to check"
+ - "The results will display the Account Expires information"
+ - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name'
+ when:
+ - rhel_08_020000
+ tags:
+ - RHEL-08-020000
+
+- name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020010
+ tags:
+ - RHEL-08-020010
+ - pamd
+
+- name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^deny =|^\# deny ='
+ line: "deny = {{ rhel8stig_pam_faillock.attempts }}"
+ when:
+ - rhel_08_020011
+ tags:
+ - RHEL-08-020011
+ - pamd
+
+- name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020012
+ tags:
+ - RHEL-08-020012
+ - pamd
+
+- name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set fail_interval in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^fail_interval =|^\# fail_interval ='
+ line: "fail_interval = {{ rhel8stig_pam_faillock.interval }} }}"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020013
+ tags:
+ - RHEL-08-020013
+ - pamd
+
+- name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020013
+ tags:
+ - RHEL-08-020013
+ - pamd
+
+- name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^unlock_time =|^\# unlock_time ='
+ line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020015
+ tags:
+ - RHEL-08-020015
+ - pamd
+
+- name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist."
+ block:
+ - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020016
+ tags:
+ - RHEL-08-020016
+ - pamd
+
+- name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist."
+ block:
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. 
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^dir =|^\# dir ='
+ line: "dir = /var/log/faillock"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020017
+ tags:
+ - RHEL-08-020017
+ - pamd
+
+- name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020018
+ tags:
+ - RHEL-08-020018
+ - pamd
+
+- name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. 
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^silent|^\# silent'
+ line: "silent"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020019
+ tags:
+ - RHEL-08-020019
+ - pamd
+
+- name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020020
+ tags:
+ - RHEL-08-020020
+ - pamd
+
+- name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. 
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^audit|^\# audit'
+ line: "audit"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020021
+ tags:
+ - RHEL-08-020021
+ - pamd
+
+- name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020022
+ tags:
+ - RHEL-08-020022
+ - pamd
+
+- name: "MEDIUM | RHEL-020023| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^even_deny_root|^\# even_deny_root'
+ line: "even_deny_root"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020023
+ tags:
+ - RHEL-08-020023
+ - pamd
+
+- name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
+ block:
+ - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. 
| Check for lock-enabled"
+ command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020030_lock_enabled
+
+ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
+ lineinfile:
+ path: "{{ rhel_08_020030_lock_enabled.stdout }}"
+ regexp: '^lock-enabled'
+ line: lock-enabled=true
+ when: rhel_08_020030_lock_enabled.stdout != ""
+ notify: dconf update
+
+ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist"
+ lineinfile:
+ path: /etc/dconf/db/local.d/00-screensaver
+ create: yes
+ regexp: '^lock-enabled'
+ line: |
+ [org/gnome/desktop/screensaver]
+ # Set this to true to lock the screen when the screensaver activates
+ lock-enabled=true
+ when: rhel_08_020030_lock_enabled.stdout == ""
+ notify: dconf update
+ when:
+ - rhel_08_020030
+ - rhel8stig_dconf_available
+ tags:
+ - RHEL-08-020030
+ - gui
+
+- name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
+ block:
+ - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux"
+ dnf:
+ name: tmux
+ state: present
+
+ - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. 
| Configure tmux"
+ lineinfile:
+ path: /etc/tmux.conf
+ regexp: '^set \-g'
+ line: "set -g lock-command vlock"
+ create: yes
+ when:
+ - rhel_08_020040
+ tags:
+ - RHEL-08-020040
+ - tmux
+
+- name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization."
+ lineinfile:
+ path: /etc/bashrc
+ regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]'
+ line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
+ when:
+ - rhel_08_020041
+ tags:
+ - RHEL-08-020041
+ - tmux
+
+- name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."
+ block:
+ - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
+ shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020050_removal_action
+
+ - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
+ shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020050_removal_action_file
+
+ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
| Set removal-action param if doesn't exist"
+ lineinfile:
+ path: /etc/dconf/db/distro.d/20-authselect
+ create: yes
+ line: |
+ [org/gnome/settings-daemon/peripherals/smartcard]
+ removal-action='lock-screen'
+ when: rhel_08_020050_removal_action.stdout == ""
+ notify: dconf update
+
+ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists"
+ lineinfile:
+ path: "{{ rhel_08_020050_removal_action.stdout }}"
+ regexp: ^removal-action=
+ line: removal-action='lock-screen'
+ when: rhel_08_020050_removal_action.stdout != ""
+ notify: dconf update
+
+ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
+ lineinfile:
+ path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}'
+ line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
+ when: rhel_08_020050_removal_action_file.stdout != ""
+ notify: dconf update
+
+ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
+ lineinfile:
+ path: /etc/dconf/db/distro.d/locks/20-authselect
+ create: yes
+ line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
+ when: rhel_08_020050_removal_action_file.stdout == ""
+ notify: dconf update
+ when:
+ - rhel_08_020050
+ tags:
+ - RHEL-08-020050
+ - smartcard
+
+- name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity."
+ block:
+ - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. 
| Find idle-delay parameter"
+ shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020060_idle_delay_param
+
+ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist"
+ lineinfile:
+ path: /etc/dconf/db/local.d/00-screensaver
+ create: yes
+ regexp: '^idle-delay'
+ line: |
+ [org/gnome/desktop/session]
+ # Set the lock time out to 900 seconds before the session is considered idle
+ idle-delay=uint32 900
+ notify: dconf update
+ when: rhel_08_020060_idle_delay_param.stdout == ""
+
+ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists"
+ lineinfile:
+ path: "{{ rhel_08_020060_idle_delay_param.stdout }}"
+ regexp: '^idle-delay='
+ line: idle-delay=uint32 900
+ notify: dconf update
+ when: rhel_08_020060_idle_delay_param.stdout != ""
+ when:
+ - rhel_08_020060
+ - rhel8stig_dconf_available
+ tags:
+ - RHEL-08-020060
+ - gui
+
+- name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity."
+ lineinfile:
+ path: /etc/tmux.conf
+ regexp: '^set -g lock-after-time'
+ line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
+ when:
+ - rhel_08_020070
+ tags:
+ - RHEL-08-020070
+ - tmux
+
+- name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings." 
+ lineinfile:
+ path: /etc/dconf/db/local.d/locks/session
+ create: yes
+ line: "{{ item }}"
+ with_items:
+ - /org/gnome/desktop/session/idle-delay
+ - /org/gnome/desktop/screensaver/lock-enabled
+ - /org/gnome/desktop/screensaver/lock-delay
+ - /org/gnome/settings-daemon/plugins/media-keys/logout
+ - /org/gnome/login-screen/disable-user-list
+ - /org/gnome/login-screen/banner-message-text
+ - /org/gnome/login-screen/banner-message-enable
+ - /org/gnome/desktop/lockdown/disable-lock-screen
+ when:
+ - rhel_08_020080
+ # - rhel8stig_dconf_available
+ tags:
+ - RHEL-08-020080
+
+# Need to figure out real location of the sssd.conf. STIG and internet say /etc/sssd/sssd.conf but on the test system it's in /usr/lib64/sssd/conf/sssd.conf. Also need some default values/variables
+- name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
+ lineinfile:
+ path: "{{ rhel8stig_sssd_conf.stdout }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^\[certmap/testing.test/rule_name]', line: '[certmap/testing.test/rule_name]' }
+ - { regexp: '^matchrule =', line: 'matchrule =.*EDIPI@mil' }
+ - { regexp: '^maprule =', line: 'maprule = (userCertificate;binary={cert!bin})' }
+ - { regexp: 'dmains =', line: 'dmains = testing.test' }
+ notify: restart sssd
+ when:
+ - rhel_08_020090
+ tags:
+ - RHEL-08-020090
+
+- name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled." 
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ insertafter: '^password'
+ with_items:
+ - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
+ - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
+ when:
+ - rhel_08_020100
+ tags:
+ - RHEL-08-020100
+
+- name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*ucredit'
+ line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}"
+ when:
+ - rhel_08_020110
+ tags:
+ - RHEL-08-020110
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*lcredit'
+ line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}"
+ when:
+ - rhel_08_020120
+ tags:
+ - RHEL-08-020120
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*dcredit'
+ line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}"
+ when:
+ - rhel_08_020130
+ tags:
+ - RHEL-08-020130
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." 
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*maxclassrepeat'
+ line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}"
+ when:
+ - rhel_08_020140
+ tags:
+ - RHEL-08-020140
+ - pwquality
+
+- name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*maxrepeat'
+ line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}"
+ when:
+ - rhel_08_020150
+ tags:
+ - RHEL-08-020150
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*minclass'
+ line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}"
+ when:
+ - rhel_08_020160
+ tags:
+ - RHEL-08-020160
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*difok'
+ line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}"
+ when:
+ - rhel_08_020170
+ tags:
+ - RHEL-08-020170
+ - pwquality
+
+- name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."
+ block:
+ - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. 
| Get list of users"
+ command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020180_users
+
+ - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction"
+ command: chage -m 1 {{ item }}
+ with_items: "{{ rhel_08_020180_users.stdout_lines }}"
+ when:
+ - rhel_08_020180
+ tags:
+ - RHEL8-08-020180
+ - password
+
+- name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."
+ lineinfile:
+ path: /etc/login.defs
+ create: yes
+ regexp: ^#?PASS_MIN_DAYS
+ line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}"
+ when:
+ - rhel_08_020190
+ tags:
+ - RHEL-08-020190
+ - login
+
+- name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction."
+ lineinfile:
+ path: /etc/login.defs
+ create: yes
+ regexp: ^#?PASS_MAX_DAYS
+ line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}"
+ when:
+ - rhel_08_020200
+ tags:
+ - RHEL-08-020200
+ - login
+
+- name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
+ block:
+ - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. 
| Get list of users"
+ command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
+ check_mode: no
+ changed_when: rhel_08_020210_users.stdout != ""
+ register: rhel_08_020210_users
+
+ - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user."
+ command: chage -d '-1 day' {{ item }}
+ check_mode: "{{ rhel8stig_disruptive_check_mode }}"
+ with_items: "{{ rhel_08_020210_users.stdout_lines }}"
+
+ - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime"
+ command: chage -M 60 {{ item }}
+ check_mode: "{{ rhel8stig_disruptive_check_mode }}"
+ with_items: "{{ rhel_08_020210_users.stdout_lines }}"
+ when:
+ - rhel_08_020210
+ - rhel8stig_disruption_high
+ tags:
+ - RHEL-08-020210
+ - disruption-high
+ - password
+
+- name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations."
+ block:
+ - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists"
+ pamd:
+ name: "{{ item }}"
+ state: before
+ type: password
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: password
+ new_control: required
+ new_module_path: pam_pwhistory.so
+ with_items:
+ - "system-auth"
+ - "password-auth"
+
+ # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent
+ - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Check for existing password history reuse settings"
+ command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}"
+ check_mode: no
+ changed_when: no
+ failed_when: rhel_08_020220_pw_hist_settings.rc > 1
+ register: rhel_08_020220_pw_hist_settings
+ with_items:
+ - "system-auth"
+ - "password-auth"
+
+ # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following.
+ - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set"
+ pamd:
+ name: "{{ item.item }}"
+ state: updated
+ type: password
+ control: required
+ module_path: pam_pwhistory.so
+ module_arguments:
+ - use_authtok
+ - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}
+ - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}
+ with_items: "{{ rhel_08_020220_pw_hist_settings.results }}"
+ when: item.rc == 1
+ when:
+ - rhel_08_020220
+ tags:
+ - RHEL-08-020220
+ - pamd
+
+- name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*minlen'
+ line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}"
+ when:
+ - rhel_08_020230
+ tags:
+ - RHEL-08-020230
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters."
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN'
+ line: "PASS_MIN_LEN 15"
+ when:
+ - rhel_08_020231
+ tags:
+ - RHEL-08-020231
+ - passwords
+
+- name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." 
+ block:
+ - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users"
+ command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020240_duplicate_uid_users
+
+ - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users"
+ debug:
+ msg:
+ - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user"
+ - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}"
+ when:
+ - rhel_08_020240
+ tags:
+ - RHEL-08-020240
+
+- name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts."
+ block:
+ - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth"
+ shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020250_sc_auth_sss
+
+ - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth"
+ shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020250_system_auth_sss
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_cert_aut in sssd.conf"
+ lineinfile:
+ path: "{{ rhel8stig_sssd_conf.stdout }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ insertafter: "{{ item.insertafter }}"
+ notify: restart sssd
+ with_items:
+ - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
+ - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' }
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth"
+ lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ line: auth sufficient pam_sss.so try_cert_auth
+ notify: restart sssd
+ when: rhel_08_020250_sc_auth_sss.stdout == ""
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth"
+ pamd:
+ name: /etc/pam.d/smartcard-auth
+ state: updated
+ type: auth
+ control: sufficient
+ module_path: pam_sss.so
+ module_arguments: 'try_cert_auth'
+ notify: restart sssd
+ when: rhel_08_020250_sc_auth_sss.stdout != ""
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth"
+ pamd:
+ name: /etc/pam.d/system-auth
+ state: after
+ type: auth
+ control: required
+ module_path: pam_env.so
+ new_type: auth
+ new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
+ new_module_path: pam_sss.so
+ module_arguments: try_cert_auth
+ notify: restart sssd
+ when: rhel_08_020250_system_auth_sss.stdout == ""
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_sss.so if does exist in system-auth"
+ pamd:
+ name: /etc/pam.d/system-auth
+ state: updated
+ type: auth
+ control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
+ module_path: pam_env.so
+ module_arguments: try_cert_auth
+ notify: restart sssd
+ when: rhel_08_020250_system_auth_sss.stdout != ""
+ when:
+ - rhel_08_020250
+ tags:
+ - RHEL-08-020250
+ - pamd
+
+- name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity."
+ command: useradd -D -f 35
+ when:
+ - rhel_08_020260
+ tags:
+ - RHEL-08-020260
+ - useradd
+
+- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+ block:
+ - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+ command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020270_system_users
+
+ - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+ debug:
+ msg:
+ - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours"
+ - "{{ rhel_08_020270_system_users.stdout_lines }}"
+ when:
+ - rhel_08_020270
+ tags:
+ - RHEL-08-020270
+
+- name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character." 
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*ocredit'
+ line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}"
+ when:
+ - rhel_08_020280
+ tags:
+ - RHEL-08-020280
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day."
+ lineinfile:
+ path: "{{ rhel8stig_sssd_conf.stdout }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ insertafter: "{{ item.insertafter }}"
+ with_items:
+ - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
+ - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
+ when:
+ - rhel_08_020290
+ tags:
+ - RHEL-08-020290
+ - sssd
+
+- name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*dictcheck'
+ line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
+ when:
+ - rhel_08_020300
+ tags:
+ - RHEL-08-020300
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: ^#?FAIL_DELAY
+ line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}"
+ when:
+ - rhel_08_020310
+ tags:
+ - RHEL-08-020310
+ - login
+
+- name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts."
+ block:
+ - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. 
| Find unnecessary accounts"
+ command: "grep '^{{ item }}:' /etc/passwd"
+ check_mode: no
+ failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1
+ changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0
+ register: rhel_08_020320_unnecessary_accounts_found
+ with_items: "{{ rhel8stig_unnecessary_accounts }}"
+
+ - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts"
+ user:
+ name: "{{ item }}"
+ state: absent
+ remove: "{{ rhel8stig_remove_unnecessary_user_files }}"
+ register: rhel_08_020320_accounts_removed
+ with_items: "{{ rhel8stig_unnecessary_accounts }}"
+
+ - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file"
+ include_tasks: parse_etc_passwd.yml
+ vars:
+ rhel8stig_passwd_tasks: "RHEL-08-020320"
+ when: rhel_08_020320_accounts_removed is changed
+ when:
+ - rhel_08_020320
+ tags:
+ - RHEL-08-020320
+
+- name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "(?i)^#?PrintLastLog"
+ line: PrintLastLog yes
+ validate: /usr/sbin/sshd -t -f %s
+ notify: restart sshd
+ when:
+ - rhel_08_020350
+ - rhel8stig_ssh_required
+ tags:
+ - RHEL-08-020350
+ - ssh
 # ===========below here is old===========
 # - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date."
 # dnf: 
@@ -2753,767 +4040,767 @@
 # line: CREATE_HOME yes
 # when:
 # - rhel_01_010760
-# tags:
-# - REHL-08-010760
-# - login
-# - home
-
-# - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive."
-# file:
-# path: "{{ item }}"
-# mode: 0740
-# with_items:
-# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
-# when:
-# - rhel_08_010770
-# - rhel8stig_disruption_high
-# - rhel_08_stig_interactive_homedir_inifiles is defined
-# tags:
-# - RHEL-08-010770
-# - complexity-high
-
-# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
-# block:
-# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
-# shell: find / -nouser
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010780_nouser_files
-
-# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
-# debug:
-# msg:
-# - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner"
-# - "{{ rhel_08_010780_nouser_files.stdout_lines }}"
-# when: rhel_08_010780_nouser_files.stdout != ""
-# when:
-# - rhel_08_010780
-# tags:
-# - RHEL-08-010780
-
-# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner."
-# block:
-# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files"
-# shell: find / -nogroup
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010790_nogroup_files
-
-# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files"
-# debug:
-# msg:
-# - "ALERT!!!! There are files with no group assigned. 
Please review files listed below and assign group"
-# - "{{ rhel_08_010790_nogroup_files.stdout_lines }}"
-# when: rhel_08_010790_nogroup_files.stdout != ""
-# when:
-# - rhel_08_010790
-# tags:
-# - RHEL-08-010790
-
-# - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."
-# debug:
-# msg: "WARNING!!!! /home is not mounted on a separate partition"
-# changed_when:
-# - rhel8stig_audit_complex
-# when:
-# - rhel_08_010800
-# - not rhel8stig_system_is_container
-# - rhel8stig_complex
-# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0
-# tags:
-# - RHEL-08-010800
-# - complexity-high
-# - mount
-# - home
-
-- name: "MEDIUM | RHEL-08-010810 | PATCH | RHEL 8 default permissions must be defined in such a way that all authenticated users can only read and modify their own files"
- lineinfile:
- path: /etc/login.defs
- regexp: .*?UMASK.*
- line: 'UMASK 077'
- when:
- - rhel_08_010810
- tags:
- - RHEL-08-010810
- - login
- - umask
-
-- name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
- debug:
- msg:
- - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
- - "To do this please run sudo chage -l account_name for the accounts you need to check"
- - "The results will display the Account Expires information"
- - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name'
- when:
- - rhel_08_020000
- tags:
- - RHEL-08-020000
-
-- name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." 
- block:
- - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authsucc"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authsucc'
- line: 'auth required pam_faillock.so authsucc'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020010
- tags:
- - RHEL-08-020010
- - pamd
-
-- name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." 
- block:
- - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled"
- command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:"
- changed_when: false
- failed_when: false
- register: rhel_08_020030_lock_enabled
-
- - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
- lineinfile:
- path: "{{ rhel_08_020030_lock_enabled.stdout }}"
- regexp: '^lock-enabled'
- line: lock-enabled=true
- when: rhel_08_020030_lock_enabled.stdout != ""
- notify: dconf update
-
- - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist"
- lineinfile:
- path: /etc/dconf/db/local.d/00-screensaver
- create: yes
- regexp: '^lock-enabled'
- line: |
- [org/gnome/desktop/screensaver]
- # Set this to true to lock the screen when the screensaver activates
- lock-enabled=true
- when: rhel_08_020030_lock_enabled.stdout == ""
- notify: dconf update
- when:
- - rhel_08_020030
- - rhel8stig_dconf_available
- tags:
- - RHEL-08-020030
+# tags:
+# - REHL-08-010760
+# - login
+# - home
-- name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
- dnf:
- name: kbd
- state: present
- when:
- - rhel_08_020040
- tags:
- - RHEL-08-020040
+# - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." 
+# file:
+# path: "{{ item }}"
+# mode: 0740
+# with_items:
+# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+# when:
+# - rhel_08_010770
+# - rhel8stig_disruption_high
+# - rhel_08_stig_interactive_homedir_inifiles is defined
+# tags:
+# - RHEL-08-010770
+# - complexity-high
-- name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."
- block:
- - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
- shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:'
- changed_when: false
- failed_when: false
- register: rhel_08_020050_removal_action
+# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
+# block:
+# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
+# shell: find / -nouser
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010780_nouser_files
- - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
- shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'"
- changed_when: false
- failed_when: false
- register: rhel_08_020050_removal_action_file
+# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
+# debug:
+# msg:
+# - "ALERT!!! There are files with no user assigned. 
Please review files listed below and assign owner" +# - "{{ rhel_08_010780_nouser_files.stdout_lines }}" +# when: rhel_08_010780_nouser_files.stdout != "" +# when: +# - rhel_08_010780 +# tags: +# - RHEL-08-010780 - - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist" - lineinfile: - path: /etc/dconf/db/distro.d/20-authselect - create: yes - line: | - [org/gnome/settings-daemon/peripherals/smartcard] - removal-action='lock-screen' - when: rhel_08_020050_removal_action.stdout == "" - notify: dconf update +# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner." +# block: +# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files" +# shell: find / -nogroup +# changed_when: false +# failed_when: false +# register: rhel_08_010790_nogroup_files - - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" - lineinfile: - path: "{{ rhel_08_020050_removal_action.stdout }}" - regexp: ^removal-action= - line: removal-action='lock-screen' - when: rhel_08_020050_removal_action.stdout != "" - notify: dconf update +# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" +# debug: +# msg: +# - "ALERT!!!! There are files with no group assigned. 
Please review files listed below and assign group" +# - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" +# when: rhel_08_010790_nogroup_files.stdout != "" +# when: +# - rhel_08_010790 +# tags: +# - RHEL-08-010790 - - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" - lineinfile: - path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}' - line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - when: rhel_08_020050_removal_action_file.stdout != "" - notify: dconf update +# - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." +# debug: +# msg: "WARNING!!!! /home is not mounted on a separate partition" +# changed_when: +# - rhel8stig_audit_complex +# when: +# - rhel_08_010800 +# - not rhel8stig_system_is_container +# - rhel8stig_complex +# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 +# tags: +# - RHEL-08-010800 +# - complexity-high +# - mount +# - home - - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
| Set smartcard section of db" - lineinfile: - path: /etc/dconf/db/distro.d/locks/20-authselect - create: yes - line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - when: rhel_08_020050_removal_action_file.stdout == "" - notify: dconf update - when: - - rhel_08_020050 - tags: - - RHEL-08-020050 +# - name: "MEDIUM | RHEL-08-010810 | PATCH | RHEL 8 default permissions must be defined in such a way that all authenticated users can only read and modify their own files" +# lineinfile: +# path: /etc/login.defs +# regexp: .*?UMASK.* +# line: 'UMASK 077' +# when: +# - rhel_08_010810 +# tags: +# - RHEL-08-010810 +# - login +# - umask -- name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." - block: - - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" - shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' - changed_when: false - failed_when: false - register: rhel_08_020060_idle_delay_param +# - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less." +# debug: +# msg: +# - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less." +# - "To do this please run sudo chage -l account_name for the accounts you need to check" +# - "The results will display the Account Expires information" +# - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name' +# when: +# - rhel_08_020000 +# tags: +# - RHEL-08-020000 - - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. 
| Set idle-delay if doesn't exist" - lineinfile: - path: /etc/dconf/db/local.d/00-screensaver - create: yes - regexp: '^idle-delay' - line: | - [org/gnome/desktop/session] - # Set the lock time out to 900 seconds before the session is considered idle - idle-delay=uint32 900 - notify: dconf update - when: rhel_08_020060_idle_delay_param.stdout == "" +# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." +# block: +# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth - - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" - lineinfile: - path: "{{ rhel_08_020060_idle_delay_param.stdout }}" - regexp: '^idle-delay=' - line: idle-delay=uint32 900 - notify: dconf update - when: rhel_08_020060_idle_delay_param.stdout != "" - when: - - rhel_08_020060 - - rhel8stig_dconf_available - tags: - - RHEL-08-020060 +# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth -- name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." - blockinfile: - create: yes - mode: 0644 - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - STIG ID RHEL-08-020070 - TMOUT={{ rhel8stig_shell_session_timeout.timeout }} - readonly TMOUT - export TMOUT - with_items: - - dest: "{{ rhel8stig_shell_session_timeout.file }}" - state: present - - dest: /etc/profile - state: "{{ (rhel8stig_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" - when: - - rhel_08_020070 - tags: - - RHEL-08-020070 - - profile +# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authsucc" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authsucc' +# line: 'auth required pam_faillock.so authsucc' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020010 +# tags: +# - RHEL-08-020010 +# - pamd -- name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings." 
- lineinfile: - path: /etc/dconf/db/local.d/locks/session - create: yes - line: "{{ item }}" - with_items: - - /org/gnome/desktop/session/idle-delay - - /org/gnome/desktop/screensaver/lock-enabled - - /org/gnome/desktop/screensaver/lock-delay - - /org/gnome/settings-daemon/plugins/media-keys/logout - - /org/gnome/login-screen/disable-user-list - - /org/gnome/login-screen/banner-message-text - - /org/gnome/login-screen/banner-message-enable - - /org/gnome/desktop/lockdown/disable-lock-screen - when: - - rhel_08_020080 - # - rhel8stig_dconf_available - tags: - - RHEL-08-020080 +# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." +# block: +# - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" +# command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" +# changed_when: false +# failed_when: false +# register: rhel_08_020030_lock_enabled -# Need to figure out real location of the sssd.conf. STIG and internet say /etc/sssd/sssd.conf but on the test system it's in /usr/lib64/sssd/conf/sssd.conf. Also need some default values/variables -- name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." 
- lineinfile: - path: "{{ rhel8stig_sssd_conf.stdout }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^\[certmap/testing.test/rule_name]', line: '[certmap/testing.test/rule_name]' } - - { regexp: '^matchrule =', line: 'matchrule =.*EDIPI@mil' } - - { regexp: '^maprule =', line: 'maprule = (userCertificate;binary={cert!bin})' } - - { regexp: 'dmains =', line: 'dmains = testing.test' } - notify: dconf update - when: - - rhel_08_020090 - tags: - - RHEL-08-020090 +# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists" +# lineinfile: +# path: "{{ rhel_08_020030_lock_enabled.stdout }}" +# regexp: '^lock-enabled' +# line: lock-enabled=true +# when: rhel_08_020030_lock_enabled.stdout != "" +# notify: dconf update -- name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled." - lineinfile: - path: "{{ item.path }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: '^password' - with_items: - - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } - - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } - when: - - rhel_08_020100 - tags: - - RHEL-08-020100 +# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. 
| Set if does not exist" +# lineinfile: +# path: /etc/dconf/db/local.d/00-screensaver +# create: yes +# regexp: '^lock-enabled' +# line: | +# [org/gnome/desktop/screensaver] +# # Set this to true to lock the screen when the screensaver activates +# lock-enabled=true +# when: rhel_08_020030_lock_enabled.stdout == "" +# notify: dconf update +# when: +# - rhel_08_020030 +# - rhel8stig_dconf_available +# tags: +# - RHEL-08-020030 -- name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*ucredit' - line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" - when: - - rhel_08_020110 - tags: - - RHEL-08-020110 - - pwquality +# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions." +# dnf: +# name: kbd +# state: present +# when: +# - rhel_08_020040 +# tags: +# - RHEL-08-020040 -- name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*lcredit' - line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}" - when: - - rhel_08_020120 - tags: - - RHEL-08-020120 - - pwquality +# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." +# block: +# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
| Find removal-action param" +# shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' +# changed_when: false +# failed_when: false +# register: rhel_08_020050_removal_action -- name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*dcredit' - line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}" - when: - - rhel_08_020130 - tags: - - RHEL-08-020130 - - pwquality +# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" +# shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" +# changed_when: false +# failed_when: false +# register: rhel_08_020050_removal_action_file -- name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*maxclassrepeat' - line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" - when: - - rhel_08_020140 - tags: - - RHEL-08-020140 - - pwquality +# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
| Set removal-action param if doesn't exist" +# lineinfile: +# path: /etc/dconf/db/distro.d/20-authselect +# create: yes +# line: | +# [org/gnome/settings-daemon/peripherals/smartcard] +# removal-action='lock-screen' +# when: rhel_08_020050_removal_action.stdout == "" +# notify: dconf update + +# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" +# lineinfile: +# path: "{{ rhel_08_020050_removal_action.stdout }}" +# regexp: ^removal-action= +# line: removal-action='lock-screen' +# when: rhel_08_020050_removal_action.stdout != "" +# notify: dconf update -- name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*maxrepeat' - line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}" - when: - - rhel_08_020150 - tags: - - RHEL-08-020150 - - pwquality +# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" +# lineinfile: +# path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}' +# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action +# when: rhel_08_020050_removal_action_file.stdout != "" +# notify: dconf update -- name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed." 
- lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*minclass' - line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}" - when: - - rhel_08_020160 - tags: - - RHEL-08-020160 - - pwquality +# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" +# lineinfile: +# path: /etc/dconf/db/distro.d/locks/20-authselect +# create: yes +# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action +# when: rhel_08_020050_removal_action_file.stdout == "" +# notify: dconf update +# when: +# - rhel_08_020050 +# tags: +# - RHEL-08-020050 -- name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*difok' - line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}" - when: - - rhel_08_020170 - tags: - - RHEL-08-020170 - - pwquality +# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." +# block: +# - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" +# shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' +# changed_when: false +# failed_when: false +# register: rhel_08_020060_idle_delay_param -- name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow." - block: - - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. 
| Get list of users" - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" - changed_when: false - failed_when: false - register: rhel_08_020180_users +# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist" +# lineinfile: +# path: /etc/dconf/db/local.d/00-screensaver +# create: yes +# regexp: '^idle-delay' +# line: | +# [org/gnome/desktop/session] +# # Set the lock time out to 900 seconds before the session is considered idle +# idle-delay=uint32 900 +# notify: dconf update +# when: rhel_08_020060_idle_delay_param.stdout == "" + +# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" +# lineinfile: +# path: "{{ rhel_08_020060_idle_delay_param.stdout }}" +# regexp: '^idle-delay=' +# line: idle-delay=uint32 900 +# notify: dconf update +# when: rhel_08_020060_idle_delay_param.stdout != "" +# when: +# - rhel_08_020060 +# - rhel8stig_dconf_available +# tags: +# - RHEL-08-020060 - - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction" - command: chage -m 1 {{ item }} - with_items: "{{ rhel_08_020180_users.stdout_lines }}" - when: - - rhel_08_020180 - tags: - - RHEL8-08-020180 - - password +# - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." 
+# blockinfile: +# create: yes +# mode: 0644 +# dest: "{{ item.dest }}" +# state: "{{ item.state }}" +# marker: "# {mark} ANSIBLE MANAGED" +# block: | +# # Set session timeout - STIG ID RHEL-08-020070 +# TMOUT={{ rhel8stig_shell_session_timeout.timeout }} +# readonly TMOUT +# export TMOUT +# with_items: +# - dest: "{{ rhel8stig_shell_session_timeout.file }}" +# state: present +# - dest: /etc/profile +# state: "{{ (rhel8stig_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" +# when: +# - rhel_08_020070 +# tags: +# - RHEL-08-020070 +# - profile -- name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def." - lineinfile: - path: /etc/login.defs - create: yes - regexp: ^#?PASS_MIN_DAYS - line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}" - when: - - rhel_08_020190 - tags: - - RHEL-08-020190 - - login +# - name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings." +# lineinfile: +# path: /etc/dconf/db/local.d/locks/session +# create: yes +# line: "{{ item }}" +# with_items: +# - /org/gnome/desktop/session/idle-delay +# - /org/gnome/desktop/screensaver/lock-enabled +# - /org/gnome/desktop/screensaver/lock-delay +# - /org/gnome/settings-daemon/plugins/media-keys/logout +# - /org/gnome/login-screen/disable-user-list +# - /org/gnome/login-screen/banner-message-text +# - /org/gnome/login-screen/banner-message-enable +# - /org/gnome/desktop/lockdown/disable-lock-screen +# when: +# - rhel_08_020080 +# # - rhel8stig_dconf_available +# tags: +# - RHEL-08-020080 -- name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction." 
- lineinfile: - path: /etc/login.defs - create: yes - regexp: ^#?PASS_MAX_DAYS - line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}" - when: - - rhel_08_020200 - tags: - - RHEL-08-020200 - - login +# # Need to figure out real location of the sssd.conf. STIG and internet say /etc/sssd/sssd.conf but on the test system it's in /usr/lib64/sssd/conf/sssd.conf. Also need some default values/variables +# - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." +# lineinfile: +# path: "{{ rhel8stig_sssd_conf.stdout }}" +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^\[certmap/testing.test/rule_name]', line: '[certmap/testing.test/rule_name]' } +# - { regexp: '^matchrule =', line: 'matchrule =.*EDIPI@mil' } +# - { regexp: '^maprule =', line: 'maprule = (userCertificate;binary={cert!bin})' } +# - { regexp: 'dmains =', line: 'dmains = testing.test' } +# notify: dconf update +# when: +# - rhel_08_020090 +# tags: +# - RHEL-08-020090 -- name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime." - block: - - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users" - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" - check_mode: no - changed_when: rhel_08_020210_users.stdout != "" - register: rhel_08_020210_users +# - name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled." 
+# lineinfile: +# path: "{{ item.path }}" +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: '^password' +# with_items: +# - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } +# - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } +# when: +# - rhel_08_020100 +# tags: +# - RHEL-08-020100 - - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user." - command: chage -d '-1 day' {{ item }} - check_mode: "{{ rhel8stig_disruptive_check_mode }}" - with_items: "{{ rhel_08_020210_users.stdout_lines }}" +# - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used." +# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*ucredit' +# line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" +# when: +# - rhel_08_020110 +# tags: +# - RHEL-08-020110 +# - pwquality - - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime" - command: chage -M 60 {{ item }} - check_mode: "{{ rhel8stig_disruptive_check_mode }}" - with_items: "{{ rhel_08_020210_users.stdout_lines }}" - when: - - rhel_08_020210 - - rhel8stig_disruption_high - tags: - - RHEL-08-020210 - - disruption-high - - password +# - name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used." 
+# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*lcredit' +# line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}" +# when: +# - rhel_08_020120 +# tags: +# - RHEL-08-020120 +# - pwquality -- name: "MEDIUM | RHEL-08-020220 | PATCH | 8 passwords must be prohibited from reuse for a minimum of five generations." - block: - - name: "MEDIUM | RHEL-08-020220 | PATCH | 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" - pamd: - name: "{{ item }}" - state: before - type: password - control: sufficient - module_path: pam_unix.so - new_type: password - new_control: required - new_module_path: pam_pwhistory.so - with_items: - - "system-auth" - - "password-auth" +# - name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used." +# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*dcredit' +# line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}" +# when: +# - rhel_08_020130 +# tags: +# - RHEL-08-020130 +# - pwquality - # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent - - name: "MEDIUM | RHEL-08-020220 | AUDIT | 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Check for existing password history reuse settings" - command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" - check_mode: no - changed_when: no - failed_when: rhel_08_020220_pw_hist_settings.rc > 1 - register: rhel_08_020220_pw_hist_settings - with_items: - - "system-auth" - - "password-auth" +# - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." +# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*maxclassrepeat' +# line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" +# when: +# - rhel_08_020140 +# tags: +# - RHEL-08-020140 +# - pwquality - # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - - name: "MEDIUM | RHEL-08-020220 | PATCH | 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set" - pamd: - name: "{{ item.item }}" - state: updated - type: password - control: required - module_path: pam_pwhistory.so - module_arguments: - - use_authtok - - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }} - - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }} - with_items: "{{ rhel_08_020220_pw_hist_settings.results }}" - when: item.rc == 1 - when: - - rhel_08_020220 - tags: - - RHEL-08-020220 - - pamd +# - name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." 
+# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*maxrepeat' +# line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}" +# when: +# - rhel_08_020150 +# tags: +# - RHEL-08-020150 +# - pwquality -- name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*minlen' - line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}" - when: - - rhel_08_020230 - tags: - - RHEL-08-020230 - - pwquality +# - name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed." +# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*minclass' +# line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}" +# when: +# - rhel_08_020160 +# tags: +# - RHEL-08-020160 +# - pwquality -- name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." - block: - - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users" - command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd - changed_when: false - failed_when: false - register: rhel_08_020240_duplicate_uid_users +# - name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed." +# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*difok' +# line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}" +# when: +# - rhel_08_020170 +# tags: +# - RHEL-08-020170 +# - pwquality - - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" - debug: - msg: - - "ALERT!!! Below are a list of users with duplicate UID's. 
Please review and create a unique ID for each user" - - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" - when: - - rhel_08_020240 - tags: - - RHEL-08-020240 +# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow." +# block: +# - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Get list of users" +# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" +# changed_when: false +# failed_when: false +# register: rhel_08_020180_users + +# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction" +# command: chage -m 1 {{ item }} +# with_items: "{{ rhel_08_020180_users.stdout_lines }}" +# when: +# - rhel_08_020180 +# tags: +# - RHEL8-08-020180 +# - password + +# - name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def." +# lineinfile: +# path: /etc/login.defs +# create: yes +# regexp: ^#?PASS_MIN_DAYS +# line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}" +# when: +# - rhel_08_020190 +# tags: +# - RHEL-08-020190 +# - login -- name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts." - block: - # - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Find sssd.conf file for path" - # find: - # paths: / - # recurse: yes - # patterns: sssd.conf - # register: rhel_08_020250_sssd_conf +# - name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction." +# lineinfile: +# path: /etc/login.defs +# create: yes +# regexp: ^#?PASS_MAX_DAYS +# line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}" +# when: +# - rhel_08_020200 +# tags: +# - RHEL-08-020200 +# - login - - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth" - shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth - changed_when: false - failed_when: false - register: rhel_08_020250_sc_auth_sss +# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime." +# block: +# - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users" +# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" +# check_mode: no +# changed_when: rhel_08_020210_users.stdout != "" +# register: rhel_08_020210_users + +# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user." +# command: chage -d '-1 day' {{ item }} +# check_mode: "{{ rhel8stig_disruptive_check_mode }}" +# with_items: "{{ rhel_08_020210_users.stdout_lines }}" + +# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. 
| Set 60 max lifetime" +# command: chage -M 60 {{ item }} +# check_mode: "{{ rhel8stig_disruptive_check_mode }}" +# with_items: "{{ rhel_08_020210_users.stdout_lines }}" +# when: +# - rhel_08_020210 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-020210 +# - disruption-high +# - password - - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth" - shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth - changed_when: false - failed_when: false - register: rhel_08_020250_system_auth_sss +# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations." +# block: +# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" +# pamd: +# name: "{{ item }}" +# state: before +# type: password +# control: sufficient +# module_path: pam_unix.so +# new_type: password +# new_control: required +# new_module_path: pam_pwhistory.so +# with_items: +# - "system-auth" +# - "password-auth" - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_cert_aut in sssd.conf" - lineinfile: - path: "{{ rhel8stig_sssd_conf.stdout }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - notify: restart sssd - with_items: - - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' } +# # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent +# - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Check for existing password history reuse settings" +# command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" +# check_mode: no +# changed_when: no +# failed_when: rhel_08_020220_pw_hist_settings.rc > 1 +# register: rhel_08_020220_pw_hist_settings +# with_items: +# - "system-auth" +# - "password-auth" + +# # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. +# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Ensure pam_pwhistory module arguments are set" +# pamd: +# name: "{{ item.item }}" +# state: updated +# type: password +# control: required +# module_path: pam_pwhistory.so +# module_arguments: +# - use_authtok +# - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }} +# - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }} +# with_items: "{{ rhel_08_020220_pw_hist_settings.results }}" +# when: item.rc == 1 +# when: +# - rhel_08_020220 +# tags: +# - RHEL-08-020220 +# - pamd - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth" - lineinfile: - path: /etc/pam.d/smartcard-auth - line: auth sufficient pam_sss.so try_cert_auth - notify: restart sssd - when: rhel_08_020250_sc_auth_sss.stdout == "" +# - name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." +# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*minlen' +# line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}" +# when: +# - rhel_08_020230 +# tags: +# - RHEL-08-020230 +# - pwquality - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth" - pamd: - name: /etc/pam.d/smartcard-auth - state: updated - type: auth - control: sufficient - module_path: pam_sss.so - module_arguments: 'try_cert_auth' - notify: restart sssd - when: rhel_08_020250_sc_auth_sss.stdout != "" +# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." +# block: +# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. 
| Get duplicate UID users" +# command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd +# changed_when: false +# failed_when: false +# register: rhel_08_020240_duplicate_uid_users - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth" - pamd: - name: /etc/pam.d/system-auth - state: after - type: auth - control: required - module_path: pam_env.so - new_type: auth - new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' - new_module_path: pam_sss.so - module_arguments: try_cert_auth - notify: restart sssd - when: rhel_08_020250_system_auth_sss.stdout == "" +# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" +# debug: +# msg: +# - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" +# - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" +# when: +# - rhel_08_020240 +# tags: +# - RHEL-08-020240 - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth" - pamd: - name: /etc/pam.d/system-auth - state: updated - type: auth - control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' - module_path: pam_env.so - module_arguments: try_cert_auth - notify: restart sssd - when: rhel_08_020250_system_auth_sss.stdout != "" - when: - - rhel_08_020250 - tags: - - RHEL-08-020250 - - pamd +# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts." +# block: +# # - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Find sssd.conf file for path" +# # find: +# # paths: / +# # recurse: yes +# # patterns: sssd.conf +# # register: rhel_08_020250_sssd_conf + +# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth" +# shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth +# changed_when: false +# failed_when: false +# register: rhel_08_020250_sc_auth_sss -- name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity." - command: useradd -D -f 35 - when: - - rhel_08_020260 - tags: - - RHEL-08-020260 - - useradd +# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth" +# shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth +# changed_when: false +# failed_when: false +# register: rhel_08_020250_system_auth_sss -- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - block: - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" - changed_when: false - failed_when: false - register: rhel_08_020270_system_users +# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_cert_aut in sssd.conf" +# lineinfile: +# path: "{{ rhel8stig_sssd_conf.stdout }}" +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# notify: restart sssd +# with_items: +# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } +# - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' } - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - debug: - msg: - - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" - - "{{ rhel_08_020270_system_users.stdout_lines }}" - when: - - rhel_08_020270 - tags: - - RHEL-08-020270 +# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth" +# lineinfile: +# path: /etc/pam.d/smartcard-auth +# line: auth sufficient pam_sss.so try_cert_auth +# notify: restart sssd +# when: rhel_08_020250_sc_auth_sss.stdout == "" + +# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth" +# pamd: +# name: /etc/pam.d/smartcard-auth +# state: updated +# type: auth +# control: sufficient +# module_path: pam_sss.so +# module_arguments: 'try_cert_auth' +# notify: restart sssd +# when: rhel_08_020250_sc_auth_sss.stdout != "" + +# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_sss.so if doesn't exist in system-auth" +# pamd: +# name: /etc/pam.d/system-auth +# state: after +# type: auth +# control: required +# module_path: pam_env.so +# new_type: auth +# new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' +# new_module_path: pam_sss.so +# module_arguments: try_cert_auth +# notify: restart sssd +# when: rhel_08_020250_system_auth_sss.stdout == "" + +# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth" +# pamd: +# name: /etc/pam.d/system-auth +# state: updated +# type: auth +# control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' +# module_path: pam_env.so +# module_arguments: try_cert_auth +# notify: restart sssd +# when: rhel_08_020250_system_auth_sss.stdout != "" +# when: +# - rhel_08_020250 +# tags: +# - RHEL-08-020250 +# - pamd -- name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*ocredit' - line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}" - when: - - rhel_08_020280 - tags: - - RHEL-08-020280 - - pwquality +# - name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity." +# command: useradd -D -f 35 +# when: +# - rhel_08_020260 +# tags: +# - RHEL-08-020260 +# - useradd -- name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." 
- lineinfile: - path: "{{ rhel8stig_sssd_conf.stdout }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - with_items: - - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } - when: - - rhel_08_020290 - tags: - - RHEL-08-020290 - - sssd +# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." +# block: +# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." +# command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" +# changed_when: false +# failed_when: false +# register: rhel_08_020270_system_users -- name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*dictcheck' - line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}" - when: - - rhel_08_020300 - tags: - - RHEL-08-020300 - - pwquality +# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." +# debug: +# msg: +# - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" +# - "{{ rhel_08_020270_system_users.stdout_lines }}" +# when: +# - rhel_08_020270 +# tags: +# - RHEL-08-020270 -- name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." 
- lineinfile: - dest: /etc/login.defs - regexp: ^#?FAIL_DELAY - line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" - when: - - rhel_08_020310 - tags: - - RHEL-08-020310 - - login +# - name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character." +# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*ocredit' +# line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}" +# when: +# - rhel_08_020280 +# tags: +# - RHEL-08-020280 +# - pwquality -- name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts." - block: - - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts" - command: "grep '^{{ item }}:' /etc/passwd" - check_mode: no - failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1 - changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0 - register: rhel_08_020320_unnecessary_accounts_found - with_items: "{{ rhel8stig_unnecessary_accounts }}" +# - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." +# lineinfile: +# path: "{{ rhel8stig_sssd_conf.stdout }}" +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# with_items: +# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } +# - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } +# when: +# - rhel_08_020290 +# tags: +# - RHEL-08-020290 +# - sssd - - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. 
| Remove accounts" - user: - name: "{{ item }}" - state: absent - remove: "{{ rhel8stig_remove_unnecessary_user_files }}" - register: rhel_08_020320_accounts_removed - with_items: "{{ rhel8stig_unnecessary_accounts }}" +# - name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords." +# lineinfile: +# path: /etc/security/pwquality.conf +# create: yes +# regexp: '^#?\s*dictcheck' +# line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}" +# when: +# - rhel_08_020300 +# tags: +# - RHEL-08-020300 +# - pwquality - - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" - include_tasks: parse_etc_passwd.yml - vars: - rhel8stig_passwd_tasks: "RHEL-08-020320" - when: rhel_08_020320_accounts_removed is changed - when: - - rhel_08_020320 - tags: - - RHEL-08-020320 +# - name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." +# lineinfile: +# dest: /etc/login.defs +# regexp: ^#?FAIL_DELAY +# line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" +# when: +# - rhel_08_020310 +# tags: +# - RHEL-08-020310 +# - login -- name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "(?i)^#?PrintLastLog" - line: PrintLastLog yes - validate: /usr/sbin/sshd -t -f %s - notify: restart sshd - when: - - rhel_08_020350 - - rhel8stig_ssh_required - tags: - - RHEL-08-020350 - - ssh +# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts." +# block: +# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. 
| Find unnecessary accounts" +# command: "grep '^{{ item }}:' /etc/passwd" +# check_mode: no +# failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1 +# changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0 +# register: rhel_08_020320_unnecessary_accounts_found +# with_items: "{{ rhel8stig_unnecessary_accounts }}" + +# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts" +# user: +# name: "{{ item }}" +# state: absent +# remove: "{{ rhel8stig_remove_unnecessary_user_files }}" +# register: rhel_08_020320_accounts_removed +# with_items: "{{ rhel8stig_unnecessary_accounts }}" + +# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" +# include_tasks: parse_etc_passwd.yml +# vars: +# rhel8stig_passwd_tasks: "RHEL-08-020320" +# when: rhel_08_020320_accounts_removed is changed +# when: +# - rhel_08_020320 +# tags: +# - RHEL-08-020320 + +# - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." +# lineinfile: +# dest: /etc/ssh/sshd_config +# regexp: "(?i)^#?PrintLastLog" +# line: PrintLastLog yes +# validate: /usr/sbin/sshd -t -f %s +# notify: restart sshd +# when: +# - rhel_08_020350 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-020350 +# - ssh - name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software." lineinfile: From f2adb7df07e6791ff45ad022b5fa4a50d2d1eaa5 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 12 Jan 2021 17:04:06 -0500 Subject: [PATCH 09/15] cat2 synced with release of STIG 020351 - 030070 
Signed-off-by: George Nalen
---
 defaults/main.yml | 21 ++-
 tasks/fix-cat2.yml | 363 +++++++++++++++++++++++++++++++++------------
 2 files changed, 280 insertions(+), 104 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 322a54c8..95b5f642 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -223,14 +223,19 @@ rhel_08_020300: true
 rhel_08_020310: true
 rhel_08_020320: true
 rhel_08_020350: true
-rhel_08_030000: false
-rhel_08_030010: false
-rhel_08_030020: false
-rhel_08_030030: false
-rhel_08_030040: false
-rhel_08_030050: false
-rhel_08_030060: false
-rhel_08_030070: false
+rhel_08_020351: true
+rhel_08_020352: true
+rhel_08_020353: true
+rhel_08_030000: true
+rhel_08_030010: true
+rhel_08_030020: true
+rhel_08_030030: true
+rhel_08_030040: true
+rhel_08_030050: true
+rhel_08_030060: true
+rhel_08_030061: true
+rhel_08_030062: true
+rhel_08_030070: true
 rhel_08_030080: false
 rhel_08_030090: false
 rhel_08_030100: false
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 956c91a4..b05108c1 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -2905,6 +2905,177 @@
 tags:
 - RHEL-08-020350
 - ssh
+
+- name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
+ lineinfile:
+ path: /etc/login.defs
+ regexp: .*?UMASK.*
+ line: 'UMASK 077'
+ when:
+ - rhel_08_020351
+ tags:
+ - RHEL-08-020351
+
+- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts."
+ block:
+ - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files"
+ find:
+ paths: /home
+ patterns: '^\.'
+ contains: 'umask'
+ recurse: yes
+ hidden: yes
+ use_regex: yes
+ register: rhel8stig_020352_files
+
+ - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: 'umask.*0([0-6][0-6])'
+ state: absent
+ with_items:
+ - "{{ rhel8stig_020352_files.files }}"
+ when: rhel8stig_020352_files.matched > 0
+ when:
+ - rhel_08_020352
+ tags:
+ - RHEL-08-020352
+ - umask
+
+- name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells."
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^UMASK|^umask'
+ line: "UMASK 077"
+ with_items:
+ - /etc/bashrc
+ - /etc/csh.cshrc
+ when:
+ - rhel_08_020353
+ tags:
+ - RHEL-08-020353
+ - umask
+
+- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv' }
+ - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv' }
+ - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv' }
+ - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv' }
+ notify: restart auditd
+ when:
+ - rhel_08_030000
+ tags:
+ - RHEL-08-030000
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8."
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^cron.*'
+ line: 'cron.* /var/log/cron'
+ when:
+ - rhel_08_030010
+ tags:
+ - RHEL-08-030010
+ - cron
+
+- name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^action_mail_acct ='
+ line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}"
+ register: rhel_08_030020_action_mail_acct_result
+ failed_when:
+ - rhel_08_030020_action_mail_acct_result is failed
+ - rhel_08_030020_action_mail_acct_result.rc != 257
+ when:
+ - rhel_08_030020
+ tags:
+ - RHEL-08-030020
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."
+ lineinfile:
+ path: /etc/aliases
+ regexp: '^postmaster:'
+ line: 'postmaster: root'
+ when:
+ - rhel_08_030030
+ tags:
+ - RHEL-08-030030
+ - aliases
+
+- name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^disk_error_action ='
+ line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}"
+ when:
+ - rhel_08_030040
+ tags:
+ - RHEL-08-030040
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^max_log_file_action ='
+ line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}"
+ when:
+ - rhel_08_030050
+ tags:
+ - RHEL-08-030050
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^disk_full_action ='
+ line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}"
+ when:
+ - rhel_08_030060
+ tags:
+ - RHEL-08-030060
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^local_events ='
+ line: "local_events = yes"
+ when:
+ - rhel_08_030061
+ tags:
+ - RHEL-08-030061
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^name_format ='
+ line: "name_format = hostname"
+ notify: restart auditd
+ when:
+ - rhel_08_030062
+ tags:
+ - RHEL-08-030062
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."
+ lineinfile:
+ path: "{{ rhel_08_030070_audit_log_file.stdout }}"
+ regexp: '^log_group ='
+ line: "log_group = root"
+ mode: 0600
+ when:
+ - rhel_08_030070
+ tags:
+ - RHEL-08-030070
 # ===========below here is old===========
 # - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date."
 # dnf:
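Review bot: The RHEL-08-020353 task writes `UMASK 077` into /etc/bashrc and /etc/csh.cshrc, but that is a login.defs directive, not a shell builtin: every interactive bash/csh start-up will print an unknown-command error and the umask is never changed, and the column-anchored `^UMASK|^umask` will not match the indented `umask 002`/`umask 022` lines the stock RHEL /etc/bashrc carries inside its if/else (as far as I recall), so the permissive value stays in effect while the STIG `grep -i umask` check still fails. Change it to `regexp: '^\s*umask\s'` and `line: "umask 077"`, and note lineinfile only rewrites the last match, so either verify both branches in /etc/bashrc end up at 077 or append a single `umask 077` after the block. The RHEL-08-030070 task also looks wrong: it runs lineinfile against `rhel_08_030070_audit_log_file.stdout` (presumably the audit log path collected in prelim), so `log_group = root` is appended to the audit log itself rather than to /etc/audit/auditd.conf; put the `log_group` key into auditd.conf and apply `mode: '0600'` to the log with a separate `file:` task, quoting the mode so YAML 1.1 does not reinterpret the octal. Smaller points in the same hunk: the 020352 regexp `umask.*0([0-6][0-6])` leaves `umask 027`, `007` and `070` in place even though they are less restrictive than 077, and the auditd.conf edits in 030040 through 030061 lack the `notify: restart auditd` that 030062 has, so they do not take effect until something else restarts the daemon.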
@@ -4802,110 +4973,110 @@ # - RHEL-08-020350 # - ssh -- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv' } - - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv' } - - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv' } - - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv' } - notify: restart auditd - when: - - rhel_08_030000 - tags: - - RHEL-08-030000 - - auditd +# - name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv' } +# - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv' } +# - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv' } +# - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv' } +# notify: restart auditd +# when: +# - rhel_08_030000 +# tags: +# - RHEL-08-030000 +# - auditd -- name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8." - lineinfile: - path: /etc/rsyslog.conf - regexp: '^cron.*' - line: 'cron.* /var/log/cron' - when: - - rhel_08_030010 - tags: - - RHEL-08-030010 - - cron +# - name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8." +# lineinfile: +# path: /etc/rsyslog.conf +# regexp: '^cron.*' +# line: 'cron.* /var/log/cron' +# when: +# - rhel_08_030010 +# tags: +# - RHEL-08-030010 +# - cron -- name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." 
- lineinfile: - path: /etc/audit/auditd.conf - regexp: '^action_mail_acct =' - line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}" - register: rhel_08_030020_action_mail_acct_result - failed_when: - - rhel_08_030020_action_mail_acct_result is failed - - rhel_08_030020_action_mail_acct_result.rc != 257 - when: - - rhel_08_030020 - tags: - - RHEL-08-030020 - - auditd +# - name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." +# lineinfile: +# path: /etc/audit/auditd.conf +# regexp: '^action_mail_acct =' +# line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}" +# register: rhel_08_030020_action_mail_acct_result +# failed_when: +# - rhel_08_030020_action_mail_acct_result is failed +# - rhel_08_030020_action_mail_acct_result.rc != 257 +# when: +# - rhel_08_030020 +# tags: +# - RHEL-08-030020 +# - auditd -- name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure." - lineinfile: - path: /etc/aliases - regexp: '^postmaster:' - line: 'postmaster: root' - when: - - rhel_08_030030 - tags: - - RHEL-08-030030 - - aliases +# - name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure." +# lineinfile: +# path: /etc/aliases +# regexp: '^postmaster:' +# line: 'postmaster: root' +# when: +# - rhel_08_030030 +# tags: +# - RHEL-08-030030 +# - aliases -- name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs." 
- lineinfile: - path: /etc/audit/auditd.conf - regexp: '^disk_error_action =' - line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}" - when: - - rhel_08_030040 - tags: - - RHEL-08-030040 - - auditd +# - name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs." +# lineinfile: +# path: /etc/audit/auditd.conf +# regexp: '^disk_error_action =' +# line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}" +# when: +# - rhel_08_030040 +# tags: +# - RHEL-08-030040 +# - auditd -- name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^max_log_file_action =' - line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" - when: - - rhel_08_030050 - tags: - - RHEL-08-030050 - - auditd +# - name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." +# lineinfile: +# path: /etc/audit/auditd.conf +# regexp: '^max_log_file_action =' +# line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" +# when: +# - rhel_08_030050 +# tags: +# - RHEL-08-030050 +# - auditd -- name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^disk_full_action =' - line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}" - when: - - rhel_08_030060 - tags: - - RHEL-08-030060 - - auditd +# - name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full." 
+# lineinfile: +# path: /etc/audit/auditd.conf +# regexp: '^disk_full_action =' +# line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}" +# when: +# - rhel_08_030060 +# tags: +# - RHEL-08-030060 +# - auditd -- name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | Get audit log file" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " - changed_when: false - failed_when: false - register: rhel_08_030070_audit_log_file +# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access." +# block: +# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | Get audit log file" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " +# changed_when: false +# failed_when: false +# register: rhel_08_030070_audit_log_file - - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | Set permissions on log file" - file: - path: "{{ rhel_08_030070_audit_log_file.stdout }}" - mode: 0600 - when: rhel_08_030070_audit_log_file.stdout != "" - when: - - rhel_08_030070 - tags: - - RHEL-08-030070 +# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. 
| Set permissions on log file" +# file: +# path: "{{ rhel_08_030070_audit_log_file.stdout }}" +# mode: 0600 +# when: rhel_08_030070_audit_log_file.stdout != "" +# when: +# - rhel_08_030070 +# tags: +# - RHEL-08-030070 - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." block: From c6725715356b611516dd7c6eb5de69f6be9243f8 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 13 Jan 2021 11:06:07 -0500 Subject: [PATCH 10/15] cat2 synced with release of STIG 030080 - 030317 Signed-off-by: George Nalen --- defaults/main.yml | 62 +- tasks/fix-cat2.yml | 1436 +++++++++++++++++++++++++++++--------------- 2 files changed, 995 insertions(+), 503 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 95b5f642..dd4df772 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
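Review bot: Commenting out RHEL-08-030000, 030010 and 030020 leaves no replacement visible in this diff, unlike 030030–030070 whose new tasks appear earlier in the file; if those three were not re-added above the `# ===========below here is old===========` marker, the execve `uid!=euid`/`gid!=egid` privilege-escalation audit rules, cron logging and the `action_mail_acct` alert silently drop out of the role while their `rhel_08_0300x0` toggles presumably remain in defaults. Roughly 110 lines of commented-out tasks are also kept as dead text; git history already preserves them, so deleting the block (or at least the superseded ones) would keep the file reviewable. If 030000 is intentionally deferred, say so at the top of the block, e.g. `# TODO: RHEL-08-030000/030010/030020 not yet re-implemented against the released STIG`.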
@@ -236,31 +236,43 @@ rhel_08_030060: true rhel_08_030061: true rhel_08_030062: true rhel_08_030070: true -rhel_08_030080: false -rhel_08_030090: false -rhel_08_030100: false -rhel_08_030110: false -### When logs folder is set to 600 per STIG auditd fails to start. Need to figure out perms -rhel_08_030120: false -rhel_08_030130: false -rhel_08_030140: false -rhel_08_030150: false -rhel_08_030160: false -rhel_08_030170: false -rhel_08_030180: false -rhel_08_030190: false -rhel_08_030200: false -rhel_08_030210: false -rhel_08_030220: false -rhel_08_030230: false -rhel_08_030240: false -rhel_08_030250: false -rhel_08_030260: false -rhel_08_030270: false -rhel_08_030280: false -rhel_08_030290: false -rhel_08_030300: false -rhel_08_030310: false +rhel_08_030080: true +rhel_08_030090: true +rhel_08_030100: true +rhel_08_030110: true +rhel_08_030120: true +rhel_08_030121: true +rhel_08_030122: true +rhel_08_030130: true +rhel_08_030140: true +rhel_08_030150: true +rhel_08_030160: true +rhel_08_030170: true +rhel_08_030171: true +rhel_08_030172: true +rhel_08_030180: true +rhel_08_030190: true +rhel_08_030200: true +rhel_08_030210: true +rhel_08_030220: true +rhel_08_030230: true +rhel_08_030240: true +rhel_08_030250: true +rhel_08_030260: true +rhel_08_030270: true +rhel_08_030280: true +rhel_08_030290: true +rhel_08_030300: true +rhel_08_030301: true +rhel_08_030302: true +rhel_08_030310: true +rhel_08_030311: true +rhel_08_030312: true +rhel_08_030313: true +rhel_08_030314: true +rhel_08_030315: true +rhel_08_030316: true +rhel_08_030317: true rhel_08_030320: false rhel_08_030330: false rhel_08_030340: false diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index b05108c1..43102c1a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
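Review bot: `rhel_08_030121: true` enables by default the task that writes `-e 2` into the audit rules; once that flag is loaded the audit configuration is locked until reboot, so every later rule task in this role and its `restart auditd` handler can only take effect after a reboot on an already-hardened host. The task as written also targets `/etc/audit/audit.rules`, which augenrules regenerates from `rules.d`, so the setting may not even persist between reloads. A default of `false` with an explanation, e.g. `rhel_08_030121: false  # writes -e 2 (immutable rules); later rule changes need a reboot`, or gating it on `rhel8stig_disruption_high` as other disruptive tasks appear to be, would be safer. The removed note about auditd failing to start with a 0600 log directory is lost here while the 030120 task still carries a conflicting "set to 750" comment next to `mode: 0700`; keep one accurate comment in one place.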
@@ -2943,10 +2943,10 @@ - umask - name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells." - lineinfile: + replace: path: "{{ item }}" - regexp: '^UMASK|^umask' - line: "UMASK 077" + regexp: 'umask\s\d\d\d' + replace: "umask 077" with_items: - /etc/bashrc - /etc/csh.cshrc @@ -3068,7 +3068,7 @@ - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access." lineinfile: - path: "{{ rhel_08_030070_audit_log_file.stdout }}" + path: /etc/audit/auditd.conf regexp: '^log_group =' line: "log_group = root" mode: 0600 
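Review bot: `regexp: 'umask\s\d\d\d'` matches only the first three digits, so a four-digit value such as `umask 0022` is rewritten to `umask 0772`, and because `replace` edits existing matches only, a file with no umask line now gets nothing (the old `lineinfile` would have appended one), leaving RHEL-08-020353 silently unmet. The pattern is also unanchored, so it rewrites commented-out examples as readily as the live statement. Consider `regexp: '^(\s*)umask\s+\d+'` with `replace: '\1umask 077'`, followed by a `lineinfile` with `line: umask 077` for files where the replace matched nothing.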
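Review bot: With `path` now pointing at `/etc/audit/auditd.conf`, the `mode: 0600` on the line below tightens the permissions of auditd.conf itself rather than of the audit log that RHEL-08-030070 is about, so the control's log-file check is still not addressed by this task. The `log_group = root` line it writes is the same edit the 030090 task in the next hunk makes, so the two overlap. Suggest dropping `mode` here and setting the log permission explicitly, e.g. reusing the `log_file` lookup from the 030080 block and adding a `file:` task with `path: "{{ rhel8stig_030080_audit_log_file.stdout }}"` and `mode: "0600"`. The task starts inside this hunk but its `when`/`tags` lines fall outside it.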
@@ -3076,174 +3076,654 @@ - rhel_08_030070 tags: - RHEL-08-030070 -# ===========below here is old=========== -# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." -# dnf: -# name: "*" -# state: latest -# when: -# - not system_is_ec2 -# - rhel_08_010010 -# tags: -# - RHEL-08-010010 -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" -# block: -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^.*banner' -# line: 'Banner /etc/issue' +- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." + block: + - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file" + shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " + changed_when: false + failed_when: false + register: rhel8stig_030080_audit_log_file -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. 
| Set banner message"" -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" -# copy: -# dest: /etc/issue -# content: "{{ rhel8stig_logon_banner }}" -# owner: root -# group: root -# mode: '0644' -# notify: restart sshd -# when: -# # - not system_is_ec2 -# - rhel_08_010040 or -# rhel_08_010060 -# tags: -# - RHEL-08-010040 -# - RHEL-08-010060 + - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner" + file: + path: "{{ rhel8stig_030080_audit_log_file.stdout }}" + owner: root + when: rhel8stig_030080_audit_log_file.stdout != "" + when: + - rhel_08_030080 + tags: + - RHEL-08-030080 -# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." -# copy: -# dest: /etc/dconf/db/local.d/01-banner-message -# content: | -# [org/gnome/login-screen] -# banner-message-enable=true -# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' -# mode: '0644' -# owner: root -# group: root -# vars: -# newline: "\n" -# notify: dconf update -# when: -# - rhel_08_010050 -# - rhel8stig_dconf_available -# tags: -# - RHEL-08-010050 +- name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group" + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^log_group' + line: "log_group = root" + when: + - rhel_08_030090 + tags: + - RHEL-08-030090 -# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." 
-# lineinfile: -# path: /etc/rsyslog.d/50-default.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# create: yes -# mode: '0644' -# notify: restart rsyslog -# with_items: -# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } -# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } -# when: -# - rhel_08_010070 -# tags: -# - RHEL-08-010070 +- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." + block: + - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory" + shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' + changed_when: false + failed_when: false + register: rhel_08_030100_audit_log_dir -# - name: "MEDIUM | RHEL-08-010080 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^Ciphers.*' -# line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr -# insertafter: '# Ciphers and keying' -# notify: restart sshd -# when: -# - rhel_08_010080 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010080 -# - ssh + - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner" + file: + path: "{{ rhel_08_030100_audit_log_dir.stdout }}" + owner: root + state: directory + when: rhel_08_030100_audit_log_dir.stdout != "" + when: + - rhel_08_030100 + tags: + - RHEL-08-030100 -# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. 
-# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." -# block: -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" -# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem -# changed_when: false -# failed_when: false -# register: rhel_08_010090_certs_list +- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." + block: + - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory" + shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' + changed_when: false + failed_when: false + register: rhel_08_030110_audit_log_dir -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" -# debug: -# msg: -# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" -# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" -# - "{{ rhel_08_010090_certs_list.stdout_lines }}" -# when: -# - rhel_08_010090 -# tags: -# - RHEL-08-010090 + - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. 
| Set audit log dir group" + file: + path: "{{ rhel_08_030110_audit_log_dir.stdout }}" + group: root + state: directory + when: rhel_08_030110_audit_log_dir.stdout != "" + when: + - rhel_08_030110 + tags: + - RHEL-08-030110 -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." -# block: -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" -# file: -# path: "{{ rhel8stig_path_to_sshkey }}" -# state: directory -# mode: '0700' +- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access." + block: + - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. | Get audit log directory" + shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' + changed_when: false + failed_when: false + register: rhel_08_030120_audit_log_dir -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" -# openssh_keypair: -# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" -# when: -# - rhel_08_010100 -# tags: -# - RHEL-08-010100 + # I have this item set to 750, setting to 600 will not allow auditd to work + - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. 
| Set audit log dir perms" + file: + path: "{{ rhel_08_030120_audit_log_dir.stdout }}" + mode: 0700 + state: directory + when: rhel_08_030120_audit_log_dir.stdout != "" + when: + - rhel_08_030120 + tags: + - RHEL-08-030120 -# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." -# lineinfile: -# path: /etc/login.defs -# regexp: '^ENCRYPT_METHOD.*' -# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" -# when: -# - rhel_08_010110 -# tags: -# - RHEL-08-010110 -# - login +- name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change." + lineinfile: + path: /etc/audit/audit.rules + regexp: '^-e ' + line: "-e 2" + when: + - rhel_08_030121 + tags: + - RHEL-08-030121 + - auditd -# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." -# block: -# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" -# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' -# changed_when: false -# failed_when: false -# register: rhel_08_010120_non_fips_hashed_accounts +- name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^--loginuid-' + line: "--loginuid-immutable" + when: + - rhel_08_030122 + tags: + - RHEL-08-030122 + - auditd -# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. 
| Lock user not using FIPS 140-2 hashing" -# command: "passwd -l {{ item }}" -# with_items: -# -"{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" -# when: -# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" +- name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/shadow' + line: '-w /etc/shadow -p wa -k identity' + notify: restart auditd + when: + - rhel_08_030130 + tags: + - RHEL-08-030130 + - auditd -# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" -# debug: -# msg: -# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" -# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" -# when: -# - not rhel8stig_disruption_high -# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" -# when: -# - rhel_08_010120 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010120 -# - disruption_high +- name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/security/opasswd' + line: -w /etc/security/opasswd -p wa -k identity + notify: restart auditd + when: + - rhel_08_030140 + tags: + - RHEL-08-030140 + - auditd -# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. 
| Add rounds argument" +- name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/passwd' + line: -w /etc/passwd -p wa -k identity + notify: restart auditd + when: + - rhel_08_030150 + tags: + - RHEL-08-030150 + - auditd + +- name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/gshadow' + line: -w /etc/gshadow -p wa -k identity + notify: restart auditd + when: + - rhel_08_030160 + tags: + - RHEL-08-030160 + - auditd + +- name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/group' + line: -w /etc/group -p wa -k identity + notify: restart auditd + when: + - rhel_08_030170 + tags: + - RHEL-08-030170 + - auditd + +- name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/sudoers ' + line: -w /etc/sudoers -p wa -k identity + notify: restart auditd + when: + - rhel_08_030171 + tags: + - RHEL-08-030171 + - auditd + +- name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/sudoers.d/' + line: -w /etc/sudoers.d/ -p wa -k identity + notify: restart auditd + when: + - rhel_08_030172 + tags: + - RHEL-08-030172 + - auditd + +- name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." + block: + - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit" + dnf: + name: audit + state: present + + - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service" + service: + name: auditd + enabled: yes + state: started + when: + - rhel_08_030180 + tags: + - rhel_08_030180 + - dnf + - auditd + +- name: "MEDIUM | RHEL-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-a always,exit -F path=/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' + line: '-a always,exit -F path=/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' + notify: restart auditd + when: + - rhel_08_030190 + tags: + - RHEL-08-030190 + - auditd + +- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod + - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod + notify: restart auditd + when: + - rhel_08_030200 + tags: + - RHEL-08-030200 + - auditd + +- name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod + - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod + notify: restart auditd + when: + - rhel_08_030210 + tags: + - RHEL-08-030210 + - auditd + +- name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call." 
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030220
+ tags:
+ - RHEL-08-030220
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030230
+ tags:
+ - RHEL-08-030230
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030240
+ tags:
+ - RHEL-08-030240
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
+ notify: restart auditd
+ when:
+ - rhel_08_030250
+ tags:
+ - RHEL-08-030250
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030260
+ tags:
+ - RHEL-08-030260
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030270
+ tags:
+ - RHEL-08-030270
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+ notify: restart auditd
+ when:
+ - rhel_08_030280
+ tags:
+ - RHEL-08-030280
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
+ notify: restart auditd
+ when:
+ - rhel_08_030290
+ tags:
+ - RHEL-08-030290
+ - auditd
+
+- name: |
+ "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
+ "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ notify: restart auditd
+ when:
+ - rhel_08_030300 or
+ rhel_08_030302
+ tags:
+ - RHEL-08-030300
+ - RHEL-08-030302
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ notify: restart auditd
+ when:
+ - rhel_08_030301
+ tags:
+ - RHEL-08-030301
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030310
+ tags:
+ - RHEL-08-030310
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030311
+ tags:
+ - RHEL-08-030311
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030312
+ tags:
+ - RHEL-08-030312
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030313
+ tags:
+ - RHEL-08-030313
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030314
+ tags:
+ - RHEL-08-030314
+ - auditd
+
+- name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030315
+ tags:
+ - RHEL-08-030315
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update + notify: restart auditd + when: + - rhel_08_030316 + tags: + - RHEL-08-030316 + - auditd + +- name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update + notify: restart auditd + when: + - rhel_08_030317 + tags: + - RHEL-08-030317 + - auditd +# ===========below here is old=========== +# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." +# dnf: +# name: "*" +# state: latest +# when: +# - not system_is_ec2 +# - rhel_08_010010 +# tags: +# - RHEL-08-010010 + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" +# block: +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. 
| Uncomment banner keyword and set banner path"" +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^.*banner' +# line: 'Banner /etc/issue' + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" +# copy: +# dest: /etc/issue +# content: "{{ rhel8stig_logon_banner }}" +# owner: root +# group: root +# mode: '0644' +# notify: restart sshd +# when: +# # - not system_is_ec2 +# - rhel_08_010040 or +# rhel_08_010060 +# tags: +# - RHEL-08-010040 +# - RHEL-08-010060 + +# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." +# copy: +# dest: /etc/dconf/db/local.d/01-banner-message +# content: | +# [org/gnome/login-screen] +# banner-message-enable=true +# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' +# mode: '0644' +# owner: root +# group: root +# vars: +# newline: "\n" +# notify: dconf update +# when: +# - rhel_08_010050 +# - rhel8stig_dconf_available +# tags: +# - RHEL-08-010050 + +# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." 
+# lineinfile: +# path: /etc/rsyslog.d/50-default.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# create: yes +# mode: '0644' +# notify: restart rsyslog +# with_items: +# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } +# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } +# when: +# - rhel_08_010070 +# tags: +# - RHEL-08-010070 + +# - name: "MEDIUM | RHEL-08-010080 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^Ciphers.*' +# line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr +# insertafter: '# Ciphers and keying' +# notify: restart sshd +# when: +# - rhel_08_010080 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010080 +# - ssh + +# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." +# block: +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" +# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem +# changed_when: false +# failed_when: false +# register: rhel_08_010090_certs_list + +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" +# debug: +# msg: +# - "WARNING!!!!The certs below are the ones applied to this system. 
Please review and confirm they are the latest issued from the DoD" +# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" +# - "{{ rhel_08_010090_certs_list.stdout_lines }}" +# when: +# - rhel_08_010090 +# tags: +# - RHEL-08-010090 + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." +# block: +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" +# file: +# path: "{{ rhel8stig_path_to_sshkey }}" +# state: directory +# mode: '0700' + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" +# openssh_keypair: +# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" +# when: +# - rhel_08_010100 +# tags: +# - RHEL-08-010100 + +# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." +# lineinfile: +# path: /etc/login.defs +# regexp: '^ENCRYPT_METHOD.*' +# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" +# when: +# - rhel_08_010110 +# tags: +# - RHEL-08-010110 +# - login + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." +# block: +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" +# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" 
| grep -v ":$6$" | cut -f1 -d:' +# changed_when: false +# failed_when: false +# register: rhel_08_010120_non_fips_hashed_accounts + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" +# command: "passwd -l {{ item }}" +# with_items: +# -"{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" + +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" +# debug: +# msg: +# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" +# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - not rhel8stig_disruption_high +# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" +# when: +# - rhel_08_010120 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010120 +# - disruption_high + +# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" # pamd: # name: "{{ item }}" # type: password 
@@ -5078,355 +5558,355 @@ # tags: # - RHEL-08-030070 -- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " - changed_when: false - failed_when: false - register: rhel_08_030080_audit_log_file +# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." +# block: +# - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " +# changed_when: false +# failed_when: false +# register: rhel_08_030080_audit_log_file - - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner" - file: - path: "{{ rhel_08_030080_audit_log_file.stdout }}" - owner: root - when: rhel_08_030080_audit_log_file.stdout != "" - when: - - rhel_08_030080 - tags: - - RHEL-08-030080 +# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner" +# file: +# path: "{{ rhel_08_030080_audit_log_file.stdout }}" +# owner: root +# when: rhel_08_030080_audit_log_file.stdout != "" +# when: +# - rhel_08_030080 +# tags: +# - RHEL-08-030080 -- name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030090 | AUDIT | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. 
| Get audit log file" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " - changed_when: false - failed_when: false - register: rhel_08_030090_audit_log_file +# - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access." +# block: +# - name: "MEDIUM | RHEL-08-030090 | AUDIT | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Get audit log file" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " +# changed_when: false +# failed_when: false +# register: rhel_08_030090_audit_log_file - - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group" - file: - path: "{{ rhel_08_030090_audit_log_file.stdout }}" - group: root - when: rhel_08_030090_audit_log_file.stdout != "" - when: - - rhel_08_030090 - tags: - - RHEL-08-030090 +# - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group" +# file: +# path: "{{ rhel_08_030090_audit_log_file.stdout }}" +# group: root +# when: rhel_08_030090_audit_log_file.stdout != "" +# when: +# - rhel_08_030090 +# tags: +# - RHEL-08-030090 -- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - changed_when: false - failed_when: false - register: rhel_08_030100_audit_log_dir +# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." 
+# block: +# - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' +# changed_when: false +# failed_when: false +# register: rhel_08_030100_audit_log_dir - - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner" - file: - path: "{{ rhel_08_030100_audit_log_dir.stdout }}" - owner: root - state: directory - when: rhel_08_030100_audit_log_dir.stdout != "" - when: - - rhel_08_030100 - tags: - - RHEL-08-030100 +# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner" +# file: +# path: "{{ rhel_08_030100_audit_log_dir.stdout }}" +# owner: root +# state: directory +# when: rhel_08_030100_audit_log_dir.stdout != "" +# when: +# - rhel_08_030100 +# tags: +# - RHEL-08-030100 -- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - changed_when: false - failed_when: false - register: rhel_08_030110_audit_log_dir +# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." +# block: +# - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. 
| Get audit log directory" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' +# changed_when: false +# failed_when: false +# register: rhel_08_030110_audit_log_dir - - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group" - file: - path: "{{ rhel_08_030110_audit_log_dir.stdout }}" - group: root - state: directory - when: rhel_08_030110_audit_log_dir.stdout != "" - when: - - rhel_08_030110 - tags: - - RHEL-08-030110 +# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group" +# file: +# path: "{{ rhel_08_030110_audit_log_dir.stdout }}" +# group: root +# state: directory +# when: rhel_08_030110_audit_log_dir.stdout != "" +# when: +# - rhel_08_030110 +# tags: +# - RHEL-08-030110 -- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0600 or less permissive to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0600 or less permissive to prevent unauthorized read access. | Get audit log directory" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - changed_when: false - failed_when: false - register: rhel_08_030120_audit_log_dir +# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0600 or less permissive to prevent unauthorized read access." +# block: +# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0600 or less permissive to prevent unauthorized read access. 
| Get audit log directory" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' +# changed_when: false +# failed_when: false +# register: rhel_08_030120_audit_log_dir - # I have this item set to 750, setting to 600 will not allow auditd to work - - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0600 or less permissive to prevent unauthorized read access. | Set audit log dir perms" - file: - path: "{{ rhel_08_030120_audit_log_dir.stdout }}" - mode: 0750 - state: directory - when: rhel_08_030120_audit_log_dir.stdout != "" - when: - - rhel_08_030120 - tags: - - RHEL-08-030120 +# # I have this item set to 750, setting to 600 will not allow auditd to work +# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0600 or less permissive to prevent unauthorized read access. | Set audit log dir perms" +# file: +# path: "{{ rhel_08_030120_audit_log_dir.stdout }}" +# mode: 0750 +# state: directory +# when: rhel_08_030120_audit_log_dir.stdout != "" +# when: +# - rhel_08_030120 +# tags: +# - RHEL-08-030120 -- name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/shadow' - line: '-w /etc/shadow -p wa -k identity' - notify: restart auditd - when: - - rhel_08_030130 - tags: - - RHEL-08-030130 - - auditd +# - name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/shadow' +# line: '-w /etc/shadow -p wa -k identity' +# notify: restart auditd +# when: +# - rhel_08_030130 +# tags: +# - RHEL-08-030130 +# - auditd -- name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/security/opasswd' - line: -w /etc/security/opasswd -p wa -k identity - notify: restart auditd - when: - - rhel_08_030140 - tags: - - RHEL-08-030140 - - auditd +# - name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/security/opasswd' +# line: -w /etc/security/opasswd -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030140 +# tags: +# - RHEL-08-030140 +# - auditd -- name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/passwd' - line: -w /etc/passwd -p wa -k identity - notify: restart auditd - when: - - rhel_08_030150 - tags: - - RHEL-08-030150 - - auditd +# - name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/passwd' +# line: -w /etc/passwd -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030150 +# tags: +# - RHEL-08-030150 +# - auditd -- name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/gshadow' - line: -w /etc/gshadow -p wa -k identity - notify: restart auditd - when: - - rhel_08_030160 - tags: - - RHEL-08-030160 - - auditd +# - name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/gshadow' +# line: -w /etc/gshadow -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030160 +# tags: +# - RHEL-08-030160 +# - auditd -- name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/group' - line: -w /etc/group -p wa -k identity - notify: restart auditd - when: - - rhel_08_030170 - tags: - - RHEL-08-030170 - - auditd +# - name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/group' +# line: -w /etc/group -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030170 +# tags: +# - RHEL-08-030170 +# - auditd -- name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." - block: - - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit" - dnf: - name: audit - state: present +# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." +# block: +# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit" +# dnf: +# name: audit +# state: present - - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service" - service: - name: auditd - enabled: yes - state: started - when: - - rhel_08_030180 - tags: - - rhel_08_030180 - - dnf - - auditd +# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. 
| Enable and start service" +# service: +# name: auditd +# enabled: yes +# state: started +# when: +# - rhel_08_030180 +# tags: +# - rhel_08_030180 +# - dnf +# - auditd -- name: "MEDIUM | RHEL-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-a always,exit -F path=/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' - line: '-a always,exit -F path=/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' - notify: restart auditd - when: - - rhel_08_030190 - tags: - - RHEL-08-030190 - - auditd +# - name: "MEDIUM | RHEL-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-a always,exit -F path=/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' +# line: '-a always,exit -F path=/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' +# notify: restart auditd +# when: +# - rhel_08_030190 +# tags: +# - RHEL-08-030190 +# - auditd -- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call." 
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030200
- tags:
- - RHEL-08-030200
- - auditd
+# - name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
+# - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030200
+# tags:
+# - RHEL-08-030200
+# - auditd
-- name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030210
- tags:
- - RHEL-08-030210
- - auditd
+# - name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
+# - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030210
+# tags:
+# - RHEL-08-030210
+# - auditd
-- name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030220
- tags:
- - RHEL-08-030220
- - auditd
+# - name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
+# - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030220
+# tags:
+# - RHEL-08-030220
+# - auditd
-- name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030230
- tags:
- - RHEL-08-030230
- - auditd
+# - name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
+# - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030230
+# tags:
+# - RHEL-08-030230
+# - auditd
-- name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030240 - tags: - - RHEL-08-030240 - - auditd +# - name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030240 +# tags: +# - RHEL-08-030240 +# - auditd -- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage - notify: restart auditd - when: - - rhel_08_030250 - tags: - - RHEL-08-030250 - - auditd +# - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage +# notify: restart auditd +# when: +# - rhel_08_030250 +# tags: +# - RHEL-08-030250 +# - auditd -- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030260 - tags: - - RHEL-08-030260 - - auditd +# - name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030260 +# tags: +# - RHEL-08-030260 +# - auditd -- name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030270 - tags: - - RHEL-08-030270 - - auditd +# - name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030270 +# tags: +# - RHEL-08-030270 +# - auditd -- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh - notify: restart auditd - when: - - rhel_08_030280 - tags: - - RHEL-08-030280 - - auditd +# - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh +# notify: restart auditd +# when: +# - rhel_08_030280 +# tags: +# - RHEL-08-030280 +# - auditd -- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd - notify: restart auditd - when: - - rhel_08_030290 - tags: - - RHEL-08-030290 - - auditd +# - name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd +# notify: restart auditd +# when: +# - rhel_08_030290 +# tags: +# - RHEL-08-030290 +# - auditd -- name: "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - notify: restart auditd - when: - - rhel_08_030300 - tags: - - RHEL-08-030300 - - auditd +# - name: "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# notify: restart auditd +# when: +# - rhel_08_030300 +# tags: +# - RHEL-08-030300 +# - auditd -- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030310 - tags: - - RHEL-08-030310 - - auditd +# - name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record." 
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+# notify: restart auditd
+# when:
+# - rhel_08_030310
+# tags:
+# - RHEL-08-030310
+# - auditd
 - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
 lineinfile:
From e420e39b05de7c1ccb677e52b39efe425bc59b2f Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 13 Jan 2021 17:18:36 -0500
Subject: [PATCH 11/15] cat2 synced with release of STIG 030320 - 040160

Signed-off-by: George Nalen
---
 defaults/main.yml | 141 ++-
 tasks/fix-cat2.yml | 2798 +++++++++++++++++++++++++++++++-------------
 tasks/prelim.yml | 16 +-
 3 files changed, 2057 insertions(+), 898 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index dd4df772..510ca716 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -273,64 +273,87 @@ rhel_08_030314: true
 rhel_08_030315: true
 rhel_08_030316: true
 rhel_08_030317: true
-rhel_08_030320: false
-rhel_08_030330: false
-rhel_08_030340: false
-rhel_08_030350: false
-rhel_08_030360: false
-rhel_08_030370: false
-rhel_08_030380: false
-rhel_08_030390: false
-rhel_08_030400: false
-rhel_08_030410: false
-rhel_08_030420: false
-rhel_08_030430: false
-rhel_08_030440: false
-rhel_08_030450: false
-rhel_08_030460: false
-rhel_08_030470: false
-rhel_08_030480: false
-rhel_08_030490: false
-rhel_08_030500: false
-rhel_08_030510: false
-rhel_08_030520: false
-rhel_08_030530: false
-rhel_08_030540: false
-rhel_08_030550: false
-rhel_08_030560: false
-rhel_08_030570: false
-rhel_08_030580: false
-rhel_08_030590: false
-rhel_08_030600: false
-rhel_08_030610: false
-rhel_08_030620: false
-rhel_08_030630: false
-rhel_08_030640: false
+rhel_08_030320: true
+rhel_08_030330: true
+rhel_08_030340: true
+rhel_08_030350: true
+rhel_08_030360: true
+rhel_08_030361: true
+rhel_08_030362: true
+rhel_08_030363: true
+rhel_08_030364: true
+rhel_08_030365: true
+rhel_08_030370: true
+rhel_08_030380: true
+rhel_08_030390: true
+rhel_08_030400: true
+rhel_08_030410: true
+rhel_08_030420: true
+rhel_08_030430: true
+rhel_08_030440: true
+rhel_08_030450: true
+rhel_08_030460: true
+rhel_08_030470: true
+rhel_08_030480: true
+rhel_08_030490: true
+rhel_08_030500: true
+rhel_08_030510: true
+rhel_08_030520: true
+rhel_08_030530: true
+rhel_08_030540: true
+rhel_08_030550: true
+rhel_08_030560: true
+rhel_08_030570: true
+rhel_08_030580: true
+rhel_08_030590: true
+rhel_08_030600: true
+rhel_08_030610: true
+rhel_08_030620: true
+rhel_08_030630: true
+rhel_08_030640: true
 # !!!!!!!!!---------- handlers are overwriting the config change for this item
-rhel_08_030650: false
-rhel_08_030660: false
-rhel_08_030670: false
-rhel_08_030680: false
-rhel_08_030690: false
-rhel_08_030700: false
-rhel_08_030710: false
-rhel_08_030720: false
-rhel_08_030730: false
-rhel_08_030740: false
-rhel_08_040020: false
-rhel_08_040030: false
-rhel_08_040040: false
-rhel_08_040050: false
-rhel_08_040070: false
-rhel_08_040080: false
-rhel_08_040090: false
-rhel_08_040100: false
-rhel_08_040110: false
-rhel_08_040120: false
-rhel_08_040130: false
-rhel_08_040140: false
-rhel_08_040150: false
-rhel_08_040160: false
+rhel_08_030650: true
+rhel_08_030660: true
+rhel_08_030670: true
+rhel_08_030680: true
+rhel_08_030690: true
+rhel_08_030700: true
+rhel_08_030710: true
+rhel_08_030720: true
+rhel_08_030730: true
+rhel_08_030740: true
+rhel_08_040001: true
+rhel_08_040002: true
+rhel_08_040003: true
+rhel_08_040020: true
+rhel_08_040030: true
+# rhel_08_040040: false
+# rhel_08_040050: false
+rhel_08_040070: true
+rhel_08_040080: true
+rhel_08_040090: true
+rhel_08_040100: true
+rhel_08_040110: true
+rhel_08_040111: true
+rhel_08_040120: true
+rhel_08_040121: true
+rhel_08_040122: true
+rhel_08_040123: true
+rhel_08_040124: true
+rhel_08_040125: true
+rhel_08_040126: true
+rhel_08_040127: true
+rhel_08_040128: true
+rhel_08_040129: true
+rhel_08_040130: true
+rhel_08_040131: true
+rhel_08_040132: true
+rhel_08_040133: true
+rhel_08_040134: true
+rhel_08_040135: true
+rhel_08_040140: true
+rhel_08_040150: true
+rhel_08_040160: true
 rhel_08_040210: false
 rhel_08_040220: false
 rhel_08_040230: false
@@ -586,7 +609,9 @@ rhel8stig_login_defaults:
 create_home: 'yes'
 # RHEL-08-030690 uncomment and set the value to a remote IP address that can receive audit logs
-rhel8stig_audisp_remote_server: 10.10.10.10
+rhel8stig_remotelog_server:
+ server: 10.10.10.10
+ port: 9999
 # RHEL-08-030020
 rhel8stig_auditd_mail_acct: root
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 43102c1a..9cc4bf78 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
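Review bot: The new `rhel8stig_remotelog_server` default ships a live placeholder (`server: 10.10.10.10`, `port: 9999`) even though the comment directly above it says to "uncomment and set" the value, and the same file now flips `rhel_08_030690` to `true`; if the 030690 task (outside this hunk) consumes this mapping, a run with stock defaults would configure audit log forwarding to an address nobody controls instead of failing fast. Either keep the mapping commented out as the comment implies, or have the consuming task guard it, e.g. `assert: { that: rhel8stig_remotelog_server.server != '10.10.10.10', fail_msg: 'set rhel8stig_remotelog_server to your audit log receiver' }`. The rename from `rhel8stig_audisp_remote_server` also silently drops any value existing inventories set under the old name; a README deprecation note or a fallback such as `{{ rhel8stig_remotelog_server.server | default(rhel8stig_audisp_remote_server) }}` would keep them working. The context line `# !!!!!!!!!---------- handlers are overwriting the config change for this item` is left unresolved while every rule around it is switched on; it should either be fixed or at least say which rule it refers to.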
@@ -3556,6 +3556,1152 @@ tags: - RHEL-08-030317 - auditd + +- name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh + notify: restart auditd + when: + - rhel_08_030320 + tags: + - RHEL-08-030320 + - auditd + +- name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + notify: restart auditd + when: + - rhel_08_030330 + tags: + - RHEL-08-030330 + - auditd + +- name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check + notify: restart auditd + when: + - rhel_08_030340 + tags: + - RHEL-08-030340 + - auditd + +- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd + notify: restart auditd + when: + - rhel_08_030350 + tags: + - RHEL-08-030350 + - auditd + +- name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng + - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng + notify: restart auditd + when: + - rhel_08_030360 + tags: + - RHEL-08-030360 + - auditd + +- name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + notify: restart auditd + when: + - rhel_08_030361 + tags: + - RHEL-08-030361 + - auditd + +- name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + notify: restart auditd + when: + - rhel_08_030362 + tags: + - RHEL-08-030362 + - auditd + +- name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + notify: restart auditd + when: + - rhel_08_030363 + tags: + - RHEL-08-030363 + - auditd + +- name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + notify: restart auditd + when: + - rhel_08_030364 + tags: + - RHEL-08-030364 + - auditd + +- name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete + notify: restart auditd + when: + - rhel_08_030365 + tags: + - RHEL-08-030365 + - auditd + +- name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd + notify: restart auditd + when: + - rhel_08_030370 + tags: + - RHEL-08-030370 + - auditd + +- name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng + - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng + notify: restart auditd + when: + - rhel_08_030380 + tags: + - RHEL-08-030380 + - auditd + +- name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng + - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng + notify: restart auditd + when: + - rhel_08_030390 + tags: + - RHEL-08-030390 + - auditd + +- name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab + notify: restart auditd + when: + - rhel_08_030400 + tags: + - RHEL-08-030400 + - auditd + +- name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd + notify: restart auditd + when: + - rhel_08_030410 + tags: + - RHEL-08-030410 + - auditd + +- name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + notify: restart auditd + when: + - rhel_08_030420 + tags: + - RHEL-08-030420 + - auditd + +- name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + notify: restart auditd + when: + - rhel_08_030430 + tags: + - RHEL-08-030430 + - auditd + +- name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + notify: restart auditd + when: + - rhel_08_030440 + tags: + - RHEL-08-030440 + - auditd + +- name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + notify: restart auditd + when: + - rhel_08_030450 + tags: + - RHEL-08-030450 + - auditd + +- name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + notify: restart auditd + when: + - rhel_08_030460 + tags: + - RHEL-08-030460 + - auditd + +- name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access + notify: restart auditd + when: + - rhel_08_030470 + tags: + - RHEL-08-030470 + - auditd + +- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + notify: restart auditd + when: + - rhel_08_030480 + tags: + - RHEL-08-030480 + - auditd + +- name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + notify: restart auditd + when: + - rhel_08_030490 + tags: + - RHEL-08-030490 + - auditd + +- name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + notify: restart auditd + when: + - rhel_08_030500 + tags: + - RHEL-08-030500 + - auditd + +- name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + notify: restart auditd + when: + - rhel_08_030510 + tags: + - RHEL-08-030510 + - auditd + +- name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + notify: restart auditd + when: + - rhel_08_030520 + tags: + - RHEL-08-030520 + - auditd + +- name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + notify: restart auditd + when: + - rhel_08_030530 + tags: + - RHEL-08-030530 + - auditd + +- name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + notify: restart auditd + when: + - rhel_08_030540 + tags: + - RHEL-08-030540 + - auditd + +- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd + notify: restart auditd + when: + - rhel_08_030550 + tags: + - RHEL-08-030550 + - auditd + +- name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod + notify: restart auditd + when: + - rhel_08_030560 + tags: + - RHEL-08-030560 + - auditd + +- name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." 
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030570
+ tags:
+ - RHEL-08-030570
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
+ notify: restart auditd
+ when:
+ - rhel_08_030580
+ tags:
+ - RHEL-08-030580
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -w /var/log/faillock -p wa -k logins
+ notify: restart auditd
+ when:
+ - rhel_08_030590
+ tags:
+ - RHEL-08-030590
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -w /var/log/lastlog -p wa -k logins
+ notify: restart auditd
+ when:
+ - rhel_08_030600
+ tags:
+ - RHEL-08-030600
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
+ file:
+ path: "{{ item }}"
+ mode: 0640
+ with_items:
+ - /etc/audit/rules.d/audit.rules
+ - /etc/audit/auditd.conf
+ when:
+ - rhel_08_030610
+ tags:
+ - RHEL-08-030610
+ - permissions
+
+- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive."
+ block:
+ - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive.
| Find toosl with less than 755 perms"
+ shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
+ changed_when: false
+ failed_when: false
+ register: rhel_08_030620_tools
+
+ - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
+ file:
+ path: "{{ item }}"
+ mode: 0755
+ with_items:
+ - "{{ rhel_08_030620_tools.stdout_lines }}"
+ when:
+ - rhel_08_030620
+ tags:
+ - RHEL-08-030620
+ - permissions
+
+- name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root."
+ file:
+ path: "{{ item }}"
+ owner: root
+ with_items:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audisp-remote
+ - /sbin/audisp-syslog
+ - /sbin/augenrules
+ when:
+ - rhel_08_030630
+ tags:
+ - RHEL-08-030630
+ - permissions
+
+- name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root."
+ file:
+ path: "{{ item }}"
+ owner: root
+ with_items:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audisp-remote
+ - /sbin/audisp-syslog
+ - /sbin/augenrules
+ when:
+ - rhel_08_030640
+ tags:
+ - RHEL-08-030640
+ - permissions
+
+- name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."
+ lineinfile:
+ path: /etc/aide.conf
+ line: "{{ item }}"
+ with_items:
+ - "# Audit Tools"
+ - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
+ when:
+ - rhel_08_030650
+ tags:
+ - RHEL-08-030650
+ - aide
+
+- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."
+ block:
+ - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition"
+ shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_030660_audit_log_path
+
+ - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition"
+ shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_030660_audit_log_partition
+
+ - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
| Message out partition size"
+ debug:
+ msg:
+ - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"
+ - "Path: {{ rhel_08_030660_audit_log_path.stdout }}"
+ - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}"
+ when:
+ - rhel_08_030660
+ tags:
+ - RHEL-08-030660
+
+- name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed."
+ dnf:
+ name: rsyslog
+ state: present
+ when:
+ - rhel_08_030670
+ tags:
+ - RHEL-08-030670
+ - rsyslog
+
+- name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed."
+ dnf:
+ name: gnutls
+ state: present
+ when:
+ - rhel_08_030680
+ tags:
+ - RHEL-08-030680
+ - gnutls
+
+- name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^.*\@\@'
+ line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}"
+ when:
+ - rhel_08_030690
+ tags:
+ - RHEL-08-030690
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^overflow_action ='
+ line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}'
+ notify: restart auditd
+ when:
+ - rhel_08_030700
+ tags:
+ - RHEL-08-030700
+ - auditd
+
+- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
+ lineinfile:
+ path: /etc/rsyslog.conf
+ create: yes
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' }
+ - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' }
+ when:
+ - rhel_08_030710
+ tags:
+ - RHEL-08-030710
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs."
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^\$ActionSendStreamDriverAuthMode'
+ line: "$ActionSendStreamDriverAuthMode x509/name"
+ notify: restart auditd
+ when:
+ - rhel_08_030720
+ tags:
+ - rhel_08_030720
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^space_left =', line: 'space_left = 25%' }
+ - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' }
+ when:
+ - rhel_08_030730
+ tags:
+ - RHEL-08-030730
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
+ lineinfile:
+ path: /etc/chrony.conf
+ regexp: '^server'
+ line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16'
+ notify: restart {{ rhel8stig_time_service }}
+ when:
+ - rhel_08_030740
+ tags:
+ - RHEL-08-030740
+ - chronyd
+
+- name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed."
+ shell: dnf remove abrt*
+ failed_when: false
+ args:
+ warn: false
+ when:
+ - rhel_08_040001
+ tags:
+ - RHEL-08-040001
+ - dnf
+ - abrt
+
+- name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed."
+ dnf:
+ name: sendmail
+ state: absent
+ when:
+ - rhel_08_040002
+ tags:
+ - RHEL-08-040002
+ - dnf
+ - sendmail
+
+- name: "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed."
+ dnf:
+ name: gssproxy
+ state: absent
+ when:
+ - rhel_08_040003
+ tags:
+ - RHEL-08-040003
+ - dnf
+ - gssproxy
+
+- name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use."
+ lineinfile:
+ path: /etc/modprobe.d/blacklist.conf
+ create: yes
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ insertafter: "{{ item.insertafter }}"
+ notify: reboot system
+ with_items:
+ - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' }
+ - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' }
+ when:
+ - rhel_08_040020
+ tags:
+ - RHEL-08-040020
+ - camera
+
+- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
+ block:
+ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
+ block:
+ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using firewalld"
+ shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
+ register: rhel8stig_PPSM_CLSA_check_firewalld
+ changed_when: false
+ failed_when: false
+ check_mode: no
+ when:
+ - rhel_08_040030
+ tags:
+ - RHEL-08-040030
+ - firewall
+
+ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
+ debug:
+ msg:
+ - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
+ - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}"
+ changed_when: true
+ when:
+ - rhel_08_040030
+ - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined
+ tags:
+ - RHEL-08-040030
+ - firewall
+ when:
+ - rhel_08_040030
+ - not rhel8stig_system_is_chroot
+ - not rhel8stig_system_is_container
+ - rhel8stig_firewall_service == "firewalld"
+ - rhel8stig_start_firewall_service
+ tags:
+ - RHEL-08-040030
+ - firewall
+
+ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block"
+ block:
+ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using iptables"
+ shell: iptables-save | grep -i accept | grep -i input
+ register: rhel8stig_PPSM_CLSA_check_iptables
+ changed_when: false
+ failed_when: false
+ check_mode: no
+ when: rhel_08_040030
+ tags:
+ - RHEL-08-040030
+ - firewall
+
+ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
+ debug:
+ msg:
+ - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}."
+ - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}"
+ changed_when: true
+ when:
+ - rhel_08_040030
+ - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined
+ tags:
+ - RHEL-08-040030
+ - firewall
+ when:
+ - rhel_08_040030
+ - not rhel8stig_system_is_chroot
+ - not rhel8stig_system_is_container
+ - rhel8stig_firewall_service == "iptables"
+ - rhel8stig_start_firewall_service
+ tags:
+ - RHEL-08-040030
+ - firewall
+
+ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use"
+ debug:
+ msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
+ changed_when: true
+ when:
+ - rhel_08_040030
+ - not rhel8stig_start_firewall_service
+ tags:
+ - RHEL-08-040030
+ - firewall
+ when:
+ - rhel_08_040030
+ - not rhel8stig_system_is_chroot
+ - not rhel8stig_system_is_container
+ - rhel8stig_disruptive
+ tags:
+ - RHEL-08-040030
+ - firewall
+
+- name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required."
+ block:
+ - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required.
| Check on autofs service to prevent disable error"
+ shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_040070_autofs_status
+
+ - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists"
+ service:
+ name: autofs
+ state: stopped
+ enabled: no
+ when: rhel_08_040070_autofs_status.stdout == "loaded"
+ when:
+ - rhel_08_040070
+ tags:
+ - RHEL-08-040070
+ - autofs
+
+- name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage."
+ lineinfile:
+ path: "{{ item.path }}"
+ create: yes
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ insertafter: "{{ item.insertafter }}"
+ with_items:
+ - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' }
+ - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'}
+ when:
+ - rhel_08_040080
+ tags:
+ - RHEL-08-040080
+ - usb_devices
+
+- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
+ block:
+ - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld"
+ dnf:
+ name: firewalld
+ state: present
+ when: rhel8stig_firewall_service == "firewalld"
+
+ - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
+ dnf:
+ name: iptables-services
+ state: present
+ when: rhel8stig_firewall_service == "iptables"
+
+ - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8.
| Start and enable service"
+ service:
+ name: "{{ rhel8stig_firewall_service }}"
+ state: started
+ enabled: yes
+ when:
+ - rhel_08_040100
+ tags:
+ - RHEL-08-040100
+ - firewall
+ - "{{ rhel8stig_firewall_service }}"
+
+- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
+ block:
+ - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
+ firewalld:
+ zone: "{{ rhel8stig_custom_firewall_zone }}"
+ permanent: true
+ state: present
+
+ - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh"
+ firewalld:
+ zone: "{{ rhel8stig_custom_firewall_zone }}"
+ permanent: true
+ state: enabled
+ service: "{{ item }}"
+ with_items:
+ - "{{ rhel8stig_white_list_services }}"
+
+ - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
+ command: firewall-cmd --reload
+ changed_when: rhel_08_040090_zone_reload.rc == 0
+ failed_when: rhel_08_040090_zone_reload.rc >= 2
+ register: rhel_08_040090_zone_reload
+
+ - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone as default"
+ command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
+ changed_when: rhel_08_040090_default_zone_set.rc == 0
+ failed_when: rhel_08_040090_default_zone_set.rc >= 2
+ register: rhel_08_040090_default_zone_set
+ when:
+ - rhel_08_040090
+ tags:
+ - RHEL-08-040090
+ - firewall
+
+- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
+ block:
+ - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
+ command: rpm -q NetworkManager
+ args:
+ warn: no
+ check_mode: no
+ changed_when: no
+ register: rhel_08_nmcli_available
+ failed_when: no
+
+ - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
+ command: nmcli radio wifi
+ register: rhel_08_wifi_enabled
+ check_mode: no
+ changed_when: rhel_08_wifi_enabled.stdout != "disabled"
+ when: rhel_08_nmcli_available.rc == 0
+
+ - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
+ command: nmcli radio wifi off
+ when: rhel_08_wifi_enabled is changed
+ when:
+ - rhel_08_040110
+ tags:
+ - RHEL-08-040110
+ - wifi
+
+- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled."
+ lineinfile:
+ path: /etc/modprobe.d/bluetooth.conf
+ regexp: '^install bluetooth '
+ line: "install bluetooth /bin/true"
+ create: yes
+ notify: reboot system
+ when:
+ - rhel_08_040111
+ tags:
+ - RHEL-08-040111
+ - bluetooth
+
+- name: |
+ "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
+ "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
+ "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
+ block:
+ - name: |
+ "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option."
+ "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option."
+ "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option."
+ shell: mount | grep /dev/shm
+ changed_when: false
+ failed_when: false
+ register: rhel8stig_040120_dev_shm_status
+
+ - name: |
+ "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
+ "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
+ "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
+ mount:
+ path: /dev/shm
+ state: mounted
+ src: tmpfs
+ fstype: tmpfs
+ opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '')}}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}"
+ when: rhel8stig_040120_dev_shm_status.stdout != ""
+ when:
+ - rhel_08_040120 or
+ rhel_08_040121 or
+ rhel_08_040122
+ tags:
+ - RHEL-08-040120
+ - RHEL-08-040121
+ - RHEL-08-040122
+ - mounts
+
+- name: |
+ "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
+ "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
+ "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
+ block:
+ - name: |
+ "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option."
+ "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option."
+ "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option."
+ shell: mount | grep /tmp
+ changed_when: false
+ failed_when: false
+ register: rhel8stig_040123_dev_status
+
+ - name: |
+ "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
+ "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
+ "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
+ mount:
+ path: /tmp
+ state: mounted
+ src: xfs
+ fstype: xfs
+ opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '')}}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}"
+ when: rhel8stig_040123_dev_status.stdout != ""
+ when:
+ - rhel_08_040123 or
+ rhel_08_040124 or
+ rhel_08_040125
+ tags:
+ - RHEL-08-040123
+ - RHEL-08-040124
+ - RHEL-08-04125
+ - mounts
+
+- name: |
+ "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
+ "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
+ "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
+ block:
+ - name: |
+ "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
+ "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
+ "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
+ shell: mount | grep /var/log
+ changed_when: false
+ failed_when: false
+ register: rhel8stig_040126_var_log_status
+
+ - name: |
+ "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
+ "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
+ "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
+ mount:
+ path: /var/log
+ state: mounted
+ src: xfs
+ fstype: xfs
+ opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '')}}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}"
+ when: rhel8stig_040126_var_log_status.stdout != ""
+ when:
+ - rhel_08_040126 or
+ rhel_08_040127 or
+ rhel_08_040128
+ tags:
+ - RHEL-08-040126
+ - RHEL-08-040127
+ - RHEL-08-040128
+ - mounts
+
+- name: |
+ "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
+ "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
+ "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
+ block:
+ - name: |
+ "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option."
+ "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option."
+ "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option."
+ shell: mount | grep /var/log/audit
+ changed_when: false
+ failed_when: false
+ register: rhel8stig_040129_var_log_audit_status
+
+ - name: |
+ "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
+ "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
+ "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
+ mount:
+ path: /var/log/audit
+ state: mounted
+ src: xfs
+ fstype: xfs
+ opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '')}}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}"
+ when: rhel8stig_040129_var_log_audit_status.stdout != ""
+ when:
+ - rhel_08_040129 or
+ rhel_08_040130 or
+ rhel_08_040131
+ tags:
+ - RHEL-08-040129
+ - RHEL-08-040130
+ - RHEL-08-040131
+ - mounts
+
+- name: |
+ "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
+ "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
+ "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
+ block:
+ - name: |
+ "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option"
+ "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option."
+ "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option."
+ shell: mount | grep /var/tmp
+ changed_when: false
+ failed_when: false
+ register: rhel8stig_040132_var_tmp_status
+
+ - name: |
+ "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
+ "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
+ "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
+ mount:
+ path: /var/tmp
+ state: mounted
+ src: xfs
+ fstype: xfs
+ opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '')}}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}"
+ when: rhel8stig_040132_var_tmp_status.stdout != ""
+ when:
+ - rhel_08_040132 or
+ rhel_08_040133 or
+ rhel_08_040134
+ tags:
+ - RHEL-08-040132
+ - RHEL-08-040133
+ - RHEL-08-040134
+ - mounts
+
+- name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+ block:
+ - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy"
+ dnf:
+ name: fapolicyd
+ state: present
+
+ - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts"
+ shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
+ changed_when: false
+ failed_when: false
+
+ - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
| Start/enable fapolicy"
+ service:
+ name: fapolicyd
+ state: started
+ enabled: yes
+
+ - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist "
+ lineinfile:
+ path: /etc/fapolicyd/fapolicyd.rules
+ line: "{{ item }}"
+ with_items:
+ - "{{ rhel8stig_fapolicy_white_list }}"
+
+ - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0"
+ lineinfile:
+ path: /etc/fapolicyd/fapolicyd.conf
+ regexp: '^permissive ='
+ line: 'permissive = 0'
+ when:
+ - rhel_08_040135
+ tags:
+ - RHEL-08-040135
+ - fapolicyd
+
 # ===========below here is old===========
 # - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date."
 # dnf:
@@ -5908,895 +7054,895 @@ # - RHEL-08-030310 # - auditd -- name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh - notify: restart auditd - when: - - rhel_08_030320 - tags: - - RHEL-08-030320 - - auditd - -- name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030330 - tags: - - RHEL-08-030330 - - auditd - -- name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check - notify: restart auditd - when: - - rhel_08_030340 - tags: - - RHEL-08-030340 - - auditd - -- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd - notify: restart auditd - when: - - rhel_08_030350 - tags: - - RHEL-08-030350 - - auditd - -- name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030360 - tags: - - RHEL-08-030360 - - auditd - -- name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd - notify: restart auditd - when: - - rhel_08_030370 - tags: - - RHEL-08-030370 - - auditd - -- name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030380 - tags: - - RHEL-08-030380 - - auditd - -- name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030390 - tags: - - RHEL-08-030390 - - auditd - -- name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab - notify: restart auditd - when: - - rhel_08_030400 - tags: - - RHEL-08-030400 - - auditd - -- name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd - notify: restart auditd - when: - - rhel_08_030410 - tags: - - RHEL-08-030410 - - auditd +# - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh +# notify: restart auditd +# when: +# - rhel_08_030320 +# tags: +# - RHEL-08-030320 +# - auditd -- name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030420 - tags: - - RHEL-08-030420 - - auditd +# - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030330 +# tags: +# - RHEL-08-030330 +# - auditd -- name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030430 - tags: - - RHEL-08-030430 - - auditd +# - name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check +# notify: restart auditd +# when: +# - rhel_08_030340 +# tags: +# - RHEL-08-030340 +# - auditd + +# - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd +# notify: restart auditd +# when: +# - rhel_08_030350 +# tags: +# - RHEL-08-030350 +# - auditd -- name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030440 - tags: - - RHEL-08-030440 - - auditd +# - name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030360 +# tags: +# - RHEL-08-030360 +# - auditd -- name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030450 - tags: - - RHEL-08-030450 - - auditd +# - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd +# notify: restart auditd +# when: +# - rhel_08_030370 +# tags: +# - RHEL-08-030370 +# - auditd -- name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030460 - tags: - - RHEL-08-030460 - - auditd +# - name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030380 +# tags: +# - RHEL-08-030380 +# - auditd -- name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030470 - tags: - - RHEL-08-030470 - - auditd +# - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030390 +# tags: +# - RHEL-08-030390 +# - auditd -- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030480 - tags: - - RHEL-08-030480 - - auditd +# - name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab +# notify: restart auditd +# when: +# - rhel_08_030400 +# tags: +# - RHEL-08-030400 +# - auditd -- name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030490 - tags: - - RHEL-08-030490 - - auditd +# - name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd +# notify: restart auditd +# when: +# - rhel_08_030410 +# tags: +# - RHEL-08-030410 +# - auditd -- name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030500 - tags: - - RHEL-08-030500 - - auditd +# - name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030420 +# tags: +# - RHEL-08-030420 +# - auditd -- name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030510 - tags: - - RHEL-08-030510 - - auditd +# - name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030430 +# tags: +# - RHEL-08-030430 +# - auditd -- name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - notify: restart auditd - when: - - rhel_08_030520 - tags: - - RHEL-08-030520 - - auditd +# - name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030440 +# tags: +# - RHEL-08-030440 +# - auditd -- name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030530 - tags: - - RHEL-08-030530 - - auditd +# - name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030450 +# tags: +# - RHEL-08-030450 +# - auditd -- name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030540 - tags: - - RHEL-08-030540 - - auditd +# - name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030460 +# tags: +# - RHEL-08-030460 +# - auditd -- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd - notify: restart auditd - when: - - rhel_08_030550 - tags: - - RHEL-08-030550 - - auditd +# - name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030470 +# tags: +# - RHEL-08-030470 +# - auditd -- name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod - notify: restart auditd - when: - - rhel_08_030560 - tags: - - RHEL-08-030560 - - auditd +# - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030480 +# tags: +# - RHEL-08-030480 +# - auditd -- name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030570 - tags: - - RHEL-08-030570 - - auditd +# - name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030490 +# tags: +# - RHEL-08-030490 +# - auditd -- name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -w /bin/kmod -p x -k modules - notify: restart auditd - when: - - rhel_08_030580 - tags: - - RHEL-08-030580 - - auditd +# - name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030500 +# tags: +# - RHEL-08-030500 +# - auditd -- name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -w /var/log/faillock -p wa -k logins - notify: restart auditd - when: - - rhel_08_030590 - tags: - - RHEL-08-030590 - - auditd +# - name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030510 +# tags: +# - RHEL-08-030510 +# - auditd -- name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -w /var/log/lastlog -p wa -k logins - notify: restart auditd - when: - - rhel_08_030600 - tags: - - RHEL-08-030600 - - auditd +# - name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030520 +# tags: +# - RHEL-08-030520 +# - auditd -- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." 
- file: - path: "{{ item }}" - mode: 0640 - with_items: - - /etc/audit/rules.d/audit.rules - - /etc/audit/auditd.conf - when: - - rhel_08_030610 - tags: - - RHEL-08-030610 - - permissions +# - name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030530 +# tags: +# - RHEL-08-030530 +# - auditd -- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive." - block: - - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms" - shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" " - changed_when: false - failed_when: false - register: rhel_08_030620_tools +# - name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030540 +# tags: +# - RHEL-08-030540 +# - auditd - - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. 
| Set permissions to 755 on tools" - file: - path: "{{ item }}" - mode: 0755 - with_items: - - "{{ rhel_08_030620_tools.stdout_lines }}" - when: - - rhel_08_030620 - tags: - - RHEL-08-030620 - - permissions +# - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd +# notify: restart auditd +# when: +# - rhel_08_030550 +# tags: +# - RHEL-08-030550 +# - auditd -- name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root." - file: - path: "{{ item }}" - owner: root - with_items: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/audisp-remote - - /sbin/audisp-syslog - - /sbin/augenrules - when: - - rhel_08_030630 - tags: - - RHEL-08-030630 - - permissions +# - name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod +# notify: restart auditd +# when: +# - rhel_08_030560 +# tags: +# - RHEL-08-030560 +# - auditd -- name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root." - file: - path: "{{ item }}" - owner: root - with_items: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/audisp-remote - - /sbin/audisp-syslog - - /sbin/augenrules - when: - - rhel_08_030640 - tags: - - RHEL-08-030640 - - permissions +# - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030570 +# tags: +# - RHEL-08-030570 +# - auditd -- name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools." - lineinfile: - path: /etc/aide.conf - line: "{{ item }}" - with_items: - - "# Audit Tools" - - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - when: - - rhel_08_030650 - tags: - - RHEL-08-030650 - - aide +# - name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -w /bin/kmod -p x -k modules +# notify: restart auditd +# when: +# - rhel_08_030580 +# tags: +# - RHEL-08-030580 +# - auditd + +# - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -w /var/log/faillock -p wa -k logins +# notify: restart auditd +# when: +# - rhel_08_030590 +# tags: +# - RHEL-08-030590 +# - auditd -- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility." 
- block: - - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition" - shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|' - changed_when: false - failed_when: false - register: rhel_08_030660_audit_log_path +# - name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -w /var/log/lastlog -p wa -k logins +# notify: restart auditd +# when: +# - rhel_08_030600 +# tags: +# - RHEL-08-030600 +# - auditd - - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition" - shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}" - changed_when: false - failed_when: false - register: rhel_08_030660_audit_log_partition +# - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." +# file: +# path: "{{ item }}" +# mode: 0640 +# with_items: +# - /etc/audit/rules.d/audit.rules +# - /etc/audit/auditd.conf +# when: +# - rhel_08_030610 +# tags: +# - RHEL-08-030610 +# - permissions - - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size" - debug: - msg: - - "ALERT!!!Below is the path and size of the partiion for the audit logs. 
Please make sure there is enough disk space for logs and logs are on their own partition" - - "Path: {{ rhel_08_030660_audit_log_path.stdout }}" - - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}" - when: - - rhel_08_030660 - tags: - - RHEL-08-030660 +# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive." +# block: +# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms" +# shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" " +# changed_when: false +# failed_when: false +# register: rhel_08_030620_tools -- name: "MEDIUM | RHEL-08-030670 | PATCH | The RHEL 8 remote audit system must take appropriate action when audit storage is full." - lineinfile: - path: /etc/audit/audisp-remote.conf - regexp: '^disk_full_action =' - line: "disk_full_action = {{ rhel8stig_audisp_disk_full_action }}" - when: - - rhel_08_030670 - tags: - - RHEL-08-030670 - - auditd +# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools" +# file: +# path: "{{ item }}" +# mode: 0755 +# with_items: +# - "{{ rhel_08_030620_tools.stdout_lines }}" +# when: +# - rhel_08_030620 +# tags: +# - RHEL-08-030620 +# - permissions -- name: "MEDIUM | RHEL-08-030680 | PATCH | The RHEL 8 audit system must take appropriate action when the network cannot be used to off-load audit records." - lineinfile: - path: /etc/audit/audisp-remote.conf - regexp: '^network_failure_action =' - line: 'network_failure_action = {{ rhel8stig_audisp_network_failure_action }}' - when: - - rhel_08_030680 - tags: - - RHEL-08-030680 - - auditd +# - name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root." 
+# file: +# path: "{{ item }}" +# owner: root +# with_items: +# - /sbin/auditctl +# - /sbin/aureport +# - /sbin/ausearch +# - /sbin/autrace +# - /sbin/auditd +# - /sbin/audisp-remote +# - /sbin/audisp-syslog +# - /sbin/augenrules +# when: +# - rhel_08_030630 +# tags: +# - RHEL-08-030630 +# - permissions -- name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited." - lineinfile: - path: /etc/audit/audisp-remote.conf - regexp: '^remote_server =' - line: 'remote_server = {{ rhel8stig_audisp_remote_server }}' - when: - - rhel_08_030690 - tags: - - RHEL-08-030690 - - auditd +# - name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root." +# file: +# path: "{{ item }}" +# owner: root +# with_items: +# - /sbin/auditctl +# - /sbin/aureport +# - /sbin/ausearch +# - /sbin/autrace +# - /sbin/auditd +# - /sbin/audisp-remote +# - /sbin/audisp-syslog +# - /sbin/augenrules +# when: +# - rhel_08_030640 +# tags: +# - RHEL-08-030640 +# - permissions -- name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full." - lineinfile: - path: /etc/audit/audispd.conf - create: yes - regexp: '^overflow_action =' - line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}' - notify: restart auditd - when: - - rhel_08_030700 - tags: - - RHEL-08-030700 - - auditd +# - name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools." 
+# lineinfile: +# path: /etc/aide.conf +# line: "{{ item }}" +# with_items: +# - "# Audit Tools" +# - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 +# - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 +# - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 +# - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 +# - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 +# - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512 +# - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512 +# - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 +# when: +# - rhel_08_030650 +# tags: +# - RHEL-08-030650 +# - aide -- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." - lineinfile: - path: /etc/audit/audisp-remote.conf - create: yes - regexp: '^transport =' - line: 'transport = krb5' - when: - - rhel_08_030710 - tags: - - RHEL-08-030710 - - auditd +# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility." +# block: +# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition" +# shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|' +# changed_when: false +# failed_when: false +# register: rhel_08_030660_audit_log_path -- name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must be configured to off-load audit logs to a different system or storage media." 
- lineinfile: - path: /etc/audit/plugins.d/au-remote.conf - create: yes - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '.*?active =', line: 'active = yes '} - - { regexp: '.*?direction =', line: 'direction = out' } - - { regexp: '.*?path =', line: 'path = /sbin/audisp-remote' } - - { regexp: '.*?type =', line: 'type = always' } - notify: restart auditd - when: - - rhel_08_030720 - tags: - - rhel_08_030720 - - auditd +# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition" +# shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}" +# changed_when: false +# failed_when: false +# register: rhel_08_030660_audit_log_partition -- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." - lineinfile: - path: /etc/audit/auditd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^space_left =', line: 'space_left = 25%' } - - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' } - when: - - rhel_08_030730 - tags: - - RHEL-08-030730 - - auditd +# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size" +# debug: +# msg: +# - "ALERT!!!Below is the path and size of the partiion for the audit logs. 
Please make sure there is enough disk space for logs and logs are on their own partition" +# - "Path: {{ rhel_08_030660_audit_log_path.stdout }}" +# - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}" +# when: +# - rhel_08_030660 +# tags: +# - RHEL-08-030660 -- name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - lineinfile: - path: /etc/chrony.conf - regexp: '^server' - line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16' - notify: restart {{ rhel8stig_time_service }} - when: - - rhel_08_030740 - tags: - - RHEL-08-030740 - - chronyd +# - name: "MEDIUM | RHEL-08-030670 | PATCH | The RHEL 8 remote audit system must take appropriate action when audit storage is full." +# lineinfile: +# path: /etc/audit/audisp-remote.conf +# regexp: '^disk_full_action =' +# line: "disk_full_action = {{ rhel8stig_audisp_disk_full_action }}" +# when: +# - rhel_08_030670 +# tags: +# - RHEL-08-030670 +# - auditd -- name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use." - lineinfile: - path: /etc/modprobe.d/blacklist.conf - create: yes - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - with_items: - - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } - - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } - when: - - rhel_08_040020 - tags: - - RHEL-08-040020 - - camera +# - name: "MEDIUM | RHEL-08-030680 | PATCH | The RHEL 8 audit system must take appropriate action when the network cannot be used to off-load audit records." 
+# lineinfile: +# path: /etc/audit/audisp-remote.conf +# regexp: '^network_failure_action =' +# line: 'network_failure_action = {{ rhel8stig_audisp_network_failure_action }}' +# when: +# - rhel_08_030680 +# tags: +# - RHEL-08-030680 +# - auditd -- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." - block: - - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block" - block: - - name: "MEDIUM | RHEL-08-040030 | PATCH | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using firewalld" - shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u - register: rhel8stig_PPSM_CLSA_check_firewalld - changed_when: false - failed_when: false - check_mode: no - when: - - rhel_08_040030 - tags: - - RHEL-08-040030 - - firewall +# - name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited." 
+# lineinfile: +# path: /etc/audit/audisp-remote.conf +# regexp: '^remote_server =' +# line: 'remote_server = {{ rhel8stig_audisp_remote_server }}' +# when: +# - rhel_08_030690 +# tags: +# - RHEL-08-030690 +# - auditd - - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" - debug: - msg: - - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}." - - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}" - changed_when: true - when: - - rhel_08_040030 - - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined - tags: - - RHEL-08-040030 - - firewall - when: - - rhel_08_040030 - - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container - - rhel8stig_firewall_service == "firewalld" - - rhel8stig_start_firewall_service - tags: - - RHEL-08-040030 - - firewall +# - name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full." +# lineinfile: +# path: /etc/audit/audispd.conf +# create: yes +# regexp: '^overflow_action =' +# line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}' +# notify: restart auditd +# when: +# - rhel_08_030700 +# tags: +# - RHEL-08-030700 +# - auditd - - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| IPTables block" - block: - - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using iptables" - shell: iptables-save | grep -i accept | grep -i input - register: rhel8stig_PPSM_CLSA_check_iptables - changed_when: false - failed_when: false - check_mode: no - when: rhel_08_040030 - tags: - - RHEL-08-040030 - - firewall +# - name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." +# lineinfile: +# path: /etc/audit/audisp-remote.conf +# create: yes +# regexp: '^transport =' +# line: 'transport = krb5' +# when: +# - rhel_08_030710 +# tags: +# - RHEL-08-030710 +# - auditd - - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" - debug: - msg: - - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}." - - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}" - changed_when: true - when: - - rhel_08_040030 - - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined - tags: - - RHEL-08-040030 - - firewall - when: - - rhel_08_040030 - - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container - - rhel8stig_firewall_service == "iptables" - - rhel8stig_start_firewall_service - tags: - - RHEL-08-040030 - - firewall +# - name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must be configured to off-load audit logs to a different system or storage media." 
+# lineinfile: +# path: /etc/audit/plugins.d/au-remote.conf +# create: yes +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '.*?active =', line: 'active = yes '} +# - { regexp: '.*?direction =', line: 'direction = out' } +# - { regexp: '.*?path =', line: 'path = /sbin/audisp-remote' } +# - { regexp: '.*?type =', line: 'type = always' } +# notify: restart auditd +# when: +# - rhel_08_030720 +# tags: +# - rhel_08_030720 +# - auditd - - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use" - debug: - msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." - changed_when: true - when: - - rhel_08_040030 - - not rhel8stig_start_firewall_service - tags: - - RHEL-08-040030 - - firewall - when: - - rhel_08_040030 - - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container - - rhel8stig_disruptive - tags: - - RHEL-08-040030 - - firewall +# - name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." 
+# lineinfile: +# path: /etc/audit/auditd.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^space_left =', line: 'space_left = 25%' } +# - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' } +# when: +# - rhel_08_030730 +# tags: +# - RHEL-08-030730 +# - auditd -- name: "MEDIUM | RHEL-08-040040 | PATCH | RHEL 8 must prevent shell access for the root account." - user: - name: root - shell: /sbin/nologin - when: - - rhel_08_040040 - tags: - - RHEL-08-040040 - - users +# - name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." +# lineinfile: +# path: /etc/chrony.conf +# regexp: '^server' +# line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16' +# notify: restart {{ rhel8stig_time_service }} +# when: +# - rhel_08_030740 +# tags: +# - RHEL-08-030740 +# - chronyd -- name: "MEDIUM | RHEL-08-040050 | PATCH | RHEL 8 must prevent direct logon into the root account." - user: - name: root - password_lock: yes - when: - - rhel_08_040050 - tags: - - RHEL-08-040050 - - users +# - name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use." 
+# lineinfile: +# path: /etc/modprobe.d/blacklist.conf +# create: yes +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# with_items: +# - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } +# - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } +# when: +# - rhel_08_040020 +# tags: +# - RHEL-08-040020 +# - camera -- name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required." - block: - - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error" - shell: "systemctl show autofs | grep LoadState | cut -d= -f2" - changed_when: false - failed_when: false - register: rhel_08_040070_autofs_status +# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." +# block: +# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block" +# block: +# - name: "MEDIUM | RHEL-08-040030 | PATCH | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using firewalld" +# shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u +# register: rhel8stig_PPSM_CLSA_check_firewalld +# changed_when: false +# failed_when: false +# check_mode: no +# when: +# - rhel_08_040030 +# tags: +# - RHEL-08-040030 +# - firewall + +# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" +# debug: +# msg: +# - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}." +# - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}" +# changed_when: true +# when: +# - rhel_08_040030 +# - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined +# tags: +# - RHEL-08-040030 +# - firewall +# when: +# - rhel_08_040030 +# - not rhel8stig_system_is_chroot +# - not rhel8stig_system_is_container +# - rhel8stig_firewall_service == "firewalld" +# - rhel8stig_start_firewall_service +# tags: +# - RHEL-08-040030 +# - firewall + +# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block" +# block: +# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using iptables" +# shell: iptables-save | grep -i accept | grep -i input +# register: rhel8stig_PPSM_CLSA_check_iptables +# changed_when: false +# failed_when: false +# check_mode: no +# when: rhel_08_040030 +# tags: +# - RHEL-08-040030 +# - firewall + +# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" +# debug: +# msg: +# - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}." +# - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}" +# changed_when: true +# when: +# - rhel_08_040030 +# - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined +# tags: +# - RHEL-08-040030 +# - firewall +# when: +# - rhel_08_040030 +# - not rhel8stig_system_is_chroot +# - not rhel8stig_system_is_container +# - rhel8stig_firewall_service == "iptables" +# - rhel8stig_start_firewall_service +# tags: +# - RHEL-08-040030 +# - firewall - - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists" - service: - name: autofs - state: stopped - enabled: no - when: rhel_08_040070_autofs_status.stdout == "loaded" - when: - - rhel_08_040070 - tags: - - RHEL-08-040070 - - autofs +# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use" +# debug: +# msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. 
We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." +# changed_when: true +# when: +# - rhel_08_040030 +# - not rhel8stig_start_firewall_service +# tags: +# - RHEL-08-040030 +# - firewall +# when: +# - rhel_08_040030 +# - not rhel8stig_system_is_chroot +# - not rhel8stig_system_is_container +# - rhel8stig_disruptive +# tags: +# - RHEL-08-040030 +# - firewall -- name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage." - lineinfile: - path: "{{ item.path }}" - create: yes - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - with_items: - - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } - - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} - when: - - rhel_08_040080 - tags: - - RHEL-08-040080 - - usb_devices +# - name: "MEDIUM | RHEL-08-040040 | PATCH | RHEL 8 must prevent shell access for the root account." +# user: +# name: root +# shell: /sbin/nologin +# when: +# - rhel_08_040040 +# tags: +# - RHEL-08-040040 +# - users -- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8." - block: - - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld" - dnf: - name: firewalld - state: present - when: rhel8stig_firewall_service == "firewalld" +# - name: "MEDIUM | RHEL-08-040050 | PATCH | RHEL 8 must prevent direct logon into the root account." 
+# user: +# name: root +# password_lock: yes +# when: +# - rhel_08_040050 +# tags: +# - RHEL-08-040050 +# - users - - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables" - dnf: - name: iptables-services - state: present - when: rhel8stig_firewall_service == "iptables" +# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required." +# block: +# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error" +# shell: "systemctl show autofs | grep LoadState | cut -d= -f2" +# changed_when: false +# failed_when: false +# register: rhel_08_040070_autofs_status - - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service" - service: - name: "{{ rhel8stig_firewall_service }}" - state: started - enabled: yes - when: - - rhel_08_040100 - tags: - - RHEL-08-040100 - - firewall - - "{{ rhel8stig_firewall_service }}" +# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists" +# service: +# name: autofs +# state: stopped +# enabled: no +# when: rhel_08_040070_autofs_status.stdout == "loaded" +# when: +# - rhel_08_040070 +# tags: +# - RHEL-08-040070 +# - autofs -- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems." - block: - - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone" - firewalld: - zone: "{{ rhel8stig_custom_firewall_zone }}" - permanent: true - state: present +# - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage." 
+# lineinfile: +# path: "{{ item.path }}" +# create: yes +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# with_items: +# - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } +# - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} +# when: +# - rhel_08_040080 +# tags: +# - RHEL-08-040080 +# - usb_devices - - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh" - firewalld: - zone: "{{ rhel8stig_custom_firewall_zone }}" - permanent: true - state: enabled - service: "{{ item }}" - with_items: - - "{{ rhel8stig_white_list_services }}" +# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8." +# block: +# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld" +# dnf: +# name: firewalld +# state: present +# when: rhel8stig_firewall_service == "firewalld" - - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones" - command: firewall-cmd --reload - changed_when: rhel_08_040090_zone_reload.rc == 0 - failed_when: rhel_08_040090_zone_reload.rc >= 2 - register: rhel_08_040090_zone_reload +# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables" +# dnf: +# name: iptables-services +# state: present +# when: rhel8stig_firewall_service == "iptables" - - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Set new zone as default"
- command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
- changed_when: rhel_08_040090_default_zone_set.rc == 0
- failed_when: rhel_08_040090_default_zone_set.rc >= 2
- register: rhel_08_040090_default_zone_set
- when:
- - rhel_08_040090
- tags:
- - RHEL-08-040090
- - firewall
+# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
+# service:
+# name: "{{ rhel8stig_firewall_service }}"
+# state: started
+# enabled: yes
+# when:
+# - rhel_08_040100
+# tags:
+# - RHEL-08-040100
+# - firewall
+# - "{{ rhel8stig_firewall_service }}"
-- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
- block:
- - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
- command: rpm -q NetworkManager
- args:
- warn: no
- check_mode: no
- changed_when: no
- register: rhel_08_nmcli_available
- failed_when: no
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
+# block:
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
+# firewalld:
+# zone: "{{ rhel8stig_custom_firewall_zone }}"
+# permanent: true
+# state: present
- - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
- command: nmcli radio wifi
- register: rhel_08_wifi_enabled
- check_mode: no
- changed_when: rhel_08_wifi_enabled.stdout != "disabled"
- when: rhel_08_nmcli_available.rc == 0
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Allow internet and ssh"
+# firewalld:
+# zone: "{{ rhel8stig_custom_firewall_zone }}"
+# permanent: true
+# state: enabled
+# service: "{{ item }}"
+# with_items:
+# - "{{ rhel8stig_white_list_services }}"
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
+# command: firewall-cmd --reload
+# changed_when: rhel_08_040090_zone_reload.rc == 0
+# failed_when: rhel_08_040090_zone_reload.rc >= 2
+# register: rhel_08_040090_zone_reload
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone as default"
+# command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
+# changed_when: rhel_08_040090_default_zone_set.rc == 0
+# failed_when: rhel_08_040090_default_zone_set.rc >= 2
+# register: rhel_08_040090_default_zone_set
+# when:
+# - rhel_08_040090
+# tags:
+# - RHEL-08-040090
+# - firewall
- - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
- command: nmcli radio wifi off
- when: rhel_08_wifi_enabled is changed
- when:
- - rhel_08_040110
- tags:
- - RHEL-08-040110
- - wifi
+# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
+# block:
+# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
+# command: rpm -q NetworkManager
+# args:
+# warn: no
+# check_mode: no
+# changed_when: no
+# register: rhel_08_nmcli_available
+# failed_when: no
-- name: "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with secure options." 
- mount:
- path: /dev/shm
- state: mounted
- src: tmpfs
- fstype: tmpfs
- opts: defaults,nodev,nosuid,noexec
- when:
- - rhel_08_040120
- tags:
- - RHEL-08-040120
+# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
+# command: nmcli radio wifi
+# register: rhel_08_wifi_enabled
+# check_mode: no
+# changed_when: rhel_08_wifi_enabled.stdout != "disabled"
+# when: rhel_08_nmcli_available.rc == 0
-- name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
- block:
- - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy"
- dnf:
- name: fapolicyd
- state: present
+# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
+# command: nmcli radio wifi off
+# when: rhel_08_wifi_enabled is changed
+# when:
+# - rhel_08_040110
+# tags:
+# - RHEL-08-040110
+# - wifi
- - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts"
- shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
- changed_when: false
- failed_when: false
+# - name: "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with secure options." 
+# mount:
+# path: /dev/shm
+# state: mounted
+# src: tmpfs
+# fstype: tmpfs
+# opts: defaults,nodev,nosuid,noexec
+# when:
+# - rhel_08_040120
+# tags:
+# - RHEL-08-040120
- - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy"
- service:
- name: fapolicyd
- state: started
- enabled: yes
+# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+# block:
+# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy"
+# dnf:
+# name: fapolicyd
+# state: present
- - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist "
- lineinfile:
- path: /etc/fapolicyd/fapolicyd.rules
- line: "{{ item }}"
- with_items:
- - "{{ rhel8stig_fapolicy_white_list }}"
+# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts"
+# shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
+# changed_when: false
+# failed_when: false
- - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy permissive 0"
- lineinfile:
- path: /etc/fapolicyd/fapolicyd.conf
- regexp: '^permissive ='
- line: 'permissive = 0'
- when:
- - rhel_08_040130
- tags:
- - RHEL-08-040130
- - fapolicyd
+# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy"
+# service:
+# name: fapolicyd
+# state: started
+# enabled: yes
+
+# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist "
+# lineinfile:
+# path: /etc/fapolicyd/fapolicyd.rules
+# line: "{{ item }}"
+# with_items:
+# - "{{ rhel8stig_fapolicy_white_list }}"
+
+# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0"
+# lineinfile:
+# path: /etc/fapolicyd/fapolicyd.conf
+# regexp: '^permissive ='
+# line: 'permissive = 0'
+# when:
+# - rhel_08_040130
+# tags:
+# - RHEL-08-040130
+# - fapolicyd
 - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection."
 block:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 70280488..4f9d7612 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -173,20 +173,14 @@
 - high
 - RHEL-08-010020
-- name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | RHEL-08-030670 | RHEL-08-030680 | RHEL-08-030690 | RHEL-08-030700 | RHEL-08-030710 | RHEL-08-030720 | Install audit remote plugin."
+- name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin."
 dnf:
 name: audispd-plugins
 when:
 - rhel_08_030620 or
 rhel_08_030630 or
 rhel_08_030640 or
- rhel_08_030650 or
- rhel_08_030670 or
- rhel_08_030680 or
- rhel_08_030690 or
- rhel_08_030700 or
- rhel_08_030710 or
- rhel_08_030720
+ rhel_08_030650
 tags:
 - cat2
 - medium
@@ -195,12 +189,6 @@
 - RHEL-08-030630
 - RHEL-08-030640
 - RHEL-08-030650
- - RHEL-08-030670
- - RHEL-08-030680
- - RHEL-08-030690
- - RHEL-08-030700
- - RHEL-08-030710
- - RHEL-08-030720
 # - name: "PRELIM | RHEL-08-030330 | Determine audit log partition."
 # block:
From c5c34318523743694f8a86f6b713d9167532cdc2 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 14 Jan 2021 13:32:16 -0500
Subject: [PATCH 12/15] cat2 synced with release of STIG 040161 - 040380
Signed-off-by: George Nalen
---
 defaults/main.yml | 38 +-
 tasks/fix-cat2.yml | 1408 ++++++++++++++++++++++++++++++-------------
 tasks/prelim.yml | 8 +-
 3 files changed, 990 insertions(+), 464 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 510ca716..2c26062c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
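Review bot: The audispd-plugins install in this PRELIM task is now gated only on `rhel_08_030620` through `rhel_08_030650`, so any remaining task for RHEL-08-030670 through RHEL-08-030720 that still configures the au-remote plugin would run on a host where the package was never installed; nothing in this hunk shows whether those tasks were dropped in the same sync, so that is worth confirming before merge. The new `when:` keeps the trailing-`or` multi-line plain scalar used elsewhere in the role, which is fine, but a one-line comment above the task such as `# RHEL-08-030670..030720 were retired in the v1 STIG release; audispd-plugins is only needed by 030620-030650` would record why the list shrank. The second hunk removes the matching tag entries, so tag-based runs of the retired IDs will no longer pull this prerequisite in; the task's opening lines sit outside the first hunk.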
@@ -354,18 +354,32 @@ rhel_08_040135: true
 rhel_08_040140: true
 rhel_08_040150: true
 rhel_08_040160: true
-rhel_08_040210: false
-rhel_08_040220: false
-rhel_08_040230: false
-rhel_08_040240: false
-rhel_08_040250: false
-rhel_08_040260: false
-rhel_08_040270: false
-rhel_08_040280: false
-rhel_08_040290: false
-rhel_08_040320: false
-rhel_08_040330: false
-rhel_08_040350: false
+rhel_08_040161: true
+rhel_08_040162: true
+rhel_08_040180: true
+rhel_08_040210: true
+rhel_08_040220: true
+rhel_08_040230: true
+rhel_08_040240: true
+rhel_08_040250: true
+rhel_08_040260: true
+rhel_08_040261: true
+rhel_08_040262: true
+rhel_08_040270: true
+rhel_08_040280: true
+rhel_08_040281: true
+rhel_08_040282: true
+rhel_08_040283: true
+rhel_08_040284: true
+rhel_08_040285: true
+rhel_08_040290: true
+rhel_08_040320: true
+rhel_08_040330: true
+rhel_08_040340: true
+rhel_08_040341: true
+rhel_08_040350: true
+rhel_08_040370: true
+rhel_08_040380: true
 # CAT 3 rules
 rhel_08_010171: true
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 9cc4bf78..beacd003 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -4235,14 +4235,18 @@
 - dnf
 - sendmail
-- name: "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed."
+- name: |
+ "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed."
+ "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8."
 dnf:
 name: gssproxy
 state: absent
 when:
- - rhel_08_040003
+ - rhel_08_040003 or
+ rhel_08_040370
 tags:
 - RHEL-08-040003
+ - RHEL-08-040370
 - dnf
 - gssproxy
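Review bot: The merged gssproxy task now removes the package whenever either `rhel_08_040003` or `rhel_08_040370` is true, so an operator who sets `rhel_08_040370: false` because gssproxy is mission essential (the wording of the new control's own title) still has it removed through 040003; `rhel_08_040370` is enabled in the defaults/main.yml hunk above and 040003 is presumably on by default as well. A single documented exception would make the intent explicit, for example adding `- not rhel8stig_gssproxy_required` to the `when:` list (a new role default whose name is only a proposal here), mirroring the `rhel8stig_system_is_router` opt-out the sysctl tasks in this commit use. A short comment above the task, such as `# RHEL-08-040003 and RHEL-08-040370 are the same requirement; either toggle removes gssproxy`, would also help anyone grepping for the newer ID understand why there is no separate task.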
@@ -4702,172 +4706,674 @@
 - RHEL-08-040135
 - fapolicyd
-# ===========below here is old===========
-# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date."
-# dnf:
-# name: "*"
-# state: latest
-# when:
-# - not system_is_ec2
-# - rhel_08_010010
-# tags:
-# - RHEL-08-010010
+- name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection."
+ block:
+ - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard"
+ dnf:
+ name: usbguard
+ state: present
-# - name: |
-# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon."
-# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon"
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path""
-# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path""
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '(?i)^.*banner'
-# line: 'Banner /etc/issue'
+ - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. 
| Start/Enable service"
+ service:
+ name: usbguard
+ state: started
+ enabled: yes
+ when:
+ - rhel_08_040140
+ tags:
+ - RHEL-08-040140
+ - usbguard
-# - name: |
-# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message""
-# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message""
-# copy:
-# dest: /etc/issue
-# content: "{{ rhel8stig_logon_banner }}"
-# owner: root
-# group: root
-# mode: '0644'
-# notify: restart sshd
-# when:
-# # - not system_is_ec2
-# - rhel_08_010040 or
-# rhel_08_010060
-# tags:
-# - RHEL-08-010040
-# - RHEL-08-010060
+- name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces."
+ block:
+ - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables"
+ dnf:
+ name: nftables
+ state: present
-# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." 
-# copy:
-# dest: /etc/dconf/db/local.d/01-banner-message
-# content: |
-# [org/gnome/login-screen]
-# banner-message-enable=true
-# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}'
-# mode: '0644'
-# owner: root
-# group: root
-# vars:
-# newline: "\n"
-# notify: dconf update
-# when:
-# - rhel_08_010050
-# - rhel8stig_dconf_available
-# tags:
-# - RHEL-08-010050
+ - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables"
+ service:
+ name: nftables
+ state: started
+ enabled: yes
-# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored."
-# lineinfile:
-# path: /etc/rsyslog.d/50-default.conf
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# create: yes
-# mode: '0644'
-# notify: restart rsyslog
-# with_items:
-# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' }
-# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' }
-# when:
-# - rhel_08_010070
-# tags:
-# - RHEL-08-010070
+ - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. 
| Configure FirewallBackend"
+ lineinfile:
+ path: /etc/firewalld/firewalld.conf
+ regexp: '^FirewallBackend='
+ line: 'FirewallBackend=nftables'
+ when:
+ - rhel_08_040150
+ tags:
+ - RHEL-08-040150
+ - firewall
+ - nftables
-# - name: "MEDIUM | RHEL-08-010080 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections"
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '(?i)^Ciphers.*'
-# line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr
-# insertafter: '# Ciphers and keying'
-# notify: restart sshd
-# when:
-# - rhel_08_010080
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010080
-# - ssh
+- name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."
+ block:
+ - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server"
+ dnf:
+ name: openssh-server
+ state: present
-# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm.
-# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."
-# block:
-# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. 
| Get current certs"
-# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010090_certs_list
+ - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server"
+ service:
+ name: sshd
+ state: started
+ enabled: yes
+ when:
+ - rhel_08_040160
+ tags:
+ - rhel_08_040160
+ - ssh
-# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs"
-# debug:
-# msg:
-# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD"
-# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem"
-# - "{{ rhel_08_010090_certs_list.stdout_lines }}"
-# when:
-# - rhel_08_010090
-# tags:
-# - RHEL-08-010090
+- name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^RekeyLimit '
+ line: "RekeyLimit 1G 1h"
+ notify: restart sshd
+ when:
+ - rhel_08_040161
+ tags:
+ - RHEL-08-040161
+ - sshd
-# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key."
-# block:
-# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. 
| Create .ssh folder"
-# file:
-# path: "{{ rhel8stig_path_to_sshkey }}"
-# state: directory
-# mode: '0700'
+- name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client."
+ lineinfile:
+ path: /etc/ssh/ssh_config
+ regexp: '^RekeyLimit '
+ line: "RekeyLimit 1G 1h"
+ notify: restart sshd
+ when:
+ - rhel_08_040162
+ tags:
+ - RHEL-08-040162
+ - sshd
-# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair"
-# openssh_keypair:
-# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa"
-# when:
-# - rhel_08_010100
-# tags:
-# - RHEL-08-010100
+- name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8."
+ systemd:
+ name: debug-shell.service
+ state: stopped
+ enabled: no
+ masked: yes
+ daemon_reload: yes
+ when:
+ - rhel_08_040180
+ tags:
+ - RHEL-08-040180
+ - debug-shell
-# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm."
-# lineinfile:
-# path: /etc/login.defs
-# regexp: '^ENCRYPT_METHOD.*'
-# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}"
-# when:
-# - rhel_08_010110
-# tags:
-# - RHEL-08-010110
-# - login
+- name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted."
+ block:
+ - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
| Set accpet_redirects in sysctl"
+ sysctl:
+ name: "{{ item }}"
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+ with_items:
+ - net.ipv4.conf.default.accept_redirects
+ - net.ipv6.conf.default.accept_redirects
-# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords."
-# block:
-# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing"
-# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010120_non_fips_hashed_accounts
+ - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects default value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' }
+ - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' }
+ when:
+ - rhel_08_040210
+ tags:
+ - RHEL-08-040210
+ - icmp
-# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing"
-# command: "passwd -l {{ item }}"
-# with_items:
-# -"{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
-# when:
-# - rhel_08_010120_non_fips_hashed_accounts.stdout != ""
+- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects."
+ block:
+ - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. 
| Set send_redirects in sysctl"
+ sysctl:
+ name: net.ipv4.conf.all.send_redirects
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
-# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts"
-# debug:
-# msg:
-# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG"
-# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
-# when:
-# - not rhel8stig_disruption_high
-# - rhel_08_010120_non_fips_hashed_accounts.stdout != ""
-# when:
-# - rhel_08_010120
-# - rhel8stig_disruption_high
-# tags:
-# - RHEL-08-010120
-# - disruption_high
+ - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^net.ipv4.conf.all.send_redirects'
+ line: 'net.ipv4.conf.all.send_redirects=0'
+ when:
+ - rhel_08_040220
+ tags:
+ - RHEL-08-040220
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
+ block:
+ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast in sysctl"
+ sysctl:
+ name: net.ipv4.icmp_echo_ignore_broadcasts
+ state: present
+ value: '1'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+
+ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
| Set echo_ignore_broadcast default value to 1"
+ lineinfile:
+ name: /etc/sysctl.conf
+ regexp: '^net.ipv4.icmp_echo_ignore_broadcasts'
+ line: 'net.ipv4.icmp_echo_ignore_broadcasts=1'
+ when:
+ - rhel_08_040230
+ tags:
+ - RHEL-08-040230
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets."
+ block:
+ - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl"
+ sysctl:
+ name: "{{ item }}"
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+ with_items:
+ - net.ipv4.conf.all.accept_source_route
+ - net.ipv6.conf.all.accept_source_route
+
+ - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' }
+ - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' }
+ when:
+ - rhel_08_040240
+ tags:
+ - RHEL-08-040240
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default."
+ block:
+ - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl"
+ sysctl:
+ name: "{{ item }}"
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+ with_items:
+ - net.ipv4.conf.default.accept_source_route
+ - net.ipv6.conf.default.accept_source_route
+
+ - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. 
| Set conf.default accept_source_route value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' }
+ - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' }
+ when:
+ - rhel_08_040250
+ tags:
+ - RHEL-08-040250
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router."
+ block:
+ - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl"
+ sysctl:
+ name: "{{ item }}"
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+ with_items:
+ - net.ipv4.ip_forward
+ - net.ipv6.conf.all.forwarding
+
+ - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' }
+ - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' }
+
+ when:
+ - rhel_08_040260
+ - not rhel8stig_system_is_router
+ tags:
+ - RHEL-08-040260
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces."
+ block:
+ - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra in sysctl"
+ sysctl:
+ name: net.ipv6.conf.all.accept_ra
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload}}"
+
+ - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. 
| Set accept_ra value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^net.ipv6.conf.all.accept_ra'
+ line: 'net.ipv6.conf.all.accept_ra=0'
+ when:
+ - rhel_08_040261
+ - not rhel8stig_system_is_router
+ tags:
+ - RHEL-08-040261
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default."
+ block:
+ - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra in sysctl"
+ sysctl:
+ name: net.ipv6.conf.default.accept_ra
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+
+ - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^net.ipv6.conf.default.accept_ra'
+ line: 'net.ipv6.conf.default.accept_ra=0'
+ when:
+ - rhel_08_040262
+ - not rhel8stig_system_is_router
+ tags:
+ - RHEL-08-040262
+ - icmp
+
+- name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default."
+ block:
+ - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl"
+ sysctl:
+ name: net.ipv4.conf.default.send_redirects
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+
+ - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. 
| Set default.send_redirects value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^net.ipv4.conf.default.send_redirects'
+ line: 'net.ipv4.conf.default.send_redirects=0'
+ when:
+ - rhel_08_040270
+ tags:
+ - RHEL-08-040270
+ - icmp
+
+- name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages."
+ block:
+ - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl"
+ sysctl:
+ name: "{{ item }}"
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+ with_items:
+ - net.ipv4.conf.all.accept_redirects
+ - net.ipv6.conf.all.accept_redirects
+
+ - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' }
+ - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' }
+ when:
+ - rhel_08_040280
+ tags:
+ - RHEL-08-040280
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes."
+ lineinfile:
+ path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+ regexp: '^kernel.unprivileged_bpf_disabled'
+ line: 'kernel.unprivileged_bpf_disabled = 1'
+ notify: sysctl system
+ when:
+ - rhel_08_040281
+ tags:
+ - RHEL-08-040281
+ - sysctl
+
+- name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." 
+ lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.yama.ptrace_scope' + line: 'kernel.yama.ptrace_scope = 1' + notify: sysctl system + when: + - rhel_08_040282 + tags: + - RHEL-08-040282 + - sysctl + +- name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.kptr_restrict' + line: 'kernel.kptr_restrict = 1' + notify: sysctl system + when: + - rhel_08_040283 + tags: + - RHEL-08-040283 + - sysctl + +- name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^user.max_user_namespaces' + line: 'user.max_user_namespaces = 0' + notify: sysctl system + when: + - rhel_08_040284 + tags: + - RHEL-08-040284 + - sysctl + +- name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^net.ipv4.conf.all.rp_filter' + line: 'net.ipv4.conf.all.rp_filter = 1' + notify: sysctl system + when: + - rhel_08_040285 + tags: + - RHEL-08-040285 + - sysctl + +- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." + block: + - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." + command: rpm -q postfix + failed_when: no + check_mode: no + changed_when: no + register: rhel_08_040290_rpm_audit + + - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. 
| Set restriction" + command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" + check_mode: no + when: '"postfix-" in rhel_08_040290_rpm_audit.stdout' + when: + - rhel_08_040290 + tags: + - RHEL-08-040290 + +- name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." + package: + name: + - '@x11' + - xorg-11-server-common + state: absent + when: + - rhel_08_040320 + - not rhel8stig_gui + +- name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." + block: + - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" + shell: "ip link | grep -i promisc | cut -d ':' -f 2" + check_mode: no + failed_when: no + changed_when: rhel_08_040670_promisc_check.stdout != '' + ignore_errors: yes + register: rhel_08_040670_promisc_check + + - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" + shell: "ip link set dev {{ item }} promisc off" + with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" + when: + - rhel_08_040330 + - not rhel8stig_net_promisc_mode_required + tags: + - RHEL-08-040330 + +- name: "HIGH | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^.*X11Forwarding' + line: 'X11Forwarding yes' + create: yes + notify: restart sshd + when: + - rhel_08_040340 + - rhel8stig_ssh_required + tags: + - RHEL-08-040340 + - ssh + +- name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display." 
+ lineinfile: + path: /etc/ssh/sshd_config + regexp: '^X11UseLocalhost' + line: 'X11UseLocalhost yes' + when: + - rhel_08_040341 + tags: + - RHEL-08-040341 + - ssh + +- name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." + lineinfile: + path: /etc/xinetd.d/tftp + regexp: "(?i)^.*server_args.*=" + line: "\tserver_args\t\t= -s /var/lib/tftpboot" + insertafter: "\tserver\t\t\t=" + state: present + register: result + failed_when: + - result is failed + - result.rc != 257 + when: + - rhel_08_040350 + - rhel8stig_tftp_required + tags: + - RHEL-08-040350 + - tftp + +- name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." + dnf: + name: iprutils + state: absent + when: + - rhel_08_040380 + tags: + - RHEL-08-040380 + - iprutils + +- name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8." + dnf: + name: tuned + state: absent + when: + - rhel_08_040390 + tags: + - RHEL-08-040390 + - tuned + +# ===========below here is old=========== +# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." +# dnf: +# name: "*" +# state: latest +# when: +# - not system_is_ec2 +# - rhel_08_010010 +# tags: +# - RHEL-08-010010 + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." 
+# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" +# block: +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^.*banner' +# line: 'Banner /etc/issue' + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" +# copy: +# dest: /etc/issue +# content: "{{ rhel8stig_logon_banner }}" +# owner: root +# group: root +# mode: '0644' +# notify: restart sshd +# when: +# # - not system_is_ec2 +# - rhel_08_010040 or +# rhel_08_010060 +# tags: +# - RHEL-08-010040 +# - RHEL-08-010060 + +# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." 
+# copy: +# dest: /etc/dconf/db/local.d/01-banner-message +# content: | +# [org/gnome/login-screen] +# banner-message-enable=true +# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' +# mode: '0644' +# owner: root +# group: root +# vars: +# newline: "\n" +# notify: dconf update +# when: +# - rhel_08_010050 +# - rhel8stig_dconf_available +# tags: +# - RHEL-08-010050 + +# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." +# lineinfile: +# path: /etc/rsyslog.d/50-default.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# create: yes +# mode: '0644' +# notify: restart rsyslog +# with_items: +# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } +# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } +# when: +# - rhel_08_010070 +# tags: +# - RHEL-08-010070 + +# - name: "MEDIUM | RHEL-08-010080 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^Ciphers.*' +# line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr +# insertafter: '# Ciphers and keying' +# notify: restart sshd +# when: +# - rhel_08_010080 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010080 +# - ssh + +# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." +# block: +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. 
| Get current certs" +# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem +# changed_when: false +# failed_when: false +# register: rhel_08_010090_certs_list + +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" +# debug: +# msg: +# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" +# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" +# - "{{ rhel_08_010090_certs_list.stdout_lines }}" +# when: +# - rhel_08_010090 +# tags: +# - RHEL-08-010090 + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." +# block: +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" +# file: +# path: "{{ rhel8stig_path_to_sshkey }}" +# state: directory +# mode: '0700' + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" +# openssh_keypair: +# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" +# when: +# - rhel_08_010100 +# tags: +# - RHEL-08-010100 + +# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." 
+# lineinfile: +# path: /etc/login.defs +# regexp: '^ENCRYPT_METHOD.*' +# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" +# when: +# - rhel_08_010110 +# tags: +# - RHEL-08-010110 +# - login + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." +# block: +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" +# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' +# changed_when: false +# failed_when: false +# register: rhel_08_010120_non_fips_hashed_accounts + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" +# command: "passwd -l {{ item }}" +# with_items: +# -"{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" + +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" +# debug: +# msg: +# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" +# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - not rhel8stig_disruption_high +# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" +# when: +# - rhel_08_010120 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010120 +# - disruption_high # - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" # pamd: 
@@ -7944,327 +8450,327 @@ # - RHEL-08-040130 # - fapolicyd -- name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." - block: - - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" - dnf: - name: usbguard - state: present - - - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service" - service: - name: usbguard - state: started - enabled: yes - when: - - rhel_08_040140 - tags: - - RHEL-08-040140 - - usbguard - -- name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." - block: - - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" - dnf: - name: nftables - state: present +# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." +# block: +# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" +# dnf: +# name: usbguard +# state: present - - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables" - service: - name: nftables - state: started - enabled: yes +# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. 
| Start/Enable service" +# service: +# name: usbguard +# state: started +# enabled: yes +# when: +# - rhel_08_040140 +# tags: +# - RHEL-08-040140 +# - usbguard - - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" - lineinfile: - path: /etc/firewalld/firewalld.conf - regexp: '^FirewallBackend=' - line: 'FirewallBackend=nftables' - when: - - rhel_08_040150 - tags: - - RHEL-08-040150 - - firewall - - nftables +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." +# block: +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" +# dnf: +# name: nftables +# state: present -- name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." - block: - - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" - dnf: - name: openssh-server - state: present +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. 
| Start/Enable nftables" +# service: +# name: nftables +# state: started +# enabled: yes - - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" - service: - name: sshd - state: started - enabled: yes - when: - - rhel_08_040160 - tags: - - rhel_08_040160 - - ssh +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" +# lineinfile: +# path: /etc/firewalld/firewalld.conf +# regexp: '^FirewallBackend=' +# line: 'FirewallBackend=nftables' +# when: +# - rhel_08_040150 +# tags: +# - RHEL-08-040150 +# - firewall +# - nftables -- name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." - block: - - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - with_items: - - net.ipv4.conf.default.accept_redirects - - net.ipv6.conf.default.accept_redirects +# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." 
+# block: +# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" +# dnf: +# name: openssh-server +# state: present - - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects default value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } - - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } - when: - - rhel_08_040210 - tags: - - RHEL-08-040210 - - icmp +# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" +# service: +# name: sshd +# state: started +# enabled: yes +# when: +# - rhel_08_040160 +# tags: +# - rhel_08_040160 +# - ssh -- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." - block: - - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects in sysctl" - sysctl: - name: net.ipv4.conf.all.send_redirects - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" +# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." 
+# block: +# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.default.accept_redirects +# - net.ipv6.conf.default.accept_redirects - - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.all.send_redirects' - line: 'net.ipv4.conf.all.send_redirects=0' - when: - - rhel_08_040220 - tags: - - RHEL-08-040220 - - icmp +# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects default value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } +# - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } +# when: +# - rhel_08_040210 +# tags: +# - RHEL-08-040210 +# - icmp -- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." - block: - - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast in sysctl" - sysctl: - name: net.ipv4.icmp_echo_ignore_broadcasts - state: present - value: '1' - reload: "{{ rhel8stig_sysctl_reload }}" +# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." 
+# block: +# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects in sysctl" +# sysctl: +# name: net.ipv4.conf.all.send_redirects +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" - - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast default value to 1" - lineinfile: - name: /etc/sysctl.conf - regexp: '^net.ipv4.icmp_echo_ignore_broadcasts' - line: 'net.ipv4.icmp_echo_ignore_broadcasts=1' - when: - - rhel_08_040230 - tags: - - RHEL-08-040230 - - icmp +# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv4.conf.all.send_redirects' +# line: 'net.ipv4.conf.all.send_redirects=0' +# when: +# - rhel_08_040220 +# tags: +# - RHEL-08-040220 +# - icmp -- name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets." - block: - - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - with_items: - - net.ipv4.conf.all.accept_source_route - - net.ipv6.conf.all.accept_source_route +# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." +# block: +# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
| Set echo_ignore_broadcast in sysctl" +# sysctl: +# name: net.ipv4.icmp_echo_ignore_broadcasts +# state: present +# value: '1' +# reload: "{{ rhel8stig_sysctl_reload }}" - - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } - - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } - when: - - rhel_08_040240 - tags: - - RHEL-08-040240 - - icmp +# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast default value to 1" +# lineinfile: +# name: /etc/sysctl.conf +# regexp: '^net.ipv4.icmp_echo_ignore_broadcasts' +# line: 'net.ipv4.icmp_echo_ignore_broadcasts=1' +# when: +# - rhel_08_040230 +# tags: +# - RHEL-08-040230 +# - icmp -- name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default." - block: - - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - with_items: - - net.ipv4.conf.default.accept_source_route - - net.ipv6.conf.default.accept_source_route +# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets." +# block: +# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. 
| Set conf.all accept_source_route in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.all.accept_source_route +# - net.ipv6.conf.all.accept_source_route - - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } - - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } - when: - - rhel_08_040250 - tags: - - RHEL-08-040250 - - icmp +# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } +# - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } +# when: +# - rhel_08_040240 +# tags: +# - RHEL-08-040240 +# - icmp -- name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router." - block: - - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - with_items: - - net.ipv4.ip_forward - - net.ipv6.conf.all.forwarding +# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default." 
+# block: +# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.default.accept_source_route +# - net.ipv6.conf.default.accept_source_route - - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' } - - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' } +# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } +# - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } +# when: +# - rhel_08_040250 +# tags: +# - RHEL-08-040250 +# - icmp - when: - - rhel_08_040260 - - not rhel8stig_system_is_router - tags: - - RHEL-08-040260 - - icmp +# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router." +# block: +# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. 
| Set ip_forward in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.ip_forward +# - net.ipv6.conf.all.forwarding -- name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." - block: - - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl" - sysctl: - name: net.ipv4.conf.default.send_redirects - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" +# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' } +# - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' } - - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.default.send_redirects' - line: 'net.ipv4.conf.default.send_redirects=0' - when: - - rhel_08_040270 - tags: - - RHEL-08-040270 - - icmp +# when: +# - rhel_08_040260 +# - not rhel8stig_system_is_router +# tags: +# - RHEL-08-040260 +# - icmp -- name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." - block: - - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. 
| Set all.accept_redirects in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - with_items: - - net.ipv4.conf.all.accept_redirects - - net.ipv6.conf.all.accept_redirects +# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." +# block: +# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl" +# sysctl: +# name: net.ipv4.conf.default.send_redirects +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" - - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" - lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } - - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } - when: - - rhel_08_040280 - tags: - - RHEL-08-040280 - - icmp +# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv4.conf.default.send_redirects' +# line: 'net.ipv4.conf.default.send_redirects=0' +# when: +# - rhel_08_040270 +# tags: +# - RHEL-08-040270 +# - icmp -- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." - block: - - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." 
- command: rpm -q postfix - failed_when: no - check_mode: no - changed_when: no - register: rhel_08_040290_rpm_audit +# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." +# block: +# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.all.accept_redirects +# - net.ipv6.conf.all.accept_redirects - - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction" - command: "/usr/sbin/postconf -n smtpd_client_restrictions" - check_mode: no - changed_when: no - register: rhel_08_040290_postconf_audit - when: rhel_08_040290_rpm_audit.rc == 0 +# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } +# - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } +# when: +# - rhel_08_040280 +# tags: +# - RHEL-08-040280 +# - icmp - - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. 
| Set reject" - command: "/usr/sbin/postconf -e 'smtpd_client_restrictions=permit_mynetworks, reject'" - when: - - rhel_08_040290_rpm_audit.rc == 0 - - rhel_08_040290_postconf_audit.stdout != 'smtpd_client_restrictions = permit_mynetworks, reject' - when: - - rhel_08_040290 - tags: - - RHEL-08-040290 +# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." +# block: +# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." +# command: rpm -q postfix +# failed_when: no +# check_mode: no +# changed_when: no +# register: rhel_08_040290_rpm_audit -- name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." - dnf: - name: - -@x11 - - xorg-11-server-common - state: absent - when: - - rhel_08_040320 - - not rhel8stig_gui +# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction" +# command: "/usr/sbin/postconf -n smtpd_client_restrictions" +# check_mode: no +# changed_when: no +# register: rhel_08_040290_postconf_audit +# when: rhel_08_040290_rpm_audit.rc == 0 -- name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." - block: - - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" - shell: "ip link | grep -i promisc | cut -d ':' -f 2" - check_mode: no - failed_when: no - changed_when: rhel_08_040670_promisc_check.stdout != '' - ignore_errors: yes - register: rhel_08_040670_promisc_check +# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. 
| Set reject" +# command: "/usr/sbin/postconf -e 'smtpd_client_restrictions=permit_mynetworks, reject'" +# when: +# - rhel_08_040290_rpm_audit.rc == 0 +# - rhel_08_040290_postconf_audit.stdout != 'smtpd_client_restrictions = permit_mynetworks, reject' +# when: +# - rhel_08_040290 +# tags: +# - RHEL-08-040290 - - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" - shell: "ip link set dev {{ item }} promisc off" - with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" - when: - - rhel_08_040330 - - not rhel8stig_net_promisc_mode_required - tags: - - RHEL-08-040330 +# - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." +# dnf: +# name: +# -@x11 +# - xorg-11-server-common +# state: absent +# when: +# - rhel_08_040320 +# - not rhel8stig_gui -- name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." - lineinfile: - path: /etc/xinetd.d/tftp - regexp: "(?i)^.*server_args.*=" - line: "\tserver_args\t\t= -s /var/lib/tftpboot" - insertafter: "\tserver\t\t\t=" - state: present - register: result - failed_when: - - result is failed - - result.rc != 257 - when: - - rhel_08_040350 - - rhel8stig_tftp_required - tags: - - RHEL-08-040350 \ No newline at end of file +# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." +# block: +# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" +# shell: "ip link | grep -i promisc | cut -d ':' -f 2" +# check_mode: no +# failed_when: no +# changed_when: rhel_08_040670_promisc_check.stdout != '' +# ignore_errors: yes +# register: rhel_08_040670_promisc_check + +# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. 
| Set promiscuous mode" +# shell: "ip link set dev {{ item }} promisc off" +# with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" +# when: +# - rhel_08_040330 +# - not rhel8stig_net_promisc_mode_required +# tags: +# - RHEL-08-040330 + +# - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." +# lineinfile: +# path: /etc/xinetd.d/tftp +# regexp: "(?i)^.*server_args.*=" +# line: "\tserver_args\t\t= -s /var/lib/tftpboot" +# insertafter: "\tserver\t\t\t=" +# state: present +# register: result +# failed_when: +# - result is failed +# - result.rc != 257 +# when: +# - rhel_08_040350 +# - rhel8stig_tftp_required +# tags: +# - RHEL-08-040350 \ No newline at end of file diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 4f9d7612..76f36683 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -335,4 +335,10 @@ rhel_08_010373 or rhel_08_010374 or rhel_08_010375 or - rhel_08_010376 \ No newline at end of file + rhel_08_010376 or + rhel_08_040280 or + rhel_08_040281 or + rhel_08_040282 or + rhel_08_040283 or + rhel_08_040284 or + rhel_08_040285 \ No newline at end of file From ba666cf5ce67471ae0f45abe0b5429cac316f582 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 15 Jan 2021 13:41:18 -0500 Subject: [PATCH 13/15] Added 040390 and implemented 010580 Signed-off-by: George Nalen --- defaults/main.yml | 3 ++- tasks/fix-cat2.yml | 54 ++++++++++++++++++++++++++++++++++++---------- 2 files changed, 45 insertions(+), 12 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2c26062c..b4f6736f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -7,7 +7,7 @@ rhel8stig_report_dir: /tmp rhel8stig_cat1_patch: true rhel8stig_cat2_patch: true -rhel8stig_cat3_patch: false +rhel8stig_cat3_patch: true # We've defined complexity-high to mean that we cannot automatically remediate # the rule in question. In the future this might mean that the remediation @@ -380,6 +380,7 @@ rhel_08_040341: true rhel_08_040350: true rhel_08_040370: true rhel_08_040380: true +rhel_08_040390: true # CAT 3 rules rhel_08_010171: true diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index beacd003..40237186 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -1014,9 +1014,43 @@ - boot - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." - command: /bin/true - changed_when: false - failed_when: false + block: + - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" + shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' + changed_when: no + check_mode: no + register: rhel8stig_010580_mounts_nodev + + - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results" + set_fact: + rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev .stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}" + + with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}" + vars: + ld_mount_regex: >- + ^(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*) + ld_mount_yaml: | + device: >-4 + \g + mpoint: >-4 + \g + fs: >-4 + \g + opts: >-4 + \g + + - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value" + mount: + path: "{{ item.mpoint }}" + state: mounted + src: "{{ item.device }}" + fstype: "{{ item.fs }}" + opts: "{{ item.opts }},nodev" + with_items: + - "{{ rhel8stig_010580_mounts }}" + when: + - item.device != "/" + - "'odev' not in item.opts" when: - rhel_08_010580 tags: 
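Review bot: The root-partition guard on the `Set value` task, `item.device != "/"`, compares the device column (`/dev/...`) with `/` and so can never match; root is only excluded by the `on /\S` pattern in the shell pipeline, and the condition should read `- item.mpoint != "/"` to make that intent explicit. The option string fed back through `mount: state: mounted` comes from `mount` output, i.e. the kernel's effective flags (`seclabel`, `relatime`, …) rather than the configured fstab entry, so the rewritten `/etc/fstab` line will no longer match what the operator set and may carry options that were never meant for fstab; the 010590 task in this file already works from `ansible_mounts`, and reading the fstab entry (or at least documenting that this task rewrites it) would be safer. The `with_items` on the `Split results` `set_fact` re-assigns the full list once per output line and can be dropped. `"'odev' not in item.opts"` reads like a typo for `nodev` and is already guaranteed by the `grep --invert-match 'nodev'`.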
@@ -1026,11 +1060,11 @@ - name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories." mount: - path: /home - state: mounted - src: "{{ home_mount.device }}" - fstype: "{{ home_mount.fstype }}" - opts: "{{ home_mount.options }},noexec" + path: /home + state: mounted + src: "{{ home_mount.device }}" + fstype: "{{ home_mount.fstype }}" + opts: "{{ home_mount.options }},noexec" when: - rhel_08_010590 - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 @@ -5118,9 +5152,7 @@ - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." package: - name: - - '@x11' - - xorg-11-server-common + name: xorg-x11-server-common state: absent when: - rhel_08_040320 From 5007c712dc62785711937ed1dd4850d93c9b23da Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 15 Jan 2021 16:27:42 -0500 Subject: [PATCH 14/15] Final cleanup for sync with v1.0 of RHEL8 STIG release Signed-off-by: George Nalen --- README.md | 2 +- defaults/main.yml | 25 +- tasks/fix-cat1.yml | 129 -- tasks/fix-cat2.yml | 3576 +------------------------------------------- tasks/fix-cat3.yml | 115 -- 5 files changed, 8 insertions(+), 3839 deletions(-) diff --git a/README.md b/README.md index 727b9f73..d8721946 100644 --- a/README.md +++ b/README.md 
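Review bot: Correcting the name to `xorg-x11-server-common` turns what was a no-op (the old `xorg-11-server-common` matched no package) into a removal that dnf will extend to everything depending on the X server, which on a host with GNOME installed is the whole desktop stack; this task is now disruptive in a way it was not before. The `when` list continues outside the hunk, so I cannot confirm it still includes `not rhel8stig_gui`; it should, and the task deserves a comment such as `# Removes the X server and, via dependencies, any installed desktop; only runs when rhel8stig_gui is false`. Dropping the `@x11` group also narrows the removal to the single package the STIG names, which is worth a one-line note so nobody re-adds the group.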
@@ -5,7 +5,7 @@ RHEL 8 DISA STIG Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`. -This role is based on RHEL 8 DISA STIG: [Version 1, Rel .01 released on May 11, 2020](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R0-1_IDraftSTIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 1 released on January 5, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R1_STIG.zip). Requirements ------------ diff --git a/defaults/main.yml b/defaults/main.yml index b4f6736f..6a30c7b5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -49,18 +49,13 @@ system_is_ec2: false # CAT 1 rules rhel_08_010000: true rhel_08_010020: true -# rhel_08_010030: true rhel_08_010140: true rhel_08_010150: true -# rhel_08_010170: true - Moved to cat2 rhel_08_010370: true rhel_08_010371: true rhel_08_010460: true -# rhel_08_010450: true -# rhel_08_010460: true rhel_08_010470: true rhel_08_010820: true -# rhel_08_010830: true rhel_08_020330: true rhel_08_040000: true rhel_08_040010: true @@ -68,10 +63,8 @@ rhel_08_040060: true rhel_08_040170: true rhel_08_040171: true rhel_08_040172: true -# rhel_08_040180: true rhel_08_040190: true rhel_08_040200: true -# rhel_08_040340: true rhel_08_040360: true # CAT 2 rules @@ -81,7 +74,6 @@ rhel_08_010040: true rhel_08_010050: true rhel_08_010060: true rhel_08_010070: true -# rhel_08_010080: true rhel_08_010090: true rhel_08_010100: true rhel_08_010110: true @@ -101,8 +93,6 @@ rhel_08_010230: true rhel_08_010240: true rhel_08_010250: true rhel_08_010260: true -# rhel_08_010270: true -# rhel_08_010280: true rhel_08_010290: true rhel_08_010291: true rhel_08_010293: true 
@@ -119,7 +109,6 @@ rhel_08_010372: true rhel_08_010373: true rhel_08_010374: true # !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO (380/381) -# below set to false when running, don't change back to true after testing rhel_08_010380: false rhel_08_010381: false rhel_08_010390: true @@ -158,9 +147,7 @@ rhel_08_010672: true rhel_08_010673: true rhel_08_010674: true rhel_08_010675: true -# below set to false when running, don't change back after testing -rhel_08_010680: false -# check to make sure I'm doing this one right +rhel_08_010680: true rhel_08_010690: true rhel_08_010700: true rhel_08_010710: true @@ -173,7 +160,6 @@ rhel_08_010770: true rhel_08_010780: true rhel_08_010790: true rhel_08_010800: true -# rhel_08_010810: false rhel_08_010830: true rhel_08_020000: true rhel_08_020010: true @@ -311,7 +297,6 @@ rhel_08_030610: true rhel_08_030620: true rhel_08_030630: true rhel_08_030640: true -# !!!!!!!!!---------- handlers are overwriting the config change for this item rhel_08_030650: true rhel_08_030660: true rhel_08_030670: true @@ -327,8 +312,6 @@ rhel_08_040002: true rhel_08_040003: true rhel_08_040020: true rhel_08_040030: true -# rhel_08_040040: false -# rhel_08_040050: false rhel_08_040070: true rhel_08_040080: true rhel_08_040090: true @@ -389,11 +372,9 @@ rhel_08_010375: true rhel_08_010376: true rhel_08_010440: true rhel_08_010471: true -# rhel_08_010530: true rhel_08_010540: true rhel_08_010541: true rhel_08_010542: true -# rhel_08_020020: true rhel_08_020024: true rhel_08_020042: true rhel_08_020340: true @@ -664,8 +645,8 @@ rhel8stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount" # RHEL-08-010680 rhel8stig_dns_servers: - - 9.9.9.9 - - 149.112.112.112 + - 8.8.8.8 + - 8.8.4.4 rhel8stig_int_gid: 1000 diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index ac9917b7..f4aaddfd 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
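Review bot: `rhel_08_010380` and `rhel_08_010381` are still shipped as `false` in a commit described as the final cleanup, with the `CHANGE TO TRUE BEFORE FINALIZATION` banner left in place; as defaults these silently skip the two sudo-authentication controls (per the banner's own description) on every host the role runs against. If the only reason is the Vagrant test user, set both to `true` here and override them in the test inventory instead, replacing the banner with something like `# 010380/010381 change sudo authentication; override to false only in test inventories where the vagrant user has no password`. The other changes in this hunk are comment removals only.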
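Review bot: The 010680 default resolvers move from Quad9 to Google's `8.8.8.8`/`8.8.4.4`, but any hard-coded public resolver is a questionable default for a STIG role: the values are site-specific, and a default that quietly points DoD hosts at an external DNS provider is worse than none. Consider shipping an empty list and having the 010680 task fail with a clear message when it is unset, or at minimum add `# Site-specific: replace with the approved enterprise resolvers before running this role` above the list. I cannot see the task that consumes this variable; its use is inferred from the `# RHEL-08-010680` marker.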
@@ -416,132 +416,3 @@ tags: - RHEL-08-040360 - ftp - -#=============old below this line - -# - name: "HIGH | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." -# block: -# - name: "HIGH | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout" -# command: lsblk -# changed_when: false -# failed_when: false -# register: rhel_08_010030_partition_layout - -# - name: "HIGH | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning" -# debug: -# msg: -# - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm' -# - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding" -# - "{{ rhel_08_010030_partition_layout.stdout_lines }}" - -# when: rhel_08_010030 -# tags: -# - RHEL-08-010030 - - -# - name: | -# "HIGH | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services." -# "HIGH | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." -# selinux: -# state: enforcing -# policy: targeted -# check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" -# notify: reboot system -# when: -# - rhel_08_010170 or rhel_08_010450 -# - not rhel8stig_system_is_container -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010170 -# - RHEL-08-010450 -# - selinux -# - disruption_high - -# - name: "HIGH | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed." 
-# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: ^PermitUserEnvironment -# line: 'PermitUserEnvironment no' -# notify: restart sshd -# when: -# - rhel_08_010830 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010830 -# - disruption_high -# -# - name: "HIGH | RHEL-08-040180 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." -# copy: -# dest: /etc/dconf/db/local.d/00-disable-CAD -# content: | -# [org/gnome/settings-daemon/plugins/media-keys] -# logout='' -# mode: '0644' -# notify: dconf update -# when: -# - rhel_08_040180 -# - rhel8stig_dconf_available -# tags: -# - RHEL-08-040180 - -# - name: "HIGH | RHEL-08-040190 | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." -# dnf: -# name: tftp-server -# state: absent -# when: -# - rhel_08_040190 -# - not rhel8stig_tftp_required -# tags: -# - RHEL-08-040190 -# - tftp - -# - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system." -# block: -# - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0" -# shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" -# changed_when: false -# failed_when: false -# register: rhel_08_040200_nonroot_uid - -# - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0" -# command: "passwd -l {{ item }}" -# with_items: -# - "{{ rhel_08_040200_nonroot_uid.stdout_lines }}" -# when: rhel_08_040200_nonroot_uid.stdout != "" - -# - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. 
| Display accounts that were locked" -# debug: -# msg: -# - "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user" -# - " {{ rhel_08_040200_nonroot_uid.stdout_lines }}" -# when: rhel_08_040200_nonroot_uid.stdout != "" -# when: -# - rhel_08_040200 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-040200 -# - disruption_high - -# - name: "HIGH | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '^.*X11Forwarding' -# line: 'X11Forwarding yes' -# create: yes -# notify: restart sshd -# when: -# - rhel_08_040340 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-040340 -# - ssh - -# - name: "HIGH | RHEL-08-040360 | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." -# dnf: -# name: vsftpd -# state: absent -# when: -# - rhel_08_040360 -# tags: -# - RHEL-08-040360 -# - ftp \ No newline at end of file diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 40237186..930fc68a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1023,7 +1023,7 @@ - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results" set_fact: - rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev .stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}" + rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}" vars: @@ -1038,6 +1038,7 @@ \g opts: >-4 \g + when: rhel8stig_010580_mounts_nodev.stdout != "" - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value" mount: 
@@ -1047,10 +1048,11 @@ fstype: "{{ item.fs }}" opts: "{{ item.opts }},nodev" with_items: - - "{{ rhel8stig_010580_mounts }}" + - "{{ rhel8stig_010580_mounts | default([]) }}" when: - item.device != "/" - "'odev' not in item.opts" + - rhel8stig_010580_mounts_nodev.stdout != "" when: - rhel_08_010580 tags: @@ -1430,7 +1432,6 @@ tags: - RHEL-08-010680 -# I can't figure what is needed here. It looks simple but the fix doesn't show enough details to fill in the gaps of what's needed. - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." block: - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files" @@ -2480,7 +2481,6 @@ tags: - RHEL-08-020080 -# Need to figure out real location of the sssd.conf. STIG and internet say /etc/sssd/sssd.conf but on the test system it's in /usr/lib64/sssd/conf/sssd.conf. Also need some default values/variables - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." lineinfile: path: "{{ rhel8stig_sssd_conf.stdout }}" @@ -3185,7 +3185,6 @@ failed_when: false register: rhel_08_030120_audit_log_dir - # I have this item set to 750, setting to 600 will not allow auditd to work - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms" file: path: "{{ rhel_08_030120_audit_log_dir.stdout }}" 
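Review bot: Removing the `I have this item set to 750...` comment deletes the only record of why 030120 may apply a mode other than the STIG's 0700 to the audit log directory; the `mode:` line itself is outside the hunk, so I cannot tell whether 0750 is still what is set. If it is, keep the rationale next to it, e.g. `# NOTE: 0750 rather than 0700 — stricter modes were observed to stop auditd writing; documented deviation from RHEL-08-030120`, so the deviation is visible to auditors rather than looking like an oversight. If the task now sets 0700, a short comment confirming auditd was verified with that mode is still worth adding.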
@@ -5239,3570 +5238,3 @@ tags: - RHEL-08-040390 - tuned - -# ===========below here is old=========== -# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." -# dnf: -# name: "*" -# state: latest -# when: -# - not system_is_ec2 -# - rhel_08_010010 -# tags: -# - RHEL-08-010010 - -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" -# block: -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^.*banner' -# line: 'Banner /etc/issue' - -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. 
| Set banner message"" -# copy: -# dest: /etc/issue -# content: "{{ rhel8stig_logon_banner }}" -# owner: root -# group: root -# mode: '0644' -# notify: restart sshd -# when: -# # - not system_is_ec2 -# - rhel_08_010040 or -# rhel_08_010060 -# tags: -# - RHEL-08-010040 -# - RHEL-08-010060 - -# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." -# copy: -# dest: /etc/dconf/db/local.d/01-banner-message -# content: | -# [org/gnome/login-screen] -# banner-message-enable=true -# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' -# mode: '0644' -# owner: root -# group: root -# vars: -# newline: "\n" -# notify: dconf update -# when: -# - rhel_08_010050 -# - rhel8stig_dconf_available -# tags: -# - RHEL-08-010050 - -# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." -# lineinfile: -# path: /etc/rsyslog.d/50-default.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# create: yes -# mode: '0644' -# notify: restart rsyslog -# with_items: -# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } -# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } -# when: -# - rhel_08_010070 -# tags: -# - RHEL-08-010070 - -# - name: "MEDIUM | RHEL-08-010080 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^Ciphers.*' -# line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr -# insertafter: '# Ciphers and keying' -# notify: restart sshd -# when: -# - rhel_08_010080 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010080 -# - ssh - -# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. 
-# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." -# block: -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" -# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem -# changed_when: false -# failed_when: false -# register: rhel_08_010090_certs_list - -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" -# debug: -# msg: -# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" -# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" -# - "{{ rhel_08_010090_certs_list.stdout_lines }}" -# when: -# - rhel_08_010090 -# tags: -# - RHEL-08-010090 - -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." -# block: -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" -# file: -# path: "{{ rhel8stig_path_to_sshkey }}" -# state: directory -# mode: '0700' - -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. 
| Create key pair" -# openssh_keypair: -# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" -# when: -# - rhel_08_010100 -# tags: -# - RHEL-08-010100 - -# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." -# lineinfile: -# path: /etc/login.defs -# regexp: '^ENCRYPT_METHOD.*' -# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" -# when: -# - rhel_08_010110 -# tags: -# - RHEL-08-010110 -# - login - -# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." -# block: -# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" -# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' -# changed_when: false -# failed_when: false -# register: rhel_08_010120_non_fips_hashed_accounts - -# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" -# command: "passwd -l {{ item }}" -# with_items: -# -"{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" -# when: -# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" - -# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" -# debug: -# msg: -# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. 
Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" -# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" -# when: -# - not rhel8stig_disruption_high -# - rhel_08_010120_non_fips_hashed_accounts.stdout != "" -# when: -# - rhel_08_010120 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010120 -# - disruption_high - -# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" -# pamd: -# name: "{{ item }}" -# type: password -# control: sufficient -# module_path: pam_unix.so -# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" -# state: args_present -# with_items: -# - password-auth -# - system-auth -# when: -# - rhel_08_010130 -# tags: -# - RHEL-08-010130 - -# - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument" -# pamd: -# name: "{{ item }}" -# type: password -# control: sufficient -# module_path: pam_unix.so -# module_arguments: sha512 -# state: args_present -# with_items: -# - password-auth -# - system-auth -# when: -# - rhel_08_010160 -# tags: -# - RHEL-08-010160 - -# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources." -# block: -# - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root" -# shell: "find / ! 
-user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'" -# changed_when: false -# failed_when: false -# register: rhel_08_010180_public_not_root_owned - -# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders" -# file: -# path: "{{ item }}" -# owner: root -# group: root -# with_items: -# - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}" -# when: -# - rhel_08_010180 -# tags: -# - RHEL-08-010180 - -# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." -# block: -# - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" -# shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" -# changed_when: false -# failed_when: false -# register: rhel_08_010190_world_writable_files - -# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" -# file: -# path: "{{ item }}" -# mode: '1777' -# with_items: -# - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" -# when: -# - rhel_08_010190 -# tags: -# - RHEL-08-010190 - -# - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." 
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# notify: restart sshd
-# with_items:
-# - { regexp: '^.*ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'}
-# - { regexp: '^.*ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' }
-# when:
-# - rhel_08_010200
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010200
-# - ssh
-
-# - name: |
-# "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive."
-# "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root."
-# "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root."
-# file:
-# path: /var/log/messages
-# owner: root
-# group: root
-# mode: '0640'
-# when:
-# - rhel_08_010210 or
-# rhel_08_010220 or
-# rhel_08_010230
-# tags:
-# - RHEL-08-010210
-# - RHEL-08-010220
-# - RHEL-08-010230
-
-# - name: |
-# "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0770 or less permissive."
-# "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root."
-# "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root."
-# file:
-# path: /var/log
-# owner: root
-# group: root
-# mode: '0770'
-# when:
-# - rhel_08_010240 or
-# rhel_08_010250 or
-# rhel_08_010260
-# tags:
-# - RHEL-08-010240
-# - RHEL-08-010250
-# - RHEL-08-010260
-
-# - name: |
-# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive."
-# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root."
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Find audit log files"
-# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. 
| Find audit log files"
-# shell: cat /etc/audit/auditd.conf | grep "^log_file " | cut -f2 -d= | sed 's/^[ \t]*//;s/[ \t]*$//'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010270_audit_log_location
-
-# # I have this set to 750 since 600 is too restrictive for auditd to work
-# - name: |
-# "MEDIUM | RHEL-08-010270 | PATCH | The audit log files in RHEL 8 must have mode 0600 or less permissive. | Set permissions"
-# "MEDIUM | RHEL-08-010280 | PATCH | RHEL 8 audit log files must be owned by root. | Set permissions"
-# file:
-# path: "{{ rhel_08_010270_audit_log_location.stdout }}"
-# owner: root
-# mode: '0750'
-# when:
-# - rhel_08_010270 or
-# rhel_08_010280
-# tags:
-# - RHEL-08-010270
-# - RHEL-08-010280
-
-# - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms."
-# block:
-# - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state"
-# command: fips-mode-setup --check
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010290_pre_fips_check
-
-# - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS"
-# command: fips-mode-setup --enable
-# register: rhel_08_010290_fips_enable
-# notify: reboot system
-# when: '"disabled" in rhel_08_010290_pre_fips_check.stdout'
-# when:
-# - rhel_08_010290
-# tags:
-# - RHEL-08-010290
-# - FIPS
-
-# - name: |
-# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive."
-# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root."
-# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root."
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive"
-# "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root"
-# "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root"
-# shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010300_commands
-
-# - name: |
-# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions"
-# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions"
-# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. | Set permissions"
-# file:
-# path: "{{ item }}"
-# owner: root
-# group: root
-# mode: '0755'
-# force: yes
-# with_items:
-# - "{{ rhel_08_010300_commands.stdout_lines }}"
-# when:
-# - rhel_08_010300 or
-# rhel_08_010310 or
-# rhel_08_010320
-# tags:
-# - RHEL-08-010300
-# - RHEL-08-010310
-# - RHEL-08-010320
-
-# - name: |
-# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive."
-# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root."
-# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root."
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less"
-# "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. 
| Get library files not owned by root"
-# "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root"
-# shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010330_library_files
-
-# - name: |
-# "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less"
-# "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root"
-# "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root"
-# file:
-# path: "{{ item }}"
-# owner: root
-# group: root
-# mode: '0755'
-# with_items:
-# - "{{ rhel_08_010330_library_files.stdout_lines }}"
-# when:
-# - rhel_08_010330 or
-# rhel_08_010340 or
-# rhel_08_010350
-# tags:
-# - RHEL-08-010330
-# - RHEL-08-010340
-# - RHEL-08-010350
-
-# - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency."
-# cron:
-# name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}'
-# user: "{{ rhel8stig_aide_cron.user }}"
-# cron_file: "{{ rhel8stig_aide_cron.cron_file }}"
-# job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}"
-# minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and
-# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) |
-# ternary('0', omit)) | default(omit) }}"
-# hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and
-# rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) |
-# ternary('0', omit)) | default(omit) }}"
-# weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and
-# rhel8stig_aide_cron.special_time in ['weekly']) |
-# ternary('0', omit)) | default(omit) }}"
-# day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and
-# rhel8stig_aide_cron.special_time in ['monthly']) |
-# ternary('1', omit)) | default(omit) }}"
-# special_time: "{{ (rhel8stig_cron_special_disable and
-# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) |
-# ternary(omit, rhel8stig_aide_cron.special_time) }}"
-# when:
-# - rhel_08_010360
-# - rhel8stig_disruption_high
-# tags:
-# - RHEL-08-010360
-# - aide
-
-# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation and changing roles."
-# block:
-# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation and changing roles. | Remove NOPASSWD"
-# replace:
-# path: "{{ item }}"
-# regexp: '^([^#].*)NOPASSWD(.*)'
-# replace: '\1PASSWD\2'
-# with_items:
-# - "{{ rhel8stig_sudoers_files.stdout_lines }}"
-
-# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation and changing roles. 
| Remove !authenticate"
-# replace:
-# path: "{{ item }}"
-# regexp: '^([^#].*)!authenticate(.*)'
-# replace: '\1authenticate\2'
-# with_items:
-# - "{{ rhel8stig_sudoers_files.stdout_lines }}"
-# when:
-# - rhel_08_010380
-# - rhel8stig_using_password_auth
-# tags:
-# - RHEL-08-010380
-# - sudoers
-
-# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed."
-# block:
-# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages"
-# dnf:
-# name: esc
-# state: present
-# when: rhel8stig_gui
-
-# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages"
-# dnf:
-# name: openssl-pkcs11
-# state: present
-# when:
-# - rhel_08_010390
-# tags:
-# - RHEL-08-010390
-# - multifactor
-
-# - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication."
-# # block:
-# # - name: "MEDIUM | RHEL-08-010400 | AUDIT | RHEL 8 must implement certificate status checking for multifactor authentication | Find sssd_config location."
-# # shell: find / -name sssd.conf
-# # changed_when: false
-# # failed_when: false
-# # register: rhel_08_010400_sssd_config
-
-# # - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication | Set certificate_verification."
-# lineinfile:
-# path: '{{ rhel8stig_sssd_conf.stdout }}'
-# regexp: '^certificate_verification = {{ item }}'
-# state: absent
-# with_items:
-# - 'no_ocsp, no_verification'
-# - no_ocsp
-# - no_verification
-# notify: restart sssd
-# when:
-# - rhel_08_010400
-# tags:
-# - RHEL-08-010400
-
-# - name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials."
-# dnf:
-# name: opensc
-# state: present
-# when:
-# - rhel_08_010410
-# tags:
-# - RHEL-08-010410
-
-# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution."
-# block:
-# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state"
-# shell: dmesg |grep "NX ("
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010420_nx_bit_state
-
-# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set"
-# debug:
-# msg:
-# - "Good News! You are setup with execute disable active."
-# when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout'
-
-# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set"
-# debug:
-# msg:
-# - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings"
-# when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout'
-# when:
-# - rhel_08_010420
-# tags:
-# - RHEL-08-010420
-
-# - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution."
-# sysctl:
-# name: kernel.randomize_va_space
-# value: '2'
-# state: present
-# reload: "{{ rhel8stig_sysctl_reload }}"
-# sysctl_set: yes
-# ignoreerrors: yes
-# when:
-# - rhel_08_010430
-# tags:
-# - RHEL-08-010430
-# - sysctl
-
-# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive."
-# block:
-# - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. 
| Find files"
-# find:
-# paths: /etc/ssh
-# recurse: yes
-# file_type: file
-# patterns: 'ssh_host*_key.pub'
-# hidden: true
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010480_public_files
-
-# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions"
-# file:
-# path: "{{ item.path }}"
-# mode: '0644'
-# with_items:
-# - "{{ rhel_08_010480_public_files.files }}"
-# notify: restart sshd
-# when:
-# - rhel_08_010480
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010480
-# - ssh
-
-# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0600 or less permissive."
-# block:
-# - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files"
-# find:
-# paths: /etc/ssh
-# recurse: yes
-# file_type: file
-# patterns: 'ssh_host*key'
-# hidden: true
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010490_private_host_key_files
-
-# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Set permissions"
-# file:
-# path: "{{ item.path }}"
-# mode: '0600'
-# with_items:
-# - "{{ rhel_08_010490_private_host_key_files.files }}"
-# notify: restart sshd
-# when:
-# - rhel_08_010490
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010490
-# - ssh
-
-# - name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '#StrictModes.(yes|no)|StrictModes.(yes|no)'
-# line: 'StrictModes yes'
-# notify: restart sshd
-# when:
-# - rhel_08_010500
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010500
-# - ssh
-
-# - name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '^#Compression.(yes|delayed|no)|^Compression.(yes|delayed|no)'
-# line: 'Compression {{ rhel8stig_sshd_compression }}'
-# notify: restart sshd
-# when:
-# - rhel_08_010510
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010510
-# - ssh
-
-# - name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '#IgnoreUserKnownHosts.(yes|no)|IgnoreUserKnownHosts.(yes|no)'
-# line: 'IgnoreUserKnownHosts yes'
-# notify: restart sshd
-# when:
-# - rhel_08_010520
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010520
-# - ssh
-
-# - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '^#PermitRootLogin.(yes|without-password|forced-commands-only|no)|^PermitRootLogin.(yes|without-password|forced-commands-only|no)'
-# line: 'PermitRootLogin no'
-# notify: restart sshd
-# when:
-# - rhel_08_010550
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010550
-# - ssh
-
-# - name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8."
-# service:
-# name: auditd
-# state: started
-# enabled: yes
-# when:
-# - rhel_08_010560
-# - not rhel8stig_system_is_container
-# tags:
-# - RHEL-08-010560
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."
-# mount:
-# path: /home
-# state: mounted
-# src: "{{ home_mount.device }}"
-# fstype: "{{ home_mount.fstype }}"
-# opts: "{{ home_mount.options }},nosuid"
-# when:
-# - rhel_08_010570
-# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
-# - "'nosuid' not in home_mount.options"
-# vars:
-# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
-# tags:
-# - RHEL-08-010570
-
-# The cotnrol in the stig has the same title as the RHEL-08-010570 control
-# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."
-# mount:
-# path: /home
-# state: mounted
-# src: "{{ home_mount.device }}"
-# fstype: "{{ home_mount.fstype }}"
-# opts: "{{ home_mount.options }},nodev"
-# when:
-# - rhel_08_010580
-# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
-# - "'nodev' not in home_mount.options"
-# vars:
-# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
-# tags:
-# - RHEL-08-010580
-
-# The control in the stig has the same title as RHEL-01-01570
-# - name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."
-# mount:
-# path: /home
-# state: mounted
-# src: "{{ home_mount.device }}"
-# fstype: "{{ home_mount.fstype }}"
-# opts: "{{ home_mount.options }},noexec"
-# when:
-# - rhel_08_010590
-# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
-# - "'noexec' not in home_mount.options"
-# vars:
-# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
-# tags:
-# - RHEL-08-010590
-
-# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
-# block:
-# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nodev to /media"
-# mount:
-# path: /media
-# state: mounted
-# src: "{{ removable_mount.device }}"
-# fstype: "{{ removable_mount.fstype }}"
-# opts: "{{ removable_mount.options }},nodev"
-# when:
-# - rhel_08_010600
-# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
-# - "'nodev' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
-
-# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set nodev to /mnt"
-# mount:
-# path: /mnt
-# state: mounted
-# src: "{{ removable_mount2.device }}"
-# fstype: "{{ removable_mount2.fstype }}"
-# opts: "{{ removable_mount2.options }},nodev"
-# when:
-# - rhel_08_010600
-# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
-# - "'nodev' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
-# when:
-# - rhel_08_010600
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# tags:
-# - RHEL-08-010600
-
-# # The control has the same title as RHEL-08-010600
-# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
-# block:
-# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set noexec to /media"
-# mount:
-# path: /media
-# state: mounted
-# src: "{{ removable_mount.device }}"
-# fstype: "{{ removable_mount.fstype }}"
-# opts: "{{ removable_mount.options }},noexec"
-# when:
-# - rhel_08_010600
-# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
-# - "'noexec' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
-
-# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set noexec to /mnt"
-# mount:
-# path: /mnt
-# state: mounted
-# src: "{{ removable_mount2.device }}"
-# fstype: "{{ removable_mount2.fstype }}"
-# opts: "{{ removable_mount2.options }},noexec"
-# when:
-# - rhel_08_010610
-# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
-# - "'noexec' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
-# when:
-# - rhel_08_010610
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# tags:
-# - RHEL-08-010610
-
-# The control has the same title as RHEL-08-010600
-# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
-# block:
-# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media"
-# mount:
-# path: /media
-# state: mounted
-# src: "{{ removable_mount.device }}"
-# fstype: "{{ removable_mount.fstype }}"
-# opts: "{{ removable_mount.options }},nosuid"
-# when:
-# - rhel_08_010620
-# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
-# - "'nosuid' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
-
-# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set nosuid to /mnt"
-# mount:
-# path: /mnt
-# state: mounted
-# src: "{{ removable_mount2.device }}"
-# fstype: "{{ removable_mount2.fstype }}"
-# opts: "{{ removable_mount2.options }},nosuid"
-# when:
-# - rhel_08_010620
-# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
-# - "'nosuid' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
-# when:
-# - rhel_08_010620
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# tags:
-# - RHEL-08-010620
-
-# - name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)."
-# mount:
-# path: "{{ item }}"
-# src: "{{ ansible_mounts | json_query(device_query) }}"
-# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
-# opts: "{{ ansible_mounts | json_query(options_query) }},noexec"
-# state: mounted
-# vars:
-# device_query: '[?mount == `{{ item }}`] | [0].device'
-# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
-# options_query: '[?mount == `{{ item }}`] | [0].options'
-# with_items: "{{ rhel8stig_nfs_mounts }}"
-# when:
-# - rhel_08_010630
-# - "'noexec' not in (ansible_mounts | json_query(options_query))"
-# tags:
-# - RHEL-08-010630
-
-# - name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)."
-# mount:
-# path: "{{ item }}"
-# src: "{{ ansible_mounts | json_query(device_query) }}"
-# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
-# opts: "{{ ansible_mounts | json_query(options_query) }},nodev"
-# state: mounted
-# vars:
-# device_query: '[?mount == `{{ item }}`] | [0].device'
-# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
-# options_query: '[?mount == `{{ item }}`] | [0].options'
-# with_items: "{{ rhel8stig_nfs_mounts }}"
-# when:
-# - rhel_08_010640
-# - "'nodev' not in (ansible_mounts | json_query(options_query))"
-# tags:
-# - RHEL-08-010640
-
-# - name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)."
-# mount:
-# path: "{{ item }}"
-# src: "{{ ansible_mounts | json_query(device_query) }}"
-# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
-# opts: "{{ ansible_mounts | json_query(options_query) }},nosuid"
-# state: mounted
-# vars:
-# device_query: '[?mount == `{{ item }}`] | [0].device'
-# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
-# options_query: '[?mount == `{{ item }}`] | [0].options'
-# with_items: "{{ rhel8stig_nfs_mounts }}"
-# when:
-# - rhel_08_010650
-# - "'nosuid' not in (ansible_mounts | json_query(options_query))"
-# tags:
-# - RHEL-08-010650
-
-# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs."
-# block:
-# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions"
-# shell: find {{ item.mount }} -xdev -type f -perm -002
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010660_world_writable_files
-# with_items:
-# - "{{ ansible_mounts }}"
-
-# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. 
| Set fact for flattening"
-# set_fact:
-# rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}"
-
-# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories"
-# include_tasks: audit_homedirinifiles.yml
-# loop:
-# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
-# loop_control:
-# loop_var: ini_item
-# when:
-# - rhel_08_010660_change_perms != []
-
-# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
-# file:
-# path: "{{ item }}"
-# mode: '0755'
-# state: file
-# with_items:
-# - "{{ rhel_08_010660_change_perms }}"
-# when:
-# - rhel_08_010660_change_perms != []
-# when:
-# - rhel_08_010660
-# - rhel8stig_disruption_high
-# # - rhel_08_stig_interactive_homedir_inifiles is defined
-# tags:
-# - RHEL-010660
-
-# - name: "MEDIUM | RHEL-08-010670 | PATCH | In the event of a system failure, RHEL 8 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes."
-# service:
-# name: kdump
-# enabled: yes
-# state: started
-# when:
-# - rhel_08_010670
-# tags:
-# - RHEL-08-010670
-
-# # NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service.
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."
-# block:
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Audit the /etc/nsswitch.conf"
-# shell: grep "dns" /etc/nsswitch.conf | grep -v "#"
-# changed_when: no
-# failed_when: false
-# check_mode: no
-# register: rhel_08_010680_nsswitch_check
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf"
-# command: grep "# Generated by NetworkManager" /etc/resolv.conf
-# changed_when: no
-# failed_when: false
-# check_mode: no
-# register: rhel_08_010680_networkmanager_check
-
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf"
-# shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l
-# changed_when: no
-# failed_when: false
-# check_mode: no
-# register: rhel_08_010680_nameserver_count
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf"
-# shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf
-# when:
-# - "'dns' not in rhel_08_010680_nsswitch_check.stdout"
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf"
-# lineinfile:
-# dest: /etc/resolv.conf
-# regexp: '^nameserver'
-# line: namserver "{{ item }}"
-# insertafter: '^search'
-# with_items:
-# - "{{ rhel8stig_dns_servers }}"
-# when:
-# - rhel_08_010680_networkmanager_check != '# Generated by NetworkManager'
-# - rhel_08_010680_nameserver_count.stdout|int < 2
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp."
-# debug:
-# msg: "The file /etc/resolv.conf is managed by network manager and shows less than two DNS servers configured. Please correct this in your DHCP configurations."
-# changed_when: true
-# when:
-# - rhel_08_010680_networkmanager_check == '# Generated by NetworkManager'
-# - rhel_08_010680_nameserver_count.stdout|int < 2
-# when:
-# - rhel_08_010680
-# - not rhel8stig_system_is_chroot
-# - not rhel8stig_system_is_container
-# tags:
-# - RHEL-08-010680
-
-# # I can't figure what is needed here. It looks simple but the fix doesn't show enough details to fill in the gaps of what's needed.
-# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
-# block:
-# - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files"
-# shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
-# with_items: "{{ rhel_08_stig_interactive_homedir_results }}"
-# register: rhel_08_010690_ini_path_grep_list
-# changed_when: no
-# failed_when: false
-
-# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
-# debug:
-# msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory. 
-# with_items:
-# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
-
-# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
-# lineinfile:
-# path: "{{ item }}"
-# regexp: "^PATH="
-# line: "{{ rhel_08_010690_user_path }}"
-# with_items:
-# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
-# when:
-# - rhel_08_010690
-# - rhel8stig_disruption_high
-# - rhel8stig_change_user_path
-# tags:
-# - RHEL-08-010690
-# - complexity-high
-
-# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
-# block:
-# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories"
-# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010700_world_writable_directories
-
-# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions"
-# file:
-# path: "{{ item }}"
-# owner: root
-# with_items:
-# - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}"
-# when: rhel_08_010700_world_writable_directories.stdout != ""
-# when:
-# - rhel_08_010700
-# tags:
-# - RHEL-08-010700
-
-# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."
-# block:
-# - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories"
-# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010710_world_writable_directories
-
-# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions"
-# file:
-# path: "{{ item }}"
-# group: root
-# with_items:
-# - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}"
-# when: rhel_08_010710_world_writable_directories.stdout != ""
-# when:
-# - rhel_08_010710
-# tags:
-# - RHEL-08-010710
-
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."
-# block:
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory"
-# shell: pwck -r | grep user | cut -f2 -d"'"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010720_users_no_home_dir
-
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory"
-# shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010720_user_list
-
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list"
-# debug:
-# msg:
-# - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards"
-# - "{{ rhel_08_010720_user_list.stdout_lines }}"
-# when: rhel_08_010720_user_list.stdout != ""
-# when:
-# - rhel_08_010720
-# tags:
-# - RHEL-08-010720
-
-# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
-# block:
-# - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
-# shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd)
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010730_home_directories
-
-# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
-# file:
-# path: "{{ item }}"
-# mode: 0750
-# with_items:
-# - "{{ rhel_08_010730_home_directories.stdout_lines }}"
-# when: rhel_08_010730_home_directories.stdout != ""
-# when:
-# - rhel_08_010730
-# tags:
-# - RHEL-08-010730
-
-# - name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."
-# file:
-# path: "{{ item.dir }}"
-# group: "{{ item.gid }}"
-# state: directory
-# with_items: "{{ rhel8stig_passwd }}"
-# loop_control:
-# label: "{{ rhel8stig_passwd_label }}"
-# when:
-# - rhel_08_010740
-# - item.uid >= rhel8stig_interactive_uid_start
-# tags:
-# - RHEL-08-010740
-
-# - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."
-# file:
-# path: "{{ item.dir }}"
-# state: directory
-# with_items: "{{ rhel8stig_passwd }}"
-# loop_control:
-# label: "{{ rhel8stig_passwd_label }}"
-# when:
-# - rhel_08_010750
-# - item.uid >= rhel8stig_interactive_uid_start
-# tags:
-# - RHEL-08-010750
-
-# - name: "MEDIUM | REHL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
-# lineinfile:
-# path: /etc/login.defs
-# regexp: '.*?CREATE_HOME.*'
-# line: CREATE_HOME yes
-# when:
-# - rhel_01_010760
-# tags:
-# - REHL-08-010760
-# - login
-# - home
-
-# - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive."
-# file:
-# path: "{{ item }}"
-# mode: 0740
-# with_items:
-# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
-# when:
-# - rhel_08_010770
-# - rhel8stig_disruption_high
-# - rhel_08_stig_interactive_homedir_inifiles is defined
-# tags:
-# - RHEL-08-010770
-# - complexity-high
-
-# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
-# block:
-# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
-# shell: find / -nouser
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010780_nouser_files
-
-# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
-# debug:
-# msg:
-# - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner"
-# - "{{ rhel_08_010780_nouser_files.stdout_lines }}"
-# when: rhel_08_010780_nouser_files.stdout != ""
-# when:
-# - rhel_08_010780
-# tags:
-# - RHEL-08-010780
-
-# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner."
-# block:
-# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files"
-# shell: find / -nogroup
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010790_nogroup_files
-
-# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files"
-# debug:
-# msg:
-# - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group"
-# - "{{ rhel_08_010790_nogroup_files.stdout_lines }}"
-# when: rhel_08_010790_nogroup_files.stdout != ""
-# when:
-# - rhel_08_010790
-# tags:
-# - RHEL-08-010790
-
-# - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."
-# debug:
-# msg: "WARNING!!!! /home is not mounted on a separate partition"
-# changed_when:
-# - rhel8stig_audit_complex
-# when:
-# - rhel_08_010800
-# - not rhel8stig_system_is_container
-# - rhel8stig_complex
-# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0
-# tags:
-# - RHEL-08-010800
-# - complexity-high
-# - mount
-# - home
-
-# - name: "MEDIUM | RHEL-08-010810 | PATCH | RHEL 8 default permissions must be defined in such a way that all authenticated users can only read and modify their own files"
-# lineinfile:
-# path: /etc/login.defs
-# regexp: .*?UMASK.*
-# line: 'UMASK 077'
-# when:
-# - rhel_08_010810
-# tags:
-# - RHEL-08-010810
-# - login
-# - umask
-
-# - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
-# debug:
-# msg:
-# - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
-# - "To do this please run sudo chage -l account_name for the accounts you need to check"
-# - "The results will display the Account Expires information"
-# - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name'
-# when:
-# - rhel_08_020000
-# tags:
-# - RHEL-08-020000
-
-# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
-# block:
-# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authsucc"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authsucc'
-# line: 'auth required pam_faillock.so authsucc'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020010
-# tags:
-# - RHEL-08-020010
-# - pamd
-
-# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
-# block:
-# - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled"
-# command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020030_lock_enabled
-
-# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
-# lineinfile:
-# path: "{{ rhel_08_020030_lock_enabled.stdout }}"
-# regexp: '^lock-enabled'
-# line: lock-enabled=true
-# when: rhel_08_020030_lock_enabled.stdout != ""
-# notify: dconf update
-
-# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist"
-# lineinfile:
-# path: /etc/dconf/db/local.d/00-screensaver
-# create: yes
-# regexp: '^lock-enabled'
-# line: |
-# [org/gnome/desktop/screensaver]
-# # Set this to true to lock the screen when the screensaver activates
-# lock-enabled=true
-# when: rhel_08_020030_lock_enabled.stdout == ""
-# notify: dconf update
-# when:
-# - rhel_08_020030
-# - rhel8stig_dconf_available
-# tags:
-# - RHEL-08-020030
-
-# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
-# dnf:
-# name: kbd
-# state: present
-# when:
-# - rhel_08_020040
-# tags:
-# - RHEL-08-020040
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."
-# block:
-# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
-# shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020050_removal_action
-
-# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
-# shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020050_removal_action_file
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist"
-# lineinfile:
-# path: /etc/dconf/db/distro.d/20-authselect
-# create: yes
-# line: |
-# [org/gnome/settings-daemon/peripherals/smartcard]
-# removal-action='lock-screen'
-# when: rhel_08_020050_removal_action.stdout == ""
-# notify: dconf update
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists"
-# lineinfile:
-# path: "{{ rhel_08_020050_removal_action.stdout }}"
-# regexp: ^removal-action=
-# line: removal-action='lock-screen'
-# when: rhel_08_020050_removal_action.stdout != ""
-# notify: dconf update
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
-# lineinfile:
-# path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}'
-# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
-# when: rhel_08_020050_removal_action_file.stdout != ""
-# notify: dconf update
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
-# lineinfile:
-# path: /etc/dconf/db/distro.d/locks/20-authselect
-# create: yes
-# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
-# when: rhel_08_020050_removal_action_file.stdout == ""
-# notify: dconf update
-# when:
-# - rhel_08_020050
-# tags:
-# - RHEL-08-020050
-
-# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity."
-# block:
-# - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter"
-# shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020060_idle_delay_param
-
-# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist"
-# lineinfile:
-# path: /etc/dconf/db/local.d/00-screensaver
-# create: yes
-# regexp: '^idle-delay'
-# line: |
-# [org/gnome/desktop/session]
-# # Set the lock time out to 900 seconds before the session is considered idle
-# idle-delay=uint32 900
-# notify: dconf update
-# when: rhel_08_020060_idle_delay_param.stdout == ""
-
-# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists"
-# lineinfile:
-# path: "{{ rhel_08_020060_idle_delay_param.stdout }}"
-# regexp: '^idle-delay='
-# line: idle-delay=uint32 900
-# notify: dconf update
-# when: rhel_08_020060_idle_delay_param.stdout != ""
-# when:
-# - rhel_08_020060
-# - rhel8stig_dconf_available
-# tags:
-# - RHEL-08-020060
-
-# - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity."
-# blockinfile:
-# create: yes
-# mode: 0644
-# dest: "{{ item.dest }}"
-# state: "{{ item.state }}"
-# marker: "# {mark} ANSIBLE MANAGED"
-# block: |
-# # Set session timeout - STIG ID RHEL-08-020070
-# TMOUT={{ rhel8stig_shell_session_timeout.timeout }}
-# readonly TMOUT
-# export TMOUT
-# with_items:
-# - dest: "{{ rhel8stig_shell_session_timeout.file }}"
-# state: present
-# - dest: /etc/profile
-# state: "{{ (rhel8stig_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}"
-# when:
-# - rhel_08_020070
-# tags:
-# - RHEL-08-020070
-# - profile
-
-# - name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings."
-# lineinfile:
-# path: /etc/dconf/db/local.d/locks/session
-# create: yes
-# line: "{{ item }}"
-# with_items:
-# - /org/gnome/desktop/session/idle-delay
-# - /org/gnome/desktop/screensaver/lock-enabled
-# - /org/gnome/desktop/screensaver/lock-delay
-# - /org/gnome/settings-daemon/plugins/media-keys/logout
-# - /org/gnome/login-screen/disable-user-list
-# - /org/gnome/login-screen/banner-message-text
-# - /org/gnome/login-screen/banner-message-enable
-# - /org/gnome/desktop/lockdown/disable-lock-screen
-# when:
-# - rhel_08_020080
-# # - rhel8stig_dconf_available
-# tags:
-# - RHEL-08-020080
-
-# # Need to figure out real location of the sssd.conf. STIG and internet say /etc/sssd/sssd.conf but on the test system it's in /usr/lib64/sssd/conf/sssd.conf. Also need some default values/variables
-# - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
-# lineinfile:
-# path: "{{ rhel8stig_sssd_conf.stdout }}"
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '^\[certmap/testing.test/rule_name]', line: '[certmap/testing.test/rule_name]' }
-# - { regexp: '^matchrule =', line: 'matchrule =.*EDIPI@mil' }
-# - { regexp: '^maprule =', line: 'maprule = (userCertificate;binary={cert!bin})' }
-# - { regexp: 'dmains =', line: 'dmains = testing.test' }
-# notify: dconf update
-# when:
-# - rhel_08_020090
-# tags:
-# - RHEL-08-020090
-
-# - name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled."
-# lineinfile:
-# path: "{{ item.path }}"
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# insertafter: '^password'
-# with_items:
-# - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
-# - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
-# when:
-# - rhel_08_020100
-# tags:
-# - RHEL-08-020100
-
-# - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# regexp: '^#?\s*ucredit'
-# line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}"
-# when:
-# - rhel_08_020110
-# tags:
-# - RHEL-08-020110
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# regexp: '^#?\s*lcredit'
-# line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}"
-# when:
-# - rhel_08_020120
-# tags:
-# - RHEL-08-020120
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# regexp: '^#?\s*dcredit'
-# line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}"
-# when:
-# - rhel_08_020130
-# tags:
-# - RHEL-08-020130
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."
-# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# regexp: '^#?\s*maxclassrepeat' -# line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" -# when: -# - rhel_08_020140 -# tags: -# - RHEL-08-020140 -# - pwquality - -# - name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# regexp: '^#?\s*maxrepeat' -# line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}" -# when: -# - rhel_08_020150 -# tags: -# - RHEL-08-020150 -# - pwquality - -# - name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# regexp: '^#?\s*minclass' -# line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}" -# when: -# - rhel_08_020160 -# tags: -# - RHEL-08-020160 -# - pwquality - -# - name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# regexp: '^#?\s*difok' -# line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}" -# when: -# - rhel_08_020170 -# tags: -# - RHEL-08-020170 -# - pwquality - -# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow." -# block: -# - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. 
| Get list of users" -# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" -# changed_when: false -# failed_when: false -# register: rhel_08_020180_users - -# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction" -# command: chage -m 1 {{ item }} -# with_items: "{{ rhel_08_020180_users.stdout_lines }}" -# when: -# - rhel_08_020180 -# tags: -# - RHEL8-08-020180 -# - password - -# - name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def." -# lineinfile: -# path: /etc/login.defs -# create: yes -# regexp: ^#?PASS_MIN_DAYS -# line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}" -# when: -# - rhel_08_020190 -# tags: -# - RHEL-08-020190 -# - login - -# - name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction." -# lineinfile: -# path: /etc/login.defs -# create: yes -# regexp: ^#?PASS_MAX_DAYS -# line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}" -# when: -# - rhel_08_020200 -# tags: -# - RHEL-08-020200 -# - login - -# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime." -# block: -# - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. 
| Get list of users" -# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" -# check_mode: no -# changed_when: rhel_08_020210_users.stdout != "" -# register: rhel_08_020210_users - -# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user." -# command: chage -d '-1 day' {{ item }} -# check_mode: "{{ rhel8stig_disruptive_check_mode }}" -# with_items: "{{ rhel_08_020210_users.stdout_lines }}" - -# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime" -# command: chage -M 60 {{ item }} -# check_mode: "{{ rhel8stig_disruptive_check_mode }}" -# with_items: "{{ rhel_08_020210_users.stdout_lines }}" -# when: -# - rhel_08_020210 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-020210 -# - disruption-high -# - password - -# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations." -# block: -# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" -# pamd: -# name: "{{ item }}" -# state: before -# type: password -# control: sufficient -# module_path: pam_unix.so -# new_type: password -# new_control: required -# new_module_path: pam_pwhistory.so -# with_items: -# - "system-auth" -# - "password-auth" - -# # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent -# - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Check for existing password history reuse settings" -# command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" -# check_mode: no -# changed_when: no -# failed_when: rhel_08_020220_pw_hist_settings.rc > 1 -# register: rhel_08_020220_pw_hist_settings -# with_items: -# - "system-auth" -# - "password-auth" - -# # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. -# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set" -# pamd: -# name: "{{ item.item }}" -# state: updated -# type: password -# control: required -# module_path: pam_pwhistory.so -# module_arguments: -# - use_authtok -# - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }} -# - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }} -# with_items: "{{ rhel_08_020220_pw_hist_settings.results }}" -# when: item.rc == 1 -# when: -# - rhel_08_020220 -# tags: -# - RHEL-08-020220 -# - pamd - -# - name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# regexp: '^#?\s*minlen' -# line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}" -# when: -# - rhel_08_020230 -# tags: -# - RHEL-08-020230 -# - pwquality - -# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." -# block: -# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. 
| Get duplicate UID users" -# command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd -# changed_when: false -# failed_when: false -# register: rhel_08_020240_duplicate_uid_users - -# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" -# debug: -# msg: -# - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" -# - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" -# when: -# - rhel_08_020240 -# tags: -# - RHEL-08-020240 - -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts." -# block: -# # - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find sssd.conf file for path" -# # find: -# # paths: / -# # recurse: yes -# # patterns: sssd.conf -# # register: rhel_08_020250_sssd_conf - -# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth" -# shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth -# changed_when: false -# failed_when: false -# register: rhel_08_020250_sc_auth_sss - -# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth" -# shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth -# changed_when: false -# failed_when: false -# register: rhel_08_020250_system_auth_sss - -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_cert_aut in sssd.conf" -# lineinfile: -# path: "{{ rhel8stig_sssd_conf.stdout }}" -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# notify: restart sssd -# with_items: -# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } -# - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' } - -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth" -# lineinfile: -# path: /etc/pam.d/smartcard-auth -# line: auth sufficient pam_sss.so try_cert_auth -# notify: restart sssd -# when: rhel_08_020250_sc_auth_sss.stdout == "" - -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth" -# pamd: -# name: /etc/pam.d/smartcard-auth -# state: updated -# type: auth -# control: sufficient -# module_path: pam_sss.so -# module_arguments: 'try_cert_auth' -# notify: restart sssd -# when: rhel_08_020250_sc_auth_sss.stdout != "" - -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth" -# pamd: -# name: /etc/pam.d/system-auth -# state: after -# type: auth -# control: required -# module_path: pam_env.so -# new_type: auth -# new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' -# new_module_path: pam_sss.so -# module_arguments: try_cert_auth -# notify: restart sssd -# when: rhel_08_020250_system_auth_sss.stdout == "" - -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_sss.so if does exist in system-auth"
-# pamd:
-# name: /etc/pam.d/system-auth
-# state: updated
-# type: auth
-# control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
-# module_path: pam_env.so
-# module_arguments: try_cert_auth
-# notify: restart sssd
-# when: rhel_08_020250_system_auth_sss.stdout != ""
-# when:
-# - rhel_08_020250
-# tags:
-# - RHEL-08-020250
-# - pamd
-
-# - name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity."
-# command: useradd -D -f 35
-# when:
-# - rhel_08_020260
-# tags:
-# - RHEL-08-020260
-# - useradd
-
-# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
-# block:
-# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
-# command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020270_system_users
-
-# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
-# debug:
-# msg:
-# - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours"
-# - "{{ rhel_08_020270_system_users.stdout_lines }}"
-# when:
-# - rhel_08_020270
-# tags:
-# - RHEL-08-020270
-
-# - name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# regexp: '^#?\s*ocredit'
-# line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}"
-# when:
-# - rhel_08_020280
-# tags:
-# - RHEL-08-020280
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day."
-# lineinfile:
-# path: "{{ rhel8stig_sssd_conf.stdout }}"
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# insertafter: "{{ item.insertafter }}"
-# with_items:
-# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
-# - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
-# when:
-# - rhel_08_020290
-# tags:
-# - RHEL-08-020290
-# - sssd
-
-# - name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# regexp: '^#?\s*dictcheck'
-# line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
-# when:
-# - rhel_08_020300
-# tags:
-# - RHEL-08-020300
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."
-# lineinfile:
-# dest: /etc/login.defs
-# regexp: ^#?FAIL_DELAY
-# line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}"
-# when:
-# - rhel_08_020310
-# tags:
-# - RHEL-08-020310
-# - login
-
-# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts."
-# block:
-# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts.
| Find unnecessary accounts"
-# command: "grep '^{{ item }}:' /etc/passwd"
-# check_mode: no
-# failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1
-# changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0
-# register: rhel_08_020320_unnecessary_accounts_found
-# with_items: "{{ rhel8stig_unnecessary_accounts }}"
-
-# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts"
-# user:
-# name: "{{ item }}"
-# state: absent
-# remove: "{{ rhel8stig_remove_unnecessary_user_files }}"
-# register: rhel_08_020320_accounts_removed
-# with_items: "{{ rhel8stig_unnecessary_accounts }}"
-
-# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file"
-# include_tasks: parse_etc_passwd.yml
-# vars:
-# rhel8stig_passwd_tasks: "RHEL-08-020320"
-# when: rhel_08_020320_accounts_removed is changed
-# when:
-# - rhel_08_020320
-# tags:
-# - RHEL-08-020320
-
-# - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."
-# lineinfile:
-# dest: /etc/ssh/sshd_config
-# regexp: "(?i)^#?PrintLastLog"
-# line: PrintLastLog yes
-# validate: /usr/sbin/sshd -t -f %s
-# notify: restart sshd
-# when:
-# - rhel_08_020350
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-020350
-# - ssh
-
-# - name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv' }
-# - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv' }
-# - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv' }
-# - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv' }
-# notify: restart auditd
-# when:
-# - rhel_08_030000
-# tags:
-# - RHEL-08-030000
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8."
-# lineinfile:
-# path: /etc/rsyslog.conf
-# regexp: '^cron.*'
-# line: 'cron.* /var/log/cron'
-# when:
-# - rhel_08_030010
-# tags:
-# - RHEL-08-030010
-# - cron
-
-# - name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^action_mail_acct ='
-# line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}"
-# register: rhel_08_030020_action_mail_acct_result
-# failed_when:
-# - rhel_08_030020_action_mail_acct_result is failed
-# - rhel_08_030020_action_mail_acct_result.rc != 257
-# when:
-# - rhel_08_030020
-# tags:
-# - RHEL-08-030020
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."
-# lineinfile:
-# path: /etc/aliases
-# regexp: '^postmaster:'
-# line: 'postmaster: root'
-# when:
-# - rhel_08_030030
-# tags:
-# - RHEL-08-030030
-# - aliases
-
-# - name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^disk_error_action ='
-# line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}"
-# when:
-# - rhel_08_030040
-# tags:
-# - RHEL-08-030040
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^max_log_file_action ='
-# line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}"
-# when:
-# - rhel_08_030050
-# tags:
-# - RHEL-08-030050
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^disk_full_action ='
-# line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}"
-# when:
-# - rhel_08_030060
-# tags:
-# - RHEL-08-030060
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | Get audit log file"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030070_audit_log_file
-
-# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
| Set permissions on log file"
-# file:
-# path: "{{ rhel_08_030070_audit_log_file.stdout }}"
-# mode: 0600
-# when: rhel_08_030070_audit_log_file.stdout != ""
-# when:
-# - rhel_08_030070
-# tags:
-# - RHEL-08-030070
-
-# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030080_audit_log_file
-
-# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner"
-# file:
-# path: "{{ rhel_08_030080_audit_log_file.stdout }}"
-# owner: root
-# when: rhel_08_030080_audit_log_file.stdout != ""
-# when:
-# - rhel_08_030080
-# tags:
-# - RHEL-08-030080
-
-# - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030090 | AUDIT | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Get audit log file"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030090_audit_log_file
-
-# - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group"
-# file:
-# path: "{{ rhel_08_030090_audit_log_file.stdout }}"
-# group: root
-# when: rhel_08_030090_audit_log_file.stdout != ""
-# when:
-# - rhel_08_030090
-# tags:
-# - RHEL-08-030090
-
-# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030100_audit_log_dir
-
-# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner"
-# file:
-# path: "{{ rhel_08_030100_audit_log_dir.stdout }}"
-# owner: root
-# state: directory
-# when: rhel_08_030100_audit_log_dir.stdout != ""
-# when:
-# - rhel_08_030100
-# tags:
-# - RHEL-08-030100
-
-# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030110_audit_log_dir
-
-# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group"
-# file:
-# path: "{{ rhel_08_030110_audit_log_dir.stdout }}"
-# group: root
-# state: directory
-# when: rhel_08_030110_audit_log_dir.stdout != ""
-# when:
-# - rhel_08_030110
-# tags:
-# - RHEL-08-030110
-
-# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0600 or less permissive to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0600 or less permissive to prevent unauthorized read access.
| Get audit log directory"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030120_audit_log_dir
-
-# # I have this item set to 750, setting to 600 will not allow auditd to work
-# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0600 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
-# file:
-# path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
-# mode: 0750
-# state: directory
-# when: rhel_08_030120_audit_log_dir.stdout != ""
-# when:
-# - rhel_08_030120
-# tags:
-# - RHEL-08-030120
-
-# - name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/shadow'
-# line: '-w /etc/shadow -p wa -k identity'
-# notify: restart auditd
-# when:
-# - rhel_08_030130
-# tags:
-# - RHEL-08-030130
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/security/opasswd'
-# line: -w /etc/security/opasswd -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030140
-# tags:
-# - RHEL-08-030140
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/passwd'
-# line: -w /etc/passwd -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030150
-# tags:
-# - RHEL-08-030150
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/gshadow'
-# line: -w /etc/gshadow -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030160
-# tags:
-# - RHEL-08-030160
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/group'
-# line: -w /etc/group -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030170
-# tags:
-# - RHEL-08-030170
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."
-# block:
-# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit"
-# dnf:
-# name: audit
-# state: present
-
-# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
| Enable and start service"
-# service:
-# name: auditd
-# enabled: yes
-# state: started
-# when:
-# - rhel_08_030180
-# tags:
-# - rhel_08_030180
-# - dnf
-# - auditd
-
-# - name: "MEDIUM | RHEL-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-a always,exit -F path=/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
-# line: '-a always,exit -F path=/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
-# notify: restart auditd
-# when:
-# - rhel_08_030190
-# tags:
-# - RHEL-08-030190
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030200
-# tags:
-# - RHEL-08-030200
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030210
-# tags:
-# - RHEL-08-030210
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030220
-# tags:
-# - RHEL-08-030220
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030230
-# tags:
-# - RHEL-08-030230
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030240
-# tags:
-# - RHEL-08-030240
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
-# notify: restart auditd
-# when:
-# - rhel_08_030250
-# tags:
-# - RHEL-08-030250
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030260
-# tags:
-# - RHEL-08-030260
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030270
-# tags:
-# - RHEL-08-030270
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
-# notify: restart auditd
-# when:
-# - rhel_08_030280
-# tags:
-# - RHEL-08-030280
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
-# notify: restart auditd
-# when:
-# - rhel_08_030290
-# tags:
-# - RHEL-08-030290
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
-# - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
-# notify: restart auditd
-# when:
-# - rhel_08_030300
-# tags:
-# - RHEL-08-030300
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
-# notify: restart auditd
-# when:
-# - rhel_08_030310
-# tags:
-# - RHEL-08-030310
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
-# notify: restart auditd
-# when:
-# - rhel_08_030320
-# tags:
-# - RHEL-08-030320
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030330
-# tags:
-# - RHEL-08-030330
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check
-# notify: restart auditd
-# when:
-# - rhel_08_030340
-# tags:
-# - RHEL-08-030340
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
-# notify: restart auditd
-# when:
-# - rhel_08_030350
-# tags:
-# - RHEL-08-030350
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030360
-# tags:
-# - RHEL-08-030360
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd
-# notify: restart auditd
-# when:
-# - rhel_08_030370
-# tags:
-# - RHEL-08-030370
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030380
-# tags:
-# - RHEL-08-030380
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030390
-# tags:
-# - RHEL-08-030390
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab
-# notify: restart auditd
-# when:
-# - rhel_08_030400
-# tags:
-# - RHEL-08-030400
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
-# notify: restart auditd
-# when:
-# - rhel_08_030410
-# tags:
-# - RHEL-08-030410
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030420
-# tags:
-# - RHEL-08-030420
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030430
-# tags:
-# - RHEL-08-030430
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030440
-# tags:
-# - RHEL-08-030440
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030450
-# tags:
-# - RHEL-08-030450
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030460
-# tags:
-# - RHEL-08-030460
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030470
-# tags:
-# - RHEL-08-030470
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030480
-# tags:
-# - RHEL-08-030480
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030490
-# tags:
-# - RHEL-08-030490
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030500
-# tags:
-# - RHEL-08-030500
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030510
-# tags:
-# - RHEL-08-030510
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030520
-# tags:
-# - RHEL-08-030520
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030530
-# tags:
-# - RHEL-08-030530
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030540
-# tags:
-# - RHEL-08-030540
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
-# notify: restart auditd
-# when:
-# - rhel_08_030550
-# tags:
-# - RHEL-08-030550
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod
-# notify: restart auditd
-# when:
-# - rhel_08_030560
-# tags:
-# - RHEL-08-030560
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030570
-# tags:
-# - RHEL-08-030570
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -w /bin/kmod -p x -k modules
-# notify: restart auditd
-# when:
-# - rhel_08_030580
-# tags:
-# - RHEL-08-030580
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -w /var/log/faillock -p wa -k logins
-# notify: restart auditd
-# when:
-# - rhel_08_030590
-# tags:
-# - RHEL-08-030590
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -w /var/log/lastlog -p wa -k logins
-# notify: restart auditd
-# when:
-# - rhel_08_030600
-# tags:
-# - RHEL-08-030600
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
-# file:
-# path: "{{ item }}"
-# mode: 0640
-# with_items:
-# - /etc/audit/rules.d/audit.rules
-# - /etc/audit/auditd.conf
-# when:
-# - rhel_08_030610
-# tags:
-# - RHEL-08-030610
-# - permissions
-
-# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive."
-# block:
-# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive.
| Find toosl with less than 755 perms"
-# shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030620_tools
-
-# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
-# file:
-# path: "{{ item }}"
-# mode: 0755
-# with_items:
-# - "{{ rhel_08_030620_tools.stdout_lines }}"
-# when:
-# - rhel_08_030620
-# tags:
-# - RHEL-08-030620
-# - permissions
-
-# - name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root."
-# file:
-# path: "{{ item }}"
-# owner: root
-# with_items:
-# - /sbin/auditctl
-# - /sbin/aureport
-# - /sbin/ausearch
-# - /sbin/autrace
-# - /sbin/auditd
-# - /sbin/audisp-remote
-# - /sbin/audisp-syslog
-# - /sbin/augenrules
-# when:
-# - rhel_08_030630
-# tags:
-# - RHEL-08-030630
-# - permissions
-
-# - name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root."
-# file:
-# path: "{{ item }}"
-# owner: root
-# with_items:
-# - /sbin/auditctl
-# - /sbin/aureport
-# - /sbin/ausearch
-# - /sbin/autrace
-# - /sbin/auditd
-# - /sbin/audisp-remote
-# - /sbin/audisp-syslog
-# - /sbin/augenrules
-# when:
-# - rhel_08_030640
-# tags:
-# - RHEL-08-030640
-# - permissions
-
-# - name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."
-# lineinfile:
-# path: /etc/aide.conf
-# line: "{{ item }}"
-# with_items:
-# - "# Audit Tools"
-# - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
-# - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
-# - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
-# - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
-# - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
-# - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
-# - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
-# - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
-# when:
-# - rhel_08_030650
-# tags:
-# - RHEL-08-030650
-# - aide
-
-# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."
-# block:
-# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition"
-# shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030660_audit_log_path
-
-# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition"
-# shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030660_audit_log_partition
-
-# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
| Message out partition size"
-# debug:
-# msg:
-# - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"
-# - "Path: {{ rhel_08_030660_audit_log_path.stdout }}"
-# - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}"
-# when:
-# - rhel_08_030660
-# tags:
-# - RHEL-08-030660
-
-# - name: "MEDIUM | RHEL-08-030670 | PATCH | The RHEL 8 remote audit system must take appropriate action when audit storage is full."
-# lineinfile:
-# path: /etc/audit/audisp-remote.conf
-# regexp: '^disk_full_action ='
-# line: "disk_full_action = {{ rhel8stig_audisp_disk_full_action }}"
-# when:
-# - rhel_08_030670
-# tags:
-# - RHEL-08-030670
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030680 | PATCH | The RHEL 8 audit system must take appropriate action when the network cannot be used to off-load audit records."
-# lineinfile:
-# path: /etc/audit/audisp-remote.conf
-# regexp: '^network_failure_action ='
-# line: 'network_failure_action = {{ rhel8stig_audisp_network_failure_action }}'
-# when:
-# - rhel_08_030680
-# tags:
-# - RHEL-08-030680
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."
-# lineinfile:
-# path: /etc/audit/audisp-remote.conf
-# regexp: '^remote_server ='
-# line: 'remote_server = {{ rhel8stig_audisp_remote_server }}'
-# when:
-# - rhel_08_030690
-# tags:
-# - RHEL-08-030690
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full."
-# lineinfile:
-# path: /etc/audit/audispd.conf
-# create: yes
-# regexp: '^overflow_action ='
-# line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}'
-# notify: restart auditd
-# when:
-# - rhel_08_030700
-# tags:
-# - RHEL-08-030700
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
-# lineinfile:
-# path: /etc/audit/audisp-remote.conf
-# create: yes
-# regexp: '^transport ='
-# line: 'transport = krb5'
-# when:
-# - rhel_08_030710
-# tags:
-# - RHEL-08-030710
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must be configured to off-load audit logs to a different system or storage media."
-# lineinfile:
-# path: /etc/audit/plugins.d/au-remote.conf
-# create: yes
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '.*?active =', line: 'active = yes '}
-# - { regexp: '.*?direction =', line: 'direction = out' }
-# - { regexp: '.*?path =', line: 'path = /sbin/audisp-remote' }
-# - { regexp: '.*?type =', line: 'type = always' }
-# notify: restart auditd
-# when:
-# - rhel_08_030720
-# tags:
-# - rhel_08_030720
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '^space_left =', line: 'space_left = 25%' }
-# - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' }
-# when:
-# - rhel_08_030730
-# tags:
-# - RHEL-08-030730
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
-# lineinfile:
-# path: /etc/chrony.conf
-# regexp: '^server'
-# line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16'
-# notify: restart {{ rhel8stig_time_service }}
-# when:
-# - rhel_08_030740
-# tags:
-# - RHEL-08-030740
-# - chronyd
-
-# - name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use."
-# lineinfile:
-# path: /etc/modprobe.d/blacklist.conf
-# create: yes
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# insertafter: "{{ item.insertafter }}"
-# with_items:
-# - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' }
-# - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' }
-# when:
-# - rhel_08_040020
-# tags:
-# - RHEL-08-040020
-# - camera
-
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
-# block:
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
-# block:
-# - name: "MEDIUM | RHEL-08-040030 | PATCH | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using firewalld"
-# shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
-# register: rhel8stig_PPSM_CLSA_check_firewalld
-# changed_when: false
-# failed_when: false
-# check_mode: no
-# when:
-# - rhel_08_040030
-# tags:
-# - RHEL-08-040030
-# - firewall
-
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
-# debug:
-# msg:
-# - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
-# - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}" -# changed_when: true -# when: -# - rhel_08_040030 -# - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined -# tags: -# - RHEL-08-040030 -# - firewall -# when: -# - rhel_08_040030 -# - not rhel8stig_system_is_chroot -# - not rhel8stig_system_is_container -# - rhel8stig_firewall_service == "firewalld" -# - rhel8stig_start_firewall_service -# tags: -# - RHEL-08-040030 -# - firewall - -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block" -# block: -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using iptables" -# shell: iptables-save | grep -i accept | grep -i input -# register: rhel8stig_PPSM_CLSA_check_iptables -# changed_when: false -# failed_when: false -# check_mode: no -# when: rhel_08_040030 -# tags: -# - RHEL-08-040030 -# - firewall - -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" -# debug: -# msg: -# - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}." 
-# - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}" -# changed_when: true -# when: -# - rhel_08_040030 -# - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined -# tags: -# - RHEL-08-040030 -# - firewall -# when: -# - rhel_08_040030 -# - not rhel8stig_system_is_chroot -# - not rhel8stig_system_is_container -# - rhel8stig_firewall_service == "iptables" -# - rhel8stig_start_firewall_service -# tags: -# - RHEL-08-040030 -# - firewall - -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use" -# debug: -# msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." -# changed_when: true -# when: -# - rhel_08_040030 -# - not rhel8stig_start_firewall_service -# tags: -# - RHEL-08-040030 -# - firewall -# when: -# - rhel_08_040030 -# - not rhel8stig_system_is_chroot -# - not rhel8stig_system_is_container -# - rhel8stig_disruptive -# tags: -# - RHEL-08-040030 -# - firewall - -# - name: "MEDIUM | RHEL-08-040040 | PATCH | RHEL 8 must prevent shell access for the root account." -# user: -# name: root -# shell: /sbin/nologin -# when: -# - rhel_08_040040 -# tags: -# - RHEL-08-040040 -# - users - -# - name: "MEDIUM | RHEL-08-040050 | PATCH | RHEL 8 must prevent direct logon into the root account." 
-# user:
-# name: root
-# password_lock: yes
-# when:
-# - rhel_08_040050
-# tags:
-# - RHEL-08-040050
-# - users
-
-# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required."
-# block:
-# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error"
-# shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_040070_autofs_status
-
-# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists"
-# service:
-# name: autofs
-# state: stopped
-# enabled: no
-# when: rhel_08_040070_autofs_status.stdout == "loaded"
-# when:
-# - rhel_08_040070
-# tags:
-# - RHEL-08-040070
-# - autofs
-
-# - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage."
-# lineinfile:
-# path: "{{ item.path }}"
-# create: yes
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# insertafter: "{{ item.insertafter }}"
-# with_items:
-# - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' }
-# - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'}
-# when:
-# - rhel_08_040080
-# tags:
-# - RHEL-08-040080
-# - usb_devices
-
-# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
-# block:
-# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld"
-# dnf:
-# name: firewalld
-# state: present
-# when: rhel8stig_firewall_service == "firewalld"
-
-# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8.
| Install IPTables"
-# dnf:
-# name: iptables-services
-# state: present
-# when: rhel8stig_firewall_service == "iptables"
-
-# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
-# service:
-# name: "{{ rhel8stig_firewall_service }}"
-# state: started
-# enabled: yes
-# when:
-# - rhel_08_040100
-# tags:
-# - RHEL-08-040100
-# - firewall
-# - "{{ rhel8stig_firewall_service }}"
-
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
-# block:
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
-# firewalld:
-# zone: "{{ rhel8stig_custom_firewall_zone }}"
-# permanent: true
-# state: present
-
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh"
-# firewalld:
-# zone: "{{ rhel8stig_custom_firewall_zone }}"
-# permanent: true
-# state: enabled
-# service: "{{ item }}"
-# with_items:
-# - "{{ rhel8stig_white_list_services }}"
-
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
-# command: firewall-cmd --reload
-# changed_when: rhel_08_040090_zone_reload.rc == 0
-# failed_when: rhel_08_040090_zone_reload.rc >= 2
-# register: rhel_08_040090_zone_reload
-
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
| Set new zone as default"
-# command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
-# changed_when: rhel_08_040090_default_zone_set.rc == 0
-# failed_when: rhel_08_040090_default_zone_set.rc >= 2
-# register: rhel_08_040090_default_zone_set
-# when:
-# - rhel_08_040090
-# tags:
-# - RHEL-08-040090
-# - firewall
-
-# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
-# block:
-# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
-# command: rpm -q NetworkManager
-# args:
-# warn: no
-# check_mode: no
-# changed_when: no
-# register: rhel_08_nmcli_available
-# failed_when: no
-
-# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
-# command: nmcli radio wifi
-# register: rhel_08_wifi_enabled
-# check_mode: no
-# changed_when: rhel_08_wifi_enabled.stdout != "disabled"
-# when: rhel_08_nmcli_available.rc == 0
-
-# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
-# command: nmcli radio wifi off
-# when: rhel_08_wifi_enabled is changed
-# when:
-# - rhel_08_040110
-# tags:
-# - RHEL-08-040110
-# - wifi
-
-# - name: "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with secure options."
-# mount:
-# path: /dev/shm
-# state: mounted
-# src: tmpfs
-# fstype: tmpfs
-# opts: defaults,nodev,nosuid,noexec
-# when:
-# - rhel_08_040120
-# tags:
-# - RHEL-08-040120
-
-# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
-# block:
-# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
| Install fapolicy"
-# dnf:
-# name: fapolicyd
-# state: present
-
-# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts"
-# shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
-# changed_when: false
-# failed_when: false
-
-# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy"
-# service:
-# name: fapolicyd
-# state: started
-# enabled: yes
-
-# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist "
-# lineinfile:
-# path: /etc/fapolicyd/fapolicyd.rules
-# line: "{{ item }}"
-# with_items:
-# - "{{ rhel8stig_fapolicy_white_list }}"
-
-# - name: "MEDIUM | RHEL-040130 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0"
-# lineinfile:
-# path: /etc/fapolicyd/fapolicyd.conf
-# regexp: '^permissive ='
-# line: 'permissive = 0'
-# when:
-# - rhel_08_040130
-# tags:
-# - RHEL-08-040130
-# - fapolicyd
-
-# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection."
-# block:
-# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard"
-# dnf:
-# name: usbguard
-# state: present
-
-# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection.
| Start/Enable service"
-# service:
-# name: usbguard
-# state: started
-# enabled: yes
-# when:
-# - rhel_08_040140
-# tags:
-# - RHEL-08-040140
-# - usbguard
-
-# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces."
-# block:
-# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables"
-# dnf:
-# name: nftables
-# state: present
-
-# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables"
-# service:
-# name: nftables
-# state: started
-# enabled: yes
-
-# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend"
-# lineinfile:
-# path: /etc/firewalld/firewalld.conf
-# regexp: '^FirewallBackend='
-# line: 'FirewallBackend=nftables'
-# when:
-# - rhel_08_040150
-# tags:
-# - RHEL-08-040150
-# - firewall
-# - nftables
-
-# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."
-# block:
-# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server"
-# dnf:
-# name: openssh-server
-# state: present
-
-# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server"
-# service:
-# name: sshd
-# state: started
-# enabled: yes
-# when:
-# - rhel_08_040160
-# tags:
-# - rhel_08_040160
-# - ssh
-
-# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted."
-# block:
-# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl"
-# sysctl:
-# name: "{{ item }}"
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-# with_items:
-# - net.ipv4.conf.default.accept_redirects
-# - net.ipv6.conf.default.accept_redirects
-
-# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted.
| Set accpet_redirects default value to 0"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' }
-# - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' }
-# when:
-# - rhel_08_040210
-# tags:
-# - RHEL-08-040210
-# - icmp
-
-# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects."
-# block:
-# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects in sysctl"
-# sysctl:
-# name: net.ipv4.conf.all.send_redirects
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-
-# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: '^net.ipv4.conf.all.send_redirects'
-# line: 'net.ipv4.conf.all.send_redirects=0'
-# when:
-# - rhel_08_040220
-# tags:
-# - RHEL-08-040220
-# - icmp
-
-# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
-# block:
-# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast in sysctl"
-# sysctl:
-# name: net.ipv4.icmp_echo_ignore_broadcasts
-# state: present
-# value: '1'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-
-# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
| Set echo_ignore_broadcast default value to 1" -# lineinfile: -# name: /etc/sysctl.conf -# regexp: '^net.ipv4.icmp_echo_ignore_broadcasts' -# line: 'net.ipv4.icmp_echo_ignore_broadcasts=1' -# when: -# - rhel_08_040230 -# tags: -# - RHEL-08-040230 -# - icmp - -# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets." -# block: -# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.conf.all.accept_source_route -# - net.ipv6.conf.all.accept_source_route - -# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } -# - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } -# when: -# - rhel_08_040240 -# tags: -# - RHEL-08-040240 -# - icmp - -# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default." -# block: -# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.conf.default.accept_source_route -# - net.ipv6.conf.default.accept_source_route - -# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. 
| Set conf.default accept_source_route value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } -# - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } -# when: -# - rhel_08_040250 -# tags: -# - RHEL-08-040250 -# - icmp - -# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router." -# block: -# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.ip_forward -# - net.ipv6.conf.all.forwarding - -# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' } -# - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' } - -# when: -# - rhel_08_040260 -# - not rhel8stig_system_is_router -# tags: -# - RHEL-08-040260 -# - icmp - -# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." -# block: -# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. 
| Set default.send_redirects in sysctl" -# sysctl: -# name: net.ipv4.conf.default.send_redirects -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" - -# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^net.ipv4.conf.default.send_redirects' -# line: 'net.ipv4.conf.default.send_redirects=0' -# when: -# - rhel_08_040270 -# tags: -# - RHEL-08-040270 -# - icmp - -# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." -# block: -# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.conf.all.accept_redirects -# - net.ipv6.conf.all.accept_redirects - -# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } -# - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } -# when: -# - rhel_08_040280 -# tags: -# - RHEL-08-040280 -# - icmp - -# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." -# block: -# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." 
-# command: rpm -q postfix -# failed_when: no -# check_mode: no -# changed_when: no -# register: rhel_08_040290_rpm_audit - -# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction" -# command: "/usr/sbin/postconf -n smtpd_client_restrictions" -# check_mode: no -# changed_when: no -# register: rhel_08_040290_postconf_audit -# when: rhel_08_040290_rpm_audit.rc == 0 - -# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set reject" -# command: "/usr/sbin/postconf -e 'smtpd_client_restrictions=permit_mynetworks, reject'" -# when: -# - rhel_08_040290_rpm_audit.rc == 0 -# - rhel_08_040290_postconf_audit.stdout != 'smtpd_client_restrictions = permit_mynetworks, reject' -# when: -# - rhel_08_040290 -# tags: -# - RHEL-08-040290 - -# - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." -# dnf: -# name: -# -@x11 -# - xorg-11-server-common -# state: absent -# when: -# - rhel_08_040320 -# - not rhel8stig_gui - -# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." -# block: -# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" -# shell: "ip link | grep -i promisc | cut -d ':' -f 2" -# check_mode: no -# failed_when: no -# changed_when: rhel_08_040670_promisc_check.stdout != '' -# ignore_errors: yes -# register: rhel_08_040670_promisc_check - -# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. 
| Set promiscuous mode" -# shell: "ip link set dev {{ item }} promisc off" -# with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" -# when: -# - rhel_08_040330 -# - not rhel8stig_net_promisc_mode_required -# tags: -# - RHEL-08-040330 - -# - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." -# lineinfile: -# path: /etc/xinetd.d/tftp -# regexp: "(?i)^.*server_args.*=" -# line: "\tserver_args\t\t= -s /var/lib/tftpboot" -# insertafter: "\tserver\t\t\t=" -# state: present -# register: result -# failed_when: -# - result is failed -# - result.rc != 257 -# when: -# - rhel_08_040350 -# - rhel8stig_tftp_required -# tags: -# - RHEL-08-040350 \ No newline at end of file diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 9c6b8dce..89515b84 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
@@ -469,118 +469,3 @@ - RHEL-08-040300 - RHEL-08-040310 - aide
-
-# ======= below this line is old
-# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8."
-# block:
-# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Find .conf files"
-# find:
-# paths: /etc
-# recurse: yes
-# file_type: any
-# depth: 2
-# patterns:
-# - yum.conf
-# - dnf.conf
-# register: rhel_08_010440_package_confs
-
-# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Set settings"
-# lineinfile:
-# path: "{{ item.path }}"
-# regexp: '^.*clean_requirements_on_remove'
-# line: 'clean_requirements_on_remove=True'
-# with_items:
-# - "{{ rhel_08_010440_package_confs.files }}"
-# when:
-# - rhel_08_010440
-# tags:
-# - RHEL-08-010440
-
-# - name: "LOW | RHEL-08-010530 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path."
-# debug:
-# msg:
-# - "WARNING!! /var/log/audit is not mounted on a seperate partition"
-# changed_when:
-# - rhel8stig_audit_complex
-# when:
-# - rhel_08_010530
-# - not rhel8stig_system_is_container
-# - rhel8stig_complex
-# - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0
-# tags:
-# - RHEL-08-010530
-# - complexity_high
-# - mount
-# - auditd
-
-# - name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var."
-# debug:
-# msg: "WARNING: /var is not mounted on a separate partition"
-# changed_when:
-# - rhel8stig_audit_complex
-# when:
-# - rhel_08_010540
-# - not rhel8stig_system_is_container
-# - rhel8stig_complex
-# - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0
-# tags:
-# - RHEL-08-021320
-# - complexity-high
-# - mount
-# - var
-
-# - name: "LOW | RHEL-08-020020 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types."
-# lineinfile:
-# path: /etc/security/limits.conf
-# regexp: '^\* hard maxlogins'
-# line: '* hard maxlogins 10'
-# insertbefore: '^# End of file'
-# create: yes
-# when:
-# - rhel_08_020020
-# tags:
-# - RHEL-08-020020
-
-# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon."
-# block:
-# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Set session required for pam_lastlog.so"
-# pamd:
-# name: postlogin
-# type: session
-# control: optional
-# new_control: required
-# module_path: pam_lastlog.so
-# state: updated
-
-# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Remove default=1 and optional control"
-# pamd:
-# name: postlogin
-# type: session
-# state: args_absent
-# control: "{{ item }}"
-# module_path: pam_lastlog.so
-# module_arguments: silent
-# with_items:
-# - '[default=1]'
-# - required
-# when:
-# - rhel_08_020340
-# tags:
-# - RHEL-08-020340
-
-# - name: |
-# "LOW | RHEL-08-040300 | PATCH | The RHEL 8 file integrity tool must be configured to verify extended attributes."
-# "LOW | RHEL-08-040310 | PATCH | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)."
-# template:
-# src: aide.conf.j2
-# dest: /etc/aide.conf
-# owner: root
-# group: root
-# mode: '0600'
-# when:
-# - rhel_08_040300
-# - rhel_08_040310
-# tags:
-# - RHEL-08-040300
-# - RHEL-08-040310
-# - aide
From 13d033e75be4cea48c6592f742907758805abf57 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 15 Jan 2021 16:48:36 -0500
Subject: [PATCH 15/15] adjusted 010680 for testing
Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 930fc68a..0ce1cbe2 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1429,6 +1429,7 @@ - rhel_08_010680 - not rhel8stig_system_is_chroot - not rhel8stig_system_is_container + - not system_is_ec2 tags: - RHEL-08-010680