From a0b79aef8756cc8d4f8d74f1d089338b85c3cde5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Jul 2021 12:10:38 +0100 Subject: [PATCH 001/110] cat1_initial v1.2 Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 +- tasks/Cat_1/RHEL-08-010000.yml | 10 ++ tasks/Cat_1/RHEL-08-010020.yml | 118 +++++++++++++++++++++ tasks/Cat_1/RHEL-08-010140_010150.yml | 55 ++++++++++ tasks/Cat_1/RHEL-08-010370.yml | 26 +++++ tasks/Cat_1/RHEL-08-010371.yml | 12 +++ tasks/Cat_1/RHEL-08-010460.yml | 11 ++ tasks/Cat_1/RHEL-08-010470.yml | 22 ++++ tasks/Cat_1/RHEL-08-010820.yml | 13 +++ tasks/Cat_1/RHEL-08-020330.yml | 25 +++++ tasks/Cat_1/RHEL-08-040000.yml | 10 ++ tasks/Cat_1/RHEL-08-040010.yml | 10 ++ tasks/Cat_1/RHEL-08-040170.yml | 20 ++++ tasks/Cat_1/RHEL-08-040171.yml | 35 +++++++ tasks/Cat_1/RHEL-08-040172.yml | 12 +++ tasks/Cat_1/RHEL-08-040190.yml | 12 +++ tasks/Cat_1/RHEL-08-040200.yml | 28 +++++ tasks/Cat_1/RHEL-08-040360.yml | 11 ++ tasks/pre_LE_audit.yml | 145 ++++++++++++++++++++++++++ 19 files changed, 577 insertions(+), 2 deletions(-) create mode 100644 tasks/Cat_1/RHEL-08-010000.yml create mode 100644 tasks/Cat_1/RHEL-08-010020.yml create mode 100644 tasks/Cat_1/RHEL-08-010140_010150.yml create mode 100644 tasks/Cat_1/RHEL-08-010370.yml create mode 100644 tasks/Cat_1/RHEL-08-010371.yml create mode 100644 tasks/Cat_1/RHEL-08-010460.yml create mode 100644 tasks/Cat_1/RHEL-08-010470.yml create mode 100644 tasks/Cat_1/RHEL-08-010820.yml create mode 100644 tasks/Cat_1/RHEL-08-020330.yml create mode 100644 tasks/Cat_1/RHEL-08-040000.yml create mode 100644 tasks/Cat_1/RHEL-08-040010.yml create mode 100644 tasks/Cat_1/RHEL-08-040170.yml create mode 100644 tasks/Cat_1/RHEL-08-040171.yml create mode 100644 tasks/Cat_1/RHEL-08-040172.yml create mode 100644 tasks/Cat_1/RHEL-08-040190.yml create mode 100644 tasks/Cat_1/RHEL-08-040200.yml create mode 100644 tasks/Cat_1/RHEL-08-040360.yml create mode 100644 tasks/pre_LE_audit.yml 
diff --git a/defaults/main.yml b/defaults/main.yml
index 98ab2b5a..8ac7f551 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -418,8 +418,8 @@ rhel8stig_change_user_path: false
 # These are the minimum supported releases.
 # (Red Hat has support for older versions if you pay extra for it.)
 rhel8stig_min_supported_os_ver:
- RedHat: "8.0"
- CentOS: "8.0"
+ RedHat: "8.4"
+ CentOS: "8.4"
 # RHEL-08-040260
 # If system is not router, run tasks that disable router functions.
diff --git a/tasks/Cat_1/RHEL-08-010000.yml b/tasks/Cat_1/RHEL-08-010000.yml
new file mode 100644
index 00000000..c687030d
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-010000.yml
@@ -0,0 +1,10 @@
+---
+
+- name: "RHEL-08-010000 | HIGH | AUDIT | The RHEL 8 must be a vendor-supported release."
+ debug:
+ msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }}
+ changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=')
+ when:
+ - rhel_08_010000
+ tags:
+ - RHEL-08-010000
diff --git a/tasks/Cat_1/RHEL-08-010020.yml b/tasks/Cat_1/RHEL-08-010020.yml
new file mode 100644
index 00000000..83363ddf
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-010020.yml
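Review bot: On an unsupported release the `debug` task in RHEL-08-010000.yml only shows as changed and every following control still runs against that host; if the minimum version is meant to be enforced, an `assert` with `that: ansible_distribution_version is version(rhel8stig_min_supported_os_ver[ansible_distribution], '>=')` and the current message as `fail_msg` stops the play instead. If the soft behaviour is intended, a comment saying so on the task would prevent the next reader from "fixing" it. `version_compare` is the pre-2.5 alias of the `version` test and is kept only for compatibility.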
@@ -0,0 +1,118 @@
+---
+
+- name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
+ block:
+ - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
+ dnf:
+ name: dracut-fips
+ state: present
+ notify: rebuild initramfs
+
+ - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel"
+ command: fips-mode-setup --enable
+ register: rhel_08_010020_kernel_fips_enable
+ changed_when: rhel_08_010020_kernel_fips_enable.rc == 0
+
+ - name: "RHEL-08-010020 | HIGH | AUDIT | Check if prelink package is installed"
+ command: rpm -q prelink
+ args:
+ warn: no
+ changed_when: no
+ failed_when: no
+ check_mode: no
+ register: rhel_08_010020_prelink_installed
+
+ - name: "RHEL-08-010020 | HIGH | PATCH | Disable prelinking."
+ lineinfile:
+ dest: /etc/sysconfig/prelink
+ regexp: ^#?PRELINKING
+ line: PRELINKING=no
+ when: rhel_08_010020_prelink_installed.rc == 0
+ notify: undo existing prelinking
+
+ - name: "RHEL-08-010020 | HIGH | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub"
+ command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub
+ check_mode: no
+ failed_when: no
+ changed_when: rhel_08_010020_default_grub_missing_audit.rc > 0
+ register: rhel_08_010020_default_grub_missing_audit
+
+ - name: "RHEL-08-010020 | HIGH | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline"
+ command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline
+ check_mode: no
+ changed_when: no
+ failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1
+ when: rhel_08_010020_default_grub_missing_audit is changed
+ register: rhel_08_010020_grub_cmdline_linux_audit
+
+ - name: "RHEL-08-010020 | HIGH | PATCH | Copy over a sane /etc/default/grub"
+ template:
+ src: etc_default_grub.j2
+ dest: /etc/default/grub
+ owner: root
+ group: root
+ mode: 0644
+ vars:
+ grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}"
+ when: rhel_08_010020_default_grub_missing_audit is changed
+
+ - name: "RHEL-08-010020 | HIGH | PATCH | fips=1 must be in /etc/default/grub"
+ replace:
+ path: /etc/default/grub
+ regexp: "{{ rhel8stig_regexp_quoted_params }}"
+ replace: "{{ rhel8stig_replace_quoted_params }}"
+ vars:
+ key: GRUB_CMDLINE_LINUX
+ param: fips
+ value: 1
+ append: yes # this is the default
+ when:
+ - not ansible_check_mode or
+ rhel_08_010020_default_grub_missing_audit is not changed
+ notify:
+ - confirm grub2 user cfg
+
+ - name: "RHEL-08-010020 | HIGH | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line."
+ replace:
+ path: /etc/default/grub
+ regexp: "{{ rhel8stig_regexp_quoted_params }}"
+ replace: "{{ rhel8stig_replace_quoted_params }}"
+ with_items:
+ - "{{ ansible_mounts | json_query(query) }}"
+ vars:
+ query: "[?mount=='{{ rhel8stig_boot_part }}'] | [0]"
+ key: GRUB_CMDLINE_LINUX
+ param: boot
+ value: UUID={{ item.uuid }}
+ insert: yes
+ when:
+ - rhel8stig_boot_part not in ['/', '']
+ - not ansible_check_mode or
+ rhel_08_010020_default_grub_missing_audit is not changed
+ notify: confirm grub2 user cfg
+ register: result
+
+ - name: "RHEL-08-010020 | HIGH | AUDIT | Verify kernel parameters in /etc/default/grub"
+ command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub
+ check_mode: no
+ with_items:
+ - fips=1
+ - boot=UUID={{ ansible_mounts | json_query(query) }}
+ vars:
+ query: "[?mount=='{{ rhel8stig_boot_part }}'].uuid | [0]"
+ register: rhel_08_010020_audit
+ when:
+ - not ansible_check_mode or
+ rhel_08_010020_default_grub_missing_audit is not changed
+ - rhel8stig_boot_part not in ['/', ''] or
+ 'boot=' not in item
+ changed_when:
+ - ansible_check_mode
+ - rhel_08_010020_audit is failed
+ failed_when:
+ - rhel_08_010020_audit is failed
+ - not ansible_check_mode or
+ rhel_08_010020_audit.rc > 1
+ when: rhel_08_010020
+ tags:
+ - RHEL-08-010020
diff --git a/tasks/Cat_1/RHEL-08-010140_010150.yml b/tasks/Cat_1/RHEL-08-010140_010150.yml
new file mode 100644
index 00000000..841f5584
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-010140_010150.yml
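Review bot: The "Enables FIPS mode on kernel" task runs `fips-mode-setup --enable` on every play and `changed_when: rhel_08_010020_kernel_fips_enable.rc == 0` reports it changed each time, so the task is not idempotent and the play repeats the enable work on hosts that are already compliant. Read `/proc/sys/crypto/fips_enabled` first, with the same `check_mode: no` / `changed_when: no` audit pattern the hunk already uses for prelink, and run the enable only when it is not `1`. The rewritten pair of tasks replaces the single task; the rest of the block is unchanged.
```yaml
    - name: "RHEL-08-010020 | HIGH | AUDIT | Check whether FIPS mode is already enabled on the kernel"
      command: cat /proc/sys/crypto/fips_enabled
      check_mode: no
      changed_when: no
      failed_when: no
      register: rhel_08_010020_fips_state

    - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel"
      command: fips-mode-setup --enable
      register: rhel_08_010020_kernel_fips_enable
      changed_when: rhel_08_010020_kernel_fips_enable.rc == 0
      when: rhel_08_010020_fips_state.stdout | trim != '1'
    # … unchanged: prelink, GRUB_CMDLINE_LINUX, fips=1 and boot= tasks …
```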
@@ -0,0 +1,55 @@
+---
+
+name: |
+ "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."
+ "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes."
+ block:
+ # the createuser.cfg task is a workaround for the the ansible bug https://github.com/ansible/ansible/pull/59823
+ - name: |
+ "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Create user.cfg"
+ "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Create user.cfg"
+ shell: test -f {{ file_q }} && echo exists || {{ create_cmd }}
+ args:
+ warn: no
+ check_mode: "{{ ansible_check_mode is not defined }}"
+ register: rhel8stig_create_grub_user_cfg
+ changed_when:
+ - rhel8stig_create_grub_user_cfg.stdout == "created"
+ failed_when:
+ - rhel8stig_create_grub_user_cfg.stdout != "created"
+ - rhel8stig_create_grub_user_cfg.stdout != "exists"
+ vars:
+ file_q: "{{ (rhel8stig_grub_cfg_path | dirname ~ '/user.cfg') | quote }}"
+ create_cmd: "({{ ansible_check_mode | ternary('', 'touch ' ~ file_q ~ ' && ') }}echo created)"
+
+ - name: |
+ "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password"
+ "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password"
+ lineinfile:
+ path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg"
+ create: yes
+ regexp: ^GRUB2_PASSWORD=
+ line: GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}
+ owner: root
+ group: root
+ mode: 0640
+ notify: confirm grub2 user cfg
+
+ - name: |
+ "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers"
+ "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers"
+ lineinfile:
+ dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg"
+ regexp: '^set superusers'
+ line: 'set superusers="{{ rhel8stig_boot_superuser }}"'
+ insertafter: '### BEGIN /etc/grub.d/01_users ###'
+ notify: confirm grub2 user cfg
+ when:
+ - not system_is_ec2
+ - rhel_08_010140 or
+ rhel_08_010150
+ tags:
+ - RHEL-08-010140
+ - RHEL-08-010150
+ - grub
+ - bootloader
diff --git a/tasks/Cat_1/RHEL-08-010370.yml b/tasks/Cat_1/RHEL-08-010370.yml
new file mode 100644
index 00000000..93789a96
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-010370.yml
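Review bot: The new task file is a YAML mapping rather than a task list: `name: |` sits at column 0 with no leading `- `, so `block:`, `when:` and `tags:` become top-level keys and Ansible rejects the file as not being a list of tasks (the later hunk header `@@ -4,24 +4,6 @@ name: |` confirms the column-0 placement). Change the first line to `- name: |` and indent everything below it two more spaces. The block-scalar names also keep their surrounding double quotes and the newline as literal text, so one plain `name:` string per task would read better in play output. The `GRUB2_PASSWORD` `lineinfile` task has no `no_log: true`, so the bootloader password hash is echoed in verbose and diff output.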
@@ -0,0 +1,26 @@
+---
+
+- name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."
+ block:
+ - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos"
+ find:
+ paths: /etc/yum.repos.d
+ pattern: '*.repo'
+ register: rhel_08_010370_repos_files_list_full
+
+ - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Flatten result"
+ set_fact:
+ rhel_08_010370_repos_files_list: "{{ rhel_08_010370_repos_files_list_full.files | map(attribute='path') | flatten }}"
+
+ - name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Set gpgcheck"
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^gpgcheck'
+ line: gpgcheck=1
+ with_items:
+ - "{{ rhel_08_010370_repos_files_list }}"
+ when:
+ - rhel_08_010370
+ tags:
+ - RHEL-08-010370
+ - yum
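Review bot: The "Set gpgcheck" task uses `lineinfile` with `regexp: '^gpgcheck'`, which touches only one line per `.repo` file (the last match, or a line appended at end of file), so in a file with several `[sections]` — the normal shape of `redhat.repo` — a `gpgcheck=0` in any earlier section survives and a section that omits the key is not covered. Use `replace` with `regexp: '^gpgcheck\s*=.*$'` and `replace: 'gpgcheck=1'` so every explicit setting in every section is rewritten, and rely on the `/etc/dnf/dnf.conf` default for sections that omit it. `pattern:` on the `find` task is only an alias; `patterns:` is the documented parameter name.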
diff --git a/tasks/Cat_1/RHEL-08-010371.yml b/tasks/Cat_1/RHEL-08-010371.yml
new file mode 100644
index 00000000..0660a120
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-010371.yml
@@ -0,0 +1,12 @@
+---
+
+- name: "RHEL-08-010371 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."
+ lineinfile:
+ path: /etc/dnf/dnf.conf
+ regexp: '^localpkg_gpgcheck='
+ line: localpkg_gpgcheck=True
+ when:
+ - rhel_08_010371
+ tags:
+ - RHEL-08-010371
+ - dnf
diff --git a/tasks/Cat_1/RHEL-08-010460.yml b/tasks/Cat_1/RHEL-08-010460.yml
new file mode 100644
index 00000000..1b45e4a6
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-010460.yml
@@ -0,0 +1,11 @@
+---
+
+- name: "RHEL-08-010460 | HIGH | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system."
+ file:
+ path: /etc/ssh/shosts.equiv
+ state: absent
+ when:
+ - rhel_08_010460
+ tags:
+ - RHEL-08-010460
+ - shosts
diff --git a/tasks/Cat_1/RHEL-08-010470.yml b/tasks/Cat_1/RHEL-08-010470.yml
new file mode 100644
index 00000000..c2ed3e8d
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-010470.yml
@@ -0,0 +1,22 @@
+---
+
+- name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system."
+ block:
+ - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files"
+ find:
+ path: '/'
+ recurse: yes
+ patterns: '*.shosts'
+ register: rhel_08_010470_shost_files
+
+ - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files"
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ with_items:
+ - "{{ rhel_08_010470_shost_files.files }}"
+ when:
+ - rhel_08_010470
+ tags:
+ - RHEL-08-010470
+ - shosts
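Review bot: The `find` task in RHEL-08-010470.yml never returns the files this control targets: the module skips dotfiles unless `hidden: yes` is set, and `.shosts` is a dotfile, so `rhel_08_010470_shost_files.files` is always empty and the removal task is a silent no-op. Add `hidden: yes` (and `file_type: file`, so a directory named `*.shosts` is not handed to `file: state: absent`) under `find:`. Recursing from `/` also walks `/proc`, `/sys` and any network mounts, which is slow and can block; the play should at least be aware of that cost, and `path:` is the alias of the documented `paths:`.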
diff --git a/tasks/Cat_1/RHEL-08-010820.yml b/tasks/Cat_1/RHEL-08-010820.yml
new file mode 100644
index 00000000..82470413
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-010820.yml
@@ -0,0 +1,13 @@
+---
+
+- name: "RHEL-08-010820 | HIGH | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed."
+ lineinfile:
+ path: /etc/gdm/custom.conf
+ regexp: (?i)automaticloginenable
+ line: AutomaticLoginEnable=false
+ insertafter: '\[daemon\]'
+ when:
+ - rhel8stig_gui
+ - rhel_08_010820
+ tags:
+ - RHEL-08-010820
diff --git a/tasks/Cat_1/RHEL-08-020330.yml b/tasks/Cat_1/RHEL-08-020330.yml
new file mode 100644
index 00000000..4f5f0ac4
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-020330.yml
@@ -0,0 +1,25 @@
+---
+
+- name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords."
+ block:
+ - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok"
+ replace:
+ path: "{{ item }}"
+ regexp: ' nullok'
+ replace: ''
+ with_items:
+ - /etc/pam.d/system-auth
+ - /etc/pam.d/password-auth
+
+ - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Set PermitEmptyPasswords to no"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '(?i)^#?PermitEmptyPasswords'
+ line: 'PermitEmptyPasswords no'
+ notify: restart sshd
+ when:
+ - rhel_08_020330
+ - rhel8stig_disruption_high
+ tags:
+ - RHEL-08-020330
+ - disruption_high
diff --git a/tasks/Cat_1/RHEL-08-040000.yml b/tasks/Cat_1/RHEL-08-040000.yml
new file mode 100644
index 00000000..0dddea18
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-040000.yml
@@ -0,0 +1,10 @@
+---
+
+- name: "RHEL-08-040000 | HIGH | PATCH | RHEL 8 must not have the telnet-server package installed."
+ dnf:
+ name: telnet-server
+ state: absent
+ when:
+ - rhel_08_040000
+ tags:
+ - RHEL-08-040000
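Review bot: The `PermitEmptyPasswords` edit to `/etc/ssh/sshd_config` in RHEL-08-020330.yml has no `validate:` and the task notifies `restart sshd`, so a malformed file would take down remote access on the restart; add `validate: /usr/sbin/sshd -t -f %s` to the `lineinfile` task. `lineinfile` also appends at end of file when nothing matches, which places the directive inside a trailing `Match` block if one exists and scopes it to that block; `insertbefore: '^Match'` with `firstmatch: yes` keeps it global. On RHEL 8 `system-auth` and `password-auth` are normally generated by authselect, so the `nullok` removal is reverted on the next `authselect apply-changes` unless the profile itself is customised — worth a comment on the task.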
diff --git a/tasks/Cat_1/RHEL-08-040010.yml b/tasks/Cat_1/RHEL-08-040010.yml
new file mode 100644
index 00000000..cf180b62
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-040010.yml
@@ -0,0 +1,10 @@
+---
+
+- name: "RHEL-08-040010 | HIGH | PATCH | RHEL 8 must not have the rsh-server package installed."
+ dnf:
+ name: rsh-server
+ state: absent
+ when:
+ - rhel_08_040010
+ tags:
+ - RHEL-08-040010
diff --git a/tasks/Cat_1/RHEL-08-040170.yml b/tasks/Cat_1/RHEL-08-040170.yml
new file mode 100644
index 00000000..645153ae
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-040170.yml
@@ -0,0 +1,20 @@
+---
+
+- name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8."
+ block:
+ - name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Mask ctrl-alt-del.target"
+ systemd:
+ name: ctrl-alt-del.target
+ masked: yes
+ notify: systemctl daemon-reload
+
+ - name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Create symlink to /dev/null"
+ file:
+ src: /dev/null
+ dest: /etc/systemd/system/ctrl-alt-del.target
+ state: link
+ notify: systemctl daemon-reload
+ when:
+ - rhel_08_040170
+ tags:
+ - RHEL-08-040170
diff --git a/tasks/Cat_1/RHEL-08-040171.yml b/tasks/Cat_1/RHEL-08-040171.yml
new file mode 100644
index 00000000..b73528c1
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-040171.yml
@@ -0,0 +1,35 @@
+---
+
+- name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed."
+ block:
+ - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing"
+ command: grep -s logout /etc/dconf/db/local.d/*
+ changed_when: false
+ failed_when: false
+ register: rhel_08_040171_logout_settings_status
+
+ - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Add if missing"
+ lineinfile:
+ path: /etc/dconf/db/local.d/00-disable-CAD
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ insertafter: "{{ item.insertafter }}"
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' }
+ - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' }
+ when: rhel_08_040171_logout_settings_status.stdout | length == 0
+
+ - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists"
+ replace:
+ path: "{{ rhel_08_040171_logout_settings_status.stdout }}"
+ regexp: '^[L|l]ogout=.*'
+ replace: "logout=''"
+ when: rhel_08_040171_logout_settings_status.stdout | length > 0
+ when:
+ - rhel_08_040171
+ tags:
+ - RHEL-08-040171
diff --git a/tasks/Cat_1/RHEL-08-040172.yml b/tasks/Cat_1/RHEL-08-040172.yml
new file mode 100644
index 00000000..fab3249b
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-040172.yml
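Review bot: The "Check for setting existing" task runs `grep -s logout /etc/dconf/db/local.d/*` through the `command` module, which does no shell glob expansion, so the literal `*` is passed to grep, stdout is always empty, and the "Edit if exists" branch is dead code. Even when grep did match, its stdout is `file:line` text (or just the line for a single file), not a path, so `path: "{{ ...stdout }}"` in the `replace` task would not work; `[L|l]` is also a character class that matches a literal `|`. Use `find` with `contains` on the directory and loop over the matched files; the "Add if missing" task keeps its body and gates on `matched == 0`.
```yaml
    - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing"
      find:
        paths: /etc/dconf/db/local.d
        contains: '^[Ll]ogout='
      register: rhel_08_040171_logout_settings_status

    # … unchanged: "Add if missing" task body; its condition becomes
    #   when: rhel_08_040171_logout_settings_status.matched == 0

    - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists"
      replace:
        path: "{{ item.path }}"
        regexp: '^[Ll]ogout=.*'
        replace: "logout=''"
      with_items:
        - "{{ rhel_08_040171_logout_settings_status.files }}"
```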
@@ -0,0 +1,12 @@
+---
+
+- name: "RHEL-08-040172 | HIGH | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled."
+ lineinfile:
+ path: /etc/systemd/system.conf
+ regexp: '^CtrlAltDelBurstAction=|^#CtrlAltDelBurstAction='
+ line: CtrlAltDelBurstAction=none
+ notify: systemctl daemon-reload
+ when:
+ - rhel_08_040172
+ tags:
+ - RHEL-08-040172
diff --git a/tasks/Cat_1/RHEL-08-040190.yml b/tasks/Cat_1/RHEL-08-040190.yml
new file mode 100644
index 00000000..53ce3097
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-040190.yml
@@ -0,0 +1,12 @@
+---
+
+- name: "RHEL-08-040190 | HIGH | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support."
+ dnf:
+ name: tftp-server
+ state: absent
+ when:
+ - rhel_08_040190
+ - not rhel8stig_tftp_required
+ tags:
+ - RHEL-08-040190
+ - tftp
diff --git a/tasks/Cat_1/RHEL-08-040200.yml b/tasks/Cat_1/RHEL-08-040200.yml
new file mode 100644
index 00000000..11848043
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-040200.yml
@@ -0,0 +1,28 @@
+---
+
+- name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system."
+ block:
+ - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0"
+ shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_040200_nonroot_uid
+
+ - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0"
+ command: "passwd -l {{ item }}"
+ with_items:
+ - "{{ rhel_08_040200_nonroot_uid.stdout_lines }}"
+ when: rhel_08_040200_nonroot_uid.stdout | length > 0
+
+ - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked"
+ debug:
+ msg:
+ - "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user"
+ - " {{ rhel_08_040200_nonroot_uid.stdout_lines }}"
+ when: rhel_08_040200_nonroot_uid.stdout | length > 0
+ when:
+ - rhel_08_040200
+ - rhel8stig_disruption_high
+ tags:
+ - RHEL-08-040200
+ - disruption_high
diff --git a/tasks/Cat_1/RHEL-08-040360.yml b/tasks/Cat_1/RHEL-08-040360.yml
new file mode 100644
index 00000000..2f314808
--- /dev/null
+++ b/tasks/Cat_1/RHEL-08-040360.yml
@@ -0,0 +1,11 @@
+---
+
+- name: "RHEL-08-040360 | HIGH | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8."
+ dnf:
+ name: vsftpd
+ state: absent
+ when:
+ - rhel_08_040360
+ tags:
+ - RHEL-08-040360
+ - ftp
diff --git a/tasks/pre_LE_audit.yml b/tasks/pre_LE_audit.yml
new file mode 100644
index 00000000..4d65dda2
--- /dev/null
+++ b/tasks/pre_LE_audit.yml
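Review bot: "Lock non-root account with UID of 0" in RHEL-08-040200.yml runs `command: passwd -l` per account, which reports changed on every play, and a password lock only blocks password logins — a second UID-0 account with authorized SSH keys, or reachable through `su`, remains usable and the control's own check (any passwd entry other than root with UID 0) still fails. The idempotent form is `user:` with `name: "{{ item }}"` and `password_lock: yes`, and the task name or a comment should say that remediation here is a partial lock rather than the UID change the control describes, since that is what `rhel8stig_disruption_high` is gating. The useless `cat` in the `shell` pipeline can go: `awk -F: '...' /etc/passwd`.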
@@ -0,0 +1,145 @@
+---
+
+- name: Setup the LE audit
+ include_tasks: LE_audit_setup.yml
+ when:
+ - rhel8stig_setup_audit
+ tags:
+ - setup_audit
+
+- name: "Ensure {{ goss_audit_dir }} exists"
+ file:
+ path: "{{ goss_audit_dir }}"
+ state: directory
+ mode: '0755'
+
+- name: If using git for content set up
+ block:
+ - name: Install git
+ package:
+ name: git
+ state: present
+ vars:
+ ansible_python_interpreter: "{{ python2_bin }}"
+
+ - name: retrieve audit content files from git
+ git:
+ repo: "{{ rhel8stig_audit_file_git }}"
+ dest: "{{ goss_audit_dir }}"
+ version: "{{ rhel8stig_audit_git_version }}"
+ when:
+ - rhel8stig_audit_content == 'git'
+
+- name: copy to audit content files to server
+ copy:
+ src: "{{ rhel8stig_audit_local_copy }}"
+ dest: "{{ goss_audit_dir }}"
+ mode: 0644
+ when:
+ - rhel8stig_audit_content == 'copy'
+
+- name: get audit content from url
+ get_url:
+ url: "{{ rhel8stig_audit_files_url }}"
+ dest: "{{ goss_audit_dir }}"
+ when:
+ - rhel8stig_audit_content == 'get_url'
+
+- name: Check Goss is available
+ block:
+ - name: Check for goss file
+ stat:
+ path: "{{ goss_bin }}"
+ register: goss_available
+
+ - name: If audit ensure goss is available
+ assert:
+ msg: "Audit has been selected: unable to find goss binary at {{ goss_bin }}"
+ when:
+ - not goss_available.stat.exists
+ when:
+ - rhel8stig_run_audit
+
+- name: "Check whether machine is UEFI-based"
+ stat:
+ path: /sys/firmware/efi
+ register: rhel8_efi_boot
+ tags:
+ - goss_template
+
+- name: set bootloader type
+ block:
+ - name: "PRELIM | set fact if UEFI boot | RHEL or OEL"
+ set_fact:
+ rhel8stig_bootloader_path: /boot/efi/EFI/redhat
+ rhel8stig_legacy_boot: false
+ when:
+ - rhel8_efi_boot.stat.exists
+ - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path
+
+ - name: "PRELIM | set fact if UEFI boot | CentOS "
+ set_fact:
+ rhel8stig_bootloader_path: /boot/efi/EFI/centos
+ rhel8stig_legacy_boot: false
+ when:
+ - rhel8_efi_boot.stat.exists
+ - ansible_distribution == 'CentOS'
+
+ - name: "PRELIM | set if not UEFI boot"
+ set_fact:
+ rhel8stig_bootloader_path: /boot/grub2/
+ rhel8stig_legacy_boot: true
+ when: not rhel8_efi_boot.stat.exists
+
+ - name: output bootloader and efi state
+ debug:
+ msg:
+ - "bootloader path set to {{ rhel8stig_bootloader_path }}"
+ - "legacy boot equals {{ rhel8stig_legacy_boot }}"
+
+- name: Copy ansible default vars values to test audit
+ template:
+ src: ansible_vars_goss.yml
+ dest: "{{ goss_vars_path }}"
+ mode: 0600
+ when:
+ - rhel8stig_run_audit
+ tags:
+ - goss_template
+
+- name: "Run pre_remediation {{ benchmark }} audit"
+ goss:
+ goss_path: "{{ goss_bin }}"
+ path: "{{ goss_file }}"
+ vars_path: "{{ goss_vars_path }}"
+ format: "{{ goss_format }}"
+ output_file: "{{ pre_audit_outfile }}"
+ failed_when: false
+
+- name: Capture audit data if json format
+ block:
+ - name: "capture data {{ pre_audit_outfile }}"
+ command: "cat {{ pre_audit_outfile }}"
+ register: pre_audit
+ changed_when: false
+
+ - name: Capture pre-audit result
+ set_fact:
+ pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}"
+ vars:
+ summary: 'summary."summary-line"'
+ when:
+ - goss_format == "json"
+
+- name: Capture audit data if documentation format
+ block:
+ - name: "capture data {{ pre_audit_outfile }}"
+ command: "tail -2 {{ pre_audit_outfile }}"
+ register: pre_audit
+ changed_when: false
+
+ - name: Capture pre-audit result
+ set_fact:
+ pre_audit_summary: "{{ pre_audit.stdout_lines }}"
+ when:
+ - goss_format == "documentation"
From 98e26f3dfd86346691090f86ec5211bf8438a9e3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Jul 2021 12:10:53 +0100 Subject: [PATCH 002/110] cat1_initial audit Signed-off-by: Mark Bolwell --- templates/ansible_goss_vars.yml.j2 | 39 ++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 templates/ansible_goss_vars.yml.j2
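Review bot: The `assert` task in the "Check Goss is available" block has a `msg:` but no `that:`, which is a required argument, so when `rhel8stig_run_audit` is true and the binary is missing the task fails with a missing-argument error instead of the intended message; write `that: goss_available.stat.exists` with `fail_msg:` and drop the `when`. The template task uses `src: ansible_vars_goss.yml` while the template added in the next commit is `templates/ansible_goss_vars.yml.j2`, so unless a template by the former name exists outside this series the task fails with a missing-source error. `get_url` fetches the audit content with no `checksum:`; content that goss executes on every host should be pinned, e.g. `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"`, and the `git:` path at least pins a `version`. The "Run pre_remediation" task has no `when: rhel8stig_run_audit` although the checks before it are gated on that variable.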
diff --git a/templates/ansible_goss_vars.yml.j2 b/templates/ansible_goss_vars.yml.j2
new file mode 100644
index 00000000..5b08feb6
--- /dev/null
+++ b/templates/ansible_goss_vars.yml.j2
@@ -0,0 +1,39 @@
+# turn the categories on/off
+rhel8stig_cat1: true
+
+# Some tests may need to scan every filesystem or have an impact on a system
+# these may need be scheduled to minimise impact
+run_heavy_tests: true
+timeout_ms: 20000
+
+# If using the supplied graphical interface
+rhel8stig_gui: false
+
+# Sets up the system dependant on bootloader
+legacy_boot: {{ rhel8stig_legacy_boot }}
+rhel8stig_bootloader_path: {{ rhel8stig_bootloader_path }}
+
+
+# Cat 1 rules
+RHEL_08_010000: {{ rhel_08_010000 }}
+RHEL_08_010020: {{ rhel_08_010020 }}
+RHEL_08_010140: {{ rhel_08_010140 }}
+RHEL_08_010150: {{ rhel_08_010150 }}
+RHEL_08_010370: {{ rhel_08_010370 }}
+RHEL_08_010371: {{ rhel_08_010371 }}
+RHEL_08_010460: {{ rhel_08_010460 }}
+RHEL_08_010470: {{ rhel_08_010470 }}
+RHEL_08_010820: {{ rhel_08_010820 }}
+RHEL_08_020330: {{ rhel_08_020330 }}
+RHEL_08_040000: {{ rhel_08_040000 }}
+RHEL_08_040010: {{ rhel_08_040010 }}
+RHEL_08_040170: {{ rhel_08_040170 }}
+RHEL_08_040171: {{ rhel_08_040171 }}
+RHEL_08_040172: {{ rhel_08_040172 }}
+RHEL_08_040190: {{ rhel_08_040190 }}
+RHEL_08_040200: {{ rhel_08_040200 }}
+RHEL_08_040360: {{ rhel_08_040360 }}
+
+
+
+rhel8stig_password_hash: {{ rhel8stig_password_hash }}
\ No newline at end of file
From 80440fc014b89722119943e58954afce4948a4ff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Jul 2021 12:40:43 +0100 Subject: [PATCH 003/110] Updated for v1.2 Signed-off-by: Mark Bolwell --- tasks/Cat_1/RHEL-08-010140_010150.yml | 20 +------------------- tasks/Cat_1/RHEL-08-010370.yml | 6 ++++++ tasks/Cat_1/RHEL-08-040000.yml | 1 + tasks/Cat_1/RHEL-08-040010.yml | 1 + tasks/Cat_1/RHEL-08-040171.yml | 1 + tasks/Cat_1/RHEL-08-040190.yml | 1 + tasks/Cat_1/RHEL-08-040360.yml | 1 + 7 files changed, 12 insertions(+), 19 deletions(-)
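Review bot: Every templated value in this file is emitted as a plain scalar (`legacy_boot: {{ rhel8stig_legacy_boot }}`, `rhel8stig_bootloader_path: {{ rhel8stig_bootloader_path }}`, `rhel8stig_password_hash: {{ rhel8stig_password_hash }}`), so an empty variable renders as `null` and a value starting with a YAML indicator breaks the parse; quote the string-valued ones as `"{{ ... }}"`. The booleans render in Python spelling (`True`/`False`), which goss's loader may accept but yamllint does not — `{{ rhel8stig_legacy_boot | lower }}` gives `true`/`false`. The file also has no trailing newline, and a one-line header comment stating that it is rendered on the target with mode 0600 because it carries the bootloader password hash would help the next maintainer.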
diff --git a/tasks/Cat_1/RHEL-08-010140_010150.yml b/tasks/Cat_1/RHEL-08-010140_010150.yml
index 841f5584..cad04b8d 100644
--- a/tasks/Cat_1/RHEL-08-010140_010150.yml
+++ b/tasks/Cat_1/RHEL-08-010140_010150.yml
@@ -4,24 +4,6 @@ name: |
 "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."
 "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes."
 block:
- # the createuser.cfg task is a workaround for the the ansible bug https://github.com/ansible/ansible/pull/59823
- - name: |
- "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Create user.cfg"
- "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Create user.cfg"
- shell: test -f {{ file_q }} && echo exists || {{ create_cmd }}
- args:
- warn: no
- check_mode: "{{ ansible_check_mode is not defined }}"
- register: rhel8stig_create_grub_user_cfg
- changed_when:
- - rhel8stig_create_grub_user_cfg.stdout == "created"
- failed_when:
- - rhel8stig_create_grub_user_cfg.stdout != "created"
- - rhel8stig_create_grub_user_cfg.stdout != "exists"
- vars:
- file_q: "{{ (rhel8stig_grub_cfg_path | dirname ~ '/user.cfg') | quote }}"
- create_cmd: "({{ ansible_check_mode | ternary('', 'touch ' ~ file_q ~ ' && ') }}echo created)"
-
 - name: |
 "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password"
 "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password"
@@ -29,7 +11,7 @@ name: |
 path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg"
 create: yes
 regexp: ^GRUB2_PASSWORD=
- line: GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}
+ line: "GRUB2_PASSWORD=grub.pbkdf2.sha512.{{ rhel8stig_bootloader_password_hash }}"
 owner: root
 group: root
 mode: 0640
diff --git a/tasks/Cat_1/RHEL-08-010370.yml b/tasks/Cat_1/RHEL-08-010370.yml
index 93789a96..27f03fab 100644
--- a/tasks/Cat_1/RHEL-08-010370.yml
+++ b/tasks/Cat_1/RHEL-08-010370.yml
@@ -2,6 +2,12 @@
 - name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."
 block:
+ - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Dnf Default"
+ lineinfile:
+ path: /etc/dnf/dnf.conf
+ regexp: '^gpgcheck='
+ line: gpgcheck=1
+
 - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos"
 find:
 paths: /etc/yum.repos.d
diff --git a/tasks/Cat_1/RHEL-08-040000.yml b/tasks/Cat_1/RHEL-08-040000.yml
index 0dddea18..485d9752 100644
--- a/tasks/Cat_1/RHEL-08-040000.yml
+++ b/tasks/Cat_1/RHEL-08-040000.yml
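Review bot: The replacement `line:` hard-codes the `grub.pbkdf2.sha512.` prefix in front of `rhel8stig_bootloader_password_hash`, so a value that already carries the full string as printed by `grub2-mkpasswd-pbkdf2` (which begins with that prefix) is doubled and the user.cfg entry becomes invalid; the variable's default is outside this view, so the expected form should be documented where it is defined. A guard keeps both forms working: `line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash if rhel8stig_bootloader_password_hash.startswith('grub.pbkdf2.') else 'grub.pbkdf2.sha512.' ~ rhel8stig_bootloader_password_hash }}"`. The enclosing task starts before this hunk, and the file's top-level `name: |` (still a mapping, not a task list, as the hunk header shows) is unchanged by this commit.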
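Review bot: The new "Dnf Default" task in RHEL-08-010370.yml is labelled `AUDIT` but edits `/etc/dnf/dnf.conf`, so it should carry `PATCH` like its siblings for the role's reporting to be accurate. `regexp: '^gpgcheck='` also misses a `gpgcheck = 0` written with spaces, which dnf's INI parser accepts, and then appends a second, conflicting key; `regexp: '^gpgcheck\s*='` covers both spellings. The enclosing block starts before this hunk.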
@@ -6,5 +6,6 @@ state: absent when: - rhel_08_040000 + - - "'telnet-server' in ansible_facts.packages" tags: - RHEL-08-040000 diff --git a/tasks/Cat_1/RHEL-08-040010.yml b/tasks/Cat_1/RHEL-08-040010.yml index cf180b62..a71e06d4 100644 --- a/tasks/Cat_1/RHEL-08-040010.yml +++ b/tasks/Cat_1/RHEL-08-040010.yml @@ -6,5 +6,6 @@ state: absent when: - rhel_08_040010 + - "'rsh-server' in ansible_facts.packages" tags: - RHEL-08-040010 diff --git a/tasks/Cat_1/RHEL-08-040171.yml b/tasks/Cat_1/RHEL-08-040171.yml index b73528c1..0be5e4e5 100644 --- a/tasks/Cat_1/RHEL-08-040171.yml +++ b/tasks/Cat_1/RHEL-08-040171.yml @@ -31,5 +31,6 @@ when: rhel_08_040171_logout_settings_status.stdout | length > 0 when: - rhel_08_040171 + - "'gnome-desktop' in ansible_facts.packages" tags: - RHEL-08-040171 diff --git a/tasks/Cat_1/RHEL-08-040190.yml b/tasks/Cat_1/RHEL-08-040190.yml index 53ce3097..77ea9b34 100644 --- a/tasks/Cat_1/RHEL-08-040190.yml +++ b/tasks/Cat_1/RHEL-08-040190.yml @@ -6,6 +6,7 @@ state: absent when: - rhel_08_040190 + - "'tftp-server' in ansible_facts.packages" - not rhel8stig_tftp_required tags: - RHEL-08-040190 diff --git a/tasks/Cat_1/RHEL-08-040360.yml b/tasks/Cat_1/RHEL-08-040360.yml index 2f314808..a778b979 100644 --- a/tasks/Cat_1/RHEL-08-040360.yml +++ b/tasks/Cat_1/RHEL-08-040360.yml @@ -6,6 +6,7 @@ state: absent when: - rhel_08_040360 + - "'vsftpd' in ansible_facts.packages" tags: - RHEL-08-040360 - ftp From 0a92df1d2689e2a9b34bda3195744d413edf0d53 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Jul 2021 12:40:52 +0100 Subject: [PATCH 004/110] added more vars for cat1 Signed-off-by: Mark Bolwell --- templates/ansible_goss_vars.yml.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/ansible_goss_vars.yml.j2 b/templates/ansible_goss_vars.yml.j2 index 5b08feb6..7f48b9de 100644 --- a/templates/ansible_goss_vars.yml.j2 +++ b/templates/ansible_goss_vars.yml.j2 
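Review bot: The added condition is written `- - "'telnet-server' in ansible_facts.packages"`, which YAML reads as a nested list (a list holding the string) rather than a second string in the `when` list. Depending on the Ansible release that either raises an error about a non-string conditional or templates the list's repr and treats it as truthy, so the package check never gates the removal. Drop the extra dash: `- "'telnet-server' in ansible_facts.packages"`, as the sibling files in this commit do. The same typo is still visible as context in the later tags-only change to this file, so nothing in the series corrects it.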
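Review bot: The gate `'gnome-desktop' in ansible_facts.packages` checks a package name that, as far as I know, is not shipped on RHEL 8 — the library package is `gnome-desktop3` and a desktop install is normally detected via `gnome-shell` or `gdm` — so this task would never run on the hosts it targets. Confirm with `rpm -qa | grep -i gnome` on a GUI install and gate on something like `- "'gnome-shell' in ansible_facts.packages"`, which also lines up with the STIG's "not applicable if no GUI is installed" wording. The block this condition belongs to starts outside the hunk.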
@@ -1,5 +1,5 @@ # turn the categories on/off -rhel8stig_cat1: true +rhel8stig_cat1: {{ rhel8stig_cat1_patch }} # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact @@ -36,4 +36,5 @@ RHEL_08_040360: {{ rhel_08_040360 }} -rhel8stig_password_hash: {{ rhel8stig_password_hash }} \ No newline at end of file +rhel8stig_password_hash: {{ rhel8stig_bootloader_password_hash }} +rhel8stig_boot_superuser: {{ rhel8stig_boot_superuser }} \ No newline at end of file From 3dd2803886bdc97bbe1e66ab295b122673d338d1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Jul 2021 19:08:34 +0100 Subject: [PATCH 005/110] extended tags Signed-off-by: Mark Bolwell --- tasks/Cat_1/RHEL-08-010000.yml | 7 +++++++ tasks/Cat_1/RHEL-08-010020.yml | 5 +++++ tasks/Cat_1/RHEL-08-010140_010150.yml | 7 +++++++ tasks/Cat_1/RHEL-08-010370.yml | 5 +++++ tasks/Cat_1/RHEL-08-010371.yml | 5 +++++ tasks/Cat_1/RHEL-08-010460.yml | 5 +++++ tasks/Cat_1/RHEL-08-010470.yml | 5 +++++ tasks/Cat_1/RHEL-08-010820.yml | 5 +++++ tasks/Cat_1/RHEL-08-020330.yml | 5 +++++ tasks/Cat_1/RHEL-08-040000.yml | 5 +++++ tasks/Cat_1/RHEL-08-040010.yml | 5 +++++ tasks/Cat_1/RHEL-08-040170.yml | 5 +++++ tasks/Cat_1/RHEL-08-040171.yml | 6 ++++++ tasks/Cat_1/RHEL-08-040172.yml | 5 +++++ tasks/Cat_1/RHEL-08-040190.yml | 5 +++++ tasks/Cat_1/RHEL-08-040200.yml | 5 +++++ tasks/Cat_1/RHEL-08-040360.yml | 5 +++++ 17 files changed, 90 insertions(+) diff --git a/tasks/Cat_1/RHEL-08-010000.yml b/tasks/Cat_1/RHEL-08-010000.yml index c687030d..5b0c9548 100644 --- a/tasks/Cat_1/RHEL-08-010000.yml +++ b/tasks/Cat_1/RHEL-08-010000.yml @@ -8,3 +8,10 @@ - rhel_08_010000 tags: - RHEL-08-010000 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230221r627750_rule + - V-230221 + + diff --git a/tasks/Cat_1/RHEL-08-010020.yml b/tasks/Cat_1/RHEL-08-010020.yml index 83363ddf..01d91976 100644 --- a/tasks/Cat_1/RHEL-08-010020.yml +++ b/tasks/Cat_1/RHEL-08-010020.yml 
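Review bot: `rhel8stig_password_hash: {{ rhel8stig_bootloader_password_hash }}` and `rhel8stig_boot_superuser: {{ rhel8stig_boot_superuser }}` render unquoted into the goss vars file, so any value that starts with a YAML indicator or looks like a number/boolean is retyped by goss's parser; quote them as `rhel8stig_password_hash: "{{ rhel8stig_bootloader_password_hash }}"`. This also copies the bootloader hash into a file under the audit directory, so whatever task writes the rendered template must keep a root-only mode. The template still ends without a trailing newline, which makes every future append show up as a two-line diff.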
@@ -116,3 +116,8 @@ when: rhel_08_010020 tags: - RHEL-08-010020 + - CAT1 + - CCI-000068 + - SRG-OS-000033-GPOS-00014 + - SV-230223r627750_rule + - V-230223 diff --git a/tasks/Cat_1/RHEL-08-010140_010150.yml b/tasks/Cat_1/RHEL-08-010140_010150.yml index cad04b8d..7bc84729 100644 --- a/tasks/Cat_1/RHEL-08-010140_010150.yml +++ b/tasks/Cat_1/RHEL-08-010140_010150.yml @@ -33,5 +33,12 @@ name: | tags: - RHEL-08-010140 - RHEL-08-010150 + - CAT1 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-230234r627750_rule + - SV-230235r627750_rule + - V-230234 + - V-230235 - grub - bootloader diff --git a/tasks/Cat_1/RHEL-08-010370.yml b/tasks/Cat_1/RHEL-08-010370.yml index 27f03fab..1e5ce8ab 100644 --- a/tasks/Cat_1/RHEL-08-010370.yml +++ b/tasks/Cat_1/RHEL-08-010370.yml @@ -29,4 +29,9 @@ - rhel_08_010370 tags: - RHEL-08-010370 + - CAT1 + - CCI-001749 + - SRG-OS-000366-GPOS-00153 + - SV-230264r627750_rule + - V-230264 - yum diff --git a/tasks/Cat_1/RHEL-08-010371.yml b/tasks/Cat_1/RHEL-08-010371.yml index 0660a120..c6d8118d 100644 --- a/tasks/Cat_1/RHEL-08-010371.yml +++ b/tasks/Cat_1/RHEL-08-010371.yml @@ -9,4 +9,9 @@ - rhel_08_010371 tags: - RHEL-08-010371 + - CAT1 + - CCI-001749 + - SRG-OS-000366-GPOS-00153 + - SV-230265r627750_rule + - V-230265 - dnf diff --git a/tasks/Cat_1/RHEL-08-010460.yml b/tasks/Cat_1/RHEL-08-010460.yml index 1b45e4a6..6f0beb01 100644 --- a/tasks/Cat_1/RHEL-08-010460.yml +++ b/tasks/Cat_1/RHEL-08-010460.yml @@ -8,4 +8,9 @@ - rhel_08_010460 tags: - RHEL-08-010460 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230283r627750_rule + - V-230283 - shosts diff --git a/tasks/Cat_1/RHEL-08-010470.yml b/tasks/Cat_1/RHEL-08-010470.yml index c2ed3e8d..1b0a82b3 100644 --- a/tasks/Cat_1/RHEL-08-010470.yml +++ b/tasks/Cat_1/RHEL-08-010470.yml @@ -19,4 +19,9 @@ - rhel_08_010470 tags: - RHEL-08-010470 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230284r627750_rule + - V-230284 - shosts 
diff --git a/tasks/Cat_1/RHEL-08-010820.yml b/tasks/Cat_1/RHEL-08-010820.yml index 82470413..d091092d 100644 --- a/tasks/Cat_1/RHEL-08-010820.yml +++ b/tasks/Cat_1/RHEL-08-010820.yml @@ -11,3 +11,8 @@ - rhel_08_010820 tags: - RHEL-08-010820 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00229 + - SV-230329r627750_rule + - V-230329 diff --git a/tasks/Cat_1/RHEL-08-020330.yml b/tasks/Cat_1/RHEL-08-020330.yml index 4f5f0ac4..51e7088e 100644 --- a/tasks/Cat_1/RHEL-08-020330.yml +++ b/tasks/Cat_1/RHEL-08-020330.yml @@ -22,4 +22,9 @@ - rhel8stig_disruption_high tags: - RHEL-08-020330 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230380r627750_rule + - V-230380 - disruption_high diff --git a/tasks/Cat_1/RHEL-08-040000.yml b/tasks/Cat_1/RHEL-08-040000.yml index 485d9752..9e4e3f90 100644 --- a/tasks/Cat_1/RHEL-08-040000.yml +++ b/tasks/Cat_1/RHEL-08-040000.yml @@ -9,3 +9,8 @@ - - "'telnet-server' in ansible_facts.packages" tags: - RHEL-08-040000 + - CAT1 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230487r627750_rule + - V-230487 diff --git a/tasks/Cat_1/RHEL-08-040010.yml b/tasks/Cat_1/RHEL-08-040010.yml index a71e06d4..74e2aa18 100644 --- a/tasks/Cat_1/RHEL-08-040010.yml +++ b/tasks/Cat_1/RHEL-08-040010.yml @@ -9,3 +9,8 @@ - "'rsh-server' in ansible_facts.packages" tags: - RHEL-08-040010 + - CAT1 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230492r627750_rule + - V-230492 diff --git a/tasks/Cat_1/RHEL-08-040170.yml b/tasks/Cat_1/RHEL-08-040170.yml index 645153ae..27ad2996 100644 --- a/tasks/Cat_1/RHEL-08-040170.yml +++ b/tasks/Cat_1/RHEL-08-040170.yml @@ -18,3 +18,8 @@ - rhel_08_040170 tags: - RHEL-08-040170 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230529r627750_rule + - V-230529 diff --git a/tasks/Cat_1/RHEL-08-040171.yml b/tasks/Cat_1/RHEL-08-040171.yml index 0be5e4e5..cbff5791 100644 --- a/tasks/Cat_1/RHEL-08-040171.yml +++ b/tasks/Cat_1/RHEL-08-040171.yml 
@@ -34,3 +34,9 @@ - "'gnome-desktop' in ansible_facts.packages" tags: - RHEL-08-040171 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230530r646883_rule + - V-230530 + diff --git a/tasks/Cat_1/RHEL-08-040172.yml b/tasks/Cat_1/RHEL-08-040172.yml index fab3249b..2353879d 100644 --- a/tasks/Cat_1/RHEL-08-040172.yml +++ b/tasks/Cat_1/RHEL-08-040172.yml @@ -10,3 +10,8 @@ - rhel_08_040172 tags: - RHEL-08-040172 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230531r627750_rule + - V-230531 diff --git a/tasks/Cat_1/RHEL-08-040190.yml b/tasks/Cat_1/RHEL-08-040190.yml index 77ea9b34..0e0fb3b0 100644 --- a/tasks/Cat_1/RHEL-08-040190.yml +++ b/tasks/Cat_1/RHEL-08-040190.yml @@ -10,4 +10,9 @@ - not rhel8stig_tftp_required tags: - RHEL-08-040190 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230533r627750_rule + - V-230533 - tftp diff --git a/tasks/Cat_1/RHEL-08-040200.yml b/tasks/Cat_1/RHEL-08-040200.yml index 11848043..07f02c2b 100644 --- a/tasks/Cat_1/RHEL-08-040200.yml +++ b/tasks/Cat_1/RHEL-08-040200.yml @@ -25,4 +25,9 @@ - rhel8stig_disruption_high tags: - RHEL-08-040200 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230534r627750_rule + - V-230534 - disruption_high diff --git a/tasks/Cat_1/RHEL-08-040360.yml b/tasks/Cat_1/RHEL-08-040360.yml index a778b979..1fc4f9c9 100644 --- a/tasks/Cat_1/RHEL-08-040360.yml +++ b/tasks/Cat_1/RHEL-08-040360.yml @@ -9,4 +9,9 @@ - "'vsftpd' in ansible_facts.packages" tags: - RHEL-08-040360 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230558r627750_rule + - V-230558 - ftp From e376f1e18e17e26912331609a90561fd17734ea0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Jul 2021 19:09:23 +0100 Subject: [PATCH 006/110] Added testing config 
Signed-off-by: Mark Bolwell --- tasks/Cat_1/main.yml | 20 +++++++++++ tasks/main.old | 79 ++++++++++++++++++++++++++++++++++++++++++++ tasks/main.yml | 28 ++++++++-------- testing.yml | 11 ++++++ 4 files changed, 124 insertions(+), 14 deletions(-) create mode 100644 tasks/Cat_1/main.yml create mode 100644 tasks/main.old create mode 100644 testing.yml diff --git a/tasks/Cat_1/main.yml b/tasks/Cat_1/main.yml new file mode 100644 index 00000000..d2ba6478 --- /dev/null +++ b/tasks/Cat_1/main.yml @@ -0,0 +1,20 @@ +--- + +- name: Include Cat 1 tasks + include_tasks: RHEL-08-010000.yml + include_tasks: RHEL-08-010020.yml + include_tasks: RHEL-08-010140_010150.yml + include_tasks: RHEL-08-010370.yml + include_tasks: RHEL-08-010371.yml + include_tasks: RHEL-08-010460.yml + include_tasks: RHEL-08-010470.yml + include_tasks: RHEL-08-010820.yml + include_tasks: RHEL-08-020330.yml + include_tasks: RHEL-08-040000.yml + include_tasks: RHEL-08-040010.yml + include_tasks: RHEL-08-040170.yml + include_tasks: RHEL-08-040171.yml + include_tasks: RHEL-08-040172.yml + include_tasks: RHEL-08-040190.yml + include_tasks: RHEL-08-040200.yml + include_tasks: RHEL-08-040360.yml diff --git a/tasks/main.old b/tasks/main.old new file mode 100644 index 00000000..9086f6cf --- /dev/null +++ b/tasks/main.old 
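Review bot: The new `tasks/Cat_1/main.yml` puts seventeen `include_tasks:` keys under a single task mapping, which YAML treats as duplicate keys; Ansible keeps only the last one (with a warning), so only `RHEL-08-040360.yml` would ever be included. Each file needs its own list item — `- import_tasks: RHEL-08-010000.yml`, one per control — and a static `import_tasks` is preferable here because the per-control tags inside each file (`RHEL-08-010000`, `CAT1`, …) are only honored by `--tags` on static imports. As written, sixteen of the CAT I controls are silently skipped.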
@@ -0,0 +1,79 @@ +--- +- name: Gather distribution info + setup: + gather_subset: distribution,!all,!min + when: + - ansible_distribution is not defined + tags: + - always + +- name: Check OS version and family + assert: + that: ansible_os_family == 'RedHat' and ansible_distribution_major_version is version_compare('8', '==') + msg: "This role can only be run against RHEL/CENTOS 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + tags: + - always + +- name: Check ansible version + assert: + that: ansible_version.full is version_compare(rhel8stig_min_ansible_version, '>=') + msg: You must use Ansible {{ rhel8stig_min_ansible_version }} or greater + tags: + - always + +- name: Check if using resolv.conf template settings are changed + assert: + that: + - rhel8_stig_resolv_domain != 'example.com' + - rhel8_stig_resolv_search | length > 0 + msg: "You are set to change your resolv.conf file this can be very disruptive if not configured correctly" + + when: + - rhel8_stig_use_resolv_template + - rhel_08_010680 + tags: + - always + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - always + +# - name: Install OpenSCAP and run a report +# import_tasks: audit_oscap_scan_before.yml +# when: rhel8stig_oscap_scan +# tags: +# - oscapreport + +- import_tasks: prelim.yml + become: yes + tags: + - prelim_tasks + +- name: Include CAT I patches + import_tasks: fix-cat1.yml + when: rhel8stig_cat1_patch | bool + tags: + - cat1 + - high + +- name: Include CAT II patches + import_tasks: fix-cat2.yml + when: rhel8stig_cat2_patch | bool + tags: + - cat2 + - medium + +- name: Include CAT III patches + import_tasks: fix-cat3.yml + when: rhel8stig_cat3_patch | bool + tags: + - cat3 + - low + +# - name: run the OpenSCAP reporting tool again +# import_tasks: audit_oscap_scan_after.yml +# when: rhel8stig_oscap_scan +# tags: +# - oscapreport diff --git a/tasks/main.yml b/tasks/main.yml index 9086f6cf..efc9b860 100644 
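Review bot: `tasks/main.old` is a byte-identical copy of the previous `tasks/main.yml` (same blob `9086f6cf`) committed as a backup; git history already holds it, and a stray `.old` file inside `tasks/` invites confusion about which entry point is live. Drop it from the commit, or keep the reference copy outside the role tree while the refactor is in progress.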
--- a/tasks/main.yml +++ b/tasks/main.yml @@ -52,25 +52,25 @@ - prelim_tasks - name: Include CAT I patches - import_tasks: fix-cat1.yml - when: rhel8stig_cat1_patch | bool + import_tasks: cat_1/main.yml + when: rhel8stig_cat1_patch tags: - cat1 - high -- name: Include CAT II patches - import_tasks: fix-cat2.yml - when: rhel8stig_cat2_patch | bool - tags: - - cat2 - - medium +#- name: Include CAT II patches +# import_tasks: fix-cat2.yml +# tags: +# - cat2 +## when: rhel8stig_cat2_patch | bool +# - medium -- name: Include CAT III patches - import_tasks: fix-cat3.yml - when: rhel8stig_cat3_patch | bool - tags: - - cat3 - - low +#- name: Include CAT III patches +# import_tasks: fix-cat3.yml +# when: rhel8stig_cat3_patch | bool +# tags: +# - cat3 +# - low # - name: run the OpenSCAP reporting tool again # import_tasks: audit_oscap_scan_after.yml diff --git a/testing.yml b/testing.yml new file mode 100644 index 00000000..f3207c8b --- /dev/null +++ b/testing.yml @@ -0,0 +1,11 @@ +--- +- hosts: all + become: true + vars: + is_container: false + + roles: + - role: "{{ playbook_dir }}" + rhel8cis_system_is_container: "{{ is_container | default(false) }}" + rhel8cis_skip_for_travis: false + rhel8cis_oscap_scan: yes From 5ea476d09d9b42472923c80ac6d3d9cd9e2297d0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 14 Jul 2021 12:00:08 +0100 Subject: [PATCH 007/110] Added audit steps 
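Review bot: `import_tasks: cat_1/main.yml` does not match the directory this commit adds, `tasks/Cat_1/main.yml`; on a case-sensitive filesystem the import fails at parse time with a "could not find or access" error. Use `import_tasks: Cat_1/main.yml`. In the commented-out CAT II stanza the `## when: rhel8stig_cat2_patch | bool` line now sits inside `tags:`, so it will need re-ordering before that block is re-enabled.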
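Review bot: `testing.yml` passes `rhel8cis_system_is_container`, `rhel8cis_skip_for_travis` and `rhel8cis_oscap_scan` to a role whose variables use the `rhel8stig_` prefix (the defaults define `rhel8stig_system_is_container`), so none of them reach the role and the container toggle silently does nothing. Rename to `rhel8stig_system_is_container: "{{ is_container | default(false) }}"` and drop the two with no counterpart in this role. `yes` is a YAML 1.1 boolean spelling; write `true`.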
Signed-off-by: Mark Bolwell --- defaults/main.yml | 78 ++++++++- library/goss.py | 162 ++++++++++++++++++ tasks/Cat_1/main.yml | 34 ++-- tasks/LE_audit_setup.yml | 22 +++ tasks/main.yml | 42 +++-- tasks/post_remediation_audit.yml | 49 ++++++ ...LE_audit.yml => pre_remediation_audit.yml} | 42 ++--- ...s_vars.yml.j2 => ansible_vars_goss.yml.j2} | 10 ++ 8 files changed, 386 insertions(+), 53 deletions(-) create mode 100644 library/goss.py create mode 100644 tasks/LE_audit_setup.yml create mode 100644 tasks/post_remediation_audit.yml rename tasks/{pre_LE_audit.yml => pre_remediation_audit.yml} (82%) rename templates/{ansible_goss_vars.yml.j2 => ansible_vars_goss.yml.j2} (83%) diff --git a/defaults/main.yml b/defaults/main.yml index 8ac7f551..d866b0b5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,8 @@ --- +## Benchmark name used by audting control role +# The audit variable found at the base +benchmark: RHEL8-STIG + rhel8stig_cat1_patch: true rhel8stig_cat2_patch: true 
@@ -34,12 +38,31 @@ rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}" # tweak role to run in a non-privileged container rhel8stig_system_is_container: false -# rhel8cis is left off the front of this var for consistency in testing pipeline +# rhel8cis/stig is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks system_is_ec2: false # Whether to skip the reboot -rhel8stig_skip_reboot: false +rhel8stig_skip_reboot: true + + +### Goss is required on the remote host +setup_audit: false +# How to retrieve audit binary +# Options are copy or download - detailed settings at the bottom of this file +# you will need to access to either github or the file already dowmloaded +get_goss_file: download + +# how to get audit files onto host options +# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +rhel8stig_audit_content: git + +# enable audits to run - this runs the audit and get the latest content +run_audit: false + +### End Goss enablements #### +#### Detailed settings found at the end of this document #### + # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group @@ -441,8 +464,7 @@ rhel8stig_tftp_required: no # RHEL-08-010140 and RHEL-08-020280 # Password protect the boot loader -rhel8stig_bootloader_password: 'Boot1tUp!' -rhel8stig_bootloader_password_hash: "{{ rhel8stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }}" +rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword rhel8stig_boot_superuser: root # AIDE settings 
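Review bot: Replacing the committed cleartext default `'Boot1tUp!'` with a placeholder hash is the right call, but the placeholder already carries the `grub.pbkdf2.sha512.` prefix while the `lineinfile` in `RHEL-08-010140_010150.yml` prepends the same prefix, so an operator who pastes `grub2-mkpasswd-pbkdf2` output as-is gets a doubled prefix; decide which side owns it. The comment should say how to produce the value (`grub2-mkpasswd-pbkdf2`, copy the `grub.pbkdf2.sha512.…` string) and that it belongs in vault or extra-vars rather than in this file. A quoted string, `rhel8stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'`, also keeps the placeholder from being retyped should the format change.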
@@ -721,3 +743,51 @@ rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1 # RHEL-08-020070 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less rhel8stig_tmux_lock_after_time: 900 + +#### Goss Configuration Settings #### + +### Goss binary settings ### +goss_version: + release: v0.3.16 + checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +# if get_goss_file == download change accordingly +goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" + +## if get_goss_file - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +copy_goss_from_path: /some/accessible/path + +### Goss Audit Benchmark file ### +## managed by the control rhel8cis_audit_content +# git +rhel8cis_audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +rhel8cis_audit_git_version: main + +# copy: +rhel8cis_audit_local_copy: "some path to copy from" + +# get_url: +rhel8cis_audit_files_url: "some url maybe s3?" 
+ +# Where the goss audit configuration will be stored +rhel8cis_audit_files: "/var/tmp/{{ benchmark }}-Audit/" + +## Goss configuration information +# Where the goss configs and outputs are stored +audit_out_dir: '/var/tmp' +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing +goss_file: "{{ audit_conf_dir }}goss.yml" +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" +audit_results: | + The pre remediation results are: {{ pre_audit_summary }}. + The post remediation results are: {{ post_audit_summary }}. + Full breakdown can be found in {{ audit_out_dir }} diff --git a/library/goss.py b/library/goss.py new file mode 100644 index 00000000..76cf3ea5 --- /dev/null +++ b/library/goss.py 
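Review bot: The new audit-content defaults are named `rhel8cis_audit_file_git`, `rhel8cis_audit_git_version`, `rhel8cis_audit_local_copy` and `rhel8cis_audit_files_url`, but `pre_remediation_audit.yml` in the same patch reads the `rhel8stig_`-prefixed names, so every `run_audit` path fails on an undefined variable; rename them to `rhel8stig_…` (and drop `rhel8cis_audit_files`, which duplicates `audit_conf_dir`). Separately, `audit_out_dir: '/var/tmp'` puts the cloned goss content — which goss later executes, presumably as root, including any `command:` resources it contains — under a world-writable directory where another local user can pre-create `/var/tmp/RHEL8-STIG-Audit/` or a symlink before the clone; a root-owned path such as `/var/lib/…` or a `0700` directory is safer. `goss_file: "{{ audit_conf_dir }}goss.yml"` depends on the trailing slash in `audit_conf_dir` while `audit_vars_path` adds its own `/`; pick one convention.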
@@ -0,0 +1,162 @@ +#!/usr/bin/env python3 +# FROM: https://github.com/indusbox/goss-ansible + +import os + +from ansible.module_utils.basic import AnsibleModule + + +DOCUMENTATION = ''' +--- +module: goss +author: Mathieu Corbin +short_description: Launch goss (https://github.com/aelsabbahy/goss) tests +description: + - Launch goss tests. + This module always returns `changed = false` for idempotence. +options: + path: + required: true + description: + - Test file to validate. + The test file must be on the remote machine. + goss_path: + required: false + description: + - Path location for the goss executable. + Default is "goss" (ie.`no absolute path, goss executable must be available in $PATH). + vars_path: + required: false + description: + - Path location for a variables YAML/JSON file to use as templating inputs. + format: + required: false + description: + - Output goss format. + Goss format list : goss v --format => [documentation json junit nagios nagios_verbose rspecish tap silent]. + Default is "rspecish". 
+ format_options: + required: false + description: + - Extra options passed to the formatter, valid options: [perfdata pretty verbose] + Goss format options: goss -v --format json --format_options pretty + default: null + output_file: + required: false + description: + - Save the result of the goss command in a file whose path is output_file +examples: + - name: run goss against the gossfile /path/to/file.yml + goss: + path: "/path/to/file.yml" + - name: run goss against the gossfile /path/to/file.yml with nagios output + goss: + path: "/path/to/file.yml" + format: "nagios" + - name: run /usr/local/bin/goss against the gossfile /path/to/file.yml + goss: + path: "/path/to/file.yml" + goss_path: "/usr/local/bin/goss" + - name: run /usr/local/bin/goss with a variables file + goss: + vars_path: "/path/to/file.yml" + - name: run goss against multiple gossfiles and write the result in JSON format to /my/output/ for each file + goss: + path: "{{ item }}" + format: json + output_file : /my/output/{{ item }} + with_items: "{{ goss_files }}" +''' + + +def check(module, test_file_path, output_format, format_options, goss_path, vars_path): + """ + Launch goss validate command on the file + """ + cmd = f'{ goss_path } --gossfile { test_file_path }' + # goss parent command flags + if vars_path is not None: + cmd += f' --vars { vars_path }' + + # validate sub-command flags + cmd += ' validate' + if output_format is not None: + cmd += f' --format { output_format }' + if format_options is not None: + cmd += f' --format { output_format } --format-options { format_options }' + + + return module.run_command(cmd) + + +def write_result(output_file_path, out): + """ + Write goss result to output_file_path + """ + if output_file_path is not None: + with open(output_file_path, 'w') as output_file: + output_file.write(out) + + +def run_module(): + module = AnsibleModule( + argument_spec=dict( + path=dict(required=True, type='str'), + format=dict(required=False, type='str'), + 
output_file=dict(required=False, type='str'), + format_options=dict(required=False, type='str'), + vars_path=dict(required=False, type='str'), + goss_path=dict(required=False, default='goss', type='str'), + ), + supports_check_mode=False + ) + + test_file_path = module.params['path'] + output_format = module.params['format'] # goss output format + format_options = module.params['format_options'] # goss format options + output_file_path = module.params['output_file'] + goss_path = module.params['goss_path'] + vars_path = module.params['vars_path'] + + test_file_path = os.path.expanduser(test_file_path) + + if not os.access(test_file_path, os.R_OK): + module.fail_json(msg=f'Test file { test_file_path } not readable') + + if os.path.isdir(test_file_path): + module.fail_json(msg=f'Test file { test_file_path } must be a file but is a path') + + if format_options is not None: + format_options = (format_options) + options = ('pretty', 'perfdata', 'verbose') + if format_options not in options: + module.fail_json(msg=f' format_options { format_options } - must be one of perfdata, pretty or verbose') + + rc, out, err = check(module, test_file_path, output_format, format_options, goss_path, vars_path) + + + if output_file_path is not None: + output_file_path = os.path.expanduser(output_file_path) + + if output_file_path.endswith(os.sep): + module.fail_json(msg=f'output_file { output_file_path } must be a file') + + output_dirname = os.path.dirname(output_file_path) + + if not os.path.exists(output_dirname): + module.fail_json(msg=f'directory { output_dirname } does not exists') + + if not os.access(os.path.dirname(output_file_path), os.W_OK): + module.fail_json(msg=f'Destination { output_dirname } not writable') + + write_result(output_file_path, out) + + if rc is not None and rc != 0: + error_msg = 'err : { err } ; out : { out }' + module.fail_json(msg=error_msg) + + module.exit_json(stdout=out, changed=False) + + +if __name__ == '__main__': + run_module() \ No newline at 
end of file diff --git a/tasks/Cat_1/main.yml b/tasks/Cat_1/main.yml index d2ba6478..91ffabee 100644 --- a/tasks/Cat_1/main.yml +++ b/tasks/Cat_1/main.yml @@ -1,20 +1,20 @@ --- - name: Include Cat 1 tasks - include_tasks: RHEL-08-010000.yml - include_tasks: RHEL-08-010020.yml - include_tasks: RHEL-08-010140_010150.yml - include_tasks: RHEL-08-010370.yml - include_tasks: RHEL-08-010371.yml - include_tasks: RHEL-08-010460.yml - include_tasks: RHEL-08-010470.yml - include_tasks: RHEL-08-010820.yml - include_tasks: RHEL-08-020330.yml - include_tasks: RHEL-08-040000.yml - include_tasks: RHEL-08-040010.yml - include_tasks: RHEL-08-040170.yml - include_tasks: RHEL-08-040171.yml - include_tasks: RHEL-08-040172.yml - include_tasks: RHEL-08-040190.yml - include_tasks: RHEL-08-040200.yml - include_tasks: RHEL-08-040360.yml + include: RHEL-08-010000.yml +- include: RHEL-08-010020.yml +- include: RHEL-08-010140_010150.yml +- include: RHEL-08-010370.yml +- include: RHEL-08-010371.yml +- include: RHEL-08-010460.yml +- include: RHEL-08-010470.yml +- include: RHEL-08-010820.yml +- include: RHEL-08-020330.yml +- include: RHEL-08-040000.yml +- include: RHEL-08-040010.yml +- include: RHEL-08-040170.yml +- include: RHEL-08-040171.yml +- include: RHEL-08-040172.yml +- include: RHEL-08-040190.yml +- include: RHEL-08-040200.yml +- include: RHEL-08-040360.yml diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml new file mode 100644 index 00000000..61a4cdf1 --- /dev/null +++ b/tasks/LE_audit_setup.yml @@ -0,0 +1,22 @@ +--- + +- name: Download audit binary + get_url: + url: "{{ goss_url }}" + dest: "{{ audit_bin }}" + owner: root + group: root + checksum: "{{ goss_version.checksum }}" + mode: 0555 + when: + - get_goss_file == 'download' + +- name: copy audit binary + copy: + src: + dest: "{{ audit_bin }}" + mode: 0555 + owner: root + group: root + when: + - get_goss_file == 'copy' diff --git a/tasks/main.yml b/tasks/main.yml index efc9b860..dbb9d333 100644 --- a/tasks/main.yml 
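Review bot: In `run_module`, `error_msg = 'err : { err } ; out : { out }'` is missing the `f` prefix, so a failing goss run reports the literal braces and loses the real stderr/stdout; write `error_msg = f'err : {err} ; out : {out}'`. In `check` the command is assembled as one string, so a `goss_path`, `test_file_path` or `vars_path` containing a space is split by `run_command`'s shlex parsing, and the `format_options` branch repeats `--format { output_format }`; building an argv list (`[goss_path, '--gossfile', test_file_path, …]`) fixes both. `format_options = (format_options)` is a no-op and can go. Since this copy diverges from the cited `indusbox/goss-ansible` (f-strings, `python3` shebang, `format_options`), noting the local changes in the header comment would help the next sync.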
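Review bot: The rewrite fixes the duplicate-key problem but switches to the bare `include:` keyword, deprecated since Ansible 2.4, and leaves the first include glued to the `name:` of the first task. Use `- import_tasks: RHEL-08-010000.yml` per file: static imports also let the per-control tags inside each file (`RHEL-08-010000`, `CAT1`, …) be selected with `--tags`, which dynamic includes do not honor without `apply`.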
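Review bot: In the `copy audit binary` task `src:` has no value, so with `get_goss_file: copy` the task fails on a null `src`; it should read `src: "{{ copy_goss_from_path }}"`, the variable the defaults add for exactly this purpose. The download branch pins a sha256 via `checksum:`, which is good; the copy branch has no integrity check, so either verify the copied binary against `goss_version.checksum` (e.g. `stat` with `checksum_algorithm: sha256` and an assert) or document that the operator must.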
+++ b/tasks/main.yml @@ -21,6 +21,16 @@ tags: - always +- name: Check rhel8stig_bootloader_password_hash variable has been changed + assert: + that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' + msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set" + + when: + - not system_is_ec2 + - rhel_08_010140 or + rhel_08_010150 + - name: Check if using resolv.conf template settings are changed assert: that: @@ -40,17 +50,15 @@ tags: - always -# - name: Install OpenSCAP and run a report -# import_tasks: audit_oscap_scan_before.yml -# when: rhel8stig_oscap_scan -# tags: -# - oscapreport - - import_tasks: prelim.yml become: yes tags: - prelim_tasks +- import_tasks: pre_remediation_audit.yml + when: + - run_audit + - name: Include CAT I patches import_tasks: cat_1/main.yml when: rhel8stig_cat1_patch @@ -72,8 +80,20 @@ # - cat3 # - low -# - name: run the OpenSCAP reporting tool again -# import_tasks: audit_oscap_scan_after.yml -# when: rhel8stig_oscap_scan -# tags: -# - oscapreport +- name: flush handlers + meta: flush_handlers + +- name: Reboot system + reboot: + when: + - not rhel8stig_skip_reboot + +- import_tasks: post_remediation_audit.yml + when: + - run_audit + +- name: Show Audit Summary + debug: + msg: "{{ audit_results.split('\n') }}" + when: + - run_audit \ No newline at end of file diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml new file mode 100644 index 00000000..6bfa7719 --- /dev/null +++ b/tasks/post_remediation_audit.yml 
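Review bot: The new bootloader-hash assert has no `tags:` while the neighbouring preflight asserts carry `tags: - always`, so a run invoked with `--tags cat1` or `--tags RHEL-08-010140` skips the check and proceeds to write the placeholder into `user.cfg`. Add `tags: - always`. The `when:` exempts EC2 via `not system_is_ec2`; confirm the GRUB tasks themselves are gated the same way, otherwise the placeholder still lands on EC2 hosts.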
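Review bot: The `Reboot system` task is gated only on `not rhel8stig_skip_reboot`; on a container or chroot target (the role has `rhel8stig_system_is_container` and `rhel8stig_system_is_chroot` toggles) `reboot:` fails, so add `- not rhel8stig_system_is_container` and `- not rhel8stig_system_is_chroot` to its `when:`. `audit_results` references `pre_audit_summary` and `post_audit_summary`, which the audit tasks only set when `audit_format` is `json` or `documentation`, so `Show Audit Summary` errors with an undefined variable for any other goss format; default them or assert the allowed formats up front. The file also loses its trailing newline in this hunk.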
@@ -0,0 +1,49 @@ +--- + +- name: "Run post_remediation {{ benchmark }} audit" + goss: + goss_path: "{{ audit_bin }}" + path: "{{ goss_file }}" + vars_path: "{{ audit_vars_path }}" + format: "{{ audit_format }}" + output_file: "{{ post_audit_outfile }}" + failed_when: false + environment: + GOSS_FMT_OPTIONS: Pretty + +- name: ensure audit files readable by users + file: + path: "{{ item }}" + mode: 0644 + state: file + loop: + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" + +- name: Capture audit data if json format + block: + - name: "capture data {{ post_audit_outfile }}" + command: "cat {{ post_audit_outfile }}" + register: post_audit + changed_when: false + + - name: Capture post-audit result + set_fact: + post_audit_summary: "{{ post_audit.stdout | from_json |json_query(summary) }}" + vars: + summary: 'summary."summary-line"' + when: + - audit_format == "json" + +- name: Capture audit data if documentation format + block: + - name: "capture data {{ post_audit_outfile }}" + command: "tail -2 {{ post_audit_outfile }}" + register: post_audit + changed_when: false + + - name: Capture post-audit result + set_fact: + post_audit_summary: "{{ post_audit.stdout_lines }}" + when: + - audit_format == "documentation" diff --git a/tasks/pre_LE_audit.yml b/tasks/pre_remediation_audit.yml similarity index 82% rename from tasks/pre_LE_audit.yml rename to tasks/pre_remediation_audit.yml index 4d65dda2..813f1c9f 100644 --- a/tasks/pre_LE_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -3,13 +3,13 @@ - name: Setup the LE audit include_tasks: LE_audit_setup.yml when: - - rhel8stig_setup_audit + - setup_audit tags: - setup_audit -- name: "Ensure {{ goss_audit_dir }} exists" +- name: "Ensure {{ audit_conf_dir }} exists" file: - path: "{{ goss_audit_dir }}" + path: "{{ audit_conf_dir }}" state: directory mode: '0755' 
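Review bot: `ensure audit files readable by users` chmods the pre- and post-scan results in `/var/tmp` to `0644`, handing every local user a list of which STIG controls fail on the host — useful reconnaissance for privilege escalation. Unless a consumer genuinely needs them world-readable, keep the default root-only mode (or `0640` with an explicit group) and let operators retrieve them with `fetch:`. The `command: cat` step can be replaced with `slurp` (`{{ slurped.content | b64decode | from_json }}`), which avoids a shell round-trip, and `json_query` needs the `jmespath` package on the controller — a dependency the role should declare.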
@@ -19,13 +19,11 @@ package: name: git state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - name: retrieve audit content files from git git: repo: "{{ rhel8stig_audit_file_git }}" - dest: "{{ goss_audit_dir }}" + dest: "{{ audit_conf_dir }}" version: "{{ rhel8stig_audit_git_version }}" when: - rhel8stig_audit_content == 'git' @@ -33,7 +31,7 @@ - name: copy to audit content files to server copy: src: "{{ rhel8stig_audit_local_copy }}" - dest: "{{ goss_audit_dir }}" + dest: "{{ audit_conf_dir }}" mode: 0644 when: - rhel8stig_audit_content == 'copy' @@ -41,7 +39,7 @@ - name: get audit content from url get_url: url: "{{ rhel8stig_audit_files_url }}" - dest: "{{ goss_audit_dir }}" + dest: "{{ audit_conf_dir }}" when: - rhel8stig_audit_content == 'get_url' @@ -49,16 +47,16 @@ block: - name: Check for goss file stat: - path: "{{ goss_bin }}" + path: "{{ audit_bin }}" register: goss_available - name: If audit ensure goss is available assert: - msg: "Audit has been selected: unable to find goss binary at {{ goss_bin }}" + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: - not goss_available.stat.exists when: - - rhel8stig_run_audit + - run_audit - name: "Check whether machine is UEFI-based" stat: 
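Review bot: The git task clones `rhel8stig_audit_file_git` at `rhel8stig_audit_git_version`, but the defaults added in this patch define `rhel8cis_audit_file_git` / `rhel8cis_audit_git_version`, so as written this fails on an undefined variable. Once the names are aligned it pulls the unpinned `main` branch of an external repo whose goss content — including any `command:` resources, which run arbitrary shell — is then executed, presumably as root. Pin `version:` to a tag or commit SHA (and consider `verify_commit: yes` if the audit repo signs commits), or at least document that operators should.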
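Review bot: The `If audit ensure goss is available` assert has a `msg:` but no `that:` — none is visible in the hunk — and `assert` requires `that`, so when goss is missing the task fails with a missing-argument error instead of the intended message. Replace the stat/assert pair with `that: goss_available.stat.exists` on the assert and drop its `when:`, which yields the friendly message and fails only when the binary is absent. The enclosing block's header is outside the hunk.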
@@ -99,22 +97,24 @@ - name: Copy ansible default vars values to test audit template: - src: ansible_vars_goss.yml - dest: "{{ goss_vars_path }}" + src: ansible_vars_goss.yml.j2 + dest: "{{ audit_vars_path }}" mode: 0600 when: - - rhel8stig_run_audit + - run_audit tags: - goss_template - name: "Run pre_remediation {{ benchmark }} audit" goss: - goss_path: "{{ goss_bin }}" - path: "{{ goss_file }}" - vars_path: "{{ goss_vars_path }}" - format: "{{ goss_format }}" - output_file: "{{ pre_audit_outfile }}" + goss_path: "{{ audit_bin }}" + path: "{{ goss_file }}" + vars_path: "{{ audit_vars_path }}" + format: "{{ audit_format }}" + output_file: "{{ pre_audit_outfile }}" failed_when: false + environment: + GOSS_FMT_OPTIONS: Pretty - name: Capture audit data if json format block: @@ -129,7 +129,7 @@ vars: summary: 'summary."summary-line"' when: - - goss_format == "json" + - audit_format == "json" - name: Capture audit data if documentation format block: @@ -142,4 +142,4 @@ set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - - goss_format == "documentation" + - audit_format == "documentation" diff --git a/templates/ansible_goss_vars.yml.j2 b/templates/ansible_vars_goss.yml.j2 similarity index 83% rename from templates/ansible_goss_vars.yml.j2 rename to templates/ansible_vars_goss.yml.j2 index 7f48b9de..a05ef11e 100644 --- a/templates/ansible_goss_vars.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,3 +1,13 @@ +## metadata for Audit benchmark +rhel8stig_benchmark: +- "type: STIG" +- "version: '1.2'" +- "os: RHEL 8" +- "epoch: {{ ansible_date_time.epoch }}" +- "hostname: {{ ansible_hostname }}" + +rhel8stig_os_distribution: {{ ansible_distribution | lower }} + # turn the categories on/off rhel8stig_cat1: {{ rhel8stig_cat1_patch }} From 8ea4ffd38015d25623b0e53bf51929b302fa1258 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 14 Jul 2021 12:00:27 +0100 Subject: [PATCH 008/110] improved logic using ansible_fips 
Signed-off-by: Mark Bolwell --- tasks/Cat_1/RHEL-08-010020.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tasks/Cat_1/RHEL-08-010020.yml b/tasks/Cat_1/RHEL-08-010020.yml index 01d91976..0e4cd73d 100644 --- a/tasks/Cat_1/RHEL-08-010020.yml +++ b/tasks/Cat_1/RHEL-08-010020.yml @@ -7,11 +7,15 @@ name: dracut-fips state: present notify: rebuild initramfs + when: + - not ansible_fips - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" command: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 + when: + - not ansible_fips - name: "RHEL-08-010020 | HIGH | AUDIT | Check if prelink package is installed" command: rpm -q prelink From 6b5e9b271d780ad09184203539d91e9c69cbed25 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 14 Jul 2021 12:00:49 +0100 Subject: [PATCH 009/110] fixed layout Signed-off-by: Mark Bolwell --- tasks/Cat_1/RHEL-08-010140_010150.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/Cat_1/RHEL-08-010140_010150.yml b/tasks/Cat_1/RHEL-08-010140_010150.yml index 7bc84729..2ffb41c4 100644 --- a/tasks/Cat_1/RHEL-08-010140_010150.yml +++ b/tasks/Cat_1/RHEL-08-010140_010150.yml 
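Review bot: `when: - not ansible_fips` gates both the `dracut-fips` install and `fips-mode-setup --enable` on the running kernel's FIPS state, but the enable only takes effect after a reboot, so on a host that has been enabled and not yet rebooted `ansible_fips` is still false and the command task (with `changed_when: rc == 0`) is re-run and reported as changed on every play. A guard on the on-disk state is cheaper and idempotent: register `fips-mode-setup --check` with `changed_when: false` and run the enable only when its output does not report FIPS as enabled, then notify a reboot-required handler or flag. The `package` task's `- name:` line is above this hunk.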
@@ -1,25 +1,25 @@ --- -name: | +- name: | "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." block: - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" - "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" + "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" + "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" lineinfile: path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg" create: yes regexp: ^GRUB2_PASSWORD= - line: "GRUB2_PASSWORD=grub.pbkdf2.sha512.{{ rhel8stig_bootloader_password_hash }}" + line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}" owner: root group: root mode: 0640 notify: confirm grub2 user cfg - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers" - "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. 
| Set UEFI superusers" + "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers" + "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers" lineinfile: dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" regexp: '^set superusers' From 6f0e8c8f8767aa9a193de8ee4e7dcc837d5b95c2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 14 Jul 2021 13:58:42 +0100 Subject: [PATCH 010/110] Added Rocky Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index d866b0b5..d1f7e8dc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -443,6 +443,7 @@ rhel8stig_change_user_path: false rhel8stig_min_supported_os_ver: RedHat: "8.4" CentOS: "8.4" + Rocky: "8.4" # RHEL-08-040260 # If system is not router, run tasks that disable router functions. From 3aaa17ddff7ce7e81d2da03dd0a5c9cf93636dd2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 14 Jul 2021 14:42:53 +0100 Subject: [PATCH 011/110] standardise layout Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 813f1c9f..393d3ae5 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
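Review bot: The new `line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}"` moves the `grub.pbkdf2.sha512.` prefix out of the task and into the variable, so any existing value of `rhel8stig_bootloader_password_hash` that holds only the hash portion now writes a user.cfg entry GRUB cannot use; I have not verified how GRUB treats the malformed entry, but neither locking everyone out nor leaving the menu open is what the control wants. Add an `assert` before the block, e.g. `that: rhel8stig_bootloader_password_hash is match('^grub\\.pbkdf2\\.sha512\\.')` with a `msg` pointing at `grub2-mkpasswd-pbkdf2`, and note the required format next to the variable in defaults/main.yml (outside this hunk, so I cannot see whether the shipped default is a placeholder). `mode: 0640` should be quoted as `'0640'` for consistency with the `'0755'` elsewhere in this series.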
@@ -15,10 +15,19 @@ - name: If using git for content set up block: - - name: Install git + - name: Install git (rh8 python3) package: name: git state: present + when: ansible_distribution_major_version == 8 + + - name: Install git (rh7 python2) + package: + name: git + state: present + vars: + ansible_python_interpreter: "{{ python2_bin }}" + when: ansible_distribution_major_version == 7 - name: retrieve audit content files from git git: From b9ce11c6b7337c365f6fad492e18d11782f2ec75 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Aug 2021 17:27:23 +0100 Subject: [PATCH 012/110] audit alignment updates Signed-off-by: Mark Bolwell --- tasks/main.yml | 26 +- tasks/pre_remediation_audit.yml | 2 +- templates/ansible_vars_goss.yml.j2 | 365 ++++++++++++++++++++++++++++- 3 files changed, 378 insertions(+), 15 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index dbb9d333..397cfc8f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -66,19 +66,19 @@ - cat1 - high -#- name: Include CAT II patches -# import_tasks: fix-cat2.yml -# tags: -# - cat2 -## when: rhel8stig_cat2_patch | bool -# - medium - -#- name: Include CAT III patches -# import_tasks: fix-cat3.yml -# when: rhel8stig_cat3_patch | bool -# tags: -# - cat3 -# - low +- name: Include CAT II patches + import_tasks: fix-cat2.yml + when: rhel8stig_cat2_patch + tags: + - cat2 + - medium + +- name: Include CAT III patches + import_tasks: fix-cat3.yml + when: rhel8stig_cat3_patch | bool + tags: + - cat3 + - low - name: flush handlers meta: flush_handlers diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 393d3ae5..8f665771 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
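Review bot: `when: ansible_distribution_major_version == 8` (and `== 7` on the second task) compares a string fact with an integer; `ansible_distribution_major_version` is the string `"8"`, and in Jinja2 `"8" == 8` is false, so neither git install task runs and the following `git:` task fails on hosts without git. Compare as strings, `when: ansible_distribution_major_version == '8'`, or cast with `| int == 8`. Since the role's minimum supported release was raised to 8.4 earlier in this series, the RHEL 7 / python2 variant may be dead code worth removing rather than fixing. The enclosing block's `- name: If using git for content set up` line is above this hunk.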
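Review bot: The two re-enabled tasks use different conditional forms, `when: rhel8stig_cat2_patch` versus `when: rhel8stig_cat3_patch | bool`, while the commented-out version being replaced used `| bool` for both. A value such as `false` passed via `-e` arrives as a non-empty string and is truthy without `| bool`, so the CAT II tasks would run when the user asked them not to; use `when: rhel8stig_cat2_patch | bool` on the first task as well.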
@@ -78,7 +78,7 @@ block: - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/redhat + rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} rhel8stig_legacy_boot: false when: - rhel8_efi_boot.stat.exists diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index a05ef11e..18370471 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -8,8 +8,12 @@ rhel8stig_benchmark: rhel8stig_os_distribution: {{ ansible_distribution | lower }} +rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' -%}false{% else -%}true{% endif -%} + # turn the categories on/off rhel8stig_cat1: {{ rhel8stig_cat1_patch }} +rhel8stig_cat2: {{ rhel8stig_cat2_patch }} +rhel8stig_cat3: {{ rhel8stig_cat3_patch }} # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact @@ -19,6 +23,9 @@ timeout_ms: 20000 # If using the supplied graphical interface rhel8stig_gui: false +# system acts or requires router networking options +rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} + # Sets up the system dependant on bootloader legacy_boot: {{ rhel8stig_legacy_boot }} rhel8stig_bootloader_path: {{ rhel8stig_bootloader_path }} 
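Review bot: `rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }}` derives the EFI directory from the distribution name, but the task name still says "RHEL or OEL", and as far as I know Oracle Linux keeps its GRUB files under `/boot/efi/EFI/redhat`, which the old hard-coded value matched and the new expression does not. If Oracle Linux is still a target, map it explicitly (a small `rhel8stig_efi_dir` lookup keyed on `ansible_distribution`), and in any case follow this with a `stat` of the resulting path and an `assert` so an unexpected layout fails early rather than at the grub tasks. The enclosing block's opening line is above this hunk.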
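Review bot: `{% if ansible_distribution_version >= '8.2' -%}` in the `@@ -8,8 +8,12 @@` template hunk is a lexicographic string comparison, so a release such as 8.10 (`'8.10' >= '8.2'` is false because `'1' < '2'`) would set `rhel8stig_os_version_pre_8_2: true` and the audit would apply pre-8.2 expectations to a current release. Use the version test instead: `rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version is version('8.2', '>=') -%}false{% else -%}true{% endif -%}`.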
@@ -44,7 +51,363 @@ RHEL_08_040190: {{ rhel_08_040190 }} RHEL_08_040200: {{ rhel_08_040200 }} RHEL_08_040360: {{ rhel_08_040360 }} +# Cat 2 rules +RHEL_08_010010: {{ rhel_08_010010 }} +RHEL_08_010030: {{ rhel_08_010030 }} +RHEL_08_010040: {{ rhel_08_010040 }} # Variable options below +RHEL_08_010050: {{ rhel_08_010050 }} # Variable options below +RHEL_08_010060: {{ rhel_08_010060 }} # Variable options below +RHEL_08_010070: {{ rhel_08_010070 }} +RHEL_08_010090: {{ rhel_08_010090 }} +RHEL_08_010100: {{ rhel_08_010100 }} +RHEL_08_010110: {{ rhel_08_010110 }} +RHEL_08_010120: {{ rhel_08_010120 }} +RHEL_08_010130: {{ rhel_08_010130 }} +RHEL_08_010151: {{ rhel_08_010151 }} +RHEL_08_010160: {{ rhel_08_010160 }} +RHEL_08_010161: {{ rhel_08_010161 }} +RHEL_08_010162: {{ rhel_08_010162 }} +RHEL_08_010163: {{ rhel_08_010162 }} ### to be fixed as not yet written for V1r2 +RHEL_08_010170: {{ rhel_08_010170 }} +RHEL_08_010180: {{ rhel_08_010180 }} +RHEL_08_010190: {{ rhel_08_010190 }} +RHEL_08_010200: {{ rhel_08_010200 }} +RHEL_08_010210: {{ rhel_08_010210 }} +RHEL_08_010220: {{ rhel_08_010220 }} +RHEL_08_010230: {{ rhel_08_010230 }} +RHEL_08_010240: {{ rhel_08_010240 }} +RHEL_08_010250: {{ rhel_08_010250 }} +RHEL_08_010260: {{ rhel_08_010260 }} +RHEL_08_010290: {{ rhel_08_010290 }} +RHEL_08_010291: {{ rhel_08_010291 }} +RHEL_08_010293: {{ rhel_08_010293 }} +RHEL_08_010294: {{ rhel_08_010294 }} +RHEL_08_010295: {{ rhel_08_010295 }} +RHEL_08_010300: {{ rhel_08_010300 }} +RHEL_08_010310: {{ rhel_08_010310 }} +RHEL_08_010320: {{ rhel_08_010320 }} +RHEL_08_010330: {{ rhel_08_010330 }} +RHEL_08_010340: {{ rhel_08_010340 }} +RHEL_08_010350: {{ rhel_08_010350 }} +RHEL_08_010360: {{ rhel_08_010360 }} +RHEL_08_010372: {{ rhel_08_010372 }} +RHEL_08_010373: {{ rhel_08_010373 }} +RHEL_08_010374: {{ rhel_08_010374 }} +RHEL_08_010380: {{ rhel_08_010380 }} +RHEL_08_010381: {{ rhel_08_010380 }} +RHEL_08_010382: {{ rhel_08_010380 }} ### to be fixed as not yet written for V1r2 +RHEL_08_010383: 
{{ rhel_08_010380 }} ### to be fixed as not yet written for V1r2 +RHEL_08_010384: {{ rhel_08_010380 }} ### to be fixed as not yet written for V1r2 +RHEL_08_010390: {{ rhel_08_010390 }} +RHEL_08_010400: {{ rhel_08_010400 }} +RHEL_08_010410: {{ rhel_08_010410 }} +RHEL_08_010420: {{ rhel_08_010420 }} +RHEL_08_010421: {{ rhel_08_010421 }} +RHEL_08_010422: {{ rhel_08_010422 }} +RHEL_08_010423: {{ rhel_08_010423 }} +RHEL_08_010430: {{ rhel_08_010430 }} +RHEL_08_010450: {{ rhel_08_010450 }} +RHEL_08_010480: {{ rhel_08_010480 }} +RHEL_08_010490: {{ rhel_08_010490 }} +RHEL_08_010500: {{ rhel_08_010500 }} +RHEL_08_010510: {{ rhel_08_010510 }} +RHEL_08_010520: {{ rhel_08_010520 }} +RHEL_08_010521: {{ rhel_08_010521 }} +RHEL_08_010543: {{ rhel_08_010543 }} +RHEL_08_010550: {{ rhel_08_010550 }} +RHEL_08_010560: {{ rhel_08_010560 }} +RHEL_08_010561: {{ rhel_08_010561 }} +RHEL_08_010570: {{ rhel_08_010570 }} +RHEL_08_010571: {{ rhel_08_010171 }} +RHEL_08_010580: {{ rhel_08_010580 }} +RHEL_08_010590: {{ rhel_08_010590 }} +RHEL_08_010600: {{ rhel_08_010600 }} +RHEL_08_010610: {{ rhel_08_010610 }} +RHEL_08_010620: {{ rhel_08_010620 }} +RHEL_08_010630: {{ rhel_08_010630 }} +RHEL_08_010640: {{ rhel_08_010640 }} +RHEL_08_010650: {{ rhel_08_010650 }} +RHEL_08_010660: {{ rhel_08_010660 }} +RHEL_08_010670: {{ rhel_08_010670 }} +RHEL_08_010671: {{ rhel_08_010671 }} +RHEL_08_010672: {{ rhel_08_010672 }} +RHEL_08_010673: {{ rhel_08_010673 }} +RHEL_08_010674: {{ rhel_08_010674 }} +RHEL_08_010675: {{ rhel_08_010675 }} +RHEL_08_010680: {{ rhel_08_010680 }} +RHEL_08_010690: {{ rhel_08_010690 }} +RHEL_08_010700: {{ rhel_08_010700 }} +RHEL_08_010710: {{ rhel_08_010710 }} +RHEL_08_010720: {{ rhel_08_010720 }} +RHEL_08_010730: {{ rhel_08_010730 }} +RHEL_08_010740: {{ rhel_08_010740 }} +RHEL_08_010750: {{ rhel_08_010750 }} +RHEL_08_010760: {{ rhel_08_010760 }} +RHEL_08_010770: {{ rhel_08_010770 }} +RHEL_08_010780: {{ rhel_08_010780 }} +RHEL_08_010790: {{ rhel_08_010790 }} +RHEL_08_010800: {{ 
rhel_08_010800 }} +RHEL_08_010830: {{ rhel_08_010830 }} + +RHEL_08_020000: {{ rhel_08_020000 }} +RHEL_08_020010: {{ rhel_08_020010 }} +RHEL_08_020011: {{ rhel_08_020011 }} +RHEL_08_020012: {{ rhel_08_020012 }} +RHEL_08_020013: {{ rhel_08_020013 }} +RHEL_08_020014: {{ rhel_08_020014 }} +RHEL_08_020015: {{ rhel_08_020015 }} +RHEL_08_020016: {{ rhel_08_020016 }} +RHEL_08_020017: {{ rhel_08_020017 }} +RHEL_08_020018: {{ rhel_08_020018 }} +RHEL_08_020019: {{ rhel_08_020019 }} +RHEL_08_020020: {{ rhel_08_020020 }} +RHEL_08_020021: {{ rhel_08_020021 }} +RHEL_08_020022: {{ rhel_08_020022 }} +RHEL_08_020023: {{ rhel_08_020023 }} +RHEL_08_020030: {{ rhel_08_020024 }} +RHEL_08_020040: {{ rhel_08_020040 }} +RHEL_08_020041: {{ rhel_08_020041 }} +RHEL_08_020050: {{ rhel_08_020050 }} +RHEL_08_020060: {{ rhel_08_020060 }} +RHEL_08_020070: {{ rhel_08_020070 }} +RHEL_08_020080: {{ rhel_08_020080 }} +RHEL_08_020090: {{ rhel_08_020090 }} # TODO +RHEL_08_020100: {{ rhel_08_020100 }} +RHEL_08_020110: {{ rhel_08_020110 }} +RHEL_08_020120: {{ rhel_08_020120 }} +RHEL_08_020130: {{ rhel_08_020130 }} +RHEL_08_020140: {{ rhel_08_020140 }} +RHEL_08_020150: {{ rhel_08_020150 }} +RHEL_08_020160: {{ rhel_08_020160 }} +RHEL_08_020170: {{ rhel_08_020170 }} +RHEL_08_020180: {{ rhel_08_020180 }} +RHEL_08_020190: {{ rhel_08_020190 }} +RHEL_08_020200: {{ rhel_08_020200 }} +RHEL_08_020210: {{ rhel_08_020210 }} +RHEL_08_020220: {{ rhel_08_020220 }} +RHEL_08_020230: {{ rhel_08_020230 }} +RHEL_08_020231: {{ rhel_08_020231 }} +RHEL_08_020240: {{ rhel_08_020240 }} +RHEL_08_020250: {{ rhel_08_020250 }} +RHEL_08_020260: {{ rhel_08_020260 }} +RHEL_08_020270: {{ rhel_08_020270 }} +RHEL_08_020280: {{ rhel_08_020280 }} +RHEL_08_020290: {{ rhel_08_020290 }} +RHEL_08_020300: {{ rhel_08_020300 }} +RHEL_08_020310: {{ rhel_08_020310 }} +RHEL_08_020320: {{ rhel_08_020320 }} +RHEL_08_020350: {{ rhel_08_020350 }} +RHEL_08_020351: {{ rhel_08_020351 }} +RHEL_08_020352: {{ rhel_08_020352 }} +RHEL_08_020353: {{ rhel_08_020353 
}} +RHEL_08_030000: {{ rhel_08_030000 }} +RHEL_08_030010: {{ rhel_08_030010 }} +RHEL_08_030020: {{ rhel_08_030020 }} +RHEL_08_030030: {{ rhel_08_030030 }} +RHEL_08_030040: {{ rhel_08_030040 }} +RHEL_08_030050: {{ rhel_08_030050 }} +RHEL_08_030060: {{ rhel_08_030060 }} +RHEL_08_030061: {{ rhel_08_030061 }} +RHEL_08_030062: {{ rhel_08_030062 }} +RHEL_08_030070: {{ rhel_08_030070 }} +RHEL_08_030080: {{ rhel_08_030080 }} +RHEL_08_030090: {{ rhel_08_030090 }} +RHEL_08_030100: {{ rhel_08_030100 }} +RHEL_08_030110: {{ rhel_08_030110 }} +RHEL_08_030120: {{ rhel_08_030120 }} +RHEL_08_030121: {{ rhel_08_030121 }} +RHEL_08_030122: {{ rhel_08_030122 }} +RHEL_08_030130: {{ rhel_08_030130 }} +RHEL_08_030140: {{ rhel_08_030140 }} +RHEL_08_030150: {{ rhel_08_030150 }} +RHEL_08_030160: {{ rhel_08_030160 }} +RHEL_08_030170: {{ rhel_08_030170 }} +RHEL_08_030171: {{ rhel_08_030171 }} +RHEL_08_030172: {{ rhel_08_030172 }} +RHEL_08_030180: {{ rhel_08_030180 }} +RHEL_08_030190: {{ rhel_08_030190 }} +RHEL_08_030200: {{ rhel_08_030200 }} +RHEL_08_030210: {{ rhel_08_030210 }} +RHEL_08_030220: {{ rhel_08_030220 }} +RHEL_08_030230: {{ rhel_08_030230 }} +RHEL_08_030240: {{ rhel_08_030240 }} +RHEL_08_030250: {{ rhel_08_030250 }} +RHEL_08_030260: {{ rhel_08_030260 }} +RHEL_08_030270: {{ rhel_08_030270 }} +RHEL_08_030280: {{ rhel_08_030280 }} +RHEL_08_030290: {{ rhel_08_030290 }} +RHEL_08_030300: {{ rhel_08_030300 }} +RHEL_08_030301: {{ rhel_08_030301 }} +RHEL_08_030302: {{ rhel_08_030302 }} +RHEL_08_030310: {{ rhel_08_030310 }} +RHEL_08_030311: {{ rhel_08_030311 }} +RHEL_08_030312: {{ rhel_08_030312 }} +RHEL_08_030313: {{ rhel_08_030313 }} +RHEL_08_030314: {{ rhel_08_030314 }} +RHEL_08_030315: {{ rhel_08_030315 }} +RHEL_08_030316: {{ rhel_08_030316 }} +RHEL_08_030317: {{ rhel_08_030317 }} +RHEL_08_030320: {{ rhel_08_030320 }} +RHEL_08_030330: {{ rhel_08_030330 }} +RHEL_08_030340: {{ rhel_08_030340 }} +RHEL_08_030350: {{ rhel_08_030350 }} +RHEL_08_030360: {{ rhel_08_030360 }} +RHEL_08_030361: {{ 
rhel_08_030361 }} +RHEL_08_030362: {{ rhel_08_030362 }} +RHEL_08_030363: {{ rhel_08_030363 }} +RHEL_08_030364: {{ rhel_08_030364 }} +RHEL_08_030365: {{ rhel_08_030365 }} +RHEL_08_030370: {{ rhel_08_030370 }} +RHEL_08_030380: {{ rhel_08_030380 }} +RHEL_08_030390: {{ rhel_08_030390 }} +RHEL_08_030400: {{ rhel_08_030400 }} +RHEL_08_030410: {{ rhel_08_030410 }} +RHEL_08_030420: {{ rhel_08_030420 }} +RHEL_08_030430: {{ rhel_08_030430 }} +RHEL_08_030440: {{ rhel_08_030440 }} +RHEL_08_030450: {{ rhel_08_030450 }} +RHEL_08_030460: {{ rhel_08_030460 }} +RHEL_08_030470: {{ rhel_08_030470 }} +RHEL_08_030480: {{ rhel_08_030480 }} +RHEL_08_030490: {{ rhel_08_030490 }} +RHEL_08_030500: {{ rhel_08_030500 }} +RHEL_08_030510: {{ rhel_08_030510 }} +RHEL_08_030520: {{ rhel_08_030520 }} +RHEL_08_030530: {{ rhel_08_030530 }} +RHEL_08_030540: {{ rhel_08_030540 }} +RHEL_08_030550: {{ rhel_08_030550 }} +RHEL_08_030560: {{ rhel_08_030560 }} +RHEL_08_030570: {{ rhel_08_030570 }} +RHEL_08_030580: {{ rhel_08_030580 }} +RHEL_08_030590: {{ rhel_08_030590 }} +RHEL_08_030600: {{ rhel_08_030600 }} +RHEL_08_030610: {{ rhel_08_030610 }} +RHEL_08_030620: {{ rhel_08_030620 }} +RHEL_08_030630: {{ rhel_08_030630 }} +RHEL_08_030640: {{ rhel_08_030640 }} +RHEL_08_030650: {{ rhel_08_030650 }} +RHEL_08_030660: {{ rhel_08_030660 }} +RHEL_08_030670: {{ rhel_08_030370 }} +RHEL_08_030680: {{ rhel_08_030380 }} +RHEL_08_030690: {{ rhel_08_030090 }} +RHEL_08_030700: {{ rhel_08_030700 }} +RHEL_08_030710: {{ rhel_08_030710 }} +RHEL_08_030720: {{ rhel_08_030720 }} +RHEL_08_030730: {{ rhel_08_030730 }} +RHEL_08_030740: {{ rhel_08_030740 }} +RHEL_08_040001: {{ rhel_08_040001 }} +RHEL_08_040002: {{ rhel_08_040002 }} +RHEL_08_040020: {{ rhel_08_040020 }} +RHEL_08_040030: {{ rhel_08_040030 }} +RHEL_08_040070: {{ rhel_08_040070 }} +RHEL_08_040080: {{ rhel_08_040080 }} +RHEL_08_040090: {{ rhel_08_040090 }} +RHEL_08_040100: {{ rhel_08_040100 }} +RHEL_08_040110: {{ rhel_08_040110 }} +RHEL_08_040111: {{ rhel_08_040111 }} 
+RHEL_08_040120: {{ rhel_08_040120 }} +RHEL_08_040121: {{ rhel_08_040121 }} +RHEL_08_040122: {{ rhel_08_040122 }} +RHEL_08_040123: {{ rhel_08_040123 }} +RHEL_08_040124: {{ rhel_08_040124 }} +RHEL_08_040125: {{ rhel_08_040125 }} +RHEL_08_040126: {{ rhel_08_040126 }} +RHEL_08_040127: {{ rhel_08_040127 }} +RHEL_08_040128: {{ rhel_08_040128 }} +RHEL_08_040129: {{ rhel_08_040129 }} +RHEL_08_040130: {{ rhel_08_040130 }} +RHEL_08_040131: {{ rhel_08_040131 }} +RHEL_08_040132: {{ rhel_08_040132 }} +RHEL_08_040133: {{ rhel_08_040133 }} +RHEL_08_040134: {{ rhel_08_040134 }} +RHEL_08_040135: {{ rhel_08_040135 }} +RHEL_08_040140: {{ rhel_08_040140 }} +RHEL_08_040150: {{ rhel_08_040150 }} +RHEL_08_040160: {{ rhel_08_040160 }} +RHEL_08_040161: {{ rhel_08_040161 }} +RHEL_08_040162: {{ rhel_08_040162 }} +RHEL_08_040180: {{ rhel_08_040180 }} +RHEL_08_040210: {{ rhel_08_040210 }} +RHEL_08_040220: {{ rhel_08_040220 }} +RHEL_08_040230: {{ rhel_08_040230 }} +RHEL_08_040240: {{ rhel_08_040240 }} +RHEL_08_040250: {{ rhel_08_040250 }} +RHEL_08_040260: {{ rhel_08_040260 }} +RHEL_08_040261: {{ rhel_08_040261 }} +RHEL_08_040262: {{ rhel_08_040262 }} +RHEL_08_040270: {{ rhel_08_040270 }} +RHEL_08_040280: {{ rhel_08_040280 }} +RHEL_08_040281: {{ rhel_08_040281 }} +RHEL_08_040282: {{ rhel_08_040282 }} +RHEL_08_040283: {{ rhel_08_040283 }} +RHEL_08_040284: {{ rhel_08_040284 }} +RHEL_08_040285: {{ rhel_08_040285 }} +RHEL_08_040290: {{ rhel_08_040290 }} +RHEL_08_040320: {{ rhel_08_040320 }} +RHEL_08_040330: {{ rhel_08_040330 }} +RHEL_08_040340: {{ rhel_08_040340 }} +RHEL_08_040341: {{ rhel_08_040341 }} +RHEL_08_040350: {{ rhel_08_040350 }} +RHEL_08_040370: {{ rhel_08_040370 }} +RHEL_08_040380: {{ rhel_08_040380 }} +RHEL_08_040390: {{ rhel_08_040390 }} + +# Cat 3 controls +RHEL_08_010171: {{ rhel_08_010171 }} +RHEL_08_010292: {{ rhel_08_010292 }} +RHEL_08_010375: {{ rhel_08_010375 }} +RHEL_08_010376: {{ rhel_08_010376 }} +RHEL_08_010440: {{ rhel_08_010440 }} +RHEL_08_010471: {{ rhel_08_010471 }} 
+RHEL_08_010540: {{ rhel_08_010540 }} +RHEL_08_010541: {{ rhel_08_010541 }} +RHEL_08_010542: {{ rhel_08_010542 }} +RHEL_08_020024: {{ rhel_08_020024 }} +RHEL_08_020042: {{ rhel_08_020042 }} +RHEL_08_020340: {{ rhel_08_020340 }} +RHEL_08_030063: {{ rhel_08_030063 }} +RHEL_08_030601: {{ rhel_08_030601 }} +RHEL_08_030602: {{ rhel_08_030602 }} +RHEL_08_030603: {{ rhel_08_030603 }} +RHEL_08_030741: {{ rhel_08_030741 }} +RHEL_08_030742: {{ rhel_08_030742 }} +RHEL_08_040004: {{ rhel_08_040004 }} +RHEL_08_040021: {{ rhel_08_040021 }} +RHEL_08_040022: {{ rhel_08_040022 }} +RHEL_08_040023: {{ rhel_08_040023 }} +RHEL_08_040024: {{ rhel_08_040024 }} +RHEL_08_040025: {{ rhel_08_040025 }} +RHEL_08_040026: {{ rhel_08_040026 }} +RHEL_08_040300: {{ rhel_08_040300 }} +RHEL_08_040310: {{ rhel_08_040310 }} +# Variables rhel8stig_password_hash: {{ rhel8stig_bootloader_password_hash }} -rhel8stig_boot_superuser: {{ rhel8stig_boot_superuser }} \ No newline at end of file +rhel8stig_boot_superuser: {{ rhel8stig_boot_superuser }} + +# RHEL_08_010040-010050-010060 +rhel8stig_banner_file: /etc/issue +rhel8stig_logon_banner: '[You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions\: \-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \-At any time, the USG may inspect and seize data stored on this IS. \-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests\--not for your personal benefit or privacy. \-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.]' + + +# RHEL_08_010680 to change if using hostfile only - seperate checks +rhel8stig_uses_dns: true + +# RHEL_08_010360 if run via ansible it is placed in cron.d setting as manually set in cron.daily +rhel8stig_aide_cron_file: /etc/cron.d/aide + +# RHEL_08_030040 - Options are SYSLOG, SINGLE, and HALT to fit STIG standards +rhel8stig_auditd_disk_error_action: {{ rhel8stig_auditd_disk_error_action }} + +# RHEL_08_030050 - Options are SYSLOG or KEEP_LOGS to fit STIG standards +rhel8stig_auditd_max_log_file_action: {{ rhel8stig_auditd_max_log_file_action }} + +# RHEL_08_030060 - Options are SYSLOG, HALT, and SINGLE to fit STIG standards +rhel8stig_auditd_disk_full_action: {{ rhel8stig_auditd_disk_full_action }} + +# RHEL_08_030690 if using remote syslog server +rhel8stig_remotelog_server: {{ rhel8stig_remotelog_server.server }} +rhel8stig_remotelog_port: {{ rhel8stig_remotelog_server.port }} + +# RHEL_08_040260-62 From bc4471a53f3ca496133bafc03f37fe9a7b6c1f02 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Aug 2021 17:33:14 +0100 Subject: [PATCH 013/110] updated vars for audit Signed-off-by: Mark Bolwell --- defaults/main.yml | 14 +++++++------- tasks/pre_remediation_audit.yml | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d1f7e8dc..9df54c0b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
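Review bot: Several of the new `RHEL_08_xxxxxx` keys are bound to a different control's variable without a `### to be fixed` marker: `RHEL_08_010571: {{ rhel_08_010171 }}` (010171 is a separate Cat 3 control listed further down), `RHEL_08_020030: {{ rhel_08_020024 }}`, `RHEL_08_030670: {{ rhel_08_030370 }}`, `RHEL_08_030680: {{ rhel_08_030380 }}`, `RHEL_08_030690: {{ rhel_08_030090 }}` and `RHEL_08_010381: {{ rhel_08_010380 }}`. Each one makes the audit enable or skip a goss test based on whether a different remediation was toggled, so the pre/post audit can report a control as present or absent while the matching task state is the opposite. The known gaps already carry `### to be fixed as not yet written for V1r2`; either add the same marker to these or correct the variable name. Separately, `rhel8stig_logon_banner` is a single-quoted YAML scalar, so its `\:` and `\-` sequences are kept literally; if goss compares that value literally against /etc/issue rather than as a regex, it will not match the banner the CAT II task writes, which is worth confirming against the audit content.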
@@ -55,7 +55,7 @@ get_goss_file: download # how to get audit files onto host options # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf -rhel8stig_audit_content: git +audit_content: git # enable audits to run - this runs the audit and get the latest content run_audit: false @@ -764,19 +764,19 @@ goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version. copy_goss_from_path: /some/accessible/path ### Goss Audit Benchmark file ### -## managed by the control rhel8cis_audit_content +## managed by the control audit_content # git -rhel8cis_audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -rhel8cis_audit_git_version: main +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: main # copy: -rhel8cis_audit_local_copy: "some path to copy from" +audit_local_copy: "some path to copy from" # get_url: -rhel8cis_audit_files_url: "some url maybe s3?" +audit_files_url: "some url maybe s3?" # Where the goss audit configuration will be stored -rhel8cis_audit_files: "/var/tmp/{{ benchmark }}-Audit/" +audit_files: "/var/tmp/{{ benchmark }}-Audit/" ## Goss configuration information # Where the goss configs and outputs are stored diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 8f665771..f6c997e8 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
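Review bot: `audit_git_version: main` in the `@@ -764,19 +764,19 @@` hunk pins the goss audit content to a moving branch, and the `git:` task in pre_remediation_audit.yml checks that out and runs it with the goss binary; since goss test files can carry `command` resources, whatever is on `main` of the `{{ benchmark }}-Audit` repository at play time executes on every audited host. Default to a release tag or commit that was reviewed alongside this role version and mark `main` as a development opt-in in the comment, e.g. `## pin to a tagged release; 'main' tracks unreviewed changes`. The same consideration applies to `audit_files_url`, where the `get_url` task (outside this hunk) has no `checksum:`, and to `audit_local_copy`.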
@@ -31,26 +31,26 @@ - name: retrieve audit content files from git git: - repo: "{{ rhel8stig_audit_file_git }}" + repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" - version: "{{ rhel8stig_audit_git_version }}" + version: "{{ audit_git_version }}" when: - - rhel8stig_audit_content == 'git' + - audit_content == 'git' - name: copy to audit content files to server copy: - src: "{{ rhel8stig_audit_local_copy }}" + src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" mode: 0644 when: - - rhel8stig_audit_content == 'copy' + - audit_content == 'copy' - name: get audit content from url get_url: - url: "{{ rhel8stig_audit_files_url }}" + url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" when: - - rhel8stig_audit_content == 'get_url' + - audit_content == 'get_url' - name: Check Goss is available block: From 99a2fc16e90505102f577b427cb22b0f70d667a5 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 9 Aug 2021 12:48:00 -0400 Subject: [PATCH 014/110] Updated fix-cat2.yml to have latest just incase Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 11114 ++++++++++++++++++++++--------------------- 1 file changed, 5735 insertions(+), 5379 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 59595d09..fff57ae9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -1,5449 +1,5805 @@ --- -- name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." - dnf: - name: "*" - state: latest - when: - - not system_is_ec2 - - rhel_08_010010 - tags: - - RHEL-08-010010 - -- name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." - block: - - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout" - command: lsblk - changed_when: false - failed_when: false - register: rhel_08_010030_partition_layout - - - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning" - debug: - msg: - - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm' - - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding" - - "{{ rhel_08_010030_partition_layout.stdout_lines }}" - - when: rhel_08_010030 - tags: - - RHEL-08-010030 - -- name: | - "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." 
- "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" - block: - - name: | - "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" - "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?Banner' - line: 'Banner /etc/issue' - - - name: | - "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" - "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" - copy: - dest: "{{ item }}" - content: "{{ rhel8stig_logon_banner }}" - owner: root - group: root - mode: '0644' - notify: restart sshd - with_items: - - /etc/issue - - /etc/issue.net - when: - # - not system_is_ec2 - - rhel_08_010040 or - rhel_08_010060 - tags: - - RHEL-08-010040 - - RHEL-08-010060 - -- name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." 
- copy: - dest: /etc/dconf/db/local.d/01-banner-message - content: | - [org/gnome/login-screen] - banner-message-enable=true - banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' - mode: '0644' - owner: root - group: root - vars: - newline: "\n" - notify: dconf update - when: - - rhel_08_010050 - - "'dconf' in ansible_facts.packages" - - rhel8stig_always_configure_dconf - - tags: - - RHEL-08-010050 - -- name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - lineinfile: - path: /etc/rsyslog.d/50-default.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - create: yes - mode: '0644' - notify: restart rsyslog - with_items: - - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } - - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } - when: - - rhel_08_010070 - tags: - - RHEL-08-010070 - -# This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. -- name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." - block: - - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" - command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem - changed_when: false - failed_when: false - register: rhel_08_010090_certs_list - - - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. 
| Message out certs" - debug: - msg: - - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" - - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" - - "{{ rhel_08_010090_certs_list.stdout_lines }}" - when: - - rhel_08_010090 - tags: - - RHEL-08-010090 - -- name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." - block: - - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" - file: - path: "{{ rhel8stig_path_to_sshkey }}" - state: directory - mode: '0700' - - - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" - openssh_keypair: - path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" - when: - - rhel_08_010100 - tags: - - RHEL-08-010100 - -- name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." - lineinfile: - path: /etc/login.defs - regexp: '^ENCRYPT_METHOD.*' - line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" - when: - - rhel_08_010110 - tags: - - RHEL-08-010110 - - login - -- name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." - block: - - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" - command: 'cat /etc/shadow | grep -v "*" | grep -v "!" 
| grep -v ":$6$" | cut -f1 -d:' - changed_when: false - failed_when: false - register: rhel_08_010120_non_fips_hashed_accounts - - - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" - command: "passwd -l {{ item }}" - args: - warn: no - with_items: - - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" - when: - - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 - - - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" - debug: - msg: - - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" - - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" - when: - - not rhel8stig_disruption_high - - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 - when: - - rhel_08_010120 - - rhel8stig_disruption_high - tags: - - RHEL-08-010120 - - disruption_high - -- name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" - pamd: - name: "{{ item }}" - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" - state: args_present - with_items: - - password-auth - - system-auth - when: - - rhel_08_010130 - tags: - - RHEL-08-010130 - -- name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." 
- lineinfile: - path: /usr/lib/systemd/system/rescue.service - regexp: '^ExecStart=' - line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" - create: yes - owner: root - group: root - mode: 0644 - - when: - - rhel_08_010151 - tags: - - RHEL-08-010151 - - systemd - -- name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument" - pamd: - name: "{{ item }}" - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: sha512 - state: args_present - with_items: - - password-auth - - system-auth - when: - - rhel_08_010160 - tags: - - RHEL-08-010160 - -- name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." - block: - - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" - find: - path: / - patterns: '*.keytab' - recurse: yes - register: rhel8stig_010161_keytab_files - - - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files" - file: - path: "{{ item.path }}" - state: absent - with_items: - - "{{ rhel8stig_010161_keytab_files.files }}" - when: rhel8stig_010161_keytab_files.matched > 0 - when: - - rhel_08_010161 - tags: - - RHEL-08-010161 - - kerberos - -- name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8." - dnf: - name: krb5-workstation - state: absent - when: - - rhel_08_010162 - tags: - - RHEL-08-010162 - - kerberos - -- name: | - "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services." - "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." 
- selinux: - state: enforcing - policy: targeted - check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" - notify: reboot system - when: - - rhel_08_010170 or rhel_08_010450 - - not rhel8stig_system_is_container - - rhel8stig_disruption_high - tags: - - RHEL-08-010170 - - RHEL-08-010450 - - selinux - - disruption_high - -- name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources." - block: - - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root" - shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'" - changed_when: false - failed_when: false - register: rhel_08_010180_public_not_root_owned - - - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders" - file: - path: "{{ item }}" - owner: root - group: root - with_items: - - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}" - when: - - rhel_08_010180 - tags: - - RHEL-08-010180 - -- name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." - block: - - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" - shell: "find / -type d \\( -perm -0002 -a ! 
-perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" - changed_when: false - failed_when: false - register: rhel_08_010190_world_writable_files - - - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" - file: - path: "{{ item }}" - mode: '1777' - with_items: - - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" - when: - - rhel_08_010190 - tags: - - RHEL-08-010190 - -- name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." - lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: restart sshd - with_items: - - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} - - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } - when: - - rhel_08_010200 - - rhel8stig_ssh_required - tags: - - RHEL-08-010200 - - ssh - -- name: | - "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." - "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." - "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." - file: - path: /var/log/messages - owner: root - group: root - mode: '0640' - when: - - rhel_08_010210 or - rhel_08_010220 or - rhel_08_010230 - tags: - - RHEL-08-010210 - - RHEL-08-010220 - - RHEL-08-010230 - -- name: | - "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." 
- "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." - file: - path: /var/log - owner: root - group: root - mode: '0755' - when: - - rhel_08_010240 or - rhel_08_010250 or - rhel_08_010260 - tags: - - RHEL-08-010240 - - RHEL-08-010250 - - RHEL-08-010260 - -- name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." - "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" - block: - - name: | - "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" - "MEDIUM | RHEL-08-010291 | AUDIT | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Get current FIPS mode state" - command: fips-mode-setup --check - changed_when: false - failed_when: false - register: rhel_08_010290_pre_fips_check - - - name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" - "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Enable FIPS" - command: fips-mode-setup --enable - register: rhel_08_010290_fips_enable - notify: reboot system - when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' - - - name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. 
| Add ssh ciphers" - "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Add ssh ciphers" - lineinfile: - path: "{{ item.path }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: reboot system - with_items: - - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } - - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } - when: - - rhel_08_010290 or - rhel_08_010291 - tags: - - RHEL-08-010290 - - RHEL-08-010291 - - fips - -- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." - block: - - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" - command: fips-mode-setup --check - changed_when: false - failed_when: false - register: rhel_08_010293_pre_fips_check - - - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" - command: fips-mode-setup --enable - register: rhel_08_010290_fips_enable - notify: reboot system - when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' - when: - - rhel_08_010293 - tags: - - RHEL-08-010293 - - fips - -- name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." 
- lineinfile: - path: /etc/crypto-policies/back-ends/opensslcnf.config - regexp: '^MinProtocol =' - line: "MinProtocol = TLSv1.2" - notify: reboot system - when: - - rhel_08_010294 - tags: - - RHEL-08-010294 - - openssl - -- name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" - lineinfile: - path: /etc/crypto-policies/back-ends/gnutls.config - regexp: '^(.*\+VERS-ALL:)' - line: '\1{{ rhel8stig_gnutls_encryption }}' - backrefs: true - create: yes - owner: root - group: root - mode: 0640 - notify: reboot system - when: - - rhel_08_010295 - tags: - - RHEL-08-010295 - - gnutls - -- name: | - "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." - "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." - block: - - name: | - "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" - "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" - "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" - shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_010300_commands - - - name: | - "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" - "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" - "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. 
| Set permissions" - file: - path: "{{ item }}" - owner: root - group: root - mode: '0755' - force: yes - with_items: - - "{{ rhel_08_010300_commands.stdout_lines }}" - when: - - rhel_08_010300 or - rhel_08_010310 or - rhel_08_010320 - tags: - - RHEL-08-010300 - - RHEL-08-010310 - - RHEL-08-010320 - -- name: | - "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." - "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root." - block: - - name: | - "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" - "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" - "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" - shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_010330_library_files - - - name: | - "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" - "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" - "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. 
| Get library files not group-owned by root" - file: - path: "{{ item }}" - owner: root - group: root - mode: '0755' - with_items: - - "{{ rhel_08_010330_library_files.stdout_lines }}" - when: - - rhel_08_010330 or - rhel_08_010340 or - rhel_08_010350 - tags: - - RHEL-08-010330 - - RHEL-08-010340 - - RHEL-08-010350 - -- name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." - cron: - name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' - user: "{{ rhel8stig_aide_cron.user }}" - cron_file: "{{ rhel8stig_aide_cron.cron_file }}" - job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" - minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | - ternary('0', omit)) | default(omit) }}" - hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | - ternary('0', omit)) | default(omit) }}" - weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['weekly']) | - ternary('0', omit)) | default(omit) }}" - day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['monthly']) | - ternary('1', omit)) | default(omit) }}" - special_time: "{{ (rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | - ternary(omit, rhel8stig_aide_cron.special_time) }}" - when: - - rhel_08_010360 - - rhel8stig_disruption_high - tags: - - RHEL-08-010360 - - aide - -- name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 
must prevent the loading of a new kernel for later execution." - block: - - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.kexec_load_disabled =' - line: "kernel.kexec_load_disabled = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^kernel.kexec_load_disabled =' - line: "kernel.kexec_load_disabled = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010372 - tags: - - RHEL-08-010372 - - sysctl - -- name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." - block: - - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^fs.protected_symlinks =' - line: "fs.protected_symlinks = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. 
| Set protected symlinks if no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^fs.protected_symlinks =' - line: "fs.protected_symlinks = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010373 - tags: - - RHEL-08-010373 - - sysctl - -- name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." - block: - - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^fs.protected_hardlinks =' - line: "fs.protected_hardlinks = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^fs.protected_hardlinks =' - line: "fs.protected_hardlinks = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010374 - tags: - - RHEL-08-010374 - - sysctl - -- name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." - replace: - path: "{{ item }}" - regexp: '^([^#].*)NOPASSWD(.*)' - replace: '\1PASSWD\2' - with_items: - - "{{ rhel8stig_sudoers_files.stdout_lines }}" - when: - - rhel_08_010380 - - rhel8stig_using_password_auth - tags: - - RHEL-08-010380 - - sudoers - -- name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." 
- replace: - path: "{{ item }}" - regexp: '^([^#].*)!authenticate(.*)' - replace: '\1authenticate\2' - with_items: - - "{{ rhel8stig_sudoers_files.stdout_lines }}" - when: - - rhel_08_010381 - - rhel8stig_using_password_auth - tags: - - RHEL-08-010381 - - sudoers - -- name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." - block: - - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" - dnf: - name: esc - state: present - when: rhel8stig_gui - - - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" - dnf: - name: openssl-pkcs11 - state: present - when: - - rhel_08_010390 - tags: - - RHEL-08-010390 - - multifactor - -- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." - lineinfile: - path: '{{ rhel8stig_sssd_conf }}' - regexp: '^certificate_verification = {{ item }}' - state: absent - with_items: - - 'no_ocsp, no_verification' - - no_ocsp - - no_verification - notify: restart sssd - when: - - "'sssd' in ansible_facts.packages" - - rhel8stig_sssd_conf_present.stat.exists - - rhel_08_010400 - tags: - - RHEL-08-010400 - -- name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." - dnf: - name: opensc - state: present - when: - - rhel_08_010410 - tags: - - RHEL-08-010410 - - opensc - - piv - -- name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." - block: - - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. 
| Get NX bit state" - shell: dmesg |grep "NX (" - changed_when: false - failed_when: false - register: rhel_08_010420_nx_bit_state - - - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" - debug: - msg: - - "Good News! You are setup with execute disable active." - when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' - - - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" - debug: - msg: - - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" - when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' - when: - - rhel_08_010420 - tags: - - RHEL-08-010420 - -- name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." - block: - - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_010421_grub_cmdline_linux - - - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active" - shell: grubby --update-kernel=ALL --args="page_poison=1" - - - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
| Set page poison 1 for kernel updates if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"' - when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout' - - - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists" - replace: - path: /etc/default/grub - regexp: 'page_poison=([^\s|"])+' - replace: "page_poison=1" - when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout' - when: - - rhel_08_010421 - tags: - - RHEL-08-010421 - - grub - -- name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls." - block: - - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_010422_grub_cmdline_linux - - - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" - shell: grubby --update-kernel=ALL --args="vsyscall=none" - - - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"' - when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout' - - - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. 
| Set vsyscall none for kernel updates if exists" - replace: - path: /etc/default/grub - regexp: 'vsyscall=([^\s|"])+' - replace: "vsyscall=none" - when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout' - when: - - rhel_08_010422 - tags: - - RHEL-08-010422 - - grub - -- name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks." - block: - - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_010423_grub_cmdline_linux - - - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" - shell: grubby --update-kernel=ALL --args="slub_debug=P" - - - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"' - when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout' - - - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists" - replace: - path: /etc/default/grub - regexp: 'slub_debug=([^\s|"])+' - replace: "slub_debug=P" - when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout' - when: - - rhel_08_010423 - tags: - - RHEL-08-010423 - - grub - -- name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." 
- sysctl: - name: kernel.randomize_va_space - value: '2' - state: present - reload: "{{ rhel8stig_sysctl_reload }}" - sysctl_set: yes - ignoreerrors: yes - notify: sysctl system - when: - - rhel_08_010430 - tags: - - RHEL-08-010430 - - sysctl - -- name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files" - find: - paths: /etc/ssh - recurse: yes - file_type: file - patterns: 'ssh_host*_key.pub' - hidden: true - changed_when: false - failed_when: false - register: rhel_08_010480_public_files - - - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" - file: - path: "{{ item.path }}" - mode: '0644' - with_items: - - "{{ rhel_08_010480_public_files.files }}" - notify: restart sshd - when: - - rhel_08_010480 - - rhel8stig_ssh_required - tags: - - RHEL-08-010480 - - ssh - -- name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files" - find: - paths: /etc/ssh - recurse: yes - file_type: file - patterns: 'ssh_host*key' - hidden: true - changed_when: false - failed_when: false - register: rhel_08_010490_private_host_key_files - - - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. 
| Set permissions" - file: - path: "{{ item.path }}" - mode: '0640' - with_items: - - "{{ rhel_08_010490_private_host_key_files.files }}" - notify: restart sshd - when: - - rhel_08_010490 - - rhel8stig_ssh_required - tags: - - RHEL-08-010490 - - ssh - -- name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?StrictModes' - line: 'StrictModes yes' - notify: restart sshd - when: - - rhel_08_010500 - - rhel8stig_ssh_required - tags: - - RHEL-08-010500 - - ssh - -- name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?Compression' - line: 'Compression {{ rhel8stig_sshd_compression }}' - notify: restart sshd - when: - - rhel_08_010510 - - rhel8stig_ssh_required - tags: - - RHEL-08-010510 - - ssh - -- name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?IgnoreUserKnownHosts' - line: 'IgnoreUserKnownHosts yes' - notify: restart sshd - when: - - rhel_08_010520 - - rhel8stig_ssh_required - tags: - - RHEL-08-010520 - - ssh - -- name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication." - lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" } - - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" } - notify: restart sshd - when: - - rhel_08_010521 - tags: - - RHEL-08-010521 - - ssh - -- name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." - debug: - msg: "WARNING!!!! 
/tmp is not mounted on a separate partition" - changed_when: - - rhel8stig_audit_complex - when: - - rhel_08_010543 - - not rhel8stig_system_is_container - - rhel8stig_complex - - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 - tags: - - RHEL-08-010543 - - complexity-high - - mount - - tmp - -- name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?PermitRootLogin' - line: 'PermitRootLogin no' - notify: restart sshd - when: - - rhel_08_010550 - - rhel8stig_ssh_required - tags: - - RHEL-08-010550 - - ssh - -- name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8." - service: - name: auditd - state: started - enabled: yes - when: - - rhel_08_010560 - - not rhel8stig_system_is_container - tags: - - RHEL-08-010560 - - auditd - -- name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." - service: - name: rsyslog.service - state: started - enabled: true - when: - - rhel_08_010561 - tags: - - RHEL-08-010561 - - rsyslog - -- name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." - mount: - path: /home - state: mounted - src: "{{ home_mount.device }}" - fstype: "{{ home_mount.fstype }}" - opts: "{{ home_mount.options }},nosuid" - when: - - rhel_08_010570 - - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - - "'nosuid' not in home_mount.options" - vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" - tags: - - RHEL-08-010570 - - mounts - - home - -- name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory." 
- mount: - path: /boot - state: mounted - src: "{{ boot_mount.device }}" - fstype: "{{ boot_mount.fstype }}" - opts: "{{ boot_mount.options }},nosuid" - when: - - rhel_08_010571 - - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0 - - "'nosuid' not in boot_mount.options" - vars: - boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}" - tags: - - RHEL-08-010571 - - mounts - - boot - -- name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." - block: - - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" - shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' - args: - warn: no - changed_when: no - check_mode: no - register: rhel8stig_010580_mounts_nodev - - - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results" - set_fact: - rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}" - - with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}" - vars: - ld_mount_regex: >- - ^(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*) - ld_mount_yaml: | - device: >-4 - \g - mpoint: >-4 - \g - fs: >-4 - \g - opts: >-4 - \g - when: rhel8stig_010580_mounts_nodev.stdout | length > 0 - - - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. 
| Set value" - mount: - path: "{{ item.mpoint }}" - state: mounted - src: "{{ item.device }}" - fstype: "{{ item.fs }}" - opts: "{{ item.opts }},nodev" - with_items: - - "{{ rhel8stig_010580_mounts | default([]) }}" - when: - - item.device != "/" - - "'odev' not in item.opts" - - rhel8stig_010580_mounts_nodev.stdout | length > 0 - when: - - rhel_08_010580 - tags: - - RHEL-08-010580 - - mounts - - non-root - -- name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories." - mount: - path: /home - state: mounted - src: "{{ home_mount.device }}" - fstype: "{{ home_mount.fstype }}" - opts: "{{ home_mount.options }},noexec" - when: - - rhel_08_010590 - - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - - "'noexec' not in home_mount.options" - vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" - tags: - - RHEL-08-010590 - - mounts - - home - -- name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media." - block: - - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media" - mount: - path: /media - state: mounted - src: "{{ removable_mount.device }}" - fstype: "{{ removable_mount.fstype }}" - opts: "{{ removable_mount.options }},nodev" - when: - - rhel_08_010600 - - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - - - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. 
| Set nodev to /mnt" - mount: - path: /mnt - state: mounted - src: "{{ removable_mount2.device }}" - fstype: "{{ removable_mount2.fstype }}" - opts: "{{ removable_mount2.options }},nodev" - when: - - rhel_08_010600 - - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" - when: - - rhel_08_010600 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - tags: - - RHEL-08-010600 - - mounts - - media - -- name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media." - block: - - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /media" - mount: - path: /media - state: mounted - src: "{{ removable_mount.device }}" - fstype: "{{ removable_mount.fstype }}" - opts: "{{ removable_mount.options }},noexec" - when: - - rhel_08_010600 - - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - - - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. 
| Set noexec to /mnt" - mount: - path: /mnt - state: mounted - src: "{{ removable_mount2.device }}" - fstype: "{{ removable_mount2.fstype }}" - opts: "{{ removable_mount2.options }},noexec" - when: - - rhel_08_010610 - - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" - when: - - rhel_08_010610 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - tags: - - RHEL-08-010610 - - mounts - - media - -- name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." - block: - - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media" - mount: - path: /media - state: mounted - src: "{{ removable_mount.device }}" - fstype: "{{ removable_mount.fstype }}" - opts: "{{ removable_mount.options }},nosuid" - when: - - rhel_08_010620 - - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - - - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set nosuid to /mnt" - mount: - path: /mnt - state: mounted - src: "{{ removable_mount2.device }}" - fstype: "{{ removable_mount2.fstype }}" - opts: "{{ removable_mount2.options }},nosuid" - when: - - rhel_08_010620 - - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" - when: - - rhel_08_010620 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - tags: - - RHEL-08-010620 - - mounts - - media - -- name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)." - mount: - path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},noexec" - state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' - with_items: "{{ rhel8stig_nfs_mounts }}" - when: - - rhel_08_010630 - - "'noexec' not in (ansible_mounts | json_query(options_query))" - tags: - - RHEL-08-010630 - - mounts - - nfs - -- name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)." 
- mount: - path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},nodev" - state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' - with_items: "{{ rhel8stig_nfs_mounts }}" - when: - - rhel_08_010640 - - "'nodev' not in (ansible_mounts | json_query(options_query))" - tags: - - RHEL-08-010640 - -- name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)" - mount: - path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},nosuid" - state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' - with_items: "{{ rhel8stig_nfs_mounts }}" - when: - - rhel_08_010650 - - "'nosuid' not in (ansible_mounts | json_query(options_query))" - tags: - - RHEL-08-010650 - -- name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs." - block: - - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions" - shell: find {{ item.mount }} -xdev -type f -perm -002 - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_010660_world_writable_files - with_items: - - "{{ ansible_mounts }}" - - - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. 
| Set fact for flattening" - set_fact: - rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}" - - - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories" - include_tasks: audit_homedirinifiles.yml - loop: - - "{{ rhel_08_stig_interactive_homedir_inifiles }}" - loop_control: - loop_var: ini_item - when: - - rhel_08_010660_change_perms != [] - - - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions" - file: - path: "{{ item }}" - mode: '0755' - state: file - with_items: - - "{{ rhel_08_010660_change_perms }}" - when: - - rhel_08_010660_change_perms != [] - when: - - rhel_08_010660 - - rhel8stig_disruption_high - # - rhel_08_stig_interactive_homedir_inifiles is defined - tags: - - RHEL-08-010660 - -- name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed." - service: - name: kdump - enabled: no - state: stopped - when: - - rhel_08_010670 - - not rhel8stig_kdump_needed - tags: - - RHEL-08-010670 - - kdump - -- name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." - block: - - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.core_pattern =' - line: "kernel.core_pattern = |/bin/false" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. 
| Set kernel core pattern if no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^kernel.core_pattern =' - line: "kernel.core_pattern = |/bin/false" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010671 - tags: - - RHEL-08-010671 - - sysctl - -- name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps." - systemd: - name: systemd-coredump.socket - masked: yes - daemon_reload: yes - notify: systemctl daemon-reload - when: - - rhel_08_010672 - tags: - - RHEL-08-010672 - - systemd - -- name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users." - lineinfile: - path: /etc/security/limits.conf - regexp: '^\*.*hard.*core' - line: "* hard core 0" - insertbefore: '# End of file' - when: - - rhel_08_010673 - tags: - - RHEL-08-010673 - - security - - limits - -- name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps." - lineinfile: - path: /etc/systemd/coredump.conf - regexp: '^(S|s)torage=|#(S|s)torage=' - line: "Storage=none" - when: - - rhel_08_010674 - tags: - - RHEL-08-010674 - - systemd - -- name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces." - lineinfile: - path: /etc/systemd/coredump.conf - regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax=' - line: "ProcessSizeMax=0" - when: - - rhel_08_010675 - tags: - - RHEL-08-010675 - - systemd - -# NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service. -- name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured." 
- block: - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf" - shell: grep "dns" /etc/nsswitch.conf | grep -v "#" - changed_when: no - failed_when: false - check_mode: no - register: rhel_08_010680_nsswitch_check - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf" - command: grep -c "# Generated by NetworkManager" /etc/resolv.conf - changed_when: no - failed_when: false - check_mode: no - register: rhel_08_010680_networkmanager_check - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf" - shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l - changed_when: no - failed_when: false - check_mode: no - register: rhel_08_010680_nameserver_count - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf" - shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf - when: - - "'dns' not in rhel_08_010680_nsswitch_check.stdout" - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Set resolv.conf if dns is set in nsswitch.conf" - lineinfile: - dest: /etc/resolv.conf - regexp: "{{ item.regexp }}" - line: "nameserver {{ item.line }}" - insertafter: "{{ item.after }}" - with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers - - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search } - - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' } - # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' } - when: - - not rhel8_stig_use_resolv_template - - rhel_08_010680_networkmanager_check.stdout == '0' - - rhel_08_010680_nameserver_count.stdout | int >= 2 - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf using a template when not NetworkManager controlled" - template: - src: resolv.conf.j2 - dest: /etc/resolv.conf - owner: root - group: root - mode: 0644 - when: - - rhel_08_010680_networkmanager_check.stdout == '0' - - rhel8_stig_use_resolv_template - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp." - debug: - msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations." 
- changed_when: true - when: - - rhel_08_010680_networkmanager_check.stdout != '0' or rhel_08_010680_nameserver_count.stdout| int < 2 - - not rhel8_stig_use_resolv_template - when: - - rhel_08_010680 - - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container - - not system_is_ec2 - tags: - - RHEL-08-010680 - -- name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - block: - - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files" - shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath - with_items: "{{ rhel_08_stig_interactive_homedir_results }}" - register: rhel_08_010690_ini_path_grep_list - changed_when: no - failed_when: false - - - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - debug: - msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory. - with_items: - - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" - - - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." 
- lineinfile: - path: "{{ item }}" - regexp: "^PATH=" - line: "{{ rhel_08_010690_user_path }}" - with_items: - - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" - when: - - rhel_08_010690 - - rhel8stig_disruption_high - - rhel8stig_change_user_path - tags: - - RHEL-08-010690 - - complexity-high - -- name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group." - block: - - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999 - changed_when: false - failed_when: false - register: rhel_08_010700_world_writable_directories - - - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions" - file: - path: "{{ item }}" - owner: root - with_items: - - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}" - when: rhel_08_010700_world_writable_directories.stdout | length > 0 - when: - - rhel_08_010700 - tags: - - RHEL-08-010700 - -- name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group." - block: - - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999 - changed_when: false - failed_when: false - register: rhel_08_010710_world_writable_directories - - - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. 
| Set permissions" - file: - path: "{{ item }}" - group: root - with_items: - - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}" - when: rhel_08_010710_world_writable_directories.stdout | length > 0 - when: - - rhel_08_010710 - tags: - - RHEL-08-010710 - -- name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file." - block: - - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory" - shell: pwck -r | grep user | cut -f2 -d"'" - changed_when: false - failed_when: false - register: rhel_08_010720_users_no_home_dir - - - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory" - shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}' - changed_when: false - failed_when: false - register: rhel_08_010720_user_list - - - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list" - debug: - msg: - - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" - - "{{ rhel_08_010720_user_list.stdout_lines }}" - when: rhel_08_010720_user_list.stdout | length > 0 - when: - - rhel_08_010720 - tags: - - RHEL-08-010720 - -- name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." 
- shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) - changed_when: false - failed_when: false - register: rhel_08_010730_home_directories - - - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - file: - path: "{{ item }}" - mode: 0750 - with_items: - - "{{ rhel_08_010730_home_directories.stdout_lines }}" - when: rhel_08_010730_home_directories.stdout | length > 0 - when: - - rhel_08_010730 - tags: - - RHEL-08-010730 - -- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." - file: - path: "{{ item.dir }}" - group: "{{ item.gid }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010740 - - item.uid >= rhel8stig_interactive_uid_start - tags: - - skip_ansible_lint - - RHEL-08-010740 - -- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." - file: - path: "{{ item.dir }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010750 - - item.uid >= rhel8stig_interactive_uid_start - tags: - - skip_ansible_lint - - RHEL-08-010750 - -- name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." - lineinfile: - path: /etc/login.defs - regexp: '.*?CREATE_HOME.*' - line: CREATE_HOME yes - when: - - rhel_08_010760 - tags: - - RHEL-08-010760 - - login - - home - -- name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." 
- file:
- path: "{{ item }}"
- mode: 0740
- with_items:
- - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
- when:
- - rhel_08_010770
- - rhel8stig_disruption_high
- - rhel_08_stig_interactive_homedir_inifiles is defined
- tags:
- - RHEL-08-010770
- - complexity-high
-
-- name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
- block:
- - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
- shell: find / -nouser
- args:
- warn: no
- changed_when: false
- failed_when: false
- register: rhel_08_010780_nouser_files
-
- - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
- debug:
- msg:
- - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner"
- - "{{ rhel_08_010780_nouser_files.stdout_lines }}"
- when: rhel_08_010780_nouser_files.stdout | length > 0
- when:
- - rhel_08_010780
- tags:
- - RHEL-08-010780
-
-- name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner."
- block:
- - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files"
- shell: find / -nogroup
- changed_when: false
- failed_when: false
- register: rhel_08_010790_nogroup_files
-
- - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files"
- debug:
- msg:
- - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group"
- - "{{ rhel_08_010790_nogroup_files.stdout_lines }}"
- when: rhel_08_010790_nogroup_files.stdout | length > 0
- when:
- - rhel_08_010790
- tags:
- - RHEL-08-010790
-
-- name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."
- debug:
- msg: "WARNING!!!! /home is not mounted on a separate partition"
- changed_when:
- - rhel8stig_audit_complex
- when:
- - rhel_08_010800
- - not rhel8stig_system_is_container
- - rhel8stig_complex
- - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0
- tags:
- - RHEL-08-010800
- - complexity-high
- - mount
- - home
-
-- name: "MEDIUM | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed."
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '(?i)^#?PermitUserEnvironment'
- line: 'PermitUserEnvironment no'
- notify: restart sshd
- when:
- - rhel_08_010830
- - rhel8stig_disruption_high
- tags:
- - RHEL-08-010830
- - ssh
- - disruption_high
-
-- name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
- debug:
- msg:
- - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
- - "To do this please run sudo chage -l account_name for the accounts you need to check"
- - "The results will display the Account Expires information"
- - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name'
- when:
- - rhel_08_020000
- tags:
- - RHEL-08-020000
-
-- name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
- block:
- - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
| Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020010
- tags:
- - RHEL-08-020010
- - pamd
-
-- name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
- block:
- - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
| Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf"
- lineinfile:
- path: "/etc/security/faillock.conf"
- regexp: '^deny =|^\# deny ='
- line: "deny = {{ rhel8stig_pam_faillock.attempts }}"
- when:
- - rhel_08_020011
- tags:
- - RHEL-08-020011
- - pamd
-
-- name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
- block:
- - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020012
- tags:
- - RHEL-08-020012
- - pamd
-
-- name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
- block:
- - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
| Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
| Set fail_interval in faillock.conf"
- lineinfile:
- path: "/etc/security/faillock.conf"
- regexp: '^fail_interval =|^\# fail_interval ='
- line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}"
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020013
- tags:
- - RHEL-08-020013
- - pamd
-
-- name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
- block:
- - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
| Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020013
- tags:
- - RHEL-08-020013
- - pamd
-
-- name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
- block:
- - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf"
- lineinfile:
- path: "/etc/security/faillock.conf"
- regexp: '^unlock_time =|^\# unlock_time ='
- line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}"
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020015
- tags:
- - RHEL-08-020015
- - pamd
-
-- name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist."
- block:
- - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020016
- tags:
- - RHEL-08-020016
- - pamd
-
-- name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist."
- block:
- - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist.
| Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf"
- lineinfile:
- path: "/etc/security/faillock.conf"
- regexp: '^dir =|^\# dir ='
- line: "dir = /var/log/faillock"
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020017
- tags:
- - RHEL-08-020017
- - pamd
-
-- name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
- block:
- - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020018
- tags:
- - RHEL-08-020018
- - pamd
-
-- name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
- block:
- - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
| Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf"
- lineinfile:
- path: "/etc/security/faillock.conf"
- regexp: '^silent|^\# silent'
- line: "silent"
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020019
- tags:
- - RHEL-08-020019
- - pamd
-
-- name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
- block:
- - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020020
- tags:
- - RHEL-08-020020
- - pamd
-
-- name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
- block:
- - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur.
| Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf"
- lineinfile:
- path: "/etc/security/faillock.conf"
- regexp: '^audit|^\# audit'
- line: "audit"
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020021
- tags:
- - RHEL-08-020021
- - pamd
-
-- name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
- block:
- - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020022
- tags:
- - RHEL-08-020022
- - pamd
-
-- name: "MEDIUM | RHEL-020023| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
- block:
- - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set authfail"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
- insertafter: '^auth'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
- lineinfile:
- path: "/etc/pam.d/{{ item }}"
- regexp: '^account required pam_faillock.so'
- line: 'account required pam_faillock.so'
- insertafter: '^account'
- notify: restart sssd
- with_items:
- - system-auth
- - password-auth
-
- - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf"
- lineinfile:
- path: "/etc/security/faillock.conf"
- regexp: '^even_deny_root|^\# even_deny_root'
- line: "even_deny_root"
- with_items:
- - system-auth
- - password-auth
- when:
- - rhel_08_020023
- tags:
- - RHEL-08-020023
- - pamd
-
-- name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
- block:
- - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
| Check for lock-enabled"
- command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:"
- changed_when: false
- failed_when: false
- register: rhel_08_020030_lock_enabled
-
- - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
- lineinfile:
- path: "{{ rhel_08_020030_lock_enabled.stdout }}"
- regexp: '^lock-enabled'
- line: lock-enabled=true
- when: rhel_08_020030_lock_enabled.stdout | length > 0
- notify: dconf update
-
- - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist"
- lineinfile:
- path: /etc/dconf/db/local.d/00-screensaver
- create: yes
- regexp: '^lock-enabled'
- owner: root
- group: root
- mode: 0644
- line: |
- [org/gnome/desktop/screensaver]
- # Set this to true to lock the screen when the screensaver activates
- lock-enabled=true
- when: rhel_08_020030_lock_enabled.stdout | length == 0
- notify: dconf update
- when:
- - rhel_08_020030
- - "'dconf' in ansible_facts.packages"
- - rhel8stig_always_configure_dconf
- - tags:
- - RHEL-08-020030
- - gui
-
-- name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
- block:
- - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.
| Install tmux" - dnf: - name: tmux - state: present - - - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux" - lineinfile: - path: /etc/tmux.conf - regexp: '^set \-g' - line: "set -g lock-command vlock" - create: yes - owner: root - group: root - mode: 0644 - when: - - rhel_08_020040 - tags: - - RHEL-08-020040 - - tmux - -- name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization." - lineinfile: - path: /etc/bashrc - regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]' - line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux' - when: - - rhel_08_020041 - tags: - - RHEL-08-020041 - - tmux - -- name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." - block: - - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_020050_removal_action - - - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" - changed_when: false - failed_when: false - register: rhel_08_020050_removal_action_file - - - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
| Set removal-action param if doesn't exist" - lineinfile: - path: /etc/dconf/db/distro.d/20-authselect - create: yes - owner: root - group: root - mode: 0644 - line: | - [org/gnome/settings-daemon/peripherals/smartcard] - removal-action='lock-screen' - when: rhel_08_020050_removal_action.stdout | length == 0 - notify: dconf update - - - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" - lineinfile: - path: "{{ rhel_08_020050_removal_action.stdout }}" - regexp: ^removal-action= - line: removal-action='lock-screen' - when: rhel_08_020050_removal_action.stdout | length > 0 - notify: dconf update - - - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" - lineinfile: - path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}' - line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - when: rhel_08_020050_removal_action_file.stdout | length > 0 - notify: dconf update - - - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" - lineinfile: - path: /etc/dconf/db/distro.d/locks/20-authselect - create: yes - line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - owner: root - group: root - mode: 0640 - when: rhel_08_020050_removal_action_file.stdout | length == 0 - notify: dconf update - when: - - rhel_08_020050 - tags: - - RHEL-08-020050 - - smartcard - -- name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." 
- block: - - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" - shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_020060_idle_delay_param - - - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist" - lineinfile: - path: /etc/dconf/db/local.d/00-screensaver - create: yes - owner: root - group: root - mode: 0640 - regexp: '^idle-delay' - line: | - [org/gnome/desktop/session] - # Set the lock time out to 900 seconds before the session is considered idle - idle-delay=uint32 900 - notify: dconf update - when: rhel_08_020060_idle_delay_param.stdout | length == 0 - - - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" - lineinfile: - path: "{{ rhel_08_020060_idle_delay_param.stdout }}" - regexp: '^idle-delay=' - line: idle-delay=uint32 900 - owner: root - group: root - mode: 0640 - notify: dconf update - when: rhel_08_020060_idle_delay_param.stdout | length > 0 - when: - - rhel_08_020060 - - "'dconf' in ansible_facts.packages" - - rhel8stig_always_configure_dconf - - tags: - - RHEL-08-020060 - - gui - -- name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." - lineinfile: - path: /etc/tmux.conf - regexp: '^set -g lock-after-time' - line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020070 - tags: - - RHEL-08-020070 - - tmux - -- name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings." 
- lineinfile: - path: /etc/dconf/db/local.d/locks/session - create: yes - line: "{{ item }}" - owner: root - group: root - mode: 0640 - with_items: - - /org/gnome/desktop/session/idle-delay - - /org/gnome/desktop/screensaver/lock-enabled - - /org/gnome/desktop/screensaver/lock-delay - - /org/gnome/settings-daemon/plugins/media-keys/logout - - /org/gnome/login-screen/disable-user-list - - /org/gnome/login-screen/banner-message-text - - /org/gnome/login-screen/banner-message-enable - - /org/gnome/desktop/lockdown/disable-lock-screen - when: - - rhel_08_020080 - - "'dconf' in ansible_facts.packages" - - rhel8stig_always_configure_dconf - tags: - - RHEL-08-020080 - -- name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." - lineinfile: - path: "{{ rhel8stig_sssd_conf }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - owner: root - group: root - mode: 0640 - with_items: - - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } - - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } - - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' } - - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' } - notify: restart sssd - when: - - "'sssd' in ansible_facts.packages" - - rhel8stig_sssd_conf_present.stat.exists - - rhel_08_020090 - tags: - - RHEL-08-020090 - -- name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled." 
- lineinfile: - path: "{{ item.path }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: '^password' - owner: root - group: root - mode: 0640 - with_items: - - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } - - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } - when: - - rhel_08_020100 - tags: - - RHEL-08-020100 - -- name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: '^#?\s*ucredit' - line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" - when: - - rhel_08_020110 - tags: - - RHEL-08-020110 - - pwquality - -- name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: '^#?\s*lcredit' - line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}" - when: - - rhel_08_020120 - tags: - - RHEL-08-020120 - - pwquality - -- name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: '^#?\s*dcredit' - line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}" - when: - - rhel_08_020130 - tags: - - RHEL-08-020130 - - pwquality - -- name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." 
- lineinfile: - path: /etc/security/pwquality.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: '^#?\s*maxclassrepeat' - line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" - when: - - rhel_08_020140 - tags: - - RHEL-08-020140 - - pwquality - -- name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: '^#?\s*maxrepeat' - line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}" - when: - - rhel_08_020150 - tags: - - RHEL-08-020150 - - pwquality - -- name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: '^#?\s*minclass' - line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}" - when: - - rhel_08_020160 - tags: - - RHEL-08-020160 - - pwquality - -- name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: '^#?\s*difok' - line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}" - when: - - rhel_08_020170 - tags: - - RHEL-08-020170 - - pwquality - -- name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow." - block: - - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. 
| Get list of users" - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" - changed_when: false - failed_when: false - register: rhel_08_020180_users - - - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction" - command: chage -m 1 {{ item }} - with_items: "{{ rhel_08_020180_users.stdout_lines }}" - when: - - rhel_08_020180 - tags: - - RHEL8-08-020180 - - password - -- name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def." - lineinfile: - path: /etc/login.defs - create: yes - owner: root - group: root - mode: 0644 - regexp: ^#?PASS_MIN_DAYS - line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}" - when: - - rhel_08_020190 - tags: - - RHEL-08-020190 - - login - -- name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction." - lineinfile: - path: /etc/login.defs - create: yes - owner: root - group: root - mode: 0644 - regexp: ^#?PASS_MAX_DAYS - line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}" - when: - - rhel_08_020200 - tags: - - RHEL-08-020200 - - login - -- name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime." - block: - - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. 
| Get list of users" - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" - check_mode: no - changed_when: rhel_08_020210_users.stdout | length > 0 - register: rhel_08_020210_users - - - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user." - command: chage -d '-1 day' {{ item }} - check_mode: "{{ rhel8stig_disruptive_check_mode }}" - with_items: "{{ rhel_08_020210_users.stdout_lines }}" - - - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime" - command: chage -M 60 {{ item }} - check_mode: "{{ rhel8stig_disruptive_check_mode }}" - with_items: "{{ rhel_08_020210_users.stdout_lines }}" - when: - - rhel_08_020210 - - rhel8stig_disruption_high - tags: - - RHEL-08-020210 - - disruption-high - - password - -- name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations." - block: - - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" - pamd: - name: "{{ item }}" - state: before - type: password - control: sufficient - module_path: pam_unix.so - new_type: password - new_control: required - new_module_path: pam_pwhistory.so - with_items: - - "system-auth" - - "password-auth" - - # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent - - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Check for existing password history reuse settings" - command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" - check_mode: no - changed_when: no - failed_when: rhel_08_020220_pw_hist_settings.rc > 1 - register: rhel_08_020220_pw_hist_settings - with_items: - - "system-auth" - - "password-auth" - - # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set" - pamd: - name: "{{ item.item }}" - state: updated - type: password - control: required - module_path: pam_pwhistory.so - module_arguments: - - use_authtok - - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }} - - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }} - with_items: "{{ rhel_08_020220_pw_hist_settings.results }}" - when: item.rc == 1 - when: - - rhel_08_020220 - tags: - - RHEL-08-020220 - - pamd - -- name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: '^#?\s*minlen' - line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}" - when: - - rhel_08_020230 - tags: - - RHEL-08-020230 - - pwquality - -- name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters." 
- lineinfile: - path: /etc/login.defs - regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN' - line: "PASS_MIN_LEN 15" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020231 - tags: - - RHEL-08-020231 - - passwords - -- name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." - block: - - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users" - command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd - changed_when: false - failed_when: false - register: rhel_08_020240_duplicate_uid_users - - - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" - debug: - msg: - - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" - - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" - when: - - rhel_08_020240 - tags: - - RHEL-08-020240 - -- name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts." - block: - - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth" - shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth - changed_when: false - failed_when: false - register: rhel_08_020250_sc_auth_sss - - - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Find pam_sss.so in system-auth" - shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth - changed_when: false - failed_when: false - register: rhel_08_020250_system_auth_sss - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf" - lineinfile: - path: "{{ rhel8stig_sssd_conf }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - owner: root - group: root - mode: 0640 - notify: restart sssd - with_items: - - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' } - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth" - lineinfile: - path: /etc/pam.d/smartcard-auth - line: auth sufficient pam_sss.so try_cert_auth - owner: root - group: root - mode: 0644 - notify: restart sssd - when: rhel_08_020250_sc_auth_sss.stdout | length == 0 - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth" - pamd: - name: /etc/pam.d/smartcard-auth - state: updated - type: auth - control: sufficient - module_path: pam_sss.so - module_arguments: 'try_cert_auth' - notify: restart sssd - when: rhel_08_020250_sc_auth_sss.stdout | length > 0 - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_sss.so if doesn't exist in system-auth" - pamd: - name: /etc/pam.d/system-auth - state: after - type: auth - control: required - module_path: pam_env.so - new_type: auth - new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' - new_module_path: pam_sss.so - module_arguments: try_cert_auth - notify: restart sssd - when: rhel_08_020250_system_auth_sss.stdout | length == 0 - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth" - pamd: - name: /etc/pam.d/system-auth - state: updated - type: auth - control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' - module_path: pam_env.so - module_arguments: try_cert_auth - notify: restart sssd - when: rhel_08_020250_system_auth_sss.stdout | length > 0 - when: - - "'sssd' in ansible_facts.packages" - - rhel8stig_sssd_conf_present.stat.exists - - rhel_08_020250 - tags: - - RHEL-08-020250 - - pamd - -- name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity." - command: useradd -D -f 35 - when: - - rhel_08_020260 - tags: - - RHEL-08-020260 - - useradd - -- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - block: - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" - changed_when: false - failed_when: false - register: rhel_08_020270_system_users - - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." 
- debug: - msg: - - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" - - "{{ rhel_08_020270_system_users.stdout_lines }}" - when: - - rhel_08_020270 - tags: - - RHEL-08-020270 - -- name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*ocredit' - line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020280 - tags: - - RHEL-08-020280 - - pwquality - -- name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." - lineinfile: - path: "{{ rhel8stig_sssd_conf }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - owner: root - group: root - mode: 0640 - with_items: - - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } - when: - - "'sssd' in ansible_facts.packages" - - rhel8stig_sssd_conf_present.stat.exists - - rhel_08_020290 - tags: - - RHEL-08-020290 - - sssd - -- name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*dictcheck' - line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020300 - tags: - - RHEL-08-020300 - - pwquality - -- name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." 
- lineinfile: - dest: /etc/login.defs - regexp: ^#?FAIL_DELAY - line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020310 - tags: - - RHEL-08-020310 - - login - -- name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts." - block: - - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts" - command: "grep '^{{ item }}:' /etc/passwd" - check_mode: no - failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1 - changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0 - register: rhel_08_020320_unnecessary_accounts_found - with_items: "{{ rhel8stig_unnecessary_accounts }}" - - - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts" - user: - name: "{{ item }}" - state: absent - remove: "{{ rhel8stig_remove_unnecessary_user_files }}" - register: rhel_08_020320_accounts_removed - with_items: "{{ rhel8stig_unnecessary_accounts }}" - - - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" - include_tasks: parse_etc_passwd.yml - vars: - rhel8stig_passwd_tasks: "RHEL-08-020320" - when: rhel_08_020320_accounts_removed is changed - when: - - rhel_08_020320 - tags: - - RHEL-08-020320 - -- name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: '(?i)^#?PrintLastLog' - line: 'PrintLastLog yes' - validate: /usr/sbin/sshd -t -f %s - owner: root - group: root - mode: 0644 - notify: restart sshd - when: - - rhel_08_020350 - - rhel8stig_ssh_required - tags: - - RHEL-08-020350 - - ssh - -- name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." 
- lineinfile: - path: /etc/login.defs - regexp: ^#?UMASK.* - line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020351 - tags: - - RHEL-08-020351 - -- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts." - block: - - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files" - find: - paths: /home - patterns: '^\.' - contains: 'umask' - recurse: yes - hidden: yes - use_regex: yes - register: rhel8stig_020352_files - - - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param" - lineinfile: - path: "{{ item.path }}" - regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})" - state: absent - with_items: - - "{{ rhel8stig_020352_files.files }}" - when: rhel8stig_020352_files.matched > 0 - when: - - rhel_08_020352 - tags: - - RHEL-08-020352 - - umask - -- name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells." - replace: - path: "{{ item }}" - regexp: 'umask\s\d\d\d' - replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}" - with_items: - - /etc/bashrc - - /etc/csh.cshrc - when: - - rhel_08_020353 - tags: - - RHEL-08-020353 - - umask - -- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' } - - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' } - - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' } - - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' } - notify: restart auditd - when: - - rhel_08_030000 - tags: - - RHEL-08-030000 - - auditd - -- name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8." - lineinfile: - path: /etc/rsyslog.conf - regexp: '^cron.*' - line: 'cron.* /var/log/cron' - when: - - rhel_08_030010 - tags: - - RHEL-08-030010 - - cron - -- name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^action_mail_acct =' - line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}" - register: rhel_08_030020_action_mail_acct_result - failed_when: - - rhel_08_030020_action_mail_acct_result is failed - - rhel_08_030020_action_mail_acct_result.rc != 257 - when: - - rhel_08_030020 - tags: - - RHEL-08-030020 - - auditd - -- name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure." 
- lineinfile: - path: /etc/aliases - regexp: '^postmaster:' - line: 'postmaster: root' - when: - - rhel_08_030030 - tags: - - RHEL-08-030030 - - aliases - -- name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^disk_error_action =' - line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}" - when: - - rhel_08_030040 - tags: - - RHEL-08-030040 - - auditd - -- name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^max_log_file_action =' - line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" - when: - - rhel_08_030050 - tags: - - RHEL-08-030050 - - auditd - -- name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^disk_full_action =' - line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_030060 - tags: - - RHEL-08-030060 - - auditd - -- name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^local_events =' - line: "local_events = yes" - owner: root - group: root - mode: 0644 - when: - - rhel_08_030061 - tags: - - RHEL-08-030061 - - auditd - -- name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server." 
- lineinfile: - path: /etc/audit/auditd.conf - regexp: '^name_format =' - line: "name_format = hostname" - notify: restart auditd - when: - - rhel_08_030062 - tags: - - RHEL-08-030062 - - auditd - -- name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^log_group =' - line: "log_group = root" - mode: 0600 - when: - - rhel_08_030070 - tags: - - RHEL-08-030070 - -- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " - changed_when: false - failed_when: false - register: rhel8stig_030080_audit_log_file - - - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner" - file: - path: "{{ rhel8stig_030080_audit_log_file.stdout }}" - owner: root - when: rhel8stig_030080_audit_log_file.stdout | length > 0 - when: - - rhel_08_030080 - tags: - - RHEL-08-030080 - -- name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group" - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^log_group' - line: "log_group = root" - when: - - rhel_08_030090 - tags: - - RHEL-08-030090 - -- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. 
| Get audit log directory" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - changed_when: false - failed_when: false - register: rhel_08_030100_audit_log_dir - - - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner" - file: - path: "{{ rhel_08_030100_audit_log_dir.stdout }}" - owner: root - state: directory - when: rhel_08_030100_audit_log_dir.stdout | length > 0 - tags: - - skip_ansible_lint - when: - - rhel_08_030100 - tags: - - RHEL-08-030100 - -- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_030110_audit_log_dir - - - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group" - file: - path: "{{ rhel_08_030110_audit_log_dir.stdout }}" - group: root - state: directory - when: rhel_08_030110_audit_log_dir.stdout | length > 0 - tags: - - skip_ansible_lint - when: - - rhel_08_030110 - tags: - - skip_ansible_lint - - RHEL-08-030110 - -- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. 
| Get audit log directory" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - changed_when: false - failed_when: false - register: rhel_08_030120_audit_log_dir - - - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms" - file: - path: "{{ rhel_08_030120_audit_log_dir.stdout }}" - mode: 0700 - state: directory - when: rhel_08_030120_audit_log_dir.stdout | length > 0 - when: - - rhel_08_030120 - tags: - - RHEL-08-030120 - -- name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-e ' - line: "-e 2" - when: - - rhel_08_030121 - tags: - - RHEL-08-030121 - - auditd - -- name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^--loginuid-' - line: "--loginuid-immutable" - when: - - rhel_08_030122 - tags: - - RHEL-08-030122 - - auditd - -- name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/shadow' - line: '-w /etc/shadow -p wa -k identity' - notify: restart auditd - when: - - rhel_08_030130 - tags: - - RHEL-08-030130 - - auditd - -- name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/security/opasswd' - line: -w /etc/security/opasswd -p wa -k identity - notify: restart auditd - when: - - rhel_08_030140 - tags: - - RHEL-08-030140 - - auditd - -- name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/passwd' - line: -w /etc/passwd -p wa -k identity - notify: restart auditd - when: - - rhel_08_030150 - tags: - - RHEL-08-030150 - - auditd - -- name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/gshadow' - line: -w /etc/gshadow -p wa -k identity - notify: restart auditd - when: - - rhel_08_030160 - tags: - - RHEL-08-030160 - - auditd - -- name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/group' - line: -w /etc/group -p wa -k identity - notify: restart auditd - when: - - rhel_08_030170 - tags: - - RHEL-08-030170 - - auditd - -- name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/sudoers ' - line: -w /etc/sudoers -p wa -k identity - notify: restart auditd - when: - - rhel_08_030171 - tags: - - RHEL-08-030171 - - auditd - -- name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/sudoers.d/' - line: -w /etc/sudoers.d/ -p wa -k identity - notify: restart auditd - when: - - rhel_08_030172 - tags: - - RHEL-08-030172 - - auditd - -- name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." - block: - - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit" - dnf: - name: audit - state: present - - - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service" - service: - name: auditd - enabled: yes - state: started - when: - - rhel_08_030180 - tags: - - rhel_08_030180 - - dnf - - auditd - -- name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' - line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' - notify: restart auditd - when: - - rhel_08_030190 - tags: - - RHEL-08-030190 - - auditd - -- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030200 - tags: - - RHEL-08-030200 - - auditd - -- name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030210 - tags: - - RHEL-08-030210 - - auditd - -- name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030220 - tags: - - RHEL-08-030220 - - auditd - -- name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030230 - tags: - - RHEL-08-030230 - - auditd - -- name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030240 - tags: - - RHEL-08-030240 - - auditd - -- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage - notify: restart auditd - when: - - rhel_08_030250 - tags: - - RHEL-08-030250 - - auditd - -- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030260 - tags: - - RHEL-08-030260 - - auditd - -- name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030270 - tags: - - RHEL-08-030270 - - auditd - -- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh - notify: restart auditd - when: - - rhel_08_030280 - tags: - - RHEL-08-030280 - - auditd - -- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd - notify: restart auditd - when: - - rhel_08_030290 - tags: - - RHEL-08-030290 - - auditd - -- name: | - "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record." - "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - notify: restart auditd - when: - - rhel_08_030300 or - rhel_08_030302 - tags: - - RHEL-08-030300 - - RHEL-08-030302 - - auditd - -- name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - notify: restart auditd - when: - - rhel_08_030301 - tags: - - RHEL-08-030301 - - auditd - -- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030310 - tags: - - RHEL-08-030310 - - auditd - -- name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030311 - tags: - - RHEL-08-030311 - - auditd - -- name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030312 - tags: - - RHEL-08-030312 - - auditd - -- name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030313 - tags: - - RHEL-08-030313 - - auditd - -- name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030314 - tags: - - RHEL-08-030314 - - auditd - -- name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030315 - tags: - - RHEL-08-030315 - - auditd - -- name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030316 - tags: - - RHEL-08-030316 - - auditd - -- name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030317 - tags: - - RHEL-08-030317 - - auditd - -- name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh - notify: restart auditd - when: - - rhel_08_030320 - tags: - - RHEL-08-030320 - - auditd - -- name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030330 - tags: - - RHEL-08-030330 - - auditd - -- name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check - notify: restart auditd - when: - - rhel_08_030340 - tags: - - RHEL-08-030340 - - auditd - -- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd - notify: restart auditd - when: - - rhel_08_030350 - tags: - - RHEL-08-030350 - - auditd - -- name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030360 - tags: - - RHEL-08-030360 - - auditd - -- name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030361 - tags: - - RHEL-08-030361 - - auditd - -- name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030362 - tags: - - RHEL-08-030362 - - auditd - -- name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030363 - tags: - - RHEL-08-030363 - - auditd - -- name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030364 - tags: - - RHEL-08-030364 - - auditd - -- name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030365 - tags: - - RHEL-08-030365 - - auditd - -- name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd - notify: restart auditd - when: - - rhel_08_030370 - tags: - - RHEL-08-030370 - - auditd - -- name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030380 - tags: - - RHEL-08-030380 - - auditd - -- name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030390 - tags: - - RHEL-08-030390 - - auditd - -- name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab - notify: restart auditd - when: - - rhel_08_030400 - tags: - - RHEL-08-030400 - - auditd - -- name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd - notify: restart auditd - when: - - rhel_08_030410 - tags: - - RHEL-08-030410 - - auditd - -- name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030420 - tags: - - RHEL-08-030420 - - auditd - -- name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030430 - tags: - - RHEL-08-030430 - - auditd - -- name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030440 - tags: - - RHEL-08-030440 - - auditd - -- name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030450 - tags: - - RHEL-08-030450 - - auditd - -- name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030460 - tags: - - RHEL-08-030460 - - auditd - -- name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030470 - tags: - - RHEL-08-030470 - - auditd - -- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030480 - tags: - - RHEL-08-030480 - - auditd - -- name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030490 - tags: - - RHEL-08-030490 - - auditd - -- name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030500 - tags: - - RHEL-08-030500 - - auditd - -- name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record." 
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- notify: restart auditd
- when:
- - rhel_08_030510
- tags:
- - RHEL-08-030510
- - auditd
-
-- name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030520
- tags:
- - RHEL-08-030520
- - auditd
-
-- name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- notify: restart auditd
- when:
- - rhel_08_030530
- tags:
- - RHEL-08-030530
- - auditd
-
-- name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- notify: restart auditd
- when:
- - rhel_08_030540
- tags:
- - RHEL-08-030540
- - auditd
-
-- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
- notify: restart auditd
- when:
- - rhel_08_030550
- tags:
- - RHEL-08-030550
- - auditd
-
-- name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod
- notify: restart auditd
- when:
- - rhel_08_030560
- tags:
- - RHEL-08-030560
- - auditd
-
-- name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- notify: restart auditd
- when:
- - rhel_08_030570
- tags:
- - RHEL-08-030570
- - auditd
-
-- name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
- notify: restart auditd
- when:
- - rhel_08_030580
- tags:
- - RHEL-08-030580
- - auditd
-
-- name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -w /var/log/faillock -p wa -k logins
- notify: restart auditd
- when:
- - rhel_08_030590
- tags:
- - RHEL-08-030590
- - auditd
-
-- name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -w /var/log/lastlog -p wa -k logins
- notify: restart auditd
- when:
- - rhel_08_030600
- tags:
- - RHEL-08-030600
- - auditd
-
-- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
- file:
- path: "{{ item }}"
- mode: 0640
- with_items:
- - /etc/audit/rules.d/audit.rules
- - /etc/audit/auditd.conf
- when:
- - rhel_08_030610
- tags:
- - RHEL-08-030610
- - permissions
-
-- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive."
- block:
- - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms"
- shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
- changed_when: false
- failed_when: false
- register: rhel_08_030620_tools
-
- - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. 
| Set permissions to 755 on tools"
- file:
- path: "{{ item }}"
- mode: 0755
- with_items:
- - "{{ rhel_08_030620_tools.stdout_lines }}"
- when:
- - rhel_08_030620
- tags:
- - RHEL-08-030620
- - permissions
-
-- name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root."
- file:
- path: "{{ item }}"
- owner: root
- with_items:
- - /sbin/auditctl
- - /sbin/aureport
- - /sbin/ausearch
- - /sbin/autrace
- - /sbin/auditd
- - /sbin/audisp-remote
- - /sbin/audisp-syslog
- - /sbin/augenrules
- when:
- - rhel_08_030630
- tags:
- - RHEL-08-030630
- - permissions
-
-- name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root."
- file:
- path: "{{ item }}"
- owner: root
- with_items:
- - /sbin/auditctl
- - /sbin/aureport
- - /sbin/ausearch
- - /sbin/autrace
- - /sbin/auditd
- - /sbin/audisp-remote
- - /sbin/audisp-syslog
- - /sbin/augenrules
- when:
- - rhel_08_030640
- tags:
- - RHEL-08-030640
- - permissions
-
-- name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."
- lineinfile:
- path: /etc/aide.conf
- line: "{{ item }}"
- owner: root
- group: root
- mode: 0600
- with_items:
- - "# Audit Tools"
- - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
- - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
- - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
- - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
- - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
- - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
- - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
- - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
- when:
- - rhel_08_030650
- tags:
- - RHEL-08-030650
- - aide
-
-- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."
- block:
- - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition"
- shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
- changed_when: false
- failed_when: false
- register: rhel_08_030660_audit_log_path
-
- - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition"
- shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
- changed_when: false
- failed_when: false
- register: rhel_08_030660_audit_log_partition
-
- - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size"
- debug:
- msg:
- - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"
- - "Path: {{ rhel_08_030660_audit_log_path.stdout }}"
- - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}"
- when:
- - rhel_08_030660
- tags:
- - RHEL-08-030660
-
-- name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed."
- dnf:
- name: rsyslog
- state: present
- when:
- - rhel_08_030670
- tags:
- - RHEL-08-030670
- - rsyslog
-
-- name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed."
- dnf:
- name: gnutls
- state: present
- when:
- - rhel_08_030680
- tags:
- - RHEL-08-030680
- - gnutls
-
-- name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."
- lineinfile:
- path: /etc/rsyslog.conf
- regexp: '^.*\@\@'
- line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}"
- when:
- - rhel_08_030690
- tags:
- - RHEL-08-030690
- - auditd
-
-- name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full."
- lineinfile:
- path: /etc/audit/auditd.conf
- regexp: '^overflow_action ='
- line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}'
- notify: restart auditd
- when:
- - rhel_08_030700
- tags:
- - RHEL-08-030700
- - auditd
-
-- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
- lineinfile:
- path: /etc/rsyslog.conf
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' }
- - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' }
- when:
- - rhel_08_030710
- tags:
- - RHEL-08-030710
- - auditd
-
-- name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs."
- lineinfile:
- path: /etc/rsyslog.conf
- regexp: '^\$ActionSendStreamDriverAuthMode'
- line: "$ActionSendStreamDriverAuthMode x509/name"
- notify: restart auditd
- when:
- - rhel_08_030720
- tags:
- - rhel_08_030720
- - auditd
-
-- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."
- lineinfile:
- path: /etc/audit/auditd.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: '^space_left =', line: 'space_left = 25%' }
- - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' }
- when:
- - rhel_08_030730
- tags:
- - RHEL-08-030730
- - auditd
-
-- name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
- lineinfile:
- path: /etc/chrony.conf
- regexp: '^server'
- line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16'
- notify: restart {{ rhel8stig_time_service }}
- when:
- - rhel_08_030740
- tags:
- - RHEL-08-030740
- - chronyd
-
-- name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed."
- shell: dnf remove abrt*
- failed_when: false
- args:
- warn: false
- when:
- - rhel_08_040001
- tags:
- - RHEL-08-040001
- - dnf
- - abrt
-
-- name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed."
- dnf:
- name: sendmail
- state: absent
- when:
- - rhel_08_040002
- tags:
- - RHEL-08-040002
- - dnf
- - sendmail
-
-- name: |
- "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed."
- "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8."
- dnf:
- name: gssproxy
- state: absent
- when:
- - rhel_08_040003 or
- rhel_08_040370
- tags:
- - RHEL-08-040003
- - RHEL-08-040370
- - dnf
- - gssproxy
-
-- name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use."
- lineinfile:
- path: /etc/modprobe.d/blacklist.conf
- create: yes
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- owner: root
- group: root
- mode: 0640
- insertafter: "{{ item.insertafter }}"
- notify: reboot system
- with_items:
- - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' }
- - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' }
- when:
- - rhel_08_040020
- tags:
- - RHEL-08-040020
- - camera
-
-- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
- block:
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
- block:
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using firewalld"
- shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
- register: rhel8stig_PPSM_CLSA_check_firewalld
- changed_when: false
- failed_when: false
- check_mode: no
- when:
- - rhel_08_040030
- tags:
- - RHEL-08-040030
- - firewall
-
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
- debug:
- msg:
- - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
- - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}"
- changed_when: true
- when:
- - rhel_08_040030
- - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined
- tags:
- - RHEL-08-040030
- - firewall
- when:
- - rhel_08_040030
- - not rhel8stig_system_is_chroot
- - not rhel8stig_system_is_container
- - rhel8stig_firewall_service == "firewalld"
- - rhel8stig_start_firewall_service
- tags:
- - RHEL-08-040030
- - firewall
-
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block"
- block:
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using iptables"
- shell: iptables-save | grep -i accept | grep -i input
- register: rhel8stig_PPSM_CLSA_check_iptables
- changed_when: false
- failed_when: false
- check_mode: no
- when: rhel_08_040030
- tags:
- - RHEL-08-040030
- - firewall
-
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
- debug:
- msg:
- - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}."
- - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}"
- changed_when: true
- when:
- - rhel_08_040030
- - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined
- tags:
- - RHEL-08-040030
- - firewall
- when:
- - rhel_08_040030
- - not rhel8stig_system_is_chroot
- - not rhel8stig_system_is_container
- - rhel8stig_firewall_service == "iptables"
- - rhel8stig_start_firewall_service
- tags:
- - RHEL-08-040030
- - firewall
-
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use"
- debug:
- msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
- changed_when: true
- when:
- - rhel_08_040030
- - not rhel8stig_start_firewall_service
- tags:
- - RHEL-08-040030
- - firewall
- when:
- - rhel_08_040030
- - not rhel8stig_system_is_chroot
- - not rhel8stig_system_is_container
- - rhel8stig_disruptive
- tags:
- - RHEL-08-040030
- - firewall
-
-- name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required."
- block:
- - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error"
- shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
- changed_when: false
- failed_when: false
- register: rhel_08_040070_autofs_status
-
- - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists"
- service:
- name: autofs
- state: stopped
- enabled: no
- when: rhel_08_040070_autofs_status.stdout == "loaded"
- when:
- - rhel_08_040070
- tags:
- - RHEL-08-040070
- - autofs
-
-- name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage."
- lineinfile:
- path: "{{ item.path }}"
- create: yes
- owner: root
- group: root
- mode: 0640
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- insertafter: "{{ item.insertafter }}"
- with_items:
- - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' }
- - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'}
- when:
- - rhel_08_040080
- tags:
- - RHEL-08-040080
- - usb_devices
-
-- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
- block:
- - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. 
| Install firewalld"
- dnf:
- name: firewalld
- state: present
- when: rhel8stig_firewall_service == "firewalld"
-
- - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
- dnf:
- name: iptables-services
- state: present
- when: rhel8stig_firewall_service == "iptables"
- - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
- service:
- name: "{{ rhel8stig_firewall_service }}"
- state: started
- enabled: yes
+- name: "RHEL-08-010000 | HIGH | AUDIT | The RHEL 8 must be a vendor-supported release."
+ debug:
+ msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }}
+ changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=')
 when:
- - rhel_08_040100
+ - rhel_08_010000
 tags:
- - RHEL-08-040100
- - firewall
- - "{{ rhel8stig_firewall_service }}"
+ - RHEL-08-010000
+ - CAT1
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230221r627750_rule
+ - V-230221
-- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
+- name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
 block:
- - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Set new zone"
- firewalld:
- zone: "{{ rhel8stig_custom_firewall_zone }}"
- permanent: true
+ - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
+ dnf:
+ name: dracut-fips
 state: present
+ notify: rebuild initramfs
+ when:
+ - not ansible_fips
- - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh"
- firewalld:
- zone: "{{ rhel8stig_custom_firewall_zone }}"
- permanent: true
- state: enabled
- service: "{{ item }}"
- with_items:
- - "{{ rhel8stig_white_list_services }}"
-
- - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
- command: firewall-cmd --reload
- changed_when: rhel_08_040090_zone_reload.rc == 0
- failed_when: rhel_08_040090_zone_reload.rc >= 2
- register: rhel_08_040090_zone_reload
-
- - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Set new zone as default"
- command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
- changed_when: rhel_08_040090_default_zone_set.rc == 0
- failed_when: rhel_08_040090_default_zone_set.rc >= 2
- register: rhel_08_040090_default_zone_set
- when:
- - rhel_08_040090
- tags:
- - RHEL-08-040090
- - firewall
+ - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel"
+ command: fips-mode-setup --enable
+ register: rhel_08_010020_kernel_fips_enable
+ changed_when: rhel_08_010020_kernel_fips_enable.rc == 0
+ when:
+ - not ansible_fips
-- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
- block:
- - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
- command: rpm -q NetworkManager
+ - name: "RHEL-08-010020 | HIGH | AUDIT | Check if prelink package is installed"
+ command: rpm -q prelink
 args:
 warn: no
- check_mode: no
 changed_when: no
- register: rhel_08_nmcli_available
 failed_when: no
-
- - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
- command: nmcli radio wifi
- args:
- warn: no
- register: rhel_08_wifi_enabled
 check_mode: no
- changed_when: rhel_08_wifi_enabled.stdout != "disabled"
- when: rhel_08_nmcli_available.rc == 0
-
- - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. 
| Disable wifi if enabled"
- command: nmcli radio wifi off
- when: rhel_08_wifi_enabled is changed
- when:
- - rhel_08_040110
- tags:
- - RHEL-08-040110
- - wifi
-
-- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled."
- lineinfile:
- path: /etc/modprobe.d/bluetooth.conf
- regexp: '^install bluetooth '
- line: "install bluetooth /bin/true"
- create: yes
- owner: root
- group: root
- mode: 0640
- notify: reboot system
- when:
- - rhel_08_040111
- tags:
- - RHEL-08-040111
- - bluetooth
-
-- name: |
- "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
- "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
- "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
- block:
- - name: |
- "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option."
- "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option."
- "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option."
- shell: mount | grep /dev/shm
- args:
- warn: no
- changed_when: false
- failed_when: false
- register: rhel8stig_040120_dev_shm_status
+ register: rhel_08_010020_prelink_installed
-
- - name: |
- "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
- "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
- "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option." 
- mount:
- path: /dev/shm
- state: mounted
- src: tmpfs
- fstype: tmpfs
- opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}"
- when: rhel8stig_040120_dev_shm_status.stdout | length > 0
- when:
- - rhel_08_040120 or
- rhel_08_040121 or
- rhel_08_040122
- tags:
- - RHEL-08-040120
- - RHEL-08-040121
- - RHEL-08-040122
- - mounts
+ - name: "RHEL-08-010020 | HIGH | PATCH | Disable prelinking."
+ lineinfile:
+ dest: /etc/sysconfig/prelink
+ regexp: ^#?PRELINKING
+ line: PRELINKING=no
+ when: rhel_08_010020_prelink_installed.rc == 0
+ notify: undo existing prelinking
+
+ - name: "RHEL-08-010020 | HIGH | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub"
+ command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub
+ check_mode: no
+ failed_when: no
+ changed_when: rhel_08_010020_default_grub_missing_audit.rc > 0
+ register: rhel_08_010020_default_grub_missing_audit
-- name: |
- "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
- "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
- "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
- block:
- - name: |
- "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option."
- "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option."
- "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option." 
- shell: mount | grep /tmp
- changed_when: false
- failed_when: false
- register: rhel8stig_040123_dev_status
+ - name: "RHEL-08-010020 | HIGH | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline"
+ command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline
+ check_mode: no
+ changed_when: no
+ failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1
+ when: rhel_08_010020_default_grub_missing_audit is changed
+ register: rhel_08_010020_grub_cmdline_linux_audit
- - name: |
- "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
- "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
- "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
- mount:
- path: /tmp
- state: mounted
- src: "{{ tmp_mount.device }}"
- fstype: xfs
- opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}"
+ - name: "RHEL-08-010020 | HIGH | PATCH | Copy over a sane /etc/default/grub"
+ template:
+ src: etc_default_grub.j2
+ dest: /etc/default/grub
+ owner: root
+ group: root
+ mode: 0644
 vars:
- tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}"
- when: rhel8stig_040123_dev_status.stdout | length > 0
-
- when:
- - rhel_08_040123 or
- rhel_08_040124 or
- rhel_08_040125
- tags:
- - RHEL-08-040123
- - RHEL-08-040124
- - RHEL-08-04125
- - mounts
-
-- name: |
- "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
- "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
- "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
- block:
- - name: |
- "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
- "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." 
- "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
- shell: mount | grep /var/log
- changed_when: false
- failed_when: false
- register: rhel8stig_040126_var_log_status
+ grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}"
+ when: rhel_08_010020_default_grub_missing_audit is changed
- - name: |
- "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
- "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
- "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
- mount:
- path: /var/log
- state: mounted
- src: "{{ var_log_mount.device }}"
- fstype: xfs
- opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}"
+ - name: "RHEL-08-010020 | HIGH | PATCH | fips=1 must be in /etc/default/grub"
+ replace:
+ path: /etc/default/grub
+ regexp: "{{ rhel8stig_regexp_quoted_params }}"
+ replace: "{{ rhel8stig_replace_quoted_params }}"
 vars:
- var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}"
- when: rhel8stig_040126_var_log_status.stdout | length > 0
- when:
- - rhel_08_040126 or
- rhel_08_040127 or
- rhel_08_040128
- tags:
- - RHEL-08-040126
- - RHEL-08-040127
- - RHEL-08-040128
- - mounts
-
-- name: |
- "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
- "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
- "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
- block:
- - name: |
- "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option."
- "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option."
- "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option." 
- shell: mount | grep /var/log/audit - changed_when: false - failed_when: false - register: rhel8stig_040129_var_log_audit_status + key: GRUB_CMDLINE_LINUX + param: fips + value: 1 + append: yes # this is the default + when: + - not ansible_check_mode or + rhel_08_010020_default_grub_missing_audit is not changed + notify: + - confirm grub2 user cfg - - name: | - "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option." - "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option." - "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option." - mount: - path: /var/log/audit - state: mounted - src: "{{ audit_mount.device }}" - fstype: xfs - opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}" + - name: "RHEL-08-010020 | HIGH | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." 
+ replace: + path: /etc/default/grub + regexp: "{{ rhel8stig_regexp_quoted_params }}" + replace: "{{ rhel8stig_replace_quoted_params }}" + with_items: + - "{{ ansible_mounts | json_query(query) }}" vars: - audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}" - when: rhel8stig_040129_var_log_audit_status.stdout | length > 0 - when: - - rhel_08_040129 or - rhel_08_040130 or - rhel_08_040131 - tags: - - RHEL-08-040129 - - RHEL-08-040130 - - RHEL-08-040131 - - mounts + query: "[?mount=='{{ rhel8stig_boot_part }}'] | [0]" + key: GRUB_CMDLINE_LINUX + param: boot + value: UUID={{ item.uuid }} + insert: yes + when: + - rhel8stig_boot_part not in ['/', ''] + - not ansible_check_mode or + rhel_08_010020_default_grub_missing_audit is not changed + notify: confirm grub2 user cfg + register: result + + - name: "RHEL-08-010020 | HIGH | AUDIT | Verify kernel parameters in /etc/default/grub" + command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub + check_mode: no + with_items: + - fips=1 + - boot=UUID={{ ansible_mounts | json_query(query) }} + vars: + query: "[?mount=='{{ rhel8stig_boot_part }}'].uuid | [0]" + register: rhel_08_010020_audit + when: + - not ansible_check_mode or + rhel_08_010020_default_grub_missing_audit is not changed + - rhel8stig_boot_part not in ['/', ''] or + 'boot=' not in item + changed_when: + - ansible_check_mode + - rhel_08_010020_audit is failed + failed_when: + - rhel_08_010020_audit is failed + - not ansible_check_mode or + rhel_08_010020_audit.rc > 1 + when: rhel_08_010020 + tags: + - RHEL-08-010020 + - CAT1 + - CCI-000068 + - SRG-OS-000033-GPOS-00014 + - SV-230223r627750_rule + - V-230223 - name: | - "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" - "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option." - "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option." 
+ "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." + "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." block: - name: | - "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option" - "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option." - "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option." - shell: mount | grep /var/tmp - changed_when: false - failed_when: false - register: rhel8stig_040132_var_tmp_status - - - name: | - "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" - "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option." - "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option." - mount: - path: /var/tmp - state: mounted - src: "{{ var_tmp_mount.device }}" - fstype: xfs - opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}" - vars: - var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}" - when: rhel8stig_040132_var_tmp_status.stdout | length > 0 - when: - - rhel_08_040132 or - rhel_08_040133 or - rhel_08_040134 - tags: - - RHEL-08-040132 - - RHEL-08-040133 - - RHEL-08-040134 - - mounts - -- name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." - block: - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Install fapolicy" - dnf: - name: fapolicyd - state: present - - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" - shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts - changed_when: false - failed_when: false - - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy" - service: - name: fapolicyd - state: started - enabled: yes - - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " + "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" + "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" lineinfile: - path: /etc/fapolicyd/fapolicyd.rules - line: "{{ item }}" - with_items: - - "{{ rhel8stig_fapolicy_white_list }}" + path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg" + create: yes + regexp: ^GRUB2_PASSWORD= + line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}" + owner: root + group: root + mode: 0640 + notify: confirm grub2 user cfg - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy permissive 0" + - name: | + "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers" + "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers" lineinfile: - path: /etc/fapolicyd/fapolicyd.conf - regexp: '^permissive =' - line: 'permissive = 0' + dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" + regexp: '^set superusers' + line: 'set superusers="{{ rhel8stig_boot_superuser }}"' + insertafter: '### BEGIN /etc/grub.d/01_users ###' + notify: confirm grub2 user cfg when: - - rhel_08_040135 - tags: - - RHEL-08-040135 - - fapolicyd - -- name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." - block: - - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" - dnf: - name: usbguard - state: present - - - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service" - service: - name: usbguard - state: started - enabled: yes - when: - - rhel_08_040140 - tags: - - RHEL-08-040140 - - usbguard + - not system_is_ec2 + - rhel_08_010140 or + rhel_08_010150 + tags: + - RHEL-08-010140 + - RHEL-08-010150 + - CAT1 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-230234r627750_rule + - SV-230235r627750_rule + - V-230234 + - V-230235 + - grub + - bootloader -- name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." 
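Review bot: The `GRUB2_PASSWORD=` line in the "Set Grub Password" task is written straight from `rhel8stig_bootloader_password_hash` with no check that the value is actually a `grub.pbkdf2.sha512.…` hash, so an undefined, empty or plaintext variable lands in user.cfg and the boot-time password prompt either protects nothing or breaks booting of the protected entries. Add an assert ahead of the lineinfile: `assert: { that: "rhel8stig_bootloader_password_hash is match('^grub\\.pbkdf2\\.sha512\\.')", fail_msg: "rhel8stig_bootloader_password_hash must be a grub2-mkpasswd-pbkdf2 hash" }`. The second task inserts `set superusers=` into the generated `grub.cfg` with lineinfile; that file is rebuilt by grub2-mkconfig, so if the `confirm grub2 user cfg` handler (not visible here) regenerates it the line is lost — the durable place for this is the `/etc/grub.d/01_users` stub that reads user.cfg, or at minimum a comment stating that grub.cfg is expected to be regenerated afterwards.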
+- name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." block: - - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" - dnf: - name: nftables - state: present - - - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables" - service: - name: nftables - state: started - enabled: yes - - - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" + - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Dnf Default" lineinfile: - path: /etc/firewalld/firewalld.conf - regexp: '^FirewallBackend=' - line: 'FirewallBackend=nftables' - when: - - rhel_08_040150 - tags: - - RHEL-08-040150 - - firewall - - nftables - -- name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." - block: - - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" - dnf: - name: openssh-server - state: present - - - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" - service: - name: sshd - state: started - enabled: yes - when: - - rhel_08_040160 - tags: - - rhel_08_040160 - - ssh - -- name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?RekeyLimit' - line: 'RekeyLimit 1G 1h' - notify: restart sshd - when: - - rhel_08_040161 - tags: - - RHEL-08-040161 - - sshd - -- name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." - lineinfile: - path: /etc/ssh/ssh_config - regexp: '(?i)^#?RekeyLimit' - line: 'RekeyLimit 1G 1h' - notify: restart sshd - when: - - rhel_08_040162 - tags: - - RHEL-08-040162 - - sshd - -- name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." 
- systemd: - name: debug-shell.service - state: stopped - enabled: no - masked: yes - daemon_reload: yes - when: - - rhel_08_040180 - tags: - - RHEL-08-040180 - - debug-shell + path: /etc/dnf/dnf.conf + regexp: '^gpgcheck=' + line: gpgcheck=1 + + - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos" + find: + paths: /etc/yum.repos.d + pattern: '*.repo' + register: rhel_08_010370_repos_files_list_full -- name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." - block: - - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - with_items: - - net.ipv4.conf.default.accept_redirects - - net.ipv6.conf.default.accept_redirects + - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Flatten result" + set_fact: + rhel_08_010370_repos_files_list: "{{ rhel_08_010370_repos_files_list_full.files | map(attribute='path') | flatten }}" - - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
| Set accpet_redirects default value to 0" + - name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Set gpgcheck" lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + path: "{{ item }}" + regexp: '^gpgcheck' + line: gpgcheck=1 with_items: - - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } - - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } - when: - - rhel_08_040210 - tags: - - RHEL-08-040210 - - icmp - -- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." - block: - - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects in sysctl" - sysctl: - name: net.ipv4.conf.all.send_redirects - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - - - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.all.send_redirects' - line: 'net.ipv4.conf.all.send_redirects=0' - when: - - rhel_08_040220 - tags: - - RHEL-08-040220 - - icmp - -- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." - block: - - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
| Set echo_ignore_broadcast in sysctl" - sysctl: - name: net.ipv4.icmp_echo_ignore_broadcasts - state: present - value: '1' - reload: "{{ rhel8stig_sysctl_reload }}" - - - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast default value to 1" - lineinfile: - name: /etc/sysctl.conf - regexp: '^net.ipv4.icmp_echo_ignore_broadcasts' - line: 'net.ipv4.icmp_echo_ignore_broadcasts=1' + - "{{ rhel_08_010370_repos_files_list }}" when: - - rhel_08_040230 + - rhel_08_010370 tags: - - RHEL-08-040230 - - icmp - -- name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets." - block: - - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - with_items: - - net.ipv4.conf.all.accept_source_route - - net.ipv6.conf.all.accept_source_route + - RHEL-08-010370 + - CAT1 + - CCI-001749 + - SRG-OS-000366-GPOS-00153 + - SV-230264r627750_rule + - V-230264 + - yum - - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. 
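Review bot: The "Set gpgcheck" task uses `lineinfile` with `regexp: '^gpgcheck'` on each `.repo` file, but lineinfile rewrites only the last matching line (and appends a single line when nothing matches), so a repo file carrying several `[section]`s keeps every other `gpgcheck=0` — the exact condition this control is meant to eliminate. Use `replace` over the whole file (`regexp: '^gpgcheck\s*=.*$'`, `replace: 'gpgcheck=1'`) and keep lineinfile only for files that have no `gpgcheck` key at all, or drive the setting per section with `ini_file`. The first task in the block also edits `/etc/dnf/dnf.conf` yet is named `AUDIT`; label it `PATCH` so name/tag-based filtering of audit-only runs stays honest.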
| Set conf.all accept_source_route default value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } - - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } +- name: "RHEL-08-010371 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." + lineinfile: + path: /etc/dnf/dnf.conf + regexp: '^localpkg_gpgcheck=' + line: localpkg_gpgcheck=True when: - - rhel_08_040240 + - rhel_08_010371 tags: - - RHEL-08-040240 - - icmp - -- name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default." - block: - - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - with_items: - - net.ipv4.conf.default.accept_source_route - - net.ipv6.conf.default.accept_source_route + - RHEL-08-010371 + - CAT1 + - CCI-001749 + - SRG-OS-000366-GPOS-00153 + - SV-230265r627750_rule + - V-230265 + - dnf - - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. 
| Set conf.default accept_source_route value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } - - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } +- name: "RHEL-08-010460 | HIGH | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system." + file: + path: /etc/ssh/shosts.equiv + state: absent when: - - rhel_08_040250 + - rhel_08_010460 tags: - - RHEL-08-040250 - - icmp + - RHEL-08-010460 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230283r627750_rule + - V-230283 + - shosts -- name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router." +- name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system." block: - - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - with_items: - - net.ipv4.ip_forward - - net.ipv6.conf.all.forwarding + - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files" + find: + path: '/' + recurse: yes + patterns: '*.shosts' + register: rhel_08_010470_shost_files - - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. 
| Remove .shosts files" + file: + path: "{{ item.path }}" + state: absent with_items: - - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' } - - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' } - - when: - - rhel_08_040260 - - not rhel8stig_system_is_router - tags: - - RHEL-08-040260 - - icmp - -- name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces." - block: - - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra in sysctl" - sysctl: - name: net.ipv6.conf.all.accept_ra - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - - - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv6.conf.all.accept_ra' - line: 'net.ipv6.conf.all.accept_ra=0' - when: - - rhel_08_040261 - - not rhel8stig_system_is_router - tags: - - RHEL-08-040261 - - icmp - -- name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default." - block: - - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra in sysctl" - sysctl: - name: net.ipv6.conf.default.accept_ra - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - - - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. 
| Set accept_ra to value 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv6.conf.default.accept_ra' - line: 'net.ipv6.conf.default.accept_ra=0' + - "{{ rhel_08_010470_shost_files.files }}" when: - - rhel_08_040262 - - not rhel8stig_system_is_router + - rhel_08_010470 tags: - - RHEL-08-040262 - - icmp + - RHEL-08-010470 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230284r627750_rule + - V-230284 + - shosts -- name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." - block: - - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl" - sysctl: - name: net.ipv4.conf.default.send_redirects - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" - - - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.default.send_redirects' - line: 'net.ipv4.conf.default.send_redirects=0' +- name: "RHEL-08-010820 | HIGH | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed." + lineinfile: + path: /etc/gdm/custom.conf + regexp: (?i)automaticloginenable + line: AutomaticLoginEnable=false + insertafter: '\[daemon\]' when: - - rhel_08_040270 + - rhel8stig_gui + - rhel_08_010820 tags: - - RHEL-08-040270 - - icmp + - RHEL-08-010820 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00229 + - SV-230329r627750_rule + - V-230329 -- name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." +- name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." 
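Review bot: The "Find .shosts files" task will never match anything, because Ansible's `find` ignores dot-files unless `hidden: yes` is set and `.shosts` is a dot-file; as written the control reports compliance while leaving every `.shosts` in place. Add `hidden: yes` and `file_type: file` under `find`, and consider feeding `paths` from the local `ansible_mounts` entries (xfs/ext4) instead of recursing from `/`, which walks /proc, /sys and any network mount on every run. The pattern `'*.shosts'` does match a bare `.shosts` (the glob `*` matches the empty string), so only the hidden-file flag is missing.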
block: - - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" - sysctl: - name: "{{ item }}" - state: present - value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok" + replace: + path: "{{ item }}" + regexp: ' nullok' + replace: '' with_items: - - net.ipv4.conf.all.accept_redirects - - net.ipv6.conf.all.accept_redirects + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth - - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" + - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Set PermitEmptyPasswords to no" lineinfile: - path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } - - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } - when: - - rhel_08_040280 - tags: - - RHEL-08-040280 - - icmp - -- name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.unprivileged_bpf_disabled' - line: 'kernel.unprivileged_bpf_disabled = 1' - owner: root - group: root - mode: 0640 - notify: sysctl system - when: - - rhel_08_040281 - tags: - - RHEL-08-040281 - - sysctl - -- name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." 
- lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.yama.ptrace_scope' - line: 'kernel.yama.ptrace_scope = 1' - notify: sysctl system - when: - - rhel_08_040282 - tags: - - RHEL-08-040282 - - sysctl - -- name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.kptr_restrict' - line: 'kernel.kptr_restrict = 1' - owner: root - group: root - mode: 0640 - notify: sysctl system - when: - - rhel_08_040283 - tags: - - RHEL-08-040283 - - sysctl - -- name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^user.max_user_namespaces' - line: 'user.max_user_namespaces = 0' - notify: sysctl system - when: - - rhel_08_040284 - tags: - - RHEL-08-040284 - - sysctl - -- name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^net.ipv4.conf.all.rp_filter' - line: 'net.ipv4.conf.all.rp_filter = 1' - notify: sysctl system - when: - - rhel_08_040285 - tags: - - RHEL-08-040285 - - sysctl - -- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." - block: - - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." - command: rpm -q postfix - failed_when: no - check_mode: no - changed_when: no - register: rhel_08_040290_rpm_audit - - - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. 
| Set restriction" - command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" - check_mode: no - when: '"postfix-" in rhel_08_040290_rpm_audit.stdout' - when: - - rhel_08_040290 - tags: - - RHEL-08-040290 - -- name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." - package: - name: xorg-x11-server-common - state: absent - when: - - rhel_08_040320 - - not rhel8stig_gui - -- name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." - block: - - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" - shell: "ip link | grep -i promisc | cut -d ':' -f 2" - check_mode: no - failed_when: no - changed_when: rhel_08_040670_promisc_check.stdout != '' - ignore_errors: yes - register: rhel_08_040670_promisc_check - - - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" - shell: "ip link set dev {{ item }} promisc off" - with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" - when: - - rhel_08_040330 - - not rhel8stig_net_promisc_mode_required - tags: - - RHEL-08-040330 - -- name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?X11Forwarding' - line: 'X11Forwarding no' - create: yes - owner: root - group: root - mode: 0640 - notify: restart sshd - when: - - rhel_08_040340 - - rhel8stig_ssh_required - tags: - - RHEL-08-040340 - - ssh - -- name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display." 
- lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?X11UseLocalhost' - line: 'X11UseLocalhost yes' - when: - - rhel_08_040341 - tags: - - RHEL-08-040341 - - ssh - -- name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." - lineinfile: - path: /etc/xinetd.d/tftp - regexp: "(?i)^.*server_args.*=" - line: "\tserver_args\t\t= -s /var/lib/tftpboot" - insertafter: "\tserver\t\t\t=" - state: present - register: result - failed_when: - - result is failed - - result.rc != 257 + path: /etc/ssh/sshd_config + regexp: '(?i)^#?PermitEmptyPasswords' + line: 'PermitEmptyPasswords no' + notify: restart sshd when: - - rhel_08_040350 - - rhel8stig_tftp_required + - rhel_08_020330 + - rhel8stig_disruption_high tags: - - skip_ansible_lint - - RHEL-08-040350 - - tftp + - RHEL-08-020330 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230380r627750_rule + - V-230380 + - disruption_high -- name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." +- name: "RHEL-08-040000 | HIGH | PATCH | RHEL 8 must not have the telnet-server package installed." dnf: - name: iprutils + name: telnet-server state: absent when: - - rhel_08_040380 + - rhel_08_040000 + - - "'telnet-server' in ansible_facts.packages" tags: - - RHEL-08-040380 - - iprutils + - RHEL-08-040000 + - CAT1 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230487r627750_rule + - V-230487 -- name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8." +- name: "RHEL-08-040010 | HIGH | PATCH | RHEL 8 must not have the rsh-server package installed." 
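Review bot: The `PermitEmptyPasswords no` lineinfile appends at the end of `/etc/ssh/sshd_config` when no `#?PermitEmptyPasswords` line exists, and anything appended after a `Match` block is scoped to that block rather than applied globally, so the setting can silently cover only one match group. Add `insertbefore: '^Match'` with `firstmatch: yes` (lineinfile still falls back to EOF when there is no Match block) and `validate: '/usr/sbin/sshd -t -f %s'` so a malformed file never reaches the `restart sshd` handler. The `nullok` removal edits `/etc/pam.d/system-auth` and `password-auth` in place; on RHEL 8 these are presumably authselect-managed, so a later `authselect apply-changes` may reintroduce the option — likely why the block is gated on `rhel8stig_disruption_high`, but a comment saying so would help the next maintainer.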
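Review bot: The `when:` list of RHEL-08-040000 contains a nested list (`- - "'telnet-server' in ansible_facts.packages"`) where the sibling RHEL-08-040010 lists the same condition flat; Ansible expects each `when` entry to be a string or boolean, so this task errors out (or evaluates the wrong thing) and telnet-server is never removed. Change it to `- "'telnet-server' in ansible_facts.packages"` to match 040010. Both tasks depend on `ansible_facts.packages`, which exists only after `package_facts` has run earlier in the role; if that is not guaranteed, the condition raises an undefined-variable error rather than skipping.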
dnf: - name: tuned + name: rsh-server state: absent when: - - rhel_08_040390 - tags: - - RHEL-08-040390 - - tuned + - rhel_08_040010 + - "'rsh-server' in ansible_facts.packages" + tags: + - RHEL-08-040010 + - CAT1 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230492r627750_rule + - V-230492 + + + + +# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." +# dnf: +# name: "*" +# state: latest +# when: +# - not system_is_ec2 +# - rhel_08_010010 +# tags: +# - RHEL-08-010010 + +# - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." +# block: +# - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout" +# command: lsblk +# changed_when: false +# failed_when: false +# register: rhel_08_010030_partition_layout + +# - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning" +# debug: +# msg: +# - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm' +# - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding" +# - "{{ rhel_08_010030_partition_layout.stdout_lines }}" + +# when: rhel_08_010030 +# tags: +# - RHEL-08-010030 + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." 
+# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" +# block: +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^#?Banner' +# line: 'Banner /etc/issue' + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" +# copy: +# dest: "{{ item }}" +# content: "{{ rhel8stig_logon_banner }}" +# owner: root +# group: root +# mode: '0644' +# notify: restart sshd +# with_items: +# - /etc/issue +# - /etc/issue.net +# when: +# # - not system_is_ec2 +# - rhel_08_010040 or +# rhel_08_010060 +# tags: +# - RHEL-08-010040 +# - RHEL-08-010060 + +# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." 
+# copy: +# dest: /etc/dconf/db/local.d/01-banner-message +# content: | +# [org/gnome/login-screen] +# banner-message-enable=true +# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' +# mode: '0644' +# owner: root +# group: root +# vars: +# newline: "\n" +# notify: dconf update +# when: +# - rhel_08_010050 +# - "'dconf' in ansible_facts.packages" +# - rhel8stig_always_configure_dconf + +# tags: +# - RHEL-08-010050 + +# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." +# lineinfile: +# path: /etc/rsyslog.d/50-default.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# create: yes +# mode: '0644' +# notify: restart rsyslog +# with_items: +# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } +# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } +# when: +# - rhel_08_010070 +# tags: +# - RHEL-08-010070 + +# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." +# block: +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" +# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem +# changed_when: false +# failed_when: false +# register: rhel_08_010090_certs_list + +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. 
| Message out certs" +# debug: +# msg: +# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" +# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" +# - "{{ rhel_08_010090_certs_list.stdout_lines }}" +# when: +# - rhel_08_010090 +# tags: +# - RHEL-08-010090 + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." +# block: +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" +# file: +# path: "{{ rhel8stig_path_to_sshkey }}" +# state: directory +# mode: '0700' + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" +# openssh_keypair: +# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" +# when: +# - rhel_08_010100 +# tags: +# - RHEL-08-010100 + +# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." +# lineinfile: +# path: /etc/login.defs +# regexp: '^ENCRYPT_METHOD.*' +# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" +# when: +# - rhel_08_010110 +# tags: +# - RHEL-08-010110 +# - login + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." +# block: +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" +# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" 
| grep -v ":$6$" | cut -f1 -d:' +# changed_when: false +# failed_when: false +# register: rhel_08_010120_non_fips_hashed_accounts + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" +# command: "passwd -l {{ item }}" +# args: +# warn: no +# with_items: +# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 + +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" +# debug: +# msg: +# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" +# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - not rhel8stig_disruption_high +# - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 +# when: +# - rhel_08_010120 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010120 +# - disruption_high + +# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" +# pamd: +# name: "{{ item }}" +# type: password +# control: sufficient +# module_path: pam_unix.so +# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" +# state: args_present +# with_items: +# - password-auth +# - system-auth +# when: +# - rhel_08_010130 +# tags: +# - RHEL-08-010130 + +# - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." 
+# lineinfile: +# path: /usr/lib/systemd/system/rescue.service +# regexp: '^ExecStart=' +# line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" +# create: yes +# owner: root +# group: root +# mode: 0644 + +# when: +# - rhel_08_010151 +# tags: +# - RHEL-08-010151 +# - systemd + +# - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument" +# pamd: +# name: "{{ item }}" +# type: password +# control: sufficient +# module_path: pam_unix.so +# module_arguments: sha512 +# state: args_present +# with_items: +# - password-auth +# - system-auth +# when: +# - rhel_08_010160 +# tags: +# - RHEL-08-010160 + +# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." +# block: +# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" +# find: +# path: / +# patterns: '*.keytab' +# recurse: yes +# register: rhel8stig_010161_keytab_files + +# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files" +# file: +# path: "{{ item.path }}" +# state: absent +# with_items: +# - "{{ rhel8stig_010161_keytab_files.files }}" +# when: rhel8stig_010161_keytab_files.matched > 0 +# when: +# - rhel_08_010161 +# tags: +# - RHEL-08-010161 +# - kerberos + +# - name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8." +# dnf: +# name: krb5-workstation +# state: absent +# when: +# - rhel_08_010162 +# tags: +# - RHEL-08-010162 +# - kerberos + +# - name: | +# "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services." +# "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." 
+# selinux: +# state: enforcing +# policy: targeted +# check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" +# notify: reboot system +# when: +# - rhel_08_010170 or rhel_08_010450 +# - not rhel8stig_system_is_container +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010170 +# - RHEL-08-010450 +# - selinux +# - disruption_high + +# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources." +# block: +# - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root" +# shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'" +# changed_when: false +# failed_when: false +# register: rhel_08_010180_public_not_root_owned + +# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders" +# file: +# path: "{{ item }}" +# owner: root +# group: root +# with_items: +# - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}" +# when: +# - rhel_08_010180 +# tags: +# - RHEL-08-010180 + +# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." +# block: +# - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" +# shell: "find / -type d \\( -perm -0002 -a ! 
-perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" +# changed_when: false +# failed_when: false +# register: rhel_08_010190_world_writable_files + +# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" +# file: +# path: "{{ item }}" +# mode: '1777' +# with_items: +# - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" +# when: +# - rhel_08_010190 +# tags: +# - RHEL-08-010190 + +# - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# notify: restart sshd +# with_items: +# - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} +# - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } +# when: +# - rhel_08_010200 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010200 +# - ssh + +# - name: | +# "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." +# "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." +# "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." +# file: +# path: /var/log/messages +# owner: root +# group: root +# mode: '0640' +# when: +# - rhel_08_010210 or +# rhel_08_010220 or +# rhel_08_010230 +# tags: +# - RHEL-08-010210 +# - RHEL-08-010220 +# - RHEL-08-010230 + +# - name: | +# "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." 
+# "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." +# "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." +# file: +# path: /var/log +# owner: root +# group: root +# mode: '0755' +# when: +# - rhel_08_010240 or +# rhel_08_010250 or +# rhel_08_010260 +# tags: +# - RHEL-08-010240 +# - RHEL-08-010250 +# - RHEL-08-010260 + +# - name: | +# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." +# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" +# block: +# - name: | +# "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" +# "MEDIUM | RHEL-08-010291 | AUDIT | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Get current FIPS mode state" +# command: fips-mode-setup --check +# changed_when: false +# failed_when: false +# register: rhel_08_010290_pre_fips_check + +# - name: | +# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. 
| Enable FIPS" +# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Enable FIPS" +# command: fips-mode-setup --enable +# register: rhel_08_010290_fips_enable +# notify: reboot system +# when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' + +# - name: | +# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" +# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Add ssh ciphers" +# lineinfile: +# path: "{{ item.path }}" +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# notify: reboot system +# with_items: +# - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } +# - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } +# when: +# - rhel_08_010290 or +# rhel_08_010291 +# tags: +# - RHEL-08-010290 +# - RHEL-08-010291 +# - fips + +# - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." +# block: +# - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" +# command: fips-mode-setup --check +# changed_when: false +# failed_when: false +# register: rhel_08_010293_pre_fips_check + +# - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. 
| Enable FIPS" +# command: fips-mode-setup --enable +# register: rhel_08_010290_fips_enable +# notify: reboot system +# when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' +# when: +# - rhel_08_010293 +# tags: +# - RHEL-08-010293 +# - fips + +# - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." +# lineinfile: +# path: /etc/crypto-policies/back-ends/opensslcnf.config +# regexp: '^MinProtocol =' +# line: "MinProtocol = TLSv1.2" +# notify: reboot system +# when: +# - rhel_08_010294 +# tags: +# - RHEL-08-010294 +# - openssl + +# - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" +# lineinfile: +# path: /etc/crypto-policies/back-ends/gnutls.config +# regexp: '^(.*\+VERS-ALL:)' +# line: '\1{{ rhel8stig_gnutls_encryption }}' +# backrefs: true +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: reboot system +# when: +# - rhel_08_010295 +# tags: +# - RHEL-08-010295 +# - gnutls + +# - name: | +# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." +# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." +# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." +# block: +# - name: | +# "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" +# "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" +# "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" +# shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! 
-group root" +# args: +# warn: no +# changed_when: false +# failed_when: false +# register: rhel_08_010300_commands + +# - name: | +# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" +# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" +# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. | Set permissions" +# file: +# path: "{{ item }}" +# owner: root +# group: root +# mode: '0755' +# force: yes +# with_items: +# - "{{ rhel_08_010300_commands.stdout_lines }}" +# when: +# - rhel_08_010300 or +# rhel_08_010310 or +# rhel_08_010320 +# tags: +# - RHEL-08-010300 +# - RHEL-08-010310 +# - RHEL-08-010320 + +# - name: | +# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." +# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." +# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root." +# block: +# - name: | +# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" +# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" +# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" +# shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" +# args: +# warn: no +# changed_when: false +# failed_when: false +# register: rhel_08_010330_library_files + +# - name: | +# "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" +# "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. 
| Get library files not owned by root" +# "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" +# file: +# path: "{{ item }}" +# owner: root +# group: root +# mode: '0755' +# with_items: +# - "{{ rhel_08_010330_library_files.stdout_lines }}" +# when: +# - rhel_08_010330 or +# rhel_08_010340 or +# rhel_08_010350 +# tags: +# - RHEL-08-010330 +# - RHEL-08-010340 +# - RHEL-08-010350 + +# - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." +# cron: +# name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' +# user: "{{ rhel8stig_aide_cron.user }}" +# cron_file: "{{ rhel8stig_aide_cron.cron_file }}" +# job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" +# minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | +# ternary('0', omit)) | default(omit) }}" +# hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | +# ternary('0', omit)) | default(omit) }}" +# weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['weekly']) | +# ternary('0', omit)) | default(omit) }}" +# day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['monthly']) | +# ternary('1', omit)) | default(omit) }}" +# special_time: "{{ (rhel8stig_cron_special_disable and +# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | +# ternary(omit, 
rhel8stig_aide_cron.special_time) }}" +# when: +# - rhel_08_010360 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010360 +# - aide + +# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." +# block: +# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if using numbered link files" +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.kexec_load_disabled =' +# line: "kernel.kexec_load_disabled = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched > 0 +# - rhel8stig_sysctlconf_filename.files[0].islnk + +# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if no numbered link files" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^kernel.kexec_load_disabled =' +# line: "kernel.kexec_load_disabled = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched == 0 or +# not rhel8stig_sysctlconf_filename.files[0].islnk +# when: +# - rhel_08_010372 +# tags: +# - RHEL-08-010372 +# - sysctl + +# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." +# block: +# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if using numbered link files" +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^fs.protected_symlinks =' +# line: "fs.protected_symlinks = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched > 0 +# - rhel8stig_sysctlconf_filename.files[0].islnk + +# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. 
| Set protected symlinks if no numbered link files" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^fs.protected_symlinks =' +# line: "fs.protected_symlinks = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched == 0 or +# not rhel8stig_sysctlconf_filename.files[0].islnk +# when: +# - rhel_08_010373 +# tags: +# - RHEL-08-010373 +# - sysctl + +# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." +# block: +# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if using numbered link files" +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^fs.protected_hardlinks =' +# line: "fs.protected_hardlinks = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched > 0 +# - rhel8stig_sysctlconf_filename.files[0].islnk + +# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if no numbered link files" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^fs.protected_hardlinks =' +# line: "fs.protected_hardlinks = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched == 0 or +# not rhel8stig_sysctlconf_filename.files[0].islnk +# when: +# - rhel_08_010374 +# tags: +# - RHEL-08-010374 +# - sysctl + +# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." 
+# replace: +# path: "{{ item }}" +# regexp: '^([^#].*)NOPASSWD(.*)' +# replace: '\1PASSWD\2' +# with_items: +# - "{{ rhel8stig_sudoers_files.stdout_lines }}" +# when: +# - rhel_08_010380 +# - rhel8stig_using_password_auth +# tags: +# - RHEL-08-010380 +# - sudoers + +# - name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." +# replace: +# path: "{{ item }}" +# regexp: '^([^#].*)!authenticate(.*)' +# replace: '\1authenticate\2' +# with_items: +# - "{{ rhel8stig_sudoers_files.stdout_lines }}" +# when: +# - rhel_08_010381 +# - rhel8stig_using_password_auth +# tags: +# - RHEL-08-010381 +# - sudoers + +# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." +# block: +# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" +# dnf: +# name: esc +# state: present +# when: rhel8stig_gui + +# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" +# dnf: +# name: openssl-pkcs11 +# state: present +# when: +# - rhel_08_010390 +# tags: +# - RHEL-08-010390 +# - multifactor + +# - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." +# lineinfile: +# path: '{{ rhel8stig_sssd_conf }}' +# regexp: '^certificate_verification = {{ item }}' +# state: absent +# with_items: +# - 'no_ocsp, no_verification' +# - no_ocsp +# - no_verification +# notify: restart sssd +# when: +# - "'sssd' in ansible_facts.packages" +# - rhel8stig_sssd_conf_present.stat.exists +# - rhel_08_010400 +# tags: +# - RHEL-08-010400 + +# - name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." 
+# dnf: +# name: opensc +# state: present +# when: +# - rhel_08_010410 +# tags: +# - RHEL-08-010410 +# - opensc +# - piv + +# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." +# block: +# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state" +# shell: dmesg |grep "NX (" +# changed_when: false +# failed_when: false +# register: rhel_08_010420_nx_bit_state + +# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" +# debug: +# msg: +# - "Good News! You are setup with execute disable active." +# when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' + +# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" +# debug: +# msg: +# - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" +# when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' +# when: +# - rhel_08_010420 +# tags: +# - RHEL-08-010420 + +# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." +# block: +# - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" +# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' +# args: +# warn: no +# changed_when: false +# failed_when: false +# register: rhel8stig_010421_grub_cmdline_linux + +# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
| Set page poison 1 as active"
+# shell: grubby --update-kernel=ALL --args="page_poison=1"
+
+# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist"
+# lineinfile:
+# path: /etc/default/grub
+# regexp: '^GRUB_CMDLINE_LINUX='
+# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"'
+# when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout'
+
+# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists"
+# replace:
+# path: /etc/default/grub
+# regexp: 'page_poison=([^\s|"])+'
+# replace: "page_poison=1"
+# when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout'
+# when:
+# - rhel_08_010421
+# tags:
+# - RHEL-08-010421
+# - grub
+
+# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls."
+# block:
+# - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings"
+# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_010422_grub_cmdline_linux
+
+# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active"
+# shell: grubby --update-kernel=ALL --args="vsyscall=none"
+
+# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist"
+# lineinfile:
+# path: /etc/default/grub
+# regexp: '^GRUB_CMDLINE_LINUX='
+# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"'
+# when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout'
+
+# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if exists"
+# replace:
+# path: /etc/default/grub
+# regexp: 'vsyscall=([^\s|"])+'
+# replace: "vsyscall=none"
+# when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout'
+# when:
+# - rhel_08_010422
+# tags:
+# - RHEL-08-010422
+# - grub
+
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks."
+# block:
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings"
+# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_010423_grub_cmdline_linux
+
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active"
+# shell: grubby --update-kernel=ALL --args="slub_debug=P"
+
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist"
+# lineinfile:
+# path: /etc/default/grub
+# regexp: '^GRUB_CMDLINE_LINUX='
+# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"'
+# when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout'
+
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists"
+# replace:
+# path: /etc/default/grub
+# regexp: 'slub_debug=([^\s|"])+'
+# replace: "slub_debug=P"
+# when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout'
+# when:
+# - rhel_08_010423
+# tags:
+# - RHEL-08-010423
+# - grub
+
+# - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution."
+# sysctl:
+# name: kernel.randomize_va_space
+# value: '2'
+# state: present
+# reload: "{{ rhel8stig_sysctl_reload }}"
+# sysctl_set: yes
+# ignoreerrors: yes
+# notify: sysctl system
+# when:
+# - rhel_08_010430
+# tags:
+# - RHEL-08-010430
+# - sysctl
+
+# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive."
+# block:
+# - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files"
+# find:
+# paths: /etc/ssh
+# recurse: yes
+# file_type: file
+# patterns: 'ssh_host*_key.pub'
+# hidden: true
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010480_public_files
+
+# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions"
+# file:
+# path: "{{ item.path }}"
+# mode: '0644'
+# with_items:
+# - "{{ rhel_08_010480_public_files.files }}"
+# notify: restart sshd
+# when:
+# - rhel_08_010480
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010480
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive."
+# block:
+# - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files"
+# find:
+# paths: /etc/ssh
+# recurse: yes
+# file_type: file
+# patterns: 'ssh_host*key'
+# hidden: true
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010490_private_host_key_files
+
+# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions"
+# file:
+# path: "{{ item.path }}"
+# mode: '0640'
+# with_items:
+# - "{{ rhel_08_010490_private_host_key_files.files }}"
+# notify: restart sshd
+# when:
+# - rhel_08_010490
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010490
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?StrictModes'
+# line: 'StrictModes yes'
+# notify: restart sshd
+# when:
+# - rhel_08_010500
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010500
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?Compression'
+# line: 'Compression {{ rhel8stig_sshd_compression }}'
+# notify: restart sshd
+# when:
+# - rhel_08_010510
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010510
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?IgnoreUserKnownHosts'
+# line: 'IgnoreUserKnownHosts yes'
+# notify: restart sshd
+# when:
+# - rhel_08_010520
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010520
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# with_items:
+# - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" }
+# - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" }
+# notify: restart sshd
+# when:
+# - rhel_08_010521
+# tags:
+# - RHEL-08-010521
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory."
+# debug:
+# msg: "WARNING!!!! /tmp is not mounted on a separate partition"
+# changed_when:
+# - rhel8stig_audit_complex
+# when:
+# - rhel_08_010543
+# - not rhel8stig_system_is_container
+# - rhel8stig_complex
+# - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
+# tags:
+# - RHEL-08-010543
+# - complexity-high
+# - mount
+# - tmp
+
+# - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?PermitRootLogin'
+# line: 'PermitRootLogin no'
+# notify: restart sshd
+# when:
+# - rhel_08_010550
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010550
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8."
+# service:
+# name: auditd
+# state: started
+# enabled: yes
+# when:
+# - rhel_08_010560
+# - not rhel8stig_system_is_container
+# tags:
+# - RHEL-08-010560
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8."
+# service:
+# name: rsyslog.service
+# state: started
+# enabled: true
+# when:
+# - rhel_08_010561
+# tags:
+# - RHEL-08-010561
+# - rsyslog
+
+# - name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."
+# mount:
+# path: /home
+# state: mounted
+# src: "{{ home_mount.device }}"
+# fstype: "{{ home_mount.fstype }}"
+# opts: "{{ home_mount.options }},nosuid"
+# when:
+# - rhel_08_010570
+# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
+# - "'nosuid' not in home_mount.options"
+# vars:
+# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
+# tags:
+# - RHEL-08-010570
+# - mounts
+# - home
+
+# - name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory."
+# mount:
+# path: /boot
+# state: mounted
+# src: "{{ boot_mount.device }}"
+# fstype: "{{ boot_mount.fstype }}"
+# opts: "{{ boot_mount.options }},nosuid"
+# when:
+# - rhel_08_010571
+# - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0
+# - "'nosuid' not in boot_mount.options"
+# vars:
+# boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}"
+# tags:
+# - RHEL-08-010571
+# - mounts
+# - boot
+
+# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions."
+# block:
+# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts"
+# shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g'
+# args:
+# warn: no
+# changed_when: no
+# check_mode: no
+# register: rhel8stig_010580_mounts_nodev
+
+# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results"
+# set_fact:
+# rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}"
+
+# with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}"
+# vars:
+# ld_mount_regex: >-
+# ^(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)
+# ld_mount_yaml: |
+# device: >-4
+# \g
+# mpoint: >-4
+# \g
+# fs: >-4
+# \g
+# opts: >-4
+# \g
+# when: rhel8stig_010580_mounts_nodev.stdout | length > 0
+
+# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value"
+# mount:
+# path: "{{ item.mpoint }}"
+# state: mounted
+# src: "{{ item.device }}"
+# fstype: "{{ item.fs }}"
+# opts: "{{ item.opts }},nodev"
+# with_items:
+# - "{{ rhel8stig_010580_mounts | default([]) }}"
+# when:
+# - item.device != "/"
+# - "'odev' not in item.opts"
+# - rhel8stig_010580_mounts_nodev.stdout | length > 0
+# when:
+# - rhel_08_010580
+# tags:
+# - RHEL-08-010580
+# - mounts
+# - non-root
+
+# - name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories."
+# mount:
+# path: /home
+# state: mounted
+# src: "{{ home_mount.device }}"
+# fstype: "{{ home_mount.fstype }}"
+# opts: "{{ home_mount.options }},noexec"
+# when:
+# - rhel_08_010590
+# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
+# - "'noexec' not in home_mount.options"
+# vars:
+# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
+# tags:
+# - RHEL-08-010590
+# - mounts
+# - home
+
+# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media."
+# block:
+# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media"
+# mount:
+# path: /media
+# state: mounted
+# src: "{{ removable_mount.device }}"
+# fstype: "{{ removable_mount.fstype }}"
+# opts: "{{ removable_mount.options }},nodev"
+# when:
+# - rhel_08_010600
+# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+# - "'nodev' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /mnt"
+# mount:
+# path: /mnt
+# state: mounted
+# src: "{{ removable_mount2.device }}"
+# fstype: "{{ removable_mount2.fstype }}"
+# opts: "{{ removable_mount2.options }},nodev"
+# when:
+# - rhel_08_010600
+# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+# - "'nodev' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+# when:
+# - rhel_08_010600
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# tags:
+# - RHEL-08-010600
+# - mounts
+# - media
+
+# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media."
+# block:
+# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /media"
+# mount:
+# path: /media
+# state: mounted
+# src: "{{ removable_mount.device }}"
+# fstype: "{{ removable_mount.fstype }}"
+# opts: "{{ removable_mount.options }},noexec"
+# when:
+# - rhel_08_010600
+# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+# - "'noexec' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt"
+# mount:
+# path: /mnt
+# state: mounted
+# src: "{{ removable_mount2.device }}"
+# fstype: "{{ removable_mount2.fstype }}"
+# opts: "{{ removable_mount2.options }},noexec"
+# when:
+# - rhel_08_010610
+# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+# - "'noexec' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+# when:
+# - rhel_08_010610
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# tags:
+# - RHEL-08-010610
+# - mounts
+# - media
+
+# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
+# block:
+# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media"
+# mount:
+# path: /media
+# state: mounted
+# src: "{{ removable_mount.device }}"
+# fstype: "{{ removable_mount.fstype }}"
+# opts: "{{ removable_mount.options }},nosuid"
+# when:
+# - rhel_08_010620
+# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+# - "'nosuid' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt"
+# mount:
+# path: /mnt
+# state: mounted
+# src: "{{ removable_mount2.device }}"
+# fstype: "{{ removable_mount2.fstype }}"
+# opts: "{{ removable_mount2.options }},nosuid"
+# when:
+# - rhel_08_010620
+# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+# - "'nosuid' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+# when:
+# - rhel_08_010620
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# tags:
+# - RHEL-08-010620
+# - mounts
+# - media
+
+# - name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)."
+# mount:
+# path: "{{ item }}"
+# src: "{{ ansible_mounts | json_query(device_query) }}"
+# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+# opts: "{{ ansible_mounts | json_query(options_query) }},noexec"
+# state: mounted
+# vars:
+# device_query: '[?mount == `{{ item }}`] | [0].device'
+# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+# options_query: '[?mount == `{{ item }}`] | [0].options'
+# with_items: "{{ rhel8stig_nfs_mounts }}"
+# when:
+# - rhel_08_010630
+# - "'noexec' not in (ansible_mounts | json_query(options_query))"
+# tags:
+# - RHEL-08-010630
+# - mounts
+# - nfs
+
+# - name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)."
+# mount:
+# path: "{{ item }}"
+# src: "{{ ansible_mounts | json_query(device_query) }}"
+# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+# opts: "{{ ansible_mounts | json_query(options_query) }},nodev"
+# state: mounted
+# vars:
+# device_query: '[?mount == `{{ item }}`] | [0].device'
+# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+# options_query: '[?mount == `{{ item }}`] | [0].options'
+# with_items: "{{ rhel8stig_nfs_mounts }}"
+# when:
+# - rhel_08_010640
+# - "'nodev' not in (ansible_mounts | json_query(options_query))"
+# tags:
+# - RHEL-08-010640
+
+# - name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)"
+# mount:
+# path: "{{ item }}"
+# src: "{{ ansible_mounts | json_query(device_query) }}"
+# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+# opts: "{{ ansible_mounts | json_query(options_query) }},nosuid"
+# state: mounted
+# vars:
+# device_query: '[?mount == `{{ item }}`] | [0].device'
+# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+# options_query: '[?mount == `{{ item }}`] | [0].options'
+# with_items: "{{ rhel8stig_nfs_mounts }}"
+# when:
+# - rhel_08_010650
+# - "'nosuid' not in (ansible_mounts | json_query(options_query))"
+# tags:
+# - RHEL-08-010650
+
+# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs."
+# block:
+# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions"
+# shell: find {{ item.mount }} -xdev -type f -perm -002
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010660_world_writable_files
+# with_items:
+# - "{{ ansible_mounts }}"
+
+# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening"
+# set_fact:
+# rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}"
+
+# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories"
+# include_tasks: audit_homedirinifiles.yml
+# loop:
+# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+# loop_control:
+# loop_var: ini_item
+# when:
+# - rhel_08_010660_change_perms != []
+
+# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
+# file:
+# path: "{{ item }}"
+# mode: '0755'
+# state: file
+# with_items:
+# - "{{ rhel_08_010660_change_perms }}"
+# when:
+# - rhel_08_010660_change_perms != []
+# when:
+# - rhel_08_010660
+# - rhel8stig_disruption_high
+# # - rhel_08_stig_interactive_homedir_inifiles is defined
+# tags:
+# - RHEL-08-010660
+
+# - name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed."
+# service:
+# name: kdump
+# enabled: no
+# state: stopped
+# when:
+# - rhel_08_010670
+# - not rhel8stig_kdump_needed
+# tags:
+# - RHEL-08-010670
+# - kdump
+
+# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
+# block:
+# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if using numbered link files"
+# lineinfile:
+# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+# regexp: '^kernel.core_pattern ='
+# line: "kernel.core_pattern = |/bin/false"
+# notify: sysctl system
+# when:
+# - rhel8stig_sysctlconf_filename.matched > 0
+# - rhel8stig_sysctlconf_filename.files[0].islnk
+
+# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if no numbered link files"
+# lineinfile:
+# path: /etc/sysctl.conf
+# regexp: '^kernel.core_pattern ='
+# line: "kernel.core_pattern = |/bin/false"
+# notify: sysctl system
+# when:
+# - rhel8stig_sysctlconf_filename.matched == 0 or
+# not rhel8stig_sysctlconf_filename.files[0].islnk
+# when:
+# - rhel_08_010671
+# tags:
+# - RHEL-08-010671
+# - sysctl
+
+# - name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps."
+# systemd:
+# name: systemd-coredump.socket
+# masked: yes
+# daemon_reload: yes
+# notify: systemctl daemon-reload
+# when:
+# - rhel_08_010672
+# tags:
+# - RHEL-08-010672
+# - systemd
+
+# - name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users."
+# lineinfile:
+# path: /etc/security/limits.conf
+# regexp: '^\*.*hard.*core'
+# line: "* hard core 0"
+# insertbefore: '# End of file'
+# when:
+# - rhel_08_010673
+# tags:
+# - RHEL-08-010673
+# - security
+# - limits
+
+# - name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps."
+# lineinfile:
+# path: /etc/systemd/coredump.conf
+# regexp: '^(S|s)torage=|#(S|s)torage='
+# line: "Storage=none"
+# when:
+# - rhel_08_010674
+# tags:
+# - RHEL-08-010674
+# - systemd
+
+# - name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces."
+# lineinfile:
+# path: /etc/systemd/coredump.conf
+# regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax='
+# line: "ProcessSizeMax=0"
+# when:
+# - rhel_08_010675
+# tags:
+# - RHEL-08-010675
+# - systemd
+
+# # NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service.
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."
+# block:
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf"
+# shell: grep "dns" /etc/nsswitch.conf | grep -v "#"
+# changed_when: no
+# failed_when: false
+# check_mode: no
+# register: rhel_08_010680_nsswitch_check
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf"
+# command: grep -c "# Generated by NetworkManager" /etc/resolv.conf
+# changed_when: no
+# failed_when: false
+# check_mode: no
+# register: rhel_08_010680_networkmanager_check
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf"
+# shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l
+# changed_when: no
+# failed_when: false
+# check_mode: no
+# register: rhel_08_010680_nameserver_count
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf"
+# shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf
+# when:
+# - "'dns' not in rhel_08_010680_nsswitch_check.stdout"
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf"
+# lineinfile:
+# dest: /etc/resolv.conf
+# regexp: "{{ item.regexp }}"
+# line: "nameserver {{ item.line }}"
+# insertafter: "{{ item.after }}"
+# with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers
+# - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search }
+# - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
+# # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
+# when:
+# - not rhel8_stig_use_resolv_template
+# - rhel_08_010680_networkmanager_check.stdout == '0'
+# - rhel_08_010680_nameserver_count.stdout | int >= 2
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf using a template when not NetworkManager controlled"
+# template:
+# src: resolv.conf.j2
+# dest: /etc/resolv.conf
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_010680_networkmanager_check.stdout == '0'
+# - rhel8_stig_use_resolv_template
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp."
+# debug:
+# msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations."
+# changed_when: true
+# when:
+# - rhel_08_010680_networkmanager_check.stdout != '0' or rhel_08_010680_nameserver_count.stdout| int < 2
+# - not rhel8_stig_use_resolv_template
+# when:
+# - rhel_08_010680
+# - not rhel8stig_system_is_chroot
+# - not rhel8stig_system_is_container
+# - not system_is_ec2
+# tags:
+# - RHEL-08-010680
+
+# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+# block:
+# - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files"
+# shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
+# with_items: "{{ rhel_08_stig_interactive_homedir_results }}"
+# register: rhel_08_010690_ini_path_grep_list
+# changed_when: no
+# failed_when: false
+
+# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+# debug:
+# msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory.
+# with_items:
+# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+
+# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+# lineinfile:
+# path: "{{ item }}"
+# regexp: "^PATH="
+# line: "{{ rhel_08_010690_user_path }}"
+# with_items:
+# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+# when:
+# - rhel_08_010690
+# - rhel8stig_disruption_high
+# - rhel8stig_change_user_path
+# tags:
+# - RHEL-08-010690
+# - complexity-high
+
+# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
+# block:
+# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories"
+# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010700_world_writable_directories
+
+# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions"
+# file:
+# path: "{{ item }}"
+# owner: root
+# with_items:
+# - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}"
+# when: rhel_08_010700_world_writable_directories.stdout | length > 0
+# when:
+# - rhel_08_010700
+# tags:
+# - RHEL-08-010700
+
+# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."
+# block:
+# - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories"
+# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010710_world_writable_directories
+
+# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions"
+# file:
+# path: "{{ item }}"
+# group: root
+# with_items:
+# - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}"
+# when: rhel_08_010710_world_writable_directories.stdout | length > 0
+# when:
+# - rhel_08_010710
+# tags:
+# - RHEL-08-010710
+
+# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."
+# block:
+# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory"
+# shell: pwck -r | grep user | cut -f2 -d"'"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010720_users_no_home_dir
+
+# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory"
+# shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}'
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010720_user_list
+
+# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list"
+# debug:
+# msg:
+# - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards"
+# - "{{ rhel_08_010720_user_list.stdout_lines }}"
+# when: rhel_08_010720_user_list.stdout | length > 0
+# when:
+# - rhel_08_010720
+# tags:
+# - RHEL-08-010720
+
+# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+# block:
+# - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+# shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd)
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010730_home_directories
+
+# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+# file:
+# path: "{{ item }}"
+# mode: 0750
+# with_items:
+# - "{{ rhel_08_010730_home_directories.stdout_lines }}"
+# when: rhel_08_010730_home_directories.stdout | length > 0
+# when:
+# - rhel_08_010730
+# tags:
+# - RHEL-08-010730
+
+# - name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."
+# file:
+# path: "{{ item.dir }}"
+# group: "{{ item.gid }}"
+# state: directory
+# with_items: "{{ rhel8stig_passwd }}"
+# loop_control:
+# label: "{{ rhel8stig_passwd_label }}"
+# when:
+# - rhel_08_010740
+# - item.uid >= rhel8stig_interactive_uid_start
+# tags:
+# - skip_ansible_lint
+# - RHEL-08-010740
+
+# - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."
+# file:
+# path: "{{ item.dir }}"
+# state: directory
+# with_items: "{{ rhel8stig_passwd }}"
+# loop_control:
+# label: "{{ rhel8stig_passwd_label }}"
+# when:
+# - rhel_08_010750
+# - item.uid >= rhel8stig_interactive_uid_start
+# tags:
+# - skip_ansible_lint
+# - RHEL-08-010750
+
+# - name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
+# lineinfile:
+# path: /etc/login.defs
+# regexp: '.*?CREATE_HOME.*'
+# line: CREATE_HOME yes
+# when:
+# - rhel_08_010760
+# tags:
+# - RHEL-08-010760
+# - login
+# - home
+
+# - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive."
+# file:
+# path: "{{ item }}"
+# mode: 0740
+# with_items:
+# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+# when:
+# - rhel_08_010770
+# - rhel8stig_disruption_high
+# - rhel_08_stig_interactive_homedir_inifiles is defined
+# tags:
+# - RHEL-08-010770
+# - complexity-high
+
+# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
+# block:
+# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
+# shell: find / -nouser
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010780_nouser_files
+
+# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
+# debug:
+# msg:
+# - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner"
+# - "{{ rhel_08_010780_nouser_files.stdout_lines }}"
+# when: rhel_08_010780_nouser_files.stdout | length > 0
+# when:
+# - rhel_08_010780
+# tags:
+# - RHEL-08-010780
+
+# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner."
+# block:
+# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files"
+# shell: find / -nogroup
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010790_nogroup_files
+
+# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files"
+# debug:
+# msg:
+# - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group"
+# - "{{ rhel_08_010790_nogroup_files.stdout_lines }}"
+# when: rhel_08_010790_nogroup_files.stdout | length > 0
+# when:
+# - rhel_08_010790
+# tags:
+# - RHEL-08-010790
+
+# - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."
+# debug:
+# msg: "WARNING!!!! /home is not mounted on a separate partition"
+# changed_when:
+# - rhel8stig_audit_complex
+# when:
+# - rhel_08_010800
+# - not rhel8stig_system_is_container
+# - rhel8stig_complex
+# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0
+# tags:
+# - RHEL-08-010800
+# - complexity-high
+# - mount
+# - home
+
+# - name: "MEDIUM | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?PermitUserEnvironment'
+# line: 'PermitUserEnvironment no'
+# notify: restart sshd
+# when:
+# - rhel_08_010830
+# - rhel8stig_disruption_high
+# tags:
+# - RHEL-08-010830
+# - ssh
+# - disruption_high
+
+# - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
+# debug:
+# msg:
+# - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
+# - "To do this please run sudo chage -l account_name for the accounts you need to check"
+# - "The results will display the Account Expires information"
+# - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name'
+# when:
+# - rhel_08_020000
+# tags:
+# - RHEL-08-020000
+
+# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
+# block:
+# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020010
+# tags:
+# - RHEL-08-020010
+# - pamd
+
+# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
+# block:
+# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
| Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf" +# lineinfile: +# path: "/etc/security/faillock.conf" +# regexp: '^deny =|^\# deny =' +# line: "deny = {{ rhel8stig_pam_faillock.attempts }}" +# when: +# - rhel_08_020011 +# tags: +# - RHEL-08-020011 +# - pamd + +# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." 
+# block: +# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020012 +# tags: +# - RHEL-08-020012 +# - pamd + +# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." 
+# block: +# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set fail_interval in faillock.conf" +# lineinfile: +# path: "/etc/security/faillock.conf" +# regexp: '^fail_interval =|^\# fail_interval =' +# line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020013 +# tags: +# - RHEL-08-020013 +# - pamd + +# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." +# block: +# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020013 +# tags: +# - RHEL-08-020013 +# - pamd + +# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." +# block: +# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" +# lineinfile: +# path: "/etc/security/faillock.conf" +# regexp: '^unlock_time =|^\# unlock_time =' +# line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}" +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020015 +# tags: +# - RHEL-08-020015 +# - pamd + +# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist." 
+# block: +# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020016 +# tags: +# - RHEL-08-020016 +# - pamd + +# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist." +# block: +# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. 
| Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf" +# lineinfile: +# path: "/etc/security/faillock.conf" +# regexp: '^dir =|^\# dir =' +# line: "dir = /var/log/faillock" +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020017 +# tags: +# - RHEL-08-020017 +# - pamd + +# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." 
+# block: +# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020018 +# tags: +# - RHEL-08-020018 +# - pamd + +# - name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." +# block: +# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. 
| Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf" +# lineinfile: +# path: "/etc/security/faillock.conf" +# regexp: '^silent|^\# silent' +# line: "silent" +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020019 +# tags: +# - RHEL-08-020019 +# - pamd + +# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." 
+# block: +# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020020 +# tags: +# - RHEL-08-020020 +# - pamd + +# - name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." +# block: +# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. 
| Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf" +# lineinfile: +# path: "/etc/security/faillock.conf" +# regexp: '^audit|^\# audit' +# line: "audit" +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020021 +# tags: +# - RHEL-08-020021 +# - pamd + +# - name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." 
+# block: +# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020022 +# tags: +# - RHEL-08-020022 +# - pamd + +# - name: "MEDIUM | RHEL-020023| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." +# block: +# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so preauth' +# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^auth required pam_faillock.so authfail' +# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' +# insertafter: '^auth' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" +# lineinfile: +# path: "/etc/pam.d/{{ item }}" +# regexp: '^account required pam_faillock.so' +# line: 'account required pam_faillock.so' +# insertafter: '^account' +# notify: restart sssd +# with_items: +# - system-auth +# - password-auth + +# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf" +# lineinfile: +# path: "/etc/security/faillock.conf" +# regexp: '^even_deny_root|^\# even_deny_root' +# line: "even_deny_root" +# with_items: +# - system-auth +# - password-auth +# when: +# - rhel_08_020023 +# tags: +# - RHEL-08-020023 +# - pamd + +# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." +# block: +# - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. 
| Check for lock-enabled"
+# command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020030_lock_enabled
+
+# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
+# lineinfile:
+# path: "{{ rhel_08_020030_lock_enabled.stdout }}"
+# regexp: '^lock-enabled'
+# line: lock-enabled=true
+# when: rhel_08_020030_lock_enabled.stdout | length > 0
+# notify: dconf update
+
+# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist"
+# lineinfile:
+# path: /etc/dconf/db/local.d/00-screensaver
+# create: yes
+# regexp: '^lock-enabled'
+# owner: root
+# group: root
+# mode: 0644
+# line: |
+# [org/gnome/desktop/screensaver]
+# # Set this to true to lock the screen when the screensaver activates
+# lock-enabled=true
+# when: rhel_08_020030_lock_enabled.stdout | length == 0
+# notify: dconf update
+# when:
+# - rhel_08_020030
+# - "'dconf' in ansible_facts.packages"
+# - rhel8stig_always_configure_dconf
+
+# tags:
+# - RHEL-08-020030
+# - gui
+
+# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
+# block:
+# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux"
+# dnf:
+# name: tmux
+# state: present
+
+# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux"
+# lineinfile:
+# path: /etc/tmux.conf
+# regexp: '^set \-g'
+# line: "set -g lock-command vlock"
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020040
+# tags:
+# - RHEL-08-020040
+# - tmux
+
+# - name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization."
+# lineinfile:
+# path: /etc/bashrc
+# regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]'
+# line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
+# when:
+# - rhel_08_020041
+# tags:
+# - RHEL-08-020041
+# - tmux
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."
+# block:
+# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
+# shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020050_removal_action
+
+# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
+# shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020050_removal_action_file
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist"
+# lineinfile:
+# path: /etc/dconf/db/distro.d/20-authselect
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# line: |
+# [org/gnome/settings-daemon/peripherals/smartcard]
+# removal-action='lock-screen'
+# when: rhel_08_020050_removal_action.stdout | length == 0
+# notify: dconf update
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists"
+# lineinfile:
+# path: "{{ rhel_08_020050_removal_action.stdout }}"
+# regexp: ^removal-action=
+# line: removal-action='lock-screen'
+# when: rhel_08_020050_removal_action.stdout | length > 0
+# notify: dconf update
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
+# lineinfile:
+# path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}'
+# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
+# when: rhel_08_020050_removal_action_file.stdout | length > 0
+# notify: dconf update
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
+# lineinfile:
+# path: /etc/dconf/db/distro.d/locks/20-authselect
+# create: yes
+# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
+# owner: root
+# group: root
+# mode: 0640
+# when: rhel_08_020050_removal_action_file.stdout | length == 0
+# notify: dconf update
+# when:
+# - rhel_08_020050
+# tags:
+# - RHEL-08-020050
+# - smartcard
+
+# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity."
+# block:
+# - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter"
+# shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020060_idle_delay_param
+
+# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist"
+# lineinfile:
+# path: /etc/dconf/db/local.d/00-screensaver
+# create: yes
+# owner: root
+# group: root
+# mode: 0640
+# regexp: '^idle-delay'
+# line: |
+# [org/gnome/desktop/session]
+# # Set the lock time out to 900 seconds before the session is considered idle
+# idle-delay=uint32 900
+# notify: dconf update
+# when: rhel_08_020060_idle_delay_param.stdout | length == 0
+
+# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists"
+# lineinfile:
+# path: "{{ rhel_08_020060_idle_delay_param.stdout }}"
+# regexp: '^idle-delay='
+# line: idle-delay=uint32 900
+# owner: root
+# group: root
+# mode: 0640
+# notify: dconf update
+# when: rhel_08_020060_idle_delay_param.stdout | length > 0
+# when:
+# - rhel_08_020060
+# - "'dconf' in ansible_facts.packages"
+# - rhel8stig_always_configure_dconf
+
+# tags:
+# - RHEL-08-020060
+# - gui
+
+# - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity."
+# lineinfile:
+# path: /etc/tmux.conf
+# regexp: '^set -g lock-after-time'
+# line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020070
+# tags:
+# - RHEL-08-020070
+# - tmux
+
+# - name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings."
+# lineinfile:
+# path: /etc/dconf/db/local.d/locks/session
+# create: yes
+# line: "{{ item }}"
+# owner: root
+# group: root
+# mode: 0640
+# with_items:
+# - /org/gnome/desktop/session/idle-delay
+# - /org/gnome/desktop/screensaver/lock-enabled
+# - /org/gnome/desktop/screensaver/lock-delay
+# - /org/gnome/settings-daemon/plugins/media-keys/logout
+# - /org/gnome/login-screen/disable-user-list
+# - /org/gnome/login-screen/banner-message-text
+# - /org/gnome/login-screen/banner-message-enable
+# - /org/gnome/desktop/lockdown/disable-lock-screen
+# when:
+# - rhel_08_020080
+# - "'dconf' in ansible_facts.packages"
+# - rhel8stig_always_configure_dconf
+# tags:
+# - RHEL-08-020080
+
+# - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
+# lineinfile:
+# path: "{{ rhel8stig_sssd_conf }}"
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# owner: root
+# group: root
+# mode: 0640
+# with_items:
+# - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
+# - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
+# - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' }
+# - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' }
+# notify: restart sssd
+# when:
+# - "'sssd' in ansible_facts.packages"
+# - rhel8stig_sssd_conf_present.stat.exists
+# - rhel_08_020090
+# tags:
+# - RHEL-08-020090
+
+# - name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled."
+# lineinfile:
+# path: "{{ item.path }}"
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# insertafter: '^password'
+# owner: root
+# group: root
+# mode: 0640
+# with_items:
+# - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
+# - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
+# when:
+# - rhel_08_020100
+# tags:
+# - RHEL-08-020100
+
+# - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*ucredit'
+# line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}"
+# when:
+# - rhel_08_020110
+# tags:
+# - RHEL-08-020110
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*lcredit'
+# line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}"
+# when:
+# - rhel_08_020120
+# tags:
+# - RHEL-08-020120
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*dcredit'
+# line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}"
+# when:
+# - rhel_08_020130
+# tags:
+# - RHEL-08-020130
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*maxclassrepeat'
+# line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}"
+# when:
+# - rhel_08_020140
+# tags:
+# - RHEL-08-020140
+# - pwquality
+
+# - name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*maxrepeat'
+# line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}"
+# when:
+# - rhel_08_020150
+# tags:
+# - RHEL-08-020150
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*minclass'
+# line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}"
+# when:
+# - rhel_08_020160
+# tags:
+# - RHEL-08-020160
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*difok'
+# line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}"
+# when:
+# - rhel_08_020170
+# tags:
+# - RHEL-08-020170
+# - pwquality
+
+# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."
+# block:
+# - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Get list of users"
+# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020180_users
+
+# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction"
+# command: chage -m 1 {{ item }}
+# with_items: "{{ rhel_08_020180_users.stdout_lines }}"
+# when:
+# - rhel_08_020180
+# tags:
+# - RHEL8-08-020180
+# - password
+
+# - name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."
+# lineinfile:
+# path: /etc/login.defs
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: ^#?PASS_MIN_DAYS
+# line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}"
+# when:
+# - rhel_08_020190
+# tags:
+# - RHEL-08-020190
+# - login
+
+# - name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction."
+# lineinfile:
+# path: /etc/login.defs
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: ^#?PASS_MAX_DAYS
+# line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}"
+# when:
+# - rhel_08_020200
+# tags:
+# - RHEL-08-020200
+# - login
+
+# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
+# block:
+# - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users"
+# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
+# check_mode: no
+# changed_when: rhel_08_020210_users.stdout | length > 0
+# register: rhel_08_020210_users
+
+# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user."
+# command: chage -d '-1 day' {{ item }}
+# check_mode: "{{ rhel8stig_disruptive_check_mode }}"
+# with_items: "{{ rhel_08_020210_users.stdout_lines }}"
+
+# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime"
+# command: chage -M 60 {{ item }}
+# check_mode: "{{ rhel8stig_disruptive_check_mode }}"
+# with_items: "{{ rhel_08_020210_users.stdout_lines }}"
+# when:
+# - rhel_08_020210
+# - rhel8stig_disruption_high
+# tags:
+# - RHEL-08-020210
+# - disruption-high
+# - password
+
+# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations."
+# block:
+# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists"
+# pamd:
+# name: "{{ item }}"
+# state: before
+# type: password
+# control: sufficient
+# module_path: pam_unix.so
+# new_type: password
+# new_control: required
+# new_module_path: pam_pwhistory.so
+# with_items:
+# - "system-auth"
+# - "password-auth"
+
+# # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent
+# - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Check for existing password history reuse settings"
+# command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}"
+# check_mode: no
+# changed_when: no
+# failed_when: rhel_08_020220_pw_hist_settings.rc > 1
+# register: rhel_08_020220_pw_hist_settings
+# with_items:
+# - "system-auth"
+# - "password-auth"
+
+# # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following.
+# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set"
+# pamd:
+# name: "{{ item.item }}"
+# state: updated
+# type: password
+# control: required
+# module_path: pam_pwhistory.so
+# module_arguments:
+# - use_authtok
+# - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}
+# - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}
+# with_items: "{{ rhel_08_020220_pw_hist_settings.results }}"
+# when: item.rc == 1
+# when:
+# - rhel_08_020220
+# tags:
+# - RHEL-08-020220
+# - pamd
+
+# - name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*minlen'
+# line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}"
+# when:
+# - rhel_08_020230
+# tags:
+# - RHEL-08-020230
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters."
+# lineinfile:
+# path: /etc/login.defs
+# regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN'
+# line: "PASS_MIN_LEN 15"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020231
+# tags:
+# - RHEL-08-020231
+# - passwords
+
+# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users."
+# block:
+# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users"
+# command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020240_duplicate_uid_users
+
+# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users"
+# debug:
+# msg:
+# - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user"
+# - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}"
+# when:
+# - rhel_08_020240
+# tags:
+# - RHEL-08-020240
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts."
+# block:
+# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth"
+# shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020250_sc_auth_sss
+
+# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth"
+# shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020250_system_auth_sss
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf"
+# lineinfile:
+# path: "{{ rhel8stig_sssd_conf }}"
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# insertafter: "{{ item.insertafter }}"
+# owner: root
+# group: root
+# mode: 0640
+# notify: restart sssd
+# with_items:
+# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
+# - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' }
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth"
+# lineinfile:
+# path: /etc/pam.d/smartcard-auth
+# line: auth sufficient pam_sss.so try_cert_auth
+# owner: root
+# group: root
+# mode: 0644
+# notify: restart sssd
+# when: rhel_08_020250_sc_auth_sss.stdout | length == 0
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth"
+# pamd:
+# name: /etc/pam.d/smartcard-auth
+# state: updated
+# type: auth
+# control: sufficient
+# module_path: pam_sss.so
+# module_arguments: 'try_cert_auth'
+# notify: restart sssd
+# when: rhel_08_020250_sc_auth_sss.stdout | length > 0
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth"
+# pamd:
+# name: /etc/pam.d/system-auth
+# state: after
+# type: auth
+# control: required
+# module_path: pam_env.so
+# new_type: auth
+# new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
+# new_module_path: pam_sss.so
+# module_arguments: try_cert_auth
+# notify: restart sssd
+# when: rhel_08_020250_system_auth_sss.stdout | length == 0
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth"
+# pamd:
+# name: /etc/pam.d/system-auth
+# state: updated
+# type: auth
+# control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
+# module_path: pam_env.so
+# module_arguments: try_cert_auth
+# notify: restart sssd
+# when: rhel_08_020250_system_auth_sss.stdout | length > 0
+# when:
+# - "'sssd' in ansible_facts.packages"
+# - rhel8stig_sssd_conf_present.stat.exists
+# - rhel_08_020250
+# tags:
+# - RHEL-08-020250
+# - pamd
+
+# - name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity."
+# command: useradd -D -f 35
+# when:
+# - rhel_08_020260
+# tags:
+# - RHEL-08-020260
+# - useradd
+
+# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+# block:
+# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+# command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020270_system_users
+
+# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+# debug:
+# msg:
+# - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours"
+# - "{{ rhel_08_020270_system_users.stdout_lines }}"
+# when:
+# - rhel_08_020270
+# tags:
+# - RHEL-08-020270
+
+# - name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# regexp: '^#?\s*ocredit'
+# line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020280
+# tags:
+# - RHEL-08-020280
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day."
+# lineinfile:
+# path: "{{ rhel8stig_sssd_conf }}"
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# insertafter: "{{ item.insertafter }}"
+# owner: root
+# group: root
+# mode: 0640
+# with_items:
+# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
+# - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
+# when:
+# - "'sssd' in ansible_facts.packages"
+# - rhel8stig_sssd_conf_present.stat.exists
+# - rhel_08_020290
+# tags:
+# - RHEL-08-020290
+# - sssd
+
+# - name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# regexp: '^#?\s*dictcheck'
+# line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020300
+# tags:
+# - RHEL-08-020300
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."
+# lineinfile:
+# dest: /etc/login.defs
+# regexp: ^#?FAIL_DELAY
+# line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020310
+# tags:
+# - RHEL-08-020310
+# - login
+
+# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts."
+# block:
+# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts"
+# command: "grep '^{{ item }}:' /etc/passwd"
+# check_mode: no
+# failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1
+# changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0
+# register: rhel_08_020320_unnecessary_accounts_found
+# with_items: "{{ rhel8stig_unnecessary_accounts }}"
+
+# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts"
+# user:
+# name: "{{ item }}"
+# state: absent
+# remove: "{{ rhel8stig_remove_unnecessary_user_files }}"
+# register: rhel_08_020320_accounts_removed
+# with_items: "{{ rhel8stig_unnecessary_accounts }}"
+
+# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file"
+# include_tasks: parse_etc_passwd.yml
+# vars:
+# rhel8stig_passwd_tasks: "RHEL-08-020320"
+# when: rhel_08_020320_accounts_removed is changed
+# when:
+# - rhel_08_020320
+# tags:
+# - RHEL-08-020320
+
+# - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."
+# lineinfile:
+# dest: /etc/ssh/sshd_config
+# regexp: '(?i)^#?PrintLastLog'
+# line: 'PrintLastLog yes'
+# validate: /usr/sbin/sshd -t -f %s
+# owner: root
+# group: root
+# mode: 0644
+# notify: restart sshd
+# when:
+# - rhel_08_020350
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-020350
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
+# lineinfile:
+# path: /etc/login.defs
+# regexp: ^#?UMASK.*
+# line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020351
+# tags:
+# - RHEL-08-020351
+
+# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts."
+# block:
+# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files"
+# find:
+# paths: /home
+# patterns: '^\.'
+# contains: 'umask'
+# recurse: yes
+# hidden: yes
+# use_regex: yes
+# register: rhel8stig_020352_files
+
+# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param"
+# lineinfile:
+# path: "{{ item.path }}"
+# regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})"
+# state: absent
+# with_items:
+# - "{{ rhel8stig_020352_files.files }}"
+# when: rhel8stig_020352_files.matched > 0
+# when:
+# - rhel_08_020352
+# tags:
+# - RHEL-08-020352
+# - umask
+
+# - name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells."
+# replace:
+# path: "{{ item }}"
+# regexp: 'umask\s\d\d\d'
+# replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}"
+# with_items:
+# - /etc/bashrc
+# - /etc/csh.cshrc
+# when:
+# - rhel_08_020353
+# tags:
+# - RHEL-08-020353
+# - umask
+
+# - name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# with_items:
+# - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' }
+# - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' }
+# - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' }
+# - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' }
+# notify: restart auditd
+# when:
+# - rhel_08_030000
+# tags:
+# - RHEL-08-030000
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8."
+# lineinfile:
+# path: /etc/rsyslog.conf
+# regexp: '^cron.*'
+# line: 'cron.* /var/log/cron'
+# when:
+# - rhel_08_030010
+# tags:
+# - RHEL-08-030010
+# - cron
+
+# - name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^action_mail_acct ='
+# line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}"
+# register: rhel_08_030020_action_mail_acct_result
+# failed_when:
+# - rhel_08_030020_action_mail_acct_result is failed
+# - rhel_08_030020_action_mail_acct_result.rc != 257
+# when:
+# - rhel_08_030020
+# tags:
+# - RHEL-08-030020
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."
+# lineinfile:
+# path: /etc/aliases
+# regexp: '^postmaster:'
+# line: 'postmaster: root'
+# when:
+# - rhel_08_030030
+# tags:
+# - RHEL-08-030030
+# - aliases
+
+# - name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^disk_error_action ='
+# line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}"
+# when:
+# - rhel_08_030040
+# tags:
+# - RHEL-08-030040
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^max_log_file_action ='
+# line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}"
+# when:
+# - rhel_08_030050
+# tags:
+# - RHEL-08-030050
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^disk_full_action ='
+# line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_030060
+# tags:
+# - RHEL-08-030060
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^local_events ='
+# line: "local_events = yes"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_030061
+# tags:
+# - RHEL-08-030061
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^name_format ='
+# line: "name_format = hostname"
+# notify: restart auditd
+# when:
+# - rhel_08_030062
+# tags:
+# - RHEL-08-030062
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^log_group ='
+# line: "log_group = root"
+# mode: 0600
+# when:
+# - rhel_08_030070
+# tags:
+# - RHEL-08-030070
+
+# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access."
+# block:
+# - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file"
+# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_030080_audit_log_file
+
+# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner"
+# file:
+# path: "{{ rhel8stig_030080_audit_log_file.stdout }}"
+# owner: root
+# when: rhel8stig_030080_audit_log_file.stdout | length > 0
+# when:
+# - rhel_08_030080
+# tags:
+# - RHEL-08-030080
+
+# - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group"
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^log_group'
+# line: "log_group = root"
+# when:
+# - rhel_08_030090
+# tags:
+# - RHEL-08-030090
+
+# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."
+# block:
+# - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory"
+# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+# changed_when: false
+# failed_when: false
+# register: rhel_08_030100_audit_log_dir
+
+# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner"
+# file:
+# path: "{{ rhel_08_030100_audit_log_dir.stdout }}"
+# owner: root
+# state: directory
+# when: rhel_08_030100_audit_log_dir.stdout | length > 0
+# tags:
+# - skip_ansible_lint
+# when:
+# - rhel_08_030100
+# tags:
+# - RHEL-08-030100
+
+# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."
+# block:
+# - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory"
+# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_030110_audit_log_dir
+
+# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group"
+# file:
+# path: "{{ rhel_08_030110_audit_log_dir.stdout }}"
+# group: root
+# state: directory
+# when: rhel_08_030110_audit_log_dir.stdout | length > 0
+# tags:
+# - skip_ansible_lint
+# when:
+# - rhel_08_030110
+# tags:
+# - skip_ansible_lint
+# - RHEL-08-030110
+
+# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access."
+# block:
+# - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. | Get audit log directory"
+# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+# changed_when: false
+# failed_when: false
+# register: rhel_08_030120_audit_log_dir
+
+# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
+# file:
+# path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
+# mode: 0700
+# state: directory
+# when: rhel_08_030120_audit_log_dir.stdout | length > 0
+# when:
+# - rhel_08_030120
+# tags:
+# - RHEL-08-030120
+
+# - name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# regexp: '^-e '
+# line: "-e 2"
+# when:
+# - rhel_08_030121
+# tags:
+# - RHEL-08-030121
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# regexp: '^--loginuid-'
+# line: "--loginuid-immutable"
+# when:
+# - rhel_08_030122
+# tags:
+# - RHEL-08-030122
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# regexp: '^-w /etc/shadow'
+# line: '-w /etc/shadow -p wa -k identity'
+# notify: restart auditd
+# when:
+# - rhel_08_030130
+# tags:
+# - RHEL-08-030130
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# regexp: '^-w /etc/security/opasswd'
+# line: -w /etc/security/opasswd -p wa -k identity
+# notify: restart auditd
+# when:
+# - rhel_08_030140
+# tags:
+# - RHEL-08-030140
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# regexp: '^-w /etc/passwd'
+# line: -w /etc/passwd -p wa -k identity
+# notify: restart auditd
+# when:
+# - rhel_08_030150
+# tags:
+# - RHEL-08-030150
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/gshadow' +# line: -w /etc/gshadow -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030160 +# tags: +# - RHEL-08-030160 +# - auditd + +# - name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/group' +# line: -w /etc/group -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030170 +# tags: +# - RHEL-08-030170 +# - auditd + +# - name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/sudoers ' +# line: -w /etc/sudoers -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030171 +# tags: +# - RHEL-08-030171 +# - auditd + +# - name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/sudoers.d/' +# line: -w /etc/sudoers.d/ -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030172 +# tags: +# - RHEL-08-030172 +# - auditd + +# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." +# block: +# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. 
| Install audit" +# dnf: +# name: audit +# state: present + +# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service" +# service: +# name: auditd +# enabled: yes +# state: started +# when: +# - rhel_08_030180 +# tags: +# - rhel_08_030180 +# - dnf +# - auditd + +# - name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' +# line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' +# notify: restart auditd +# when: +# - rhel_08_030190 +# tags: +# - RHEL-08-030190 +# - auditd + +# - name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030200 +# tags: +# - RHEL-08-030200 +# - auditd + +# - name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030210 +# tags: +# - RHEL-08-030210 +# - auditd + +# - name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030220 +# tags: +# - RHEL-08-030220 +# - auditd + +# - name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030230 +# tags: +# - RHEL-08-030230 +# - auditd + +# - name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030240 +# tags: +# - RHEL-08-030240 +# - auditd + +# - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage +# notify: restart auditd +# when: +# - rhel_08_030250 +# tags: +# - RHEL-08-030250 +# - auditd + +# - name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030260 +# tags: +# - RHEL-08-030260 +# - auditd + +# - name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030270 +# tags: +# - RHEL-08-030270 +# - auditd + +# - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh +# notify: restart auditd +# when: +# - rhel_08_030280 +# tags: +# - RHEL-08-030280 +# - auditd + +# - name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd +# notify: restart auditd +# when: +# - rhel_08_030290 +# tags: +# - RHEL-08-030290 +# - auditd + +# - name: | +# "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record." 
+# "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# notify: restart auditd +# when: +# - rhel_08_030300 or +# rhel_08_030302 +# tags: +# - RHEL-08-030300 +# - RHEL-08-030302 +# - auditd + +# - name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# notify: restart auditd +# when: +# - rhel_08_030301 +# tags: +# - RHEL-08-030301 +# - auditd + +# - name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030310 +# tags: +# - RHEL-08-030310 +# - auditd + +# - name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030311 +# tags: +# - RHEL-08-030311 +# - auditd + +# - name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030312 +# tags: +# - RHEL-08-030312 +# - auditd + +# - name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030313 +# tags: +# - RHEL-08-030313 +# - auditd + +# - name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030314 +# tags: +# - RHEL-08-030314 +# - auditd + +# - name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030315 +# tags: +# - RHEL-08-030315 +# - auditd + +# - name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030316 +# tags: +# - RHEL-08-030316 +# - auditd + +# - name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030317 +# tags: +# - RHEL-08-030317 +# - auditd + +# - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh +# notify: restart auditd +# when: +# - rhel_08_030320 +# tags: +# - RHEL-08-030320 +# - auditd + +# - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030330 +# tags: +# - RHEL-08-030330 +# - auditd + +# - name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check +# notify: restart auditd +# when: +# - rhel_08_030340 +# tags: +# - RHEL-08-030340 +# - auditd + +# - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd +# notify: restart auditd +# when: +# - rhel_08_030350 +# tags: +# - RHEL-08-030350 +# - auditd + +# - name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030360 +# tags: +# - RHEL-08-030360 +# - auditd + +# - name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030361 +# tags: +# - RHEL-08-030361 +# - auditd + +# - name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030362 +# tags: +# - RHEL-08-030362 +# - auditd + +# - name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030363 +# tags: +# - RHEL-08-030363 +# - auditd + +# - name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030364 +# tags: +# - RHEL-08-030364 +# - auditd + +# - name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030365 +# tags: +# - RHEL-08-030365 +# - auditd + +# - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd +# notify: restart auditd +# when: +# - rhel_08_030370 +# tags: +# - RHEL-08-030370 +# - auditd + +# - name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030380 +# tags: +# - RHEL-08-030380 +# - auditd + +# - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030390 +# tags: +# - RHEL-08-030390 +# - auditd + +# - name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab +# notify: restart auditd +# when: +# - rhel_08_030400 +# tags: +# - RHEL-08-030400 +# - auditd + +# - name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd +# notify: restart auditd +# when: +# - rhel_08_030410 +# tags: +# - RHEL-08-030410 +# - auditd + +# - name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030420 +# tags: +# - RHEL-08-030420 +# - auditd + +# - name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030430 +# tags: +# - RHEL-08-030430 +# - auditd + +# - name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030440 +# tags: +# - RHEL-08-030440 +# - auditd + +# - name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030450 +# tags: +# - RHEL-08-030450 +# - auditd + +# - name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030460 +# tags: +# - RHEL-08-030460 +# - auditd + +# - name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030470 +# tags: +# - RHEL-08-030470 +# - auditd + +# - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030480 +# tags: +# - RHEL-08-030480 +# - auditd + +# - name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030490 +# tags: +# - RHEL-08-030490 +# - auditd + +# - name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030500 +# tags: +# - RHEL-08-030500 +# - auditd + +# - name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030510 +# tags: +# - RHEL-08-030510 +# - auditd + +# - name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030520 +# tags: +# - RHEL-08-030520 +# - auditd + +# - name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record." 
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# notify: restart auditd
+# when:
+# - rhel_08_030530
+# tags:
+# - RHEL-08-030530
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# notify: restart auditd
+# when:
+# - rhel_08_030540
+# tags:
+# - RHEL-08-030540
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+# notify: restart auditd
+# when:
+# - rhel_08_030550
+# tags:
+# - RHEL-08-030550
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod
+# notify: restart auditd
+# when:
+# - rhel_08_030560
+# tags:
+# - RHEL-08-030560
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# notify: restart auditd
+# when:
+# - rhel_08_030570
+# tags:
+# - RHEL-08-030570
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
+# notify: restart auditd
+# when:
+# - rhel_08_030580
+# tags:
+# - RHEL-08-030580
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -w /var/log/faillock -p wa -k logins
+# notify: restart auditd
+# when:
+# - rhel_08_030590
+# tags:
+# - RHEL-08-030590
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -w /var/log/lastlog -p wa -k logins
+# notify: restart auditd
+# when:
+# - rhel_08_030600
+# tags:
+# - RHEL-08-030600
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
+# file:
+# path: "{{ item }}"
+# mode: 0640
+# with_items:
+# - /etc/audit/rules.d/audit.rules
+# - /etc/audit/auditd.conf
+# when:
+# - rhel_08_030610
+# tags:
+# - RHEL-08-030610
+# - permissions
+
+# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive."
+# block:
+# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms"
+# shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
+# changed_when: false
+# failed_when: false
+# register: rhel_08_030620_tools
+
+# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
+# file:
+# path: "{{ item }}"
+# mode: 0755
+# with_items:
+# - "{{ rhel_08_030620_tools.stdout_lines }}"
+# when:
+# - rhel_08_030620
+# tags:
+# - RHEL-08-030620
+# - permissions
+
+# - name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root."
+# file:
+# path: "{{ item }}"
+# owner: root
+# with_items:
+# - /sbin/auditctl
+# - /sbin/aureport
+# - /sbin/ausearch
+# - /sbin/autrace
+# - /sbin/auditd
+# - /sbin/audisp-remote
+# - /sbin/audisp-syslog
+# - /sbin/augenrules
+# when:
+# - rhel_08_030630
+# tags:
+# - RHEL-08-030630
+# - permissions
+
+# - name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root."
+# file:
+# path: "{{ item }}"
+# owner: root
+# with_items:
+# - /sbin/auditctl
+# - /sbin/aureport
+# - /sbin/ausearch
+# - /sbin/autrace
+# - /sbin/auditd
+# - /sbin/audisp-remote
+# - /sbin/audisp-syslog
+# - /sbin/augenrules
+# when:
+# - rhel_08_030640
+# tags:
+# - RHEL-08-030640
+# - permissions
+
+# - name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."
+# lineinfile:
+# path: /etc/aide.conf
+# line: "{{ item }}"
+# owner: root
+# group: root
+# mode: 0600
+# with_items:
+# - "# Audit Tools"
+# - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
+# when:
+# - rhel_08_030650
+# tags:
+# - RHEL-08-030650
+# - aide
+
+# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."
+# block:
+# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition"
+# shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
+# changed_when: false
+# failed_when: false
+# register: rhel_08_030660_audit_log_path
+
+# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. 
| Get size of audit log partition"
+# shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_030660_audit_log_partition
+
+# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size"
+# debug:
+# msg:
+# - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"
+# - "Path: {{ rhel_08_030660_audit_log_path.stdout }}"
+# - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}"
+# when:
+# - rhel_08_030660
+# tags:
+# - RHEL-08-030660
+
+# - name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed."
+# dnf:
+# name: rsyslog
+# state: present
+# when:
+# - rhel_08_030670
+# tags:
+# - RHEL-08-030670
+# - rsyslog
+
+# - name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed."
+# dnf:
+# name: gnutls
+# state: present
+# when:
+# - rhel_08_030680
+# tags:
+# - RHEL-08-030680
+# - gnutls
+
+# - name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."
+# lineinfile:
+# path: /etc/rsyslog.conf
+# regexp: '^.*\@\@'
+# line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}"
+# when:
+# - rhel_08_030690
+# tags:
+# - RHEL-08-030690
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^overflow_action ='
+# line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}'
+# notify: restart auditd
+# when:
+# - rhel_08_030700
+# tags:
+# - RHEL-08-030700
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
+# lineinfile:
+# path: /etc/rsyslog.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# with_items:
+# - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' }
+# - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' }
+# when:
+# - rhel_08_030710
+# tags:
+# - RHEL-08-030710
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs."
+# lineinfile:
+# path: /etc/rsyslog.conf
+# regexp: '^\$ActionSendStreamDriverAuthMode'
+# line: "$ActionSendStreamDriverAuthMode x509/name"
+# notify: restart auditd
+# when:
+# - rhel_08_030720
+# tags:
+# - rhel_08_030720
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# with_items:
+# - { regexp: '^space_left =', line: 'space_left = 25%' }
+# - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' }
+# when:
+# - rhel_08_030730
+# tags:
+# - RHEL-08-030730
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
+# lineinfile:
+# path: /etc/chrony.conf
+# regexp: '^server'
+# line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16'
+# notify: restart {{ rhel8stig_time_service }}
+# when:
+# - rhel_08_030740
+# tags:
+# - RHEL-08-030740
+# - chronyd
+
+# - name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed."
+# shell: dnf remove abrt*
+# failed_when: false
+# args:
+# warn: false
+# when:
+# - rhel_08_040001
+# tags:
+# - RHEL-08-040001
+# - dnf
+# - abrt
+
+# - name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed."
+# dnf:
+# name: sendmail
+# state: absent
+# when:
+# - rhel_08_040002
+# tags:
+# - RHEL-08-040002
+# - dnf
+# - sendmail
+
+# - name: |
+# "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed."
+# "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8."
+# dnf:
+# name: gssproxy
+# state: absent
+# when:
+# - rhel_08_040003 or
+# rhel_08_040370
+# tags:
+# - RHEL-08-040003
+# - RHEL-08-040370
+# - dnf
+# - gssproxy
+
+# - name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use."
+# lineinfile:
+# path: /etc/modprobe.d/blacklist.conf
+# create: yes
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# owner: root
+# group: root
+# mode: 0640
+# insertafter: "{{ item.insertafter }}"
+# notify: reboot system
+# with_items:
+# - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' }
+# - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' }
+# when:
+# - rhel_08_040020
+# tags:
+# - RHEL-08-040020
+# - camera
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
+# block:
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
+# block:
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using firewalld"
+# shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
+# register: rhel8stig_PPSM_CLSA_check_firewalld
+# changed_when: false
+# failed_when: false
+# check_mode: no
+# when:
+# - rhel_08_040030
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
+# debug:
+# msg:
+# - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
+# - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}"
+# changed_when: true
+# when:
+# - rhel_08_040030
+# - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined
+# tags:
+# - RHEL-08-040030
+# - firewall
+# when:
+# - rhel_08_040030
+# - not rhel8stig_system_is_chroot
+# - not rhel8stig_system_is_container
+# - rhel8stig_firewall_service == "firewalld"
+# - rhel8stig_start_firewall_service
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block"
+# block:
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using iptables"
+# shell: iptables-save | grep -i accept | grep -i input
+# register: rhel8stig_PPSM_CLSA_check_iptables
+# changed_when: false
+# failed_when: false
+# check_mode: no
+# when: rhel_08_040030
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
+# debug:
+# msg:
+# - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}."
+# - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}"
+# changed_when: true
+# when:
+# - rhel_08_040030
+# - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined
+# tags:
+# - RHEL-08-040030
+# - firewall
+# when:
+# - rhel_08_040030
+# - not rhel8stig_system_is_chroot
+# - not rhel8stig_system_is_container
+# - rhel8stig_firewall_service == "iptables"
+# - rhel8stig_start_firewall_service
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use"
+# debug:
+# msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
+# changed_when: true
+# when:
+# - rhel_08_040030
+# - not rhel8stig_start_firewall_service
+# tags:
+# - RHEL-08-040030
+# - firewall
+# when:
+# - rhel_08_040030
+# - not rhel8stig_system_is_chroot
+# - not rhel8stig_system_is_container
+# - rhel8stig_disruptive
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required."
+# block:
+# - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error"
+# shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_040070_autofs_status
+
+# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists"
+# service:
+# name: autofs
+# state: stopped
+# enabled: no
+# when: rhel_08_040070_autofs_status.stdout == "loaded"
+# when:
+# - rhel_08_040070
+# tags:
+# - RHEL-08-040070
+# - autofs
+
+# - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage."
+# lineinfile:
+# path: "{{ item.path }}"
+# create: yes
+# owner: root
+# group: root
+# mode: 0640
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# insertafter: "{{ item.insertafter }}"
+# with_items:
+# - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' }
+# - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'}
+# when:
+# - rhel_08_040080
+# tags:
+# - RHEL-08-040080
+# - usb_devices
+
+# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
+# block:
+# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. 
| Install firewalld"
+# dnf:
+# name: firewalld
+# state: present
+# when: rhel8stig_firewall_service == "firewalld"
+
+# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
+# dnf:
+# name: iptables-services
+# state: present
+# when: rhel8stig_firewall_service == "iptables"
+
+# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
+# service:
+# name: "{{ rhel8stig_firewall_service }}"
+# state: started
+# enabled: yes
+# when:
+# - rhel_08_040100
+# tags:
+# - RHEL-08-040100
+# - firewall
+# - "{{ rhel8stig_firewall_service }}"
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
+# block:
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
+# firewalld:
+# zone: "{{ rhel8stig_custom_firewall_zone }}"
+# permanent: true
+# state: present
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh"
+# firewalld:
+# zone: "{{ rhel8stig_custom_firewall_zone }}"
+# permanent: true
+# state: enabled
+# service: "{{ item }}"
+# with_items:
+# - "{{ rhel8stig_white_list_services }}"
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
+# command: firewall-cmd --reload
+# changed_when: rhel_08_040090_zone_reload.rc == 0
+# failed_when: rhel_08_040090_zone_reload.rc >= 2
+# register: rhel_08_040090_zone_reload
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Set new zone as default"
+# command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
+# changed_when: rhel_08_040090_default_zone_set.rc == 0
+# failed_when: rhel_08_040090_default_zone_set.rc >= 2
+# register: rhel_08_040090_default_zone_set
+# when:
+# - rhel_08_040090
+# tags:
+# - RHEL-08-040090
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
+# block:
+# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
+# command: rpm -q NetworkManager
+# args:
+# warn: no
+# check_mode: no
+# changed_when: no
+# register: rhel_08_nmcli_available
+# failed_when: no
+
+# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
+# command: nmcli radio wifi
+# args:
+# warn: no
+# register: rhel_08_wifi_enabled
+# check_mode: no
+# changed_when: rhel_08_wifi_enabled.stdout != "disabled"
+# when: rhel_08_nmcli_available.rc == 0
+
+# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
+# command: nmcli radio wifi off
+# when: rhel_08_wifi_enabled is changed
+# when:
+# - rhel_08_040110
+# tags:
+# - RHEL-08-040110
+# - wifi
+
+# - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled."
+# lineinfile:
+# path: /etc/modprobe.d/bluetooth.conf
+# regexp: '^install bluetooth '
+# line: "install bluetooth /bin/true"
+# create: yes
+# owner: root
+# group: root
+# mode: 0640
+# notify: reboot system
+# when:
+# - rhel_08_040111
+# tags:
+# - RHEL-08-040111
+# - bluetooth
+
+# - name: |
+# "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
+# "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
+# "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option."
+# "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option."
+# "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option."
+# shell: mount | grep /dev/shm
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040120_dev_shm_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
+# "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
+# "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
+# mount:
+# path: /dev/shm
+# state: mounted
+# src: tmpfs
+# fstype: tmpfs
+# opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}"
+# when: rhel8stig_040120_dev_shm_status.stdout | length > 0
+# when:
+# - rhel_08_040120 or
+# rhel_08_040121 or
+# rhel_08_040122
+# tags:
+# - RHEL-08-040120
+# - RHEL-08-040121
+# - RHEL-08-040122
+# - mounts
+
+# - name: |
+# "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
+# "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option."
+# "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option."
+# shell: mount | grep /tmp
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040123_dev_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
+# "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
+# mount:
+# path: /tmp
+# state: mounted
+# src: "{{ tmp_mount.device }}"
+# fstype: xfs
+# opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}"
+# vars:
+# tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}"
+# when: rhel8stig_040123_dev_status.stdout | length > 0
+
+# when:
+# - rhel_08_040123 or
+# rhel_08_040124 or
+# rhel_08_040125
+# tags:
+# - RHEL-08-040123
+# - RHEL-08-040124
+# - RHEL-08-04125
+# - mounts
+
+# - name: |
+# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
+# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
+# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
+# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
+# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
+# shell: mount | grep /var/log
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040126_var_log_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
+# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
+# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
+# mount:
+# path: /var/log
+# state: mounted
+# src: "{{ var_log_mount.device }}"
+# fstype: xfs
+# opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}"
+# vars:
+# var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}"
+# when: rhel8stig_040126_var_log_status.stdout | length > 0
+# when:
+# - rhel_08_040126 or
+# rhel_08_040127 or
+# rhel_08_040128
+# tags:
+# - RHEL-08-040126
+# - RHEL-08-040127
+# - RHEL-08-040128
+# - mounts
+
+# - name: |
+# "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
+# "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
+# "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option."
+# "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option."
+# "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option."
+# shell: mount | grep /var/log/audit
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040129_var_log_audit_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
+# "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
+# "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
+# mount:
+# path: /var/log/audit
+# state: mounted
+# src: "{{ audit_mount.device }}"
+# fstype: xfs
+# opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}"
+# vars:
+# audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}"
+# when: rhel8stig_040129_var_log_audit_status.stdout | length > 0
+# when:
+# - rhel_08_040129 or
+# rhel_08_040130 or
+# rhel_08_040131
+# tags:
+# - RHEL-08-040129
+# - RHEL-08-040130
+# - RHEL-08-040131
+# - mounts
+
+# - name: |
+# "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
+# "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option"
+# "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option."
+# shell: mount | grep /var/tmp
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040132_var_tmp_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
+# "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
+# mount:
+# path: /var/tmp
+# state: mounted
+# src: "{{ var_tmp_mount.device }}"
+# fstype: xfs
+# opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}"
+# vars:
+# var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}"
+# when: rhel8stig_040132_var_tmp_status.stdout | length > 0
+# when:
+# - rhel_08_040132 or
+# rhel_08_040133 or
+# rhel_08_040134
+# tags:
+# - RHEL-08-040132
+# - RHEL-08-040133
+# - RHEL-08-040134
+# - mounts
+
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+# block:
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy"
+# dnf:
+# name: fapolicyd
+# state: present
+
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts"
+# shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
+# changed_when: false
+# failed_when: false
+
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy"
+# service:
+# name: fapolicyd
+# state: started
+# enabled: yes
+
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy whitelist " +# lineinfile: +# path: /etc/fapolicyd/fapolicyd.rules +# line: "{{ item }}" +# with_items: +# - "{{ rhel8stig_fapolicy_white_list }}" + +# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" +# lineinfile: +# path: /etc/fapolicyd/fapolicyd.conf +# regexp: '^permissive =' +# line: 'permissive = 0' +# when: +# - rhel_08_040135 +# tags: +# - RHEL-08-040135 +# - fapolicyd + +# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." +# block: +# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" +# dnf: +# name: usbguard +# state: present + +# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service" +# service: +# name: usbguard +# state: started +# enabled: yes +# when: +# - rhel_08_040140 +# tags: +# - RHEL-08-040140 +# - usbguard + +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." +# block: +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" +# dnf: +# name: nftables +# state: present + +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. 
| Start/Enable nftables" +# service: +# name: nftables +# state: started +# enabled: yes + +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" +# lineinfile: +# path: /etc/firewalld/firewalld.conf +# regexp: '^FirewallBackend=' +# line: 'FirewallBackend=nftables' +# when: +# - rhel_08_040150 +# tags: +# - RHEL-08-040150 +# - firewall +# - nftables + +# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." +# block: +# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" +# dnf: +# name: openssh-server +# state: present + +# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" +# service: +# name: sshd +# state: started +# enabled: yes +# when: +# - rhel_08_040160 +# tags: +# - rhel_08_040160 +# - ssh + +# - name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server." 
+# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^#?RekeyLimit' +# line: 'RekeyLimit 1G 1h' +# notify: restart sshd +# when: +# - rhel_08_040161 +# tags: +# - RHEL-08-040161 +# - sshd + +# - name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." +# lineinfile: +# path: /etc/ssh/ssh_config +# regexp: '(?i)^#?RekeyLimit' +# line: 'RekeyLimit 1G 1h' +# notify: restart sshd +# when: +# - rhel_08_040162 +# tags: +# - RHEL-08-040162 +# - sshd + +# - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." +# systemd: +# name: debug-shell.service +# state: stopped +# enabled: no +# masked: yes +# daemon_reload: yes +# when: +# - rhel_08_040180 +# tags: +# - RHEL-08-040180 +# - debug-shell + +# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." +# block: +# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.default.accept_redirects +# - net.ipv6.conf.default.accept_redirects + +# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
| Set accpet_redirects default value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } +# - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } +# when: +# - rhel_08_040210 +# tags: +# - RHEL-08-040210 +# - icmp + +# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." +# block: +# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects in sysctl" +# sysctl: +# name: net.ipv4.conf.all.send_redirects +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv4.conf.all.send_redirects' +# line: 'net.ipv4.conf.all.send_redirects=0' +# when: +# - rhel_08_040220 +# tags: +# - RHEL-08-040220 +# - icmp + +# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." +# block: +# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast in sysctl" +# sysctl: +# name: net.ipv4.icmp_echo_ignore_broadcasts +# state: present +# value: '1' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
| Set echo_ignore_broadcast default value to 1" +# lineinfile: +# name: /etc/sysctl.conf +# regexp: '^net.ipv4.icmp_echo_ignore_broadcasts' +# line: 'net.ipv4.icmp_echo_ignore_broadcasts=1' +# when: +# - rhel_08_040230 +# tags: +# - RHEL-08-040230 +# - icmp + +# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets." +# block: +# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.all.accept_source_route +# - net.ipv6.conf.all.accept_source_route + +# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } +# - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } +# when: +# - rhel_08_040240 +# tags: +# - RHEL-08-040240 +# - icmp + +# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default." +# block: +# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.default.accept_source_route +# - net.ipv6.conf.default.accept_source_route + +# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. 
| Set conf.default accept_source_route value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } +# - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } +# when: +# - rhel_08_040250 +# tags: +# - RHEL-08-040250 +# - icmp + +# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router." +# block: +# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.ip_forward +# - net.ipv6.conf.all.forwarding + +# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' } +# - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' } + +# when: +# - rhel_08_040260 +# - not rhel8stig_system_is_router +# tags: +# - RHEL-08-040260 +# - icmp + +# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces." +# block: +# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra in sysctl" +# sysctl: +# name: net.ipv6.conf.all.accept_ra +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. 
| Set accept_ra value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv6.conf.all.accept_ra' +# line: 'net.ipv6.conf.all.accept_ra=0' +# when: +# - rhel_08_040261 +# - not rhel8stig_system_is_router +# tags: +# - RHEL-08-040261 +# - icmp + +# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default." +# block: +# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra in sysctl" +# sysctl: +# name: net.ipv6.conf.default.accept_ra +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv6.conf.default.accept_ra' +# line: 'net.ipv6.conf.default.accept_ra=0' +# when: +# - rhel_08_040262 +# - not rhel8stig_system_is_router +# tags: +# - RHEL-08-040262 +# - icmp + +# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." +# block: +# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl" +# sysctl: +# name: net.ipv4.conf.default.send_redirects +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. 
| Set default.send_redirects value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv4.conf.default.send_redirects' +# line: 'net.ipv4.conf.default.send_redirects=0' +# when: +# - rhel_08_040270 +# tags: +# - RHEL-08-040270 +# - icmp + +# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." +# block: +# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.all.accept_redirects +# - net.ipv6.conf.all.accept_redirects + +# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } +# - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } +# when: +# - rhel_08_040280 +# tags: +# - RHEL-08-040280 +# - icmp + +# - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.unprivileged_bpf_disabled' +# line: 'kernel.unprivileged_bpf_disabled = 1' +# owner: root +# group: root +# mode: 0640 +# notify: sysctl system +# when: +# - rhel_08_040281 +# tags: +# - RHEL-08-040281 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." 
+# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.yama.ptrace_scope' +# line: 'kernel.yama.ptrace_scope = 1' +# notify: sysctl system +# when: +# - rhel_08_040282 +# tags: +# - RHEL-08-040282 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.kptr_restrict' +# line: 'kernel.kptr_restrict = 1' +# owner: root +# group: root +# mode: 0640 +# notify: sysctl system +# when: +# - rhel_08_040283 +# tags: +# - RHEL-08-040283 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^user.max_user_namespaces' +# line: 'user.max_user_namespaces = 0' +# notify: sysctl system +# when: +# - rhel_08_040284 +# tags: +# - RHEL-08-040284 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^net.ipv4.conf.all.rp_filter' +# line: 'net.ipv4.conf.all.rp_filter = 1' +# notify: sysctl system +# when: +# - rhel_08_040285 +# tags: +# - RHEL-08-040285 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." +# block: +# - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." +# command: rpm -q postfix +# failed_when: no +# check_mode: no +# changed_when: no +# register: rhel_08_040290_rpm_audit + +# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. 
| Set restriction" +# command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" +# check_mode: no +# when: '"postfix-" in rhel_08_040290_rpm_audit.stdout' +# when: +# - rhel_08_040290 +# tags: +# - RHEL-08-040290 + +# - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." +# package: +# name: xorg-x11-server-common +# state: absent +# when: +# - rhel_08_040320 +# - not rhel8stig_gui + +# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." +# block: +# - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" +# shell: "ip link | grep -i promisc | cut -d ':' -f 2" +# check_mode: no +# failed_when: no +# changed_when: rhel_08_040670_promisc_check.stdout != '' +# ignore_errors: yes +# register: rhel_08_040670_promisc_check + +# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" +# shell: "ip link set dev {{ item }} promisc off" +# with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" +# when: +# - rhel_08_040330 +# - not rhel8stig_net_promisc_mode_required +# tags: +# - RHEL-08-040330 + +# - name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^#?X11Forwarding' +# line: 'X11Forwarding no' +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: restart sshd +# when: +# - rhel_08_040340 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-040340 +# - ssh + +# - name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display." 
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?X11UseLocalhost'
+# line: 'X11UseLocalhost yes'
+# when:
+# - rhel_08_040341
+# tags:
+# - RHEL-08-040341
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode."
+# lineinfile:
+# path: /etc/xinetd.d/tftp
+# regexp: "(?i)^.*server_args.*="
+# line: "\tserver_args\t\t= -s /var/lib/tftpboot"
+# insertafter: "\tserver\t\t\t="
+# state: present
+# register: result
+# failed_when:
+# - result is failed
+# - result.rc != 257
+# when:
+# - rhel_08_040350
+# - rhel8stig_tftp_required
+# tags:
+# - skip_ansible_lint
+# - RHEL-08-040350
+# - tftp
+
+# - name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8."
+# dnf:
+# name: iprutils
+# state: absent
+# when:
+# - rhel_08_040380
+# tags:
+# - RHEL-08-040380
+# - iprutils
+
+# - name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8."
+# dnf:
+# name: tuned
+# state: absent
+# when:
+# - rhel_08_040390
+# tags:
+# - RHEL-08-040390
+# - tuned
From c210739096604c9db1a5894be1cbbb35939530bc Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 9 Aug 2021 13:22:43 -0400 Subject: [PATCH 015/110] Fixed Cat2 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 11112 +++++++++++++++++++++---------------------- tasks/fix-cat3.yml | 986 ++-- 2 files changed, 5871 insertions(+), 6227 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index fff57ae9..59595d09 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1,5805 +1,5449 @@
 ---
+- name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date."
+ dnf:
+ name: "*"
+ state: latest
+ when:
+ - not system_is_ec2
+ - rhel_08_010010
+ tags:
+ - RHEL-08-010010
+
+- name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."
+ block:
+ - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout"
+ command: lsblk
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010030_partition_layout
+
+ - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning"
+ debug:
+ msg:
+ - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm'
+ - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding"
+ - "{{ rhel_08_010030_partition_layout.stdout_lines }}"
+
+ when: rhel_08_010030
+ tags:
+ - RHEL-08-010030
+
+- name: |
+ "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon."
+ "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" + block: + - name: | + "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" + "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?Banner' + line: 'Banner /etc/issue' + + - name: | + "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" + "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" + copy: + dest: "{{ item }}" + content: "{{ rhel8stig_logon_banner }}" + owner: root + group: root + mode: '0644' + notify: restart sshd + with_items: + - /etc/issue + - /etc/issue.net + when: + # - not system_is_ec2 + - rhel_08_010040 or + rhel_08_010060 + tags: + - RHEL-08-010040 + - RHEL-08-010060 + +- name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." 
+ copy:
+ dest: /etc/dconf/db/local.d/01-banner-message
+ content: |
+ [org/gnome/login-screen]
+ banner-message-enable=true
+ banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}'
+ mode: '0644'
+ owner: root
+ group: root
+ vars:
+ newline: "\n"
+ notify: dconf update
+ when:
+ - rhel_08_010050
+ - "'dconf' in ansible_facts.packages"
+ - rhel8stig_always_configure_dconf
+
+ tags:
+ - RHEL-08-010050
+
+- name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored."
+ lineinfile:
+ path: /etc/rsyslog.d/50-default.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ create: yes
+ mode: '0644'
+ notify: restart rsyslog
+ with_items:
+ - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' }
+ - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' }
+ when:
+ - rhel_08_010070
+ tags:
+ - RHEL-08-010070
+
+# This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm.
+- name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."
+ block:
+ - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs"
+ command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010090_certs_list
+
+ - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
| Message out certs"
+ debug:
+ msg:
+ - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD"
+ - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem"
+ - "{{ rhel_08_010090_certs_list.stdout_lines }}"
+ when:
+ - rhel_08_010090
+ tags:
+ - RHEL-08-010090
+
+- name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key."
+ block:
+ - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder"
+ file:
+ path: "{{ rhel8stig_path_to_sshkey }}"
+ state: directory
+ mode: '0700'
+
+ - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair"
+ openssh_keypair:
+ path: "{{ rhel8stig_path_to_sshkey }}/id_rsa"
+ when:
+ - rhel_08_010100
+ tags:
+ - RHEL-08-010100
+
+- name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm."
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^ENCRYPT_METHOD.*'
+ line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}"
+ when:
+ - rhel_08_010110
+ tags:
+ - RHEL-08-010110
+ - login
+
+- name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords."
+ block:
+ - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing"
+ command: 'cat /etc/shadow | grep -v "*" | grep -v "!"
| grep -v ":$6$" | cut -f1 -d:'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010120_non_fips_hashed_accounts
+
+ - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing"
+ command: "passwd -l {{ item }}"
+ args:
+ warn: no
+ with_items:
+ - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
+ when:
+ - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0
+
+ - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts"
+ debug:
+ msg:
+ - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG"
+ - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
+ when:
+ - not rhel8stig_disruption_high
+ - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0
+ when:
+ - rhel_08_010120
+ - rhel8stig_disruption_high
+ tags:
+ - RHEL-08-010120
+ - disruption_high
+
+- name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument"
+ pamd:
+ name: "{{ item }}"
+ type: password
+ control: sufficient
+ module_path: pam_unix.so
+ module_arguments: "rounds={{ rhel8stig_hashing_rounds }}"
+ state: args_present
+ with_items:
+ - password-auth
+ - system-auth
+ when:
+ - rhel_08_010130
+ tags:
+ - RHEL-08-010130
+
+- name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes."
+ lineinfile:
+ path: /usr/lib/systemd/system/rescue.service
+ regexp: '^ExecStart='
+ line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+
+ when:
+ - rhel_08_010151
+ tags:
+ - RHEL-08-010151
+ - systemd
+
+- name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument"
+ pamd:
+ name: "{{ item }}"
+ type: password
+ control: sufficient
+ module_path: pam_unix.so
+ module_arguments: sha512
+ state: args_present
+ with_items:
+ - password-auth
+ - system-auth
+ when:
+ - rhel_08_010160
+ tags:
+ - RHEL-08-010160
+
+- name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication."
+ block:
+ - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files"
+ find:
+ path: /
+ patterns: '*.keytab'
+ recurse: yes
+ register: rhel8stig_010161_keytab_files
+
+ - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files"
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ with_items:
+ - "{{ rhel8stig_010161_keytab_files.files }}"
+ when: rhel8stig_010161_keytab_files.matched > 0
+ when:
+ - rhel_08_010161
+ tags:
+ - RHEL-08-010161
+ - kerberos
+
+- name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8."
+ dnf:
+ name: krb5-workstation
+ state: absent
+ when:
+ - rhel_08_010162
+ tags:
+ - RHEL-08-010162
+ - kerberos
+
+- name: |
+ "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services."
+ "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
+ selinux:
+ state: enforcing
+ policy: targeted
+ check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}"
+ notify: reboot system
+ when:
+ - rhel_08_010170 or rhel_08_010450
+ - not rhel8stig_system_is_container
+ - rhel8stig_disruption_high
+ tags:
+ - RHEL-08-010170
+ - RHEL-08-010450
+ - selinux
+ - disruption_high
+
+- name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources."
+ block:
+ - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root"
+ shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010180_public_not_root_owned
+
+ - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders"
+ file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ with_items:
+ - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}"
+ when:
+ - rhel_08_010180
+ tags:
+ - RHEL-08-010180
+
+- name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources."
+ block:
+ - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories"
+ shell: "find / -type d \\( -perm -0002 -a !
-perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" + changed_when: false + failed_when: false + register: rhel_08_010190_world_writable_files + + - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" + file: + path: "{{ item }}" + mode: '1777' + with_items: + - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" + when: + - rhel_08_010190 + tags: + - RHEL-08-010190 + +- name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." + lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart sshd + with_items: + - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} + - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } + when: + - rhel_08_010200 + - rhel8stig_ssh_required + tags: + - RHEL-08-010200 + - ssh + +- name: | + "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." + "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." + "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." + file: + path: /var/log/messages + owner: root + group: root + mode: '0640' + when: + - rhel_08_010210 or + rhel_08_010220 or + rhel_08_010230 + tags: + - RHEL-08-010210 + - RHEL-08-010220 + - RHEL-08-010230 + +- name: | + "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." 
+ "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." + file: + path: /var/log + owner: root + group: root + mode: '0755' + when: + - rhel_08_010240 or + rhel_08_010250 or + rhel_08_010260 + tags: + - RHEL-08-010240 + - RHEL-08-010250 + - RHEL-08-010260 + +- name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." + "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" + block: + - name: | + "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" + "MEDIUM | RHEL-08-010291 | AUDIT | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Get current FIPS mode state" + command: fips-mode-setup --check + changed_when: false + failed_when: false + register: rhel_08_010290_pre_fips_check + + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" + "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Enable FIPS" + command: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: reboot system + when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' + + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. 
| Add ssh ciphers" + "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Add ssh ciphers" + lineinfile: + path: "{{ item.path }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: reboot system + with_items: + - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } + - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } + when: + - rhel_08_010290 or + rhel_08_010291 + tags: + - RHEL-08-010290 + - RHEL-08-010291 + - fips + +- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." + block: + - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" + command: fips-mode-setup --check + changed_when: false + failed_when: false + register: rhel_08_010293_pre_fips_check + + - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" + command: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: reboot system + when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' + when: + - rhel_08_010293 + tags: + - RHEL-08-010293 + - fips + +- name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." 
+ lineinfile: + path: /etc/crypto-policies/back-ends/opensslcnf.config + regexp: '^MinProtocol =' + line: "MinProtocol = TLSv1.2" + notify: reboot system + when: + - rhel_08_010294 + tags: + - RHEL-08-010294 + - openssl + +- name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" + lineinfile: + path: /etc/crypto-policies/back-ends/gnutls.config + regexp: '^(.*\+VERS-ALL:)' + line: '\1{{ rhel8stig_gnutls_encryption }}' + backrefs: true + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + when: + - rhel_08_010295 + tags: + - RHEL-08-010295 + - gnutls + +- name: | + "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." + "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." + block: + - name: | + "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" + "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" + "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" + shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" + args: + warn: no + changed_when: false + failed_when: false + register: rhel_08_010300_commands + + - name: | + "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" + "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" + "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. 
| Set permissions" + file: + path: "{{ item }}" + owner: root + group: root + mode: '0755' + force: yes + with_items: + - "{{ rhel_08_010300_commands.stdout_lines }}" + when: + - rhel_08_010300 or + rhel_08_010310 or + rhel_08_010320 + tags: + - RHEL-08-010300 + - RHEL-08-010310 + - RHEL-08-010320 + +- name: | + "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." + "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root." + block: + - name: | + "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" + "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" + "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" + shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" + args: + warn: no + changed_when: false + failed_when: false + register: rhel_08_010330_library_files + + - name: | + "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" + "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" + "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. 
| Get library files not group-owned by root" + file: + path: "{{ item }}" + owner: root + group: root + mode: '0755' + with_items: + - "{{ rhel_08_010330_library_files.stdout_lines }}" + when: + - rhel_08_010330 or + rhel_08_010340 or + rhel_08_010350 + tags: + - RHEL-08-010330 + - RHEL-08-010340 + - RHEL-08-010350 + +- name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." + cron: + name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' + user: "{{ rhel8stig_aide_cron.user }}" + cron_file: "{{ rhel8stig_aide_cron.cron_file }}" + job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" + minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | + ternary('0', omit)) | default(omit) }}" + hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | + ternary('0', omit)) | default(omit) }}" + weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['weekly']) | + ternary('0', omit)) | default(omit) }}" + day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['monthly']) | + ternary('1', omit)) | default(omit) }}" + special_time: "{{ (rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | + ternary(omit, rhel8stig_aide_cron.special_time) }}" + when: + - rhel_08_010360 + - rhel8stig_disruption_high + tags: + - RHEL-08-010360 + - aide + +- name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 
must prevent the loading of a new kernel for later execution." + block: + - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.kexec_load_disabled =' + line: "kernel.kexec_load_disabled = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk + + - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.kexec_load_disabled =' + line: "kernel.kexec_load_disabled = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010372 + tags: + - RHEL-08-010372 + - sysctl + +- name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." + block: + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^fs.protected_symlinks =' + line: "fs.protected_symlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk + + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. 
| Set protected symlinks if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^fs.protected_symlinks =' + line: "fs.protected_symlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010373 + tags: + - RHEL-08-010373 + - sysctl + +- name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." + block: + - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^fs.protected_hardlinks =' + line: "fs.protected_hardlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk + + - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^fs.protected_hardlinks =' + line: "fs.protected_hardlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010374 + tags: + - RHEL-08-010374 + - sysctl + +- name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." + replace: + path: "{{ item }}" + regexp: '^([^#].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + with_items: + - "{{ rhel8stig_sudoers_files.stdout_lines }}" + when: + - rhel_08_010380 + - rhel8stig_using_password_auth + tags: + - RHEL-08-010380 + - sudoers + +- name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." 
+ replace: + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + with_items: + - "{{ rhel8stig_sudoers_files.stdout_lines }}" + when: + - rhel_08_010381 + - rhel8stig_using_password_auth + tags: + - RHEL-08-010381 + - sudoers + +- name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." + block: + - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" + dnf: + name: esc + state: present + when: rhel8stig_gui + + - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" + dnf: + name: openssl-pkcs11 + state: present + when: + - rhel_08_010390 + tags: + - RHEL-08-010390 + - multifactor + +- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." + lineinfile: + path: '{{ rhel8stig_sssd_conf }}' + regexp: '^certificate_verification = {{ item }}' + state: absent + with_items: + - 'no_ocsp, no_verification' + - no_ocsp + - no_verification + notify: restart sssd + when: + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists + - rhel_08_010400 + tags: + - RHEL-08-010400 + +- name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." + dnf: + name: opensc + state: present + when: + - rhel_08_010410 + tags: + - RHEL-08-010410 + - opensc + - piv + +- name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." + block: + - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. 
| Get NX bit state" + shell: dmesg |grep "NX (" + changed_when: false + failed_when: false + register: rhel_08_010420_nx_bit_state + + - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" + debug: + msg: + - "Good News! You are setup with execute disable active." + when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' + + - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" + debug: + msg: + - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" + when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' + when: + - rhel_08_010420 + tags: + - RHEL-08-010420 + +- name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." + block: + - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_010421_grub_cmdline_linux + + - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active" + shell: grubby --update-kernel=ALL --args="page_poison=1" + + - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
| Set page poison 1 for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"' + when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout' + + - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'page_poison=([^\s|"])+' + replace: "page_poison=1" + when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout' + when: + - rhel_08_010421 + tags: + - RHEL-08-010421 + - grub + +- name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls." + block: + - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_010422_grub_cmdline_linux + + - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" + shell: grubby --update-kernel=ALL --args="vsyscall=none" + + - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"' + when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout' + + - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. 
| Set vsyscall none for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'vsyscall=([^\s|"])+' + replace: "vsyscall=none" + when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout' + when: + - rhel_08_010422 + tags: + - RHEL-08-010422 + - grub + +- name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks." + block: + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_010423_grub_cmdline_linux + + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" + shell: grubby --update-kernel=ALL --args="slub_debug=P" + + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"' + when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout' + + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'slub_debug=([^\s|"])+' + replace: "slub_debug=P" + when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout' + when: + - rhel_08_010423 + tags: + - RHEL-08-010423 + - grub + +- name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." 
+ sysctl: + name: kernel.randomize_va_space + value: '2' + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: yes + ignoreerrors: yes + notify: sysctl system + when: + - rhel_08_010430 + tags: + - RHEL-08-010430 + - sysctl + +- name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." + block: + - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files" + find: + paths: /etc/ssh + recurse: yes + file_type: file + patterns: 'ssh_host*_key.pub' + hidden: true + changed_when: false + failed_when: false + register: rhel_08_010480_public_files + + - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" + file: + path: "{{ item.path }}" + mode: '0644' + with_items: + - "{{ rhel_08_010480_public_files.files }}" + notify: restart sshd + when: + - rhel_08_010480 + - rhel8stig_ssh_required + tags: + - RHEL-08-010480 + - ssh + +- name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." + block: + - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files" + find: + paths: /etc/ssh + recurse: yes + file_type: file + patterns: 'ssh_host*key' + hidden: true + changed_when: false + failed_when: false + register: rhel_08_010490_private_host_key_files + + - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. 
| Set permissions" + file: + path: "{{ item.path }}" + mode: '0640' + with_items: + - "{{ rhel_08_010490_private_host_key_files.files }}" + notify: restart sshd + when: + - rhel_08_010490 + - rhel8stig_ssh_required + tags: + - RHEL-08-010490 + - ssh + +- name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?StrictModes' + line: 'StrictModes yes' + notify: restart sshd + when: + - rhel_08_010500 + - rhel8stig_ssh_required + tags: + - RHEL-08-010500 + - ssh + +- name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?Compression' + line: 'Compression {{ rhel8stig_sshd_compression }}' + notify: restart sshd + when: + - rhel_08_010510 + - rhel8stig_ssh_required + tags: + - RHEL-08-010510 + - ssh + +- name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?IgnoreUserKnownHosts' + line: 'IgnoreUserKnownHosts yes' + notify: restart sshd + when: + - rhel_08_010520 + - rhel8stig_ssh_required + tags: + - RHEL-08-010520 + - ssh + +- name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication." + lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" } + - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" } + notify: restart sshd + when: + - rhel_08_010521 + tags: + - RHEL-08-010521 + - ssh + +- name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." + debug: + msg: "WARNING!!!! 
/tmp is not mounted on a separate partition" + changed_when: + - rhel8stig_audit_complex + when: + - rhel_08_010543 + - not rhel8stig_system_is_container + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 + tags: + - RHEL-08-010543 + - complexity-high + - mount + - tmp + +- name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?PermitRootLogin' + line: 'PermitRootLogin no' + notify: restart sshd + when: + - rhel_08_010550 + - rhel8stig_ssh_required + tags: + - RHEL-08-010550 + - ssh + +- name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8." + service: + name: auditd + state: started + enabled: yes + when: + - rhel_08_010560 + - not rhel8stig_system_is_container + tags: + - RHEL-08-010560 + - auditd + +- name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." + service: + name: rsyslog.service + state: started + enabled: true + when: + - rhel_08_010561 + tags: + - RHEL-08-010561 + - rsyslog + +- name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." + mount: + path: /home + state: mounted + src: "{{ home_mount.device }}" + fstype: "{{ home_mount.fstype }}" + opts: "{{ home_mount.options }},nosuid" + when: + - rhel_08_010570 + - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 + - "'nosuid' not in home_mount.options" + vars: + home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" + tags: + - RHEL-08-010570 + - mounts + - home + +- name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory." 
+ mount: + path: /boot + state: mounted + src: "{{ boot_mount.device }}" + fstype: "{{ boot_mount.fstype }}" + opts: "{{ boot_mount.options }},nosuid" + when: + - rhel_08_010571 + - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0 + - "'nosuid' not in boot_mount.options" + vars: + boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}" + tags: + - RHEL-08-010571 + - mounts + - boot + +- name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." + block: + - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" + shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' + args: + warn: no + changed_when: no + check_mode: no + register: rhel8stig_010580_mounts_nodev + + - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results" + set_fact: + rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}" + + with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}" + vars: + ld_mount_regex: >- + ^(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*) + ld_mount_yaml: | + device: >-4 + \g + mpoint: >-4 + \g + fs: >-4 + \g + opts: >-4 + \g + when: rhel8stig_010580_mounts_nodev.stdout | length > 0 + + - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. 
| Set value" + mount: + path: "{{ item.mpoint }}" + state: mounted + src: "{{ item.device }}" + fstype: "{{ item.fs }}" + opts: "{{ item.opts }},nodev" + with_items: + - "{{ rhel8stig_010580_mounts | default([]) }}" + when: + - item.device != "/" + - "'odev' not in item.opts" + - rhel8stig_010580_mounts_nodev.stdout | length > 0 + when: + - rhel_08_010580 + tags: + - RHEL-08-010580 + - mounts + - non-root + +- name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories." + mount: + path: /home + state: mounted + src: "{{ home_mount.device }}" + fstype: "{{ home_mount.fstype }}" + opts: "{{ home_mount.options }},noexec" + when: + - rhel_08_010590 + - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 + - "'noexec' not in home_mount.options" + vars: + home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" + tags: + - RHEL-08-010590 + - mounts + - home + +- name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media." + block: + - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media" + mount: + path: /media + state: mounted + src: "{{ removable_mount.device }}" + fstype: "{{ removable_mount.fstype }}" + opts: "{{ removable_mount.options }},nodev" + when: + - rhel_08_010600 + - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 + - "'nodev' not in home_mount.options" + - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + vars: + removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + + - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. 
| Set nodev to /mnt" + mount: + path: /mnt + state: mounted + src: "{{ removable_mount2.device }}" + fstype: "{{ removable_mount2.fstype }}" + opts: "{{ removable_mount2.options }},nodev" + when: + - rhel_08_010600 + - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 + - "'nodev' not in home_mount.options" + - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + vars: + removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" + when: + - rhel_08_010600 + - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + tags: + - RHEL-08-010600 + - mounts + - media + +- name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media." + block: + - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /media" + mount: + path: /media + state: mounted + src: "{{ removable_mount.device }}" + fstype: "{{ removable_mount.fstype }}" + opts: "{{ removable_mount.options }},noexec" + when: + - rhel_08_010600 + - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 + - "'noexec' not in home_mount.options" + - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + vars: + removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + + - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. 
| Set noexec to /mnt"
+ mount:
+ path: /mnt
+ state: mounted
+ src: "{{ removable_mount2.device }}"
+ fstype: "{{ removable_mount2.fstype }}"
+ opts: "{{ removable_mount2.options }},noexec"
+ when:
+ - rhel_08_010610
+ - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+ - "'noexec' not in home_mount.options"
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ vars:
+ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+ when:
+ - rhel_08_010610
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ tags:
+ - RHEL-08-010610
+ - mounts
+ - media
+
+- name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
+ block:
+ - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media"
+ mount:
+ path: /media
+ state: mounted
+ src: "{{ removable_mount.device }}"
+ fstype: "{{ removable_mount.fstype }}"
+ opts: "{{ removable_mount.options }},nosuid"
+ when:
+ - rhel_08_010620
+ - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+ - "'nosuid' not in home_mount.options"
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ vars:
+ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+ - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set nosuid to /mnt"
+ mount:
+ path: /mnt
+ state: mounted
+ src: "{{ removable_mount2.device }}"
+ fstype: "{{ removable_mount2.fstype }}"
+ opts: "{{ removable_mount2.options }},nosuid"
+ when:
+ - rhel_08_010620
+ - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+ - "'nosuid' not in home_mount.options"
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ vars:
+ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+ when:
+ - rhel_08_010620
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ tags:
+ - RHEL-08-010620
+ - mounts
+ - media
+
+- name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)."
+ mount:
+ path: "{{ item }}"
+ src: "{{ ansible_mounts | json_query(device_query) }}"
+ fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+ opts: "{{ ansible_mounts | json_query(options_query) }},noexec"
+ state: mounted
+ vars:
+ device_query: '[?mount == `{{ item }}`] | [0].device'
+ fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+ options_query: '[?mount == `{{ item }}`] | [0].options'
+ with_items: "{{ rhel8stig_nfs_mounts }}"
+ when:
+ - rhel_08_010630
+ - "'noexec' not in (ansible_mounts | json_query(options_query))"
+ tags:
+ - RHEL-08-010630
+ - mounts
+ - nfs
+
+- name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)." 
+ mount:
+ path: "{{ item }}"
+ src: "{{ ansible_mounts | json_query(device_query) }}"
+ fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+ opts: "{{ ansible_mounts | json_query(options_query) }},nodev"
+ state: mounted
+ vars:
+ device_query: '[?mount == `{{ item }}`] | [0].device'
+ fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+ options_query: '[?mount == `{{ item }}`] | [0].options'
+ with_items: "{{ rhel8stig_nfs_mounts }}"
+ when:
+ - rhel_08_010640
+ - "'nodev' not in (ansible_mounts | json_query(options_query))"
+ tags:
+ - RHEL-08-010640
+
+- name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)"
+ mount:
+ path: "{{ item }}"
+ src: "{{ ansible_mounts | json_query(device_query) }}"
+ fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+ opts: "{{ ansible_mounts | json_query(options_query) }},nosuid"
+ state: mounted
+ vars:
+ device_query: '[?mount == `{{ item }}`] | [0].device'
+ fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+ options_query: '[?mount == `{{ item }}`] | [0].options'
+ with_items: "{{ rhel8stig_nfs_mounts }}"
+ when:
+ - rhel_08_010650
+ - "'nosuid' not in (ansible_mounts | json_query(options_query))"
+ tags:
+ - RHEL-08-010650
+
+- name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs."
+ block:
+ - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions"
+ shell: find {{ item.mount }} -xdev -type f -perm -002
+ args:
+ warn: no
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010660_world_writable_files
+ with_items:
+ - "{{ ansible_mounts }}"
+
+ - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. 
| Set fact for flattening"
+ set_fact:
+ rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}"
+
+ - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories"
+ include_tasks: audit_homedirinifiles.yml
+ loop:
+ - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+ loop_control:
+ loop_var: ini_item
+ when:
+ - rhel_08_010660_change_perms != []
+
+ - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
+ file:
+ path: "{{ item }}"
+ mode: '0755'
+ state: file
+ with_items:
+ - "{{ rhel_08_010660_change_perms }}"
+ when:
+ - rhel_08_010660_change_perms != []
+ when:
+ - rhel_08_010660
+ - rhel8stig_disruption_high
+ # - rhel_08_stig_interactive_homedir_inifiles is defined
+ tags:
+ - RHEL-08-010660
+
+- name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed."
+ service:
+ name: kdump
+ enabled: no
+ state: stopped
+ when:
+ - rhel_08_010670
+ - not rhel8stig_kdump_needed
+ tags:
+ - RHEL-08-010670
+ - kdump
+
+- name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
+ block:
+ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if using numbered link files"
+ lineinfile:
+ path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+ regexp: '^kernel.core_pattern ='
+ line: "kernel.core_pattern = |/bin/false"
+ notify: sysctl system
+ when:
+ - rhel8stig_sysctlconf_filename.matched > 0
+ - rhel8stig_sysctlconf_filename.files[0].islnk
+
+ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. 
| Set kernel core pattern if no numbered link files"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^kernel.core_pattern ='
+ line: "kernel.core_pattern = |/bin/false"
+ notify: sysctl system
+ when:
+ - rhel8stig_sysctlconf_filename.matched == 0 or
+ not rhel8stig_sysctlconf_filename.files[0].islnk
+ when:
+ - rhel_08_010671
+ tags:
+ - RHEL-08-010671
+ - sysctl
+
+- name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps."
+ systemd:
+ name: systemd-coredump.socket
+ masked: yes
+ daemon_reload: yes
+ notify: systemctl daemon-reload
+ when:
+ - rhel_08_010672
+ tags:
+ - RHEL-08-010672
+ - systemd
+
+- name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users."
+ lineinfile:
+ path: /etc/security/limits.conf
+ regexp: '^\*.*hard.*core'
+ line: "* hard core 0"
+ insertbefore: '# End of file'
+ when:
+ - rhel_08_010673
+ tags:
+ - RHEL-08-010673
+ - security
+ - limits
+
+- name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps."
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ regexp: '^(S|s)torage=|#(S|s)torage='
+ line: "Storage=none"
+ when:
+ - rhel_08_010674
+ tags:
+ - RHEL-08-010674
+ - systemd
+
+- name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces."
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax='
+ line: "ProcessSizeMax=0"
+ when:
+ - rhel_08_010675
+ tags:
+ - RHEL-08-010675
+ - systemd
+
+# NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service.
+- name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured." 
+ block:
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf"
+ shell: grep "dns" /etc/nsswitch.conf | grep -v "#"
+ changed_when: no
+ failed_when: false
+ check_mode: no
+ register: rhel_08_010680_nsswitch_check
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf"
+ command: grep -c "# Generated by NetworkManager" /etc/resolv.conf
+ changed_when: no
+ failed_when: false
+ check_mode: no
+ register: rhel_08_010680_networkmanager_check
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf"
+ shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l
+ changed_when: no
+ failed_when: false
+ check_mode: no
+ register: rhel_08_010680_nameserver_count
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf"
+ shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf
+ when:
+ - "'dns' not in rhel_08_010680_nsswitch_check.stdout"
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Set resolv.conf if dns is set in nsswitch.conf"
+ lineinfile:
+ dest: /etc/resolv.conf
+ regexp: "{{ item.regexp }}"
+ line: "nameserver {{ item.line }}"
+ insertafter: "{{ item.after }}"
+ with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers
+ - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search }
+ - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
+ # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
+ when:
+ - not rhel8_stig_use_resolv_template
+ - rhel_08_010680_networkmanager_check.stdout == '0'
+ - rhel_08_010680_nameserver_count.stdout | int >= 2
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf using a template when not NetworkManager controlled"
+ template:
+ src: resolv.conf.j2
+ dest: /etc/resolv.conf
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_010680_networkmanager_check.stdout == '0'
+ - rhel8_stig_use_resolv_template
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp."
+ debug:
+ msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations." 
+ changed_when: true
+ when:
+ - rhel_08_010680_networkmanager_check.stdout != '0' or rhel_08_010680_nameserver_count.stdout| int < 2
+ - not rhel8_stig_use_resolv_template
+ when:
+ - rhel_08_010680
+ - not rhel8stig_system_is_chroot
+ - not rhel8stig_system_is_container
+ - not system_is_ec2
+ tags:
+ - RHEL-08-010680
+
+- name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+ block:
+ - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files"
+ shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
+ with_items: "{{ rhel_08_stig_interactive_homedir_results }}"
+ register: rhel_08_010690_ini_path_grep_list
+ changed_when: no
+ failed_when: false
+
+ - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+ debug:
+ msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory.
+ with_items:
+ - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+
+ - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." 
+ lineinfile:
+ path: "{{ item }}"
+ regexp: "^PATH="
+ line: "{{ rhel_08_010690_user_path }}"
+ with_items:
+ - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+ when:
+ - rhel_08_010690
+ - rhel8stig_disruption_high
+ - rhel8stig_change_user_path
+ tags:
+ - RHEL-08-010690
+ - complexity-high
+
+- name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
+ block:
+ - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories"
+ command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010700_world_writable_directories
+
+ - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions"
+ file:
+ path: "{{ item }}"
+ owner: root
+ with_items:
+ - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}"
+ when: rhel_08_010700_world_writable_directories.stdout | length > 0
+ when:
+ - rhel_08_010700
+ tags:
+ - RHEL-08-010700
+
+- name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."
+ block:
+ - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories"
+ command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010710_world_writable_directories
+
+ - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. 
| Set permissions"
+ file:
+ path: "{{ item }}"
+ group: root
+ with_items:
+ - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}"
+ when: rhel_08_010710_world_writable_directories.stdout | length > 0
+ when:
+ - rhel_08_010710
+ tags:
+ - RHEL-08-010710
+
+- name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."
+ block:
+ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory"
+ shell: pwck -r | grep user | cut -f2 -d"'"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010720_users_no_home_dir
+
+ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory"
+ shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010720_user_list
+
+ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list"
+ debug:
+ msg:
+ - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards"
+ - "{{ rhel_08_010720_user_list.stdout_lines }}"
+ when: rhel_08_010720_user_list.stdout | length > 0
+ when:
+ - rhel_08_010720
+ tags:
+ - RHEL-08-010720
+
+- name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+ block:
+ - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." 
+ shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd)
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010730_home_directories
+
+ - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+ file:
+ path: "{{ item }}"
+ mode: 0750
+ with_items:
+ - "{{ rhel_08_010730_home_directories.stdout_lines }}"
+ when: rhel_08_010730_home_directories.stdout | length > 0
+ when:
+ - rhel_08_010730
+ tags:
+ - RHEL-08-010730
+
+- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."
+ file:
+ path: "{{ item.dir }}"
+ group: "{{ item.gid }}"
+ state: directory
+ with_items: "{{ rhel8stig_passwd }}"
+ loop_control:
+ label: "{{ rhel8stig_passwd_label }}"
+ when:
+ - rhel_08_010740
+ - item.uid >= rhel8stig_interactive_uid_start
+ tags:
+ - skip_ansible_lint
+ - RHEL-08-010740
+
+- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."
+ file:
+ path: "{{ item.dir }}"
+ state: directory
+ with_items: "{{ rhel8stig_passwd }}"
+ loop_control:
+ label: "{{ rhel8stig_passwd_label }}"
+ when:
+ - rhel_08_010750
+ - item.uid >= rhel8stig_interactive_uid_start
+ tags:
+ - skip_ansible_lint
+ - RHEL-08-010750
+
+- name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '.*?CREATE_HOME.*'
+ line: CREATE_HOME yes
+ when:
+ - rhel_08_010760
+ tags:
+ - RHEL-08-010760
+ - login
+ - home
+
+- name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." 
+ file:
+ path: "{{ item }}"
+ mode: 0740
+ with_items:
+ - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+ when:
+ - rhel_08_010770
+ - rhel8stig_disruption_high
+ - rhel_08_stig_interactive_homedir_inifiles is defined
+ tags:
+ - RHEL-08-010770
+ - complexity-high
+
+- name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
+ block:
+ - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
+ shell: find / -nouser
+ args:
+ warn: no
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010780_nouser_files
+
+ - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
+ debug:
+ msg:
+ - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner"
+ - "{{ rhel_08_010780_nouser_files.stdout_lines }}"
+ when: rhel_08_010780_nouser_files.stdout | length > 0
+ when:
+ - rhel_08_010780
+ tags:
+ - RHEL-08-010780
+
+- name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner."
+ block:
+ - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files"
+ shell: find / -nogroup
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010790_nogroup_files
+
+ - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files"
+ debug:
+ msg:
+ - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group"
+ - "{{ rhel_08_010790_nogroup_files.stdout_lines }}"
+ when: rhel_08_010790_nogroup_files.stdout | length > 0
+ when:
+ - rhel_08_010790
+ tags:
+ - RHEL-08-010790
+
+- name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." 
+ debug:
+ msg: "WARNING!!!! /home is not mounted on a separate partition"
+ changed_when:
+ - rhel8stig_audit_complex
+ when:
+ - rhel_08_010800
+ - not rhel8stig_system_is_container
+ - rhel8stig_complex
+ - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0
+ tags:
+ - RHEL-08-010800
+ - complexity-high
+ - mount
+ - home
+
+- name: "MEDIUM | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '(?i)^#?PermitUserEnvironment'
+ line: 'PermitUserEnvironment no'
+ notify: restart sshd
+ when:
+ - rhel_08_010830
+ - rhel8stig_disruption_high
+ tags:
+ - RHEL-08-010830
+ - ssh
+ - disruption_high
+
+- name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
+ debug:
+ msg:
+ - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
+ - "To do this please run sudo chage -l account_name for the accounts you need to check"
+ - "The results will display the Account Expires information"
+ - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name'
+ when:
+ - rhel_08_020000
+ tags:
+ - RHEL-08-020000
+
+- name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020010
+ tags:
+ - RHEL-08-020010
+ - pamd
+
+- name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^deny =|^\# deny ='
+ line: "deny = {{ rhel8stig_pam_faillock.attempts }}"
+ when:
+ - rhel_08_020011
+ tags:
+ - RHEL-08-020011
+ - pamd
+
+- name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." 
+ block:
+ - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020012
+ tags:
+ - RHEL-08-020012
+ - pamd
+
+- name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set fail_interval in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^fail_interval =|^\# fail_interval ='
+ line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020013
+ tags:
+ - RHEL-08-020013
+ - pamd
+
+- name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020013
+ tags:
+ - RHEL-08-020013
+ - pamd
+
+- name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^unlock_time =|^\# unlock_time ='
+ line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020015
+ tags:
+ - RHEL-08-020015
+ - pamd
+
+- name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist."
+ block:
+ - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020016
+ tags:
+ - RHEL-08-020016
+ - pamd
+
+- name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist."
+ block:
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist.
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^dir =|^\# dir ='
+ line: "dir = /var/log/faillock"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020017
+ tags:
+ - RHEL-08-020017
+ - pamd
+
+- name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020018
+ tags:
+ - RHEL-08-020018
+ - pamd
+
+- name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^silent|^\# silent'
+ line: "silent"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020019
+ tags:
+ - RHEL-08-020019
+ - pamd
+
+- name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020020
+ tags:
+ - RHEL-08-020020
+ - pamd
+
+- name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur.
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^audit|^\# audit'
+ line: "audit"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020021
+ tags:
+ - RHEL-08-020021
+ - pamd
+
+- name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020022
+ tags:
+ - RHEL-08-020022
+ - pamd
+
+- name: "MEDIUM | RHEL-020023| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^even_deny_root|^\# even_deny_root'
+ line: "even_deny_root"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020023
+ tags:
+ - RHEL-08-020023
+ - pamd
+
+- name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
+ block:
+ - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
| Check for lock-enabled"
+ command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020030_lock_enabled
+
+ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
+ lineinfile:
+ path: "{{ rhel_08_020030_lock_enabled.stdout }}"
+ regexp: '^lock-enabled'
+ line: lock-enabled=true
+ when: rhel_08_020030_lock_enabled.stdout | length > 0
+ notify: dconf update
+
+ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist"
+ lineinfile:
+ path: /etc/dconf/db/local.d/00-screensaver
+ create: yes
+ regexp: '^lock-enabled'
+ owner: root
+ group: root
+ mode: 0644
+ line: |
+ [org/gnome/desktop/screensaver]
+ # Set this to true to lock the screen when the screensaver activates
+ lock-enabled=true
+ when: rhel_08_020030_lock_enabled.stdout | length == 0
+ notify: dconf update
+ when:
+ - rhel_08_020030
+ - "'dconf' in ansible_facts.packages"
+ - rhel8stig_always_configure_dconf
+
+ tags:
+ - RHEL-08-020030
+ - gui
+
+- name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
+ block:
+ - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.
| Install tmux"
+ dnf:
+ name: tmux
+ state: present
+
+ - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux"
+ lineinfile:
+ path: /etc/tmux.conf
+ regexp: '^set \-g'
+ line: "set -g lock-command vlock"
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_020040
+ tags:
+ - RHEL-08-020040
+ - tmux
+
+- name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization."
+ lineinfile:
+ path: /etc/bashrc
+ regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]'
+ line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
+ when:
+ - rhel_08_020041
+ tags:
+ - RHEL-08-020041
+ - tmux
+
+- name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."
+ block:
+ - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
+ shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:'
+ args:
+ warn: no
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020050_removal_action
+
+ - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
+ shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020050_removal_action_file
+
+ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
| Set removal-action param if doesn't exist"
+ lineinfile:
+ path: /etc/dconf/db/distro.d/20-authselect
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ line: |
+ [org/gnome/settings-daemon/peripherals/smartcard]
+ removal-action='lock-screen'
+ when: rhel_08_020050_removal_action.stdout | length == 0
+ notify: dconf update
+
+ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists"
+ lineinfile:
+ path: "{{ rhel_08_020050_removal_action.stdout }}"
+ regexp: ^removal-action=
+ line: removal-action='lock-screen'
+ when: rhel_08_020050_removal_action.stdout | length > 0
+ notify: dconf update
+
+ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
+ lineinfile:
+ path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}'
+ line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
+ when: rhel_08_020050_removal_action_file.stdout | length > 0
+ notify: dconf update
+
+ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
+ lineinfile:
+ path: /etc/dconf/db/distro.d/locks/20-authselect
+ create: yes
+ line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
+ owner: root
+ group: root
+ mode: 0640
+ when: rhel_08_020050_removal_action_file.stdout | length == 0
+ notify: dconf update
+ when:
+ - rhel_08_020050
+ tags:
+ - RHEL-08-020050
+ - smartcard
+
+- name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity."
+ block:
+ - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter"
+ shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:'
+ args:
+ warn: no
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020060_idle_delay_param
+
+ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist"
+ lineinfile:
+ path: /etc/dconf/db/local.d/00-screensaver
+ create: yes
+ owner: root
+ group: root
+ mode: 0640
+ regexp: '^idle-delay'
+ line: |
+ [org/gnome/desktop/session]
+ # Set the lock time out to 900 seconds before the session is considered idle
+ idle-delay=uint32 900
+ notify: dconf update
+ when: rhel_08_020060_idle_delay_param.stdout | length == 0
+
+ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists"
+ lineinfile:
+ path: "{{ rhel_08_020060_idle_delay_param.stdout }}"
+ regexp: '^idle-delay='
+ line: idle-delay=uint32 900
+ owner: root
+ group: root
+ mode: 0640
+ notify: dconf update
+ when: rhel_08_020060_idle_delay_param.stdout | length > 0
+ when:
+ - rhel_08_020060
+ - "'dconf' in ansible_facts.packages"
+ - rhel8stig_always_configure_dconf
+
+ tags:
+ - RHEL-08-020060
+ - gui
+
+- name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity."
+ lineinfile:
+ path: /etc/tmux.conf
+ regexp: '^set -g lock-after-time'
+ line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_020070
+ tags:
+ - RHEL-08-020070
+ - tmux
+
+- name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings."
+ lineinfile:
+ path: /etc/dconf/db/local.d/locks/session
+ create: yes
+ line: "{{ item }}"
+ owner: root
+ group: root
+ mode: 0640
+ with_items:
+ - /org/gnome/desktop/session/idle-delay
+ - /org/gnome/desktop/screensaver/lock-enabled
+ - /org/gnome/desktop/screensaver/lock-delay
+ - /org/gnome/settings-daemon/plugins/media-keys/logout
+ - /org/gnome/login-screen/disable-user-list
+ - /org/gnome/login-screen/banner-message-text
+ - /org/gnome/login-screen/banner-message-enable
+ - /org/gnome/desktop/lockdown/disable-lock-screen
+ when:
+ - rhel_08_020080
+ - "'dconf' in ansible_facts.packages"
+ - rhel8stig_always_configure_dconf
+ tags:
+ - RHEL-08-020080
+
+- name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
+ lineinfile:
+ path: "{{ rhel8stig_sssd_conf }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ owner: root
+ group: root
+ mode: 0640
+ with_items:
+ - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
+ - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
+ - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' }
+ - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' }
+ notify: restart sssd
+ when:
+ - "'sssd' in ansible_facts.packages"
+ - rhel8stig_sssd_conf_present.stat.exists
+ - rhel_08_020090
+ tags:
+ - RHEL-08-020090
+
+- name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled."
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ insertafter: '^password'
+ owner: root
+ group: root
+ mode: 0640
+ with_items:
+ - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
+ - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
+ when:
+ - rhel_08_020100
+ tags:
+ - RHEL-08-020100
+
+- name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: '^#?\s*ucredit'
+ line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}"
+ when:
+ - rhel_08_020110
+ tags:
+ - RHEL-08-020110
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: '^#?\s*lcredit'
+ line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}"
+ when:
+ - rhel_08_020120
+ tags:
+ - RHEL-08-020120
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: '^#?\s*dcredit'
+ line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}"
+ when:
+ - rhel_08_020130
+ tags:
+ - RHEL-08-020130
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: '^#?\s*maxclassrepeat'
+ line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}"
+ when:
+ - rhel_08_020140
+ tags:
+ - RHEL-08-020140
+ - pwquality
+
+- name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: '^#?\s*maxrepeat'
+ line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}"
+ when:
+ - rhel_08_020150
+ tags:
+ - RHEL-08-020150
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: '^#?\s*minclass'
+ line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}"
+ when:
+ - rhel_08_020160
+ tags:
+ - RHEL-08-020160
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: '^#?\s*difok'
+ line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}"
+ when:
+ - rhel_08_020170
+ tags:
+ - RHEL-08-020170
+ - pwquality
+
+- name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."
+ block:
+ - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
| Get list of users"
+ command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020180_users
+
+ - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction"
+ command: chage -m 1 {{ item }}
+ with_items: "{{ rhel_08_020180_users.stdout_lines }}"
+ when:
+ - rhel_08_020180
+ tags:
+ - RHEL8-08-020180
+ - password
+
+- name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."
+ lineinfile:
+ path: /etc/login.defs
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: ^#?PASS_MIN_DAYS
+ line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}"
+ when:
+ - rhel_08_020190
+ tags:
+ - RHEL-08-020190
+ - login
+
+- name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction."
+ lineinfile:
+ path: /etc/login.defs
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: ^#?PASS_MAX_DAYS
+ line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}"
+ when:
+ - rhel_08_020200
+ tags:
+ - RHEL-08-020200
+ - login
+
+- name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
+ block:
+ - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
| Get list of users"
+ command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
+ check_mode: no
+ changed_when: rhel_08_020210_users.stdout | length > 0
+ register: rhel_08_020210_users
+
+ - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user."
+ command: chage -d '-1 day' {{ item }}
+ check_mode: "{{ rhel8stig_disruptive_check_mode }}"
+ with_items: "{{ rhel_08_020210_users.stdout_lines }}"
+
+ - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime"
+ command: chage -M 60 {{ item }}
+ check_mode: "{{ rhel8stig_disruptive_check_mode }}"
+ with_items: "{{ rhel_08_020210_users.stdout_lines }}"
+ when:
+ - rhel_08_020210
+ - rhel8stig_disruption_high
+ tags:
+ - RHEL-08-020210
+ - disruption-high
+ - password
+
+- name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations."
+ block:
+ - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists"
+ pamd:
+ name: "{{ item }}"
+ state: before
+ type: password
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: password
+ new_control: required
+ new_module_path: pam_pwhistory.so
+ with_items:
+ - "system-auth"
+ - "password-auth"
+
+ # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent
+ - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Check for existing password history reuse settings"
+ command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}"
+ check_mode: no
+ changed_when: no
+ failed_when: rhel_08_020220_pw_hist_settings.rc > 1
+ register: rhel_08_020220_pw_hist_settings
+ with_items:
+ - "system-auth"
+ - "password-auth"
+
+ # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following.
+ - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set"
+ pamd:
+ name: "{{ item.item }}"
+ state: updated
+ type: password
+ control: required
+ module_path: pam_pwhistory.so
+ module_arguments:
+ - use_authtok
+ - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}
+ - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}
+ with_items: "{{ rhel_08_020220_pw_hist_settings.results }}"
+ when: item.rc == 1
+ when:
+ - rhel_08_020220
+ tags:
+ - RHEL-08-020220
+ - pamd
+
+- name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: '^#?\s*minlen'
+ line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}"
+ when:
+ - rhel_08_020230
+ tags:
+ - RHEL-08-020230
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters."
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN'
+ line: "PASS_MIN_LEN 15"
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_020231
+ tags:
+ - RHEL-08-020231
+ - passwords
+
+- name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users."
+ block:
+ - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users"
+ command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020240_duplicate_uid_users
+
+ - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users"
+ debug:
+ msg:
+ - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user"
+ - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}"
+ when:
+ - rhel_08_020240
+ tags:
+ - RHEL-08-020240
+
+- name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts."
+ block:
+ - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth"
+ shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020250_sc_auth_sss
+
+ - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Find pam_sss.so in system-auth"
+ shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020250_system_auth_sss
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf"
+ lineinfile:
+ path: "{{ rhel8stig_sssd_conf }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ insertafter: "{{ item.insertafter }}"
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart sssd
+ with_items:
+ - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
+ - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' }
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth"
+ lineinfile:
+ path: /etc/pam.d/smartcard-auth
+ line: auth sufficient pam_sss.so try_cert_auth
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart sssd
+ when: rhel_08_020250_sc_auth_sss.stdout | length == 0
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth"
+ pamd:
+ name: /etc/pam.d/smartcard-auth
+ state: updated
+ type: auth
+ control: sufficient
+ module_path: pam_sss.so
+ module_arguments: 'try_cert_auth'
+ notify: restart sssd
+ when: rhel_08_020250_sc_auth_sss.stdout | length > 0
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_sss.so if doesn't exist in system-auth"
+ pamd:
+ name: /etc/pam.d/system-auth
+ state: after
+ type: auth
+ control: required
+ module_path: pam_env.so
+ new_type: auth
+ new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
+ new_module_path: pam_sss.so
+ module_arguments: try_cert_auth
+ notify: restart sssd
+ when: rhel_08_020250_system_auth_sss.stdout | length == 0
+
+ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth"
+ pamd:
+ name: /etc/pam.d/system-auth
+ state: updated
+ type: auth
+ control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
+ module_path: pam_env.so
+ module_arguments: try_cert_auth
+ notify: restart sssd
+ when: rhel_08_020250_system_auth_sss.stdout | length > 0
+ when:
+ - "'sssd' in ansible_facts.packages"
+ - rhel8stig_sssd_conf_present.stat.exists
+ - rhel_08_020250
+ tags:
+ - RHEL-08-020250
+ - pamd
+
+- name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity."
+ command: useradd -D -f 35
+ when:
+ - rhel_08_020260
+ tags:
+ - RHEL-08-020260
+ - useradd
+
+- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+ block:
+ - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+ command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_020270_system_users
+
+ - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+ debug:
+ msg:
+ - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours"
+ - "{{ rhel_08_020270_system_users.stdout_lines }}"
+ when:
+ - rhel_08_020270
+ tags:
+ - RHEL-08-020270
+
+- name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*ocredit'
+ line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}"
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_020280
+ tags:
+ - RHEL-08-020280
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day."
+ lineinfile:
+ path: "{{ rhel8stig_sssd_conf }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ insertafter: "{{ item.insertafter }}"
+ owner: root
+ group: root
+ mode: 0640
+ with_items:
+ - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
+ - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
+ when:
+ - "'sssd' in ansible_facts.packages"
+ - rhel8stig_sssd_conf_present.stat.exists
+ - rhel_08_020290
+ tags:
+ - RHEL-08-020290
+ - sssd
+
+- name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords."
+ lineinfile:
+ path: /etc/security/pwquality.conf
+ create: yes
+ regexp: '^#?\s*dictcheck'
+ line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_020300
+ tags:
+ - RHEL-08-020300
+ - pwquality
+
+- name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: ^#?FAIL_DELAY
+ line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}"
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_020310
+ tags:
+ - RHEL-08-020310
+ - login
+
+- name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts."
+ block:
+ - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts"
+ command: "grep '^{{ item }}:' /etc/passwd"
+ check_mode: no
+ failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1
+ changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0
+ register: rhel_08_020320_unnecessary_accounts_found
+ with_items: "{{ rhel8stig_unnecessary_accounts }}"
+
+ - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts"
+ user:
+ name: "{{ item }}"
+ state: absent
+ remove: "{{ rhel8stig_remove_unnecessary_user_files }}"
+ register: rhel_08_020320_accounts_removed
+ with_items: "{{ rhel8stig_unnecessary_accounts }}"
+
+ - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file"
+ include_tasks: parse_etc_passwd.yml
+ vars:
+ rhel8stig_passwd_tasks: "RHEL-08-020320"
+ when: rhel_08_020320_accounts_removed is changed
+ when:
+ - rhel_08_020320
+ tags:
+ - RHEL-08-020320
+
+- name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '(?i)^#?PrintLastLog'
+ line: 'PrintLastLog yes'
+ validate: /usr/sbin/sshd -t -f %s
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart sshd
+ when:
+ - rhel_08_020350
+ - rhel8stig_ssh_required
+ tags:
+ - RHEL-08-020350
+ - ssh
+
+- name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
+ lineinfile:
+ path: /etc/login.defs
+ regexp: ^#?UMASK.*
+ line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}"
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_020351
+ tags:
+ - RHEL-08-020351
+
+- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts."
+ block:
+ - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files"
+ find:
+ paths: /home
+ patterns: '^\.'
+ contains: 'umask'
+ recurse: yes
+ hidden: yes
+ use_regex: yes
+ register: rhel8stig_020352_files
+
+ - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})"
+ state: absent
+ with_items:
+ - "{{ rhel8stig_020352_files.files }}"
+ when: rhel8stig_020352_files.matched > 0
+ when:
+ - rhel_08_020352
+ tags:
+ - RHEL-08-020352
+ - umask
+
+- name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells."
+ replace:
+ path: "{{ item }}"
+ regexp: 'umask\s\d\d\d'
+ replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}"
+ with_items:
+ - /etc/bashrc
+ - /etc/csh.cshrc
+ when:
+ - rhel_08_020353
+ tags:
+ - RHEL-08-020353
+ - umask
+
+- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' }
+ - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' }
+ - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' }
+ - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' }
+ notify: restart auditd
+ when:
+ - rhel_08_030000
+ tags:
+ - RHEL-08-030000
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8."
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^cron.*'
+ line: 'cron.* /var/log/cron'
+ when:
+ - rhel_08_030010
+ tags:
+ - RHEL-08-030010
+ - cron
+
+- name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^action_mail_acct ='
+ line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}"
+ register: rhel_08_030020_action_mail_acct_result
+ failed_when:
+ - rhel_08_030020_action_mail_acct_result is failed
+ - rhel_08_030020_action_mail_acct_result.rc != 257
+ when:
+ - rhel_08_030020
+ tags:
+ - RHEL-08-030020
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."
+ lineinfile:
+ path: /etc/aliases
+ regexp: '^postmaster:'
+ line: 'postmaster: root'
+ when:
+ - rhel_08_030030
+ tags:
+ - RHEL-08-030030
+ - aliases
+
+- name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^disk_error_action ='
+ line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}"
+ when:
+ - rhel_08_030040
+ tags:
+ - RHEL-08-030040
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^max_log_file_action ='
+ line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}"
+ when:
+ - rhel_08_030050
+ tags:
+ - RHEL-08-030050
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^disk_full_action ='
+ line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}"
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_030060
+ tags:
+ - RHEL-08-030060
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^local_events ='
+ line: "local_events = yes"
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_030061
+ tags:
+ - RHEL-08-030061
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^name_format ='
+ line: "name_format = hostname"
+ notify: restart auditd
+ when:
+ - rhel_08_030062
+ tags:
+ - RHEL-08-030062
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^log_group ='
+ line: "log_group = root"
+ mode: 0600
+ when:
+ - rhel_08_030070
+ tags:
+ - RHEL-08-030070
+
+- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access."
+ block:
+ - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file"
+ shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
+ changed_when: false
+ failed_when: false
+ register: rhel8stig_030080_audit_log_file
+
+ - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner"
+ file:
+ path: "{{ rhel8stig_030080_audit_log_file.stdout }}"
+ owner: root
+ when: rhel8stig_030080_audit_log_file.stdout | length > 0
+ when:
+ - rhel_08_030080
+ tags:
+ - RHEL-08-030080
+
+- name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group"
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^log_group'
+ line: "log_group = root"
+ when:
+ - rhel_08_030090
+ tags:
+ - RHEL-08-030090
+
+- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."
+ block:
+ - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. 
| Get audit log directory"
+ shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_030100_audit_log_dir
+
+ - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner"
+ file:
+ path: "{{ rhel_08_030100_audit_log_dir.stdout }}"
+ owner: root
+ state: directory
+ when: rhel_08_030100_audit_log_dir.stdout | length > 0
+ tags:
+ - skip_ansible_lint
+ when:
+ - rhel_08_030100
+ tags:
+ - RHEL-08-030100
+
+- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."
+ block:
+ - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory"
+ shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+ args:
+ warn: no
+ changed_when: false
+ failed_when: false
+ register: rhel_08_030110_audit_log_dir
+
+ - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group"
+ file:
+ path: "{{ rhel_08_030110_audit_log_dir.stdout }}"
+ group: root
+ state: directory
+ when: rhel_08_030110_audit_log_dir.stdout | length > 0
+ tags:
+ - skip_ansible_lint
+ when:
+ - rhel_08_030110
+ tags:
+ - skip_ansible_lint
+ - RHEL-08-030110
+
+- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access."
+ block:
+ - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. 
| Get audit log directory"
+ shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_030120_audit_log_dir
+
+ - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
+ file:
+ path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
+ mode: 0700
+ state: directory
+ when: rhel_08_030120_audit_log_dir.stdout | length > 0
+ when:
+ - rhel_08_030120
+ tags:
+ - RHEL-08-030120
+
+- name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^-e '
+ line: "-e 2"
+ when:
+ - rhel_08_030121
+ tags:
+ - RHEL-08-030121
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^--loginuid-'
+ line: "--loginuid-immutable"
+ when:
+ - rhel_08_030122
+ tags:
+ - RHEL-08-030122
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^-w /etc/shadow'
+ line: '-w /etc/shadow -p wa -k identity'
+ notify: restart auditd
+ when:
+ - rhel_08_030130
+ tags:
+ - RHEL-08-030130
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^-w /etc/security/opasswd'
+ line: -w /etc/security/opasswd -p wa -k identity
+ notify: restart auditd
+ when:
+ - rhel_08_030140
+ tags:
+ - RHEL-08-030140
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^-w /etc/passwd'
+ line: -w /etc/passwd -p wa -k identity
+ notify: restart auditd
+ when:
+ - rhel_08_030150
+ tags:
+ - RHEL-08-030150
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^-w /etc/gshadow'
+ line: -w /etc/gshadow -p wa -k identity
+ notify: restart auditd
+ when:
+ - rhel_08_030160
+ tags:
+ - RHEL-08-030160
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^-w /etc/group'
+ line: -w /etc/group -p wa -k identity
+ notify: restart auditd
+ when:
+ - rhel_08_030170
+ tags:
+ - RHEL-08-030170
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^-w /etc/sudoers '
+ line: -w /etc/sudoers -p wa -k identity
+ notify: restart auditd
+ when:
+ - rhel_08_030171
+ tags:
+ - RHEL-08-030171
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^-w /etc/sudoers.d/'
+ line: -w /etc/sudoers.d/ -p wa -k identity
+ notify: restart auditd
+ when:
+ - rhel_08_030172
+ tags:
+ - RHEL-08-030172
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."
+ block:
+ - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit"
+ dnf:
+ name: audit
+ state: present
+
+ - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service"
+ service:
+ name: auditd
+ enabled: yes
+ state: started
+ when:
+ - rhel_08_030180
+ tags:
+ - rhel_08_030180
+ - dnf
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
+ line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
+ notify: restart auditd
+ when:
+ - rhel_08_030190
+ tags:
+ - RHEL-08-030190
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030200
+ tags:
+ - RHEL-08-030200
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030210
+ tags:
+ - RHEL-08-030210
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030220
+ tags:
+ - RHEL-08-030220
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030230
+ tags:
+ - RHEL-08-030230
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030240
+ tags:
+ - RHEL-08-030240
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
+ notify: restart auditd
+ when:
+ - rhel_08_030250
+ tags:
+ - RHEL-08-030250
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030260
+ tags:
+ - RHEL-08-030260
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030270
+ tags:
+ - RHEL-08-030270
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+ notify: restart auditd
+ when:
+ - rhel_08_030280
+ tags:
+ - RHEL-08-030280
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
+ notify: restart auditd
+ when:
+ - rhel_08_030290
+ tags:
+ - RHEL-08-030290
+ - auditd
+
+- name: |
+ "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
+ "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ notify: restart auditd
+ when:
+ - rhel_08_030300 or
+ rhel_08_030302
+ tags:
+ - RHEL-08-030300
+ - RHEL-08-030302
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ notify: restart auditd
+ when:
+ - rhel_08_030301
+ tags:
+ - RHEL-08-030301
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030310
+ tags:
+ - RHEL-08-030310
+ - auditd
-- name: "RHEL-08-010000 | HIGH | AUDIT | The RHEL 8 must be a vendor-supported release."
- debug:
- msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }}
- changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=')
+- name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030311
+ tags:
+ - RHEL-08-030311
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030312
+ tags:
+ - RHEL-08-030312
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030313
+ tags:
+ - RHEL-08-030313
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030314
+ tags:
+ - RHEL-08-030314
+ - auditd
+
+- name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030315
+ tags:
+ - RHEL-08-030315
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030316
+ tags:
+ - RHEL-08-030316
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030317
+ tags:
+ - RHEL-08-030317
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+ notify: restart auditd
+ when:
+ - rhel_08_030320
+ tags:
+ - RHEL-08-030320
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030330
+ tags:
+ - RHEL-08-030330
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check
+ notify: restart auditd
+ when:
+ - rhel_08_030340
+ tags:
+ - RHEL-08-030340
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+ notify: restart auditd
+ when:
+ - rhel_08_030350
+ tags:
+ - RHEL-08-030350
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030360
+ tags:
+ - RHEL-08-030360
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030361
+ tags:
+ - RHEL-08-030361
+ - auditd
+
+- name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030362
+ tags:
+ - RHEL-08-030362
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030363
+ tags:
+ - RHEL-08-030363
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030364
+ tags:
+ - RHEL-08-030364
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030365
+ tags:
+ - RHEL-08-030365
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd
+ notify: restart auditd
+ when:
+ - rhel_08_030370
+ tags:
+ - RHEL-08-030370
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030380
+ tags:
+ - RHEL-08-030380
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030390
+ tags:
+ - RHEL-08-030390
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab
+ notify: restart auditd
+ when:
+ - rhel_08_030400
+ tags:
+ - RHEL-08-030400
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+ notify: restart auditd
+ when:
+ - rhel_08_030410
+ tags:
+ - RHEL-08-030410
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030420
+ tags:
+ - RHEL-08-030420
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030430
+ tags:
+ - RHEL-08-030430
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030440
+ tags:
+ - RHEL-08-030440
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030450
+ tags:
+ - RHEL-08-030450
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030460
+ tags:
+ - RHEL-08-030460
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030470
+ tags:
+ - RHEL-08-030470
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030480
+ tags:
+ - RHEL-08-030480
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030490
+ tags:
+ - RHEL-08-030490
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030500
+ tags:
+ - RHEL-08-030500
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030510
+ tags:
+ - RHEL-08-030510
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030520
+ tags:
+ - RHEL-08-030520
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030530
+ tags:
+ - RHEL-08-030530
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030540
+ tags:
+ - RHEL-08-030540
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+ notify: restart auditd
+ when:
+ - rhel_08_030550
+ tags:
+ - RHEL-08-030550
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod
+ notify: restart auditd
+ when:
+ - rhel_08_030560
+ tags:
+ - RHEL-08-030560
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030570
+ tags:
+ - RHEL-08-030570
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
+ notify: restart auditd
+ when:
+ - rhel_08_030580
+ tags:
+ - RHEL-08-030580
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -w /var/log/faillock -p wa -k logins
+ notify: restart auditd
+ when:
+ - rhel_08_030590
+ tags:
+ - RHEL-08-030590
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -w /var/log/lastlog -p wa -k logins
+ notify: restart auditd
+ when:
+ - rhel_08_030600
+ tags:
+ - RHEL-08-030600
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
+ file:
+ path: "{{ item }}"
+ mode: 0640
+ with_items:
+ - /etc/audit/rules.d/audit.rules
+ - /etc/audit/auditd.conf
+ when:
+ - rhel_08_030610
+ tags:
+ - RHEL-08-030610
+ - permissions
+
+- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive."
+ block:
+ - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms"
+ shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
+ changed_when: false
+ failed_when: false
+ register: rhel_08_030620_tools
+
+ - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive.
| Set permissions to 755 on tools"
+ file:
+ path: "{{ item }}"
+ mode: 0755
+ with_items:
+ - "{{ rhel_08_030620_tools.stdout_lines }}"
+ when:
+ - rhel_08_030620
+ tags:
+ - RHEL-08-030620
+ - permissions
+
+- name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root."
+ file:
+ path: "{{ item }}"
+ owner: root
+ with_items:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audisp-remote
+ - /sbin/audisp-syslog
+ - /sbin/augenrules
+ when:
+ - rhel_08_030630
+ tags:
+ - RHEL-08-030630
+ - permissions
+
+- name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root."
+ file:
+ path: "{{ item }}"
+ owner: root
+ with_items:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/audisp-remote
+ - /sbin/audisp-syslog
+ - /sbin/augenrules
+ when:
+ - rhel_08_030640
+ tags:
+ - RHEL-08-030640
+ - permissions
+
+- name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."
+ lineinfile:
+ path: /etc/aide.conf
+ line: "{{ item }}"
+ owner: root
+ group: root
+ mode: 0600
+ with_items:
+ - "# Audit Tools"
+ - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
+ - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
+ when:
+ - rhel_08_030650
+ tags:
+ - RHEL-08-030650
+ - aide
+
+- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."
+ block:
+ - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition"
+ shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_030660_audit_log_path
+
+ - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition"
+ shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_030660_audit_log_partition
+
+ - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size"
+ debug:
+ msg:
+ - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"
+ - "Path: {{ rhel_08_030660_audit_log_path.stdout }}"
+ - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}"
+ when:
+ - rhel_08_030660
+ tags:
+ - RHEL-08-030660
+
+- name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed."
+ dnf:
+ name: rsyslog
+ state: present
+ when:
+ - rhel_08_030670
+ tags:
+ - RHEL-08-030670
+ - rsyslog
+
+- name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed."
+ dnf:
+ name: gnutls
+ state: present
+ when:
+ - rhel_08_030680
+ tags:
+ - RHEL-08-030680
+ - gnutls
+
+- name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^.*\@\@'
+ line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}"
+ when:
+ - rhel_08_030690
+ tags:
+ - RHEL-08-030690
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^overflow_action ='
+ line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}'
+ notify: restart auditd
+ when:
+ - rhel_08_030700
+ tags:
+ - RHEL-08-030700
+ - auditd
+
+- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
+ lineinfile:
+ path: /etc/rsyslog.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0644
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' }
+ - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' }
+ when:
+ - rhel_08_030710
+ tags:
+ - RHEL-08-030710
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs."
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^\$ActionSendStreamDriverAuthMode'
+ line: "$ActionSendStreamDriverAuthMode x509/name"
+ notify: restart auditd
+ when:
+ - rhel_08_030720
+ tags:
+ - rhel_08_030720
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^space_left =', line: 'space_left = 25%' }
+ - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' }
+ when:
+ - rhel_08_030730
+ tags:
+ - RHEL-08-030730
+ - auditd
+
+- name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
+ lineinfile:
+ path: /etc/chrony.conf
+ regexp: '^server'
+ line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16'
+ notify: restart {{ rhel8stig_time_service }}
+ when:
+ - rhel_08_030740
+ tags:
+ - RHEL-08-030740
+ - chronyd
+
+- name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed."
+ shell: dnf remove abrt*
+ failed_when: false
+ args:
+ warn: false
+ when:
+ - rhel_08_040001
+ tags:
+ - RHEL-08-040001
+ - dnf
+ - abrt
+
+- name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed."
+ dnf:
+ name: sendmail
+ state: absent
+ when:
+ - rhel_08_040002
+ tags:
+ - RHEL-08-040002
+ - dnf
+ - sendmail
+
+- name: |
+ "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed."
+ "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8."
+ dnf:
+ name: gssproxy
+ state: absent
+ when:
+ - rhel_08_040003 or
+ rhel_08_040370
+ tags:
+ - RHEL-08-040003
+ - RHEL-08-040370
+ - dnf
+ - gssproxy
+
+- name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use."
+ lineinfile:
+ path: /etc/modprobe.d/blacklist.conf
+ create: yes
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ owner: root
+ group: root
+ mode: 0640
+ insertafter: "{{ item.insertafter }}"
+ notify: reboot system
+ with_items:
+ - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' }
+ - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' }
+ when:
+ - rhel_08_040020
+ tags:
+ - RHEL-08-040020
+ - camera
+
+- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
+ block:
+ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
+ block:
+ - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
| Get services using firewalld" + shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u + register: rhel8stig_PPSM_CLSA_check_firewalld + changed_when: false + failed_when: false + check_mode: no + when: + - rhel_08_040030 + tags: + - RHEL-08-040030 + - firewall + + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" + debug: + msg: + - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}." + - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}" + changed_when: true + when: + - rhel_08_040030 + - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined + tags: + - RHEL-08-040030 + - firewall + when: + - rhel_08_040030 + - not rhel8stig_system_is_chroot + - not rhel8stig_system_is_container + - rhel8stig_firewall_service == "firewalld" + - rhel8stig_start_firewall_service + tags: + - RHEL-08-040030 + - firewall + + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block" + block: + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using iptables" + shell: iptables-save | grep -i accept | grep -i input + register: rhel8stig_PPSM_CLSA_check_iptables + changed_when: false + failed_when: false + check_mode: no + when: rhel_08_040030 + tags: + - RHEL-08-040030 + - firewall + + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" + debug: + msg: + - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}." + - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}" + changed_when: true + when: + - rhel_08_040030 + - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined + tags: + - RHEL-08-040030 + - firewall + when: + - rhel_08_040030 + - not rhel8stig_system_is_chroot + - not rhel8stig_system_is_container + - rhel8stig_firewall_service == "iptables" + - rhel8stig_start_firewall_service + tags: + - RHEL-08-040030 + - firewall + + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use" + debug: + msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." 
+ changed_when: true + when: + - rhel_08_040030 + - not rhel8stig_start_firewall_service + tags: + - RHEL-08-040030 + - firewall + when: + - rhel_08_040030 + - not rhel8stig_system_is_chroot + - not rhel8stig_system_is_container + - rhel8stig_disruptive + tags: + - RHEL-08-040030 + - firewall + +- name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required." + block: + - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error" + shell: "systemctl show autofs | grep LoadState | cut -d= -f2" + changed_when: false + failed_when: false + register: rhel_08_040070_autofs_status + + - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists" + service: + name: autofs + state: stopped + enabled: no + when: rhel_08_040070_autofs_status.stdout == "loaded" + when: + - rhel_08_040070 + tags: + - RHEL-08-040070 + - autofs + +- name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage." 
+ lineinfile: + path: "{{ item.path }}" + create: yes + owner: root + group: root + mode: 0640 + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + with_items: + - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } + - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} when: - - rhel_08_010000 + - rhel_08_040080 tags: - - RHEL-08-010000 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230221r627750_rule - - V-230221 + - RHEL-08-040080 + - usb_devices -- name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." +- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8." block: - - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." + - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. 
| Install firewalld" dnf: - name: dracut-fips + name: firewalld state: present - notify: rebuild initramfs - when: - - not ansible_fips + when: rhel8stig_firewall_service == "firewalld" - - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" - command: fips-mode-setup --enable - register: rhel_08_010020_kernel_fips_enable - changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 - when: - - not ansible_fips + - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables" + dnf: + name: iptables-services + state: present + when: rhel8stig_firewall_service == "iptables" + + - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service" + service: + name: "{{ rhel8stig_firewall_service }}" + state: started + enabled: yes + when: + - rhel_08_040100 + tags: + - RHEL-08-040100 + - firewall + - "{{ rhel8stig_firewall_service }}" + +- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems." + block: + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone" + firewalld: + zone: "{{ rhel8stig_custom_firewall_zone }}" + permanent: true + state: present + + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Allow internet and ssh" + firewalld: + zone: "{{ rhel8stig_custom_firewall_zone }}" + permanent: true + state: enabled + service: "{{ item }}" + with_items: + - "{{ rhel8stig_white_list_services }}" + + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones" + command: firewall-cmd --reload + changed_when: rhel_08_040090_zone_reload.rc == 0 + failed_when: rhel_08_040090_zone_reload.rc >= 2 + register: rhel_08_040090_zone_reload + + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone as default" + command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}" + changed_when: rhel_08_040090_default_zone_set.rc == 0 + failed_when: rhel_08_040090_default_zone_set.rc >= 2 + register: rhel_08_040090_default_zone_set + when: + - rhel_08_040090 + tags: + - RHEL-08-040090 + - firewall - - name: "RHEL-08-010020 | HIGH | AUDIT | Check if prelink package is installed" - command: rpm -q prelink +- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled." + block: + - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available" + command: rpm -q NetworkManager args: warn: no + check_mode: no changed_when: no + register: rhel_08_nmcli_available failed_when: no - check_mode: no - register: rhel_08_010020_prelink_installed - - name: "RHEL-08-010020 | HIGH | PATCH | Disable prelinking." 
- lineinfile: - dest: /etc/sysconfig/prelink - regexp: ^#?PRELINKING - line: PRELINKING=no - when: rhel_08_010020_prelink_installed.rc == 0 - notify: undo existing prelinking - - - name: "RHEL-08-010020 | HIGH | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub + - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled" + command: nmcli radio wifi + args: + warn: no + register: rhel_08_wifi_enabled check_mode: no - failed_when: no - changed_when: rhel_08_010020_default_grub_missing_audit.rc > 0 - register: rhel_08_010020_default_grub_missing_audit + changed_when: rhel_08_wifi_enabled.stdout != "disabled" + when: rhel_08_nmcli_available.rc == 0 - - name: "RHEL-08-010020 | HIGH | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" - command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline - check_mode: no - changed_when: no - failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1 - when: rhel_08_010020_default_grub_missing_audit is changed - register: rhel_08_010020_grub_cmdline_linux_audit + - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled" + command: nmcli radio wifi off + when: rhel_08_wifi_enabled is changed + when: + - rhel_08_040110 + tags: + - RHEL-08-040110 + - wifi - - name: "RHEL-08-010020 | HIGH | PATCH | Copy over a sane /etc/default/grub" - template: - src: etc_default_grub.j2 - dest: /etc/default/grub - owner: root - group: root - mode: 0644 - vars: - grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" - when: rhel_08_010020_default_grub_missing_audit is changed +- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled." 
+ lineinfile: + path: /etc/modprobe.d/bluetooth.conf + regexp: '^install bluetooth ' + line: "install bluetooth /bin/true" + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + when: + - rhel_08_040111 + tags: + - RHEL-08-040111 + - bluetooth - - name: "RHEL-08-010020 | HIGH | PATCH | fips=1 must be in /etc/default/grub" - replace: - path: /etc/default/grub - regexp: "{{ rhel8stig_regexp_quoted_params }}" - replace: "{{ rhel8stig_replace_quoted_params }}" +- name: | + "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option." + "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option." + "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option." + block: + - name: | + "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option." + "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option." + "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option." + shell: mount | grep /dev/shm + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_040120_dev_shm_status + + - name: | + "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option." + "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option." + "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option." + mount: + path: /dev/shm + state: mounted + src: tmpfs + fstype: tmpfs + opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}" + when: rhel8stig_040120_dev_shm_status.stdout | length > 0 + when: + - rhel_08_040120 or + rhel_08_040121 or + rhel_08_040122 + tags: + - RHEL-08-040120 + - RHEL-08-040121 + - RHEL-08-040122 + - mounts + +- name: | + "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option." 
+ "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option." + "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option." + block: + - name: | + "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option." + "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option." + "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option." + shell: mount | grep /tmp + changed_when: false + failed_when: false + register: rhel8stig_040123_dev_status + + - name: | + "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option." + "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option." + "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option." + mount: + path: /tmp + state: mounted + src: "{{ tmp_mount.device }}" + fstype: xfs + opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}" vars: - key: GRUB_CMDLINE_LINUX - param: fips - value: 1 - append: yes # this is the default - when: - - not ansible_check_mode or - rhel_08_010020_default_grub_missing_audit is not changed - notify: - - confirm grub2 user cfg + tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}" + when: rhel8stig_040123_dev_status.stdout | length > 0 - - name: "RHEL-08-010020 | HIGH | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." 
- replace: - path: /etc/default/grub - regexp: "{{ rhel8stig_regexp_quoted_params }}" - replace: "{{ rhel8stig_replace_quoted_params }}" - with_items: - - "{{ ansible_mounts | json_query(query) }}" + when: + - rhel_08_040123 or + rhel_08_040124 or + rhel_08_040125 + tags: + - RHEL-08-040123 + - RHEL-08-040124 + - RHEL-08-04125 + - mounts + +- name: | + "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." + "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." + "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." + block: + - name: | + "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." + "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." + "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." + shell: mount | grep /var/log + changed_when: false + failed_when: false + register: rhel8stig_040126_var_log_status + + - name: | + "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." + "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." + "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." 
+ mount: + path: /var/log + state: mounted + src: "{{ var_log_mount.device }}" + fstype: xfs + opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}" vars: - query: "[?mount=='{{ rhel8stig_boot_part }}'] | [0]" - key: GRUB_CMDLINE_LINUX - param: boot - value: UUID={{ item.uuid }} - insert: yes - when: - - rhel8stig_boot_part not in ['/', ''] - - not ansible_check_mode or - rhel_08_010020_default_grub_missing_audit is not changed - notify: confirm grub2 user cfg - register: result - - - name: "RHEL-08-010020 | HIGH | AUDIT | Verify kernel parameters in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub - check_mode: no - with_items: - - fips=1 - - boot=UUID={{ ansible_mounts | json_query(query) }} + var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}" + when: rhel8stig_040126_var_log_status.stdout | length > 0 + when: + - rhel_08_040126 or + rhel_08_040127 or + rhel_08_040128 + tags: + - RHEL-08-040126 + - RHEL-08-040127 + - RHEL-08-040128 + - mounts + +- name: | + "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option." + "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option." + "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option." + block: + - name: | + "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option." + "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option." + "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option." 
+ shell: mount | grep /var/log/audit + changed_when: false + failed_when: false + register: rhel8stig_040129_var_log_audit_status + + - name: | + "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option." + "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option." + "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option." + mount: + path: /var/log/audit + state: mounted + src: "{{ audit_mount.device }}" + fstype: xfs + opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}" vars: - query: "[?mount=='{{ rhel8stig_boot_part }}'].uuid | [0]" - register: rhel_08_010020_audit - when: - - not ansible_check_mode or - rhel_08_010020_default_grub_missing_audit is not changed - - rhel8stig_boot_part not in ['/', ''] or - 'boot=' not in item - changed_when: - - ansible_check_mode - - rhel_08_010020_audit is failed - failed_when: - - rhel_08_010020_audit is failed - - not ansible_check_mode or - rhel_08_010020_audit.rc > 1 - when: rhel_08_010020 - tags: - - RHEL-08-010020 - - CAT1 - - CCI-000068 - - SRG-OS-000033-GPOS-00014 - - SV-230223r627750_rule - - V-230223 + audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}" + when: rhel8stig_040129_var_log_audit_status.stdout | length > 0 + when: + - rhel_08_040129 or + rhel_08_040130 or + rhel_08_040131 + tags: + - RHEL-08-040129 + - RHEL-08-040130 + - RHEL-08-040131 + - mounts - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." - "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." 
+ "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" + "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option." + "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option." block: - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" - "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" - lineinfile: - path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg" - create: yes - regexp: ^GRUB2_PASSWORD= - line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}" - owner: root - group: root - mode: 0640 - notify: confirm grub2 user cfg + "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option" + "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option." + "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option." + shell: mount | grep /var/tmp + changed_when: false + failed_when: false + register: rhel8stig_040132_var_tmp_status - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers" - "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers" + "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" + "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option." 
+ "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option." + mount: + path: /var/tmp + state: mounted + src: "{{ var_tmp_mount.device }}" + fstype: xfs + opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}" + vars: + var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}" + when: rhel8stig_040132_var_tmp_status.stdout | length > 0 + when: + - rhel_08_040132 or + rhel_08_040133 or + rhel_08_040134 + tags: + - RHEL-08-040132 + - RHEL-08-040133 + - RHEL-08-040134 + - mounts + +- name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." + block: + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy" + dnf: + name: fapolicyd + state: present + + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" + shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts + changed_when: false + failed_when: false + + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy" + service: + name: fapolicyd + state: started + enabled: yes + + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy whitelist " + lineinfile: + path: /etc/fapolicyd/fapolicyd.rules + line: "{{ item }}" + with_items: + - "{{ rhel8stig_fapolicy_white_list }}" + + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" lineinfile: - dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" - regexp: '^set superusers' - line: 'set superusers="{{ rhel8stig_boot_superuser }}"' - insertafter: '### BEGIN /etc/grub.d/01_users ###' - notify: confirm grub2 user cfg + path: /etc/fapolicyd/fapolicyd.conf + regexp: '^permissive =' + line: 'permissive = 0' when: - - not system_is_ec2 - - rhel_08_010140 or - rhel_08_010150 - tags: - - RHEL-08-010140 - - RHEL-08-010150 - - CAT1 - - CCI-000213 - - SRG-OS-000080-GPOS-00048 - - SV-230234r627750_rule - - SV-230235r627750_rule - - V-230234 - - V-230235 - - grub - - bootloader + - rhel_08_040135 + tags: + - RHEL-08-040135 + - fapolicyd + +- name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." + block: + - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" + dnf: + name: usbguard + state: present + + - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service" + service: + name: usbguard + state: started + enabled: yes + when: + - rhel_08_040140 + tags: + - RHEL-08-040140 + - usbguard -- name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." 
+- name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." block: - - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Dnf Default" + - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" + dnf: + name: nftables + state: present + + - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables" + service: + name: nftables + state: started + enabled: yes + + - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" lineinfile: - path: /etc/dnf/dnf.conf - regexp: '^gpgcheck=' - line: gpgcheck=1 - - - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Gather Repos" - find: - paths: /etc/yum.repos.d - pattern: '*.repo' - register: rhel_08_010370_repos_files_list_full + path: /etc/firewalld/firewalld.conf + regexp: '^FirewallBackend=' + line: 'FirewallBackend=nftables' + when: + - rhel_08_040150 + tags: + - RHEL-08-040150 + - firewall + - nftables - - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Flatten result" - set_fact: - rhel_08_010370_repos_files_list: "{{ rhel_08_010370_repos_files_list_full.files | map(attribute='path') | flatten }}" +- name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." + block: + - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" + dnf: + name: openssh-server + state: present + + - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" + service: + name: sshd + state: started + enabled: yes + when: + - rhel_08_040160 + tags: + - rhel_08_040160 + - ssh + +- name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server." 
+ lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?RekeyLimit' + line: 'RekeyLimit 1G 1h' + notify: restart sshd + when: + - rhel_08_040161 + tags: + - RHEL-08-040161 + - sshd + +- name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." + lineinfile: + path: /etc/ssh/ssh_config + regexp: '(?i)^#?RekeyLimit' + line: 'RekeyLimit 1G 1h' + notify: restart sshd + when: + - rhel_08_040162 + tags: + - RHEL-08-040162 + - sshd + +- name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." + systemd: + name: debug-shell.service + state: stopped + enabled: no + masked: yes + daemon_reload: yes + when: + - rhel_08_040180 + tags: + - RHEL-08-040180 + - debug-shell + +- name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." + block: + - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" + sysctl: + name: "{{ item }}" + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + with_items: + - net.ipv4.conf.default.accept_redirects + - net.ipv6.conf.default.accept_redirects - - name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Set gpgcheck" + - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
| Set accpet_redirects default value to 0" lineinfile: - path: "{{ item }}" - regexp: '^gpgcheck' - line: gpgcheck=1 + path: /etc/sysctl.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" with_items: - - "{{ rhel_08_010370_repos_files_list }}" + - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } + - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } when: - - rhel_08_010370 + - rhel_08_040210 tags: - - RHEL-08-010370 - - CAT1 - - CCI-001749 - - SRG-OS-000366-GPOS-00153 - - SV-230264r627750_rule - - V-230264 - - yum + - RHEL-08-040210 + - icmp -- name: "RHEL-08-010371 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." - lineinfile: - path: /etc/dnf/dnf.conf - regexp: '^localpkg_gpgcheck=' - line: localpkg_gpgcheck=True +- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." + block: + - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects in sysctl" + sysctl: + name: net.ipv4.conf.all.send_redirects + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + + - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. 
| Set send_redirects default value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^net.ipv4.conf.all.send_redirects'
+ line: 'net.ipv4.conf.all.send_redirects=0'
 when:
- - rhel_08_010371
+ - rhel_08_040220
 tags:
- - RHEL-08-010371
- - CAT1
- - CCI-001749
- - SRG-OS-000366-GPOS-00153
- - SV-230265r627750_rule
- - V-230265
- - dnf
+ - RHEL-08-040220
+ - icmp
-- name: "RHEL-08-010460 | HIGH | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system."
- file:
- path: /etc/ssh/shosts.equiv
- state: absent
+- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
+ block:
+ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast in sysctl"
+ sysctl:
+ name: net.ipv4.icmp_echo_ignore_broadcasts
+ state: present
+ value: '1'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+
+ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast default value to 1"
+ lineinfile:
+ name: /etc/sysctl.conf
+ regexp: '^net.ipv4.icmp_echo_ignore_broadcasts'
+ line: 'net.ipv4.icmp_echo_ignore_broadcasts=1'
 when:
- - rhel_08_010460
+ - rhel_08_040230
 tags:
- - RHEL-08-010460
- - CAT1
- - CCI-000366
- - SRG-OS-000480-GPOS-00227
- - SV-230283r627750_rule
- - V-230283
- - shosts
+ - RHEL-08-040230
+ - icmp
-- name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system."
+- name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets."
 block:
- - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system.
| Find .shosts files"
- find:
- path: '/'
- recurse: yes
- patterns: '*.shosts'
- register: rhel_08_010470_shost_files
+ - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl"
+ sysctl:
+ name: "{{ item }}"
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+ with_items:
+ - net.ipv4.conf.all.accept_source_route
+ - net.ipv6.conf.all.accept_source_route
- - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files"
- file:
- path: "{{ item.path }}"
- state: absent
+ - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
 with_items:
- - "{{ rhel_08_010470_shost_files.files }}"
+ - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' }
+ - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' }
 when:
- - rhel_08_010470
+ - rhel_08_040240
 tags:
- - RHEL-08-010470
- - CAT1
- - CCI-000366
- - SRG-OS-000480-GPOS-00227
- - SV-230284r627750_rule
- - V-230284
- - shosts
+ - RHEL-08-040240
+ - icmp
-- name: "RHEL-08-010820 | HIGH | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed."
- lineinfile:
- path: /etc/gdm/custom.conf
- regexp: (?i)automaticloginenable
- line: AutomaticLoginEnable=false
- insertafter: '\[daemon\]'
+- name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default."
+ block:
+ - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default.
| Set conf.default accept_source_route in sysctl"
+ sysctl:
+ name: "{{ item }}"
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+ with_items:
+ - net.ipv4.conf.default.accept_source_route
+ - net.ipv6.conf.default.accept_source_route
+
+ - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' }
+ - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' }
 when:
- - rhel8stig_gui
- - rhel_08_010820
+ - rhel_08_040250
 tags:
- - RHEL-08-010820
- - CAT1
- - CCI-000366
- - SRG-OS-000480-GPOS-00229
- - SV-230329r627750_rule
- - V-230329
+ - RHEL-08-040250
+ - icmp
-- name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords."
+- name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router."
 block:
- - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok"
- replace:
- path: "{{ item }}"
- regexp: ' nullok'
- replace: ''
+ - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl"
+ sysctl:
+ name: "{{ item }}"
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
 with_items:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
+ - net.ipv4.ip_forward
+ - net.ipv6.conf.all.forwarding
- - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords.
| Set PermitEmptyPasswords to no"
+ - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0"
 lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '(?i)^#?PermitEmptyPasswords'
- line: 'PermitEmptyPasswords no'
- notify: restart sshd
+ path: /etc/sysctl.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' }
+ - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' }
+
 when:
- - rhel_08_020330
- - rhel8stig_disruption_high
+ - rhel_08_040260
+ - not rhel8stig_system_is_router
 tags:
- - RHEL-08-020330
- - CAT1
- - CCI-000366
- - SRG-OS-000480-GPOS-00227
- - SV-230380r627750_rule
- - V-230380
- - disruption_high
+ - RHEL-08-040260
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces."
+ block:
+ - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra in sysctl"
+ sysctl:
+ name: net.ipv6.conf.all.accept_ra
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+
+ - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^net.ipv6.conf.all.accept_ra'
+ line: 'net.ipv6.conf.all.accept_ra=0'
+ when:
+ - rhel_08_040261
+ - not rhel8stig_system_is_router
+ tags:
+ - RHEL-08-040261
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default."
+ block:
+ - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
| Set accept_ra in sysctl"
+ sysctl:
+ name: net.ipv6.conf.default.accept_ra
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+
+ - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^net.ipv6.conf.default.accept_ra'
+ line: 'net.ipv6.conf.default.accept_ra=0'
+ when:
+ - rhel_08_040262
+ - not rhel8stig_system_is_router
+ tags:
+ - RHEL-08-040262
+ - icmp
+
+- name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default."
+ block:
+ - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl"
+ sysctl:
+ name: net.ipv4.conf.default.send_redirects
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+
+ - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^net.ipv4.conf.default.send_redirects'
+ line: 'net.ipv4.conf.default.send_redirects=0'
+ when:
+ - rhel_08_040270
+ tags:
+ - RHEL-08-040270
+ - icmp
-- name: "RHEL-08-040000 | HIGH | PATCH | RHEL 8 must not have the telnet-server package installed."
+- name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages."
+ block:
+ - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages.
| Set all.accept_redirects in sysctl"
+ sysctl:
+ name: "{{ item }}"
+ state: present
+ value: '0'
+ reload: "{{ rhel8stig_sysctl_reload }}"
+ with_items:
+ - net.ipv4.conf.all.accept_redirects
+ - net.ipv6.conf.all.accept_redirects
+
+ - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' }
+ - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' }
+ when:
+ - rhel_08_040280
+ tags:
+ - RHEL-08-040280
+ - icmp
+
+- name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes."
+ lineinfile:
+ path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+ regexp: '^kernel.unprivileged_bpf_disabled'
+ line: 'kernel.unprivileged_bpf_disabled = 1'
+ owner: root
+ group: root
+ mode: 0640
+ notify: sysctl system
+ when:
+ - rhel_08_040281
+ tags:
+ - RHEL-08-040281
+ - sysctl
+
+- name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes."
+ lineinfile:
+ path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+ regexp: '^kernel.yama.ptrace_scope'
+ line: 'kernel.yama.ptrace_scope = 1'
+ notify: sysctl system
+ when:
+ - rhel_08_040282
+ tags:
+ - RHEL-08-040282
+ - sysctl
+
+- name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access."
+ lineinfile:
+ path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+ regexp: '^kernel.kptr_restrict'
+ line: 'kernel.kptr_restrict = 1'
+ owner: root
+ group: root
+ mode: 0640
+ notify: sysctl system
+ when:
+ - rhel_08_040283
+ tags:
+ - RHEL-08-040283
+ - sysctl
+
+- name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces."
+ lineinfile:
+ path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+ regexp: '^user.max_user_namespaces'
+ line: 'user.max_user_namespaces = 0'
+ notify: sysctl system
+ when:
+ - rhel_08_040284
+ tags:
+ - RHEL-08-040284
+ - sysctl
+
+- name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces."
+ lineinfile:
+ path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+ regexp: '^net.ipv4.conf.all.rp_filter'
+ line: 'net.ipv4.conf.all.rp_filter = 1'
+ notify: sysctl system
+ when:
+ - rhel_08_040285
+ tags:
+ - RHEL-08-040285
+ - sysctl
+
+- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying."
+ block:
+ - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed."
+ command: rpm -q postfix
+ failed_when: no
+ check_mode: no
+ changed_when: no
+ register: rhel_08_040290_rpm_audit
+
+ - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction"
+ command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'"
+ check_mode: no
+ when: '"postfix-" in rhel_08_040290_rpm_audit.stdout'
+ when:
+ - rhel_08_040290
+ tags:
+ - RHEL-08-040290
+
+- name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved."
+ package:
+ name: xorg-x11-server-common
+ state: absent
+ when:
+ - rhel_08_040320
+ - not rhel8stig_gui
+
+- name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode."
+ block:
+ - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode"
+ shell: "ip link | grep -i promisc | cut -d ':' -f 2"
+ check_mode: no
+ failed_when: no
+ changed_when: rhel_08_040670_promisc_check.stdout != ''
+ ignore_errors: yes
+ register: rhel_08_040670_promisc_check
+
+ - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode"
+ shell: "ip link set dev {{ item }} promisc off"
+ with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}"
+ when:
+ - rhel_08_040330
+ - not rhel8stig_net_promisc_mode_required
+ tags:
+ - RHEL-08-040330
+
+- name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '(?i)^#?X11Forwarding'
+ line: 'X11Forwarding no'
+ create: yes
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart sshd
+ when:
+ - rhel_08_040340
+ - rhel8stig_ssh_required
+ tags:
+ - RHEL-08-040340
+ - ssh
+
+- name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '(?i)^#?X11UseLocalhost'
+ line: 'X11UseLocalhost yes'
+ when:
+ - rhel_08_040341
+ tags:
+ - RHEL-08-040341
+ - ssh
+
+- name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode."
+ lineinfile:
+ path: /etc/xinetd.d/tftp
+ regexp: "(?i)^.*server_args.*="
+ line: "\tserver_args\t\t= -s /var/lib/tftpboot"
+ insertafter: "\tserver\t\t\t="
+ state: present
+ register: result
+ failed_when:
+ - result is failed
+ - result.rc != 257
+ when:
+ - rhel_08_040350
+ - rhel8stig_tftp_required
+ tags:
+ - skip_ansible_lint
+ - RHEL-08-040350
+ - tftp
+
+- name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8."
 dnf:
- name: telnet-server
+ name: iprutils
 state: absent
 when:
- - rhel_08_040000
-
- - "'telnet-server' in ansible_facts.packages"
+ - rhel_08_040380
 tags:
- - RHEL-08-040000
- - CAT1
- - CCI-000381
- - SRG-OS-000095-GPOS-00049
- - SV-230487r627750_rule
- - V-230487
+ - RHEL-08-040380
+ - iprutils
-- name: "RHEL-08-040010 | HIGH | PATCH | RHEL 8 must not have the rsh-server package installed."
+- name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8."
 dnf:
- name: rsh-server
+ name: tuned
 state: absent
 when:
- - rhel_08_040010
- - "'rsh-server' in ansible_facts.packages"
- tags:
- - RHEL-08-040010
- - CAT1
- - CCI-000381
- - SRG-OS-000095-GPOS-00049
- - SV-230492r627750_rule
- - V-230492
-
-
-
-
-# - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date."
-# dnf:
-# name: "*"
-# state: latest
-# when:
-# - not system_is_ec2
-# - rhel_08_010010
-# tags:
-# - RHEL-08-010010
-
-# - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."
-# block:
-# - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
| Get partition layout"
-# command: lsblk
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010030_partition_layout
-
-# - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning"
-# debug:
-# msg:
-# - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm'
-# - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding"
-# - "{{ rhel_08_010030_partition_layout.stdout_lines }}"
-
-# when: rhel_08_010030
-# tags:
-# - RHEL-08-010030
-
-# - name: |
-# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon."
-# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon"
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path""
-# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path""
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '(?i)^#?Banner'
-# line: 'Banner /etc/issue'
-
-# - name: |
-# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.
| Set banner message""
-# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message""
-# copy:
-# dest: "{{ item }}"
-# content: "{{ rhel8stig_logon_banner }}"
-# owner: root
-# group: root
-# mode: '0644'
-# notify: restart sshd
-# with_items:
-# - /etc/issue
-# - /etc/issue.net
-# when:
-# # - not system_is_ec2
-# - rhel_08_010040 or
-# rhel_08_010060
-# tags:
-# - RHEL-08-010040
-# - RHEL-08-010060
-
-# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."
-# copy:
-# dest: /etc/dconf/db/local.d/01-banner-message
-# content: |
-# [org/gnome/login-screen]
-# banner-message-enable=true
-# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}'
-# mode: '0644'
-# owner: root
-# group: root
-# vars:
-# newline: "\n"
-# notify: dconf update
-# when:
-# - rhel_08_010050
-# - "'dconf' in ansible_facts.packages"
-# - rhel8stig_always_configure_dconf
-
-# tags:
-# - RHEL-08-010050
-
-# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored."
-# lineinfile:
-# path: /etc/rsyslog.d/50-default.conf
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# create: yes
-# mode: '0644'
-# notify: restart rsyslog
-# with_items:
-# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' }
-# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' }
-# when:
-# - rhel_08_010070
-# tags:
-# - RHEL-08-010070
-
-# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm.
-# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."
-# block:
-# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs"
-# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010090_certs_list
-
-# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs"
-# debug:
-# msg:
-# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD"
-# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem"
-# - "{{ rhel_08_010090_certs_list.stdout_lines }}"
-# when:
-# - rhel_08_010090
-# tags:
-# - RHEL-08-010090
-
-# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key."
-# block:
-# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder"
-# file:
-# path: "{{ rhel8stig_path_to_sshkey }}"
-# state: directory
-# mode: '0700'
-
-# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
| Create key pair"
-# openssh_keypair:
-# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa"
-# when:
-# - rhel_08_010100
-# tags:
-# - RHEL-08-010100
-
-# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm."
-# lineinfile:
-# path: /etc/login.defs
-# regexp: '^ENCRYPT_METHOD.*'
-# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}"
-# when:
-# - rhel_08_010110
-# tags:
-# - RHEL-08-010110
-# - login
-
-# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords."
-# block:
-# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing"
-# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010120_non_fips_hashed_accounts
-
-# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing"
-# command: "passwd -l {{ item }}"
-# args:
-# warn: no
-# with_items:
-# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
-# when:
-# - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0
-
-# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts"
-# debug:
-# msg:
-# - "ALERT!! The following accounts do not have FIPS 140-2 hasing.
Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG"
-# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
-# when:
-# - not rhel8stig_disruption_high
-# - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0
-# when:
-# - rhel_08_010120
-# - rhel8stig_disruption_high
-# tags:
-# - RHEL-08-010120
-# - disruption_high
-
-# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument"
-# pamd:
-# name: "{{ item }}"
-# type: password
-# control: sufficient
-# module_path: pam_unix.so
-# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}"
-# state: args_present
-# with_items:
-# - password-auth
-# - system-auth
-# when:
-# - rhel_08_010130
-# tags:
-# - RHEL-08-010130
-
-# - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes."
-# lineinfile:
-# path: /usr/lib/systemd/system/rescue.service
-# regexp: '^ExecStart='
-# line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-
-# when:
-# - rhel_08_010151
-# tags:
-# - RHEL-08-010151
-# - systemd
-
-# - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument"
-# pamd:
-# name: "{{ item }}"
-# type: password
-# control: sufficient
-# module_path: pam_unix.so
-# module_arguments: sha512
-# state: args_present
-# with_items:
-# - password-auth
-# - system-auth
-# when:
-# - rhel_08_010160
-# tags:
-# - RHEL-08-010160
-
-# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication."
-# block:
-# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication.
| Find .keytab files"
-# find:
-# path: /
-# patterns: '*.keytab'
-# recurse: yes
-# register: rhel8stig_010161_keytab_files
-
-# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files"
-# file:
-# path: "{{ item.path }}"
-# state: absent
-# with_items:
-# - "{{ rhel8stig_010161_keytab_files.files }}"
-# when: rhel8stig_010161_keytab_files.matched > 0
-# when:
-# - rhel_08_010161
-# tags:
-# - RHEL-08-010161
-# - kerberos
-
-# - name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8."
-# dnf:
-# name: krb5-workstation
-# state: absent
-# when:
-# - rhel_08_010162
-# tags:
-# - RHEL-08-010162
-# - kerberos
-
-# - name: |
-# "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services."
-# "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
-# selinux:
-# state: enforcing
-# policy: targeted
-# check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}"
-# notify: reboot system
-# when:
-# - rhel_08_010170 or rhel_08_010450
-# - not rhel8stig_system_is_container
-# - rhel8stig_disruption_high
-# tags:
-# - RHEL-08-010170
-# - RHEL-08-010450
-# - selinux
-# - disruption_high
-
-# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources."
-# block:
-# - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root"
-# shell: "find / !
-user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010180_public_not_root_owned
-
-# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders"
-# file:
-# path: "{{ item }}"
-# owner: root
-# group: root
-# with_items:
-# - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}"
-# when:
-# - rhel_08_010180
-# tags:
-# - RHEL-08-010180
-
-# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources."
-# block:
-# - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories"
-# shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010190_world_writable_files
-
-# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files"
-# file:
-# path: "{{ item }}"
-# mode: '1777'
-# with_items:
-# - "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
-# when:
-# - rhel_08_010190
-# tags:
-# - RHEL-08-010190
-
-# - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# notify: restart sshd
-# with_items:
-# - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'}
-# - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' }
-# when:
-# - rhel_08_010200
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010200
-# - ssh
-
-# - name: |
-# "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive."
-# "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root."
-# "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root."
-# file:
-# path: /var/log/messages
-# owner: root
-# group: root
-# mode: '0640'
-# when:
-# - rhel_08_010210 or
-# rhel_08_010220 or
-# rhel_08_010230
-# tags:
-# - RHEL-08-010210
-# - RHEL-08-010220
-# - RHEL-08-010230
-
-# - name: |
-# "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive."
-# "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root."
-# "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root."
-# file:
-# path: /var/log
-# owner: root
-# group: root
-# mode: '0755'
-# when:
-# - rhel_08_010240 or
-# rhel_08_010250 or
-# rhel_08_010260
-# tags:
-# - RHEL-08-010240
-# - RHEL-08-010250
-# - RHEL-08-010260
-
-# - name: |
-# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms."
-# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections"
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state"
-# "MEDIUM | RHEL-08-010291 | AUDIT | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Get current FIPS mode state"
-# command: fips-mode-setup --check
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010290_pre_fips_check
-
-# - name: |
-# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS"
-# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Enable FIPS"
-# command: fips-mode-setup --enable
-# register: rhel_08_010290_fips_enable
-# notify: reboot system
-# when: '"disabled" in rhel_08_010290_pre_fips_check.stdout'
-
-# - name: |
-# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms.
| Add ssh ciphers" -# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Add ssh ciphers" -# lineinfile: -# path: "{{ item.path }}" -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# notify: reboot system -# with_items: -# - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } -# - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } -# when: -# - rhel_08_010290 or -# rhel_08_010291 -# tags: -# - RHEL-08-010290 -# - RHEL-08-010291 -# - fips - -# - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." -# block: -# - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" -# command: fips-mode-setup --check -# changed_when: false -# failed_when: false -# register: rhel_08_010293_pre_fips_check - -# - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" -# command: fips-mode-setup --enable -# register: rhel_08_010290_fips_enable -# notify: reboot system -# when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' -# when: -# - rhel_08_010293 -# tags: -# - RHEL-08-010293 -# - fips - -# - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." 
-# lineinfile: -# path: /etc/crypto-policies/back-ends/opensslcnf.config -# regexp: '^MinProtocol =' -# line: "MinProtocol = TLSv1.2" -# notify: reboot system -# when: -# - rhel_08_010294 -# tags: -# - RHEL-08-010294 -# - openssl - -# - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" -# lineinfile: -# path: /etc/crypto-policies/back-ends/gnutls.config -# regexp: '^(.*\+VERS-ALL:)' -# line: '\1{{ rhel8stig_gnutls_encryption }}' -# backrefs: true -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: reboot system -# when: -# - rhel_08_010295 -# tags: -# - RHEL-08-010295 -# - gnutls - -# - name: | -# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." -# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." -# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." -# block: -# - name: | -# "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" -# "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" -# "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" -# shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel_08_010300_commands - -# - name: | -# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" -# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" -# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. 
| Set permissions" -# file: -# path: "{{ item }}" -# owner: root -# group: root -# mode: '0755' -# force: yes -# with_items: -# - "{{ rhel_08_010300_commands.stdout_lines }}" -# when: -# - rhel_08_010300 or -# rhel_08_010310 or -# rhel_08_010320 -# tags: -# - RHEL-08-010300 -# - RHEL-08-010310 -# - RHEL-08-010320 - -# - name: | -# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." -# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." -# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root." -# block: -# - name: | -# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" -# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" -# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" -# shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel_08_010330_library_files - -# - name: | -# "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" -# "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" -# "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. 
| Get library files not group-owned by root" -# file: -# path: "{{ item }}" -# owner: root -# group: root -# mode: '0755' -# with_items: -# - "{{ rhel_08_010330_library_files.stdout_lines }}" -# when: -# - rhel_08_010330 or -# rhel_08_010340 or -# rhel_08_010350 -# tags: -# - RHEL-08-010330 -# - RHEL-08-010340 -# - RHEL-08-010350 - -# - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." -# cron: -# name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' -# user: "{{ rhel8stig_aide_cron.user }}" -# cron_file: "{{ rhel8stig_aide_cron.cron_file }}" -# job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" -# minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | -# ternary('0', omit)) | default(omit) }}" -# hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | -# ternary('0', omit)) | default(omit) }}" -# weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['weekly']) | -# ternary('0', omit)) | default(omit) }}" -# day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['monthly']) | -# ternary('1', omit)) | default(omit) }}" -# special_time: "{{ (rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | -# ternary(omit, rhel8stig_aide_cron.special_time) }}" -# when: -# - rhel_08_010360 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010360 -# - aide - -# - name: 
"MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." -# block: -# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if using numbered link files" -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.kexec_load_disabled =' -# line: "kernel.kexec_load_disabled = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched > 0 -# - rhel8stig_sysctlconf_filename.files[0].islnk - -# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if no numbered link files" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^kernel.kexec_load_disabled =' -# line: "kernel.kexec_load_disabled = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched == 0 or -# not rhel8stig_sysctlconf_filename.files[0].islnk -# when: -# - rhel_08_010372 -# tags: -# - RHEL-08-010372 -# - sysctl - -# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." -# block: -# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if using numbered link files" -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^fs.protected_symlinks =' -# line: "fs.protected_symlinks = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched > 0 -# - rhel8stig_sysctlconf_filename.files[0].islnk - -# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. 
| Set protected symlinks if no numbered link files" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^fs.protected_symlinks =' -# line: "fs.protected_symlinks = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched == 0 or -# not rhel8stig_sysctlconf_filename.files[0].islnk -# when: -# - rhel_08_010373 -# tags: -# - RHEL-08-010373 -# - sysctl - -# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." -# block: -# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if using numbered link files" -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^fs.protected_hardlinks =' -# line: "fs.protected_hardlinks = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched > 0 -# - rhel8stig_sysctlconf_filename.files[0].islnk - -# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if no numbered link files" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^fs.protected_hardlinks =' -# line: "fs.protected_hardlinks = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched == 0 or -# not rhel8stig_sysctlconf_filename.files[0].islnk -# when: -# - rhel_08_010374 -# tags: -# - RHEL-08-010374 -# - sysctl - -# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." 
-# replace: -# path: "{{ item }}" -# regexp: '^([^#].*)NOPASSWD(.*)' -# replace: '\1PASSWD\2' -# with_items: -# - "{{ rhel8stig_sudoers_files.stdout_lines }}" -# when: -# - rhel_08_010380 -# - rhel8stig_using_password_auth -# tags: -# - RHEL-08-010380 -# - sudoers - -# - name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." -# replace: -# path: "{{ item }}" -# regexp: '^([^#].*)!authenticate(.*)' -# replace: '\1authenticate\2' -# with_items: -# - "{{ rhel8stig_sudoers_files.stdout_lines }}" -# when: -# - rhel_08_010381 -# - rhel8stig_using_password_auth -# tags: -# - RHEL-08-010381 -# - sudoers - -# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." -# block: -# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" -# dnf: -# name: esc -# state: present -# when: rhel8stig_gui - -# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" -# dnf: -# name: openssl-pkcs11 -# state: present -# when: -# - rhel_08_010390 -# tags: -# - RHEL-08-010390 -# - multifactor - -# - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." -# lineinfile: -# path: '{{ rhel8stig_sssd_conf }}' -# regexp: '^certificate_verification = {{ item }}' -# state: absent -# with_items: -# - 'no_ocsp, no_verification' -# - no_ocsp -# - no_verification -# notify: restart sssd -# when: -# - "'sssd' in ansible_facts.packages" -# - rhel8stig_sssd_conf_present.stat.exists -# - rhel_08_010400 -# tags: -# - RHEL-08-010400 - -# - name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." 
-# dnf: -# name: opensc -# state: present -# when: -# - rhel_08_010410 -# tags: -# - RHEL-08-010410 -# - opensc -# - piv - -# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." -# block: -# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state" -# shell: dmesg |grep "NX (" -# changed_when: false -# failed_when: false -# register: rhel_08_010420_nx_bit_state - -# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" -# debug: -# msg: -# - "Good News! You are setup with execute disable active." -# when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' - -# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" -# debug: -# msg: -# - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" -# when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' -# when: -# - rhel_08_010420 -# tags: -# - RHEL-08-010420 - -# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." -# block: -# - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" -# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel8stig_010421_grub_cmdline_linux - -# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
| Set page poison 1 as active" -# shell: grubby --update-kernel=ALL --args="page_poison=1" - -# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX=' -# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"' -# when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout' - -# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists" -# replace: -# path: /etc/default/grub -# regexp: 'page_poison=([^\s|"])+' -# replace: "page_poison=1" -# when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout' -# when: -# - rhel_08_010421 -# tags: -# - RHEL-08-010421 -# - grub - -# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls." -# block: -# - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" -# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel8stig_010422_grub_cmdline_linux - -# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" -# shell: grubby --update-kernel=ALL --args="vsyscall=none" - -# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX=' -# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"' -# when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout' - -# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. 
| Set vsyscall none for kernel updates if exists" -# replace: -# path: /etc/default/grub -# regexp: 'vsyscall=([^\s|"])+' -# replace: "vsyscall=none" -# when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout' -# when: -# - rhel_08_010422 -# tags: -# - RHEL-08-010422 -# - grub - -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks." -# block: -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" -# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel8stig_010423_grub_cmdline_linux - -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" -# shell: grubby --update-kernel=ALL --args="slub_debug=P" - -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX=' -# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"' -# when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout' - -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists" -# replace: -# path: /etc/default/grub -# regexp: 'slub_debug=([^\s|"])+' -# replace: "slub_debug=P" -# when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout' -# when: -# - rhel_08_010423 -# tags: -# - RHEL-08-010423 -# - grub - -# - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." 
-# sysctl: -# name: kernel.randomize_va_space -# value: '2' -# state: present -# reload: "{{ rhel8stig_sysctl_reload }}" -# sysctl_set: yes -# ignoreerrors: yes -# notify: sysctl system -# when: -# - rhel_08_010430 -# tags: -# - RHEL-08-010430 -# - sysctl - -# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." -# block: -# - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files" -# find: -# paths: /etc/ssh -# recurse: yes -# file_type: file -# patterns: 'ssh_host*_key.pub' -# hidden: true -# changed_when: false -# failed_when: false -# register: rhel_08_010480_public_files - -# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" -# file: -# path: "{{ item.path }}" -# mode: '0644' -# with_items: -# - "{{ rhel_08_010480_public_files.files }}" -# notify: restart sshd -# when: -# - rhel_08_010480 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010480 -# - ssh - -# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." -# block: -# - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files" -# find: -# paths: /etc/ssh -# recurse: yes -# file_type: file -# patterns: 'ssh_host*key' -# hidden: true -# changed_when: false -# failed_when: false -# register: rhel_08_010490_private_host_key_files - -# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. 
| Set permissions" -# file: -# path: "{{ item.path }}" -# mode: '0640' -# with_items: -# - "{{ rhel_08_010490_private_host_key_files.files }}" -# notify: restart sshd -# when: -# - rhel_08_010490 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010490 -# - ssh - -# - name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?StrictModes' -# line: 'StrictModes yes' -# notify: restart sshd -# when: -# - rhel_08_010500 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010500 -# - ssh - -# - name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?Compression' -# line: 'Compression {{ rhel8stig_sshd_compression }}' -# notify: restart sshd -# when: -# - rhel_08_010510 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010510 -# - ssh - -# - name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?IgnoreUserKnownHosts' -# line: 'IgnoreUserKnownHosts yes' -# notify: restart sshd -# when: -# - rhel_08_010520 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010520 -# - ssh - -# - name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication." 
-# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" } -# - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" } -# notify: restart sshd -# when: -# - rhel_08_010521 -# tags: -# - RHEL-08-010521 -# - ssh - -# - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." -# debug: -# msg: "WARNING!!!! /tmp is not mounted on a separate partition" -# changed_when: -# - rhel8stig_audit_complex -# when: -# - rhel_08_010543 -# - not rhel8stig_system_is_container -# - rhel8stig_complex -# - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 -# tags: -# - RHEL-08-010543 -# - complexity-high -# - mount -# - tmp - -# - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?PermitRootLogin' -# line: 'PermitRootLogin no' -# notify: restart sshd -# when: -# - rhel_08_010550 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010550 -# - ssh - -# - name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8." -# service: -# name: auditd -# state: started -# enabled: yes -# when: -# - rhel_08_010560 -# - not rhel8stig_system_is_container -# tags: -# - RHEL-08-010560 -# - auditd - -# - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." -# service: -# name: rsyslog.service -# state: started -# enabled: true -# when: -# - rhel_08_010561 -# tags: -# - RHEL-08-010561 -# - rsyslog - -# - name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." 
-# mount: -# path: /home -# state: mounted -# src: "{{ home_mount.device }}" -# fstype: "{{ home_mount.fstype }}" -# opts: "{{ home_mount.options }},nosuid" -# when: -# - rhel_08_010570 -# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 -# - "'nosuid' not in home_mount.options" -# vars: -# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" -# tags: -# - RHEL-08-010570 -# - mounts -# - home - -# - name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory." -# mount: -# path: /boot -# state: mounted -# src: "{{ boot_mount.device }}" -# fstype: "{{ boot_mount.fstype }}" -# opts: "{{ boot_mount.options }},nosuid" -# when: -# - rhel_08_010571 -# - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0 -# - "'nosuid' not in boot_mount.options" -# vars: -# boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}" -# tags: -# - RHEL-08-010571 -# - mounts -# - boot - -# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." -# block: -# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" -# shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' -# args: -# warn: no -# changed_when: no -# check_mode: no -# register: rhel8stig_010580_mounts_nodev - -# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. 
| Split results" -# set_fact: -# rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}" - -# with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}" -# vars: -# ld_mount_regex: >- -# ^(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*) -# ld_mount_yaml: | -# device: >-4 -# \g -# mpoint: >-4 -# \g -# fs: >-4 -# \g -# opts: >-4 -# \g -# when: rhel8stig_010580_mounts_nodev.stdout | length > 0 - -# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value" -# mount: -# path: "{{ item.mpoint }}" -# state: mounted -# src: "{{ item.device }}" -# fstype: "{{ item.fs }}" -# opts: "{{ item.opts }},nodev" -# with_items: -# - "{{ rhel8stig_010580_mounts | default([]) }}" -# when: -# - item.device != "/" -# - "'odev' not in item.opts" -# - rhel8stig_010580_mounts_nodev.stdout | length > 0 -# when: -# - rhel_08_010580 -# tags: -# - RHEL-08-010580 -# - mounts -# - non-root - -# - name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories." -# mount: -# path: /home -# state: mounted -# src: "{{ home_mount.device }}" -# fstype: "{{ home_mount.fstype }}" -# opts: "{{ home_mount.options }},noexec" -# when: -# - rhel_08_010590 -# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 -# - "'noexec' not in home_mount.options" -# vars: -# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" -# tags: -# - RHEL-08-010590 -# - mounts -# - home - -# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media." -# block: -# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. 
| Set nodev to /media" -# mount: -# path: /media -# state: mounted -# src: "{{ removable_mount.device }}" -# fstype: "{{ removable_mount.fstype }}" -# opts: "{{ removable_mount.options }},nodev" -# when: -# - rhel_08_010600 -# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 -# - "'nodev' not in home_mount.options" -# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) -# vars: -# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - -# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /mnt" -# mount: -# path: /mnt -# state: mounted -# src: "{{ removable_mount2.device }}" -# fstype: "{{ removable_mount2.fstype }}" -# opts: "{{ removable_mount2.options }},nodev" -# when: -# - rhel_08_010600 -# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 -# - "'nodev' not in home_mount.options" -# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) -# vars: -# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" -# when: -# - rhel_08_010600 -# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) -# tags: -# - RHEL-08-010600 -# - mounts -# - media - -# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media." -# block: -# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. 
| Set noexec to /media" -# mount: -# path: /media -# state: mounted -# src: "{{ removable_mount.device }}" -# fstype: "{{ removable_mount.fstype }}" -# opts: "{{ removable_mount.options }},noexec" -# when: -# - rhel_08_010600 -# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 -# - "'noexec' not in home_mount.options" -# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) -# vars: -# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - -# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt" -# mount: -# path: /mnt -# state: mounted -# src: "{{ removable_mount2.device }}" -# fstype: "{{ removable_mount2.fstype }}" -# opts: "{{ removable_mount2.options }},noexec" -# when: -# - rhel_08_010610 -# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 -# - "'noexec' not in home_mount.options" -# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) -# vars: -# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" -# when: -# - rhel_08_010610 -# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) -# tags: -# - RHEL-08-010610 -# - mounts -# - media - -# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." -# block: -# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set nosuid to /media" -# mount: -# path: /media -# state: mounted -# src: "{{ removable_mount.device }}" -# fstype: "{{ removable_mount.fstype }}" -# opts: "{{ removable_mount.options }},nosuid" -# when: -# - rhel_08_010620 -# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 -# - "'nosuid' not in home_mount.options" -# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) -# vars: -# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - -# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt" -# mount: -# path: /mnt -# state: mounted -# src: "{{ removable_mount2.device }}" -# fstype: "{{ removable_mount2.fstype }}" -# opts: "{{ removable_mount2.options }},nosuid" -# when: -# - rhel_08_010620 -# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 -# - "'nosuid' not in home_mount.options" -# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) -# vars: -# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" -# when: -# - rhel_08_010620 -# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) -# tags: -# - RHEL-08-010620 -# - mounts -# - media - -# - name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)." 
-# mount:
-# path: "{{ item }}"
-# src: "{{ ansible_mounts | json_query(device_query) }}"
-# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
-# opts: "{{ ansible_mounts | json_query(options_query) }},noexec"
-# state: mounted
-# vars:
-# device_query: '[?mount == `{{ item }}`] | [0].device'
-# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
-# options_query: '[?mount == `{{ item }}`] | [0].options'
-# with_items: "{{ rhel8stig_nfs_mounts }}"
-# when:
-# - rhel_08_010630
-# - "'noexec' not in (ansible_mounts | json_query(options_query))"
-# tags:
-# - RHEL-08-010630
-# - mounts
-# - nfs
-
-# - name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)."
-# mount:
-# path: "{{ item }}"
-# src: "{{ ansible_mounts | json_query(device_query) }}"
-# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
-# opts: "{{ ansible_mounts | json_query(options_query) }},nodev"
-# state: mounted
-# vars:
-# device_query: '[?mount == `{{ item }}`] | [0].device'
-# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
-# options_query: '[?mount == `{{ item }}`] | [0].options'
-# with_items: "{{ rhel8stig_nfs_mounts }}"
-# when:
-# - rhel_08_010640
-# - "'nodev' not in (ansible_mounts | json_query(options_query))"
-# tags:
-# - RHEL-08-010640
-
-# - name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)"
-# mount:
-# path: "{{ item }}"
-# src: "{{ ansible_mounts | json_query(device_query) }}"
-# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
-# opts: "{{ ansible_mounts | json_query(options_query) }},nosuid"
-# state: mounted
-# vars:
-# device_query: '[?mount == `{{ item }}`] | [0].device'
-# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
-# options_query: '[?mount == `{{ item }}`] | [0].options'
-# with_items: "{{ rhel8stig_nfs_mounts 
}}"
-# when:
-# - rhel_08_010650
-# - "'nosuid' not in (ansible_mounts | json_query(options_query))"
-# tags:
-# - RHEL-08-010650
-
-# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs."
-# block:
-# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions"
-# shell: find {{ item.mount }} -xdev -type f -perm -002
-# args:
-# warn: no
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010660_world_writable_files
-# with_items:
-# - "{{ ansible_mounts }}"
-
-# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening"
-# set_fact:
-# rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}"
-
-# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories"
-# include_tasks: audit_homedirinifiles.yml
-# loop:
-# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
-# loop_control:
-# loop_var: ini_item
-# when:
-# - rhel_08_010660_change_perms != []
-
-# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
-# file:
-# path: "{{ item }}"
-# mode: '0755'
-# state: file
-# with_items:
-# - "{{ rhel_08_010660_change_perms }}"
-# when:
-# - rhel_08_010660_change_perms != []
-# when:
-# - rhel_08_010660
-# - rhel8stig_disruption_high
-# # - rhel_08_stig_interactive_homedir_inifiles is defined
-# tags:
-# - RHEL-08-010660
-
-# - name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed."
-# service:
-# name: kdump
-# enabled: no
-# state: stopped
-# when:
-# - rhel_08_010670
-# - not rhel8stig_kdump_needed
-# tags:
-# - RHEL-08-010670
-# - kdump
-
-# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
-# block:
-# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if using numbered link files"
-# lineinfile:
-# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
-# regexp: '^kernel.core_pattern ='
-# line: "kernel.core_pattern = |/bin/false"
-# notify: sysctl system
-# when:
-# - rhel8stig_sysctlconf_filename.matched > 0
-# - rhel8stig_sysctlconf_filename.files[0].islnk
-
-# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if no numbered link files"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: '^kernel.core_pattern ='
-# line: "kernel.core_pattern = |/bin/false"
-# notify: sysctl system
-# when:
-# - rhel8stig_sysctlconf_filename.matched == 0 or
-# not rhel8stig_sysctlconf_filename.files[0].islnk
-# when:
-# - rhel_08_010671
-# tags:
-# - RHEL-08-010671
-# - sysctl
-
-# - name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps."
-# systemd:
-# name: systemd-coredump.socket
-# masked: yes
-# daemon_reload: yes
-# notify: systemctl daemon-reload
-# when:
-# - rhel_08_010672
-# tags:
-# - RHEL-08-010672
-# - systemd
-
-# - name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users."
-# lineinfile:
-# path: /etc/security/limits.conf
-# regexp: '^\*.*hard.*core'
-# line: "* hard core 0"
-# insertbefore: '# End of file'
-# when:
-# - rhel_08_010673
-# tags:
-# - RHEL-08-010673
-# - security
-# - limits
-
-# - name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps."
-# lineinfile:
-# path: /etc/systemd/coredump.conf
-# regexp: '^(S|s)torage=|#(S|s)torage='
-# line: "Storage=none"
-# when:
-# - rhel_08_010674
-# tags:
-# - RHEL-08-010674
-# - systemd
-
-# - name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces."
-# lineinfile:
-# path: /etc/systemd/coredump.conf
-# regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax='
-# line: "ProcessSizeMax=0"
-# when:
-# - rhel_08_010675
-# tags:
-# - RHEL-08-010675
-# - systemd
-
-# # NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service.
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."
-# block:
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf"
-# shell: grep "dns" /etc/nsswitch.conf | grep -v "#"
-# changed_when: no
-# failed_when: false
-# check_mode: no
-# register: rhel_08_010680_nsswitch_check
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf"
-# command: grep -c "# Generated by NetworkManager" /etc/resolv.conf
-# changed_when: no
-# failed_when: false
-# check_mode: no
-# register: rhel_08_010680_networkmanager_check
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Determine number of nameserver lines in /etc/resolv.conf"
-# shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l
-# changed_when: no
-# failed_when: false
-# check_mode: no
-# register: rhel_08_010680_nameserver_count
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf"
-# shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf
-# when:
-# - "'dns' not in rhel_08_010680_nsswitch_check.stdout"
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf"
-# lineinfile:
-# dest: /etc/resolv.conf
-# regexp: "{{ item.regexp }}"
-# line: "nameserver {{ item.line }}"
-# insertafter: "{{ item.after }}"
-# with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers
-# - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search }
-# - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
-# # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
-# when:
-# - not rhel8_stig_use_resolv_template
-# - rhel_08_010680_networkmanager_check.stdout == '0'
-# - rhel_08_010680_nameserver_count.stdout | int >= 2
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Set resolv.conf using a template when not NetworkManager controlled"
-# template:
-# src: resolv.conf.j2
-# dest: /etc/resolv.conf
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_010680_networkmanager_check.stdout == '0'
-# - rhel8_stig_use_resolv_template
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp."
-# debug:
-# msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations."
-# changed_when: true
-# when:
-# - rhel_08_010680_networkmanager_check.stdout != '0' or rhel_08_010680_nameserver_count.stdout| int < 2
-# - not rhel8_stig_use_resolv_template
-# when:
-# - rhel_08_010680
-# - not rhel8stig_system_is_chroot
-# - not rhel8stig_system_is_container
-# - not system_is_ec2
-# tags:
-# - RHEL-08-010680
-
-# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
-# block:
-# - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. 
| Find path files"
-# shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
-# with_items: "{{ rhel_08_stig_interactive_homedir_results }}"
-# register: rhel_08_010690_ini_path_grep_list
-# changed_when: no
-# failed_when: false
-
-# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
-# debug:
-# msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory.
-# with_items:
-# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
-
-# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
-# lineinfile:
-# path: "{{ item }}"
-# regexp: "^PATH="
-# line: "{{ rhel_08_010690_user_path }}"
-# with_items:
-# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
-# when:
-# - rhel_08_010690
-# - rhel8stig_disruption_high
-# - rhel8stig_change_user_path
-# tags:
-# - RHEL-08-010690
-# - complexity-high
-
-# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
-# block:
-# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. 
| Get directories"
-# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010700_world_writable_directories
-
-# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions"
-# file:
-# path: "{{ item }}"
-# owner: root
-# with_items:
-# - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}"
-# when: rhel_08_010700_world_writable_directories.stdout | length > 0
-# when:
-# - rhel_08_010700
-# tags:
-# - RHEL-08-010700
-
-# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."
-# block:
-# - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories"
-# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010710_world_writable_directories
-
-# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions"
-# file:
-# path: "{{ item }}"
-# group: root
-# with_items:
-# - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}"
-# when: rhel_08_010710_world_writable_directories.stdout | length > 0
-# when:
-# - rhel_08_010710
-# tags:
-# - RHEL-08-010710
-
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."
-# block:
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. 
| Get users with no home directory"
-# shell: pwck -r | grep user | cut -f2 -d"'"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010720_users_no_home_dir
-
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory"
-# shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010720_user_list
-
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list"
-# debug:
-# msg:
-# - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards"
-# - "{{ rhel_08_010720_user_list.stdout_lines }}"
-# when: rhel_08_010720_user_list.stdout | length > 0
-# when:
-# - rhel_08_010720
-# tags:
-# - RHEL-08-010720
-
-# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
-# block:
-# - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
-# shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd)
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010730_home_directories
-
-# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
-# file:
-# path: "{{ item }}"
-# mode: 0750
-# with_items:
-# - "{{ rhel_08_010730_home_directories.stdout_lines }}"
-# when: rhel_08_010730_home_directories.stdout | length > 0
-# when:
-# - rhel_08_010730
-# tags:
-# - RHEL-08-010730
-
-# - name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."
-# file:
-# path: "{{ item.dir }}"
-# group: "{{ item.gid }}"
-# state: directory
-# with_items: "{{ rhel8stig_passwd }}"
-# loop_control:
-# label: "{{ rhel8stig_passwd_label }}"
-# when:
-# - rhel_08_010740
-# - item.uid >= rhel8stig_interactive_uid_start
-# tags:
-# - skip_ansible_lint
-# - RHEL-08-010740
-
-# - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."
-# file:
-# path: "{{ item.dir }}"
-# state: directory
-# with_items: "{{ rhel8stig_passwd }}"
-# loop_control:
-# label: "{{ rhel8stig_passwd_label }}"
-# when:
-# - rhel_08_010750
-# - item.uid >= rhel8stig_interactive_uid_start
-# tags:
-# - skip_ansible_lint
-# - RHEL-08-010750
-
-# - name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
-# lineinfile:
-# path: /etc/login.defs
-# regexp: '.*?CREATE_HOME.*'
-# line: CREATE_HOME yes
-# when:
-# - rhel_08_010760
-# tags:
-# - RHEL-08-010760
-# - login
-# - home
-
-# - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive."
-# file:
-# path: "{{ item }}"
-# mode: 0740
-# with_items:
-# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
-# when:
-# - rhel_08_010770
-# - rhel8stig_disruption_high
-# - rhel_08_stig_interactive_homedir_inifiles is defined
-# tags:
-# - RHEL-08-010770
-# - complexity-high
-
-# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
-# block:
-# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
-# shell: find / -nouser
-# args:
-# warn: no
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010780_nouser_files
-
-# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
-# debug:
-# msg:
-# - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner"
-# - "{{ rhel_08_010780_nouser_files.stdout_lines }}"
-# when: rhel_08_010780_nouser_files.stdout | length > 0
-# when:
-# - rhel_08_010780
-# tags:
-# - RHEL-08-010780
-
-# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner."
-# block:
-# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files"
-# shell: find / -nogroup
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010790_nogroup_files
-
-# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files"
-# debug:
-# msg:
-# - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group"
-# - "{{ rhel_08_010790_nogroup_files.stdout_lines }}"
-# when: rhel_08_010790_nogroup_files.stdout | length > 0
-# when:
-# - rhel_08_010790
-# tags:
-# - RHEL-08-010790
-
-# - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."
-# debug:
-# msg: "WARNING!!!! 
/home is not mounted on a separate partition"
-# changed_when:
-# - rhel8stig_audit_complex
-# when:
-# - rhel_08_010800
-# - not rhel8stig_system_is_container
-# - rhel8stig_complex
-# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0
-# tags:
-# - RHEL-08-010800
-# - complexity-high
-# - mount
-# - home
-
-# - name: "MEDIUM | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '(?i)^#?PermitUserEnvironment'
-# line: 'PermitUserEnvironment no'
-# notify: restart sshd
-# when:
-# - rhel_08_010830
-# - rhel8stig_disruption_high
-# tags:
-# - RHEL-08-010830
-# - ssh
-# - disruption_high
-
-# - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
-# debug:
-# msg:
-# - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
-# - "To do this please run sudo chage -l account_name for the accounts you need to check"
-# - "The results will display the Account Expires information"
-# - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name'
-# when:
-# - rhel_08_020000
-# tags:
-# - RHEL-08-020000
-
-# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
-# block:
-# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020010
-# tags:
-# - RHEL-08-020010
-# - pamd
-
-# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
-# block:
-# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^deny =|^\# deny ='
-# line: "deny = {{ rhel8stig_pam_faillock.attempts }}"
-# when:
-# - rhel_08_020011
-# tags:
-# - RHEL-08-020011
-# - pamd
-
-# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
-# block:
-# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020012
-# tags:
-# - RHEL-08-020012
-# - pamd
-
-# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
-# block:
-# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set fail_interval in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^fail_interval =|^\# fail_interval ='
-# line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020013
-# tags:
-# - RHEL-08-020013
-# - pamd
-
-# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
-# block:
-# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020013
-# tags:
-# - RHEL-08-020013
-# - pamd
-
-# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
-# block:
-# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^unlock_time =|^\# unlock_time ='
-# line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020015
-# tags:
-# - RHEL-08-020015
-# - pamd
-
-# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist."
-# block:
-# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020016
-# tags:
-# - RHEL-08-020016
-# - pamd
-
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist."
-# block:
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. 
| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^dir =|^\# dir ='
-# line: "dir = /var/log/faillock"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020017
-# tags:
-# - RHEL-08-020017
-# - pamd
-
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." 
-# block:
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020018
-# tags:
-# - RHEL-08-020018
-# - pamd
-
-# - name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
-# block:
-# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. 
| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^silent|^\# silent'
-# line: "silent"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020019
-# tags:
-# - RHEL-08-020019
-# - pamd
-
-# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." 
-# block:
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020020
-# tags:
-# - RHEL-08-020020
-# - pamd
-
-# - name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
-# block:
-# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. 
| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^audit|^\# audit'
-# line: "audit"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020021
-# tags:
-# - RHEL-08-020021
-# - pamd
-
-# - name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." 
-# block:
-# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020022
-# tags:
-# - RHEL-08-020022
-# - pamd
-
-# - name: "MEDIUM | RHEL-020023| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
-# block:
-# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-
-# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^even_deny_root|^\# even_deny_root'
-# line: "even_deny_root"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020023
-# tags:
-# - RHEL-08-020023
-# - pamd
-
-# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
-# block:
-# - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. 
| Check for lock-enabled"
-# command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020030_lock_enabled
-
-# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
-# lineinfile:
-# path: "{{ rhel_08_020030_lock_enabled.stdout }}"
-# regexp: '^lock-enabled'
-# line: lock-enabled=true
-# when: rhel_08_020030_lock_enabled.stdout | length > 0
-# notify: dconf update
-
-# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist"
-# lineinfile:
-# path: /etc/dconf/db/local.d/00-screensaver
-# create: yes
-# regexp: '^lock-enabled'
-# owner: root
-# group: root
-# mode: 0644
-# line: |
-# [org/gnome/desktop/screensaver]
-# # Set this to true to lock the screen when the screensaver activates
-# lock-enabled=true
-# when: rhel_08_020030_lock_enabled.stdout | length == 0
-# notify: dconf update
-# when:
-# - rhel_08_020030
-# - "'dconf' in ansible_facts.packages"
-# - rhel8stig_always_configure_dconf
-
-# tags:
-# - RHEL-08-020030
-# - gui
-
-# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
-# block:
-# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. 
| Install tmux"
-# dnf:
-# name: tmux
-# state: present
-
-# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux"
-# lineinfile:
-# path: /etc/tmux.conf
-# regexp: '^set \-g'
-# line: "set -g lock-command vlock"
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_020040
-# tags:
-# - RHEL-08-020040
-# - tmux
-
-# - name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization."
-# lineinfile:
-# path: /etc/bashrc
-# regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]'
-# line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
-# when:
-# - rhel_08_020041
-# tags:
-# - RHEL-08-020041
-# - tmux
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."
-# block:
-# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
-# shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:'
-# args:
-# warn: no
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020050_removal_action
-
-# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
-# shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020050_removal_action_file
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
| Set removal-action param if doesn't exist"
-# lineinfile:
-# path: /etc/dconf/db/distro.d/20-authselect
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# line: |
-# [org/gnome/settings-daemon/peripherals/smartcard]
-# removal-action='lock-screen'
-# when: rhel_08_020050_removal_action.stdout | length == 0
-# notify: dconf update
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists"
-# lineinfile:
-# path: "{{ rhel_08_020050_removal_action.stdout }}"
-# regexp: ^removal-action=
-# line: removal-action='lock-screen'
-# when: rhel_08_020050_removal_action.stdout | length > 0
-# notify: dconf update
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
-# lineinfile:
-# path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}'
-# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
-# when: rhel_08_020050_removal_action_file.stdout | length > 0
-# notify: dconf update
-
-# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
-# lineinfile:
-# path: /etc/dconf/db/distro.d/locks/20-authselect
-# create: yes
-# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
-# owner: root
-# group: root
-# mode: 0640
-# when: rhel_08_020050_removal_action_file.stdout | length == 0
-# notify: dconf update
-# when:
-# - rhel_08_020050
-# tags:
-# - RHEL-08-020050
-# - smartcard
-
-# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." 
-# block:
-# - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter"
-# shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:'
-# args:
-# warn: no
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020060_idle_delay_param
-
-# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist"
-# lineinfile:
-# path: /etc/dconf/db/local.d/00-screensaver
-# create: yes
-# owner: root
-# group: root
-# mode: 0640
-# regexp: '^idle-delay'
-# line: |
-# [org/gnome/desktop/session]
-# # Set the lock time out to 900 seconds before the session is considered idle
-# idle-delay=uint32 900
-# notify: dconf update
-# when: rhel_08_020060_idle_delay_param.stdout | length == 0
-
-# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists"
-# lineinfile:
-# path: "{{ rhel_08_020060_idle_delay_param.stdout }}"
-# regexp: '^idle-delay='
-# line: idle-delay=uint32 900
-# owner: root
-# group: root
-# mode: 0640
-# notify: dconf update
-# when: rhel_08_020060_idle_delay_param.stdout | length > 0
-# when:
-# - rhel_08_020060
-# - "'dconf' in ansible_facts.packages"
-# - rhel8stig_always_configure_dconf
-
-# tags:
-# - RHEL-08-020060
-# - gui
-
-# - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity."
-# lineinfile:
-# path: /etc/tmux.conf
-# regexp: '^set -g lock-after-time'
-# line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_020070
-# tags:
-# - RHEL-08-020070
-# - tmux
-
-# - name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings." 
-# lineinfile:
-# path: /etc/dconf/db/local.d/locks/session
-# create: yes
-# line: "{{ item }}"
-# owner: root
-# group: root
-# mode: 0640
-# with_items:
-# - /org/gnome/desktop/session/idle-delay
-# - /org/gnome/desktop/screensaver/lock-enabled
-# - /org/gnome/desktop/screensaver/lock-delay
-# - /org/gnome/settings-daemon/plugins/media-keys/logout
-# - /org/gnome/login-screen/disable-user-list
-# - /org/gnome/login-screen/banner-message-text
-# - /org/gnome/login-screen/banner-message-enable
-# - /org/gnome/desktop/lockdown/disable-lock-screen
-# when:
-# - rhel_08_020080
-# - "'dconf' in ansible_facts.packages"
-# - rhel8stig_always_configure_dconf
-# tags:
-# - RHEL-08-020080
-
-# - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
-# lineinfile:
-# path: "{{ rhel8stig_sssd_conf }}"
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# owner: root
-# group: root
-# mode: 0640
-# with_items:
-# - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
-# - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
-# - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' }
-# - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' }
-# notify: restart sssd
-# when:
-# - "'sssd' in ansible_facts.packages"
-# - rhel8stig_sssd_conf_present.stat.exists
-# - rhel_08_020090
-# tags:
-# - RHEL-08-020090
-
-# - name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled." 
-# lineinfile:
-# path: "{{ item.path }}"
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# insertafter: '^password'
-# owner: root
-# group: root
-# mode: 0640
-# with_items:
-# - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
-# - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
-# when:
-# - rhel_08_020100
-# tags:
-# - RHEL-08-020100
-
-# - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: '^#?\s*ucredit'
-# line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}"
-# when:
-# - rhel_08_020110
-# tags:
-# - RHEL-08-020110
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: '^#?\s*lcredit'
-# line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}"
-# when:
-# - rhel_08_020120
-# tags:
-# - RHEL-08-020120
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used." 
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: '^#?\s*dcredit'
-# line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}"
-# when:
-# - rhel_08_020130
-# tags:
-# - RHEL-08-020130
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: '^#?\s*maxclassrepeat'
-# line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}"
-# when:
-# - rhel_08_020140
-# tags:
-# - RHEL-08-020140
-# - pwquality
-
-# - name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: '^#?\s*maxrepeat'
-# line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}"
-# when:
-# - rhel_08_020150
-# tags:
-# - RHEL-08-020150
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: '^#?\s*minclass'
-# line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}"
-# when:
-# - rhel_08_020160
-# tags:
-# - RHEL-08-020160
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed." 
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: '^#?\s*difok'
-# line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}"
-# when:
-# - rhel_08_020170
-# tags:
-# - RHEL-08-020170
-# - pwquality
-
-# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."
-# block:
-# - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Get list of users"
-# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020180_users
-
-# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction"
-# command: chage -m 1 {{ item }}
-# with_items: "{{ rhel_08_020180_users.stdout_lines }}"
-# when:
-# - rhel_08_020180
-# tags:
-# - RHEL8-08-020180
-# - password
-
-# - name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."
-# lineinfile:
-# path: /etc/login.defs
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: ^#?PASS_MIN_DAYS
-# line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}"
-# when:
-# - rhel_08_020190
-# tags:
-# - RHEL-08-020190
-# - login
-
-# - name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction." 
-# lineinfile:
-# path: /etc/login.defs
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: ^#?PASS_MAX_DAYS
-# line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}"
-# when:
-# - rhel_08_020200
-# tags:
-# - RHEL-08-020200
-# - login
-
-# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
-# block:
-# - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users"
-# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
-# check_mode: no
-# changed_when: rhel_08_020210_users.stdout | length > 0
-# register: rhel_08_020210_users
-
-# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user."
-# command: chage -d '-1 day' {{ item }}
-# check_mode: "{{ rhel8stig_disruptive_check_mode }}"
-# with_items: "{{ rhel_08_020210_users.stdout_lines }}"
-
-# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime"
-# command: chage -M 60 {{ item }}
-# check_mode: "{{ rhel8stig_disruptive_check_mode }}"
-# with_items: "{{ rhel_08_020210_users.stdout_lines }}"
-# when:
-# - rhel_08_020210
-# - rhel8stig_disruption_high
-# tags:
-# - RHEL-08-020210
-# - disruption-high
-# - password
-
-# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations."
-# block:
-# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Ensure pam_pwhistory rule exists"
-# pamd:
-# name: "{{ item }}"
-# state: before
-# type: password
-# control: sufficient
-# module_path: pam_unix.so
-# new_type: password
-# new_control: required
-# new_module_path: pam_pwhistory.so
-# with_items:
-# - "system-auth"
-# - "password-auth"
-#
-# # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent
-# - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Check for existing password history reuse settings"
-# command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}"
-# check_mode: no
-# changed_when: no
-# failed_when: rhel_08_020220_pw_hist_settings.rc > 1
-# register: rhel_08_020220_pw_hist_settings
-# with_items:
-# - "system-auth"
-# - "password-auth"
-
-# # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following.
-# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set"
-# pamd:
-# name: "{{ item.item }}"
-# state: updated
-# type: password
-# control: required
-# module_path: pam_pwhistory.so
-# module_arguments:
-# - use_authtok
-# - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}
-# - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}
-# with_items: "{{ rhel_08_020220_pw_hist_settings.results }}"
-# when: item.rc == 1
-# when:
-# - rhel_08_020220
-# tags:
-# - RHEL-08-020220
-# - pamd
-
-# - name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# owner: root
-# group: root
-# mode: 0644
-# regexp: '^#?\s*minlen'
-# line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}"
-# when:
-# - rhel_08_020230
-# tags:
-# - RHEL-08-020230
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters."
-# lineinfile:
-# path: /etc/login.defs
-# regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN'
-# line: "PASS_MIN_LEN 15"
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_020231
-# tags:
-# - RHEL-08-020231
-# - passwords
-
-# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users."
-# block:
-# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users"
-# command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020240_duplicate_uid_users
-
-# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users"
-# debug:
-# msg:
-# - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user"
-# - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}"
-# when:
-# - rhel_08_020240
-# tags:
-# - RHEL-08-020240
-
-# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts."
-# block:
-# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.
| Find pam_sss.so in smartcard-auth"
-# shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020250_sc_auth_sss
-
-# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth"
-# shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020250_system_auth_sss
-
-# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf"
-# lineinfile:
-# path: "{{ rhel8stig_sssd_conf }}"
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# insertafter: "{{ item.insertafter }}"
-# owner: root
-# group: root
-# mode: 0640
-# notify: restart sssd
-# with_items:
-# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
-# - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' }
-
-# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth"
-# lineinfile:
-# path: /etc/pam.d/smartcard-auth
-# line: auth sufficient pam_sss.so try_cert_auth
-# owner: root
-# group: root
-# mode: 0644
-# notify: restart sssd
-# when: rhel_08_020250_sc_auth_sss.stdout | length == 0
-
-# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.
| Set pam_sss.so if does exist in smartcard-auth"
-# pamd:
-# name: /etc/pam.d/smartcard-auth
-# state: updated
-# type: auth
-# control: sufficient
-# module_path: pam_sss.so
-# module_arguments: 'try_cert_auth'
-# notify: restart sssd
-# when: rhel_08_020250_sc_auth_sss.stdout | length > 0
-
-# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth"
-# pamd:
-# name: /etc/pam.d/system-auth
-# state: after
-# type: auth
-# control: required
-# module_path: pam_env.so
-# new_type: auth
-# new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
-# new_module_path: pam_sss.so
-# module_arguments: try_cert_auth
-# notify: restart sssd
-# when: rhel_08_020250_system_auth_sss.stdout | length == 0
-
-# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth"
-# pamd:
-# name: /etc/pam.d/system-auth
-# state: updated
-# type: auth
-# control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
-# module_path: pam_env.so
-# module_arguments: try_cert_auth
-# notify: restart sssd
-# when: rhel_08_020250_system_auth_sss.stdout | length > 0
-# when:
-# - "'sssd' in ansible_facts.packages"
-# - rhel8stig_sssd_conf_present.stat.exists
-# - rhel_08_020250
-# tags:
-# - RHEL-08-020250
-# - pamd
-
-# - name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity."
-# command: useradd -D -f 35
-# when:
-# - rhel_08_020260
-# tags:
-# - RHEL-08-020260
-# - useradd
-
-# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
-# block:
-# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
-# command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_020270_system_users
-
-# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
-# debug:
-# msg:
-# - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours"
-# - "{{ rhel_08_020270_system_users.stdout_lines }}"
-# when:
-# - rhel_08_020270
-# tags:
-# - RHEL-08-020270
-
-# - name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# regexp: '^#?\s*ocredit'
-# line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}"
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_020280
-# tags:
-# - RHEL-08-020280
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day."
-# lineinfile:
-# path: "{{ rhel8stig_sssd_conf }}"
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# insertafter: "{{ item.insertafter }}"
-# owner: root
-# group: root
-# mode: 0640
-# with_items:
-# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
-# - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
-# when:
-# - "'sssd' in ansible_facts.packages"
-# - rhel8stig_sssd_conf_present.stat.exists
-# - rhel_08_020290
-# tags:
-# - RHEL-08-020290
-# - sssd
-
-# - name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords."
-# lineinfile:
-# path: /etc/security/pwquality.conf
-# create: yes
-# regexp: '^#?\s*dictcheck'
-# line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_020300
-# tags:
-# - RHEL-08-020300
-# - pwquality
-
-# - name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."
-# lineinfile:
-# dest: /etc/login.defs
-# regexp: ^#?FAIL_DELAY
-# line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}"
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_020310
-# tags:
-# - RHEL-08-020310
-# - login
-
-# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts."
-# block:
-# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts"
-# command: "grep '^{{ item }}:' /etc/passwd"
-# check_mode: no
-# failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1
-# changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0
-# register: rhel_08_020320_unnecessary_accounts_found
-# with_items: "{{ rhel8stig_unnecessary_accounts }}"
-
-# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts.
| Remove accounts"
-# user:
-# name: "{{ item }}"
-# state: absent
-# remove: "{{ rhel8stig_remove_unnecessary_user_files }}"
-# register: rhel_08_020320_accounts_removed
-# with_items: "{{ rhel8stig_unnecessary_accounts }}"
-
-# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file"
-# include_tasks: parse_etc_passwd.yml
-# vars:
-# rhel8stig_passwd_tasks: "RHEL-08-020320"
-# when: rhel_08_020320_accounts_removed is changed
-# when:
-# - rhel_08_020320
-# tags:
-# - RHEL-08-020320
-
-# - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."
-# lineinfile:
-# dest: /etc/ssh/sshd_config
-# regexp: '(?i)^#?PrintLastLog'
-# line: 'PrintLastLog yes'
-# validate: /usr/sbin/sshd -t -f %s
-# owner: root
-# group: root
-# mode: 0644
-# notify: restart sshd
-# when:
-# - rhel_08_020350
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-020350
-# - ssh
-
-# - name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
-# lineinfile:
-# path: /etc/login.defs
-# regexp: ^#?UMASK.*
-# line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}"
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_020351
-# tags:
-# - RHEL-08-020351
-
-# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts."
-# block:
-# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files"
-# find:
-# paths: /home
-# patterns: '^\.'
-# contains: 'umask'
-# recurse: yes
-# hidden: yes
-# use_regex: yes
-# register: rhel8stig_020352_files
-
-# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts.
| Remove umask param"
-# lineinfile:
-# path: "{{ item.path }}"
-# regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})"
-# state: absent
-# with_items:
-# - "{{ rhel8stig_020352_files.files }}"
-# when: rhel8stig_020352_files.matched > 0
-# when:
-# - rhel_08_020352
-# tags:
-# - RHEL-08-020352
-# - umask
-
-# - name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells."
-# replace:
-# path: "{{ item }}"
-# regexp: 'umask\s\d\d\d'
-# replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}"
-# with_items:
-# - /etc/bashrc
-# - /etc/csh.cshrc
-# when:
-# - rhel_08_020353
-# tags:
-# - RHEL-08-020353
-# - umask
-
-# - name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' }
-# - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' }
-# - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' }
-# - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' }
-# notify: restart auditd
-# when:
-# - rhel_08_030000
-# tags:
-# - RHEL-08-030000
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8."
-# lineinfile:
-# path: /etc/rsyslog.conf
-# regexp: '^cron.*'
-# line: 'cron.* /var/log/cron'
-# when:
-# - rhel_08_030010
-# tags:
-# - RHEL-08-030010
-# - cron
-
-# - name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^action_mail_acct ='
-# line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}"
-# register: rhel_08_030020_action_mail_acct_result
-# failed_when:
-# - rhel_08_030020_action_mail_acct_result is failed
-# - rhel_08_030020_action_mail_acct_result.rc != 257
-# when:
-# - rhel_08_030020
-# tags:
-# - RHEL-08-030020
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."
-# lineinfile:
-# path: /etc/aliases
-# regexp: '^postmaster:'
-# line: 'postmaster: root'
-# when:
-# - rhel_08_030030
-# tags:
-# - RHEL-08-030030
-# - aliases
-
-# - name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^disk_error_action ='
-# line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}"
-# when:
-# - rhel_08_030040
-# tags:
-# - RHEL-08-030040
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^max_log_file_action ='
-# line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}"
-# when:
-# - rhel_08_030050
-# tags:
-# - RHEL-08-030050
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^disk_full_action ='
-# line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}"
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_030060
-# tags:
-# - RHEL-08-030060
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^local_events ='
-# line: "local_events = yes"
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_030061
-# tags:
-# - RHEL-08-030061
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^name_format ='
-# line: "name_format = hostname"
-# notify: restart auditd
-# when:
-# - rhel_08_030062
-# tags:
-# - RHEL-08-030062
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^log_group ='
-# line: "log_group = root"
-# mode: 0600
-# when:
-# - rhel_08_030070
-# tags:
-# - RHEL-08-030070
-
-# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access.
| Get audit log file"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
-# changed_when: false
-# failed_when: false
-# register: rhel8stig_030080_audit_log_file
-
-# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner"
-# file:
-# path: "{{ rhel8stig_030080_audit_log_file.stdout }}"
-# owner: root
-# when: rhel8stig_030080_audit_log_file.stdout | length > 0
-# when:
-# - rhel_08_030080
-# tags:
-# - RHEL-08-030080
-
-# - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group"
-# lineinfile:
-# path: /etc/audit/auditd.conf
-# regexp: '^log_group'
-# line: "log_group = root"
-# when:
-# - rhel_08_030090
-# tags:
-# - RHEL-08-030090
-
-# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030100_audit_log_dir
-
-# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner"
-# file:
-# path: "{{ rhel_08_030100_audit_log_dir.stdout }}"
-# owner: root
-# state: directory
-# when: rhel_08_030100_audit_log_dir.stdout | length > 0
-# tags:
-# - skip_ansible_lint
-# when:
-# - rhel_08_030100
-# tags:
-# - RHEL-08-030100
-
-# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
-# args:
-# warn: no
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030110_audit_log_dir
-
-# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group"
-# file:
-# path: "{{ rhel_08_030110_audit_log_dir.stdout }}"
-# group: root
-# state: directory
-# when: rhel_08_030110_audit_log_dir.stdout | length > 0
-# tags:
-# - skip_ansible_lint
-# when:
-# - rhel_08_030110
-# tags:
-# - skip_ansible_lint
-# - RHEL-08-030110
-
-# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access."
-# block:
-# - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. | Get audit log directory"
-# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_030120_audit_log_dir
-
-# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
-# file:
-# path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
-# mode: 0700
-# state: directory
-# when: rhel_08_030120_audit_log_dir.stdout | length > 0
-# when:
-# - rhel_08_030120
-# tags:
-# - RHEL-08-030120
-
-# - name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-e '
-# line: "-e 2"
-# when:
-# - rhel_08_030121
-# tags:
-# - RHEL-08-030121
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^--loginuid-'
-# line: "--loginuid-immutable"
-# when:
-# - rhel_08_030122
-# tags:
-# - RHEL-08-030122
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/shadow'
-# line: '-w /etc/shadow -p wa -k identity'
-# notify: restart auditd
-# when:
-# - rhel_08_030130
-# tags:
-# - RHEL-08-030130
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/security/opasswd'
-# line: -w /etc/security/opasswd -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030140
-# tags:
-# - RHEL-08-030140
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/passwd'
-# line: -w /etc/passwd -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030150
-# tags:
-# - RHEL-08-030150
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/gshadow'
-# line: -w /etc/gshadow -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030160
-# tags:
-# - RHEL-08-030160
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/group'
-# line: -w /etc/group -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030170
-# tags:
-# - RHEL-08-030170
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/sudoers '
-# line: -w /etc/sudoers -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030171
-# tags:
-# - RHEL-08-030171
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-w /etc/sudoers.d/'
-# line: -w /etc/sudoers.d/ -p wa -k identity
-# notify: restart auditd
-# when:
-# - rhel_08_030172
-# tags:
-# - RHEL-08-030172
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."
-# block:
-# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
| Install audit"
-# dnf:
-# name: audit
-# state: present
-
-# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service"
-# service:
-# name: auditd
-# enabled: yes
-# state: started
-# when:
-# - rhel_08_030180
-# tags:
-# - rhel_08_030180
-# - dnf
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
-# line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
-# notify: restart auditd
-# when:
-# - rhel_08_030190
-# tags:
-# - RHEL-08-030190
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030200
-# tags:
-# - RHEL-08-030200
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030210
-# tags:
-# - RHEL-08-030210
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030220
-# tags:
-# - RHEL-08-030220
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030230
-# tags:
-# - RHEL-08-030230
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030240
-# tags:
-# - RHEL-08-030240
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
-# notify: restart auditd
-# when:
-# - rhel_08_030250
-# tags:
-# - RHEL-08-030250
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030260
-# tags:
-# - RHEL-08-030260
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030270
-# tags:
-# - RHEL-08-030270
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
-# notify: restart auditd
-# when:
-# - rhel_08_030280
-# tags:
-# - RHEL-08-030280
-# - auditd
-
-# - name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
-# notify: restart auditd
-# when:
-# - rhel_08_030290
-# tags:
-# - RHEL-08-030290
-# - auditd
-
-# - name: |
-# "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
-# "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount -# - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount -# - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount -# notify: restart auditd -# when: -# - rhel_08_030300 or -# rhel_08_030302 -# tags: -# - RHEL-08-030300 -# - RHEL-08-030302 -# - auditd - -# - name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount -# notify: restart auditd -# when: -# - rhel_08_030301 -# tags: -# - RHEL-08-030301 -# - auditd - -# - name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update -# notify: restart auditd -# when: -# - rhel_08_030310 -# tags: -# - RHEL-08-030310 -# - auditd - -# - name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update -# notify: restart auditd -# when: -# - rhel_08_030311 -# tags: -# - RHEL-08-030311 -# - auditd - -# - name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update -# notify: restart auditd -# when: -# - rhel_08_030312 -# tags: -# - RHEL-08-030312 -# - auditd - -# - name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update -# notify: restart auditd -# when: -# - rhel_08_030313 -# tags: -# - RHEL-08-030313 -# - auditd - -# - name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update -# notify: restart auditd -# when: -# - rhel_08_030314 -# tags: -# - RHEL-08-030314 -# - auditd - -# - name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update -# notify: restart auditd -# when: -# - rhel_08_030315 -# tags: -# - RHEL-08-030315 -# - auditd - -# - name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update -# notify: restart auditd -# when: -# - rhel_08_030316 -# tags: -# - RHEL-08-030316 -# - auditd - -# - name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update -# notify: restart auditd -# when: -# - rhel_08_030317 -# tags: -# - RHEL-08-030317 -# - auditd - -# - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh -# notify: restart auditd -# when: -# - rhel_08_030320 -# tags: -# - RHEL-08-030320 -# - auditd - -# - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# notify: restart auditd -# when: -# - rhel_08_030330 -# tags: -# - RHEL-08-030330 -# - auditd - -# - name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check -# notify: restart auditd -# when: -# - rhel_08_030340 -# tags: -# - RHEL-08-030340 -# - auditd - -# - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd -# notify: restart auditd -# when: -# - rhel_08_030350 -# tags: -# - RHEL-08-030350 -# - auditd - -# - name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng -# - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng -# notify: restart auditd -# when: -# - rhel_08_030360 -# tags: -# - RHEL-08-030360 -# - auditd - -# - name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# notify: restart auditd -# when: -# - rhel_08_030361 -# tags: -# - RHEL-08-030361 -# - auditd - -# - name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# notify: restart auditd -# when: -# - rhel_08_030362 -# tags: -# - RHEL-08-030362 -# - auditd - -# - name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# notify: restart auditd -# when: -# - rhel_08_030363 -# tags: -# - RHEL-08-030363 -# - auditd - -# - name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# notify: restart auditd -# when: -# - rhel_08_030364 -# tags: -# - RHEL-08-030364 -# - auditd - -# - name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete -# notify: restart auditd -# when: -# - rhel_08_030365 -# tags: -# - RHEL-08-030365 -# - auditd - -# - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd -# notify: restart auditd -# when: -# - rhel_08_030370 -# tags: -# - RHEL-08-030370 -# - auditd - -# - name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng -# - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng -# notify: restart auditd -# when: -# - rhel_08_030380 -# tags: -# - RHEL-08-030380 -# - auditd - -# - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng -# - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng -# notify: restart auditd -# when: -# - rhel_08_030390 -# tags: -# - RHEL-08-030390 -# - auditd - -# - name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab -# notify: restart auditd -# when: -# - rhel_08_030400 -# tags: -# - RHEL-08-030400 -# - auditd - -# - name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd -# notify: restart auditd -# when: -# - rhel_08_030410 -# tags: -# - RHEL-08-030410 -# - auditd - -# - name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030420 -# tags: -# - RHEL-08-030420 -# - auditd - -# - name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030430 -# tags: -# - RHEL-08-030430 -# - auditd - -# - name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030440 -# tags: -# - RHEL-08-030440 -# - auditd - -# - name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030450 -# tags: -# - RHEL-08-030450 -# - auditd - -# - name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030460 -# tags: -# - RHEL-08-030460 -# - auditd - -# - name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access -# notify: restart auditd -# when: -# - rhel_08_030470 -# tags: -# - RHEL-08-030470 -# - auditd - -# - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# notify: restart auditd -# when: -# - rhel_08_030480 -# tags: -# - RHEL-08-030480 -# - auditd - -# - name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# notify: restart auditd -# when: -# - rhel_08_030490 -# tags: -# - RHEL-08-030490 -# - auditd - -# - name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# notify: restart auditd -# when: -# - rhel_08_030500 -# tags: -# - RHEL-08-030500 -# - auditd - -# - name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# notify: restart auditd -# when: -# - rhel_08_030510 -# tags: -# - RHEL-08-030510 -# - auditd - -# - name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030520 -# tags: -# - RHEL-08-030520 -# - auditd - -# - name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# notify: restart auditd -# when: -# - rhel_08_030530 -# tags: -# - RHEL-08-030530 -# - auditd - -# - name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# notify: restart auditd -# when: -# - rhel_08_030540 -# tags: -# - RHEL-08-030540 -# - auditd - -# - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd -# notify: restart auditd -# when: -# - rhel_08_030550 -# tags: -# - RHEL-08-030550 -# - auditd - -# - name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod -# notify: restart auditd -# when: -# - rhel_08_030560 -# tags: -# - RHEL-08-030560 -# - auditd - -# - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# notify: restart auditd -# when: -# - rhel_08_030570 -# tags: -# - RHEL-08-030570 -# - auditd - -# - name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules -# notify: restart auditd -# when: -# - rhel_08_030580 -# tags: -# - RHEL-08-030580 -# - auditd - -# - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -w /var/log/faillock -p wa -k logins -# notify: restart auditd -# when: -# - rhel_08_030590 -# tags: -# - RHEL-08-030590 -# - auditd - -# - name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -w /var/log/lastlog -p wa -k logins -# notify: restart auditd -# when: -# - rhel_08_030600 -# tags: -# - RHEL-08-030600 -# - auditd - -# - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." -# file: -# path: "{{ item }}" -# mode: 0640 -# with_items: -# - /etc/audit/rules.d/audit.rules -# - /etc/audit/auditd.conf -# when: -# - rhel_08_030610 -# tags: -# - RHEL-08-030610 -# - permissions - -# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive." 
-# block: -# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms" -# shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" " -# changed_when: false -# failed_when: false -# register: rhel_08_030620_tools - -# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools" -# file: -# path: "{{ item }}" -# mode: 0755 -# with_items: -# - "{{ rhel_08_030620_tools.stdout_lines }}" -# when: -# - rhel_08_030620 -# tags: -# - RHEL-08-030620 -# - permissions - -# - name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root." -# file: -# path: "{{ item }}" -# owner: root -# with_items: -# - /sbin/auditctl -# - /sbin/aureport -# - /sbin/ausearch -# - /sbin/autrace -# - /sbin/auditd -# - /sbin/audisp-remote -# - /sbin/audisp-syslog -# - /sbin/augenrules -# when: -# - rhel_08_030630 -# tags: -# - RHEL-08-030630 -# - permissions - -# - name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root." -# file: -# path: "{{ item }}" -# owner: root -# with_items: -# - /sbin/auditctl -# - /sbin/aureport -# - /sbin/ausearch -# - /sbin/autrace -# - /sbin/auditd -# - /sbin/audisp-remote -# - /sbin/audisp-syslog -# - /sbin/augenrules -# when: -# - rhel_08_030640 -# tags: -# - RHEL-08-030640 -# - permissions - -# - name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools." 
-# lineinfile: -# path: /etc/aide.conf -# line: "{{ item }}" -# owner: root -# group: root -# mode: 0600 -# with_items: -# - "# Audit Tools" -# - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 -# when: -# - rhel_08_030650 -# tags: -# - RHEL-08-030650 -# - aide - -# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility." -# block: -# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition" -# shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|' -# changed_when: false -# failed_when: false -# register: rhel_08_030660_audit_log_path - -# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. 
| Get size of audit log partition" -# shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}" -# changed_when: false -# failed_when: false -# register: rhel_08_030660_audit_log_partition - -# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size" -# debug: -# msg: -# - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition" -# - "Path: {{ rhel_08_030660_audit_log_path.stdout }}" -# - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}" -# when: -# - rhel_08_030660 -# tags: -# - RHEL-08-030660 - -# - name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed." -# dnf: -# name: rsyslog -# state: present -# when: -# - rhel_08_030670 -# tags: -# - RHEL-08-030670 -# - rsyslog - -# - name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed." -# dnf: -# name: gnutls -# state: present -# when: -# - rhel_08_030680 -# tags: -# - RHEL-08-030680 -# - gnutls - -# - name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited." -# lineinfile: -# path: /etc/rsyslog.conf -# regexp: '^.*\@\@' -# line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" -# when: -# - rhel_08_030690 -# tags: -# - RHEL-08-030690 -# - auditd - -# - name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full." 
-# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^overflow_action =' -# line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}' -# notify: restart auditd -# when: -# - rhel_08_030700 -# tags: -# - RHEL-08-030700 -# - auditd - -# - name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." -# lineinfile: -# path: /etc/rsyslog.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' } -# - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' } -# when: -# - rhel_08_030710 -# tags: -# - RHEL-08-030710 -# - auditd - -# - name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs." -# lineinfile: -# path: /etc/rsyslog.conf -# regexp: '^\$ActionSendStreamDriverAuthMode' -# line: "$ActionSendStreamDriverAuthMode x509/name" -# notify: restart auditd -# when: -# - rhel_08_030720 -# tags: -# - rhel_08_030720 -# - auditd - -# - name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." 
-# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^space_left =', line: 'space_left = 25%' } -# - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' } -# when: -# - rhel_08_030730 -# tags: -# - RHEL-08-030730 -# - auditd - -# - name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." -# lineinfile: -# path: /etc/chrony.conf -# regexp: '^server' -# line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16' -# notify: restart {{ rhel8stig_time_service }} -# when: -# - rhel_08_030740 -# tags: -# - RHEL-08-030740 -# - chronyd - -# - name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed." -# shell: dnf remove abrt* -# failed_when: false -# args: -# warn: false -# when: -# - rhel_08_040001 -# tags: -# - RHEL-08-040001 -# - dnf -# - abrt - -# - name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed." -# dnf: -# name: sendmail -# state: absent -# when: -# - rhel_08_040002 -# tags: -# - RHEL-08-040002 -# - dnf -# - sendmail - -# - name: | -# "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed." -# "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." -# dnf: -# name: gssproxy -# state: absent -# when: -# - rhel_08_040003 or -# rhel_08_040370 -# tags: -# - RHEL-08-040003 -# - RHEL-08-040370 -# - dnf -# - gssproxy - -# - name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use." 
-# lineinfile:
-# path: /etc/modprobe.d/blacklist.conf
-# create: yes
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# owner: root
-# group: root
-# mode: 0640
-# insertafter: "{{ item.insertafter }}"
-# notify: reboot system
-# with_items:
-# - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' }
-# - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' }
-# when:
-# - rhel_08_040020
-# tags:
-# - RHEL-08-040020
-# - camera
-
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
-# block:
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
-# block:
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using firewalld"
-# shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
-# register: rhel8stig_PPSM_CLSA_check_firewalld
-# changed_when: false
-# failed_when: false
-# check_mode: no
-# when:
-# - rhel_08_040030
-# tags:
-# - RHEL-08-040030
-# - firewall
-
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
-# debug:
-# msg:
-# - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
-# - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}"
-# changed_when: true
-# when:
-# - rhel_08_040030
-# - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined
-# tags:
-# - RHEL-08-040030
-# - firewall
-# when:
-# - rhel_08_040030
-# - not rhel8stig_system_is_chroot
-# - not rhel8stig_system_is_container
-# - rhel8stig_firewall_service == "firewalld"
-# - rhel8stig_start_firewall_service
-# tags:
-# - RHEL-08-040030
-# - firewall
-
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block"
-# block:
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using iptables"
-# shell: iptables-save | grep -i accept | grep -i input
-# register: rhel8stig_PPSM_CLSA_check_iptables
-# changed_when: false
-# failed_when: false
-# check_mode: no
-# when: rhel_08_040030
-# tags:
-# - RHEL-08-040030
-# - firewall
-
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
-# debug:
-# msg:
-# - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}."
-# - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}"
-# changed_when: true
-# when:
-# - rhel_08_040030
-# - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined
-# tags:
-# - RHEL-08-040030
-# - firewall
-# when:
-# - rhel_08_040030
-# - not rhel8stig_system_is_chroot
-# - not rhel8stig_system_is_container
-# - rhel8stig_firewall_service == "iptables"
-# - rhel8stig_start_firewall_service
-# tags:
-# - RHEL-08-040030
-# - firewall
-
-# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use"
-# debug:
-# msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
-# changed_when: true
-# when:
-# - rhel_08_040030
-# - not rhel8stig_start_firewall_service
-# tags:
-# - RHEL-08-040030
-# - firewall
-# when:
-# - rhel_08_040030
-# - not rhel8stig_system_is_chroot
-# - not rhel8stig_system_is_container
-# - rhel8stig_disruptive
-# tags:
-# - RHEL-08-040030
-# - firewall
-
-# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required."
-# block:
-# - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error"
-# shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_040070_autofs_status
-
-# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists"
-# service:
-# name: autofs
-# state: stopped
-# enabled: no
-# when: rhel_08_040070_autofs_status.stdout == "loaded"
-# when:
-# - rhel_08_040070
-# tags:
-# - RHEL-08-040070
-# - autofs
-
-# - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage."
-# lineinfile:
-# path: "{{ item.path }}"
-# create: yes
-# owner: root
-# group: root
-# mode: 0640
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# insertafter: "{{ item.insertafter }}"
-# with_items:
-# - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' }
-# - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'}
-# when:
-# - rhel_08_040080
-# tags:
-# - RHEL-08-040080
-# - usb_devices
-
-# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
-# block:
-# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. 
| Install firewalld"
-# dnf:
-# name: firewalld
-# state: present
-# when: rhel8stig_firewall_service == "firewalld"
-
-# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
-# dnf:
-# name: iptables-services
-# state: present
-# when: rhel8stig_firewall_service == "iptables"
-
-# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
-# service:
-# name: "{{ rhel8stig_firewall_service }}"
-# state: started
-# enabled: yes
-# when:
-# - rhel_08_040100
-# tags:
-# - RHEL-08-040100
-# - firewall
-# - "{{ rhel8stig_firewall_service }}"
-
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
-# block:
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
-# firewalld:
-# zone: "{{ rhel8stig_custom_firewall_zone }}"
-# permanent: true
-# state: present
-
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh"
-# firewalld:
-# zone: "{{ rhel8stig_custom_firewall_zone }}"
-# permanent: true
-# state: enabled
-# service: "{{ item }}"
-# with_items:
-# - "{{ rhel8stig_white_list_services }}"
-
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
-# command: firewall-cmd --reload
-# changed_when: rhel_08_040090_zone_reload.rc == 0
-# failed_when: rhel_08_040090_zone_reload.rc >= 2
-# register: rhel_08_040090_zone_reload
-
-# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Set new zone as default"
-# command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
-# changed_when: rhel_08_040090_default_zone_set.rc == 0
-# failed_when: rhel_08_040090_default_zone_set.rc >= 2
-# register: rhel_08_040090_default_zone_set
-# when:
-# - rhel_08_040090
-# tags:
-# - RHEL-08-040090
-# - firewall
-
-# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
-# block:
-# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
-# command: rpm -q NetworkManager
-# args:
-# warn: no
-# check_mode: no
-# changed_when: no
-# register: rhel_08_nmcli_available
-# failed_when: no
-
-# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
-# command: nmcli radio wifi
-# args:
-# warn: no
-# register: rhel_08_wifi_enabled
-# check_mode: no
-# changed_when: rhel_08_wifi_enabled.stdout != "disabled"
-# when: rhel_08_nmcli_available.rc == 0
-
-# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
-# command: nmcli radio wifi off
-# when: rhel_08_wifi_enabled is changed
-# when:
-# - rhel_08_040110
-# tags:
-# - RHEL-08-040110
-# - wifi
-
-# - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled."
-# lineinfile:
-# path: /etc/modprobe.d/bluetooth.conf
-# regexp: '^install bluetooth '
-# line: "install bluetooth /bin/true"
-# create: yes
-# owner: root
-# group: root
-# mode: 0640
-# notify: reboot system
-# when:
-# - rhel_08_040111
-# tags:
-# - RHEL-08-040111
-# - bluetooth
-
-# - name: |
-# "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
-# "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
-# "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option."
-# "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option."
-# "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option."
-# shell: mount | grep /dev/shm
-# args:
-# warn: no
-# changed_when: false
-# failed_when: false
-# register: rhel8stig_040120_dev_shm_status
-
-# - name: |
-# "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
-# "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
-# "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
-# mount:
-# path: /dev/shm
-# state: mounted
-# src: tmpfs
-# fstype: tmpfs
-# opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}"
-# when: rhel8stig_040120_dev_shm_status.stdout | length > 0
-# when:
-# - rhel_08_040120 or
-# rhel_08_040121 or
-# rhel_08_040122
-# tags:
-# - RHEL-08-040120
-# - RHEL-08-040121
-# - RHEL-08-040122
-# - mounts
-
-# - name: |
-# "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
-# "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
-# "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option."
-# "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option."
-# "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option."
-# shell: mount | grep /tmp
-# changed_when: false
-# failed_when: false
-# register: rhel8stig_040123_dev_status
-
-# - name: |
-# "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
-# "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
-# "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
-# mount:
-# path: /tmp
-# state: mounted
-# src: "{{ tmp_mount.device }}"
-# fstype: xfs
-# opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}"
-# vars:
-# tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}"
-# when: rhel8stig_040123_dev_status.stdout | length > 0
-
-# when:
-# - rhel_08_040123 or
-# rhel_08_040124 or
-# rhel_08_040125
-# tags:
-# - RHEL-08-040123
-# - RHEL-08-040124
-# - RHEL-08-04125
-# - mounts
-
-# - name: |
-# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
-# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
-# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
-# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
-# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
-# shell: mount | grep /var/log
-# changed_when: false
-# failed_when: false
-# register: rhel8stig_040126_var_log_status
-
-# - name: |
-# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
-# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
-# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
-# mount:
-# path: /var/log
-# state: mounted
-# src: "{{ var_log_mount.device }}"
-# fstype: xfs
-# opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}"
-# vars:
-# var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}"
-# when: rhel8stig_040126_var_log_status.stdout | length > 0
-# when:
-# - rhel_08_040126 or
-# rhel_08_040127 or
-# rhel_08_040128
-# tags:
-# - RHEL-08-040126
-# - RHEL-08-040127
-# - RHEL-08-040128
-# - mounts
-
-# - name: |
-# "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
-# "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
-# "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option."
-# "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option."
-# "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option."
-# shell: mount | grep /var/log/audit
-# changed_when: false
-# failed_when: false
-# register: rhel8stig_040129_var_log_audit_status
-
-# - name: |
-# "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
-# "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
-# "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
-# mount:
-# path: /var/log/audit
-# state: mounted
-# src: "{{ audit_mount.device }}"
-# fstype: xfs
-# opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}"
-# vars:
-# audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}"
-# when: rhel8stig_040129_var_log_audit_status.stdout | length > 0
-# when:
-# - rhel_08_040129 or
-# rhel_08_040130 or
-# rhel_08_040131
-# tags:
-# - RHEL-08-040129
-# - RHEL-08-040130
-# - RHEL-08-040131
-# - mounts
-
-# - name: |
-# "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
-# "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
-# "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
-# block:
-# - name: |
-# "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option"
-# "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option."
-# "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option."
-# shell: mount | grep /var/tmp
-# changed_when: false
-# failed_when: false
-# register: rhel8stig_040132_var_tmp_status
-
-# - name: |
-# "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
-# "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
-# "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
-# mount:
-# path: /var/tmp
-# state: mounted
-# src: "{{ var_tmp_mount.device }}"
-# fstype: xfs
-# opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}"
-# vars:
-# var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}"
-# when: rhel8stig_040132_var_tmp_status.stdout | length > 0
-# when:
-# - rhel_08_040132 or
-# rhel_08_040133 or
-# rhel_08_040134
-# tags:
-# - RHEL-08-040132
-# - RHEL-08-040133
-# - RHEL-08-040134
-# - mounts
-
-# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
-# block:
-# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy"
-# dnf:
-# name: fapolicyd
-# state: present
-
-# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts"
-# shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
-# changed_when: false
-# failed_when: false
-
-# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy"
-# service:
-# name: fapolicyd
-# state: started
-# enabled: yes
-
-# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy whitelist "
-# lineinfile:
-# path: /etc/fapolicyd/fapolicyd.rules
-# line: "{{ item }}"
-# with_items:
-# - "{{ rhel8stig_fapolicy_white_list }}"
-
-# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0"
-# lineinfile:
-# path: /etc/fapolicyd/fapolicyd.conf
-# regexp: '^permissive ='
-# line: 'permissive = 0'
-# when:
-# - rhel_08_040135
-# tags:
-# - RHEL-08-040135
-# - fapolicyd
-
-# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection."
-# block:
-# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard"
-# dnf:
-# name: usbguard
-# state: present
-
-# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service"
-# service:
-# name: usbguard
-# state: started
-# enabled: yes
-# when:
-# - rhel_08_040140
-# tags:
-# - RHEL-08-040140
-# - usbguard
-
-# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces."
-# block:
-# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables"
-# dnf:
-# name: nftables
-# state: present
-
-# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. 
| Start/Enable nftables"
-# service:
-# name: nftables
-# state: started
-# enabled: yes
-
-# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend"
-# lineinfile:
-# path: /etc/firewalld/firewalld.conf
-# regexp: '^FirewallBackend='
-# line: 'FirewallBackend=nftables'
-# when:
-# - rhel_08_040150
-# tags:
-# - RHEL-08-040150
-# - firewall
-# - nftables
-
-# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."
-# block:
-# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server"
-# dnf:
-# name: openssh-server
-# state: present
-
-# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server"
-# service:
-# name: sshd
-# state: started
-# enabled: yes
-# when:
-# - rhel_08_040160
-# tags:
-# - rhel_08_040160
-# - ssh
-
-# - name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '(?i)^#?RekeyLimit'
-# line: 'RekeyLimit 1G 1h'
-# notify: restart sshd
-# when:
-# - rhel_08_040161
-# tags:
-# - RHEL-08-040161
-# - sshd
-
-# - name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client."
-# lineinfile:
-# path: /etc/ssh/ssh_config
-# regexp: '(?i)^#?RekeyLimit'
-# line: 'RekeyLimit 1G 1h'
-# notify: restart sshd
-# when:
-# - rhel_08_040162
-# tags:
-# - RHEL-08-040162
-# - sshd
-
-# - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8."
-# systemd:
-# name: debug-shell.service
-# state: stopped
-# enabled: no
-# masked: yes
-# daemon_reload: yes
-# when:
-# - rhel_08_040180
-# tags:
-# - RHEL-08-040180
-# - debug-shell
-
-# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted."
-# block:
-# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl"
-# sysctl:
-# name: "{{ item }}"
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-# with_items:
-# - net.ipv4.conf.default.accept_redirects
-# - net.ipv6.conf.default.accept_redirects
-
-# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
| Set accpet_redirects default value to 0"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' }
-# - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' }
-# when:
-# - rhel_08_040210
-# tags:
-# - RHEL-08-040210
-# - icmp
-
-# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects."
-# block:
-# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects in sysctl"
-# sysctl:
-# name: net.ipv4.conf.all.send_redirects
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-
-# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: '^net.ipv4.conf.all.send_redirects'
-# line: 'net.ipv4.conf.all.send_redirects=0'
-# when:
-# - rhel_08_040220
-# tags:
-# - RHEL-08-040220
-# - icmp
-
-# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
-# block:
-# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast in sysctl"
-# sysctl:
-# name: net.ipv4.icmp_echo_ignore_broadcasts
-# state: present
-# value: '1'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-
-# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
| Set echo_ignore_broadcast default value to 1"
-# lineinfile:
-# name: /etc/sysctl.conf
-# regexp: '^net.ipv4.icmp_echo_ignore_broadcasts'
-# line: 'net.ipv4.icmp_echo_ignore_broadcasts=1'
-# when:
-# - rhel_08_040230
-# tags:
-# - RHEL-08-040230
-# - icmp
-
-# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets."
-# block:
-# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl"
-# sysctl:
-# name: "{{ item }}"
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-# with_items:
-# - net.ipv4.conf.all.accept_source_route
-# - net.ipv6.conf.all.accept_source_route
-
-# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' }
-# - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' }
-# when:
-# - rhel_08_040240
-# tags:
-# - RHEL-08-040240
-# - icmp
-
-# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default."
-# block:
-# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl"
-# sysctl:
-# name: "{{ item }}"
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-# with_items:
-# - net.ipv4.conf.default.accept_source_route
-# - net.ipv6.conf.default.accept_source_route
-
-# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. 
| Set conf.default accept_source_route value to 0"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' }
-# - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' }
-# when:
-# - rhel_08_040250
-# tags:
-# - RHEL-08-040250
-# - icmp
-
-# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router."
-# block:
-# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl"
-# sysctl:
-# name: "{{ item }}"
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-# with_items:
-# - net.ipv4.ip_forward
-# - net.ipv6.conf.all.forwarding
-
-# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' }
-# - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' }
-
-# when:
-# - rhel_08_040260
-# - not rhel8stig_system_is_router
-# tags:
-# - RHEL-08-040260
-# - icmp
-
-# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces."
-# block:
-# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra in sysctl"
-# sysctl:
-# name: net.ipv6.conf.all.accept_ra
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-
-# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. 
| Set accept_ra value to 0"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: '^net.ipv6.conf.all.accept_ra'
-# line: 'net.ipv6.conf.all.accept_ra=0'
-# when:
-# - rhel_08_040261
-# - not rhel8stig_system_is_router
-# tags:
-# - RHEL-08-040261
-# - icmp
-
-# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default."
-# block:
-# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra in sysctl"
-# sysctl:
-# name: net.ipv6.conf.default.accept_ra
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-
-# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: '^net.ipv6.conf.default.accept_ra'
-# line: 'net.ipv6.conf.default.accept_ra=0'
-# when:
-# - rhel_08_040262
-# - not rhel8stig_system_is_router
-# tags:
-# - RHEL-08-040262
-# - icmp
-
-# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default."
-# block:
-# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl"
-# sysctl:
-# name: net.ipv4.conf.default.send_redirects
-# state: present
-# value: '0'
-# reload: "{{ rhel8stig_sysctl_reload }}"
-
-# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. 
| Set default.send_redirects value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^net.ipv4.conf.default.send_redirects' -# line: 'net.ipv4.conf.default.send_redirects=0' -# when: -# - rhel_08_040270 -# tags: -# - RHEL-08-040270 -# - icmp - -# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." -# block: -# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.conf.all.accept_redirects -# - net.ipv6.conf.all.accept_redirects - -# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } -# - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } -# when: -# - rhel_08_040280 -# tags: -# - RHEL-08-040280 -# - icmp - -# - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.unprivileged_bpf_disabled' -# line: 'kernel.unprivileged_bpf_disabled = 1' -# owner: root -# group: root -# mode: 0640 -# notify: sysctl system -# when: -# - rhel_08_040281 -# tags: -# - RHEL-08-040281 -# - sysctl - -# - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." 
-# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.yama.ptrace_scope' -# line: 'kernel.yama.ptrace_scope = 1' -# notify: sysctl system -# when: -# - rhel_08_040282 -# tags: -# - RHEL-08-040282 -# - sysctl - -# - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.kptr_restrict' -# line: 'kernel.kptr_restrict = 1' -# owner: root -# group: root -# mode: 0640 -# notify: sysctl system -# when: -# - rhel_08_040283 -# tags: -# - RHEL-08-040283 -# - sysctl - -# - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^user.max_user_namespaces' -# line: 'user.max_user_namespaces = 0' -# notify: sysctl system -# when: -# - rhel_08_040284 -# tags: -# - RHEL-08-040284 -# - sysctl - -# - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^net.ipv4.conf.all.rp_filter' -# line: 'net.ipv4.conf.all.rp_filter = 1' -# notify: sysctl system -# when: -# - rhel_08_040285 -# tags: -# - RHEL-08-040285 -# - sysctl - -# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." -# block: -# - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." -# command: rpm -q postfix -# failed_when: no -# check_mode: no -# changed_when: no -# register: rhel_08_040290_rpm_audit - -# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. 
| Set restriction" -# command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" -# check_mode: no -# when: '"postfix-" in rhel_08_040290_rpm_audit.stdout' -# when: -# - rhel_08_040290 -# tags: -# - RHEL-08-040290 - -# - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." -# package: -# name: xorg-x11-server-common -# state: absent -# when: -# - rhel_08_040320 -# - not rhel8stig_gui - -# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." -# block: -# - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" -# shell: "ip link | grep -i promisc | cut -d ':' -f 2" -# check_mode: no -# failed_when: no -# changed_when: rhel_08_040670_promisc_check.stdout != '' -# ignore_errors: yes -# register: rhel_08_040670_promisc_check - -# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" -# shell: "ip link set dev {{ item }} promisc off" -# with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" -# when: -# - rhel_08_040330 -# - not rhel8stig_net_promisc_mode_required -# tags: -# - RHEL-08-040330 - -# - name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?X11Forwarding' -# line: 'X11Forwarding no' -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: restart sshd -# when: -# - rhel_08_040340 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-040340 -# - ssh - -# - name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display." 
-# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?X11UseLocalhost' -# line: 'X11UseLocalhost yes' -# when: -# - rhel_08_040341 -# tags: -# - RHEL-08-040341 -# - ssh - -# - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." -# lineinfile: -# path: /etc/xinetd.d/tftp -# regexp: "(?i)^.*server_args.*=" -# line: "\tserver_args\t\t= -s /var/lib/tftpboot" -# insertafter: "\tserver\t\t\t=" -# state: present -# register: result -# failed_when: -# - result is failed -# - result.rc != 257 -# when: -# - rhel_08_040350 -# - rhel8stig_tftp_required -# tags: -# - skip_ansible_lint -# - RHEL-08-040350 -# - tftp - -# - name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." -# dnf: -# name: iprutils -# state: absent -# when: -# - rhel_08_040380 -# tags: -# - RHEL-08-040380 -# - iprutils - -# - name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8." -# dnf: -# name: tuned -# state: absent -# when: -# - rhel_08_040390 -# tags: -# - RHEL-08-040390 -# - tuned + - rhel_08_040390 + tags: + - RHEL-08-040390 + - tuned diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index c279d11b..097e5979 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
@@ -8,496 +8,496 @@ - RHEL-08-010171 - policycoreutils -- name: "LOW | RHEL-08-010292 | PATCH | RHEL 8 must ensure the SSH server uses strong entropy." - lineinfile: - path: /etc/sysconfig/sshd - regexp: '^SSH_USE_STRONG_RNG=|^.*SSH_USE_STRONG_RNG=' - line: SSH_USE_STRONG_RNG=32 - notify: restart sshd - when: - - rhel_08_010292 - tags: - - RHEL-08-010292 - - sshd - -- name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." - block: - - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.dmesg_restrict =' - line: "kernel.dmesg_restrict = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^kernel.dmesg_restrict =' - line: "kernel.dmesg_restrict = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010375 - tags: - - RHEL-08-010375 - - sysctl - -- name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." - block: - - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. 
| Set kernel profiling if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.perf_event_paranoid =' - line: 'kernel.perf_event_paranoid = 2' - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. | Set kernel profiling no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^kernel.perf_event_paranoid =' - line: 'kernel.perf_event_paranoid = 2' - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010376 - tags: - - RHEL-08-010376 - - sysctl - -- name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8." - block: - - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Find .conf files" - find: - paths: /etc - recurse: yes - file_type: any - depth: 2 - patterns: - - yum.conf - - dnf.conf - register: rhel_08_010440_package_confs - - - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Set settings" - lineinfile: - path: "{{ item.path }}" - regexp: '^.*clean_requirements_on_remove' - line: 'clean_requirements_on_remove=True' - with_items: - - "{{ rhel_08_010440_package_confs.files }}" - when: - - rhel_08_010440 - tags: - - RHEL-08-010440 - -- name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service." - systemd: - name: rngd.service - state: started - enabled: yes - when: - - rhel_08_010471 - tags: - - RHEL-08-010471 - -- name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." 
- debug: - msg: "WARNING: /var is not mounted on a separate partition" - changed_when: - - rhel8stig_audit_complex - when: - - rhel_08_010540 - - not rhel8stig_system_is_container - - rhel8stig_complex - - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0 - tags: - - RHEL-08-010540 - - complexity-high - - mount - - var - -- name: "LOW | RHEL-08-010541 | AUDIT | RHEL 8 must use a separate file system for /var/log." - debug: - msg: - - "WARNING!! /var/log is not mounted on a seperate partition" - changed_when: - - rhel8stig_audit_complex - when: - - rhel_08_010541 - - not rhel8stig_system_is_container - - rhel8stig_complex - - ansible_mounts | selectattr('mount', 'match', '^/var/log$') | list | length == 0 - tags: - - RHEL-08-010541 - - complexity_high - - mount - - auditd - -- name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." - debug: - msg: - - "WARNING!! /var/log/audit is not mounted on a seperate partition" - changed_when: - - rhel8stig_audit_complex - when: - - rhel_08_010542 - - not rhel8stig_system_is_container - - rhel8stig_complex - - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0 - tags: - - RHEL-08-010542 - - complexity_high - - mount - - auditd - -- name: "LOW | RHEL-08-020024 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." - lineinfile: - path: /etc/security/limits.conf - regexp: '^\* hard maxlogins' - line: '* hard maxlogins 10' - insertbefore: '^# End of file' - create: yes - owner: root - group: root - mode: 0644 - when: - - rhel_08_020024 - tags: - - RHEL-08-020024 - -- name: "LOW | RHEL-08-020042 | PATCH | RHEL 8 must prevent users from disabling session control mechanisms." 
- lineinfile: - path: /etc/shells - regexp: 'tmux' - state: absent - when: - - rhel_08_020042 - tags: - - RHEL-08-020042 - - tmux - -- name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon." - block: - - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Set session required for pam_lastlog.so" - pamd: - name: postlogin - type: session - control: optional - new_control: required - module_path: pam_lastlog.so - state: updated - - - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Remove default=1 and optional control" - pamd: - name: postlogin - type: session - state: args_absent - control: "{{ item }}" - module_path: pam_lastlog.so - module_arguments: silent - with_items: - - '[default=1]' - - required - when: - - rhel_08_020340 - tags: - - RHEL-08-020340 - -- name: "LOW | RHEL-08-030063 | PATCH | RHEL 8 must resolve audit information before writing to disk." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^log_format =' - line: "log_format = ENRICHED" - notify: restart auditd - when: - - rhel_08_030063 - tags: - - RHEL-08-030063 - - auditd - -- name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon." - block: - - name: "LOW | RHEL-08-030601 | AUDIT | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - register: rhel8stig_030601_grub_cmdline_linux - - - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. 
| Set audit to 1 as active" - shell: grubby --update-kernel=ALL --args="audit=1" - args: - warn: no - - - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030601_grub_cmdline_linux.stdout }} audit=1"' - when: '"audit=" not in rhel8stig_030601_grub_cmdline_linux.stdout' - - - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if exists" - replace: - path: /etc/default/grub - regexp: 'audit=([^\s|"])+' - replace: "audit=1" - when: '"audit=" in rhel8stig_030601_grub_cmdline_linux.stdout' - when: - - rhel_08_030601 - tags: - - RHEL-08-030601 - - grub - -- name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon." - block: - - name: "LOW | RHEL-08-030602 | AUDIT | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - register: rhel8stig_030602_grub_cmdline_linux - - - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" - shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" - args: - warn: no - - - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. 
| Set audit audit_backlog_limit for kernel updates if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030602_grub_cmdline_linux.stdout }} audit_backlog_limit=8192"' - when: '"audit_backlog_limit=" not in rhel8stig_030602_grub_cmdline_linux.stdout' - - - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if exists" - replace: - path: /etc/default/grub - regexp: 'audit_backlog_limit=([^\s|"])+' - replace: "audit_backlog_limit=8192" - when: '"audit_backlog_limit=" in rhel8stig_030602_grub_cmdline_linux.stdout' - when: - - rhel_08_030602 - tags: - - RHEL-08-030602 - - grub - -- name: "LOW | RHEL-08-030603 | PATCH | RHEL 8 must enable Linux audit logging for the USBGuard daemon" - lineinfile: - path: /etc/usbguard/usbguard-daemon.conf - regexp: '^AuditBackend=' - line: "AuditBackend=LinuxAudit" - create: yes - owner: root - group: root - mode: 0600 - when: - - rhel_08_030603 - tags: - - RHEL-08-030603 - - usb - -- name: "LOW | RHEL-08-030741 | PATCH | RHEL 8 must disable the chrony daemon from acting as a server." - lineinfile: - path: /etc/chrony.conf - regexp: '^port|#port' - line: "port 0" - when: - - rhel_08_030741 - tags: - - RHEL-08-030741 - - chrony - -- name: "LOW | RHEL-08-030742 | PATCH | RHEL 8 must disable network management of the chrony daemon." - lineinfile: - path: /etc/chrony.conf - regexp: '^cmdport|#cmdport' - line: "cmdport 0" - when: - - rhel_08_030742 - tags: - - RHEL-08-030742 - - chrony - -- name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." - block: - - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. 
| Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_040004_grub_cmdline_linux - - - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" - shell: grubby --update-kernel=ALL --args="pti=on" - args: - warn: no - - - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_040004_grub_cmdline_linux.stdout }} pti=on"' - when: '"pti=" not in rhel8stig_040004_grub_cmdline_linux.stdout' - - - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti exists" - replace: - path: /etc/default/grub - regexp: 'pti=([^\s|"])+' - replace: "pti=on" - when: '"pti=" in rhel8stig_040004_grub_cmdline_linux.stdout' - when: - - rhel_08_040004 - tags: - - RHEL-08-040004 - - grub - -- name: "LOW | RHEL-08-040021 | PATCH | RHEL 8 must disable the asynchronous transfer mode (ATM) protocol." - lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0640 - notify: reboot system - with_items: - - { regexp: '^install ATM', line: 'install ATM /bin/true', insertafter: 'EOF' } - - { regexp: '^blacklist ATM', line: 'blacklist ATM', insertafter: '^install ATM /bin/true' } - when: - - rhel_08_040021 - tags: - - RHEL-08-040021 - - modprobe - - atm - -- name: "LOW | RHEL-08-040022 | PATCH | RHEL 8 must disable the controller area network (CAN) protocol." 
- lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0640 - notify: reboot system - with_items: - - { regexp: '^install CAN', line: 'install CAN /bin/true', insertafter: 'EOF' } - - { regexp: 'blacklist CAN', line: 'blacklist CAN', insertafter: '^install CAN /bin/true' } - when: - - rhel_08_040022 - tags: - - RHEL-08-040022 - - modprobe - - can - -- name: "LOW | RHEL-08-040023 | PATCH | RHEL 8 must disable the stream control transmission (SCTP) protocol." - lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0640 - notify: reboot system - with_items: - - { regexp: '^install SCTP', line: 'install SCTP /bin/true', insertafter: 'EOF' } - - { regexp: '^blacklist SCTP', line: 'blacklist SCTP', insertafter: '^install SCTP' } - when: - - rhel_08_040023 - tags: - - RHEL-08-040023 - - modprobe - - sctp - -- name: "LOW | RHEL-08-040024 | PATCH | RHEL 8 must disable the transparent inter-process communication (TIPC) protocol." - lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0640 - notify: reboot system - with_items: - - { regexp: '^install TIPC', line: 'install TIPC /bin/true', insertafter: 'EOF' } - - { regexp: '^blacklist TIPC', line: 'blacklist TIPC', insertafter: '^install TIPC' } - when: - - rhel_08_040024 - tags: - - RHEL-08-040024 - - modprobe - - tipc - -- name: "LOW | RHEL-08-040025 | PATCH | RHEL 8 must disable mounting of cramfs." 
- lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0640 - notify: reboot system - with_items: - - { regexp: '^install cramfs', line: 'install cramfs /bin/true', insertafter: 'EOF' } - - { regexp: 'blacklist cramfs', line: 'blacklist cramfs', insertafter: '^install cramfs' } - when: - - rhel_08_040025 - tags: - - RHEL-08-040025 - - modprobe - - cramfs - -- name: "LOW | RHEL-08-040026 | PATCH | RHEL 8 must disable IEEE 1394 (FireWire) Support." - lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0640 - notify: reboot system - with_items: - - { regexp: '^install firewire-core', line: 'install firewire-core /bin/true', insertafter: 'EOF' } - - { regexp: '^blacklist firewire-core', line: 'blacklist firewire-core', insertafter: '^install firewire-core' } - when: - - rhel_08_040026 - tags: - - RHEL-08-040026 - - modprobe - - firewire - -- name: | - "LOW | RHEL-08-040300 | PATCH | The RHEL 8 file integrity tool must be configured to verify extended attributes." - "LOW | RHEL-08-040310 | PATCH | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)." - template: - src: aide.conf.j2 - dest: /etc/aide.conf - owner: root - group: root - mode: '0600' - when: - - rhel_08_040300 - - rhel_08_040310 - tags: - - RHEL-08-040300 - - RHEL-08-040310 - - aide +# - name: "LOW | RHEL-08-010292 | PATCH | RHEL 8 must ensure the SSH server uses strong entropy." 
+# lineinfile: +# path: /etc/sysconfig/sshd +# regexp: '^SSH_USE_STRONG_RNG=|^.*SSH_USE_STRONG_RNG=' +# line: SSH_USE_STRONG_RNG=32 +# notify: restart sshd +# when: +# - rhel_08_010292 +# tags: +# - RHEL-08-010292 +# - sshd + +# - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." +# block: +# - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer if using numbered link files" +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.dmesg_restrict =' +# line: "kernel.dmesg_restrict = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched > 0 +# - rhel8stig_sysctlconf_filename.files[0].islnk + +# - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer no numbered link files" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^kernel.dmesg_restrict =' +# line: "kernel.dmesg_restrict = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched == 0 or +# not rhel8stig_sysctlconf_filename.files[0].islnk +# when: +# - rhel_08_010375 +# tags: +# - RHEL-08-010375 +# - sysctl + +# - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." +# block: +# - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. | Set kernel profiling if using numbered link files" +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.perf_event_paranoid =' +# line: 'kernel.perf_event_paranoid = 2' +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched > 0 +# - rhel8stig_sysctlconf_filename.files[0].islnk + +# - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. 
| Set kernel profiling no numbered link files" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^kernel.perf_event_paranoid =' +# line: 'kernel.perf_event_paranoid = 2' +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched == 0 or +# not rhel8stig_sysctlconf_filename.files[0].islnk +# when: +# - rhel_08_010376 +# tags: +# - RHEL-08-010376 +# - sysctl + +# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8." +# block: +# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Find .conf files" +# find: +# paths: /etc +# recurse: yes +# file_type: any +# depth: 2 +# patterns: +# - yum.conf +# - dnf.conf +# register: rhel_08_010440_package_confs + +# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Set settings" +# lineinfile: +# path: "{{ item.path }}" +# regexp: '^.*clean_requirements_on_remove' +# line: 'clean_requirements_on_remove=True' +# with_items: +# - "{{ rhel_08_010440_package_confs.files }}" +# when: +# - rhel_08_010440 +# tags: +# - RHEL-08-010440 + +# - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service." +# systemd: +# name: rngd.service +# state: started +# enabled: yes +# when: +# - rhel_08_010471 +# tags: +# - RHEL-08-010471 + +# - name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." 
+# debug: +# msg: "WARNING: /var is not mounted on a separate partition" +# changed_when: +# - rhel8stig_audit_complex +# when: +# - rhel_08_010540 +# - not rhel8stig_system_is_container +# - rhel8stig_complex +# - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0 +# tags: +# - RHEL-08-010540 +# - complexity-high +# - mount +# - var + +# - name: "LOW | RHEL-08-010541 | AUDIT | RHEL 8 must use a separate file system for /var/log." +# debug: +# msg: +# - "WARNING!! /var/log is not mounted on a seperate partition" +# changed_when: +# - rhel8stig_audit_complex +# when: +# - rhel_08_010541 +# - not rhel8stig_system_is_container +# - rhel8stig_complex +# - ansible_mounts | selectattr('mount', 'match', '^/var/log$') | list | length == 0 +# tags: +# - RHEL-08-010541 +# - complexity_high +# - mount +# - auditd + +# - name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." +# debug: +# msg: +# - "WARNING!! /var/log/audit is not mounted on a seperate partition" +# changed_when: +# - rhel8stig_audit_complex +# when: +# - rhel_08_010542 +# - not rhel8stig_system_is_container +# - rhel8stig_complex +# - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0 +# tags: +# - RHEL-08-010542 +# - complexity_high +# - mount +# - auditd + +# - name: "LOW | RHEL-08-020024 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." +# lineinfile: +# path: /etc/security/limits.conf +# regexp: '^\* hard maxlogins' +# line: '* hard maxlogins 10' +# insertbefore: '^# End of file' +# create: yes +# owner: root +# group: root +# mode: 0644 +# when: +# - rhel_08_020024 +# tags: +# - RHEL-08-020024 + +# - name: "LOW | RHEL-08-020042 | PATCH | RHEL 8 must prevent users from disabling session control mechanisms." 
+# lineinfile: +# path: /etc/shells +# regexp: 'tmux' +# state: absent +# when: +# - rhel_08_020042 +# tags: +# - RHEL-08-020042 +# - tmux + +# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon." +# block: +# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Set session required for pam_lastlog.so" +# pamd: +# name: postlogin +# type: session +# control: optional +# new_control: required +# module_path: pam_lastlog.so +# state: updated + +# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Remove default=1 and optional control" +# pamd: +# name: postlogin +# type: session +# state: args_absent +# control: "{{ item }}" +# module_path: pam_lastlog.so +# module_arguments: silent +# with_items: +# - '[default=1]' +# - required +# when: +# - rhel_08_020340 +# tags: +# - RHEL-08-020340 + +# - name: "LOW | RHEL-08-030063 | PATCH | RHEL 8 must resolve audit information before writing to disk." +# lineinfile: +# path: /etc/audit/auditd.conf +# regexp: '^log_format =' +# line: "log_format = ENRICHED" +# notify: restart auditd +# when: +# - rhel_08_030063 +# tags: +# - RHEL-08-030063 +# - auditd + +# - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon." +# block: +# - name: "LOW | RHEL-08-030601 | AUDIT | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" +# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' +# changed_when: false +# failed_when: false +# register: rhel8stig_030601_grub_cmdline_linux + +# - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. 
| Set audit to 1 as active" +# shell: grubby --update-kernel=ALL --args="audit=1" +# args: +# warn: no + +# - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" +# lineinfile: +# path: /etc/default/grub +# regexp: '^GRUB_CMDLINE_LINUX=' +# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030601_grub_cmdline_linux.stdout }} audit=1"' +# when: '"audit=" not in rhel8stig_030601_grub_cmdline_linux.stdout' + +# - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if exists" +# replace: +# path: /etc/default/grub +# regexp: 'audit=([^\s|"])+' +# replace: "audit=1" +# when: '"audit=" in rhel8stig_030601_grub_cmdline_linux.stdout' +# when: +# - rhel_08_030601 +# tags: +# - RHEL-08-030601 +# - grub + +# - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon." +# block: +# - name: "LOW | RHEL-08-030602 | AUDIT | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" +# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' +# changed_when: false +# failed_when: false +# register: rhel8stig_030602_grub_cmdline_linux + +# - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" +# shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" +# args: +# warn: no + +# - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. 
| Set audit audit_backlog_limit for kernel updates if doesn't exist" +# lineinfile: +# path: /etc/default/grub +# regexp: '^GRUB_CMDLINE_LINUX=' +# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030602_grub_cmdline_linux.stdout }} audit_backlog_limit=8192"' +# when: '"audit_backlog_limit=" not in rhel8stig_030602_grub_cmdline_linux.stdout' + +# - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if exists" +# replace: +# path: /etc/default/grub +# regexp: 'audit_backlog_limit=([^\s|"])+' +# replace: "audit_backlog_limit=8192" +# when: '"audit_backlog_limit=" in rhel8stig_030602_grub_cmdline_linux.stdout' +# when: +# - rhel_08_030602 +# tags: +# - RHEL-08-030602 +# - grub + +# - name: "LOW | RHEL-08-030603 | PATCH | RHEL 8 must enable Linux audit logging for the USBGuard daemon" +# lineinfile: +# path: /etc/usbguard/usbguard-daemon.conf +# regexp: '^AuditBackend=' +# line: "AuditBackend=LinuxAudit" +# create: yes +# owner: root +# group: root +# mode: 0600 +# when: +# - rhel_08_030603 +# tags: +# - RHEL-08-030603 +# - usb + +# - name: "LOW | RHEL-08-030741 | PATCH | RHEL 8 must disable the chrony daemon from acting as a server." +# lineinfile: +# path: /etc/chrony.conf +# regexp: '^port|#port' +# line: "port 0" +# when: +# - rhel_08_030741 +# tags: +# - RHEL-08-030741 +# - chrony + +# - name: "LOW | RHEL-08-030742 | PATCH | RHEL 8 must disable network management of the chrony daemon." +# lineinfile: +# path: /etc/chrony.conf +# regexp: '^cmdport|#cmdport' +# line: "cmdport 0" +# when: +# - rhel_08_030742 +# tags: +# - RHEL-08-030742 +# - chrony + +# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." +# block: +# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. 
| Get GRUB_CMDLINE_LINUX settings" +# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' +# args: +# warn: no +# changed_when: false +# failed_when: false +# register: rhel8stig_040004_grub_cmdline_linux + +# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" +# shell: grubby --update-kernel=ALL --args="pti=on" +# args: +# warn: no + +# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti if doesn't exist" +# lineinfile: +# path: /etc/default/grub +# regexp: '^GRUB_CMDLINE_LINUX=' +# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_040004_grub_cmdline_linux.stdout }} pti=on"' +# when: '"pti=" not in rhel8stig_040004_grub_cmdline_linux.stdout' + +# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti exists" +# replace: +# path: /etc/default/grub +# regexp: 'pti=([^\s|"])+' +# replace: "pti=on" +# when: '"pti=" in rhel8stig_040004_grub_cmdline_linux.stdout' +# when: +# - rhel_08_040004 +# tags: +# - RHEL-08-040004 +# - grub + +# - name: "LOW | RHEL-08-040021 | PATCH | RHEL 8 must disable the asynchronous transfer mode (ATM) protocol." +# lineinfile: +# path: /etc/modprobe.d/blacklist.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: reboot system +# with_items: +# - { regexp: '^install ATM', line: 'install ATM /bin/true', insertafter: 'EOF' } +# - { regexp: '^blacklist ATM', line: 'blacklist ATM', insertafter: '^install ATM /bin/true' } +# when: +# - rhel_08_040021 +# tags: +# - RHEL-08-040021 +# - modprobe +# - atm + +# - name: "LOW | RHEL-08-040022 | PATCH | RHEL 8 must disable the controller area network (CAN) protocol." 
+# lineinfile: +# path: /etc/modprobe.d/blacklist.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: reboot system +# with_items: +# - { regexp: '^install CAN', line: 'install CAN /bin/true', insertafter: 'EOF' } +# - { regexp: 'blacklist CAN', line: 'blacklist CAN', insertafter: '^install CAN /bin/true' } +# when: +# - rhel_08_040022 +# tags: +# - RHEL-08-040022 +# - modprobe +# - can + +# - name: "LOW | RHEL-08-040023 | PATCH | RHEL 8 must disable the stream control transmission (SCTP) protocol." +# lineinfile: +# path: /etc/modprobe.d/blacklist.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: reboot system +# with_items: +# - { regexp: '^install SCTP', line: 'install SCTP /bin/true', insertafter: 'EOF' } +# - { regexp: '^blacklist SCTP', line: 'blacklist SCTP', insertafter: '^install SCTP' } +# when: +# - rhel_08_040023 +# tags: +# - RHEL-08-040023 +# - modprobe +# - sctp + +# - name: "LOW | RHEL-08-040024 | PATCH | RHEL 8 must disable the transparent inter-process communication (TIPC) protocol." +# lineinfile: +# path: /etc/modprobe.d/blacklist.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: reboot system +# with_items: +# - { regexp: '^install TIPC', line: 'install TIPC /bin/true', insertafter: 'EOF' } +# - { regexp: '^blacklist TIPC', line: 'blacklist TIPC', insertafter: '^install TIPC' } +# when: +# - rhel_08_040024 +# tags: +# - RHEL-08-040024 +# - modprobe +# - tipc + +# - name: "LOW | RHEL-08-040025 | PATCH | RHEL 8 must disable mounting of cramfs." 
+# lineinfile: +# path: /etc/modprobe.d/blacklist.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: reboot system +# with_items: +# - { regexp: '^install cramfs', line: 'install cramfs /bin/true', insertafter: 'EOF' } +# - { regexp: 'blacklist cramfs', line: 'blacklist cramfs', insertafter: '^install cramfs' } +# when: +# - rhel_08_040025 +# tags: +# - RHEL-08-040025 +# - modprobe +# - cramfs + +# - name: "LOW | RHEL-08-040026 | PATCH | RHEL 8 must disable IEEE 1394 (FireWire) Support." +# lineinfile: +# path: /etc/modprobe.d/blacklist.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: reboot system +# with_items: +# - { regexp: '^install firewire-core', line: 'install firewire-core /bin/true', insertafter: 'EOF' } +# - { regexp: '^blacklist firewire-core', line: 'blacklist firewire-core', insertafter: '^install firewire-core' } +# when: +# - rhel_08_040026 +# tags: +# - RHEL-08-040026 +# - modprobe +# - firewire + +# - name: | +# "LOW | RHEL-08-040300 | PATCH | The RHEL 8 file integrity tool must be configured to verify extended attributes." +# "LOW | RHEL-08-040310 | PATCH | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)." +# template: +# src: aide.conf.j2 +# dest: /etc/aide.conf +# owner: root +# group: root +# mode: '0600' +# when: +# - rhel_08_040300 +# - rhel_08_040310 +# tags: +# - RHEL-08-040300 +# - RHEL-08-040310 +# - aide From 54d284a5209a7ca2983aae9ccc030234dcbcf692 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 9 Aug 2021 13:26:55 -0400 Subject: [PATCH 016/110] Updated fix-cat1.yml just incase Signed-off-by: George Nalen --- tasks/fix-cat1.yml | 232 +++++++++++++++++++++++++++++---------------- 1 file changed, 152 insertions(+), 80 deletions(-) 
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index afd65723..48bd0e43 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -1,5 +1,6 @@ --- -- name: "HIGH | RHEL-08-010000 | AUDIT | The RHEL 8 must be a vendor-supported release." + +- name: "RHEL-08-010000 | HIGH | AUDIT | The RHEL 8 must be a vendor-supported release." debug: msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=') 
@@ -7,21 +8,30 @@ - rhel_08_010000 tags: - RHEL-08-010000 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230221r627750_rule + - V-230221 -- name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." +- name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." + - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." 
dnf: name: dracut-fips state: present notify: rebuild initramfs + when: + - not ansible_fips - - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" + - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" command: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 + when: + - not ansible_fips - - name: "HIGH | RHEL-08-010020 | AUDIT | Check if prelink package is installed" + - name: "RHEL-08-010020 | HIGH | AUDIT | Check if prelink package is installed" command: rpm -q prelink args: warn: no @@ -30,7 +40,7 @@ check_mode: no register: rhel_08_010020_prelink_installed - - name: "HIGH | RHEL-08-010020 | PATCH | Disable prelinking." + - name: "RHEL-08-010020 | HIGH | PATCH | Disable prelinking." lineinfile: dest: /etc/sysconfig/prelink regexp: ^#?PRELINKING 
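Review bot: The new `not ansible_fips` guard on the `fips-mode-setup --enable` task only reflects the kernel state at fact-gathering time, and FIPS mode does not take effect until the host reboots, yet nothing in this block notifies a reboot, so a second run before the reboot re-executes `fips-mode-setup --enable` and reports changed again via `changed_when: rhel_08_010020_kernel_fips_enable.rc == 0`. Add `notify: reboot system` to that command task (a handler of that name is referenced elsewhere in this patch series — confirm it exists in this role) and a comment such as `# ansible_fips stays false until the host has rebooted into FIPS mode`. I believe `fips-mode-setup --enable` regenerates the initramfs itself, so the separate `rebuild initramfs` handler on the `dracut-fips` install is likely duplicate work; a one-line comment stating which step is expected to rebuild it would help. The enclosing block continues past the end of this hunk.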
@@ -38,14 +48,14 @@ when: rhel_08_010020_prelink_installed.rc == 0 notify: undo existing prelinking - - name: "HIGH | RHEL-08-010020 | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" + - name: "RHEL-08-010020 | HIGH | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub check_mode: no failed_when: no changed_when: rhel_08_010020_default_grub_missing_audit.rc > 0 register: rhel_08_010020_default_grub_missing_audit - - name: "HIGH | RHEL-08-010020 | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" + - name: "RHEL-08-010020 | HIGH | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline check_mode: no changed_when: no @@ -53,7 +63,7 @@ when: rhel_08_010020_default_grub_missing_audit is changed register: rhel_08_010020_grub_cmdline_linux_audit - - name: "HIGH | RHEL-08-010020 | PATCH | Copy over a sane /etc/default/grub" + - name: "RHEL-08-010020 | HIGH | PATCH | Copy over a sane /etc/default/grub" template: src: etc_default_grub.j2 dest: /etc/default/grub @@ -64,7 +74,7 @@ grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" when: rhel_08_010020_default_grub_missing_audit is changed - - name: "HIGH | RHEL-08-010020 | PATCH | fips=1 must be in /etc/default/grub" + - name: "RHEL-08-010020 | HIGH | PATCH | fips=1 must be in /etc/default/grub" replace: path: /etc/default/grub regexp: "{{ rhel8stig_regexp_quoted_params }}" @@ -80,7 +90,7 @@ notify: - confirm grub2 user cfg - - name: "HIGH | RHEL-08-010020 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." + - name: "RHEL-08-010020 | HIGH | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." replace: path: /etc/default/grub regexp: "{{ rhel8stig_regexp_quoted_params }}" 
@@ -100,7 +110,7 @@ notify: confirm grub2 user cfg register: result - - name: "HIGH | RHEL-08-010020 | AUDIT | Verify kernel parameters in /etc/default/grub" + - name: "RHEL-08-010020 | HIGH | AUDIT | Verify kernel parameters in /etc/default/grub" command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub check_mode: no with_items: 
@@ -124,45 +134,32 @@ when: rhel_08_010020 tags: - RHEL-08-010020 + - CAT1 + - CCI-000068 + - SRG-OS-000033-GPOS-00014 + - SV-230223r627750_rule + - V-230223 - name: | - "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." - "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." + "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." + "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." block: - # the createuser.cfg task is a workaround for the the ansible bug https://github.com/ansible/ansible/pull/59823 - name: | - "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Create user.cfg" - "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. 
| Create user.cfg" - shell: test -f {{ file_q }} && echo exists || {{ create_cmd }} - args: - warn: no - check_mode: "{{ ansible_check_mode is not defined }}" - register: rhel8stig_create_grub_user_cfg - changed_when: - - rhel8stig_create_grub_user_cfg.stdout == "created" - failed_when: - - rhel8stig_create_grub_user_cfg.stdout != "created" - - rhel8stig_create_grub_user_cfg.stdout != "exists" - vars: - file_q: "{{ (rhel8stig_grub_cfg_path | dirname ~ '/user.cfg') | quote }}" - create_cmd: "({{ ansible_check_mode | ternary('', 'touch ' ~ file_q ~ ' && ') }}echo created)" - - - name: | - "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" - "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" + "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" + "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" lineinfile: path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg" create: yes regexp: ^GRUB2_PASSWORD= - line: GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }} + line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}" owner: root group: root mode: 0640 notify: confirm grub2 user cfg - name: | - "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. 
| Set UEFI superusers" - "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers" + "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers" + "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers" lineinfile: dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" regexp: '^set superusers' 
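Review bot: The `Set UEFI superusers` task edits `{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg` directly, but on RHEL 8 that file is generated, so the `set superusers` line is lost the next time `grub2-mkconfig` runs (including, as far as I can tell, via the `confirm grub2 user cfg` handler this block notifies). RHEL ships `/etc/grub.d/01_users`, which already emits `set superusers="root"` and sources `user.cfg`, so the `GRUB2_PASSWORD=` line written to `user.cfg` above is normally sufficient; if superusers must be set explicitly, it belongs in a `/etc/grub.d/` snippet followed by a regeneration, not in `grub.cfg`. Separately, the second task title has a spacing typo, `"RHEL-08-010150 | HIGH |PATCH |"` versus `| HIGH | PATCH |` everywhere else, which matters if tooling parses these names. The task's remaining lines (`line:`, `notify:`) are outside this hunk.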
@@ -176,22 +173,35 @@ tags: - RHEL-08-010140 - RHEL-08-010150 + - CAT1 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-230234r627750_rule + - SV-230235r627750_rule + - V-230234 + - V-230235 - grub - bootloader -- name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." +- name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." block: - - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos" + - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Dnf Default" + lineinfile: + path: /etc/dnf/dnf.conf + regexp: '^gpgcheck=' + line: gpgcheck=1 + + - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos" find: paths: /etc/yum.repos.d pattern: '*.repo' register: rhel_08_010370_repos_files_list_full - - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Flatten result" + - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Flatten result" set_fact: rhel_08_010370_repos_files_list: "{{ rhel_08_010370_repos_files_list_full.files | map(attribute='path') | flatten }}" - - name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Set gpgcheck" + - name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Set gpgcheck" lineinfile: path: "{{ item }}" regexp: '^gpgcheck' @@ -202,9 +212,14 @@ - rhel_08_010370 tags: - RHEL-08-010370 + - CAT1 + - CCI-001749 + - SRG-OS-000366-GPOS-00153 + - SV-230264r627750_rule + - V-230264 - yum -- name: "HIGH | RHEL-08-010371 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." +- name: "RHEL-08-010371 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." lineinfile: path: /etc/dnf/dnf.conf regexp: '^localpkg_gpgcheck=' @@ -213,9 +228,14 @@ - rhel_08_010371 tags: - RHEL-08-010371 + - CAT1 + - CCI-001749 + - SRG-OS-000366-GPOS-00153 + - SV-230265r627750_rule + - V-230265 - dnf -- name: "HIGH | RHEL-08-010460 | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system." +- name: "RHEL-08-010460 | HIGH | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system." file: path: /etc/ssh/shosts.equiv state: absent 
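Review bot: The per-repository `Set gpgcheck` task uses `lineinfile` with `regexp: '^gpgcheck'`, and lineinfile rewrites only the last matching line in a file, so a `.repo` file with several `[section]` stanzas (RHEL's `redhat.repo`, the CentOS base files) keeps `gpgcheck=0` in every stanza but the last and the control is only partially enforced. Switching that task to the `replace` module fixes every occurrence while leaving the rest of the task intact: `replace:` / `regexp: '^gpgcheck\s*=.*$'` / `replace: 'gpgcheck=1'`; stanzas with no gpgcheck line at all fall back to the new `gpgcheck=1` in `/etc/dnf/dnf.conf`, which is exactly what the added dnf.conf task provides. That dnf.conf task modifies a file, so its title should read `PATCH` rather than `AUDIT`, and its `regexp: '^gpgcheck='` will not match a pre-existing `gpgcheck = 0` written with spaces — `'^gpgcheck\s*='` covers both. The `with_items` loop for the repo task lies past the end of this hunk.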
@@ -223,18 +243,23 @@ - rhel_08_010460 tags: - RHEL-08-010460 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230283r627750_rule + - V-230283 - shosts -- name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system." +- name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system." block: - - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files" + - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files" find: path: '/' recurse: yes patterns: '*.shosts' register: rhel_08_010470_shost_files - - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files" + - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files" file: path: "{{ item.path }}" state: absent @@ -244,9 +269,14 @@ - rhel_08_010470 tags: - RHEL-08-010470 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230284r627750_rule + - V-230284 - shosts -- name: "HIGH | RHEL-08-010820 | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed." +- name: "RHEL-08-010820 | HIGH | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed." lineinfile: path: /etc/gdm/custom.conf regexp: (?i)automaticloginenable 
@@ -257,10 +287,15 @@ - rhel_08_010820 tags: - RHEL-08-010820 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00229 + - SV-230329r627750_rule + - V-230329 -- name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." +- name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." block: - - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok" + - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok" replace: path: "{{ item }}" regexp: ' nullok' @@ -269,7 +304,7 @@ - /etc/pam.d/system-auth - /etc/pam.d/password-auth - - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Set PermitEmptyPasswords to no" + - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Set PermitEmptyPasswords to no" lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitEmptyPasswords' 
@@ -280,48 +315,52 @@ - rhel8stig_disruption_high tags: - RHEL-08-020330 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230380r627750_rule + - V-230380 - disruption_high -- name: "HIGH | RHEL-08-040000 | PATCH | RHEL 8 must not have the telnet-server package installed." +- name: "RHEL-08-040000 | HIGH | PATCH | RHEL 8 must not have the telnet-server package installed." dnf: name: telnet-server state: absent when: - rhel_08_040000 + - - "'telnet-server' in ansible_facts.packages" tags: - RHEL-08-040000 + - CAT1 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230487r627750_rule + - V-230487 -- name: "HIGH | RHEL-08-040010 | PATCH | RHEL 8 must not have the rsh-server package installed." +- name: "RHEL-08-040010 | HIGH | PATCH | RHEL 8 must not have the rsh-server package installed." dnf: name: rsh-server state: absent when: - rhel_08_040010 + - "'rsh-server' in ansible_facts.packages" tags: - RHEL-08-040010 + - CAT1 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230492r627750_rule + - V-230492 -- name: "HIGH | RHEL-08-040060 | PATCH | RHEL 8 must enforce SSHv2 for network access to all accounts." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^.*Protocol' - line: 'Protocol 2' - notify: restart sshd - when: - - rhel_08_040060 - - rhel8stig_ssh_required - tags: - - RHEL-08-040060 - - ssh - -- name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8." +- name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8." block: - - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Mask ctrl-alt-del.target" + - name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. 
| Mask ctrl-alt-del.target" systemd: name: ctrl-alt-del.target masked: yes notify: systemctl daemon-reload - - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Create symlink to /dev/null" + - name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Create symlink to /dev/null" file: src: /dev/null dest: /etc/systemd/system/ctrl-alt-del.target @@ -331,16 +370,21 @@ - rhel_08_040170 tags: - RHEL-08-040170 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230529r627750_rule + - V-230529 -- name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." +- name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." block: - - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" + - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" command: grep -s logout /etc/dconf/db/local.d/* changed_when: false failed_when: false register: rhel_08_040171_logout_settings_status - - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Add if missing" + - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Add if missing" lineinfile: path: /etc/dconf/db/local.d/00-disable-CAD regexp: "{{ item.regexp }}" 
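Review bot: The added condition on the telnet-server task is written `- - "'telnet-server' in ansible_facts.packages"`, which nests the test as a one-element list inside `when` instead of a string like the `rsh-server` task just below it; depending on the Ansible version that is either rejected as an invalid conditional or treated as an always-true value, so the guard does nothing. Change it to `- "'telnet-server' in ansible_facts.packages"`. All of these new `ansible_facts.packages` guards also presume a `package_facts` task ran earlier in the play — that is not visible in this file, and without it every guarded task fails on an undefined variable, so a comment at the top of the file naming where the fact is gathered would be worthwhile.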
@@ -355,7 +399,7 @@ - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' } when: rhel_08_040171_logout_settings_status.stdout | length == 0 - - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" + - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" replace: path: "{{ rhel_08_040171_logout_settings_status.stdout }}" regexp: '^[L|l]ogout=.*' @@ -363,10 +407,16 @@ when: rhel_08_040171_logout_settings_status.stdout | length > 0 when: - rhel_08_040171 + - "'gnome-desktop' in ansible_facts.packages" tags: - RHEL-08-040171 - -- name: "HIGH | RHEL-08-040172 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled." + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230530r646883_rule + - V-230530 + +- name: "RHEL-08-040172 | HIGH | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled." lineinfile: path: /etc/systemd/system.conf regexp: '^CtrlAltDelBurstAction=|^#CtrlAltDelBurstAction=' 
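Review bot: The `Edit if exists` task uses `path: "{{ rhel_08_040171_logout_settings_status.stdout }}"`, but the stdout of `grep -s logout /etc/dconf/db/local.d/*` in the preceding hunk is not a path: with more than one file in the glob grep prints `file:line`, and with exactly one file it prints only the matching line, so `replace` fails with a non-existent path in both cases and the control is never applied on hosts that already have a `logout=` key. Change the check to `command: grep -ls logout /etc/dconf/db/local.d/*` so stdout is the file name; if several files can match, loop over `stdout_lines` rather than passing the whole output as one path. The regexp `'^[L|l]ogout=.*'` also treats `|` as a literal character inside the class; `'^[Ll]ogout=.*'` is what was intended.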
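Review bot: The new guard `"'gnome-desktop' in ansible_facts.packages"` on RHEL-08-040171 is keyed on a package name I do not believe exists on RHEL 8, where the GNOME desktop library package is `gnome-desktop3`; if so, this condition is never true and the control is silently skipped on every GUI host. Verify with `rpm -qa 'gnome-desktop*'` on a workstation build and change the guard to `"'gnome-desktop3' in ansible_facts.packages"` (or key it on `gdm`, which is what actually makes the GNOME key binding reachable), and add a comment recording which package the guard is meant to detect.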
@@ -376,33 +426,44 @@ - rhel_08_040172 tags: - RHEL-08-040172 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230531r627750_rule + - V-230531 -- name: "HIGH | RHEL-08-040190 | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." +- name: "RHEL-08-040190 | HIGH | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." dnf: name: tftp-server state: absent when: - rhel_08_040190 + - "'tftp-server' in ansible_facts.packages" - not rhel8stig_tftp_required tags: - RHEL-08-040190 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230533r627750_rule + - V-230533 - tftp -- name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system." +- name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system." block: - - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0" + - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0" shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false failed_when: false register: rhel_08_040200_nonroot_uid - - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0" + - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. 
| Lock non-root account with UID of 0" command: "passwd -l {{ item }}" with_items: - "{{ rhel_08_040200_nonroot_uid.stdout_lines }}" when: rhel_08_040200_nonroot_uid.stdout | length > 0 - - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked" + - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked" debug: msg: - "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user" @@ -413,14 +474,25 @@ - rhel8stig_disruption_high tags: - RHEL-08-040200 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230534r627750_rule + - V-230534 - disruption_high -- name: "HIGH | RHEL-08-040360 | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." +- name: "RHEL-08-040360 | HIGH | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." dnf: name: vsftpd state: absent when: - rhel_08_040360 + - "'vsftpd' in ansible_facts.packages" tags: - RHEL-08-040360 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230558r627750_rule + - V-230558 - ftp From 44936d683d3fc1793f10a32104f41a51ca4acb6d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 9 Aug 2021 13:52:30 -0400 Subject: [PATCH 017/110] Updated fix-cat3.yml to be 1.2 compliant with new tags Signed-off-by: George Nalen --- tasks/fix-cat3.yml | 1119 +++++++++++++++++++++++++------------------- 1 file changed, 626 insertions(+), 493 deletions(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 097e5979..d1aa4943 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
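Review bot: `passwd -l {{ item }}` only locks the password hash of the extra UID-0 accounts found by the awk task; each account keeps UID 0 and remains reachable through any non-password path (an SSH authorized_keys entry, `su`/`sudo` from another account, PAM stacks that do not consult the shadow entry), so the control's intent — that root is the only account with unrestricted access — is not met and the "accounts were locked" warning overstates what was done. Since this task is already behind `rhel8stig_disruption_high`, consider also removing the login shell (`command: "usermod -L -s /sbin/nologin {{ item }}"`) and, more importantly, rewording the WARNING to say the accounts still hold UID 0 and must be re-numbered or deleted by an administrator. Minor points: `cat /etc/passwd | awk -F: ...` can simply be `awk -F: '...' /etc/passwd`, and the `END {exit i}` return code is thrown away by `failed_when: false`, so it carries no information. The block's `when`/`tags` trailer continues in the next hunk.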
@@ -6,498 +6,631 @@ - rhel_08_010171 tags: - RHEL-08-010171 + - CAT3 + - CCI-001084 + - SRG-OS-000134-GPOS-00068 + - SV-230241r627750_rule + - V-230241 - policycoreutils -# - name: "LOW | RHEL-08-010292 | PATCH | RHEL 8 must ensure the SSH server uses strong entropy." -# lineinfile: -# path: /etc/sysconfig/sshd -# regexp: '^SSH_USE_STRONG_RNG=|^.*SSH_USE_STRONG_RNG=' -# line: SSH_USE_STRONG_RNG=32 -# notify: restart sshd -# when: -# - rhel_08_010292 -# tags: -# - RHEL-08-010292 -# - sshd - -# - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." -# block: -# - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer if using numbered link files" -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.dmesg_restrict =' -# line: "kernel.dmesg_restrict = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched > 0 -# - rhel8stig_sysctlconf_filename.files[0].islnk - -# - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer no numbered link files" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^kernel.dmesg_restrict =' -# line: "kernel.dmesg_restrict = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched == 0 or -# not rhel8stig_sysctlconf_filename.files[0].islnk -# when: -# - rhel_08_010375 -# tags: -# - RHEL-08-010375 -# - sysctl - -# - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." -# block: -# - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. 
| Set kernel profiling if using numbered link files" -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.perf_event_paranoid =' -# line: 'kernel.perf_event_paranoid = 2' -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched > 0 -# - rhel8stig_sysctlconf_filename.files[0].islnk - -# - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. | Set kernel profiling no numbered link files" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^kernel.perf_event_paranoid =' -# line: 'kernel.perf_event_paranoid = 2' -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched == 0 or -# not rhel8stig_sysctlconf_filename.files[0].islnk -# when: -# - rhel_08_010376 -# tags: -# - RHEL-08-010376 -# - sysctl - -# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8." -# block: -# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Find .conf files" -# find: -# paths: /etc -# recurse: yes -# file_type: any -# depth: 2 -# patterns: -# - yum.conf -# - dnf.conf -# register: rhel_08_010440_package_confs - -# - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Set settings" -# lineinfile: -# path: "{{ item.path }}" -# regexp: '^.*clean_requirements_on_remove' -# line: 'clean_requirements_on_remove=True' -# with_items: -# - "{{ rhel_08_010440_package_confs.files }}" -# when: -# - rhel_08_010440 -# tags: -# - RHEL-08-010440 - -# - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service." 
-# systemd: -# name: rngd.service -# state: started -# enabled: yes -# when: -# - rhel_08_010471 -# tags: -# - RHEL-08-010471 - -# - name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." -# debug: -# msg: "WARNING: /var is not mounted on a separate partition" -# changed_when: -# - rhel8stig_audit_complex -# when: -# - rhel_08_010540 -# - not rhel8stig_system_is_container -# - rhel8stig_complex -# - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0 -# tags: -# - RHEL-08-010540 -# - complexity-high -# - mount -# - var - -# - name: "LOW | RHEL-08-010541 | AUDIT | RHEL 8 must use a separate file system for /var/log." -# debug: -# msg: -# - "WARNING!! /var/log is not mounted on a seperate partition" -# changed_when: -# - rhel8stig_audit_complex -# when: -# - rhel_08_010541 -# - not rhel8stig_system_is_container -# - rhel8stig_complex -# - ansible_mounts | selectattr('mount', 'match', '^/var/log$') | list | length == 0 -# tags: -# - RHEL-08-010541 -# - complexity_high -# - mount -# - auditd - -# - name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." -# debug: -# msg: -# - "WARNING!! /var/log/audit is not mounted on a seperate partition" -# changed_when: -# - rhel8stig_audit_complex -# when: -# - rhel_08_010542 -# - not rhel8stig_system_is_container -# - rhel8stig_complex -# - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0 -# tags: -# - RHEL-08-010542 -# - complexity_high -# - mount -# - auditd - -# - name: "LOW | RHEL-08-020024 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." 
-# lineinfile: -# path: /etc/security/limits.conf -# regexp: '^\* hard maxlogins' -# line: '* hard maxlogins 10' -# insertbefore: '^# End of file' -# create: yes -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_020024 -# tags: -# - RHEL-08-020024 - -# - name: "LOW | RHEL-08-020042 | PATCH | RHEL 8 must prevent users from disabling session control mechanisms." -# lineinfile: -# path: /etc/shells -# regexp: 'tmux' -# state: absent -# when: -# - rhel_08_020042 -# tags: -# - RHEL-08-020042 -# - tmux - -# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon." -# block: -# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Set session required for pam_lastlog.so" -# pamd: -# name: postlogin -# type: session -# control: optional -# new_control: required -# module_path: pam_lastlog.so -# state: updated - -# - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Remove default=1 and optional control" -# pamd: -# name: postlogin -# type: session -# state: args_absent -# control: "{{ item }}" -# module_path: pam_lastlog.so -# module_arguments: silent -# with_items: -# - '[default=1]' -# - required -# when: -# - rhel_08_020340 -# tags: -# - RHEL-08-020340 - -# - name: "LOW | RHEL-08-030063 | PATCH | RHEL 8 must resolve audit information before writing to disk." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^log_format =' -# line: "log_format = ENRICHED" -# notify: restart auditd -# when: -# - rhel_08_030063 -# tags: -# - RHEL-08-030063 -# - auditd - -# - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon." -# block: -# - name: "LOW | RHEL-08-030601 | AUDIT | RHEL 8 must enable auditing of processes that start prior to the audit daemon. 
| Get GRUB_CMDLINE_LINUX settings" -# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' -# changed_when: false -# failed_when: false -# register: rhel8stig_030601_grub_cmdline_linux - -# - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit to 1 as active" -# shell: grubby --update-kernel=ALL --args="audit=1" -# args: -# warn: no - -# - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX=' -# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030601_grub_cmdline_linux.stdout }} audit=1"' -# when: '"audit=" not in rhel8stig_030601_grub_cmdline_linux.stdout' - -# - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if exists" -# replace: -# path: /etc/default/grub -# regexp: 'audit=([^\s|"])+' -# replace: "audit=1" -# when: '"audit=" in rhel8stig_030601_grub_cmdline_linux.stdout' -# when: -# - rhel_08_030601 -# tags: -# - RHEL-08-030601 -# - grub - -# - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon." -# block: -# - name: "LOW | RHEL-08-030602 | AUDIT | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" -# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' -# changed_when: false -# failed_when: false -# register: rhel8stig_030602_grub_cmdline_linux - -# - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. 
| set audit_backlog_limit active" -# shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" -# args: -# warn: no - -# - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if doesn't exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX=' -# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030602_grub_cmdline_linux.stdout }} audit_backlog_limit=8192"' -# when: '"audit_backlog_limit=" not in rhel8stig_030602_grub_cmdline_linux.stdout' - -# - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if exists" -# replace: -# path: /etc/default/grub -# regexp: 'audit_backlog_limit=([^\s|"])+' -# replace: "audit_backlog_limit=8192" -# when: '"audit_backlog_limit=" in rhel8stig_030602_grub_cmdline_linux.stdout' -# when: -# - rhel_08_030602 -# tags: -# - RHEL-08-030602 -# - grub - -# - name: "LOW | RHEL-08-030603 | PATCH | RHEL 8 must enable Linux audit logging for the USBGuard daemon" -# lineinfile: -# path: /etc/usbguard/usbguard-daemon.conf -# regexp: '^AuditBackend=' -# line: "AuditBackend=LinuxAudit" -# create: yes -# owner: root -# group: root -# mode: 0600 -# when: -# - rhel_08_030603 -# tags: -# - RHEL-08-030603 -# - usb - -# - name: "LOW | RHEL-08-030741 | PATCH | RHEL 8 must disable the chrony daemon from acting as a server." -# lineinfile: -# path: /etc/chrony.conf -# regexp: '^port|#port' -# line: "port 0" -# when: -# - rhel_08_030741 -# tags: -# - RHEL-08-030741 -# - chrony - -# - name: "LOW | RHEL-08-030742 | PATCH | RHEL 8 must disable network management of the chrony daemon." 
-# lineinfile: -# path: /etc/chrony.conf -# regexp: '^cmdport|#cmdport' -# line: "cmdport 0" -# when: -# - rhel_08_030742 -# tags: -# - RHEL-08-030742 -# - chrony - -# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." -# block: -# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" -# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel8stig_040004_grub_cmdline_linux - -# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" -# shell: grubby --update-kernel=ALL --args="pti=on" -# args: -# warn: no - -# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti if doesn't exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX=' -# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_040004_grub_cmdline_linux.stdout }} pti=on"' -# when: '"pti=" not in rhel8stig_040004_grub_cmdline_linux.stdout' - -# - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti exists" -# replace: -# path: /etc/default/grub -# regexp: 'pti=([^\s|"])+' -# replace: "pti=on" -# when: '"pti=" in rhel8stig_040004_grub_cmdline_linux.stdout' -# when: -# - rhel_08_040004 -# tags: -# - RHEL-08-040004 -# - grub - -# - name: "LOW | RHEL-08-040021 | PATCH | RHEL 8 must disable the asynchronous transfer mode (ATM) protocol." 
-# lineinfile: -# path: /etc/modprobe.d/blacklist.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: reboot system -# with_items: -# - { regexp: '^install ATM', line: 'install ATM /bin/true', insertafter: 'EOF' } -# - { regexp: '^blacklist ATM', line: 'blacklist ATM', insertafter: '^install ATM /bin/true' } -# when: -# - rhel_08_040021 -# tags: -# - RHEL-08-040021 -# - modprobe -# - atm - -# - name: "LOW | RHEL-08-040022 | PATCH | RHEL 8 must disable the controller area network (CAN) protocol." -# lineinfile: -# path: /etc/modprobe.d/blacklist.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: reboot system -# with_items: -# - { regexp: '^install CAN', line: 'install CAN /bin/true', insertafter: 'EOF' } -# - { regexp: 'blacklist CAN', line: 'blacklist CAN', insertafter: '^install CAN /bin/true' } -# when: -# - rhel_08_040022 -# tags: -# - RHEL-08-040022 -# - modprobe -# - can - -# - name: "LOW | RHEL-08-040023 | PATCH | RHEL 8 must disable the stream control transmission (SCTP) protocol." -# lineinfile: -# path: /etc/modprobe.d/blacklist.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: reboot system -# with_items: -# - { regexp: '^install SCTP', line: 'install SCTP /bin/true', insertafter: 'EOF' } -# - { regexp: '^blacklist SCTP', line: 'blacklist SCTP', insertafter: '^install SCTP' } -# when: -# - rhel_08_040023 -# tags: -# - RHEL-08-040023 -# - modprobe -# - sctp - -# - name: "LOW | RHEL-08-040024 | PATCH | RHEL 8 must disable the transparent inter-process communication (TIPC) protocol." 
-# lineinfile: -# path: /etc/modprobe.d/blacklist.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: reboot system -# with_items: -# - { regexp: '^install TIPC', line: 'install TIPC /bin/true', insertafter: 'EOF' } -# - { regexp: '^blacklist TIPC', line: 'blacklist TIPC', insertafter: '^install TIPC' } -# when: -# - rhel_08_040024 -# tags: -# - RHEL-08-040024 -# - modprobe -# - tipc - -# - name: "LOW | RHEL-08-040025 | PATCH | RHEL 8 must disable mounting of cramfs." -# lineinfile: -# path: /etc/modprobe.d/blacklist.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: reboot system -# with_items: -# - { regexp: '^install cramfs', line: 'install cramfs /bin/true', insertafter: 'EOF' } -# - { regexp: 'blacklist cramfs', line: 'blacklist cramfs', insertafter: '^install cramfs' } -# when: -# - rhel_08_040025 -# tags: -# - RHEL-08-040025 -# - modprobe -# - cramfs - -# - name: "LOW | RHEL-08-040026 | PATCH | RHEL 8 must disable IEEE 1394 (FireWire) Support." -# lineinfile: -# path: /etc/modprobe.d/blacklist.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: reboot system -# with_items: -# - { regexp: '^install firewire-core', line: 'install firewire-core /bin/true', insertafter: 'EOF' } -# - { regexp: '^blacklist firewire-core', line: 'blacklist firewire-core', insertafter: '^install firewire-core' } -# when: -# - rhel_08_040026 -# tags: -# - RHEL-08-040026 -# - modprobe -# - firewire - -# - name: | -# "LOW | RHEL-08-040300 | PATCH | The RHEL 8 file integrity tool must be configured to verify extended attributes." 
-# "LOW | RHEL-08-040310 | PATCH | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)." -# template: -# src: aide.conf.j2 -# dest: /etc/aide.conf -# owner: root -# group: root -# mode: '0600' -# when: -# - rhel_08_040300 -# - rhel_08_040310 -# tags: -# - RHEL-08-040300 -# - RHEL-08-040310 -# - aide +- name: "LOW | RHEL-08-010292 | PATCH | RHEL 8 must ensure the SSH server uses strong entropy." + lineinfile: + path: /etc/sysconfig/sshd + regexp: '^SSH_USE_STRONG_RNG=|^.*SSH_USE_STRONG_RNG=' + line: SSH_USE_STRONG_RNG=32 + notify: restart sshd + when: + - rhel_08_010292 + tags: + - RHEL-08-010292 + - CAT3 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230253r627750_rule + - V-230253 + - sshd + +- name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." + block: + - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.dmesg_restrict =' + line: "kernel.dmesg_restrict = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk + + - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Set kernel message buffer no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.dmesg_restrict =' + line: "kernel.dmesg_restrict = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010375 + tags: + - RHEL-08-010375 + - CAT3 + - CCI-001090 + - SRG-OS-000138-GPOS-00069 + - SV-230269r627750_rule + - V-230269 + - sysctl + +- name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." 
+ block: + - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. | Set kernel profiling if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.perf_event_paranoid =' + line: 'kernel.perf_event_paranoid = 2' + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk + + - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. | Set kernel profiling no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.perf_event_paranoid =' + line: 'kernel.perf_event_paranoid = 2' + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010376 + tags: + - RHEL-08-010376 + - CAT3 + - CCI-001090 + - SRG-OS-000138-GPOS-00069 + - SV-230270r627750_rule + - V-230270 + - sysctl + +- name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8." + block: + - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Find .conf files" + find: + paths: /etc + recurse: yes + file_type: any + depth: 2 + patterns: + - yum.conf + - dnf.conf + register: rhel_08_010440_package_confs + + - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. 
| Set settings" + lineinfile: + path: "{{ item.path }}" + regexp: '^.*clean_requirements_on_remove' + line: 'clean_requirements_on_remove=True' + with_items: + - "{{ rhel_08_010440_package_confs.files }}" + when: + - rhel_08_010440 + tags: + - RHEL-08-010440 + - CAT3 + - CCI-002617 + - SRG-OS-000437-GPOS-00194 + - SV-230281r627750_rule + - V-230281 + +- name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service." + systemd: + name: rngd.service + state: started + enabled: yes + when: + - rhel_08_010471 + tags: + - RHEL-08-010471 + - CAT3 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230285r627750_rule + - V-230285 + +- name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." + debug: + msg: "WARNING: /var is not mounted on a separate partition" + changed_when: + - rhel8stig_audit_complex + when: + - rhel_08_010540 + - not rhel8stig_system_is_container + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0 + tags: + - RHEL-08-010540 + - CAT3 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230292r627750_rule + - V-230292 + - complexity-high + - mount + - var + +- name: "LOW | RHEL-08-010541 | AUDIT | RHEL 8 must use a separate file system for /var/log." + debug: + msg: + - "WARNING!! /var/log is not mounted on a seperate partition" + changed_when: + - rhel8stig_audit_complex + when: + - rhel_08_010541 + - not rhel8stig_system_is_container + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/var/log$') | list | length == 0 + tags: + - RHEL-08-010541 + - CAT3 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230293r627750_rule + - V-230293 + - complexity_high + - mount + - auditd + +- name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." + debug: + msg: + - "WARNING!! 
/var/log/audit is not mounted on a seperate partition" + changed_when: + - rhel8stig_audit_complex + when: + - rhel_08_010542 + - not rhel8stig_system_is_container + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0 + tags: + - RHEL-08-010542 + - CAT3 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230294r627750_rule + - V-230294 + - complexity_high + - mount + - auditd + +- name: "LOW | RHEL-08-020024 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." + lineinfile: + path: /etc/security/limits.conf + regexp: '^\* hard maxlogins' + line: '* hard maxlogins 10' + insertbefore: '^# End of file' + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel_08_020024 + tags: + - RHEL-08-020024 + - CAT3 + - CCI-000054 + - SRG-OS-000027-GPOS-00008 + - SV-230346r627750_rule + - V-230346 + +- name: "LOW | RHEL-08-020042 | PATCH | RHEL 8 must prevent users from disabling session control mechanisms." + lineinfile: + path: /etc/shells + regexp: 'tmux' + state: absent + when: + - rhel_08_020042 + tags: + - RHEL-08-020042 + - CAT3 + - CCI-000056 + - SRG-OS-000028-GPOS-00009 + - SV-230350r627750_rule + - V-230350 + - tmux + +- name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon." + block: + - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Set session required for pam_lastlog.so" + pamd: + name: postlogin + type: session + control: optional + new_control: required + module_path: pam_lastlog.so + state: updated + + - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. 
| Remove default=1 and optional control" + pamd: + name: postlogin + type: session + state: args_absent + control: "{{ item }}" + module_path: pam_lastlog.so + module_arguments: silent + with_items: + - '[default=1]' + - required + when: + - rhel_08_020340 + tags: + - RHEL-08-020340 + - CAT3 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230381r627750_rule + - V-230381 + +- name: "LOW | RHEL-08-030063 | PATCH | RHEL 8 must resolve audit information before writing to disk." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^log_format =' + line: "log_format = ENRICHED" + notify: restart auditd + when: + - rhel_08_030063 + tags: + - RHEL-08-030063 + - CAT3 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230395r627750_rule + - V-230395 + - auditd + +- name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon." + block: + - name: "LOW | RHEL-08-030601 | AUDIT | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + register: rhel8stig_030601_grub_cmdline_linux + + - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit to 1 as active" + shell: grubby --update-kernel=ALL --args="audit=1" + args: + warn: no + + - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030601_grub_cmdline_linux.stdout }} audit=1"' + when: '"audit=" not in rhel8stig_030601_grub_cmdline_linux.stdout' + + - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. 
| Set audit=1 for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'audit=([^\s|"])+' + replace: "audit=1" + when: '"audit=" in rhel8stig_030601_grub_cmdline_linux.stdout' + when: + - rhel_08_030601 + tags: + - RHEL-08-030601 + - CAT3 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230468r627750_rule + - V-230468 + - grub + +- name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon." + block: + - name: "LOW | RHEL-08-030602 | AUDIT | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + register: rhel8stig_030602_grub_cmdline_linux + + - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" + shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + args: + warn: no + + - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030602_grub_cmdline_linux.stdout }} audit_backlog_limit=8192"' + when: '"audit_backlog_limit=" not in rhel8stig_030602_grub_cmdline_linux.stdout' + + - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. 
| Set audit audit_backlog_limit for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'audit_backlog_limit=([^\s|"])+' + replace: "audit_backlog_limit=8192" + when: '"audit_backlog_limit=" in rhel8stig_030602_grub_cmdline_linux.stdout' + when: + - rhel_08_030602 + tags: + - RHEL-08-030602 + - CAT3 + - CCI-001849 + - SV-230469r627750_rule + - V-230469 + - grub + +- name: "LOW | RHEL-08-030603 | PATCH | RHEL 8 must enable Linux audit logging for the USBGuard daemon" + lineinfile: + path: /etc/usbguard/usbguard-daemon.conf + regexp: '^AuditBackend=' + line: "AuditBackend=LinuxAudit" + create: yes + owner: root + group: root + mode: 0600 + when: + - rhel_08_030603 + tags: + - RHEL-08-030603 + - CAT3 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230470r627750_rule + - V-230470 + - usb + +- name: "LOW | RHEL-08-030741 | PATCH | RHEL 8 must disable the chrony daemon from acting as a server." + lineinfile: + path: /etc/chrony.conf + regexp: '^port|#port' + line: "port 0" + when: + - rhel_08_030741 + tags: + - RHEL-08-030741 + - CAT3 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230485r627750_rule + - V-230485 + - chrony + +- name: "LOW | RHEL-08-030742 | PATCH | RHEL 8 must disable network management of the chrony daemon." + lineinfile: + path: /etc/chrony.conf + regexp: '^cmdport|#cmdport' + line: "cmdport 0" + when: + - rhel_08_030742 + tags: + - RHEL-08-030742 + - CAT3 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230486r627750_rule + - V-230486 + - chrony + +- name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." + block: + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. 
| Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_040004_grub_cmdline_linux + + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" + shell: grubby --update-kernel=ALL --args="pti=on" + args: + warn: no + + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_040004_grub_cmdline_linux.stdout }} pti=on"' + when: '"pti=" not in rhel8stig_040004_grub_cmdline_linux.stdout' + + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti exists" + replace: + path: /etc/default/grub + regexp: 'pti=([^\s|"])+' + replace: "pti=on" + when: '"pti=" in rhel8stig_040004_grub_cmdline_linux.stdout' + when: + - rhel_08_040004 + tags: + - RHEL-08-040004 + - CAT3 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230491r627750_rule + - V-230491 + - grub + +- name: "LOW | RHEL-08-040021 | PATCH | RHEL 8 must disable the asynchronous transfer mode (ATM) protocol." 
+ lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + with_items: + - { regexp: '^install ATM', line: 'install ATM /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist ATM', line: 'blacklist ATM', insertafter: '^install ATM /bin/true' } + when: + - rhel_08_040021 + tags: + - RHEL-08-040021 + - CAT3 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230494r627750_rule + - V-230494 + - modprobe + - atm + +- name: "LOW | RHEL-08-040022 | PATCH | RHEL 8 must disable the controller area network (CAN) protocol." + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + with_items: + - { regexp: '^install CAN', line: 'install CAN /bin/true', insertafter: 'EOF' } + - { regexp: 'blacklist CAN', line: 'blacklist CAN', insertafter: '^install CAN /bin/true' } + when: + - rhel_08_040022 + tags: + - RHEL-08-040022 + - CAT3 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230495r627750_rule + - V-230495 + - modprobe + - can + +- name: "LOW | RHEL-08-040023 | PATCH | RHEL 8 must disable the stream control transmission (SCTP) protocol." 
+ lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + with_items: + - { regexp: '^install SCTP', line: 'install SCTP /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist SCTP', line: 'blacklist SCTP', insertafter: '^install SCTP' } + when: + - rhel_08_040023 + tags: + - RHEL-08-040023 + - CAT3 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230496r627750_rule + - V-230496 + - modprobe + - sctp + +- name: "LOW | RHEL-08-040024 | PATCH | RHEL 8 must disable the transparent inter-process communication (TIPC) protocol." + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + with_items: + - { regexp: '^install TIPC', line: 'install TIPC /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist TIPC', line: 'blacklist TIPC', insertafter: '^install TIPC' } + when: + - rhel_08_040024 + tags: + - RHEL-08-040024 + - CAT3 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230497r627750_rule + - V-230497 + - modprobe + - tipc + +- name: "LOW | RHEL-08-040025 | PATCH | RHEL 8 must disable mounting of cramfs." 
+ lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + with_items: + - { regexp: '^install cramfs', line: 'install cramfs /bin/true', insertafter: 'EOF' } + - { regexp: 'blacklist cramfs', line: 'blacklist cramfs', insertafter: '^install cramfs' } + when: + - rhel_08_040025 + tags: + - RHEL-08-040025 + - CAT3 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230498r627750_rule + - V-230498 + - modprobe + - cramfs + +- name: "LOW | RHEL-08-040026 | PATCH | RHEL 8 must disable IEEE 1394 (FireWire) Support." + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + with_items: + - { regexp: '^install firewire-core', line: 'install firewire-core /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist firewire-core', line: 'blacklist firewire-core', insertafter: '^install firewire-core' } + when: + - rhel_08_040026 + tags: + - RHEL-08-040026 + - CAT3 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230499r627750_rule + - V-230499 + - modprobe + - firewire + +- name: | + "LOW | RHEL-08-040300 | PATCH | The RHEL 8 file integrity tool must be configured to verify extended attributes." + "LOW | RHEL-08-040310 | PATCH | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)." + template: + src: aide.conf.j2 + dest: /etc/aide.conf + owner: root + group: root + mode: '0600' + when: + - rhel_08_040300 + - rhel_08_040310 + tags: + - CAT3 + - RHEL-08-040300 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230551r627750_rule + - V-230551 + - RHEL-08-040310 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230552r627750_rule + - V-230552 + - aide 
From 5e51a7f17e0118cb1d2e719f8cd94b4a713eedb2 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 9 Aug 2021 14:03:15 -0400 Subject: [PATCH 018/110] Updated fix-cat1 adn fix-cat3 for linting Signed-off-by: George Nalen --- tasks/fix-cat1.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 48bd0e43..37ee395e 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -22,14 +22,14 @@ state: present notify: rebuild initramfs when: - - not ansible_fips + - not ansible_fips - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" command: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 when: - - not ansible_fips + - not ansible_fips - name: "RHEL-08-010020 | HIGH | AUDIT | Check if prelink package is installed" command: rpm -q prelink @@ -190,7 +190,7 @@ path: /etc/dnf/dnf.conf regexp: '^gpgcheck=' line: gpgcheck=1 - + - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos" find: paths: /etc/yum.repos.d @@ -415,7 +415,7 @@ - SRG-OS-000480-GPOS-00227 - SV-230530r646883_rule - V-230530 - + - name: "RHEL-08-040172 | HIGH | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled." lineinfile: path: /etc/systemd/system.conf 
From 560010fab86d4f1f16b17ff89b1c755b7c2d8ac7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Aug 2021 13:48:30 +0100 Subject: [PATCH 019/110] Added new audit vars to files Signed-off-by: Mark Bolwell --- defaults/main.yml | 11 ++++++++--- templates/ansible_vars_goss.yml.j2 | 11 +++++++---- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9df54c0b..87a8557e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -60,6 +60,11 @@ audit_content: git # enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 30000 + ### End Goss enablements #### #### Detailed settings found at the end of this document #### @@ -775,13 +780,13 @@ audit_local_copy: "some path to copy from" # get_url: audit_files_url: "some url maybe s3?" -# Where the goss audit configuration will be stored -audit_files: "/var/tmp/{{ benchmark }}-Audit/" - ## Goss configuration information # Where the goss configs and outputs are stored audit_out_dir: '/var/tmp' +# Where the goss audit configuration will be stored audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" + +# If changed these can affect other products pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 18370471..1948b59e 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
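Review bot: The new `audit_cmd_timeout: 30000` in the first defaults/main.yml hunk has no unit in its comment, while the template changed in this same commit binds it to `timeout_ms`, so a reader of defaults/main.yml cannot tell whether 30000 is seconds or milliseconds; suggest `# Timeout in milliseconds for those cmds that take longer to run (rendered into the goss vars as timeout_ms)`. The comment above `audit_run_heavy_tests` says the same thing twice ("can have more impact ... can have greater impact"); `# Run heavy tests - some tests scan every filesystem or otherwise have a greater impact on the system` covers it once. Note also that the value previously hard-coded in the template was 20000, so this commit raises the effective timeout to 30000 even though the subject line only says new vars were added; that is worth a sentence in the commit message.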
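Review bot: `audit_files` is removed outright in the second defaults/main.yml hunk, with `audit_conf_dir` inheriting its comment and the same `{{ benchmark }}-Audit/` layout; any task or template still referring to `audit_files` (its callers are not visible from this hunk) will now stop with an undefined variable. If anything outside the role consumed it, a one-line alias `audit_files: "{{ audit_conf_dir }}"` kept for a release would make the rename non-breaking. The new comment `# If changed these can affect other products` does not say which products or what depends on these names; naming the consumer, or pointing at where the output file names are expected, would make it actionable.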
@@ -10,15 +10,18 @@ rhel8stig_os_distribution: {{ ansible_distribution | lower }} rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' -%}false{% else -%}true{% endif -%} +# Some tests may need to scan every filesystem or have an impact on a system +# these may need be scheduled to minimise impact also ability to set a timeout if taking too long +run_heavy_tests: {{ audit_run_heavy_tests }} +timeout_ms: {{ audit_cmd_timeout }} + +### Remediation Settings + # turn the categories on/off rhel8stig_cat1: {{ rhel8stig_cat1_patch }} rhel8stig_cat2: {{ rhel8stig_cat2_patch }} rhel8stig_cat3: {{ rhel8stig_cat3_patch }} -# Some tests may need to scan every filesystem or have an impact on a system -# these may need be scheduled to minimise impact -run_heavy_tests: true -timeout_ms: 20000 # If using the supplied graphical interface rhel8stig_gui: false From 4213147dfb44409540d976696f04868a6676e559 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Aug 2021 17:15:35 +0100 Subject: [PATCH 020/110] Added tag to prelim Signed-off-by: Mark Bolwell --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index 397cfc8f..d741078b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -54,6 +54,7 @@ become: yes tags: - prelim_tasks + - run_audit - import_tasks: pre_remediation_audit.yml when: From 54bec5340ca4b380e946d75216ca5b52550328d6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Aug 2021 17:15:55 +0100 Subject: [PATCH 021/110] moved bootloader check to prelim Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 37 --------------------------------- tasks/prelim.yml | 37 +++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 37 deletions(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index f6c997e8..1e05b74d 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
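Review bot: The comment block moved above `run_heavy_tests` in templates/ansible_vars_goss.yml.j2 keeps its grammar slips ("may need be scheduled", "minimise impact also ability to set a timeout"); suggest `# Some tests scan every filesystem or otherwise have a greater impact on the system; they may need to be scheduled to minimise impact, and timeout_ms caps how long such a command may run`. Since both values are now rendered from `audit_run_heavy_tests` and `audit_cmd_timeout`, saying so in the comment tells a reader of the rendered file where to change them. Separately, the unchanged `rhel8stig_os_version_pre_8_2` line just above compares `ansible_distribution_version >= '8.2'` as plain strings, which would misorder a future two-digit minor such as 8.10; not introduced here, but a follow-up using Ansible's `version` test would make it robust.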
@@ -67,43 +67,6 @@ when: - run_audit -- name: "Check whether machine is UEFI-based" - stat: - path: /sys/firmware/efi - register: rhel8_efi_boot - tags: - - goss_template - -- name: set bootloader type - block: - - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" - set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} - rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path - - - name: "PRELIM | set fact if UEFI boot | CentOS " - set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/centos - rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - ansible_distribution == 'CentOS' - - - name: "PRELIM | set if not UEFI boot" - set_fact: - rhel8stig_bootloader_path: /boot/grub2/ - rhel8stig_legacy_boot: true - when: not rhel8_efi_boot.stat.exists - - - name: output bootloader and efi state - debug: - msg: - - "bootloader path set to {{ rhel8stig_bootloader_path }}" - - "legacy boot equals {{ rhel8stig_legacy_boot }}" - - name: Copy ansible default vars values to test audit template: src: ansible_vars_goss.yml.j2 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 154e6988..4e32340f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -369,3 +369,40 @@ manager: auto tags: - always + +- name: "PRELIM | Check whether machine is UEFI-based" + stat: + path: /sys/firmware/efi + register: rhel8_efi_boot + tags: + - goss_template + +- name: PRELIM | set bootloader type + block: + - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" + set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/redhat + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path + + - name: "PRELIM | set fact if UEFI boot | CentOS " + set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/centos + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + - ansible_distribution == 'CentOS' + + - name: "PRELIM | set if not UEFI boot" + set_fact: + rhel8stig_bootloader_path: /boot/grub2/ + rhel8stig_legacy_boot: true + when: not rhel8_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + debug: + msg: + - "bootloader path set to {{ rhel8stig_bootloader_path }}" + - "legacy boot equals {{ rhel8stig_legacy_boot }}" From ec7287c2c147f56f1fd11df286f4165d5ff0d2a4 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 10 Aug 2021 13:29:51 -0400 Subject: [PATCH 022/110] Updated cat2 1-2 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 10845 ++++++++++++++++++++++--------------------- 1 file changed, 5428 insertions(+), 5417 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 59595d09..797f4b94 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1,4 +1,5 @@ --- + - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." dnf: name: "*" 
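Review bot: The block moved into tasks/prelim.yml changes behaviour rather than only moving: the non-CentOS UEFI path was `/boot/efi/EFI/{{ ansible_distribution | lower }}` in the copy removed from pre_remediation_audit.yml and is now the fixed `/boot/efi/EFI/redhat`, while the commit subject only says the check was moved. That matches the inline note for RHEL and OEL, but every other distribution that is not CentOS now also receives the redhat path; if that is intended, state it in the commit message and the task name, otherwise keep the templated form. Only the `stat` task carries `tags: - goss_template` and the `set_fact` block has no tags, so a tag-filtered run that executes the stat but skips the block leaves `rhel8stig_bootloader_path` and `rhel8stig_legacy_boot` undefined for any later consumer (not visible from here); giving the block the same tag, or `- always` like the task immediately above it, keeps the two together. Minor: `- name: PRELIM | set bootloader type` is unquoted while its sibling names are quoted; quoting it consistently, `- name: "PRELIM | set bootloader type"`, matches the rest of the file.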
@@ -8,6 +9,11 @@ - rhel_08_010010 tags: - RHEL-08-010010 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230222r627750_rule + - V-230222 - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." block: 
@@ -27,5423 +33,5428 @@ when: rhel_08_010030 tags: - RHEL-08-010030 - -- name: | - "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." - "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" - block: - - name: | - "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" - "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?Banner' - line: 'Banner /etc/issue' - - - name: | - "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" - "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" - copy: - dest: "{{ item }}" - content: "{{ rhel8stig_logon_banner }}" - owner: root - group: root - mode: '0644' - notify: restart sshd - with_items: - - /etc/issue - - /etc/issue.net - when: - # - not system_is_ec2 - - rhel_08_010040 or - rhel_08_010060 - tags: - - RHEL-08-010040 - - RHEL-08-010060 - -- name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." 
- copy: - dest: /etc/dconf/db/local.d/01-banner-message - content: | - [org/gnome/login-screen] - banner-message-enable=true - banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' - mode: '0644' - owner: root - group: root - vars: - newline: "\n" - notify: dconf update - when: - - rhel_08_010050 - - "'dconf' in ansible_facts.packages" - - rhel8stig_always_configure_dconf + - CAT2 + - CCI-001199 + - SRG-OS-000185-GPOS-00079 + - SV-230224r627750_rule + - V-230224 + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" +# block: +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^#?Banner' +# line: 'Banner /etc/issue' + +# - name: | +# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" +# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. 
| Set banner message"" +# copy: +# dest: "{{ item }}" +# content: "{{ rhel8stig_logon_banner }}" +# owner: root +# group: root +# mode: '0644' +# notify: restart sshd +# with_items: +# - /etc/issue +# - /etc/issue.net +# when: +# # - not system_is_ec2 +# - rhel_08_010040 or +# rhel_08_010060 +# tags: +# - RHEL-08-010040 +# - RHEL-08-010060 + +# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." +# copy: +# dest: /etc/dconf/db/local.d/01-banner-message +# content: | +# [org/gnome/login-screen] +# banner-message-enable=true +# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' +# mode: '0644' +# owner: root +# group: root +# vars: +# newline: "\n" +# notify: dconf update +# when: +# - rhel_08_010050 +# - "'dconf' in ansible_facts.packages" +# - rhel8stig_always_configure_dconf - tags: - - RHEL-08-010050 - -- name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - lineinfile: - path: /etc/rsyslog.d/50-default.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - create: yes - mode: '0644' - notify: restart rsyslog - with_items: - - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } - - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } - when: - - rhel_08_010070 - tags: - - RHEL-08-010070 - -# This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. -- name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." 
- block: - - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" - command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem - changed_when: false - failed_when: false - register: rhel_08_010090_certs_list - - - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" - debug: - msg: - - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" - - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" - - "{{ rhel_08_010090_certs_list.stdout_lines }}" - when: - - rhel_08_010090 - tags: - - RHEL-08-010090 - -- name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." - block: - - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" - file: - path: "{{ rhel8stig_path_to_sshkey }}" - state: directory - mode: '0700' - - - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" - openssh_keypair: - path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" - when: - - rhel_08_010100 - tags: - - RHEL-08-010100 - -- name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." 
- lineinfile: - path: /etc/login.defs - regexp: '^ENCRYPT_METHOD.*' - line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" - when: - - rhel_08_010110 - tags: - - RHEL-08-010110 - - login - -- name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." - block: - - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" - command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' - changed_when: false - failed_when: false - register: rhel_08_010120_non_fips_hashed_accounts - - - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" - command: "passwd -l {{ item }}" - args: - warn: no - with_items: - - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" - when: - - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 - - - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" - debug: - msg: - - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" - - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" - when: - - not rhel8stig_disruption_high - - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 - when: - - rhel_08_010120 - - rhel8stig_disruption_high - tags: - - RHEL-08-010120 - - disruption_high - -- name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. 
| Add rounds argument" - pamd: - name: "{{ item }}" - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" - state: args_present - with_items: - - password-auth - - system-auth - when: - - rhel_08_010130 - tags: - - RHEL-08-010130 - -- name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." - lineinfile: - path: /usr/lib/systemd/system/rescue.service - regexp: '^ExecStart=' - line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" - create: yes - owner: root - group: root - mode: 0644 - - when: - - rhel_08_010151 - tags: - - RHEL-08-010151 - - systemd - -- name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument" - pamd: - name: "{{ item }}" - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: sha512 - state: args_present - with_items: - - password-auth - - system-auth - when: - - rhel_08_010160 - tags: - - RHEL-08-010160 - -- name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." - block: - - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" - find: - path: / - patterns: '*.keytab' - recurse: yes - register: rhel8stig_010161_keytab_files - - - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. 
| Remove .keytab files" - file: - path: "{{ item.path }}" - state: absent - with_items: - - "{{ rhel8stig_010161_keytab_files.files }}" - when: rhel8stig_010161_keytab_files.matched > 0 - when: - - rhel_08_010161 - tags: - - RHEL-08-010161 - - kerberos - -- name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8." - dnf: - name: krb5-workstation - state: absent - when: - - rhel_08_010162 - tags: - - RHEL-08-010162 - - kerberos - -- name: | - "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services." - "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." - selinux: - state: enforcing - policy: targeted - check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" - notify: reboot system - when: - - rhel_08_010170 or rhel_08_010450 - - not rhel8stig_system_is_container - - rhel8stig_disruption_high - tags: - - RHEL-08-010170 - - RHEL-08-010450 - - selinux - - disruption_high - -- name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources." - block: - - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root" - shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'" - changed_when: false - failed_when: false - register: rhel_08_010180_public_not_root_owned - - - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. 
| Chown non-root public folders" - file: - path: "{{ item }}" - owner: root - group: root - with_items: - - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}" - when: - - rhel_08_010180 - tags: - - RHEL-08-010180 - -- name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." - block: - - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" - shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" - changed_when: false - failed_when: false - register: rhel_08_010190_world_writable_files - - - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" - file: - path: "{{ item }}" - mode: '1777' - with_items: - - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" - when: - - rhel_08_010190 - tags: - - RHEL-08-010190 - -- name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." 
- lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: restart sshd - with_items: - - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} - - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } - when: - - rhel_08_010200 - - rhel8stig_ssh_required - tags: - - RHEL-08-010200 - - ssh - -- name: | - "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." - "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." - "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." - file: - path: /var/log/messages - owner: root - group: root - mode: '0640' - when: - - rhel_08_010210 or - rhel_08_010220 or - rhel_08_010230 - tags: - - RHEL-08-010210 - - RHEL-08-010220 - - RHEL-08-010230 - -- name: | - "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." - "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." - file: - path: /var/log - owner: root - group: root - mode: '0755' - when: - - rhel_08_010240 or - rhel_08_010250 or - rhel_08_010260 - tags: - - RHEL-08-010240 - - RHEL-08-010250 - - RHEL-08-010260 - -- name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." 
- "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" - block: - - name: | - "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" - "MEDIUM | RHEL-08-010291 | AUDIT | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Get current FIPS mode state" - command: fips-mode-setup --check - changed_when: false - failed_when: false - register: rhel_08_010290_pre_fips_check - - - name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" - "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Enable FIPS" - command: fips-mode-setup --enable - register: rhel_08_010290_fips_enable - notify: reboot system - when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' - - - name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. 
| Add ssh ciphers" - "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Add ssh ciphers" - lineinfile: - path: "{{ item.path }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: reboot system - with_items: - - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } - - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } - when: - - rhel_08_010290 or - rhel_08_010291 - tags: - - RHEL-08-010290 - - RHEL-08-010291 - - fips - -- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." - block: - - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" - command: fips-mode-setup --check - changed_when: false - failed_when: false - register: rhel_08_010293_pre_fips_check - - - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" - command: fips-mode-setup --enable - register: rhel_08_010290_fips_enable - notify: reboot system - when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' - when: - - rhel_08_010293 - tags: - - RHEL-08-010293 - - fips - -- name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." 
- lineinfile: - path: /etc/crypto-policies/back-ends/opensslcnf.config - regexp: '^MinProtocol =' - line: "MinProtocol = TLSv1.2" - notify: reboot system - when: - - rhel_08_010294 - tags: - - RHEL-08-010294 - - openssl - -- name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" - lineinfile: - path: /etc/crypto-policies/back-ends/gnutls.config - regexp: '^(.*\+VERS-ALL:)' - line: '\1{{ rhel8stig_gnutls_encryption }}' - backrefs: true - create: yes - owner: root - group: root - mode: 0640 - notify: reboot system - when: - - rhel_08_010295 - tags: - - RHEL-08-010295 - - gnutls - -- name: | - "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." - "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." - block: - - name: | - "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" - "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" - "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" - shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_010300_commands - - - name: | - "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" - "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" - "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. 
| Set permissions" - file: - path: "{{ item }}" - owner: root - group: root - mode: '0755' - force: yes - with_items: - - "{{ rhel_08_010300_commands.stdout_lines }}" - when: - - rhel_08_010300 or - rhel_08_010310 or - rhel_08_010320 - tags: - - RHEL-08-010300 - - RHEL-08-010310 - - RHEL-08-010320 - -- name: | - "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." - "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root." - block: - - name: | - "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" - "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" - "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" - shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_010330_library_files - - - name: | - "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" - "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" - "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. 
| Get library files not group-owned by root" - file: - path: "{{ item }}" - owner: root - group: root - mode: '0755' - with_items: - - "{{ rhel_08_010330_library_files.stdout_lines }}" - when: - - rhel_08_010330 or - rhel_08_010340 or - rhel_08_010350 - tags: - - RHEL-08-010330 - - RHEL-08-010340 - - RHEL-08-010350 - -- name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." - cron: - name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' - user: "{{ rhel8stig_aide_cron.user }}" - cron_file: "{{ rhel8stig_aide_cron.cron_file }}" - job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" - minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | - ternary('0', omit)) | default(omit) }}" - hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | - ternary('0', omit)) | default(omit) }}" - weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['weekly']) | - ternary('0', omit)) | default(omit) }}" - day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['monthly']) | - ternary('1', omit)) | default(omit) }}" - special_time: "{{ (rhel8stig_cron_special_disable and - rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | - ternary(omit, rhel8stig_aide_cron.special_time) }}" - when: - - rhel_08_010360 - - rhel8stig_disruption_high - tags: - - RHEL-08-010360 - - aide - -- name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 
must prevent the loading of a new kernel for later execution." - block: - - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.kexec_load_disabled =' - line: "kernel.kexec_load_disabled = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^kernel.kexec_load_disabled =' - line: "kernel.kexec_load_disabled = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010372 - tags: - - RHEL-08-010372 - - sysctl - -- name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." - block: - - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^fs.protected_symlinks =' - line: "fs.protected_symlinks = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. 
| Set protected symlinks if no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^fs.protected_symlinks =' - line: "fs.protected_symlinks = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010373 - tags: - - RHEL-08-010373 - - sysctl - -- name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." - block: - - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^fs.protected_hardlinks =' - line: "fs.protected_hardlinks = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^fs.protected_hardlinks =' - line: "fs.protected_hardlinks = 1" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010374 - tags: - - RHEL-08-010374 - - sysctl - -- name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." - replace: - path: "{{ item }}" - regexp: '^([^#].*)NOPASSWD(.*)' - replace: '\1PASSWD\2' - with_items: - - "{{ rhel8stig_sudoers_files.stdout_lines }}" - when: - - rhel_08_010380 - - rhel8stig_using_password_auth - tags: - - RHEL-08-010380 - - sudoers - -- name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." 
- replace: - path: "{{ item }}" - regexp: '^([^#].*)!authenticate(.*)' - replace: '\1authenticate\2' - with_items: - - "{{ rhel8stig_sudoers_files.stdout_lines }}" - when: - - rhel_08_010381 - - rhel8stig_using_password_auth - tags: - - RHEL-08-010381 - - sudoers - -- name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." - block: - - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" - dnf: - name: esc - state: present - when: rhel8stig_gui - - - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" - dnf: - name: openssl-pkcs11 - state: present - when: - - rhel_08_010390 - tags: - - RHEL-08-010390 - - multifactor - -- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." - lineinfile: - path: '{{ rhel8stig_sssd_conf }}' - regexp: '^certificate_verification = {{ item }}' - state: absent - with_items: - - 'no_ocsp, no_verification' - - no_ocsp - - no_verification - notify: restart sssd - when: - - "'sssd' in ansible_facts.packages" - - rhel8stig_sssd_conf_present.stat.exists - - rhel_08_010400 - tags: - - RHEL-08-010400 - -- name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." - dnf: - name: opensc - state: present - when: - - rhel_08_010410 - tags: - - RHEL-08-010410 - - opensc - - piv - -- name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." - block: - - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. 
| Get NX bit state" - shell: dmesg |grep "NX (" - changed_when: false - failed_when: false - register: rhel_08_010420_nx_bit_state - - - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" - debug: - msg: - - "Good News! You are setup with execute disable active." - when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' - - - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" - debug: - msg: - - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" - when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' - when: - - rhel_08_010420 - tags: - - RHEL-08-010420 - -- name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." - block: - - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_010421_grub_cmdline_linux - - - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active" - shell: grubby --update-kernel=ALL --args="page_poison=1" - - - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
| Set page poison 1 for kernel updates if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"' - when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout' - - - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists" - replace: - path: /etc/default/grub - regexp: 'page_poison=([^\s|"])+' - replace: "page_poison=1" - when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout' - when: - - rhel_08_010421 - tags: - - RHEL-08-010421 - - grub - -- name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls." - block: - - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_010422_grub_cmdline_linux - - - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" - shell: grubby --update-kernel=ALL --args="vsyscall=none" - - - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"' - when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout' - - - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. 
| Set vsyscall none for kernel updates if exists" - replace: - path: /etc/default/grub - regexp: 'vsyscall=([^\s|"])+' - replace: "vsyscall=none" - when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout' - when: - - rhel_08_010422 - tags: - - RHEL-08-010422 - - grub - -- name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks." - block: - - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_010423_grub_cmdline_linux - - - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" - shell: grubby --update-kernel=ALL --args="slub_debug=P" - - - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"' - when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout' - - - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists" - replace: - path: /etc/default/grub - regexp: 'slub_debug=([^\s|"])+' - replace: "slub_debug=P" - when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout' - when: - - rhel_08_010423 - tags: - - RHEL-08-010423 - - grub - -- name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." 
- sysctl: - name: kernel.randomize_va_space - value: '2' - state: present - reload: "{{ rhel8stig_sysctl_reload }}" - sysctl_set: yes - ignoreerrors: yes - notify: sysctl system - when: - - rhel_08_010430 - tags: - - RHEL-08-010430 - - sysctl - -- name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files" - find: - paths: /etc/ssh - recurse: yes - file_type: file - patterns: 'ssh_host*_key.pub' - hidden: true - changed_when: false - failed_when: false - register: rhel_08_010480_public_files - - - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" - file: - path: "{{ item.path }}" - mode: '0644' - with_items: - - "{{ rhel_08_010480_public_files.files }}" - notify: restart sshd - when: - - rhel_08_010480 - - rhel8stig_ssh_required - tags: - - RHEL-08-010480 - - ssh - -- name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files" - find: - paths: /etc/ssh - recurse: yes - file_type: file - patterns: 'ssh_host*key' - hidden: true - changed_when: false - failed_when: false - register: rhel_08_010490_private_host_key_files - - - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. 
| Set permissions" - file: - path: "{{ item.path }}" - mode: '0640' - with_items: - - "{{ rhel_08_010490_private_host_key_files.files }}" - notify: restart sshd - when: - - rhel_08_010490 - - rhel8stig_ssh_required - tags: - - RHEL-08-010490 - - ssh - -- name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?StrictModes' - line: 'StrictModes yes' - notify: restart sshd - when: - - rhel_08_010500 - - rhel8stig_ssh_required - tags: - - RHEL-08-010500 - - ssh - -- name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?Compression' - line: 'Compression {{ rhel8stig_sshd_compression }}' - notify: restart sshd - when: - - rhel_08_010510 - - rhel8stig_ssh_required - tags: - - RHEL-08-010510 - - ssh - -- name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?IgnoreUserKnownHosts' - line: 'IgnoreUserKnownHosts yes' - notify: restart sshd - when: - - rhel_08_010520 - - rhel8stig_ssh_required - tags: - - RHEL-08-010520 - - ssh - -- name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication." - lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" } - - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" } - notify: restart sshd - when: - - rhel_08_010521 - tags: - - RHEL-08-010521 - - ssh - -- name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." - debug: - msg: "WARNING!!!! 
/tmp is not mounted on a separate partition" - changed_when: - - rhel8stig_audit_complex - when: - - rhel_08_010543 - - not rhel8stig_system_is_container - - rhel8stig_complex - - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 - tags: - - RHEL-08-010543 - - complexity-high - - mount - - tmp - -- name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?PermitRootLogin' - line: 'PermitRootLogin no' - notify: restart sshd - when: - - rhel_08_010550 - - rhel8stig_ssh_required - tags: - - RHEL-08-010550 - - ssh - -- name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8." - service: - name: auditd - state: started - enabled: yes - when: - - rhel_08_010560 - - not rhel8stig_system_is_container - tags: - - RHEL-08-010560 - - auditd - -- name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." - service: - name: rsyslog.service - state: started - enabled: true - when: - - rhel_08_010561 - tags: - - RHEL-08-010561 - - rsyslog - -- name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." - mount: - path: /home - state: mounted - src: "{{ home_mount.device }}" - fstype: "{{ home_mount.fstype }}" - opts: "{{ home_mount.options }},nosuid" - when: - - rhel_08_010570 - - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - - "'nosuid' not in home_mount.options" - vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" - tags: - - RHEL-08-010570 - - mounts - - home - -- name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory." 
- mount: - path: /boot - state: mounted - src: "{{ boot_mount.device }}" - fstype: "{{ boot_mount.fstype }}" - opts: "{{ boot_mount.options }},nosuid" - when: - - rhel_08_010571 - - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0 - - "'nosuid' not in boot_mount.options" - vars: - boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}" - tags: - - RHEL-08-010571 - - mounts - - boot - -- name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." - block: - - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" - shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' - args: - warn: no - changed_when: no - check_mode: no - register: rhel8stig_010580_mounts_nodev - - - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results" - set_fact: - rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}" - - with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}" - vars: - ld_mount_regex: >- - ^(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*) - ld_mount_yaml: | - device: >-4 - \g - mpoint: >-4 - \g - fs: >-4 - \g - opts: >-4 - \g - when: rhel8stig_010580_mounts_nodev.stdout | length > 0 - - - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. 
| Set value" - mount: - path: "{{ item.mpoint }}" - state: mounted - src: "{{ item.device }}" - fstype: "{{ item.fs }}" - opts: "{{ item.opts }},nodev" - with_items: - - "{{ rhel8stig_010580_mounts | default([]) }}" - when: - - item.device != "/" - - "'odev' not in item.opts" - - rhel8stig_010580_mounts_nodev.stdout | length > 0 - when: - - rhel_08_010580 - tags: - - RHEL-08-010580 - - mounts - - non-root - -- name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories." - mount: - path: /home - state: mounted - src: "{{ home_mount.device }}" - fstype: "{{ home_mount.fstype }}" - opts: "{{ home_mount.options }},noexec" - when: - - rhel_08_010590 - - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - - "'noexec' not in home_mount.options" - vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" - tags: - - RHEL-08-010590 - - mounts - - home - -- name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media." - block: - - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media" - mount: - path: /media - state: mounted - src: "{{ removable_mount.device }}" - fstype: "{{ removable_mount.fstype }}" - opts: "{{ removable_mount.options }},nodev" - when: - - rhel_08_010600 - - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - - - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. 
| Set nodev to /mnt" - mount: - path: /mnt - state: mounted - src: "{{ removable_mount2.device }}" - fstype: "{{ removable_mount2.fstype }}" - opts: "{{ removable_mount2.options }},nodev" - when: - - rhel_08_010600 - - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" - when: - - rhel_08_010600 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - tags: - - RHEL-08-010600 - - mounts - - media - -- name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media." - block: - - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /media" - mount: - path: /media - state: mounted - src: "{{ removable_mount.device }}" - fstype: "{{ removable_mount.fstype }}" - opts: "{{ removable_mount.options }},noexec" - when: - - rhel_08_010600 - - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - - - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. 
| Set noexec to /mnt" - mount: - path: /mnt - state: mounted - src: "{{ removable_mount2.device }}" - fstype: "{{ removable_mount2.fstype }}" - opts: "{{ removable_mount2.options }},noexec" - when: - - rhel_08_010610 - - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" - when: - - rhel_08_010610 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - tags: - - RHEL-08-010610 - - mounts - - media - -- name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." - block: - - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media" - mount: - path: /media - state: mounted - src: "{{ removable_mount.device }}" - fstype: "{{ removable_mount.fstype }}" - opts: "{{ removable_mount.options }},nosuid" - when: - - rhel_08_010620 - - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - - - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. 
| Set nosuid to /mnt" - mount: - path: /mnt - state: mounted - src: "{{ removable_mount2.device }}" - fstype: "{{ removable_mount2.fstype }}" - opts: "{{ removable_mount2.options }},nosuid" - when: - - rhel_08_010620 - - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" - when: - - rhel_08_010620 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) - tags: - - RHEL-08-010620 - - mounts - - media - -- name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)." - mount: - path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},noexec" - state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' - with_items: "{{ rhel8stig_nfs_mounts }}" - when: - - rhel_08_010630 - - "'noexec' not in (ansible_mounts | json_query(options_query))" - tags: - - RHEL-08-010630 - - mounts - - nfs - -- name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)." 
- mount: - path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},nodev" - state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' - with_items: "{{ rhel8stig_nfs_mounts }}" - when: - - rhel_08_010640 - - "'nodev' not in (ansible_mounts | json_query(options_query))" - tags: - - RHEL-08-010640 - -- name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)" - mount: - path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},nosuid" - state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' - with_items: "{{ rhel8stig_nfs_mounts }}" - when: - - rhel_08_010650 - - "'nosuid' not in (ansible_mounts | json_query(options_query))" - tags: - - RHEL-08-010650 - -- name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs." - block: - - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions" - shell: find {{ item.mount }} -xdev -type f -perm -002 - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_010660_world_writable_files - with_items: - - "{{ ansible_mounts }}" - - - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. 
| Set fact for flattening" - set_fact: - rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}" - - - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories" - include_tasks: audit_homedirinifiles.yml - loop: - - "{{ rhel_08_stig_interactive_homedir_inifiles }}" - loop_control: - loop_var: ini_item - when: - - rhel_08_010660_change_perms != [] - - - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions" - file: - path: "{{ item }}" - mode: '0755' - state: file - with_items: - - "{{ rhel_08_010660_change_perms }}" - when: - - rhel_08_010660_change_perms != [] - when: - - rhel_08_010660 - - rhel8stig_disruption_high - # - rhel_08_stig_interactive_homedir_inifiles is defined - tags: - - RHEL-08-010660 - -- name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed." - service: - name: kdump - enabled: no - state: stopped - when: - - rhel_08_010670 - - not rhel8stig_kdump_needed - tags: - - RHEL-08-010670 - - kdump - -- name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." - block: - - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if using numbered link files" - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.core_pattern =' - line: "kernel.core_pattern = |/bin/false" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched > 0 - - rhel8stig_sysctlconf_filename.files[0].islnk - - - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. 
| Set kernel core pattern if no numbered link files" - lineinfile: - path: /etc/sysctl.conf - regexp: '^kernel.core_pattern =' - line: "kernel.core_pattern = |/bin/false" - notify: sysctl system - when: - - rhel8stig_sysctlconf_filename.matched == 0 or - not rhel8stig_sysctlconf_filename.files[0].islnk - when: - - rhel_08_010671 - tags: - - RHEL-08-010671 - - sysctl - -- name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps." - systemd: - name: systemd-coredump.socket - masked: yes - daemon_reload: yes - notify: systemctl daemon-reload - when: - - rhel_08_010672 - tags: - - RHEL-08-010672 - - systemd - -- name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users." - lineinfile: - path: /etc/security/limits.conf - regexp: '^\*.*hard.*core' - line: "* hard core 0" - insertbefore: '# End of file' - when: - - rhel_08_010673 - tags: - - RHEL-08-010673 - - security - - limits - -- name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps." - lineinfile: - path: /etc/systemd/coredump.conf - regexp: '^(S|s)torage=|#(S|s)torage=' - line: "Storage=none" - when: - - rhel_08_010674 - tags: - - RHEL-08-010674 - - systemd - -- name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces." - lineinfile: - path: /etc/systemd/coredump.conf - regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax=' - line: "ProcessSizeMax=0" - when: - - rhel_08_010675 - tags: - - RHEL-08-010675 - - systemd - -# NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service. -- name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured." 
- block: - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf" - shell: grep "dns" /etc/nsswitch.conf | grep -v "#" - changed_when: no - failed_when: false - check_mode: no - register: rhel_08_010680_nsswitch_check - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf" - command: grep -c "# Generated by NetworkManager" /etc/resolv.conf - changed_when: no - failed_when: false - check_mode: no - register: rhel_08_010680_networkmanager_check - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf" - shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l - changed_when: no - failed_when: false - check_mode: no - register: rhel_08_010680_nameserver_count - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf" - shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf - when: - - "'dns' not in rhel_08_010680_nsswitch_check.stdout" - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Set resolv.conf if dns is set in nsswitch.conf" - lineinfile: - dest: /etc/resolv.conf - regexp: "{{ item.regexp }}" - line: "nameserver {{ item.line }}" - insertafter: "{{ item.after }}" - with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers - - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search } - - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' } - # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' } - when: - - not rhel8_stig_use_resolv_template - - rhel_08_010680_networkmanager_check.stdout == '0' - - rhel_08_010680_nameserver_count.stdout | int >= 2 - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf using a template when not NetworkManager controlled" - template: - src: resolv.conf.j2 - dest: /etc/resolv.conf - owner: root - group: root - mode: 0644 - when: - - rhel_08_010680_networkmanager_check.stdout == '0' - - rhel8_stig_use_resolv_template - - - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp." - debug: - msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations." 
- changed_when: true - when: - - rhel_08_010680_networkmanager_check.stdout != '0' or rhel_08_010680_nameserver_count.stdout| int < 2 - - not rhel8_stig_use_resolv_template - when: - - rhel_08_010680 - - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container - - not system_is_ec2 - tags: - - RHEL-08-010680 - -- name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - block: - - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files" - shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath - with_items: "{{ rhel_08_stig_interactive_homedir_results }}" - register: rhel_08_010690_ini_path_grep_list - changed_when: no - failed_when: false - - - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - debug: - msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory. - with_items: - - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" - - - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." 
- lineinfile: - path: "{{ item }}" - regexp: "^PATH=" - line: "{{ rhel_08_010690_user_path }}" - with_items: - - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" - when: - - rhel_08_010690 - - rhel8stig_disruption_high - - rhel8stig_change_user_path - tags: - - RHEL-08-010690 - - complexity-high - -- name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group." - block: - - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999 - changed_when: false - failed_when: false - register: rhel_08_010700_world_writable_directories - - - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions" - file: - path: "{{ item }}" - owner: root - with_items: - - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}" - when: rhel_08_010700_world_writable_directories.stdout | length > 0 - when: - - rhel_08_010700 - tags: - - RHEL-08-010700 - -- name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group." - block: - - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999 - changed_when: false - failed_when: false - register: rhel_08_010710_world_writable_directories - - - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. 
| Set permissions" - file: - path: "{{ item }}" - group: root - with_items: - - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}" - when: rhel_08_010710_world_writable_directories.stdout | length > 0 - when: - - rhel_08_010710 - tags: - - RHEL-08-010710 - -- name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file." - block: - - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory" - shell: pwck -r | grep user | cut -f2 -d"'" - changed_when: false - failed_when: false - register: rhel_08_010720_users_no_home_dir - - - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory" - shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}' - changed_when: false - failed_when: false - register: rhel_08_010720_user_list - - - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list" - debug: - msg: - - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" - - "{{ rhel_08_010720_user_list.stdout_lines }}" - when: rhel_08_010720_user_list.stdout | length > 0 - when: - - rhel_08_010720 - tags: - - RHEL-08-010720 - -- name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." 
- shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) - changed_when: false - failed_when: false - register: rhel_08_010730_home_directories - - - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - file: - path: "{{ item }}" - mode: 0750 - with_items: - - "{{ rhel_08_010730_home_directories.stdout_lines }}" - when: rhel_08_010730_home_directories.stdout | length > 0 - when: - - rhel_08_010730 - tags: - - RHEL-08-010730 - -- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." - file: - path: "{{ item.dir }}" - group: "{{ item.gid }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010740 - - item.uid >= rhel8stig_interactive_uid_start - tags: - - skip_ansible_lint - - RHEL-08-010740 - -- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." - file: - path: "{{ item.dir }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010750 - - item.uid >= rhel8stig_interactive_uid_start - tags: - - skip_ansible_lint - - RHEL-08-010750 - -- name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." - lineinfile: - path: /etc/login.defs - regexp: '.*?CREATE_HOME.*' - line: CREATE_HOME yes - when: - - rhel_08_010760 - tags: - - RHEL-08-010760 - - login - - home - -- name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." 
- file: - path: "{{ item }}" - mode: 0740 - with_items: - - "{{ rhel_08_stig_interactive_homedir_inifiles }}" - when: - - rhel_08_010770 - - rhel8stig_disruption_high - - rhel_08_stig_interactive_homedir_inifiles is defined - tags: - - RHEL-08-010770 - - complexity-high - -- name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner." - block: - - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files" - shell: find / -nouser - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_010780_nouser_files - - - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files" - debug: - msg: - - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner" - - "{{ rhel_08_010780_nouser_files.stdout_lines }}" - when: rhel_08_010780_nouser_files.stdout | length > 0 - when: - - rhel_08_010780 - tags: - - RHEL-08-010780 - -- name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner." - block: - - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files" - shell: find / -nogroup - changed_when: false - failed_when: false - register: rhel_08_010790_nogroup_files - - - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" - debug: - msg: - - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group" - - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" - when: rhel_08_010790_nogroup_files.stdout | length > 0 - when: - - rhel_08_010790 - tags: - - RHEL-08-010790 - -- name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." 
- debug: - msg: "WARNING!!!! /home is not mounted on a separate partition" - changed_when: - - rhel8stig_audit_complex - when: - - rhel_08_010800 - - not rhel8stig_system_is_container - - rhel8stig_complex - - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 - tags: - - RHEL-08-010800 - - complexity-high - - mount - - home - -- name: "MEDIUM | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?PermitUserEnvironment' - line: 'PermitUserEnvironment no' - notify: restart sshd - when: - - rhel_08_010830 - - rhel8stig_disruption_high - tags: - - RHEL-08-010830 - - ssh - - disruption_high - -- name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less." - debug: - msg: - - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less." - - "To do this please run sudo chage -l account_name for the accounts you need to check" - - "The results will display the Account Expires information" - - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name' - when: - - rhel_08_020000 - tags: - - RHEL-08-020000 - -- name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." - block: - - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - when: - - rhel_08_020010 - tags: - - RHEL-08-020010 - - pamd - -- name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." - block: - - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^deny =|^\# deny =' - line: "deny = {{ rhel8stig_pam_faillock.attempts }}" - when: - - rhel_08_020011 - tags: - - RHEL-08-020011 - - pamd - -- name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." 
- block: - - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - when: - - rhel_08_020012 - tags: - - RHEL-08-020012 - - pamd - -- name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." - block: - - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set fail_interval in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^fail_interval =|^\# fail_interval =' - line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" - with_items: - - system-auth - - password-auth - when: - - rhel_08_020013 - tags: - - RHEL-08-020013 - - pamd - -- name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." - block: - - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - when: - - rhel_08_020013 - tags: - - RHEL-08-020013 - - pamd - -- name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - block: - - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^unlock_time =|^\# unlock_time =' - line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}" - with_items: - - system-auth - - password-auth - when: - - rhel_08_020015 - tags: - - RHEL-08-020015 - - pamd - -- name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist." 
- block: - - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - when: - - rhel_08_020016 - tags: - - RHEL-08-020016 - - pamd - -- name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist." - block: - - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. 
| Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^dir =|^\# dir =' - line: "dir = /var/log/faillock" - with_items: - - system-auth - - password-auth - when: - - rhel_08_020017 - tags: - - RHEL-08-020017 - - pamd - -- name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." 
- block: - - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - when: - - rhel_08_020018 - tags: - - RHEL-08-020018 - - pamd - -- name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." - block: - - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. 
| Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^silent|^\# silent' - line: "silent" - with_items: - - system-auth - - password-auth - when: - - rhel_08_020019 - tags: - - RHEL-08-020019 - - pamd - -- name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." 
- block: - - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - when: - - rhel_08_020020 - tags: - - RHEL-08-020020 - - pamd - -- name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." - block: - - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. 
| Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^audit|^\# audit' - line: "audit" - with_items: - - system-auth - - password-auth - when: - - rhel_08_020021 - tags: - - RHEL-08-020021 - - pamd - -- name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." 
- block: - - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - when: - - rhel_08_020022 - tags: - - RHEL-08-020022 - - pamd - -- name: "MEDIUM | RHEL-020023| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - block: - - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^even_deny_root|^\# even_deny_root' - line: "even_deny_root" - with_items: - - system-auth - - password-auth - when: - - rhel_08_020023 - tags: - - RHEL-08-020023 - - pamd - -- name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." - block: - - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. 
| Check for lock-enabled" - command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" - changed_when: false - failed_when: false - register: rhel_08_020030_lock_enabled - - - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists" - lineinfile: - path: "{{ rhel_08_020030_lock_enabled.stdout }}" - regexp: '^lock-enabled' - line: lock-enabled=true - when: rhel_08_020030_lock_enabled.stdout | length > 0 - notify: dconf update - - - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist" - lineinfile: - path: /etc/dconf/db/local.d/00-screensaver - create: yes - regexp: '^lock-enabled' - owner: root - group: root - mode: 0644 - line: | - [org/gnome/desktop/screensaver] - # Set this to true to lock the screen when the screensaver activates - lock-enabled=true - when: rhel_08_020030_lock_enabled.stdout | length == 0 - notify: dconf update - when: - - rhel_08_020030 - - "'dconf' in ansible_facts.packages" - - rhel8stig_always_configure_dconf +# tags: +# - RHEL-08-010050 + +# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." +# lineinfile: +# path: /etc/rsyslog.d/50-default.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# create: yes +# mode: '0644' +# notify: restart rsyslog +# with_items: +# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } +# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } +# when: +# - rhel_08_010070 +# tags: +# - RHEL-08-010070 + +# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. 
This might need to be a message out, but I will circle back to this and confirm. +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." +# block: +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" +# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem +# changed_when: false +# failed_when: false +# register: rhel_08_010090_certs_list + +# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" +# debug: +# msg: +# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" +# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" +# - "{{ rhel_08_010090_certs_list.stdout_lines }}" +# when: +# - rhel_08_010090 +# tags: +# - RHEL-08-010090 + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." +# block: +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" +# file: +# path: "{{ rhel8stig_path_to_sshkey }}" +# state: directory +# mode: '0700' + +# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. 
| Create key pair" +# openssh_keypair: +# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" +# when: +# - rhel_08_010100 +# tags: +# - RHEL-08-010100 + +# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." +# lineinfile: +# path: /etc/login.defs +# regexp: '^ENCRYPT_METHOD.*' +# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" +# when: +# - rhel_08_010110 +# tags: +# - RHEL-08-010110 +# - login + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." +# block: +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" +# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' +# changed_when: false +# failed_when: false +# register: rhel_08_010120_non_fips_hashed_accounts + +# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" +# command: "passwd -l {{ item }}" +# args: +# warn: no +# with_items: +# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 + +# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" +# debug: +# msg: +# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. 
Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" +# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" +# when: +# - not rhel8stig_disruption_high +# - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 +# when: +# - rhel_08_010120 +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010120 +# - disruption_high + +# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" +# pamd: +# name: "{{ item }}" +# type: password +# control: sufficient +# module_path: pam_unix.so +# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" +# state: args_present +# with_items: +# - password-auth +# - system-auth +# when: +# - rhel_08_010130 +# tags: +# - RHEL-08-010130 + +# - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." +# lineinfile: +# path: /usr/lib/systemd/system/rescue.service +# regexp: '^ExecStart=' +# line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" +# create: yes +# owner: root +# group: root +# mode: 0644 + +# when: +# - rhel_08_010151 +# tags: +# - RHEL-08-010151 +# - systemd + +# - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument" +# pamd: +# name: "{{ item }}" +# type: password +# control: sufficient +# module_path: pam_unix.so +# module_arguments: sha512 +# state: args_present +# with_items: +# - password-auth +# - system-auth +# when: +# - rhel_08_010160 +# tags: +# - RHEL-08-010160 + +# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." +# block: +# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. 
| Find .keytab files" +# find: +# path: / +# patterns: '*.keytab' +# recurse: yes +# register: rhel8stig_010161_keytab_files + +# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files" +# file: +# path: "{{ item.path }}" +# state: absent +# with_items: +# - "{{ rhel8stig_010161_keytab_files.files }}" +# when: rhel8stig_010161_keytab_files.matched > 0 +# when: +# - rhel_08_010161 +# tags: +# - RHEL-08-010161 +# - kerberos + +# - name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8." +# dnf: +# name: krb5-workstation +# state: absent +# when: +# - rhel_08_010162 +# tags: +# - RHEL-08-010162 +# - kerberos + +# - name: | +# "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services." +# "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." +# selinux: +# state: enforcing +# policy: targeted +# check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" +# notify: reboot system +# when: +# - rhel_08_010170 or rhel_08_010450 +# - not rhel8stig_system_is_container +# - rhel8stig_disruption_high +# tags: +# - RHEL-08-010170 +# - RHEL-08-010450 +# - selinux +# - disruption_high + +# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources." +# block: +# - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root" +# shell: "find / ! 
-user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'" +# changed_when: false +# failed_when: false +# register: rhel_08_010180_public_not_root_owned + +# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders" +# file: +# path: "{{ item }}" +# owner: root +# group: root +# with_items: +# - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}" +# when: +# - rhel_08_010180 +# tags: +# - RHEL-08-010180 + +# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." +# block: +# - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" +# shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" +# changed_when: false +# failed_when: false +# register: rhel_08_010190_world_writable_files + +# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" +# file: +# path: "{{ item }}" +# mode: '1777' +# with_items: +# - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" +# when: +# - rhel_08_010190 +# tags: +# - RHEL-08-010190 + +# - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." 
+# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# notify: restart sshd +# with_items: +# - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} +# - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } +# when: +# - rhel_08_010200 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-010200 +# - ssh + +# - name: | +# "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." +# "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." +# "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." +# file: +# path: /var/log/messages +# owner: root +# group: root +# mode: '0640' +# when: +# - rhel_08_010210 or +# rhel_08_010220 or +# rhel_08_010230 +# tags: +# - RHEL-08-010210 +# - RHEL-08-010220 +# - RHEL-08-010230 + +# - name: | +# "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." +# "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." +# "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." +# file: +# path: /var/log +# owner: root +# group: root +# mode: '0755' +# when: +# - rhel_08_010240 or +# rhel_08_010250 or +# rhel_08_010260 +# tags: +# - RHEL-08-010240 +# - RHEL-08-010250 +# - RHEL-08-010260 + +# - name: | +# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." 
+# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" +# block: +# - name: | +# "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" +# "MEDIUM | RHEL-08-010291 | AUDIT | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Get current FIPS mode state" +# command: fips-mode-setup --check +# changed_when: false +# failed_when: false +# register: rhel_08_010290_pre_fips_check + +# - name: | +# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" +# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Enable FIPS" +# command: fips-mode-setup --enable +# register: rhel_08_010290_fips_enable +# notify: reboot system +# when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' + +# - name: | +# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. 
| Add ssh ciphers" +# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Add ssh ciphers" +# lineinfile: +# path: "{{ item.path }}" +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# notify: reboot system +# with_items: +# - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } +# - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } +# when: +# - rhel_08_010290 or +# rhel_08_010291 +# tags: +# - RHEL-08-010290 +# - RHEL-08-010291 +# - fips + +# - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." +# block: +# - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" +# command: fips-mode-setup --check +# changed_when: false +# failed_when: false +# register: rhel_08_010293_pre_fips_check + +# - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" +# command: fips-mode-setup --enable +# register: rhel_08_010290_fips_enable +# notify: reboot system +# when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' +# when: +# - rhel_08_010293 +# tags: +# - RHEL-08-010293 +# - fips + +# - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." 
+# lineinfile: +# path: /etc/crypto-policies/back-ends/opensslcnf.config +# regexp: '^MinProtocol =' +# line: "MinProtocol = TLSv1.2" +# notify: reboot system +# when: +# - rhel_08_010294 +# tags: +# - RHEL-08-010294 +# - openssl + +# - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" +# lineinfile: +# path: /etc/crypto-policies/back-ends/gnutls.config +# regexp: '^(.*\+VERS-ALL:)' +# line: '\1{{ rhel8stig_gnutls_encryption }}' +# backrefs: true +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: reboot system +# when: +# - rhel_08_010295 +# tags: +# - RHEL-08-010295 +# - gnutls + +# - name: | +# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." +# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." +# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." +# block: +# - name: | +# "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" +# "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" +# "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" +# shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" +# args: +# warn: no +# changed_when: false +# failed_when: false +# register: rhel_08_010300_commands + +# - name: | +# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" +# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" +# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. 
| Set permissions"
+# file:
+# path: "{{ item }}"
+# owner: root
+# group: root
+# mode: '0755'
+# force: yes
+# with_items:
+# - "{{ rhel_08_010300_commands.stdout_lines }}"
+# when:
+# - rhel_08_010300 or
+# rhel_08_010310 or
+# rhel_08_010320
+# tags:
+# - RHEL-08-010300
+# - RHEL-08-010310
+# - RHEL-08-010320
+
+# - name: |
+# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive."
+# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root."
+# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less"
+# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root"
+# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root"
+# shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root"
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010330_library_files
+
+# - name: |
+# "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less"
+# "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root"
+# "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root.
| Get library files not group-owned by root"
+# file:
+# path: "{{ item }}"
+# owner: root
+# group: root
+# mode: '0755'
+# with_items:
+# - "{{ rhel_08_010330_library_files.stdout_lines }}"
+# when:
+# - rhel_08_010330 or
+# rhel_08_010340 or
+# rhel_08_010350
+# tags:
+# - RHEL-08-010330
+# - RHEL-08-010340
+# - RHEL-08-010350
+
+# - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency."
+# cron:
+# name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}'
+# user: "{{ rhel8stig_aide_cron.user }}"
+# cron_file: "{{ rhel8stig_aide_cron.cron_file }}"
+# job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}"
+# minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and
+# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) |
+# ternary('0', omit)) | default(omit) }}"
+# hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and
+# rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) |
+# ternary('0', omit)) | default(omit) }}"
+# weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and
+# rhel8stig_aide_cron.special_time in ['weekly']) |
+# ternary('0', omit)) | default(omit) }}"
+# day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and
+# rhel8stig_aide_cron.special_time in ['monthly']) |
+# ternary('1', omit)) | default(omit) }}"
+# special_time: "{{ (rhel8stig_cron_special_disable and
+# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) |
+# ternary(omit, rhel8stig_aide_cron.special_time) }}"
+# when:
+# - rhel_08_010360
+# - rhel8stig_disruption_high
+# tags:
+# - RHEL-08-010360
+# - aide
+
+# - name:
"MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." +# block: +# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if using numbered link files" +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.kexec_load_disabled =' +# line: "kernel.kexec_load_disabled = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched > 0 +# - rhel8stig_sysctlconf_filename.files[0].islnk + +# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if no numbered link files" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^kernel.kexec_load_disabled =' +# line: "kernel.kexec_load_disabled = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched == 0 or +# not rhel8stig_sysctlconf_filename.files[0].islnk +# when: +# - rhel_08_010372 +# tags: +# - RHEL-08-010372 +# - sysctl + +# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." +# block: +# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if using numbered link files" +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^fs.protected_symlinks =' +# line: "fs.protected_symlinks = 1" +# notify: sysctl system +# when: +# - rhel8stig_sysctlconf_filename.matched > 0 +# - rhel8stig_sysctlconf_filename.files[0].islnk + +# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. 
| Set protected symlinks if no numbered link files"
+# lineinfile:
+# path: /etc/sysctl.conf
+# regexp: '^fs.protected_symlinks ='
+# line: "fs.protected_symlinks = 1"
+# notify: sysctl system
+# when:
+# - rhel8stig_sysctlconf_filename.matched == 0 or
+# not rhel8stig_sysctlconf_filename.files[0].islnk
+# when:
+# - rhel_08_010373
+# tags:
+# - RHEL-08-010373
+# - sysctl
+
+# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks."
+# block:
+# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if using numbered link files"
+# lineinfile:
+# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+# regexp: '^fs.protected_hardlinks ='
+# line: "fs.protected_hardlinks = 1"
+# notify: sysctl system
+# when:
+# - rhel8stig_sysctlconf_filename.matched > 0
+# - rhel8stig_sysctlconf_filename.files[0].islnk
+
+# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if no numbered link files"
+# lineinfile:
+# path: /etc/sysctl.conf
+# regexp: '^fs.protected_hardlinks ='
+# line: "fs.protected_hardlinks = 1"
+# notify: sysctl system
+# when:
+# - rhel8stig_sysctlconf_filename.matched == 0 or
+# not rhel8stig_sysctlconf_filename.files[0].islnk
+# when:
+# - rhel_08_010374
+# tags:
+# - RHEL-08-010374
+# - sysctl
+
+# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation."
+# replace:
+# path: "{{ item }}"
+# regexp: '^([^#].*)NOPASSWD(.*)'
+# replace: '\1PASSWD\2'
+# with_items:
+# - "{{ rhel8stig_sudoers_files.stdout_lines }}"
+# when:
+# - rhel_08_010380
+# - rhel8stig_using_password_auth
+# tags:
+# - RHEL-08-010380
+# - sudoers
+
+# - name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation."
+# replace:
+# path: "{{ item }}"
+# regexp: '^([^#].*)!authenticate(.*)'
+# replace: '\1authenticate\2'
+# with_items:
+# - "{{ rhel8stig_sudoers_files.stdout_lines }}"
+# when:
+# - rhel_08_010381
+# - rhel8stig_using_password_auth
+# tags:
+# - RHEL-08-010381
+# - sudoers
+
+# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed."
+# block:
+# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages"
+# dnf:
+# name: esc
+# state: present
+# when: rhel8stig_gui
+
+# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages"
+# dnf:
+# name: openssl-pkcs11
+# state: present
+# when:
+# - rhel_08_010390
+# tags:
+# - RHEL-08-010390
+# - multifactor
+
+# - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication."
+# lineinfile:
+# path: '{{ rhel8stig_sssd_conf }}'
+# regexp: '^certificate_verification = {{ item }}'
+# state: absent
+# with_items:
+# - 'no_ocsp, no_verification'
+# - no_ocsp
+# - no_verification
+# notify: restart sssd
+# when:
+# - "'sssd' in ansible_facts.packages"
+# - rhel8stig_sssd_conf_present.stat.exists
+# - rhel_08_010400
+# tags:
+# - RHEL-08-010400
+
+# - name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials."
+# dnf:
+# name: opensc
+# state: present
+# when:
+# - rhel_08_010410
+# tags:
+# - RHEL-08-010410
+# - opensc
+# - piv
+
+# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution."
+# block:
+# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state"
+# shell: dmesg |grep "NX ("
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010420_nx_bit_state
+
+# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set"
+# debug:
+# msg:
+# - "Good News! You are setup with execute disable active."
+# when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout'
+
+# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set"
+# debug:
+# msg:
+# - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings"
+# when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout'
+# when:
+# - rhel_08_010420
+# tags:
+# - RHEL-08-010420
+
+# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks."
+# block:
+# - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings"
+# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_010421_grub_cmdline_linux
+
+# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks.
| Set page poison 1 as active"
+# shell: grubby --update-kernel=ALL --args="page_poison=1"
+
+# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist"
+# lineinfile:
+# path: /etc/default/grub
+# regexp: '^GRUB_CMDLINE_LINUX='
+# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"'
+# when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout'
+
+# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists"
+# replace:
+# path: /etc/default/grub
+# regexp: 'page_poison=([^\s|"])+'
+# replace: "page_poison=1"
+# when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout'
+# when:
+# - rhel_08_010421
+# tags:
+# - RHEL-08-010421
+# - grub
+
+# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls."
+# block:
+# - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings"
+# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_010422_grub_cmdline_linux
+
+# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active"
+# shell: grubby --update-kernel=ALL --args="vsyscall=none"
+
+# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist"
+# lineinfile:
+# path: /etc/default/grub
+# regexp: '^GRUB_CMDLINE_LINUX='
+# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"'
+# when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout'
+
+# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls.
| Set vsyscall none for kernel updates if exists"
+# replace:
+# path: /etc/default/grub
+# regexp: 'vsyscall=([^\s|"])+'
+# replace: "vsyscall=none"
+# when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout'
+# when:
+# - rhel_08_010422
+# tags:
+# - RHEL-08-010422
+# - grub
+
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks."
+# block:
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings"
+# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_010423_grub_cmdline_linux
+
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active"
+# shell: grubby --update-kernel=ALL --args="slub_debug=P"
+
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist"
+# lineinfile:
+# path: /etc/default/grub
+# regexp: '^GRUB_CMDLINE_LINUX='
+# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"'
+# when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout'
+
+# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists"
+# replace:
+# path: /etc/default/grub
+# regexp: 'slub_debug=([^\s|"])+'
+# replace: "slub_debug=P"
+# when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout'
+# when:
+# - rhel_08_010423
+# tags:
+# - RHEL-08-010423
+# - grub
+
+# - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution."
+# sysctl:
+# name: kernel.randomize_va_space
+# value: '2'
+# state: present
+# reload: "{{ rhel8stig_sysctl_reload }}"
+# sysctl_set: yes
+# ignoreerrors: yes
+# notify: sysctl system
+# when:
+# - rhel_08_010430
+# tags:
+# - RHEL-08-010430
+# - sysctl
+
+# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive."
+# block:
+# - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files"
+# find:
+# paths: /etc/ssh
+# recurse: yes
+# file_type: file
+# patterns: 'ssh_host*_key.pub'
+# hidden: true
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010480_public_files
+
+# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions"
+# file:
+# path: "{{ item.path }}"
+# mode: '0644'
+# with_items:
+# - "{{ rhel_08_010480_public_files.files }}"
+# notify: restart sshd
+# when:
+# - rhel_08_010480
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010480
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive."
+# block:
+# - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files"
+# find:
+# paths: /etc/ssh
+# recurse: yes
+# file_type: file
+# patterns: 'ssh_host*key'
+# hidden: true
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010490_private_host_key_files
+
+# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive.
| Set permissions"
+# file:
+# path: "{{ item.path }}"
+# mode: '0640'
+# with_items:
+# - "{{ rhel_08_010490_private_host_key_files.files }}"
+# notify: restart sshd
+# when:
+# - rhel_08_010490
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010490
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?StrictModes'
+# line: 'StrictModes yes'
+# notify: restart sshd
+# when:
+# - rhel_08_010500
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010500
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?Compression'
+# line: 'Compression {{ rhel8stig_sshd_compression }}'
+# notify: restart sshd
+# when:
+# - rhel_08_010510
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010510
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?IgnoreUserKnownHosts'
+# line: 'IgnoreUserKnownHosts yes'
+# notify: restart sshd
+# when:
+# - rhel_08_010520
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010520
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# with_items:
+# - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" }
+# - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" }
+# notify: restart sshd
+# when:
+# - rhel_08_010521
+# tags:
+# - RHEL-08-010521
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory."
+# debug:
+# msg: "WARNING!!!! /tmp is not mounted on a separate partition"
+# changed_when:
+# - rhel8stig_audit_complex
+# when:
+# - rhel_08_010543
+# - not rhel8stig_system_is_container
+# - rhel8stig_complex
+# - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
+# tags:
+# - RHEL-08-010543
+# - complexity-high
+# - mount
+# - tmp
+
+# - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?PermitRootLogin'
+# line: 'PermitRootLogin no'
+# notify: restart sshd
+# when:
+# - rhel_08_010550
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-010550
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8."
+# service:
+# name: auditd
+# state: started
+# enabled: yes
+# when:
+# - rhel_08_010560
+# - not rhel8stig_system_is_container
+# tags:
+# - RHEL-08-010560
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8."
+# service:
+# name: rsyslog.service
+# state: started
+# enabled: true
+# when:
+# - rhel_08_010561
+# tags:
+# - RHEL-08-010561
+# - rsyslog
+
+# - name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."
+# mount:
+# path: /home
+# state: mounted
+# src: "{{ home_mount.device }}"
+# fstype: "{{ home_mount.fstype }}"
+# opts: "{{ home_mount.options }},nosuid"
+# when:
+# - rhel_08_010570
+# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
+# - "'nosuid' not in home_mount.options"
+# vars:
+# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
+# tags:
+# - RHEL-08-010570
+# - mounts
+# - home
+
+# - name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory."
+# mount:
+# path: /boot
+# state: mounted
+# src: "{{ boot_mount.device }}"
+# fstype: "{{ boot_mount.fstype }}"
+# opts: "{{ boot_mount.options }},nosuid"
+# when:
+# - rhel_08_010571
+# - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0
+# - "'nosuid' not in boot_mount.options"
+# vars:
+# boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}"
+# tags:
+# - RHEL-08-010571
+# - mounts
+# - boot
+
+# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions."
+# block:
+# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts"
+# shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g'
+# args:
+# warn: no
+# changed_when: no
+# check_mode: no
+# register: rhel8stig_010580_mounts_nodev
+
+# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions.
| Split results"
+# set_fact:
+# rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}"
+
+# with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}"
+# vars:
+# ld_mount_regex: >-
+# ^(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)
+# ld_mount_yaml: |
+# device: >-4
+# \g
+# mpoint: >-4
+# \g
+# fs: >-4
+# \g
+# opts: >-4
+# \g
+# when: rhel8stig_010580_mounts_nodev.stdout | length > 0
+
+# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value"
+# mount:
+# path: "{{ item.mpoint }}"
+# state: mounted
+# src: "{{ item.device }}"
+# fstype: "{{ item.fs }}"
+# opts: "{{ item.opts }},nodev"
+# with_items:
+# - "{{ rhel8stig_010580_mounts | default([]) }}"
+# when:
+# - item.device != "/"
+# - "'odev' not in item.opts"
+# - rhel8stig_010580_mounts_nodev.stdout | length > 0
+# when:
+# - rhel_08_010580
+# tags:
+# - RHEL-08-010580
+# - mounts
+# - non-root
+
+# - name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories."
+# mount:
+# path: /home
+# state: mounted
+# src: "{{ home_mount.device }}"
+# fstype: "{{ home_mount.fstype }}"
+# opts: "{{ home_mount.options }},noexec"
+# when:
+# - rhel_08_010590
+# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
+# - "'noexec' not in home_mount.options"
+# vars:
+# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
+# tags:
+# - RHEL-08-010590
+# - mounts
+# - home
+
+# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media."
+# block:
+# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media.
| Set nodev to /media"
+# mount:
+# path: /media
+# state: mounted
+# src: "{{ removable_mount.device }}"
+# fstype: "{{ removable_mount.fstype }}"
+# opts: "{{ removable_mount.options }},nodev"
+# when:
+# - rhel_08_010600
+# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+# - "'nodev' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /mnt"
+# mount:
+# path: /mnt
+# state: mounted
+# src: "{{ removable_mount2.device }}"
+# fstype: "{{ removable_mount2.fstype }}"
+# opts: "{{ removable_mount2.options }},nodev"
+# when:
+# - rhel_08_010600
+# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+# - "'nodev' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+# when:
+# - rhel_08_010600
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# tags:
+# - RHEL-08-010600
+# - mounts
+# - media
+
+# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media."
+# block:
+# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media.
| Set noexec to /media"
+# mount:
+# path: /media
+# state: mounted
+# src: "{{ removable_mount.device }}"
+# fstype: "{{ removable_mount.fstype }}"
+# opts: "{{ removable_mount.options }},noexec"
+# when:
+# - rhel_08_010600
+# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+# - "'noexec' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt"
+# mount:
+# path: /mnt
+# state: mounted
+# src: "{{ removable_mount2.device }}"
+# fstype: "{{ removable_mount2.fstype }}"
+# opts: "{{ removable_mount2.options }},noexec"
+# when:
+# - rhel_08_010610
+# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+# - "'noexec' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+# when:
+# - rhel_08_010610
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# tags:
+# - RHEL-08-010610
+# - mounts
+# - media
+
+# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
+# block:
+# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
| Set nosuid to /media"
+# mount:
+# path: /media
+# state: mounted
+# src: "{{ removable_mount.device }}"
+# fstype: "{{ removable_mount.fstype }}"
+# opts: "{{ removable_mount.options }},nosuid"
+# when:
+# - rhel_08_010620
+# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+# - "'nosuid' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt"
+# mount:
+# path: /mnt
+# state: mounted
+# src: "{{ removable_mount2.device }}"
+# fstype: "{{ removable_mount2.fstype }}"
+# opts: "{{ removable_mount2.options }},nosuid"
+# when:
+# - rhel_08_010620
+# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+# - "'nosuid' not in home_mount.options"
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# vars:
+# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+# when:
+# - rhel_08_010620
+# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+# tags:
+# - RHEL-08-010620
+# - mounts
+# - media
+
+# - name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)."
+# mount:
+# path: "{{ item }}"
+# src: "{{ ansible_mounts | json_query(device_query) }}"
+# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+# opts: "{{ ansible_mounts | json_query(options_query) }},noexec"
+# state: mounted
+# vars:
+# device_query: '[?mount == `{{ item }}`] | [0].device'
+# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+# options_query: '[?mount == `{{ item }}`] | [0].options'
+# with_items: "{{ rhel8stig_nfs_mounts }}"
+# when:
+# - rhel_08_010630
+# - "'noexec' not in (ansible_mounts | json_query(options_query))"
+# tags:
+# - RHEL-08-010630
+# - mounts
+# - nfs
+
+# - name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)."
+# mount:
+# path: "{{ item }}"
+# src: "{{ ansible_mounts | json_query(device_query) }}"
+# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+# opts: "{{ ansible_mounts | json_query(options_query) }},nodev"
+# state: mounted
+# vars:
+# device_query: '[?mount == `{{ item }}`] | [0].device'
+# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+# options_query: '[?mount == `{{ item }}`] | [0].options'
+# with_items: "{{ rhel8stig_nfs_mounts }}"
+# when:
+# - rhel_08_010640
+# - "'nodev' not in (ansible_mounts | json_query(options_query))"
+# tags:
+# - RHEL-08-010640
+
+# - name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)"
+# mount:
+# path: "{{ item }}"
+# src: "{{ ansible_mounts | json_query(device_query) }}"
+# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+# opts: "{{ ansible_mounts | json_query(options_query) }},nosuid"
+# state: mounted
+# vars:
+# device_query: '[?mount == `{{ item }}`] | [0].device'
+# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+# options_query: '[?mount == `{{ item }}`] | [0].options'
+# with_items: "{{ rhel8stig_nfs_mounts
}}"
+# when:
+# - rhel_08_010650
+# - "'nosuid' not in (ansible_mounts | json_query(options_query))"
+# tags:
+# - RHEL-08-010650
+
+# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs."
+# block:
+# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions"
+# shell: find {{ item.mount }} -xdev -type f -perm -002
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010660_world_writable_files
+# with_items:
+# - "{{ ansible_mounts }}"
+
+# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening"
+# set_fact:
+# rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}"
+
+# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories"
+# include_tasks: audit_homedirinifiles.yml
+# loop:
+# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+# loop_control:
+# loop_var: ini_item
+# when:
+# - rhel_08_010660_change_perms != []
+
+# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
+# file:
+# path: "{{ item }}"
+# mode: '0755'
+# state: file
+# with_items:
+# - "{{ rhel_08_010660_change_perms }}"
+# when:
+# - rhel_08_010660_change_perms != []
+# when:
+# - rhel_08_010660
+# - rhel8stig_disruption_high
+# # - rhel_08_stig_interactive_homedir_inifiles is defined
+# tags:
+# - RHEL-08-010660
+
+# - name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed."
+# service:
+# name: kdump
+# enabled: no
+# state: stopped
+# when:
+# - rhel_08_010670
+# - not rhel8stig_kdump_needed
+# tags:
+# - RHEL-08-010670
+# - kdump
+
+# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
+# block:
+# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if using numbered link files"
+# lineinfile:
+# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+# regexp: '^kernel.core_pattern ='
+# line: "kernel.core_pattern = |/bin/false"
+# notify: sysctl system
+# when:
+# - rhel8stig_sysctlconf_filename.matched > 0
+# - rhel8stig_sysctlconf_filename.files[0].islnk
+
+# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if no numbered link files"
+# lineinfile:
+# path: /etc/sysctl.conf
+# regexp: '^kernel.core_pattern ='
+# line: "kernel.core_pattern = |/bin/false"
+# notify: sysctl system
+# when:
+# - rhel8stig_sysctlconf_filename.matched == 0 or
+# not rhel8stig_sysctlconf_filename.files[0].islnk
+# when:
+# - rhel_08_010671
+# tags:
+# - RHEL-08-010671
+# - sysctl
+
+# - name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps."
+# systemd:
+# name: systemd-coredump.socket
+# masked: yes
+# daemon_reload: yes
+# notify: systemctl daemon-reload
+# when:
+# - rhel_08_010672
+# tags:
+# - RHEL-08-010672
+# - systemd
+
+# - name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users."
+# lineinfile:
+# path: /etc/security/limits.conf
+# regexp: '^\*.*hard.*core'
+# line: "* hard core 0"
+# insertbefore: '# End of file'
+# when:
+# - rhel_08_010673
+# tags:
+# - RHEL-08-010673
+# - security
+# - limits
+
+# - name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps."
+# lineinfile:
+# path: /etc/systemd/coredump.conf
+# regexp: '^(S|s)torage=|#(S|s)torage='
+# line: "Storage=none"
+# when:
+# - rhel_08_010674
+# tags:
+# - RHEL-08-010674
+# - systemd
+
+# - name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces."
+# lineinfile:
+# path: /etc/systemd/coredump.conf
+# regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax='
+# line: "ProcessSizeMax=0"
+# when:
+# - rhel_08_010675
+# tags:
+# - RHEL-08-010675
+# - systemd
+
+# # NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service.
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."
+# block:
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf"
+# shell: grep "dns" /etc/nsswitch.conf | grep -v "#"
+# changed_when: no
+# failed_when: false
+# check_mode: no
+# register: rhel_08_010680_nsswitch_check
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf"
+# command: grep -c "# Generated by NetworkManager" /etc/resolv.conf
+# changed_when: no
+# failed_when: false
+# check_mode: no
+# register: rhel_08_010680_networkmanager_check
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf"
+# shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l
+# changed_when: no
+# failed_when: false
+# check_mode: no
+# register: rhel_08_010680_nameserver_count
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf"
+# shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf
+# when:
+# - "'dns' not in rhel_08_010680_nsswitch_check.stdout"
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf"
+# lineinfile:
+# dest: /etc/resolv.conf
+# regexp: "{{ item.regexp }}"
+# line: "nameserver {{ item.line }}"
+# insertafter: "{{ item.after }}"
+# with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers
+# - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search }
+# - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
+# # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
+# when:
+# - not rhel8_stig_use_resolv_template
+# - rhel_08_010680_networkmanager_check.stdout == '0'
+# - rhel_08_010680_nameserver_count.stdout | int >= 2
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf using a template when not NetworkManager controlled"
+# template:
+# src: resolv.conf.j2
+# dest: /etc/resolv.conf
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_010680_networkmanager_check.stdout == '0'
+# - rhel8_stig_use_resolv_template
+
+# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp."
+# debug:
+# msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations."
+# changed_when: true
+# when:
+# - rhel_08_010680_networkmanager_check.stdout != '0' or rhel_08_010680_nameserver_count.stdout| int < 2
+# - not rhel8_stig_use_resolv_template
+# when:
+# - rhel_08_010680
+# - not rhel8stig_system_is_chroot
+# - not rhel8stig_system_is_container
+# - not system_is_ec2
+# tags:
+# - RHEL-08-010680
+
+# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+# block:
+# - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files"
+# shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
+# with_items: "{{ rhel_08_stig_interactive_homedir_results }}"
+# register: rhel_08_010690_ini_path_grep_list
+# changed_when: no
+# failed_when: false
+
+# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+# debug:
+# msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory.
+# with_items:
+# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+
+# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+# lineinfile:
+# path: "{{ item }}"
+# regexp: "^PATH="
+# line: "{{ rhel_08_010690_user_path }}"
+# with_items:
+# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+# when:
+# - rhel_08_010690
+# - rhel8stig_disruption_high
+# - rhel8stig_change_user_path
+# tags:
+# - RHEL-08-010690
+# - complexity-high
+
+# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
+# block:
+# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories"
+# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010700_world_writable_directories
+
+# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions"
+# file:
+# path: "{{ item }}"
+# owner: root
+# with_items:
+# - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}"
+# when: rhel_08_010700_world_writable_directories.stdout | length > 0
+# when:
+# - rhel_08_010700
+# tags:
+# - RHEL-08-010700
+
+# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."
+# block:
+# - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories"
+# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010710_world_writable_directories
+
+# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions"
+# file:
+# path: "{{ item }}"
+# group: root
+# with_items:
+# - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}"
+# when: rhel_08_010710_world_writable_directories.stdout | length > 0
+# when:
+# - rhel_08_010710
+# tags:
+# - RHEL-08-010710
+
+# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."
+# block:
+# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory"
+# shell: pwck -r | grep user | cut -f2 -d"'"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010720_users_no_home_dir
+
+# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory"
+# shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}'
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010720_user_list
+
+# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list"
+# debug:
+# msg:
+# - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards"
+# - "{{ rhel_08_010720_user_list.stdout_lines }}"
+# when: rhel_08_010720_user_list.stdout | length > 0
+# when:
+# - rhel_08_010720
+# tags:
+# - RHEL-08-010720
+
+# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+# block:
+# - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+# shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd)
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010730_home_directories
+
+# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+# file:
+# path: "{{ item }}"
+# mode: 0750
+# with_items:
+# - "{{ rhel_08_010730_home_directories.stdout_lines }}"
+# when: rhel_08_010730_home_directories.stdout | length > 0
+# when:
+# - rhel_08_010730
+# tags:
+# - RHEL-08-010730
+
+# - name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."
+# file:
+# path: "{{ item.dir }}"
+# group: "{{ item.gid }}"
+# state: directory
+# with_items: "{{ rhel8stig_passwd }}"
+# loop_control:
+# label: "{{ rhel8stig_passwd_label }}"
+# when:
+# - rhel_08_010740
+# - item.uid >= rhel8stig_interactive_uid_start
+# tags:
+# - skip_ansible_lint
+# - RHEL-08-010740
+
+# - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."
+# file:
+# path: "{{ item.dir }}"
+# state: directory
+# with_items: "{{ rhel8stig_passwd }}"
+# loop_control:
+# label: "{{ rhel8stig_passwd_label }}"
+# when:
+# - rhel_08_010750
+# - item.uid >= rhel8stig_interactive_uid_start
+# tags:
+# - skip_ansible_lint
+# - RHEL-08-010750
+
+# - name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
+# lineinfile:
+# path: /etc/login.defs
+# regexp: '.*?CREATE_HOME.*'
+# line: CREATE_HOME yes
+# when:
+# - rhel_08_010760
+# tags:
+# - RHEL-08-010760
+# - login
+# - home
+
+# - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive."
+# file:
+# path: "{{ item }}"
+# mode: 0740
+# with_items:
+# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+# when:
+# - rhel_08_010770
+# - rhel8stig_disruption_high
+# - rhel_08_stig_interactive_homedir_inifiles is defined
+# tags:
+# - RHEL-08-010770
+# - complexity-high
+
+# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
+# block:
+# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
+# shell: find / -nouser
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010780_nouser_files
+
+# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
+# debug:
+# msg:
+# - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner"
+# - "{{ rhel_08_010780_nouser_files.stdout_lines }}"
+# when: rhel_08_010780_nouser_files.stdout | length > 0
+# when:
+# - rhel_08_010780
+# tags:
+# - RHEL-08-010780
+
+# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner."
+# block:
+# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files"
+# shell: find / -nogroup
+# changed_when: false
+# failed_when: false
+# register: rhel_08_010790_nogroup_files
+
+# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files"
+# debug:
+# msg:
+# - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group"
+# - "{{ rhel_08_010790_nogroup_files.stdout_lines }}"
+# when: rhel_08_010790_nogroup_files.stdout | length > 0
+# when:
+# - rhel_08_010790
+# tags:
+# - RHEL-08-010790
+
+# - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."
+# debug:
+# msg: "WARNING!!!! /home is not mounted on a separate partition"
+# changed_when:
+# - rhel8stig_audit_complex
+# when:
+# - rhel_08_010800
+# - not rhel8stig_system_is_container
+# - rhel8stig_complex
+# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0
+# tags:
+# - RHEL-08-010800
+# - complexity-high
+# - mount
+# - home
+
+# - name: "MEDIUM | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed."
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: '(?i)^#?PermitUserEnvironment'
+# line: 'PermitUserEnvironment no'
+# notify: restart sshd
+# when:
+# - rhel_08_010830
+# - rhel8stig_disruption_high
+# tags:
+# - RHEL-08-010830
+# - ssh
+# - disruption_high
+
+# - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
+# debug:
+# msg:
+# - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
+# - "To do this please run sudo chage -l account_name for the accounts you need to check"
+# - "The results will display the Account Expires information"
+# - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name'
+# when:
+# - rhel_08_020000
+# tags:
+# - RHEL-08-020000
+
+# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
+# block:
+# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020010
+# tags:
+# - RHEL-08-020010
+# - pamd
+
+# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
+# block:
+# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf"
+# lineinfile:
+# path: "/etc/security/faillock.conf"
+# regexp: '^deny =|^\# deny ='
+# line: "deny = {{ rhel8stig_pam_faillock.attempts }}"
+# when:
+# - rhel_08_020011
+# tags:
+# - RHEL-08-020011
+# - pamd
+
+# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
+# block:
+# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020012
+# tags:
+# - RHEL-08-020012
+# - pamd
+
+# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
+# block:
+# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set fail_interval in faillock.conf"
+# lineinfile:
+# path: "/etc/security/faillock.conf"
+# regexp: '^fail_interval =|^\# fail_interval ='
+# line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}"
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020013
+# tags:
+# - RHEL-08-020013
+# - pamd
+
+# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
+# block:
+# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020013
+# tags:
+# - RHEL-08-020013
+# - pamd
+
+# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+# block:
+# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf"
+# lineinfile:
+# path: "/etc/security/faillock.conf"
+# regexp: '^unlock_time =|^\# unlock_time ='
+# line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}"
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020015
+# tags:
+# - RHEL-08-020015
+# - pamd
+
+# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist."
+# block:
+# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020016
+# tags:
+# - RHEL-08-020016
+# - pamd
+
+# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist."
+# block:
+# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf"
+# lineinfile:
+# path: "/etc/security/faillock.conf"
+# regexp: '^dir =|^\# dir ='
+# line: "dir = /var/log/faillock"
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020017
+# tags:
+# - RHEL-08-020017
+# - pamd
+
+# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
+# block:
+# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020018
+# tags:
+# - RHEL-08-020018
+# - pamd
+
+# - name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
+# block:
+# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf"
+# lineinfile:
+# path: "/etc/security/faillock.conf"
+# regexp: '^silent|^\# silent'
+# line: "silent"
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020019
+# tags:
+# - RHEL-08-020019
+# - pamd
+
+# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
+# block:
+# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020020
+# tags:
+# - RHEL-08-020020
+# - pamd
+
+# - name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
+# block:
+# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf"
+# lineinfile:
+# path: "/etc/security/faillock.conf"
+# regexp: '^audit|^\# audit'
+# line: "audit"
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020021
+# tags:
+# - RHEL-08-020021
+# - pamd
+
+# - name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+# block:
+# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020022
+# tags:
+# - RHEL-08-020022
+# - pamd
+
+# - name: "MEDIUM | RHEL-020023| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+# block:
+# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so preauth'
+# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^auth required pam_faillock.so authfail'
+# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+# insertafter: '^auth'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+# lineinfile:
+# path: "/etc/pam.d/{{ item }}"
+# regexp: '^account required pam_faillock.so'
+# line: 'account required pam_faillock.so'
+# insertafter: '^account'
+# notify: restart sssd
+# with_items:
+# - system-auth
+# - password-auth
+
+# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf"
+# lineinfile:
+# path: "/etc/security/faillock.conf"
+# regexp: '^even_deny_root|^\# even_deny_root'
+# line: "even_deny_root"
+# with_items:
+# - system-auth
+# - password-auth
+# when:
+# - rhel_08_020023
+# tags:
+# - RHEL-08-020023
+# - pamd
+
+# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
+# block:
+# - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled"
+# command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020030_lock_enabled
+
+# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
+# lineinfile:
+# path: "{{ rhel_08_020030_lock_enabled.stdout }}"
+# regexp: '^lock-enabled'
+# line: lock-enabled=true
+# when: rhel_08_020030_lock_enabled.stdout | length > 0
+# notify: dconf update
+
+# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist"
+# lineinfile:
+# path: /etc/dconf/db/local.d/00-screensaver
+# create: yes
+# regexp: '^lock-enabled'
+# owner: root
+# group: root
+# mode: 0644
+# line: |
+# [org/gnome/desktop/screensaver]
+# # Set this to true to lock the screen when the screensaver activates
+# lock-enabled=true
+# when: rhel_08_020030_lock_enabled.stdout | length == 0
+# notify: dconf update
+# when:
+# - rhel_08_020030
+# - "'dconf' in ansible_facts.packages"
+# - rhel8stig_always_configure_dconf
- tags:
- - RHEL-08-020030
- - gui
-
-- name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
- block:
- - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux"
- dnf:
- name: tmux
- state: present
-
- - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux"
- lineinfile:
- path: /etc/tmux.conf
- regexp: '^set \-g'
- line: "set -g lock-command vlock"
- create: yes
- owner: root
- group: root
- mode: 0644
- when:
- - rhel_08_020040
- tags:
- - RHEL-08-020040
- - tmux
-
-- name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization."
- lineinfile:
- path: /etc/bashrc
- regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]'
- line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
- when:
- - rhel_08_020041
- tags:
- - RHEL-08-020041
- - tmux
-
-- name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."
- block:
- - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
- shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:'
- args:
- warn: no
- changed_when: false
- failed_when: false
- register: rhel_08_020050_removal_action
-
- - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
- shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'"
- changed_when: false
- failed_when: false
- register: rhel_08_020050_removal_action_file
-
- - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist"
- lineinfile:
- path: /etc/dconf/db/distro.d/20-authselect
- create: yes
- owner: root
- group: root
- mode: 0644
- line: |
- [org/gnome/settings-daemon/peripherals/smartcard]
- removal-action='lock-screen'
- when: rhel_08_020050_removal_action.stdout | length == 0
- notify: dconf update
-
- - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists"
- lineinfile:
- path: "{{ rhel_08_020050_removal_action.stdout }}"
- regexp: ^removal-action=
- line: removal-action='lock-screen'
- when: rhel_08_020050_removal_action.stdout | length > 0
- notify: dconf update
-
- - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
- lineinfile:
- path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}'
- line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
- when: rhel_08_020050_removal_action_file.stdout | length > 0
- notify: dconf update
-
- - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
- lineinfile:
- path: /etc/dconf/db/distro.d/locks/20-authselect
- create: yes
- line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
- owner: root
- group: root
- mode: 0640
- when: rhel_08_020050_removal_action_file.stdout | length == 0
- notify: dconf update
- when:
- - rhel_08_020050
- tags:
- - RHEL-08-020050
- - smartcard
-
-- name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity."
- block:
- - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter"
- shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:'
- args:
- warn: no
- changed_when: false
- failed_when: false
- register: rhel_08_020060_idle_delay_param
-
- - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist"
- lineinfile:
- path: /etc/dconf/db/local.d/00-screensaver
- create: yes
- owner: root
- group: root
- mode: 0640
- regexp: '^idle-delay'
- line: |
- [org/gnome/desktop/session]
- # Set the lock time out to 900 seconds before the session is considered idle
- idle-delay=uint32 900
- notify: dconf update
- when: rhel_08_020060_idle_delay_param.stdout | length == 0
-
- - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists"
- lineinfile:
- path: "{{ rhel_08_020060_idle_delay_param.stdout }}"
- regexp: '^idle-delay='
- line: idle-delay=uint32 900
- owner: root
- group: root
- mode: 0640
- notify: dconf update
- when: rhel_08_020060_idle_delay_param.stdout | length > 0
- when:
- - rhel_08_020060
- - "'dconf' in ansible_facts.packages"
- - rhel8stig_always_configure_dconf
+# tags:
+# - RHEL-08-020030
+# - gui
+
+# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
+# block:
+# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux"
+# dnf:
+# name: tmux
+# state: present
+
+# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux"
+# lineinfile:
+# path: /etc/tmux.conf
+# regexp: '^set \-g'
+# line: "set -g lock-command vlock"
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020040
+# tags:
+# - RHEL-08-020040
+# - tmux
+
+# - name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization."
+# lineinfile:
+# path: /etc/bashrc
+# regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]'
+# line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux'
+# when:
+# - rhel_08_020041
+# tags:
+# - RHEL-08-020041
+# - tmux
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."
+# block:
+# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
+# shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020050_removal_action
+
+# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
+# shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020050_removal_action_file
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist"
+# lineinfile:
+# path: /etc/dconf/db/distro.d/20-authselect
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# line: |
+# [org/gnome/settings-daemon/peripherals/smartcard]
+# removal-action='lock-screen'
+# when: rhel_08_020050_removal_action.stdout | length == 0
+# notify: dconf update
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists"
+# lineinfile:
+# path: "{{ rhel_08_020050_removal_action.stdout }}"
+# regexp: ^removal-action=
+# line: removal-action='lock-screen'
+# when: rhel_08_020050_removal_action.stdout | length > 0
+# notify: dconf update
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
+# lineinfile:
+# path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}'
+# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
+# when: rhel_08_020050_removal_action_file.stdout | length > 0
+# notify: dconf update
+
+# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
+# lineinfile:
+# path: /etc/dconf/db/distro.d/locks/20-authselect
+# create: yes
+# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
+# owner: root
+# group: root
+# mode: 0640
+# when: rhel_08_020050_removal_action_file.stdout | length == 0
+# notify: dconf update
+# when:
+# - rhel_08_020050
+# tags:
+# - RHEL-08-020050
+# - smartcard
+
+# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity."
+# block:
+# - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter"
+# shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:'
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020060_idle_delay_param
+
+# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist"
+# lineinfile:
+# path: /etc/dconf/db/local.d/00-screensaver
+# create: yes
+# owner: root
+# group: root
+# mode: 0640
+# regexp: '^idle-delay'
+# line: |
+# [org/gnome/desktop/session]
+# # Set the lock time out to 900 seconds before the session is considered idle
+# idle-delay=uint32 900
+# notify: dconf update
+# when: rhel_08_020060_idle_delay_param.stdout | length == 0
+
+# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists"
+# lineinfile:
+# path: "{{ rhel_08_020060_idle_delay_param.stdout }}"
+# regexp: '^idle-delay='
+# line: idle-delay=uint32 900
+# owner: root
+# group: root
+# mode: 0640
+# notify: dconf update
+# when: rhel_08_020060_idle_delay_param.stdout | length > 0
+# when:
+# - rhel_08_020060
+# - "'dconf' in ansible_facts.packages"
+# - rhel8stig_always_configure_dconf
- tags:
- - RHEL-08-020060
- - gui
-
-- name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity."
- lineinfile:
- path: /etc/tmux.conf
- regexp: '^set -g lock-after-time'
- line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
- owner: root
- group: root
- mode: 0644
- when:
- - rhel_08_020070
- tags:
- - RHEL-08-020070
- - tmux
-
-- name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings."
- lineinfile:
- path: /etc/dconf/db/local.d/locks/session
- create: yes
- line: "{{ item }}"
- owner: root
- group: root
- mode: 0640
- with_items:
- - /org/gnome/desktop/session/idle-delay
- - /org/gnome/desktop/screensaver/lock-enabled
- - /org/gnome/desktop/screensaver/lock-delay
- - /org/gnome/settings-daemon/plugins/media-keys/logout
- - /org/gnome/login-screen/disable-user-list
- - /org/gnome/login-screen/banner-message-text
- - /org/gnome/login-screen/banner-message-enable
- - /org/gnome/desktop/lockdown/disable-lock-screen
- when:
- - rhel_08_020080
- - "'dconf' in ansible_facts.packages"
- - rhel8stig_always_configure_dconf
- tags:
- - RHEL-08-020080
-
-- name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
- lineinfile:
- path: "{{ rhel8stig_sssd_conf }}"
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- owner: root
- group: root
- mode: 0640
- with_items:
- - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
- - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
- - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' }
- - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' }
- notify: restart sssd
- when:
- - "'sssd' in ansible_facts.packages"
- - rhel8stig_sssd_conf_present.stat.exists
- - rhel_08_020090
- tags:
- - RHEL-08-020090
-
-- name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled."
- lineinfile:
- path: "{{ item.path }}"
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- insertafter: '^password'
- owner: root
- group: root
- mode: 0640
- with_items:
- - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
- - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
- when:
- - rhel_08_020100
- tags:
- - RHEL-08-020100
-
-- name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used."
- lineinfile:
- path: /etc/security/pwquality.conf
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: '^#?\s*ucredit'
- line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}"
- when:
- - rhel_08_020110
- tags:
- - RHEL-08-020110
- - pwquality
-
-- name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."
- lineinfile:
- path: /etc/security/pwquality.conf
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: '^#?\s*lcredit'
- line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}"
- when:
- - rhel_08_020120
- tags:
- - RHEL-08-020120
- - pwquality
-
-- name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."
- lineinfile:
- path: /etc/security/pwquality.conf
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: '^#?\s*dcredit'
- line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}"
- when:
- - rhel_08_020130
- tags:
- - RHEL-08-020130
- - pwquality
-
-- name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."
- lineinfile:
- path: /etc/security/pwquality.conf
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: '^#?\s*maxclassrepeat'
- line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}"
- when:
- - rhel_08_020140
- tags:
- - RHEL-08-020140
- - pwquality
-
-- name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."
- lineinfile:
- path: /etc/security/pwquality.conf
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: '^#?\s*maxrepeat'
- line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}"
- when:
- - rhel_08_020150
- tags:
- - RHEL-08-020150
- - pwquality
-
-- name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed."
- lineinfile:
- path: /etc/security/pwquality.conf
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: '^#?\s*minclass'
- line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}"
- when:
- - rhel_08_020160
- tags:
- - RHEL-08-020160
- - pwquality
-
-- name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed."
- lineinfile:
- path: /etc/security/pwquality.conf
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: '^#?\s*difok'
- line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}"
- when:
- - rhel_08_020170
- tags:
- - RHEL-08-020170
- - pwquality
-
-- name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."
- block:
- - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Get list of users"
- command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
- changed_when: false
- failed_when: false
- register: rhel_08_020180_users
-
- - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction"
- command: chage -m 1 {{ item }}
- with_items: "{{ rhel_08_020180_users.stdout_lines }}"
- when:
- - rhel_08_020180
- tags:
- - RHEL8-08-020180
- - password
-
-- name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."
- lineinfile:
- path: /etc/login.defs
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: ^#?PASS_MIN_DAYS
- line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}"
- when:
- - rhel_08_020190
- tags:
- - RHEL-08-020190
- - login
-
-- name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction."
- lineinfile:
- path: /etc/login.defs
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: ^#?PASS_MAX_DAYS
- line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}"
- when:
- - rhel_08_020200
- tags:
- - RHEL-08-020200
- - login
-
-- name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
- block:
- - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users"
- command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
- check_mode: no
- changed_when: rhel_08_020210_users.stdout | length > 0
- register: rhel_08_020210_users
-
- - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user."
- command: chage -d '-1 day' {{ item }}
- check_mode: "{{ rhel8stig_disruptive_check_mode }}"
- with_items: "{{ rhel_08_020210_users.stdout_lines }}"
-
- - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime"
- command: chage -M 60 {{ item }}
- check_mode: "{{ rhel8stig_disruptive_check_mode }}"
- with_items: "{{ rhel_08_020210_users.stdout_lines }}"
- when:
- - rhel_08_020210
- - rhel8stig_disruption_high
- tags:
- - RHEL-08-020210
- - disruption-high
- - password
-
-- name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations."
- block:
- - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists"
- pamd:
- name: "{{ item }}"
- state: before
- type: password
- control: sufficient
- module_path: pam_unix.so
- new_type: password
- new_control: required
- new_module_path: pam_pwhistory.so
- with_items:
- - "system-auth"
- - "password-auth"
-
- # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent
- - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Check for existing password history reuse settings"
- command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}"
- check_mode: no
- changed_when: no
- failed_when: rhel_08_020220_pw_hist_settings.rc > 1
- register: rhel_08_020220_pw_hist_settings
- with_items:
- - "system-auth"
- - "password-auth"
-
- # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following.
- - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set"
- pamd:
- name: "{{ item.item }}"
- state: updated
- type: password
- control: required
- module_path: pam_pwhistory.so
- module_arguments:
- - use_authtok
- - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}
- - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}
- with_items: "{{ rhel_08_020220_pw_hist_settings.results }}"
- when: item.rc == 1
- when:
- - rhel_08_020220
- tags:
- - RHEL-08-020220
- - pamd
-
-- name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters."
- lineinfile:
- path: /etc/security/pwquality.conf
- create: yes
- owner: root
- group: root
- mode: 0644
- regexp: '^#?\s*minlen'
- line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}"
- when:
- - rhel_08_020230
- tags:
- - RHEL-08-020230
- - pwquality
-
-- name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters."
- lineinfile: - path: /etc/login.defs - regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN' - line: "PASS_MIN_LEN 15" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020231 - tags: - - RHEL-08-020231 - - passwords - -- name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." - block: - - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users" - command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd - changed_when: false - failed_when: false - register: rhel_08_020240_duplicate_uid_users - - - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" - debug: - msg: - - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" - - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" - when: - - rhel_08_020240 - tags: - - RHEL-08-020240 - -- name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts." - block: - - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth" - shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth - changed_when: false - failed_when: false - register: rhel_08_020250_sc_auth_sss - - - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Find pam_sss.so in system-auth" - shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth - changed_when: false - failed_when: false - register: rhel_08_020250_system_auth_sss - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf" - lineinfile: - path: "{{ rhel8stig_sssd_conf }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - owner: root - group: root - mode: 0640 - notify: restart sssd - with_items: - - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' } - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth" - lineinfile: - path: /etc/pam.d/smartcard-auth - line: auth sufficient pam_sss.so try_cert_auth - owner: root - group: root - mode: 0644 - notify: restart sssd - when: rhel_08_020250_sc_auth_sss.stdout | length == 0 - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth" - pamd: - name: /etc/pam.d/smartcard-auth - state: updated - type: auth - control: sufficient - module_path: pam_sss.so - module_arguments: 'try_cert_auth' - notify: restart sssd - when: rhel_08_020250_sc_auth_sss.stdout | length > 0 - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_sss.so if doesn't exist in system-auth" - pamd: - name: /etc/pam.d/system-auth - state: after - type: auth - control: required - module_path: pam_env.so - new_type: auth - new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' - new_module_path: pam_sss.so - module_arguments: try_cert_auth - notify: restart sssd - when: rhel_08_020250_system_auth_sss.stdout | length == 0 - - - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth" - pamd: - name: /etc/pam.d/system-auth - state: updated - type: auth - control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' - module_path: pam_env.so - module_arguments: try_cert_auth - notify: restart sssd - when: rhel_08_020250_system_auth_sss.stdout | length > 0 - when: - - "'sssd' in ansible_facts.packages" - - rhel8stig_sssd_conf_present.stat.exists - - rhel_08_020250 - tags: - - RHEL-08-020250 - - pamd - -- name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity." - command: useradd -D -f 35 - when: - - rhel_08_020260 - tags: - - RHEL-08-020260 - - useradd - -- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - block: - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" - changed_when: false - failed_when: false - register: rhel_08_020270_system_users - - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." 
- debug: - msg: - - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" - - "{{ rhel_08_020270_system_users.stdout_lines }}" - when: - - rhel_08_020270 - tags: - - RHEL-08-020270 - -- name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*ocredit' - line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020280 - tags: - - RHEL-08-020280 - - pwquality - -- name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." - lineinfile: - path: "{{ rhel8stig_sssd_conf }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - owner: root - group: root - mode: 0640 - with_items: - - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } - when: - - "'sssd' in ansible_facts.packages" - - rhel8stig_sssd_conf_present.stat.exists - - rhel_08_020290 - tags: - - RHEL-08-020290 - - sssd - -- name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - regexp: '^#?\s*dictcheck' - line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020300 - tags: - - RHEL-08-020300 - - pwquality - -- name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." 
- lineinfile: - dest: /etc/login.defs - regexp: ^#?FAIL_DELAY - line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020310 - tags: - - RHEL-08-020310 - - login - -- name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts." - block: - - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts" - command: "grep '^{{ item }}:' /etc/passwd" - check_mode: no - failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1 - changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0 - register: rhel_08_020320_unnecessary_accounts_found - with_items: "{{ rhel8stig_unnecessary_accounts }}" - - - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts" - user: - name: "{{ item }}" - state: absent - remove: "{{ rhel8stig_remove_unnecessary_user_files }}" - register: rhel_08_020320_accounts_removed - with_items: "{{ rhel8stig_unnecessary_accounts }}" - - - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" - include_tasks: parse_etc_passwd.yml - vars: - rhel8stig_passwd_tasks: "RHEL-08-020320" - when: rhel_08_020320_accounts_removed is changed - when: - - rhel_08_020320 - tags: - - RHEL-08-020320 - -- name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." - lineinfile: - dest: /etc/ssh/sshd_config - regexp: '(?i)^#?PrintLastLog' - line: 'PrintLastLog yes' - validate: /usr/sbin/sshd -t -f %s - owner: root - group: root - mode: 0644 - notify: restart sshd - when: - - rhel_08_020350 - - rhel8stig_ssh_required - tags: - - RHEL-08-020350 - - ssh - -- name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." 
- lineinfile: - path: /etc/login.defs - regexp: ^#?UMASK.* - line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_020351 - tags: - - RHEL-08-020351 - -- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts." - block: - - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files" - find: - paths: /home - patterns: '^\.' - contains: 'umask' - recurse: yes - hidden: yes - use_regex: yes - register: rhel8stig_020352_files - - - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param" - lineinfile: - path: "{{ item.path }}" - regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})" - state: absent - with_items: - - "{{ rhel8stig_020352_files.files }}" - when: rhel8stig_020352_files.matched > 0 - when: - - rhel_08_020352 - tags: - - RHEL-08-020352 - - umask - -- name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells." - replace: - path: "{{ item }}" - regexp: 'umask\s\d\d\d' - replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}" - with_items: - - /etc/bashrc - - /etc/csh.cshrc - when: - - rhel_08_020353 - tags: - - RHEL-08-020353 - - umask - -- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' } - - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' } - - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' } - - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' } - notify: restart auditd - when: - - rhel_08_030000 - tags: - - RHEL-08-030000 - - auditd - -- name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8." - lineinfile: - path: /etc/rsyslog.conf - regexp: '^cron.*' - line: 'cron.* /var/log/cron' - when: - - rhel_08_030010 - tags: - - RHEL-08-030010 - - cron - -- name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^action_mail_acct =' - line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}" - register: rhel_08_030020_action_mail_acct_result - failed_when: - - rhel_08_030020_action_mail_acct_result is failed - - rhel_08_030020_action_mail_acct_result.rc != 257 - when: - - rhel_08_030020 - tags: - - RHEL-08-030020 - - auditd - -- name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure." 
- lineinfile: - path: /etc/aliases - regexp: '^postmaster:' - line: 'postmaster: root' - when: - - rhel_08_030030 - tags: - - RHEL-08-030030 - - aliases - -- name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^disk_error_action =' - line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}" - when: - - rhel_08_030040 - tags: - - RHEL-08-030040 - - auditd - -- name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^max_log_file_action =' - line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" - when: - - rhel_08_030050 - tags: - - RHEL-08-030050 - - auditd - -- name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^disk_full_action =' - line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}" - owner: root - group: root - mode: 0644 - when: - - rhel_08_030060 - tags: - - RHEL-08-030060 - - auditd - -- name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^local_events =' - line: "local_events = yes" - owner: root - group: root - mode: 0644 - when: - - rhel_08_030061 - tags: - - RHEL-08-030061 - - auditd - -- name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server." 
- lineinfile: - path: /etc/audit/auditd.conf - regexp: '^name_format =' - line: "name_format = hostname" - notify: restart auditd - when: - - rhel_08_030062 - tags: - - RHEL-08-030062 - - auditd - -- name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^log_group =' - line: "log_group = root" - mode: 0600 - when: - - rhel_08_030070 - tags: - - RHEL-08-030070 - -- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " - changed_when: false - failed_when: false - register: rhel8stig_030080_audit_log_file - - - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner" - file: - path: "{{ rhel8stig_030080_audit_log_file.stdout }}" - owner: root - when: rhel8stig_030080_audit_log_file.stdout | length > 0 - when: - - rhel_08_030080 - tags: - - RHEL-08-030080 - -- name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group" - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^log_group' - line: "log_group = root" - when: - - rhel_08_030090 - tags: - - RHEL-08-030090 - -- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. 
| Get audit log directory" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - changed_when: false - failed_when: false - register: rhel_08_030100_audit_log_dir - - - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner" - file: - path: "{{ rhel_08_030100_audit_log_dir.stdout }}" - owner: root - state: directory - when: rhel_08_030100_audit_log_dir.stdout | length > 0 - tags: - - skip_ansible_lint - when: - - rhel_08_030100 - tags: - - RHEL-08-030100 - -- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - args: - warn: no - changed_when: false - failed_when: false - register: rhel_08_030110_audit_log_dir - - - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group" - file: - path: "{{ rhel_08_030110_audit_log_dir.stdout }}" - group: root - state: directory - when: rhel_08_030110_audit_log_dir.stdout | length > 0 - tags: - - skip_ansible_lint - when: - - rhel_08_030110 - tags: - - skip_ansible_lint - - RHEL-08-030110 - -- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access." - block: - - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. 
| Get audit log directory" - shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - changed_when: false - failed_when: false - register: rhel_08_030120_audit_log_dir - - - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms" - file: - path: "{{ rhel_08_030120_audit_log_dir.stdout }}" - mode: 0700 - state: directory - when: rhel_08_030120_audit_log_dir.stdout | length > 0 - when: - - rhel_08_030120 - tags: - - RHEL-08-030120 - -- name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-e ' - line: "-e 2" - when: - - rhel_08_030121 - tags: - - RHEL-08-030121 - - auditd - -- name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^--loginuid-' - line: "--loginuid-immutable" - when: - - rhel_08_030122 - tags: - - RHEL-08-030122 - - auditd - -- name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/shadow' - line: '-w /etc/shadow -p wa -k identity' - notify: restart auditd - when: - - rhel_08_030130 - tags: - - RHEL-08-030130 - - auditd - -- name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/security/opasswd' - line: -w /etc/security/opasswd -p wa -k identity - notify: restart auditd - when: - - rhel_08_030140 - tags: - - RHEL-08-030140 - - auditd - -- name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/passwd' - line: -w /etc/passwd -p wa -k identity - notify: restart auditd - when: - - rhel_08_030150 - tags: - - RHEL-08-030150 - - auditd - -- name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/gshadow' - line: -w /etc/gshadow -p wa -k identity - notify: restart auditd - when: - - rhel_08_030160 - tags: - - RHEL-08-030160 - - auditd - -- name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/group' - line: -w /etc/group -p wa -k identity - notify: restart auditd - when: - - rhel_08_030170 - tags: - - RHEL-08-030170 - - auditd - -- name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/sudoers ' - line: -w /etc/sudoers -p wa -k identity - notify: restart auditd - when: - - rhel_08_030171 - tags: - - RHEL-08-030171 - - auditd - -- name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-w /etc/sudoers.d/' - line: -w /etc/sudoers.d/ -p wa -k identity - notify: restart auditd - when: - - rhel_08_030172 - tags: - - RHEL-08-030172 - - auditd - -- name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." - block: - - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit" - dnf: - name: audit - state: present - - - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service" - service: - name: auditd - enabled: yes - state: started - when: - - rhel_08_030180 - tags: - - rhel_08_030180 - - dnf - - auditd - -- name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' - line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' - notify: restart auditd - when: - - rhel_08_030190 - tags: - - RHEL-08-030190 - - auditd - -- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030200 - tags: - - RHEL-08-030200 - - auditd - -- name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030210 - tags: - - RHEL-08-030210 - - auditd - -- name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030220 - tags: - - RHEL-08-030220 - - auditd - -- name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030230 - tags: - - RHEL-08-030230 - - auditd - -- name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030240 - tags: - - RHEL-08-030240 - - auditd - -- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage - notify: restart auditd - when: - - rhel_08_030250 - tags: - - RHEL-08-030250 - - auditd - -- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030260 - tags: - - RHEL-08-030260 - - auditd - -- name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod - - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod - notify: restart auditd - when: - - rhel_08_030270 - tags: - - RHEL-08-030270 - - auditd - -- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh - notify: restart auditd - when: - - rhel_08_030280 - tags: - - RHEL-08-030280 - - auditd - -- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd - notify: restart auditd - when: - - rhel_08_030290 - tags: - - RHEL-08-030290 - - auditd - -- name: | - "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record." - "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - notify: restart auditd - when: - - rhel_08_030300 or - rhel_08_030302 - tags: - - RHEL-08-030300 - - RHEL-08-030302 - - auditd - -- name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount - notify: restart auditd - when: - - rhel_08_030301 - tags: - - RHEL-08-030301 - - auditd - -- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030310 - tags: - - RHEL-08-030310 - - auditd - -- name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030311 - tags: - - RHEL-08-030311 - - auditd - -- name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030312 - tags: - - RHEL-08-030312 - - auditd - -- name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030313 - tags: - - RHEL-08-030313 - - auditd - -- name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030314 - tags: - - RHEL-08-030314 - - auditd - -- name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030315 - tags: - - RHEL-08-030315 - - auditd - -- name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030316 - tags: - - RHEL-08-030316 - - auditd - -- name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update - notify: restart auditd - when: - - rhel_08_030317 - tags: - - RHEL-08-030317 - - auditd - -- name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh - notify: restart auditd - when: - - rhel_08_030320 - tags: - - RHEL-08-030320 - - auditd - -- name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030330 - tags: - - RHEL-08-030330 - - auditd - -- name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check - notify: restart auditd - when: - - rhel_08_030340 - tags: - - RHEL-08-030340 - - auditd - -- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd - notify: restart auditd - when: - - rhel_08_030350 - tags: - - RHEL-08-030350 - - auditd - -- name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030360 - tags: - - RHEL-08-030360 - - auditd - -- name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030361 - tags: - - RHEL-08-030361 - - auditd - -- name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030362 - tags: - - RHEL-08-030362 - - auditd - -- name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030363 - tags: - - RHEL-08-030363 - - auditd - -- name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030364 - tags: - - RHEL-08-030364 - - auditd - -- name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete - notify: restart auditd - when: - - rhel_08_030365 - tags: - - RHEL-08-030365 - - auditd - -- name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd - notify: restart auditd - when: - - rhel_08_030370 - tags: - - RHEL-08-030370 - - auditd - -- name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030380 - tags: - - RHEL-08-030380 - - auditd - -- name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng - notify: restart auditd - when: - - rhel_08_030390 - tags: - - RHEL-08-030390 - - auditd - -- name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab - notify: restart auditd - when: - - rhel_08_030400 - tags: - - RHEL-08-030400 - - auditd - -- name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd - notify: restart auditd - when: - - rhel_08_030410 - tags: - - RHEL-08-030410 - - auditd - -- name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030420 - tags: - - RHEL-08-030420 - - auditd - -- name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030430 - tags: - - RHEL-08-030430 - - auditd - -- name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030440 - tags: - - RHEL-08-030440 - - auditd - -- name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030450 - tags: - - RHEL-08-030450 - - auditd - -- name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030460 - tags: - - RHEL-08-030460 - - auditd - -- name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access - notify: restart auditd - when: - - rhel_08_030470 - tags: - - RHEL-08-030470 - - auditd - -- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030480 - tags: - - RHEL-08-030480 - - auditd - -- name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030490 - tags: - - RHEL-08-030490 - - auditd - -- name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030500 - tags: - - RHEL-08-030500 - - auditd - -- name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030510 - tags: - - RHEL-08-030510 - - auditd - -- name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - notify: restart auditd - when: - - rhel_08_030520 - tags: - - RHEL-08-030520 - - auditd - -- name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030530 - tags: - - RHEL-08-030530 - - auditd - -- name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030540 - tags: - - RHEL-08-030540 - - auditd - -- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd - notify: restart auditd - when: - - rhel_08_030550 - tags: - - RHEL-08-030550 - - auditd - -- name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod - notify: restart auditd - when: - - rhel_08_030560 - tags: - - RHEL-08-030560 - - auditd - -- name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng - notify: restart auditd - when: - - rhel_08_030570 - tags: - - RHEL-08-030570 - - auditd - -- name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules - notify: restart auditd - when: - - rhel_08_030580 - tags: - - RHEL-08-030580 - - auditd - -- name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -w /var/log/faillock -p wa -k logins - notify: restart auditd - when: - - rhel_08_030590 - tags: - - RHEL-08-030590 - - auditd - -- name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -w /var/log/lastlog -p wa -k logins - notify: restart auditd - when: - - rhel_08_030600 - tags: - - RHEL-08-030600 - - auditd - -- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." - file: - path: "{{ item }}" - mode: 0640 - with_items: - - /etc/audit/rules.d/audit.rules - - /etc/audit/auditd.conf - when: - - rhel_08_030610 - tags: - - RHEL-08-030610 - - permissions - -- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive." - block: - - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms" - shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" " - changed_when: false - failed_when: false - register: rhel_08_030620_tools - - - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. 
| Set permissions to 755 on tools" - file: - path: "{{ item }}" - mode: 0755 - with_items: - - "{{ rhel_08_030620_tools.stdout_lines }}" - when: - - rhel_08_030620 - tags: - - RHEL-08-030620 - - permissions - -- name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root." - file: - path: "{{ item }}" - owner: root - with_items: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/audisp-remote - - /sbin/audisp-syslog - - /sbin/augenrules - when: - - rhel_08_030630 - tags: - - RHEL-08-030630 - - permissions - -- name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root." - file: - path: "{{ item }}" - owner: root - with_items: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/audisp-remote - - /sbin/audisp-syslog - - /sbin/augenrules - when: - - rhel_08_030640 - tags: - - RHEL-08-030640 - - permissions - -- name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools." - lineinfile: - path: /etc/aide.conf - line: "{{ item }}" - owner: root - group: root - mode: 0600 - with_items: - - "# Audit Tools" - - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - when: - - rhel_08_030650 - tags: - - RHEL-08-030650 - - aide - -- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility." 
- block: - - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition" - shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|' - changed_when: false - failed_when: false - register: rhel_08_030660_audit_log_path - - - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition" - shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}" - changed_when: false - failed_when: false - register: rhel_08_030660_audit_log_partition - - - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size" - debug: - msg: - - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition" - - "Path: {{ rhel_08_030660_audit_log_path.stdout }}" - - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}" - when: - - rhel_08_030660 - tags: - - RHEL-08-030660 - -- name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed." - dnf: - name: rsyslog - state: present - when: - - rhel_08_030670 - tags: - - RHEL-08-030670 - - rsyslog - -- name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed." 
- dnf: - name: gnutls - state: present - when: - - rhel_08_030680 - tags: - - RHEL-08-030680 - - gnutls - -- name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited." - lineinfile: - path: /etc/rsyslog.conf - regexp: '^.*\@\@' - line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" - when: - - rhel_08_030690 - tags: - - RHEL-08-030690 - - auditd - -- name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^overflow_action =' - line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}' - notify: restart auditd - when: - - rhel_08_030700 - tags: - - RHEL-08-030700 - - auditd - -- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." - lineinfile: - path: /etc/rsyslog.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' } - - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' } - when: - - rhel_08_030710 - tags: - - RHEL-08-030710 - - auditd - -- name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs." 
- lineinfile: - path: /etc/rsyslog.conf - regexp: '^\$ActionSendStreamDriverAuthMode' - line: "$ActionSendStreamDriverAuthMode x509/name" - notify: restart auditd - when: - - rhel_08_030720 - tags: - - rhel_08_030720 - - auditd - -- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." - lineinfile: - path: /etc/audit/auditd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^space_left =', line: 'space_left = 25%' } - - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' } - when: - - rhel_08_030730 - tags: - - RHEL-08-030730 - - auditd - -- name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - lineinfile: - path: /etc/chrony.conf - regexp: '^server' - line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16' - notify: restart {{ rhel8stig_time_service }} - when: - - rhel_08_030740 - tags: - - RHEL-08-030740 - - chronyd - -- name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed." - shell: dnf remove abrt* - failed_when: false - args: - warn: false - when: - - rhel_08_040001 - tags: - - RHEL-08-040001 - - dnf - - abrt - -- name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed." 
- dnf: - name: sendmail - state: absent - when: - - rhel_08_040002 - tags: - - RHEL-08-040002 - - dnf - - sendmail - -- name: | - "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed." - "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." - dnf: - name: gssproxy - state: absent - when: - - rhel_08_040003 or - rhel_08_040370 - tags: - - RHEL-08-040003 - - RHEL-08-040370 - - dnf - - gssproxy - -- name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use." - lineinfile: - path: /etc/modprobe.d/blacklist.conf - create: yes - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - owner: root - group: root - mode: 0640 - insertafter: "{{ item.insertafter }}" - notify: reboot system - with_items: - - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } - - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } - when: - - rhel_08_040020 - tags: - - RHEL-08-040020 - - camera - -- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." - block: - - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block" - block: - - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using firewalld"
- shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
- register: rhel8stig_PPSM_CLSA_check_firewalld
- changed_when: false
- failed_when: false
- check_mode: no
- when:
- - rhel_08_040030
- tags:
- - RHEL-08-040030
- - firewall
-
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
- debug:
- msg:
- - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
- - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}"
- changed_when: true
- when:
- - rhel_08_040030
- - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined
- tags:
- - RHEL-08-040030
- - firewall
- when:
- - rhel_08_040030
- - not rhel8stig_system_is_chroot
- - not rhel8stig_system_is_container
- - rhel8stig_firewall_service == "firewalld"
- - rhel8stig_start_firewall_service
- tags:
- - RHEL-08-040030
- - firewall
-
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block"
- block:
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using iptables"
- shell: iptables-save | grep -i accept | grep -i input
- register: rhel8stig_PPSM_CLSA_check_iptables
- changed_when: false
- failed_when: false
- check_mode: no
- when: rhel_08_040030
- tags:
- - RHEL-08-040030
- - firewall
-
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
- debug:
- msg:
- - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}."
- - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}"
- changed_when: true
- when:
- - rhel_08_040030
- - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined
- tags:
- - RHEL-08-040030
- - firewall
- when:
- - rhel_08_040030
- - not rhel8stig_system_is_chroot
- - not rhel8stig_system_is_container
- - rhel8stig_firewall_service == "iptables"
- - rhel8stig_start_firewall_service
- tags:
- - RHEL-08-040030
- - firewall
-
- - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use"
- debug:
- msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
- changed_when: true
- when:
- - rhel_08_040030
- - not rhel8stig_start_firewall_service
- tags:
- - RHEL-08-040030
- - firewall
- when:
- - rhel_08_040030
- - not rhel8stig_system_is_chroot
- - not rhel8stig_system_is_container
- - rhel8stig_disruptive
- tags:
- - RHEL-08-040030
- - firewall
-
-- name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required."
- block:
- - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error"
- shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
- changed_when: false
- failed_when: false
- register: rhel_08_040070_autofs_status
-
- - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists"
- service:
- name: autofs
- state: stopped
- enabled: no
- when: rhel_08_040070_autofs_status.stdout == "loaded"
- when:
- - rhel_08_040070
- tags:
- - RHEL-08-040070
- - autofs
-
-- name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage."
- lineinfile:
- path: "{{ item.path }}"
- create: yes
- owner: root
- group: root
- mode: 0640
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- insertafter: "{{ item.insertafter }}"
- with_items:
- - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' }
- - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'}
- when:
- - rhel_08_040080
- tags:
- - RHEL-08-040080
- - usb_devices
-
-- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
- block:
- - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. 
| Install firewalld"
- dnf:
- name: firewalld
- state: present
- when: rhel8stig_firewall_service == "firewalld"
-
- - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
- dnf:
- name: iptables-services
- state: present
- when: rhel8stig_firewall_service == "iptables"
-
- - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
- service:
- name: "{{ rhel8stig_firewall_service }}"
- state: started
- enabled: yes
- when:
- - rhel_08_040100
- tags:
- - RHEL-08-040100
- - firewall
- - "{{ rhel8stig_firewall_service }}"
-
-- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
- block:
- - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
- firewalld:
- zone: "{{ rhel8stig_custom_firewall_zone }}"
- permanent: true
- state: present
-
- - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh"
- firewalld:
- zone: "{{ rhel8stig_custom_firewall_zone }}"
- permanent: true
- state: enabled
- service: "{{ item }}"
- with_items:
- - "{{ rhel8stig_white_list_services }}"
-
- - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
- command: firewall-cmd --reload
- changed_when: rhel_08_040090_zone_reload.rc == 0
- failed_when: rhel_08_040090_zone_reload.rc >= 2
- register: rhel_08_040090_zone_reload
-
- - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Set new zone as default"
- command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
- changed_when: rhel_08_040090_default_zone_set.rc == 0
- failed_when: rhel_08_040090_default_zone_set.rc >= 2
- register: rhel_08_040090_default_zone_set
- when:
- - rhel_08_040090
- tags:
- - RHEL-08-040090
- - firewall
-
-- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
- block:
- - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
- command: rpm -q NetworkManager
- args:
- warn: no
- check_mode: no
- changed_when: no
- register: rhel_08_nmcli_available
- failed_when: no
-
- - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
- command: nmcli radio wifi
- args:
- warn: no
- register: rhel_08_wifi_enabled
- check_mode: no
- changed_when: rhel_08_wifi_enabled.stdout != "disabled"
- when: rhel_08_nmcli_available.rc == 0
-
- - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
- command: nmcli radio wifi off
- when: rhel_08_wifi_enabled is changed
- when:
- - rhel_08_040110
- tags:
- - RHEL-08-040110
- - wifi
-
-- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled."
- lineinfile:
- path: /etc/modprobe.d/bluetooth.conf
- regexp: '^install bluetooth '
- line: "install bluetooth /bin/true"
- create: yes
- owner: root
- group: root
- mode: 0640
- notify: reboot system
- when:
- - rhel_08_040111
- tags:
- - RHEL-08-040111
- - bluetooth
-
-- name: |
- "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
- "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
- "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
- block:
- - name: |
- "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option."
- "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option."
- "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option."
- shell: mount | grep /dev/shm
- args:
- warn: no
- changed_when: false
- failed_when: false
- register: rhel8stig_040120_dev_shm_status
-
- - name: |
- "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
- "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
- "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
- mount:
- path: /dev/shm
- state: mounted
- src: tmpfs
- fstype: tmpfs
- opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}"
- when: rhel8stig_040120_dev_shm_status.stdout | length > 0
- when:
- - rhel_08_040120 or
- rhel_08_040121 or
- rhel_08_040122
- tags:
- - RHEL-08-040120
- - RHEL-08-040121
- - RHEL-08-040122
- - mounts
-
-- name: |
- "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
- "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
- "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
- block:
- - name: |
- "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option."
- "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option."
- "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option."
- shell: mount | grep /tmp
- changed_when: false
- failed_when: false
- register: rhel8stig_040123_dev_status
-
- - name: |
- "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
- "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
- "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
- mount:
- path: /tmp
- state: mounted
- src: "{{ tmp_mount.device }}"
- fstype: xfs
- opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}"
- vars:
- tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}"
- when: rhel8stig_040123_dev_status.stdout | length > 0
-
- when:
- - rhel_08_040123 or
- rhel_08_040124 or
- rhel_08_040125
- tags:
- - RHEL-08-040123
- - RHEL-08-040124
- - RHEL-08-04125
- - mounts
-
-- name: |
- "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
- "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
- "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
- block:
- - name: |
- "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
- "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
- "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
- shell: mount | grep /var/log
- changed_when: false
- failed_when: false
- register: rhel8stig_040126_var_log_status
-
- - name: |
- "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
- "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
- "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
- mount:
- path: /var/log
- state: mounted
- src: "{{ var_log_mount.device }}"
- fstype: xfs
- opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}"
- vars:
- var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}"
- when: rhel8stig_040126_var_log_status.stdout | length > 0
- when:
- - rhel_08_040126 or
- rhel_08_040127 or
- rhel_08_040128
- tags:
- - RHEL-08-040126
- - RHEL-08-040127
- - RHEL-08-040128
- - mounts
-
-- name: |
- "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
- "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
- "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
- block:
- - name: |
- "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option."
- "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option."
- "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option."
- shell: mount | grep /var/log/audit
- changed_when: false
- failed_when: false
- register: rhel8stig_040129_var_log_audit_status
-
- - name: |
- "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
- "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
- "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
- mount:
- path: /var/log/audit
- state: mounted
- src: "{{ audit_mount.device }}"
- fstype: xfs
- opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}"
- vars:
- audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}"
- when: rhel8stig_040129_var_log_audit_status.stdout | length > 0
- when:
- - rhel_08_040129 or
- rhel_08_040130 or
- rhel_08_040131
- tags:
- - RHEL-08-040129
- - RHEL-08-040130
- - RHEL-08-040131
- - mounts
-
-- name: |
- "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
- "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
- "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
- block:
- - name: |
- "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option"
- "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option."
- "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option."
- shell: mount | grep /var/tmp
- changed_when: false
- failed_when: false
- register: rhel8stig_040132_var_tmp_status
-
- - name: |
- "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
- "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
- "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
- mount:
- path: /var/tmp
- state: mounted
- src: "{{ var_tmp_mount.device }}"
- fstype: xfs
- opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}"
- vars:
- var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}"
- when: rhel8stig_040132_var_tmp_status.stdout | length > 0
- when:
- - rhel_08_040132 or
- rhel_08_040133 or
- rhel_08_040134
- tags:
- - RHEL-08-040132
- - RHEL-08-040133
- - RHEL-08-040134
- - mounts
-
-- name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
- block:
- - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy"
- dnf:
- name: fapolicyd
- state: present
-
- - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts"
- shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
- changed_when: false
- failed_when: false
-
- - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy"
- service:
- name: fapolicyd
- state: started
- enabled: yes
-
- - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy whitelist "
- lineinfile:
- path: /etc/fapolicyd/fapolicyd.rules
- line: "{{ item }}"
- with_items:
- - "{{ rhel8stig_fapolicy_white_list }}"
-
- - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0"
- lineinfile:
- path: /etc/fapolicyd/fapolicyd.conf
- regexp: '^permissive ='
- line: 'permissive = 0'
- when:
- - rhel_08_040135
- tags:
- - RHEL-08-040135
- - fapolicyd
-
-- name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection."
- block:
- - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard"
- dnf:
- name: usbguard
- state: present
-
- - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service"
- service:
- name: usbguard
- state: started
- enabled: yes
- when:
- - rhel_08_040140
- tags:
- - RHEL-08-040140
- - usbguard
-
-- name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces."
- block:
- - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables"
- dnf:
- name: nftables
- state: present
-
- - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. 
| Start/Enable nftables"
- service:
- name: nftables
- state: started
- enabled: yes
-
- - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend"
- lineinfile:
- path: /etc/firewalld/firewalld.conf
- regexp: '^FirewallBackend='
- line: 'FirewallBackend=nftables'
- when:
- - rhel_08_040150
- tags:
- - RHEL-08-040150
- - firewall
- - nftables
-
-- name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."
- block:
- - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server"
- dnf:
- name: openssh-server
- state: present
-
- - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server"
- service:
- name: sshd
- state: started
- enabled: yes
- when:
- - rhel_08_040160
- tags:
- - rhel_08_040160
- - ssh
-
-- name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server."
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '(?i)^#?RekeyLimit'
- line: 'RekeyLimit 1G 1h'
- notify: restart sshd
- when:
- - rhel_08_040161
- tags:
- - RHEL-08-040161
- - sshd
-
-- name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client."
- lineinfile:
- path: /etc/ssh/ssh_config
- regexp: '(?i)^#?RekeyLimit'
- line: 'RekeyLimit 1G 1h'
- notify: restart sshd
- when:
- - rhel_08_040162
- tags:
- - RHEL-08-040162
- - sshd
-
-- name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8."
- systemd:
- name: debug-shell.service
- state: stopped
- enabled: no
- masked: yes
- daemon_reload: yes
- when:
- - rhel_08_040180
- tags:
- - RHEL-08-040180
- - debug-shell
-
-- name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted."
- block:
- - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl"
- sysctl:
- name: "{{ item }}"
- state: present
- value: '0'
- reload: "{{ rhel8stig_sysctl_reload }}"
- with_items:
- - net.ipv4.conf.default.accept_redirects
- - net.ipv6.conf.default.accept_redirects
-
- - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects default value to 0"
- lineinfile:
- path: /etc/sysctl.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' }
- - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' }
- when:
- - rhel_08_040210
- tags:
- - RHEL-08-040210
- - icmp
-
-- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects."
- block:
- - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. 
| Set send_redirects in sysctl"
- sysctl:
- name: net.ipv4.conf.all.send_redirects
- state: present
- value: '0'
- reload: "{{ rhel8stig_sysctl_reload }}"
-
- - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0"
- lineinfile:
- path: /etc/sysctl.conf
- regexp: '^net.ipv4.conf.all.send_redirects'
- line: 'net.ipv4.conf.all.send_redirects=0'
- when:
- - rhel_08_040220
- tags:
- - RHEL-08-040220
- - icmp
-
-- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
- block:
- - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast in sysctl"
- sysctl:
- name: net.ipv4.icmp_echo_ignore_broadcasts
- state: present
- value: '1'
- reload: "{{ rhel8stig_sysctl_reload }}"
-
- - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast default value to 1"
- lineinfile:
- name: /etc/sysctl.conf
- regexp: '^net.ipv4.icmp_echo_ignore_broadcasts'
- line: 'net.ipv4.icmp_echo_ignore_broadcasts=1'
- when:
- - rhel_08_040230
- tags:
- - RHEL-08-040230
- - icmp
-
-- name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets."
- block:
- - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl"
- sysctl:
- name: "{{ item }}"
- state: present
- value: '0'
- reload: "{{ rhel8stig_sysctl_reload }}"
- with_items:
- - net.ipv4.conf.all.accept_source_route
- - net.ipv6.conf.all.accept_source_route
-
- - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. 
| Set conf.all accept_source_route default value to 0"
- lineinfile:
- path: /etc/sysctl.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' }
- - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' }
- when:
- - rhel_08_040240
- tags:
- - RHEL-08-040240
- - icmp
-
-- name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default."
- block:
- - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl"
- sysctl:
- name: "{{ item }}"
- state: present
- value: '0'
- reload: "{{ rhel8stig_sysctl_reload }}"
- with_items:
- - net.ipv4.conf.default.accept_source_route
- - net.ipv6.conf.default.accept_source_route
-
- - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route value to 0"
- lineinfile:
- path: /etc/sysctl.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' }
- - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' }
- when:
- - rhel_08_040250
- tags:
- - RHEL-08-040250
- - icmp
-
-- name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router."
- block:
- - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. 
| Set ip_forward in sysctl"
- sysctl:
- name: "{{ item }}"
- state: present
- value: '0'
- reload: "{{ rhel8stig_sysctl_reload }}"
- with_items:
- - net.ipv4.ip_forward
- - net.ipv6.conf.all.forwarding
-
- - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0"
- lineinfile:
- path: /etc/sysctl.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' }
- - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' }
-
- when:
- - rhel_08_040260
- - not rhel8stig_system_is_router
- tags:
- - RHEL-08-040260
- - icmp
-
-- name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces."
- block:
- - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra in sysctl"
- sysctl:
- name: net.ipv6.conf.all.accept_ra
- state: present
- value: '0'
- reload: "{{ rhel8stig_sysctl_reload }}"
-
- - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra value to 0"
- lineinfile:
- path: /etc/sysctl.conf
- regexp: '^net.ipv6.conf.all.accept_ra'
- line: 'net.ipv6.conf.all.accept_ra=0'
- when:
- - rhel_08_040261
- - not rhel8stig_system_is_router
- tags:
- - RHEL-08-040261
- - icmp
-
-- name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default."
- block:
- - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. 
| Set accept_ra in sysctl"
- sysctl:
- name: net.ipv6.conf.default.accept_ra
- state: present
- value: '0'
- reload: "{{ rhel8stig_sysctl_reload }}"
-
- - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0"
- lineinfile:
- path: /etc/sysctl.conf
- regexp: '^net.ipv6.conf.default.accept_ra'
- line: 'net.ipv6.conf.default.accept_ra=0'
- when:
- - rhel_08_040262
- - not rhel8stig_system_is_router
- tags:
- - RHEL-08-040262
- - icmp
-
-- name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default."
- block:
- - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl"
- sysctl:
- name: net.ipv4.conf.default.send_redirects
- state: present
- value: '0'
- reload: "{{ rhel8stig_sysctl_reload }}"
-
- - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0"
- lineinfile:
- path: /etc/sysctl.conf
- regexp: '^net.ipv4.conf.default.send_redirects'
- line: 'net.ipv4.conf.default.send_redirects=0'
- when:
- - rhel_08_040270
- tags:
- - RHEL-08-040270
- - icmp
-
-- name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages."
- block:
- - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. 
| Set all.accept_redirects in sysctl"
- sysctl:
- name: "{{ item }}"
- state: present
- value: '0'
- reload: "{{ rhel8stig_sysctl_reload }}"
- with_items:
- - net.ipv4.conf.all.accept_redirects
- - net.ipv6.conf.all.accept_redirects
-
- - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value"
- lineinfile:
- path: /etc/sysctl.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- with_items:
- - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' }
- - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' }
- when:
- - rhel_08_040280
- tags:
- - RHEL-08-040280
- - icmp
-
-- name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes."
- lineinfile:
- path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
- regexp: '^kernel.unprivileged_bpf_disabled'
- line: 'kernel.unprivileged_bpf_disabled = 1'
- owner: root
- group: root
- mode: 0640
- notify: sysctl system
- when:
- - rhel_08_040281
- tags:
- - RHEL-08-040281
- - sysctl
-
-- name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes."
- lineinfile:
- path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
- regexp: '^kernel.yama.ptrace_scope'
- line: 'kernel.yama.ptrace_scope = 1'
- notify: sysctl system
- when:
- - rhel_08_040282
- tags:
- - RHEL-08-040282
- - sysctl
-
-- name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access."
- lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^kernel.kptr_restrict' - line: 'kernel.kptr_restrict = 1' - owner: root - group: root - mode: 0640 - notify: sysctl system - when: - - rhel_08_040283 - tags: - - RHEL-08-040283 - - sysctl - -- name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^user.max_user_namespaces' - line: 'user.max_user_namespaces = 0' - notify: sysctl system - when: - - rhel_08_040284 - tags: - - RHEL-08-040284 - - sysctl - -- name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." - lineinfile: - path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" - regexp: '^net.ipv4.conf.all.rp_filter' - line: 'net.ipv4.conf.all.rp_filter = 1' - notify: sysctl system - when: - - rhel_08_040285 - tags: - - RHEL-08-040285 - - sysctl - -- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." - block: - - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." - command: rpm -q postfix - failed_when: no - check_mode: no - changed_when: no - register: rhel_08_040290_rpm_audit - - - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction" - command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" - check_mode: no - when: '"postfix-" in rhel_08_040290_rpm_audit.stdout' - when: - - rhel_08_040290 - tags: - - RHEL-08-040290 - -- name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." 
- package: - name: xorg-x11-server-common - state: absent - when: - - rhel_08_040320 - - not rhel8stig_gui - -- name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." - block: - - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" - shell: "ip link | grep -i promisc | cut -d ':' -f 2" - check_mode: no - failed_when: no - changed_when: rhel_08_040670_promisc_check.stdout != '' - ignore_errors: yes - register: rhel_08_040670_promisc_check - - - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" - shell: "ip link set dev {{ item }} promisc off" - with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" - when: - - rhel_08_040330 - - not rhel8stig_net_promisc_mode_required - tags: - - RHEL-08-040330 - -- name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?X11Forwarding' - line: 'X11Forwarding no' - create: yes - owner: root - group: root - mode: 0640 - notify: restart sshd - when: - - rhel_08_040340 - - rhel8stig_ssh_required - tags: - - RHEL-08-040340 - - ssh - -- name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?X11UseLocalhost' - line: 'X11UseLocalhost yes' - when: - - rhel_08_040341 - tags: - - RHEL-08-040341 - - ssh - -- name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." 
- lineinfile: - path: /etc/xinetd.d/tftp - regexp: "(?i)^.*server_args.*=" - line: "\tserver_args\t\t= -s /var/lib/tftpboot" - insertafter: "\tserver\t\t\t=" - state: present - register: result - failed_when: - - result is failed - - result.rc != 257 - when: - - rhel_08_040350 - - rhel8stig_tftp_required - tags: - - skip_ansible_lint - - RHEL-08-040350 - - tftp - -- name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." - dnf: - name: iprutils - state: absent - when: - - rhel_08_040380 - tags: - - RHEL-08-040380 - - iprutils - -- name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8." - dnf: - name: tuned - state: absent - when: - - rhel_08_040390 - tags: - - RHEL-08-040390 - - tuned
+# tags:
+# - RHEL-08-020060
+# - gui
+
+# - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity."
+# lineinfile:
+# path: /etc/tmux.conf
+# regexp: '^set -g lock-after-time'
+# line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020070
+# tags:
+# - RHEL-08-020070
+# - tmux
+
+# - name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings."
+# lineinfile:
+# path: /etc/dconf/db/local.d/locks/session
+# create: yes
+# line: "{{ item }}"
+# owner: root
+# group: root
+# mode: 0640
+# with_items:
+# - /org/gnome/desktop/session/idle-delay
+# - /org/gnome/desktop/screensaver/lock-enabled
+# - /org/gnome/desktop/screensaver/lock-delay
+# - /org/gnome/settings-daemon/plugins/media-keys/logout
+# - /org/gnome/login-screen/disable-user-list
+# - /org/gnome/login-screen/banner-message-text
+# - /org/gnome/login-screen/banner-message-enable
+# - /org/gnome/desktop/lockdown/disable-lock-screen
+# when:
+# - rhel_08_020080
+# - "'dconf' in ansible_facts.packages"
+# - rhel8stig_always_configure_dconf
+# tags:
+# - RHEL-08-020080
+
+# - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
+# lineinfile:
+# path: "{{ rhel8stig_sssd_conf }}"
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# owner: root
+# group: root
+# mode: 0640
+# with_items:
+# - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
+# - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
+# - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' }
+# - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' }
+# notify: restart sssd
+# when:
+# - "'sssd' in ansible_facts.packages"
+# - rhel8stig_sssd_conf_present.stat.exists
+# - rhel_08_020090
+# tags:
+# - RHEL-08-020090
+
+# - name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled."
+# lineinfile:
+# path: "{{ item.path }}"
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# insertafter: '^password'
+# owner: root
+# group: root
+# mode: 0640
+# with_items:
+# - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
+# - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' }
+# when:
+# - rhel_08_020100
+# tags:
+# - RHEL-08-020100
+
+# - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*ucredit'
+# line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}"
+# when:
+# - rhel_08_020110
+# tags:
+# - RHEL-08-020110
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*lcredit'
+# line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}"
+# when:
+# - rhel_08_020120
+# tags:
+# - RHEL-08-020120
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*dcredit'
+# line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}"
+# when:
+# - rhel_08_020130
+# tags:
+# - RHEL-08-020130
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*maxclassrepeat'
+# line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}"
+# when:
+# - rhel_08_020140
+# tags:
+# - RHEL-08-020140
+# - pwquality
+
+# - name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*maxrepeat'
+# line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}"
+# when:
+# - rhel_08_020150
+# tags:
+# - RHEL-08-020150
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*minclass'
+# line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}"
+# when:
+# - rhel_08_020160
+# tags:
+# - RHEL-08-020160
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*difok'
+# line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}"
+# when:
+# - rhel_08_020170
+# tags:
+# - RHEL-08-020170
+# - pwquality
+
+# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."
+# block:
+# - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Get list of users"
+# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020180_users
+
+# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction"
+# command: chage -m 1 {{ item }}
+# with_items: "{{ rhel_08_020180_users.stdout_lines }}"
+# when:
+# - rhel_08_020180
+# tags:
+# - RHEL8-08-020180
+# - password
+
+# - name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."
+# lineinfile:
+# path: /etc/login.defs
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: ^#?PASS_MIN_DAYS
+# line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}"
+# when:
+# - rhel_08_020190
+# tags:
+# - RHEL-08-020190
+# - login
+
+# - name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction."
+# lineinfile:
+# path: /etc/login.defs
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: ^#?PASS_MAX_DAYS
+# line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}"
+# when:
+# - rhel_08_020200
+# tags:
+# - RHEL-08-020200
+# - login
+
+# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
+# block:
+# - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users"
+# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
+# check_mode: no
+# changed_when: rhel_08_020210_users.stdout | length > 0
+# register: rhel_08_020210_users
+
+# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user."
+# command: chage -d '-1 day' {{ item }}
+# check_mode: "{{ rhel8stig_disruptive_check_mode }}"
+# with_items: "{{ rhel_08_020210_users.stdout_lines }}"
+
+# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime"
+# command: chage -M 60 {{ item }}
+# check_mode: "{{ rhel8stig_disruptive_check_mode }}"
+# with_items: "{{ rhel_08_020210_users.stdout_lines }}"
+# when:
+# - rhel_08_020210
+# - rhel8stig_disruption_high
+# tags:
+# - RHEL-08-020210
+# - disruption-high
+# - password
+
+# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations."
+# block:
+# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Ensure pam_pwhistory rule exists"
+# pamd:
+# name: "{{ item }}"
+# state: before
+# type: password
+# control: sufficient
+# module_path: pam_unix.so
+# new_type: password
+# new_control: required
+# new_module_path: pam_pwhistory.so
+# with_items:
+# - "system-auth"
+# - "password-auth"
+
+# # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent
+# - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Check for existing password history reuse settings"
+# command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}"
+# check_mode: no
+# changed_when: no
+# failed_when: rhel_08_020220_pw_hist_settings.rc > 1
+# register: rhel_08_020220_pw_hist_settings
+# with_items:
+# - "system-auth"
+# - "password-auth"
+
+# # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following.
+# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set"
+# pamd:
+# name: "{{ item.item }}"
+# state: updated
+# type: password
+# control: required
+# module_path: pam_pwhistory.so
+# module_arguments:
+# - use_authtok
+# - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}
+# - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}
+# with_items: "{{ rhel_08_020220_pw_hist_settings.results }}"
+# when: item.rc == 1
+# when:
+# - rhel_08_020220
+# tags:
+# - RHEL-08-020220
+# - pamd
+
+# - name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: '^#?\s*minlen'
+# line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}"
+# when:
+# - rhel_08_020230
+# tags:
+# - RHEL-08-020230
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters."
+# lineinfile:
+# path: /etc/login.defs
+# regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN'
+# line: "PASS_MIN_LEN 15"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020231
+# tags:
+# - RHEL-08-020231
+# - passwords
+
+# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users."
+# block:
+# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users"
+# command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020240_duplicate_uid_users
+
+# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users"
+# debug:
+# msg:
+# - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user"
+# - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}"
+# when:
+# - rhel_08_020240
+# tags:
+# - RHEL-08-020240
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts."
+# block:
+# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Find pam_sss.so in smartcard-auth"
+# shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020250_sc_auth_sss
+
+# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth"
+# shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020250_system_auth_sss
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf"
+# lineinfile:
+# path: "{{ rhel8stig_sssd_conf }}"
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# insertafter: "{{ item.insertafter }}"
+# owner: root
+# group: root
+# mode: 0640
+# notify: restart sssd
+# with_items:
+# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
+# - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' }
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth"
+# lineinfile:
+# path: /etc/pam.d/smartcard-auth
+# line: auth sufficient pam_sss.so try_cert_auth
+# owner: root
+# group: root
+# mode: 0644
+# notify: restart sssd
+# when: rhel_08_020250_sc_auth_sss.stdout | length == 0
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_sss.so if does exist in smartcard-auth"
+# pamd:
+# name: /etc/pam.d/smartcard-auth
+# state: updated
+# type: auth
+# control: sufficient
+# module_path: pam_sss.so
+# module_arguments: 'try_cert_auth'
+# notify: restart sssd
+# when: rhel_08_020250_sc_auth_sss.stdout | length > 0
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth"
+# pamd:
+# name: /etc/pam.d/system-auth
+# state: after
+# type: auth
+# control: required
+# module_path: pam_env.so
+# new_type: auth
+# new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
+# new_module_path: pam_sss.so
+# module_arguments: try_cert_auth
+# notify: restart sssd
+# when: rhel_08_020250_system_auth_sss.stdout | length == 0
+
+# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth"
+# pamd:
+# name: /etc/pam.d/system-auth
+# state: updated
+# type: auth
+# control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
+# module_path: pam_env.so
+# module_arguments: try_cert_auth
+# notify: restart sssd
+# when: rhel_08_020250_system_auth_sss.stdout | length > 0
+# when:
+# - "'sssd' in ansible_facts.packages"
+# - rhel8stig_sssd_conf_present.stat.exists
+# - rhel_08_020250
+# tags:
+# - RHEL-08-020250
+# - pamd
+
+# - name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity."
+# command: useradd -D -f 35
+# when:
+# - rhel_08_020260
+# tags:
+# - RHEL-08-020260
+# - useradd
+
+# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+# block:
+# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+# command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_020270_system_users
+
+# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+# debug:
+# msg:
+# - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours"
+# - "{{ rhel_08_020270_system_users.stdout_lines }}"
+# when:
+# - rhel_08_020270
+# tags:
+# - RHEL-08-020270
+
+# - name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# regexp: '^#?\s*ocredit'
+# line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020280
+# tags:
+# - RHEL-08-020280
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day."
+# lineinfile:
+# path: "{{ rhel8stig_sssd_conf }}"
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# insertafter: "{{ item.insertafter }}"
+# owner: root
+# group: root
+# mode: 0640
+# with_items:
+# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
+# - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
+# when:
+# - "'sssd' in ansible_facts.packages"
+# - rhel8stig_sssd_conf_present.stat.exists
+# - rhel_08_020290
+# tags:
+# - RHEL-08-020290
+# - sssd
+
+# - name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords."
+# lineinfile:
+# path: /etc/security/pwquality.conf
+# create: yes
+# regexp: '^#?\s*dictcheck'
+# line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020300
+# tags:
+# - RHEL-08-020300
+# - pwquality
+
+# - name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."
+# lineinfile:
+# dest: /etc/login.defs
+# regexp: ^#?FAIL_DELAY
+# line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020310
+# tags:
+# - RHEL-08-020310
+# - login
+
+# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts."
+# block:
+# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts"
+# command: "grep '^{{ item }}:' /etc/passwd"
+# check_mode: no
+# failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1
+# changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0
+# register: rhel_08_020320_unnecessary_accounts_found
+# with_items: "{{ rhel8stig_unnecessary_accounts }}"
+
+# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. 
| Remove accounts"
+# user:
+# name: "{{ item }}"
+# state: absent
+# remove: "{{ rhel8stig_remove_unnecessary_user_files }}"
+# register: rhel_08_020320_accounts_removed
+# with_items: "{{ rhel8stig_unnecessary_accounts }}"
+
+# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file"
+# include_tasks: parse_etc_passwd.yml
+# vars:
+# rhel8stig_passwd_tasks: "RHEL-08-020320"
+# when: rhel_08_020320_accounts_removed is changed
+# when:
+# - rhel_08_020320
+# tags:
+# - RHEL-08-020320
+
+# - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."
+# lineinfile:
+# dest: /etc/ssh/sshd_config
+# regexp: '(?i)^#?PrintLastLog'
+# line: 'PrintLastLog yes'
+# validate: /usr/sbin/sshd -t -f %s
+# owner: root
+# group: root
+# mode: 0644
+# notify: restart sshd
+# when:
+# - rhel_08_020350
+# - rhel8stig_ssh_required
+# tags:
+# - RHEL-08-020350
+# - ssh
+
+# - name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
+# lineinfile:
+# path: /etc/login.defs
+# regexp: ^#?UMASK.*
+# line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_020351
+# tags:
+# - RHEL-08-020351
+
+# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts."
+# block:
+# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files"
+# find:
+# paths: /home
+# patterns: '^\.'
+# contains: 'umask'
+# recurse: yes
+# hidden: yes
+# use_regex: yes
+# register: rhel8stig_020352_files
+
+# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. 
| Remove umask param"
+# lineinfile:
+# path: "{{ item.path }}"
+# regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})"
+# state: absent
+# with_items:
+# - "{{ rhel8stig_020352_files.files }}"
+# when: rhel8stig_020352_files.matched > 0
+# when:
+# - rhel_08_020352
+# tags:
+# - RHEL-08-020352
+# - umask
+
+# - name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells."
+# replace:
+# path: "{{ item }}"
+# regexp: 'umask\s\d\d\d'
+# replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}"
+# with_items:
+# - /etc/bashrc
+# - /etc/csh.cshrc
+# when:
+# - rhel_08_020353
+# tags:
+# - RHEL-08-020353
+# - umask
+
+# - name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# with_items:
+# - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' }
+# - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' }
+# - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' }
+# - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' }
+# notify: restart auditd
+# when:
+# - rhel_08_030000
+# tags:
+# - RHEL-08-030000
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8."
+# lineinfile:
+# path: /etc/rsyslog.conf
+# regexp: '^cron.*'
+# line: 'cron.* /var/log/cron'
+# when:
+# - rhel_08_030010
+# tags:
+# - RHEL-08-030010
+# - cron
+
+# - name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^action_mail_acct ='
+# line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}"
+# register: rhel_08_030020_action_mail_acct_result
+# failed_when:
+# - rhel_08_030020_action_mail_acct_result is failed
+# - rhel_08_030020_action_mail_acct_result.rc != 257
+# when:
+# - rhel_08_030020
+# tags:
+# - RHEL-08-030020
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."
+# lineinfile:
+# path: /etc/aliases
+# regexp: '^postmaster:'
+# line: 'postmaster: root'
+# when:
+# - rhel_08_030030
+# tags:
+# - RHEL-08-030030
+# - aliases
+
+# - name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^disk_error_action ='
+# line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}"
+# when:
+# - rhel_08_030040
+# tags:
+# - RHEL-08-030040
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^max_log_file_action ='
+# line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}"
+# when:
+# - rhel_08_030050
+# tags:
+# - RHEL-08-030050
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^disk_full_action ='
+# line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_030060
+# tags:
+# - RHEL-08-030060
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^local_events ='
+# line: "local_events = yes"
+# owner: root
+# group: root
+# mode: 0644
+# when:
+# - rhel_08_030061
+# tags:
+# - RHEL-08-030061
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^name_format ='
+# line: "name_format = hostname"
+# notify: restart auditd
+# when:
+# - rhel_08_030062
+# tags:
+# - RHEL-08-030062
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^log_group ='
+# line: "log_group = root"
+# mode: 0600
+# when:
+# - rhel_08_030070
+# tags:
+# - RHEL-08-030070
+
+# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access."
+# block:
+# - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. 
| Get audit log file" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " +# changed_when: false +# failed_when: false +# register: rhel8stig_030080_audit_log_file + +# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner" +# file: +# path: "{{ rhel8stig_030080_audit_log_file.stdout }}" +# owner: root +# when: rhel8stig_030080_audit_log_file.stdout | length > 0 +# when: +# - rhel_08_030080 +# tags: +# - RHEL-08-030080 + +# - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group" +# lineinfile: +# path: /etc/audit/auditd.conf +# regexp: '^log_group' +# line: "log_group = root" +# when: +# - rhel_08_030090 +# tags: +# - RHEL-08-030090 + +# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." +# block: +# - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' +# changed_when: false +# failed_when: false +# register: rhel_08_030100_audit_log_dir + +# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner" +# file: +# path: "{{ rhel_08_030100_audit_log_dir.stdout }}" +# owner: root +# state: directory +# when: rhel_08_030100_audit_log_dir.stdout | length > 0 +# tags: +# - skip_ansible_lint +# when: +# - rhel_08_030100 +# tags: +# - RHEL-08-030100 + +# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." 
+# block: +# - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' +# args: +# warn: no +# changed_when: false +# failed_when: false +# register: rhel_08_030110_audit_log_dir + +# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group" +# file: +# path: "{{ rhel_08_030110_audit_log_dir.stdout }}" +# group: root +# state: directory +# when: rhel_08_030110_audit_log_dir.stdout | length > 0 +# tags: +# - skip_ansible_lint +# when: +# - rhel_08_030110 +# tags: +# - skip_ansible_lint +# - RHEL-08-030110 + +# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access." +# block: +# - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. | Get audit log directory" +# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' +# changed_when: false +# failed_when: false +# register: rhel_08_030120_audit_log_dir + +# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms" +# file: +# path: "{{ rhel_08_030120_audit_log_dir.stdout }}" +# mode: 0700 +# state: directory +# when: rhel_08_030120_audit_log_dir.stdout | length > 0 +# when: +# - rhel_08_030120 +# tags: +# - RHEL-08-030120 + +# - name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-e ' +# line: "-e 2" +# when: +# - rhel_08_030121 +# tags: +# - RHEL-08-030121 +# - auditd + +# - name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^--loginuid-' +# line: "--loginuid-immutable" +# when: +# - rhel_08_030122 +# tags: +# - RHEL-08-030122 +# - auditd + +# - name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/shadow' +# line: '-w /etc/shadow -p wa -k identity' +# notify: restart auditd +# when: +# - rhel_08_030130 +# tags: +# - RHEL-08-030130 +# - auditd + +# - name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/security/opasswd' +# line: -w /etc/security/opasswd -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030140 +# tags: +# - RHEL-08-030140 +# - auditd + +# - name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/passwd' +# line: -w /etc/passwd -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030150 +# tags: +# - RHEL-08-030150 +# - auditd + +# - name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/gshadow' +# line: -w /etc/gshadow -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030160 +# tags: +# - RHEL-08-030160 +# - auditd + +# - name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/group' +# line: -w /etc/group -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030170 +# tags: +# - RHEL-08-030170 +# - auditd + +# - name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/sudoers ' +# line: -w /etc/sudoers -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030171 +# tags: +# - RHEL-08-030171 +# - auditd + +# - name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-w /etc/sudoers.d/' +# line: -w /etc/sudoers.d/ -p wa -k identity +# notify: restart auditd +# when: +# - rhel_08_030172 +# tags: +# - RHEL-08-030172 +# - auditd + +# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." +# block: +# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. 
| Install audit" +# dnf: +# name: audit +# state: present + +# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service" +# service: +# name: auditd +# enabled: yes +# state: started +# when: +# - rhel_08_030180 +# tags: +# - rhel_08_030180 +# - dnf +# - auditd + +# - name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' +# line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' +# notify: restart auditd +# when: +# - rhel_08_030190 +# tags: +# - RHEL-08-030190 +# - auditd + +# - name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030200 +# tags: +# - RHEL-08-030200 +# - auditd + +# - name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030210 +# tags: +# - RHEL-08-030210 +# - auditd + +# - name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030220 +# tags: +# - RHEL-08-030220 +# - auditd + +# - name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030230 +# tags: +# - RHEL-08-030230 +# - auditd + +# - name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030240 +# tags: +# - RHEL-08-030240 +# - auditd + +# - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage +# notify: restart auditd +# when: +# - rhel_08_030250 +# tags: +# - RHEL-08-030250 +# - auditd + +# - name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030260 +# tags: +# - RHEL-08-030260 +# - auditd + +# - name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod +# - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod +# - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod +# notify: restart auditd +# when: +# - rhel_08_030270 +# tags: +# - RHEL-08-030270 +# - auditd + +# - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh +# notify: restart auditd +# when: +# - rhel_08_030280 +# tags: +# - RHEL-08-030280 +# - auditd + +# - name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd +# notify: restart auditd +# when: +# - rhel_08_030290 +# tags: +# - RHEL-08-030290 +# - auditd + +# - name: | +# "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record." 
+# "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# notify: restart auditd +# when: +# - rhel_08_030300 or +# rhel_08_030302 +# tags: +# - RHEL-08-030300 +# - RHEL-08-030302 +# - auditd + +# - name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount +# notify: restart auditd +# when: +# - rhel_08_030301 +# tags: +# - RHEL-08-030301 +# - auditd + +# - name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030310 +# tags: +# - RHEL-08-030310 +# - auditd + +# - name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030311 +# tags: +# - RHEL-08-030311 +# - auditd + +# - name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030312 +# tags: +# - RHEL-08-030312 +# - auditd + +# - name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030313 +# tags: +# - RHEL-08-030313 +# - auditd + +# - name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030314 +# tags: +# - RHEL-08-030314 +# - auditd + +# - name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030315 +# tags: +# - RHEL-08-030315 +# - auditd + +# - name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030316 +# tags: +# - RHEL-08-030316 +# - auditd + +# - name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update +# notify: restart auditd +# when: +# - rhel_08_030317 +# tags: +# - RHEL-08-030317 +# - auditd + +# - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh +# notify: restart auditd +# when: +# - rhel_08_030320 +# tags: +# - RHEL-08-030320 +# - auditd + +# - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030330 +# tags: +# - RHEL-08-030330 +# - auditd + +# - name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check +# notify: restart auditd +# when: +# - rhel_08_030340 +# tags: +# - RHEL-08-030340 +# - auditd + +# - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd +# notify: restart auditd +# when: +# - rhel_08_030350 +# tags: +# - RHEL-08-030350 +# - auditd + +# - name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030360 +# tags: +# - RHEL-08-030360 +# - auditd + +# - name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030361 +# tags: +# - RHEL-08-030361 +# - auditd + +# - name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030362 +# tags: +# - RHEL-08-030362 +# - auditd + +# - name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030363 +# tags: +# - RHEL-08-030363 +# - auditd + +# - name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030364 +# tags: +# - RHEL-08-030364 +# - auditd + +# - name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete +# notify: restart auditd +# when: +# - rhel_08_030365 +# tags: +# - RHEL-08-030365 +# - auditd + +# - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd +# notify: restart auditd +# when: +# - rhel_08_030370 +# tags: +# - RHEL-08-030370 +# - auditd + +# - name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030380 +# tags: +# - RHEL-08-030380 +# - auditd + +# - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng +# notify: restart auditd +# when: +# - rhel_08_030390 +# tags: +# - RHEL-08-030390 +# - auditd + +# - name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab +# notify: restart auditd +# when: +# - rhel_08_030400 +# tags: +# - RHEL-08-030400 +# - auditd + +# - name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd +# notify: restart auditd +# when: +# - rhel_08_030410 +# tags: +# - RHEL-08-030410 +# - auditd + +# - name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030420 +# tags: +# - RHEL-08-030420 +# - auditd + +# - name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030430 +# tags: +# - RHEL-08-030430 +# - auditd + +# - name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030440 +# tags: +# - RHEL-08-030440 +# - auditd + +# - name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030450 +# tags: +# - RHEL-08-030450 +# - auditd + +# - name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030460 +# tags: +# - RHEL-08-030460 +# - auditd + +# - name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record." 
+# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access +# notify: restart auditd +# when: +# - rhel_08_030470 +# tags: +# - RHEL-08-030470 +# - auditd + +# - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030480 +# tags: +# - RHEL-08-030480 +# - auditd + +# - name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record." +# lineinfile: +# path: /etc/audit/rules.d/audit.rules +# line: "{{ item }}" +# with_items: +# - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng +# notify: restart auditd +# when: +# - rhel_08_030490 +# tags: +# - RHEL-08-030490 +# - auditd + +# - name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." 
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# notify: restart auditd
+# when:
+# - rhel_08_030500
+# tags:
+# - RHEL-08-030500
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# notify: restart auditd
+# when:
+# - rhel_08_030510
+# tags:
+# - RHEL-08-030510
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+# notify: restart auditd
+# when:
+# - rhel_08_030520
+# tags:
+# - RHEL-08-030520
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# notify: restart auditd
+# when:
+# - rhel_08_030530
+# tags:
+# - RHEL-08-030530
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: "{{ item }}"
+# with_items:
+# - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# notify: restart auditd
+# when:
+# - rhel_08_030540
+# tags:
+# - RHEL-08-030540
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+# notify: restart auditd
+# when:
+# - rhel_08_030550
+# tags:
+# - RHEL-08-030550
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod
+# notify: restart auditd
+# when:
+# - rhel_08_030560
+# tags:
+# - RHEL-08-030560
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+# notify: restart auditd
+# when:
+# - rhel_08_030570
+# tags:
+# - RHEL-08-030570
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
+# notify: restart auditd
+# when:
+# - rhel_08_030580
+# tags:
+# - RHEL-08-030580
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -w /var/log/faillock -p wa -k logins
+# notify: restart auditd
+# when:
+# - rhel_08_030590
+# tags:
+# - RHEL-08-030590
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."
+# lineinfile:
+# path: /etc/audit/rules.d/audit.rules
+# line: -w /var/log/lastlog -p wa -k logins
+# notify: restart auditd
+# when:
+# - rhel_08_030600
+# tags:
+# - RHEL-08-030600
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
+# file:
+# path: "{{ item }}"
+# mode: 0640
+# with_items:
+# - /etc/audit/rules.d/audit.rules
+# - /etc/audit/auditd.conf
+# when:
+# - rhel_08_030610
+# tags:
+# - RHEL-08-030610
+# - permissions
+
+# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive."
+# block:
+# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms"
+# shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
+# changed_when: false
+# failed_when: false
+# register: rhel_08_030620_tools
+
+# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
+# file:
+# path: "{{ item }}"
+# mode: 0755
+# with_items:
+# - "{{ rhel_08_030620_tools.stdout_lines }}"
+# when:
+# - rhel_08_030620
+# tags:
+# - RHEL-08-030620
+# - permissions
+
+# - name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root."
+# file:
+# path: "{{ item }}"
+# owner: root
+# with_items:
+# - /sbin/auditctl
+# - /sbin/aureport
+# - /sbin/ausearch
+# - /sbin/autrace
+# - /sbin/auditd
+# - /sbin/audisp-remote
+# - /sbin/audisp-syslog
+# - /sbin/augenrules
+# when:
+# - rhel_08_030630
+# tags:
+# - RHEL-08-030630
+# - permissions
+
+# - name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root."
+# file:
+# path: "{{ item }}"
+# owner: root
+# with_items:
+# - /sbin/auditctl
+# - /sbin/aureport
+# - /sbin/ausearch
+# - /sbin/autrace
+# - /sbin/auditd
+# - /sbin/audisp-remote
+# - /sbin/audisp-syslog
+# - /sbin/augenrules
+# when:
+# - rhel_08_030640
+# tags:
+# - RHEL-08-030640
+# - permissions
+
+# - name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."
+# lineinfile:
+# path: /etc/aide.conf
+# line: "{{ item }}"
+# owner: root
+# group: root
+# mode: 0600
+# with_items:
+# - "# Audit Tools"
+# - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
+# - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
+# when:
+# - rhel_08_030650
+# tags:
+# - RHEL-08-030650
+# - aide
+
+# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."
+# block:
+# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition"
+# shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
+# changed_when: false
+# failed_when: false
+# register: rhel_08_030660_audit_log_path
+
+# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.
| Get size of audit log partition"
+# shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_030660_audit_log_partition
+
+# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size"
+# debug:
+# msg:
+# - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"
+# - "Path: {{ rhel_08_030660_audit_log_path.stdout }}"
+# - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}"
+# when:
+# - rhel_08_030660
+# tags:
+# - RHEL-08-030660
+
+# - name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed."
+# dnf:
+# name: rsyslog
+# state: present
+# when:
+# - rhel_08_030670
+# tags:
+# - RHEL-08-030670
+# - rsyslog
+
+# - name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed."
+# dnf:
+# name: gnutls
+# state: present
+# when:
+# - rhel_08_030680
+# tags:
+# - RHEL-08-030680
+# - gnutls
+
+# - name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."
+# lineinfile:
+# path: /etc/rsyslog.conf
+# regexp: '^.*\@\@'
+# line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}"
+# when:
+# - rhel_08_030690
+# tags:
+# - RHEL-08-030690
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: '^overflow_action ='
+# line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}'
+# notify: restart auditd
+# when:
+# - rhel_08_030700
+# tags:
+# - RHEL-08-030700
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
+# lineinfile:
+# path: /etc/rsyslog.conf
+# create: yes
+# owner: root
+# group: root
+# mode: 0644
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# with_items:
+# - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' }
+# - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' }
+# when:
+# - rhel_08_030710
+# tags:
+# - RHEL-08-030710
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs."
+# lineinfile:
+# path: /etc/rsyslog.conf
+# regexp: '^\$ActionSendStreamDriverAuthMode'
+# line: "$ActionSendStreamDriverAuthMode x509/name"
+# notify: restart auditd
+# when:
+# - rhel_08_030720
+# tags:
+# - rhel_08_030720
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."
+# lineinfile:
+# path: /etc/audit/auditd.conf
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# with_items:
+# - { regexp: '^space_left =', line: 'space_left = 25%' }
+# - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' }
+# when:
+# - rhel_08_030730
+# tags:
+# - RHEL-08-030730
+# - auditd
+
+# - name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
+# lineinfile:
+# path: /etc/chrony.conf
+# regexp: '^server'
+# line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16'
+# notify: restart {{ rhel8stig_time_service }}
+# when:
+# - rhel_08_030740
+# tags:
+# - RHEL-08-030740
+# - chronyd
+
+# - name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed."
+# shell: dnf remove abrt*
+# failed_when: false
+# args:
+# warn: false
+# when:
+# - rhel_08_040001
+# tags:
+# - RHEL-08-040001
+# - dnf
+# - abrt
+
+# - name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed."
+# dnf:
+# name: sendmail
+# state: absent
+# when:
+# - rhel_08_040002
+# tags:
+# - RHEL-08-040002
+# - dnf
+# - sendmail
+
+# - name: |
+# "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed."
+# "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8."
+# dnf:
+# name: gssproxy
+# state: absent
+# when:
+# - rhel_08_040003 or
+# rhel_08_040370
+# tags:
+# - RHEL-08-040003
+# - RHEL-08-040370
+# - dnf
+# - gssproxy
+
+# - name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use."
+# lineinfile:
+# path: /etc/modprobe.d/blacklist.conf
+# create: yes
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# owner: root
+# group: root
+# mode: 0640
+# insertafter: "{{ item.insertafter }}"
+# notify: reboot system
+# with_items:
+# - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' }
+# - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' }
+# when:
+# - rhel_08_040020
+# tags:
+# - RHEL-08-040020
+# - camera
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
+# block:
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
+# block:
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
| Get services using firewalld"
+# shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
+# register: rhel8stig_PPSM_CLSA_check_firewalld
+# changed_when: false
+# failed_when: false
+# check_mode: no
+# when:
+# - rhel_08_040030
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
+# debug:
+# msg:
+# - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
+# - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}"
+# changed_when: true
+# when:
+# - rhel_08_040030
+# - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined
+# tags:
+# - RHEL-08-040030
+# - firewall
+# when:
+# - rhel_08_040030
+# - not rhel8stig_system_is_chroot
+# - not rhel8stig_system_is_container
+# - rhel8stig_firewall_service == "firewalld"
+# - rhel8stig_start_firewall_service
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block"
+# block:
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
| Get services using iptables"
+# shell: iptables-save | grep -i accept | grep -i input
+# register: rhel8stig_PPSM_CLSA_check_iptables
+# changed_when: false
+# failed_when: false
+# check_mode: no
+# when: rhel_08_040030
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
+# debug:
+# msg:
+# - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}."
+# - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}"
+# changed_when: true
+# when:
+# - rhel_08_040030
+# - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined
+# tags:
+# - RHEL-08-040030
+# - firewall
+# when:
+# - rhel_08_040030
+# - not rhel8stig_system_is_chroot
+# - not rhel8stig_system_is_container
+# - rhel8stig_firewall_service == "iptables"
+# - rhel8stig_start_firewall_service
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use"
+# debug:
+# msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
+# changed_when: true
+# when:
+# - rhel_08_040030
+# - not rhel8stig_start_firewall_service
+# tags:
+# - RHEL-08-040030
+# - firewall
+# when:
+# - rhel_08_040030
+# - not rhel8stig_system_is_chroot
+# - not rhel8stig_system_is_container
+# - rhel8stig_disruptive
+# tags:
+# - RHEL-08-040030
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required."
+# block:
+# - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error"
+# shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
+# changed_when: false
+# failed_when: false
+# register: rhel_08_040070_autofs_status
+
+# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists"
+# service:
+# name: autofs
+# state: stopped
+# enabled: no
+# when: rhel_08_040070_autofs_status.stdout == "loaded"
+# when:
+# - rhel_08_040070
+# tags:
+# - RHEL-08-040070
+# - autofs
+
+# - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage."
+# lineinfile:
+# path: "{{ item.path }}"
+# create: yes
+# owner: root
+# group: root
+# mode: 0640
+# regexp: "{{ item.regexp }}"
+# line: "{{ item.line }}"
+# insertafter: "{{ item.insertafter }}"
+# with_items:
+# - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' }
+# - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'}
+# when:
+# - rhel_08_040080
+# tags:
+# - RHEL-08-040080
+# - usb_devices
+
+# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
+# block:
+# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8.
| Install firewalld"
+# dnf:
+# name: firewalld
+# state: present
+# when: rhel8stig_firewall_service == "firewalld"
+
+# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
+# dnf:
+# name: iptables-services
+# state: present
+# when: rhel8stig_firewall_service == "iptables"
+
+# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
+# service:
+# name: "{{ rhel8stig_firewall_service }}"
+# state: started
+# enabled: yes
+# when:
+# - rhel_08_040100
+# tags:
+# - RHEL-08-040100
+# - firewall
+# - "{{ rhel8stig_firewall_service }}"
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
+# block:
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
+# firewalld:
+# zone: "{{ rhel8stig_custom_firewall_zone }}"
+# permanent: true
+# state: present
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh"
+# firewalld:
+# zone: "{{ rhel8stig_custom_firewall_zone }}"
+# permanent: true
+# state: enabled
+# service: "{{ item }}"
+# with_items:
+# - "{{ rhel8stig_white_list_services }}"
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
+# command: firewall-cmd --reload
+# changed_when: rhel_08_040090_zone_reload.rc == 0
+# failed_when: rhel_08_040090_zone_reload.rc >= 2
+# register: rhel_08_040090_zone_reload
+
+# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
| Set new zone as default"
+# command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
+# changed_when: rhel_08_040090_default_zone_set.rc == 0
+# failed_when: rhel_08_040090_default_zone_set.rc >= 2
+# register: rhel_08_040090_default_zone_set
+# when:
+# - rhel_08_040090
+# tags:
+# - RHEL-08-040090
+# - firewall
+
+# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
+# block:
+# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
+# command: rpm -q NetworkManager
+# args:
+# warn: no
+# check_mode: no
+# changed_when: no
+# register: rhel_08_nmcli_available
+# failed_when: no
+
+# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
+# command: nmcli radio wifi
+# args:
+# warn: no
+# register: rhel_08_wifi_enabled
+# check_mode: no
+# changed_when: rhel_08_wifi_enabled.stdout != "disabled"
+# when: rhel_08_nmcli_available.rc == 0
+
+# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
+# command: nmcli radio wifi off
+# when: rhel_08_wifi_enabled is changed
+# when:
+# - rhel_08_040110
+# tags:
+# - RHEL-08-040110
+# - wifi
+
+# - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled."
+# lineinfile:
+# path: /etc/modprobe.d/bluetooth.conf
+# regexp: '^install bluetooth '
+# line: "install bluetooth /bin/true"
+# create: yes
+# owner: root
+# group: root
+# mode: 0640
+# notify: reboot system
+# when:
+# - rhel_08_040111
+# tags:
+# - RHEL-08-040111
+# - bluetooth
+
+# - name: |
+# "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
+# "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
+# "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option."
+# "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option."
+# "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option."
+# shell: mount | grep /dev/shm
+# args:
+# warn: no
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040120_dev_shm_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
+# "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
+# "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
+# mount:
+# path: /dev/shm
+# state: mounted
+# src: tmpfs
+# fstype: tmpfs
+# opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}"
+# when: rhel8stig_040120_dev_shm_status.stdout | length > 0
+# when:
+# - rhel_08_040120 or
+# rhel_08_040121 or
+# rhel_08_040122
+# tags:
+# - RHEL-08-040120
+# - RHEL-08-040121
+# - RHEL-08-040122
+# - mounts
+
+# - name: |
+# "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
+# "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option."
+# "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option."
+# shell: mount | grep /tmp
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040123_dev_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
+# "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
+# mount:
+# path: /tmp
+# state: mounted
+# src: "{{ tmp_mount.device }}"
+# fstype: xfs
+# opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}"
+# vars:
+# tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}"
+# when: rhel8stig_040123_dev_status.stdout | length > 0
+
+# when:
+# - rhel_08_040123 or
+# rhel_08_040124 or
+# rhel_08_040125
+# tags:
+# - RHEL-08-040123
+# - RHEL-08-040124
+# - RHEL-08-04125
+# - mounts
+
+# - name: |
+# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
+# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
+# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
+# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
+# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
+# shell: mount | grep /var/log
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040126_var_log_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
+# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
+# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
+# mount:
+# path: /var/log
+# state: mounted
+# src: "{{ var_log_mount.device }}"
+# fstype: xfs
+# opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}"
+# vars:
+# var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}"
+# when: rhel8stig_040126_var_log_status.stdout | length > 0
+# when:
+# - rhel_08_040126 or
+# rhel_08_040127 or
+# rhel_08_040128
+# tags:
+# - RHEL-08-040126
+# - RHEL-08-040127
+# - RHEL-08-040128
+# - mounts
+
+# - name: |
+# "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
+# "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
+# "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option."
+# "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option."
+# "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option."
+# shell: mount | grep /var/log/audit
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040129_var_log_audit_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
+# "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
+# "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
+# mount:
+# path: /var/log/audit
+# state: mounted
+# src: "{{ audit_mount.device }}"
+# fstype: xfs
+# opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}"
+# vars:
+# audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}"
+# when: rhel8stig_040129_var_log_audit_status.stdout | length > 0
+# when:
+# - rhel_08_040129 or
+# rhel_08_040130 or
+# rhel_08_040131
+# tags:
+# - RHEL-08-040129
+# - RHEL-08-040130
+# - RHEL-08-040131
+# - mounts
+
+# - name: |
+# "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
+# "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
+# block:
+# - name: |
+# "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option"
+# "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option."
+# shell: mount | grep /var/tmp
+# changed_when: false
+# failed_when: false
+# register: rhel8stig_040132_var_tmp_status
+
+# - name: |
+# "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
+# "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
+# "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
+# mount:
+# path: /var/tmp
+# state: mounted
+# src: "{{ var_tmp_mount.device }}"
+# fstype: xfs
+# opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}"
+# vars:
+# var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}"
+# when: rhel8stig_040132_var_tmp_status.stdout | length > 0
+# when:
+# - rhel_08_040132 or
+# rhel_08_040133 or
+# rhel_08_040134
+# tags:
+# - RHEL-08-040132
+# - RHEL-08-040133
+# - RHEL-08-040134
+# - mounts
+
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+# block:
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy"
+# dnf:
+# name: fapolicyd
+# state: present
+
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts"
+# shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts
+# changed_when: false
+# failed_when: false
+
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy"
+# service:
+# name: fapolicyd
+# state: started
+# enabled: yes
+
+# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
| Set fapolicy whitelist " +# lineinfile: +# path: /etc/fapolicyd/fapolicyd.rules +# line: "{{ item }}" +# with_items: +# - "{{ rhel8stig_fapolicy_white_list }}" + +# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" +# lineinfile: +# path: /etc/fapolicyd/fapolicyd.conf +# regexp: '^permissive =' +# line: 'permissive = 0' +# when: +# - rhel_08_040135 +# tags: +# - RHEL-08-040135 +# - fapolicyd + +# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." +# block: +# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" +# dnf: +# name: usbguard +# state: present + +# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service" +# service: +# name: usbguard +# state: started +# enabled: yes +# when: +# - rhel_08_040140 +# tags: +# - RHEL-08-040140 +# - usbguard + +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." +# block: +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" +# dnf: +# name: nftables +# state: present + +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. 
| Start/Enable nftables" +# service: +# name: nftables +# state: started +# enabled: yes + +# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" +# lineinfile: +# path: /etc/firewalld/firewalld.conf +# regexp: '^FirewallBackend=' +# line: 'FirewallBackend=nftables' +# when: +# - rhel_08_040150 +# tags: +# - RHEL-08-040150 +# - firewall +# - nftables + +# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." +# block: +# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" +# dnf: +# name: openssh-server +# state: present + +# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" +# service: +# name: sshd +# state: started +# enabled: yes +# when: +# - rhel_08_040160 +# tags: +# - rhel_08_040160 +# - ssh + +# - name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server." 
+# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^#?RekeyLimit' +# line: 'RekeyLimit 1G 1h' +# notify: restart sshd +# when: +# - rhel_08_040161 +# tags: +# - RHEL-08-040161 +# - sshd + +# - name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." +# lineinfile: +# path: /etc/ssh/ssh_config +# regexp: '(?i)^#?RekeyLimit' +# line: 'RekeyLimit 1G 1h' +# notify: restart sshd +# when: +# - rhel_08_040162 +# tags: +# - RHEL-08-040162 +# - sshd + +# - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." +# systemd: +# name: debug-shell.service +# state: stopped +# enabled: no +# masked: yes +# daemon_reload: yes +# when: +# - rhel_08_040180 +# tags: +# - RHEL-08-040180 +# - debug-shell + +# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." +# block: +# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.default.accept_redirects +# - net.ipv6.conf.default.accept_redirects + +# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
| Set accpet_redirects default value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } +# - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } +# when: +# - rhel_08_040210 +# tags: +# - RHEL-08-040210 +# - icmp + +# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." +# block: +# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects in sysctl" +# sysctl: +# name: net.ipv4.conf.all.send_redirects +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv4.conf.all.send_redirects' +# line: 'net.ipv4.conf.all.send_redirects=0' +# when: +# - rhel_08_040220 +# tags: +# - RHEL-08-040220 +# - icmp + +# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." +# block: +# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast in sysctl" +# sysctl: +# name: net.ipv4.icmp_echo_ignore_broadcasts +# state: present +# value: '1' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
| Set echo_ignore_broadcast default value to 1" +# lineinfile: +# name: /etc/sysctl.conf +# regexp: '^net.ipv4.icmp_echo_ignore_broadcasts' +# line: 'net.ipv4.icmp_echo_ignore_broadcasts=1' +# when: +# - rhel_08_040230 +# tags: +# - RHEL-08-040230 +# - icmp + +# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets." +# block: +# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.all.accept_source_route +# - net.ipv6.conf.all.accept_source_route + +# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } +# - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } +# when: +# - rhel_08_040240 +# tags: +# - RHEL-08-040240 +# - icmp + +# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default." +# block: +# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.default.accept_source_route +# - net.ipv6.conf.default.accept_source_route + +# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. 
| Set conf.default accept_source_route value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } +# - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } +# when: +# - rhel_08_040250 +# tags: +# - RHEL-08-040250 +# - icmp + +# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router." +# block: +# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.ip_forward +# - net.ipv6.conf.all.forwarding + +# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' } +# - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' } + +# when: +# - rhel_08_040260 +# - not rhel8stig_system_is_router +# tags: +# - RHEL-08-040260 +# - icmp + +# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces." +# block: +# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra in sysctl" +# sysctl: +# name: net.ipv6.conf.all.accept_ra +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. 
| Set accept_ra value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv6.conf.all.accept_ra' +# line: 'net.ipv6.conf.all.accept_ra=0' +# when: +# - rhel_08_040261 +# - not rhel8stig_system_is_router +# tags: +# - RHEL-08-040261 +# - icmp + +# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default." +# block: +# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra in sysctl" +# sysctl: +# name: net.ipv6.conf.default.accept_ra +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv6.conf.default.accept_ra' +# line: 'net.ipv6.conf.default.accept_ra=0' +# when: +# - rhel_08_040262 +# - not rhel8stig_system_is_router +# tags: +# - RHEL-08-040262 +# - icmp + +# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." +# block: +# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl" +# sysctl: +# name: net.ipv4.conf.default.send_redirects +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" + +# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. 
| Set default.send_redirects value to 0" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^net.ipv4.conf.default.send_redirects' +# line: 'net.ipv4.conf.default.send_redirects=0' +# when: +# - rhel_08_040270 +# tags: +# - RHEL-08-040270 +# - icmp + +# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." +# block: +# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" +# sysctl: +# name: "{{ item }}" +# state: present +# value: '0' +# reload: "{{ rhel8stig_sysctl_reload }}" +# with_items: +# - net.ipv4.conf.all.accept_redirects +# - net.ipv6.conf.all.accept_redirects + +# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# with_items: +# - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } +# - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } +# when: +# - rhel_08_040280 +# tags: +# - RHEL-08-040280 +# - icmp + +# - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.unprivileged_bpf_disabled' +# line: 'kernel.unprivileged_bpf_disabled = 1' +# owner: root +# group: root +# mode: 0640 +# notify: sysctl system +# when: +# - rhel_08_040281 +# tags: +# - RHEL-08-040281 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." 
+# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.yama.ptrace_scope' +# line: 'kernel.yama.ptrace_scope = 1' +# notify: sysctl system +# when: +# - rhel_08_040282 +# tags: +# - RHEL-08-040282 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^kernel.kptr_restrict' +# line: 'kernel.kptr_restrict = 1' +# owner: root +# group: root +# mode: 0640 +# notify: sysctl system +# when: +# - rhel_08_040283 +# tags: +# - RHEL-08-040283 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^user.max_user_namespaces' +# line: 'user.max_user_namespaces = 0' +# notify: sysctl system +# when: +# - rhel_08_040284 +# tags: +# - RHEL-08-040284 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." +# lineinfile: +# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" +# regexp: '^net.ipv4.conf.all.rp_filter' +# line: 'net.ipv4.conf.all.rp_filter = 1' +# notify: sysctl system +# when: +# - rhel_08_040285 +# tags: +# - RHEL-08-040285 +# - sysctl + +# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." +# block: +# - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." +# command: rpm -q postfix +# failed_when: no +# check_mode: no +# changed_when: no +# register: rhel_08_040290_rpm_audit + +# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. 
| Set restriction" +# command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" +# check_mode: no +# when: '"postfix-" in rhel_08_040290_rpm_audit.stdout' +# when: +# - rhel_08_040290 +# tags: +# - RHEL-08-040290 + +# - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." +# package: +# name: xorg-x11-server-common +# state: absent +# when: +# - rhel_08_040320 +# - not rhel8stig_gui + +# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." +# block: +# - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" +# shell: "ip link | grep -i promisc | cut -d ':' -f 2" +# check_mode: no +# failed_when: no +# changed_when: rhel_08_040670_promisc_check.stdout != '' +# ignore_errors: yes +# register: rhel_08_040670_promisc_check + +# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" +# shell: "ip link set dev {{ item }} promisc off" +# with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" +# when: +# - rhel_08_040330 +# - not rhel8stig_net_promisc_mode_required +# tags: +# - RHEL-08-040330 + +# - name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^#?X11Forwarding' +# line: 'X11Forwarding no' +# create: yes +# owner: root +# group: root +# mode: 0640 +# notify: restart sshd +# when: +# - rhel_08_040340 +# - rhel8stig_ssh_required +# tags: +# - RHEL-08-040340 +# - ssh + +# - name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display." 
+# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: '(?i)^#?X11UseLocalhost' +# line: 'X11UseLocalhost yes' +# when: +# - rhel_08_040341 +# tags: +# - RHEL-08-040341 +# - ssh + +# - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." +# lineinfile: +# path: /etc/xinetd.d/tftp +# regexp: "(?i)^.*server_args.*=" +# line: "\tserver_args\t\t= -s /var/lib/tftpboot" +# insertafter: "\tserver\t\t\t=" +# state: present +# register: result +# failed_when: +# - result is failed +# - result.rc != 257 +# when: +# - rhel_08_040350 +# - rhel8stig_tftp_required +# tags: +# - skip_ansible_lint +# - RHEL-08-040350 +# - tftp + +# - name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." +# dnf: +# name: iprutils +# state: absent +# when: +# - rhel_08_040380 +# tags: +# - RHEL-08-040380 +# - iprutils + +# - name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8." +# dnf: +# name: tuned +# state: absent +# when: +# - rhel_08_040390 +# tags: +# - RHEL-08-040390 +# - tuned From e672bde736b04fe902c67f87ac6e21d93a557709 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 10 Aug 2021 14:54:00 -0400 Subject: [PATCH 023/110] Updated cat2 3-10 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 326 +++++++++++++++++++++++++-------------------- 1 file changed, 182 insertions(+), 144 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 797f4b94..952017b3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -39,154 +39,192 @@ - SV-230224r627750_rule - V-230224 -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" -# block: -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?Banner' -# line: 'Banner /etc/issue' - -# - name: | -# "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" -# "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. 
| Set banner message"" -# copy: -# dest: "{{ item }}" -# content: "{{ rhel8stig_logon_banner }}" -# owner: root -# group: root -# mode: '0644' -# notify: restart sshd -# with_items: -# - /etc/issue -# - /etc/issue.net -# when: -# # - not system_is_ec2 -# - rhel_08_010040 or -# rhel_08_010060 -# tags: -# - RHEL-08-010040 -# - RHEL-08-010060 - -# - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." -# copy: -# dest: /etc/dconf/db/local.d/01-banner-message -# content: | -# [org/gnome/login-screen] -# banner-message-enable=true -# banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' -# mode: '0644' -# owner: root -# group: root -# vars: -# newline: "\n" -# notify: dconf update -# when: -# - rhel_08_010050 -# - "'dconf' in ansible_facts.packages" -# - rhel8stig_always_configure_dconf - -# tags: -# - RHEL-08-010050 - -# - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." -# lineinfile: -# path: /etc/rsyslog.d/50-default.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# create: yes -# mode: '0644' -# notify: restart rsyslog -# with_items: -# - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } -# - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } -# when: -# - rhel_08_010070 -# tags: -# - RHEL-08-010070 - -# # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." 
-# block: -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" -# command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem -# changed_when: false -# failed_when: false -# register: rhel_08_010090_certs_list - -# - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" -# debug: -# msg: -# - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" -# - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" -# - "{{ rhel_08_010090_certs_list.stdout_lines }}" -# when: -# - rhel_08_010090 -# tags: -# - RHEL-08-010090 - -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." -# block: -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" -# file: -# path: "{{ rhel8stig_path_to_sshkey }}" -# state: directory -# mode: '0700' - -# - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" -# openssh_keypair: -# path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" -# when: -# - rhel_08_010100 -# tags: -# - RHEL-08-010100 +- name: | + "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon." 
+ "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon" + block: + - name: | + "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" + "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?Banner' + line: 'Banner /etc/issue' + + - name: | + "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" + "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" + copy: + dest: "{{ item }}" + content: "{{ rhel8stig_logon_banner }}" + owner: root + group: root + mode: '0644' + notify: restart sshd + with_items: + - /etc/issue + - /etc/issue.net + when: + # - not system_is_ec2 + - rhel_08_010040 or + rhel_08_010060 + tags: + - CAT2 + - RHEL-08-010040 + - CCI-000048 + - SRG-OS-000023-GPOS-00006 + - SV-230226r627750_rule + - V-230226 + - RHEL-08-010060 + - CCI-000048 + - SRG-OS-000023-GPOS-00006 + - SV-230227r627750_rule + - V-230227 + +- name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." 
+ copy: + dest: /etc/dconf/db/local.d/01-banner-message + content: | + [org/gnome/login-screen] + banner-message-enable=true + banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' + mode: '0644' + owner: root + group: root + vars: + newline: "\n" + notify: dconf update + when: + - rhel_08_010050 + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + tags: + - RHEL-08-010050 + - CAT2 + - CCI-000048 + - SRG-OS-000023-GPOS-00006 + - SV-230226r627750_rule + - V-230226 + +- name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." + lineinfile: + path: /etc/rsyslog.d/50-default.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: yes + mode: '0644' + notify: restart rsyslog + with_items: + - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } + - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } + when: + - rhel_08_010070 + tags: + - RHEL-08-010070 + - CAT2 + - CCI-000067 + - SRG-OS-000032-GPOS-00013 + - SV-230228r627750_rule + - V-230228 -# - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." -# lineinfile: -# path: /etc/login.defs -# regexp: '^ENCRYPT_METHOD.*' -# line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" -# when: -# - rhel_08_010110 -# tags: -# - RHEL-08-010110 -# - login +# This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. +- name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." 
+ block: + - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" + command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem + changed_when: false + failed_when: false + register: rhel_08_010090_certs_list -# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." -# block: -# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" -# command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' -# changed_when: false -# failed_when: false -# register: rhel_08_010120_non_fips_hashed_accounts + - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" + debug: + msg: + - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" + - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" + - "{{ rhel_08_010090_certs_list.stdout_lines }}" + when: + - rhel_08_010090 + tags: + - RHEL-08-010090 + - CAT2 + - CCI-000185 + - SRG-OS-000066-GPOS-00034 + - SV-230229r627750_rule + - V-230229 -# - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. 
| Lock user not using FIPS 140-2 hashing" -# command: "passwd -l {{ item }}" -# args: -# warn: no -# with_items: -# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" -# when: -# - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 +- name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." + block: + - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" + file: + path: "{{ rhel8stig_path_to_sshkey }}" + state: directory + mode: '0700' + + - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" + openssh_keypair: + path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" + when: + - rhel_08_010100 + tags: + - RHEL-08-010100 + - CAT2 + - CCI-000186 + - SRG-OS-000067-GPOS-00035 + - SV-230230r627750_rule + - V-230230 + +- name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." + lineinfile: + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" + when: + - rhel_08_010110 + tags: + - RHEL-08-010110 + - CAT2 + - CCI-000196 + - SRG-OS-000073-GPOS-00041 + - SV-230231r627750_rule + - V-230231 + - login -# - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" -# debug: -# msg: -# - "ALERT!! The following accounts do not have FIPS 140-2 hasing. 
Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" -# - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" -# when: -# - not rhel8stig_disruption_high -# - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 -# when: -# - rhel_08_010120 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010120 -# - disruption_high +- name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." + block: + - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" + command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' + changed_when: false + failed_when: false + register: rhel_08_010120_non_fips_hashed_accounts + + - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" + command: "passwd -l {{ item }}" + args: + warn: no + with_items: + - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" + when: + - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 + + - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" + debug: + msg: + - "ALERT!! The following accounts do not have FIPS 140-2 hasing. 
Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" + - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" + when: + - not rhel8stig_disruption_high + - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 + when: + - rhel_08_010120 + - rhel8stig_disruption_high + tags: + - RHEL-08-010120 + - CAT2 + - CCI-000196 + - SRG-OS-000073-GPOS-00041 + - SV-230232r627750_rule + - V-230232 + - disruption_high # - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" # pamd: From 359fa077d6f33fcf6440afe687d1a8aa977204c0 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 10 Aug 2021 15:11:01 -0400 Subject: [PATCH 024/110] Updated cat2 11-22 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 386 ++++++++++++++++++++++++++------------------- 1 file changed, 226 insertions(+), 160 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 952017b3..3369b5c5 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
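Review bot: The RHEL-08-010120 audit subtask runs a shell pipeline through the `command` module, which does not go through a shell, so `cat` receives `|`, `grep`, `-v` and the rest as extra file arguments, writes the whole of /etc/shadow to stdout (its errors are hidden by `failed_when: false`), and the following `passwd -l` loop then iterates over full shadow lines, hashes included, which end up in task output. Switch it to `shell` with a filter that does not rely on the shell leaving `$6` alone (the double-quoted `":$6$"` would be expanded even under `shell`), e.g. `shell: "awk -F: '$2 !~ /^[!*]/ && $2 !~ /^\\$6\\$/ {print $1}' /etc/shadow"`, and add `no_log: true` to that audit task so hashes never reach the log. In the same block the "Message out user accounts" debug can never run, because its `not rhel8stig_disruption_high` condition is ANDed with the block-level `rhel8stig_disruption_high`. The tag pair `SV-230226r627750_rule`/`V-230226` appears on both the RHEL-08-010040/010060 block and the RHEL-08-010050 task while every other task carries a distinct pair, so one of them looks like a copy-paste slip to verify against the STIG. The Banner `lineinfile` on /etc/ssh/sshd_config carries no `notify: restart sshd`, so a change to the Banner keyword alone is not applied until something else restarts the daemon.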
@@ -226,176 +226,242 @@ - V-230232 - disruption_high -# - name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords. | Add rounds argument" -# pamd: -# name: "{{ item }}" -# type: password -# control: sufficient -# module_path: pam_unix.so -# module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" -# state: args_present -# with_items: -# - password-auth -# - system-auth -# when: -# - rhel_08_010130 -# tags: -# - RHEL-08-010130 - -# - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." -# lineinfile: -# path: /usr/lib/systemd/system/rescue.service -# regexp: '^ExecStart=' -# line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" -# create: yes -# owner: root -# group: root -# mode: 0644 - -# when: -# - rhel_08_010151 -# tags: -# - RHEL-08-010151 -# - systemd - -# - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. | Add sha512 argument" -# pamd: -# name: "{{ item }}" -# type: password -# control: sufficient -# module_path: pam_unix.so -# module_arguments: sha512 -# state: args_present -# with_items: -# - password-auth -# - system-auth -# when: -# - rhel_08_010160 -# tags: -# - RHEL-08-010160 +- name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords." 
+ pamd: + name: "{{ item }}" + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" + state: args_present + with_items: + - password-auth + - system-auth + when: + - rhel_08_010130 + tags: + - RHEL-08-010130 + - CAT2 + - CCI-000196 + - SRG-OS-000073-GPOS-00041 + - SV-230233r627750_rule + - V-230233 + - pamd -# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." -# block: -# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" -# find: -# path: / -# patterns: '*.keytab' -# recurse: yes -# register: rhel8stig_010161_keytab_files +- name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." + lineinfile: + path: /usr/lib/systemd/system/rescue.service + regexp: '^ExecStart=' + line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel_08_010151 + tags: + - RHEL-08-010151 + - CAT2 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-230236r627750_rule + - V-230236 + - systemd + +- name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." + pamd: + name: "{{ item }}" + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: sha512 + state: args_present + with_items: + - password-auth + - system-auth + when: + - rhel_08_010160 + tags: + - RHEL-08-010160 + - CAT2 + - CCI-000803 + - SRG-OS-000120-GPOS-00061 + - SV-230237r627750_rule + - V-230237 + - pamd -# - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. 
| Remove .keytab files" -# file: -# path: "{{ item.path }}" -# state: absent -# with_items: -# - "{{ rhel8stig_010161_keytab_files.files }}" -# when: rhel8stig_010161_keytab_files.matched > 0 -# when: -# - rhel_08_010161 -# tags: -# - RHEL-08-010161 -# - kerberos +- name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." + block: + - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" + find: + path: / + patterns: '*.keytab' + recurse: yes + register: rhel8stig_010161_keytab_files + + - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files" + file: + path: "{{ item.path }}" + state: absent + with_items: + - "{{ rhel8stig_010161_keytab_files.files }}" + when: rhel8stig_010161_keytab_files.matched > 0 + when: + - rhel_08_010161 + tags: + - RHEL-08-010161 + - CAT2 + - CCI-000803 + - SRG-OS-000120-GPOS-00061 + - SV-230238r646862_rule + - V-230238 + - kerberos -# - name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8." -# dnf: -# name: krb5-workstation -# state: absent -# when: -# - rhel_08_010162 -# tags: -# - RHEL-08-010162 -# - kerberos +- name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8." + dnf: + name: krb5-workstation + state: absent + when: + - rhel_08_010162 + tags: + - RHEL-08-010162 + - CAT2 + - CCI-000803 + - SRG-OS-000120-GPOS-00061 + - SV-230239r646864_rule + - V-230239 + - kerberos -# - name: | -# "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services." -# "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." 
-# selinux: -# state: enforcing -# policy: targeted -# check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" -# notify: reboot system -# when: -# - rhel_08_010170 or rhel_08_010450 -# - not rhel8stig_system_is_container -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010170 -# - RHEL-08-010450 -# - selinux -# - disruption_high +- name: | + "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services." + "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." + selinux: + state: enforcing + policy: targeted + check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" + notify: reboot system + when: + - rhel_08_010170 or rhel_08_010450 + - not rhel8stig_system_is_container + - rhel8stig_disruption_high + tags: + - CAT2 + - RHEL-08-010170 + - CCI-001084 + - SRG-OS-000134-GPOS-00068 + - SV-230240r627750_rule + - V-230240 + - RHEL-08-010450 + - CCI-002696 + - SRG-OS-000445-GPOS-00199 + - SV-230282r627750_rule + - V-230282 + - selinux + - disruption_high -# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources." -# block: -# - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root" -# shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'" -# changed_when: false -# failed_when: false -# register: rhel_08_010180_public_not_root_owned +- name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources." 
+ block: + - name: "MEDIUM | RHEL-08-010180 | AUDIT | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Find public folders not owned by root" + shell: "find / ! -user root -type d -perm -0002 -exec ls -lLd {} \\; | sed 's/.* //'" + changed_when: false + failed_when: false + register: rhel_08_010180_public_not_root_owned -# - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders" -# file: -# path: "{{ item }}" -# owner: root -# group: root -# with_items: -# - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}" -# when: -# - rhel_08_010180 -# tags: -# - RHEL-08-010180 + - name: "MEDIUM | RHEL-08-010180 | PATCH | All RHEL 8 public directories must be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. | Chown non-root public folders" + file: + path: "{{ item }}" + owner: root + group: root + with_items: + - "{{ rhel_08_010180_public_not_root_owned.stdout_lines }}" + when: + - rhel_08_010180 + tags: + - RHEL-08-010180 + - CAT2 + - CCI-001090 + - SRG-OS-000138-GPOS-00069 + - SV-230242r627750_rule + - V-230242 + - permissions -# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." -# block: -# - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" -# shell: "find / -type d \\( -perm -0002 -a ! 
-perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" -# changed_when: false -# failed_when: false -# register: rhel_08_010190_world_writable_files +- name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." + block: + - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" + shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" + changed_when: false + failed_when: false + register: rhel_08_010190_world_writable_files -# - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" -# file: -# path: "{{ item }}" -# mode: '1777' -# with_items: -# - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" -# when: -# - rhel_08_010190 -# tags: -# - RHEL-08-010190 + - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" + file: + path: "{{ item }}" + mode: '1777' + with_items: + - "{{ rhel_08_010190_world_writable_files.stdout_lines }}" + when: + - rhel_08_010190 + tags: + - RHEL-08-010190 + - CAT2 + - CCI-001090 + - SRG-OS-000138-GPOS-00069 + - SV-230243r627750_rule + - V-230243 + - permissions -# - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." 
-# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# notify: restart sshd -# with_items: -# - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} -# - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } -# when: -# - rhel_08_010200 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-010200 -# - ssh +- name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." + lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart sshd + with_items: + - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} + - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } + when: + - rhel_08_010200 + - rhel8stig_ssh_required + tags: + - RHEL-08-010200 + - CAT2 + - CCI-001133 + - SRG-OS-000163-GPOS-00072 + - SV-230244r627750_rule + - V-230244 + - ssh -# - name: | -# "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." -# "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." -# "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." -# file: -# path: /var/log/messages -# owner: root -# group: root -# mode: '0640' -# when: -# - rhel_08_010210 or -# rhel_08_010220 or -# rhel_08_010230 -# tags: -# - RHEL-08-010210 -# - RHEL-08-010220 -# - RHEL-08-010230 +- name: | + "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." + "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." 
+ "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." + file: + path: /var/log/messages + owner: root + group: root + mode: '0640' + when: + - rhel_08_010210 or + rhel_08_010220 or + rhel_08_010230 + tags: + - CAT2 + - RHEL-08-010210 + - CCI-001314 + - SRG-OS-000206-GPOS-00084 + - SV-230245r627750_rule + - V-230245 + - RHEL-08-010220 + - CCI-001314 + - SRG-OS-000206-GPOS-00084 + - SV-230246r627750_rule + - V-230246 + - RHEL-08-010230 + - CCI-001314 + - SRG-OS-000206-GPOS-00084 + - SV-230247r627750_rule + - V-230247 + - permissions # - name: | # "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." From dfb5a4a15405d52681543d0041f9bbc103542787 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 10 Aug 2021 15:21:44 -0400 Subject: [PATCH 025/110] Updated cat2 22-30 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 234 ++++++++++++++++++++++++++------------------- 1 file changed, 136 insertions(+), 98 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3369b5c5..daff2c20 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -463,110 +463,148 @@ - V-230247 - permissions -# - name: | -# "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." -# "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." -# "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." -# file: -# path: /var/log -# owner: root -# group: root -# mode: '0755' -# when: -# - rhel_08_010240 or -# rhel_08_010250 or -# rhel_08_010260 -# tags: -# - RHEL-08-010240 -# - RHEL-08-010250 -# - RHEL-08-010260 - -# - name: | -# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms." -# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections" -# block: -# - name: | -# "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" -# "MEDIUM | RHEL-08-010291 | AUDIT | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Get current FIPS mode state" -# command: fips-mode-setup --check -# changed_when: false -# failed_when: false -# register: rhel_08_010290_pre_fips_check +- name: | + "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." + "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." 
+ file: + path: /var/log + owner: root + group: root + mode: '0755' + when: + - rhel_08_010240 or + rhel_08_010250 or + rhel_08_010260 + tags: + - CAT2 + - RHEL-08-010240 + - CCI-001314 + - SRG-OS-000206-GPOS-00084 + - SV-230248r627750_rule + - V-230248 + - RHEL-08-010250 + - CCI-001314 + - SRG-OS-000206-GPOS-00084 + - SV-230249r627750_rule + - V-230249 + - RHEL-08-010260 + - CCI-001314 + - SRG-OS-000206-GPOS-00084 + - SV-230250r627750_rule + - V-230250 + - permissions -# - name: | -# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" -# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Enable FIPS" -# command: fips-mode-setup --enable -# register: rhel_08_010290_fips_enable -# notify: reboot system -# when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' +- name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms." + "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections." + block: + - name: | + "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" + "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. 
| Get current FIPS mode state" + command: fips-mode-setup --check + changed_when: false + failed_when: false + register: rhel_08_010290_pre_fips_check -# - name: | -# "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) and ciphers employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" -# "MEDIUM | RHEL-08-010291 | PATCH | RHEL 8 must implement DoD-approved encryption to protect the confidentiality of SSH connections | Add ssh ciphers" -# lineinfile: -# path: "{{ item.path }}" -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# notify: reboot system -# with_items: -# - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } -# - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } -# when: -# - rhel_08_010290 or -# rhel_08_010291 -# tags: -# - RHEL-08-010290 -# - RHEL-08-010291 -# - fips + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" + "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Enable FIPS" + command: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: reboot system + when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' -# - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." -# block: -# - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. 
| Get current FIPS mode state" -# command: fips-mode-setup --check -# changed_when: false -# failed_when: false -# register: rhel_08_010293_pre_fips_check + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" + "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers" + lineinfile: + path: "{{ item.path }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: reboot system + with_items: + - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } + - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } + when: + - rhel_08_010290 or + rhel_08_010291 + tags: + - CAT2 + - RHEL-08-010290 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-230251r646866_rule + - V-230251 + - RHEL-08-010291 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-230252r646869_rule + - V-230252 + - fips + +- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." + block: + - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" + command: fips-mode-setup --check + changed_when: false + failed_when: false + register: rhel_08_010293_pre_fips_check -# - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. 
| Enable FIPS" -# command: fips-mode-setup --enable -# register: rhel_08_010290_fips_enable -# notify: reboot system -# when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' -# when: -# - rhel_08_010293 -# tags: -# - RHEL-08-010293 -# - fips + - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" + command: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: reboot system + when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' + when: + - rhel_08_010293 + tags: + - RHEL-08-010293 + - CAT2 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-230254r627750_rule + - V-230254 + - fips -# - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." -# lineinfile: -# path: /etc/crypto-policies/back-ends/opensslcnf.config -# regexp: '^MinProtocol =' -# line: "MinProtocol = TLSv1.2" -# notify: reboot system -# when: -# - rhel_08_010294 -# tags: -# - RHEL-08-010294 -# - openssl +- name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." 
+ lineinfile: + path: /etc/crypto-policies/back-ends/opensslcnf.config + regexp: '^MinProtocol =' + line: "MinProtocol = TLSv1.2" + notify: reboot system + when: + - rhel_08_010294 + tags: + - RHEL-08-010294 + - CAT2 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-230255r627750_rule + - V-230255 + - openssl -# - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" -# lineinfile: -# path: /etc/crypto-policies/back-ends/gnutls.config -# regexp: '^(.*\+VERS-ALL:)' -# line: '\1{{ rhel8stig_gnutls_encryption }}' -# backrefs: true -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: reboot system -# when: -# - rhel_08_010295 -# tags: -# - RHEL-08-010295 -# - gnutls +- name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" + lineinfile: + path: /etc/crypto-policies/back-ends/gnutls.config + regexp: '^(.*\+VERS-ALL:)' + line: '\1{{ rhel8stig_gnutls_encryption }}' + backrefs: true + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + when: + - rhel_08_010295 + tags: + - RHEL-08-010295 + - CAT2 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-230256r627750_rule + - V-230256 + - gnutls # - name: | # "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." From 568a6ae3e50cb34b3b0b079250da9c2490f2f647 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 10 Aug 2021 15:33:58 -0400 Subject: [PATCH 026/110] Updated cat2 31-40 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 392 +++++++++++++++++++++++++-------------------- 1 file changed, 220 insertions(+), 172 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index daff2c20..d08c754f 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
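Review bot: The `Enable FIPS` tasks in RHEL-08-010290/010291 and RHEL-08-010293 run `fips-mode-setup --enable` (a kernel command-line change that then notifies `reboot system`) with no gate beyond the `"disabled"` check, whereas the SELinux task earlier in this file is gated on `not rhel8stig_system_is_container` and `rhel8stig_disruption_high`; enabling FIPS is at least as disruptive and cannot succeed inside a container, so the `when:` of both enable tasks should become `- '"disabled" in rhel_08_010290_pre_fips_check.stdout'`, `- not rhel8stig_system_is_container`, `- rhel8stig_disruption_high` (with the 010293 register name substituted in the second block). Gating only the enable task rather than the whole block keeps the non-disruptive `lineinfile` edits for MACs and ciphers running. A caveat worth a comment above the `Add ssh ciphers` task: the files under `/etc/crypto-policies/back-ends/` are, as far as I know, regenerated by `update-crypto-policies`, which `fips-mode-setup --enable` itself invokes, so these edits depend on running after FIPS enablement and are lost on the next policy change — a custom policy module under `/etc/crypto-policies/policies/modules/` would be the durable form; suggested comment: `# NOTE: back-end files are rewritten by update-crypto-policies; re-run after any policy change`. Minor: the 010293 enable task registers `rhel_08_010290_fips_enable` (copy-paste), which should be `rhel_08_010293_fips_enable`.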
@@ -606,187 +606,235 @@ - V-230256 - gnutls -# - name: | -# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." -# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." -# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root." -# block: -# - name: | -# "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" -# "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" -# "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root. | Get commands no group-owned by root" -# shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel_08_010300_commands +- name: | + "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root." + "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root or a system account." + block: + - name: | + "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" + "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" + "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root or a system account. | Get commands no group-owned by root" + shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! 
-group root" + args: + warn: no + changed_when: false + failed_when: false + register: rhel_08_010300_commands -# - name: | -# "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" -# "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" -# "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root. | Set permissions" -# file: -# path: "{{ item }}" -# owner: root -# group: root -# mode: '0755' -# force: yes -# with_items: -# - "{{ rhel_08_010300_commands.stdout_lines }}" -# when: -# - rhel_08_010300 or -# rhel_08_010310 or -# rhel_08_010320 -# tags: -# - RHEL-08-010300 -# - RHEL-08-010310 -# - RHEL-08-010320 + - name: | + "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" + "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" + "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root or a system account. | Set permissions" + file: + path: "{{ item }}" + owner: root + group: root + mode: '0755' + force: yes + with_items: + - "{{ rhel_08_010300_commands.stdout_lines }}" + when: + - rhel_08_010300 or + rhel_08_010310 or + rhel_08_010320 + tags: + - CAT2 + - RHEL-08-010300 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-230257r627750_rule + - V-230257 + - RHEL-08-010310 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-230258r627750_rule + - V-230258 + - RHEL-08-010320 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-230259r627750_rule + - V-230259 + - permissions -# - name: | -# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." -# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." -# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root." 
-# block: -# - name: | -# "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" -# "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" -# "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root. | Get library files not group-owned by root" -# shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel_08_010330_library_files +- name: | + "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root." + "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root or a system account." + block: + - name: | + "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" + "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" + "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root" + shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" + args: + warn: no + changed_when: false + failed_when: false + register: rhel_08_010330_library_files -# - name: | -# "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" -# "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" -# "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root. 
| Get library files not group-owned by root" -# file: -# path: "{{ item }}" -# owner: root -# group: root -# mode: '0755' -# with_items: -# - "{{ rhel_08_010330_library_files.stdout_lines }}" -# when: -# - rhel_08_010330 or -# rhel_08_010340 or -# rhel_08_010350 -# tags: -# - RHEL-08-010330 -# - RHEL-08-010340 -# - RHEL-08-010350 - -# - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." -# cron: -# name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' -# user: "{{ rhel8stig_aide_cron.user }}" -# cron_file: "{{ rhel8stig_aide_cron.cron_file }}" -# job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" -# minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | -# ternary('0', omit)) | default(omit) }}" -# hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | -# ternary('0', omit)) | default(omit) }}" -# weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['weekly']) | -# ternary('0', omit)) | default(omit) }}" -# day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['monthly']) | -# ternary('1', omit)) | default(omit) }}" -# special_time: "{{ (rhel8stig_cron_special_disable and -# rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | -# ternary(omit, rhel8stig_aide_cron.special_time) }}" -# when: -# - rhel_08_010360 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010360 -# - aide + - name: | + 
"MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" + "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" + "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root" + file: + path: "{{ item }}" + owner: root + group: root + mode: '0755' + with_items: + - "{{ rhel_08_010330_library_files.stdout_lines }}" + when: + - rhel_08_010330 or + rhel_08_010340 or + rhel_08_010350 + tags: + - CAT2 + - RHEL-08-010330 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-230260r627750_rule + - V-230260 + - RHEL-08-010340 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-230261r627750_rule + - V-230261 + - RHEL-08-010350 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-230262r627750_rule + - V-230262 + - permissions -# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." -# block: -# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if using numbered link files" -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.kexec_load_disabled =' -# line: "kernel.kexec_load_disabled = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched > 0 -# - rhel8stig_sysctlconf_filename.files[0].islnk +- name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." 
+ cron: + name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' + user: "{{ rhel8stig_aide_cron.user }}" + cron_file: "{{ rhel8stig_aide_cron.cron_file }}" + job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}" + minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | + ternary('0', omit)) | default(omit) }}" + hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) | + ternary('0', omit)) | default(omit) }}" + weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['weekly']) | + ternary('0', omit)) | default(omit) }}" + day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['monthly']) | + ternary('1', omit)) | default(omit) }}" + special_time: "{{ (rhel8stig_cron_special_disable and + rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | + ternary(omit, rhel8stig_aide_cron.special_time) }}" + when: + - rhel_08_010360 + - rhel8stig_disruption_high + tags: + - RHEL-08-010360 + - CAT2 + - CCI-001744 + - SRG-OS-000363-GPOS-00150 + - SV-230263r627750_rule + - V-230263 + - aide -# - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. 
| Set kernel exec load if no numbered link files" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^kernel.kexec_load_disabled =' -# line: "kernel.kexec_load_disabled = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched == 0 or -# not rhel8stig_sysctlconf_filename.files[0].islnk -# when: -# - rhel_08_010372 -# tags: -# - RHEL-08-010372 -# - sysctl +- name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." + block: + - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Set kernel exec load if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.kexec_load_disabled =' + line: "kernel.kexec_load_disabled = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk -# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." -# block: -# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if using numbered link files" -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^fs.protected_symlinks =' -# line: "fs.protected_symlinks = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched > 0 -# - rhel8stig_sysctlconf_filename.files[0].islnk + - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. 
| Set kernel exec load if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.kexec_load_disabled =' + line: "kernel.kexec_load_disabled = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010372 + tags: + - RHEL-08-010372 + - CAT2 + - CCI-001749 + - SRG-OS-000366-GPOS-00153 + - SV-230266r627750_rule + - V-230266 + - sysctl -# - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if no numbered link files" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^fs.protected_symlinks =' -# line: "fs.protected_symlinks = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched == 0 or -# not rhel8stig_sysctlconf_filename.files[0].islnk -# when: -# - rhel_08_010373 -# tags: -# - RHEL-08-010373 -# - sysctl +- name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." + block: + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^fs.protected_symlinks =' + line: "fs.protected_symlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk -# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." -# block: -# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. 
| Set protected hardlinks if using numbered link files" -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^fs.protected_hardlinks =' -# line: "fs.protected_hardlinks = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched > 0 -# - rhel8stig_sysctlconf_filename.files[0].islnk + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set protected symlinks if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^fs.protected_symlinks =' + line: "fs.protected_symlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010373 + tags: + - RHEL-08-010373 + - CAT2 + - CCI-002165 + - SRG-OS-000312-GPOS-00122 + - SV-230267r627750_rule + - V-230267 + - sysctl -# - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if no numbered link files" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^fs.protected_hardlinks =' -# line: "fs.protected_hardlinks = 1" -# notify: sysctl system -# when: -# - rhel8stig_sysctlconf_filename.matched == 0 or -# not rhel8stig_sysctlconf_filename.files[0].islnk -# when: -# - rhel_08_010374 -# tags: -# - RHEL-08-010374 -# - sysctl +- name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." + block: + - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. 
| Set protected hardlinks if using numbered link files" + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^fs.protected_hardlinks =' + line: "fs.protected_hardlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched > 0 + - rhel8stig_sysctlconf_filename.files[0].islnk + + - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Set protected hardlinks if no numbered link files" + lineinfile: + path: /etc/sysctl.conf + regexp: '^fs.protected_hardlinks =' + line: "fs.protected_hardlinks = 1" + notify: sysctl system + when: + - rhel8stig_sysctlconf_filename.matched == 0 or + not rhel8stig_sysctlconf_filename.files[0].islnk + when: + - rhel_08_010374 + tags: + - RHEL-08-010374 + - CAT2 + - CCI-002165 + - SRG-OS-000312-GPOS-00122 + - SV-230268r627750_rule + - V-230268 + - sysctl # - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." # replace: From 7300b258b7b945bd46a525915203405a9b9ab0e5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Aug 2021 09:35:09 +0100 Subject: [PATCH 027/110] Added Alma to os_ver supported Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index 87a8557e..de042050 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -449,6 +449,7 @@ rhel8stig_min_supported_os_ver: RedHat: "8.4" CentOS: "8.4" Rocky: "8.4" + AlmaLinux: "8.4" # RHEL-08-040260 # If system is not router, run tasks that disable router functions. From b10632e276aa1b0ed54e41d6e358975bc49f2c6a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Aug 2021 10:44:32 +0100 Subject: [PATCH 028/110] moved reboot and updated to use module Signed-off-by: Mark Bolwell --- handlers/main.yml | 10 ++++------ tasks/main.yml | 5 ----- 2 files changed, 4 insertions(+), 11 deletions(-) 
diff --git a/handlers/main.yml b/handlers/main.yml index d6f21c68..ffcd81b6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -116,7 +116,6 @@ - "'dconf' in ansible_facts.packages" - rhel8stig_always_configure_dconf - - name: prereport score debug: msg: "Pre-run OpenSCAP score is {{ rhel8stig_prescanresults.Benchmark.TestResult.score['#text'] }}" @@ -127,8 +126,7 @@ msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan -- name: reboot system - shell: sleep 3; reboot - async: 15 - poll: 0 - when: not rhel8stig_skip_reboot +- name: Reboot system + reboot: + when: + - not rhel8stig_skip_reboot diff --git a/tasks/main.yml b/tasks/main.yml index d741078b..0712c727 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -84,11 +84,6 @@ - name: flush handlers meta: flush_handlers -- name: Reboot system - reboot: - when: - - not rhel8stig_skip_reboot - - import_tasks: post_remediation_audit.yml when: - run_audit From 56ec2f38d7d8f166da977e5a0ba77af587e1be0d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 08:48:57 -0400 Subject: [PATCH 029/110] Updated cat2 41-50 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 434 +++++++++++++++++++++++++-------------------- 1 file changed, 241 insertions(+), 193 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index d08c754f..3e0727a9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
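Review bot: Renaming the handler from `reboot system` to `Reboot system` in the handlers/main.yml hunk changes the string that `notify:` must match, so any task in the role that still notifies `reboot system` will fail at parse time with an unknown-handler error; grep the task files for the old name before merging, or keep the old name. The switch from `shell: sleep 3; reboot` with `async: 15` / `poll: 0` to the `reboot` module also changes the handler from fire-and-forget to blocking until the host is reachable again, which is what the post-remediation audit that now follows it needs, but hosts that take long to come back will hit the module's default timeout, so consider setting `reboot_timeout` explicitly. The tasks/main.yml hunk is a pure deletion of the duplicate reboot task and needs nothing further.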
@@ -836,214 +836,262 @@ - V-230268 - sysctl -# - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." -# replace: -# path: "{{ item }}" -# regexp: '^([^#].*)NOPASSWD(.*)' -# replace: '\1PASSWD\2' -# with_items: -# - "{{ rhel8stig_sudoers_files.stdout_lines }}" -# when: -# - rhel_08_010380 -# - rhel8stig_using_password_auth -# tags: -# - RHEL-08-010380 -# - sudoers - -# - name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." -# replace: -# path: "{{ item }}" -# regexp: '^([^#].*)!authenticate(.*)' -# replace: '\1authenticate\2' -# with_items: -# - "{{ rhel8stig_sudoers_files.stdout_lines }}" -# when: -# - rhel_08_010381 -# - rhel8stig_using_password_auth -# tags: -# - RHEL-08-010381 -# - sudoers - -# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." -# block: -# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" -# dnf: -# name: esc -# state: present -# when: rhel8stig_gui - -# - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" -# dnf: -# name: openssl-pkcs11 -# state: present -# when: -# - rhel_08_010390 -# tags: -# - RHEL-08-010390 -# - multifactor - -# - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." 
-# lineinfile: -# path: '{{ rhel8stig_sssd_conf }}' -# regexp: '^certificate_verification = {{ item }}' -# state: absent -# with_items: -# - 'no_ocsp, no_verification' -# - no_ocsp -# - no_verification -# notify: restart sssd -# when: -# - "'sssd' in ansible_facts.packages" -# - rhel8stig_sssd_conf_present.stat.exists -# - rhel_08_010400 -# tags: -# - RHEL-08-010400 +- name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." + replace: + path: "{{ item }}" + regexp: '^([^#].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + with_items: + - "{{ rhel8stig_sudoers_files.stdout_lines }}" + when: + - rhel_08_010380 + - rhel8stig_using_password_auth + tags: + - RHEL-08-010380 + - CAT2 + - CCI-002038 + - SRG-OS-000373-GPOS-00156 + - SV-230271r627750_rule + - V-230271 + - sudoers + +- name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." + replace: + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + with_items: + - "{{ rhel8stig_sudoers_files.stdout_lines }}" + when: + - rhel_08_010381 + - rhel8stig_using_password_auth + tags: + - RHEL-08-010381 + - CAT2 + - CCI-002038 + - SV-230272r627750_rule + - V-230272 + - sudoers -# - name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." -# dnf: -# name: opensc -# state: present -# when: -# - rhel_08_010410 -# tags: -# - RHEL-08-010410 -# - opensc -# - piv +- name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." + block: + - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" + dnf: + name: esc + state: present + when: rhel8stig_gui + + - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. 
| Install non-GUI related packages" + dnf: + name: openssl-pkcs11 + state: present + when: + - rhel_08_010390 + tags: + - RHEL-08-010390 + - CAT2 + - CCI-001948 + - SRG-OS-000375-GPOS-00160 + - SV-230273r627750_rule + - V-230273 + - multifactor -# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." -# block: -# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state" -# shell: dmesg |grep "NX (" -# changed_when: false -# failed_when: false -# register: rhel_08_010420_nx_bit_state +- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." + lineinfile: + path: '{{ rhel8stig_sssd_conf }}' + regexp: '^certificate_verification = {{ item }}' + state: absent + with_items: + - 'no_ocsp, no_verification' + - no_ocsp + - no_verification + notify: restart sssd + when: + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists + - rhel_08_010400 + tags: + - RHEL-08-010400 + - CAT2 + - CCI-001948 + - SRG-OS-000375-GPOS-00160 + - SV-230274r627750_rule + - V-230274 + - multifactor -# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" -# debug: -# msg: -# - "Good News! You are setup with execute disable active." -# when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' +- name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." 
+ dnf: + name: opensc + state: present + when: + - rhel_08_010410 + tags: + - RHEL-08-010410 + - CAT2 + - CCI-001953 + - SV-230275r627750_rule + - V-230275 + - opensc + - piv -# - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" -# debug: -# msg: -# - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" -# when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' -# when: -# - rhel_08_010420 -# tags: -# - RHEL-08-010420 +- name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." + block: + - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state" + shell: dmesg |grep "NX (" + changed_when: false + failed_when: false + register: rhel_08_010420_nx_bit_state -# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." -# block: -# - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" -# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel8stig_010421_grub_cmdline_linux + - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" + debug: + msg: + - "Good News! You are setup with execute disable active." + when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' -# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
| Set page poison 1 as active" -# shell: grubby --update-kernel=ALL --args="page_poison=1" + - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" + debug: + msg: + - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" + when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' + when: + - rhel_08_010420 + tags: + - RHEL-08-010420 + - CAT2 + - CCI-002824 + - SRG-OS-000433-GPOS-00192 + - SV-230276r627750_rule + - V-230276 -# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX=' -# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"' -# when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout' +- name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." + block: + - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_010421_grub_cmdline_linux -# - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. 
| Set page poison 1 for kernel updates if exists" -# replace: -# path: /etc/default/grub -# regexp: 'page_poison=([^\s|"])+' -# replace: "page_poison=1" -# when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout' -# when: -# - rhel_08_010421 -# tags: -# - RHEL-08-010421 -# - grub + - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active" + shell: grubby --update-kernel=ALL --args="page_poison=1" -# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls." -# block: -# - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" -# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel8stig_010422_grub_cmdline_linux + - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"' + when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout' + + - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'page_poison=([^\s|"])+' + replace: "page_poison=1" + when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout' + when: + - rhel_08_010421 + tags: + - RHEL-08-010421 + - CAT2 + - CCI-001084 + - SRG-OS-000134-GPOS-00068 + - SV-230277r627750_rule + - V-230277 + - grub -# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. 
| Set vsyscall none as active" -# shell: grubby --update-kernel=ALL --args="vsyscall=none" +- name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls." + block: + - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_010422_grub_cmdline_linux -# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX=' -# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"' -# when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout' + - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" + shell: grubby --update-kernel=ALL --args="vsyscall=none" -# - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if exists" -# replace: -# path: /etc/default/grub -# regexp: 'vsyscall=([^\s|"])+' -# replace: "vsyscall=none" -# when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout' -# when: -# - rhel_08_010422 -# tags: -# - RHEL-08-010422 -# - grub + - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"' + when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout' + + - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. 
| Set vsyscall none for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'vsyscall=([^\s|"])+' + replace: "vsyscall=none" + when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout' + when: + - rhel_08_010422 + tags: + - RHEL-08-010422 + - CAT2 + - CCI-001084 + - SV-230278r627750_rule + - V-230278 + - grub -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks." -# block: -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" -# shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel8stig_010423_grub_cmdline_linux +- name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks." + block: + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_010423_grub_cmdline_linux -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" -# shell: grubby --update-kernel=ALL --args="slub_debug=P" + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" + shell: grubby --update-kernel=ALL --args="slub_debug=P" -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. 
| Set slub_debug to P for kernel updates if doesn't exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX=' -# line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"' -# when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout' - -# - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists" -# replace: -# path: /etc/default/grub -# regexp: 'slub_debug=([^\s|"])+' -# replace: "slub_debug=P" -# when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout' -# when: -# - rhel_08_010423 -# tags: -# - RHEL-08-010423 -# - grub - -# - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." -# sysctl: -# name: kernel.randomize_va_space -# value: '2' -# state: present -# reload: "{{ rhel8stig_sysctl_reload }}" -# sysctl_set: yes -# ignoreerrors: yes -# notify: sysctl system -# when: -# - rhel_08_010430 -# tags: -# - RHEL-08-010430 -# - sysctl + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"' + when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout' + + - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. 
| Set slub_debug to P for kernel updates if exists" + replace: + path: /etc/default/grub + regexp: 'slub_debug=([^\s|"])+' + replace: "slub_debug=P" + when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout' + when: + - rhel_08_010423 + tags: + - RHEL-08-010423 + - CAT2 + - CCI-001084 + - SRG-OS-000134-GPOS-00068 + - SV-230279r627750_rule + - V-230279 + - grub + +- name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." + sysctl: + name: kernel.randomize_va_space + value: '2' + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: yes + ignoreerrors: yes + notify: sysctl system + when: + - rhel_08_010430 + tags: + - RHEL-08-010430 + - CAT2 + - CCI-002824 + - SRG-OS-000433-GPOS-00193 + - SV-230280r627750_rule + - V-230280 + - sysctl # - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." # block: From 3b3a20504b65858b9e820561ef888930584b44d7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Aug 2021 13:58:31 +0100 Subject: [PATCH 030/110] Added title comments Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 16 +++++++------- tasks/pre_remediation_audit.yml | 36 ++++++++++++++++---------------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 6bfa7719..aab7a502 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,6 +1,6 @@ --- -- name: "Run post_remediation {{ benchmark }} audit" +- name: "Post Audit | Run post_remediation {{ benchmark }} audit" goss: goss_path: "{{ audit_bin }}" path: "{{ goss_file }}" @@ -11,7 +11,7 @@ environment: GOSS_FMT_OPTIONS: Pretty -- name: ensure audit files readable by users +- name: Post Audit | ensure audit files readable by users file: path: "{{ item }}" mode: 0644 
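Review bot: The RHEL-08-010380 and RHEL-08-010381 `replace` tasks rewrite live sudoers files with no `validate:` argument, so a regex substitution that leaves a file syntactically broken would disable sudo for every user on the host; add `validate: '/usr/sbin/visudo -cf %s'` to both tasks so the edited copy is checked before it is moved into place. The `shell: grubby --update-kernel=ALL ...` tasks under RHEL-08-010421, 010422 and 010423 have no `changed_when`, so they report changed on every run and hide whether the kernel argument was actually missing; gating each on the same test its sibling `lineinfile` task already uses (for example `when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout'`) or adding `changed_when: false` would make the run report honestly. The RHEL-08-010420 audit reads `dmesg` for the NX message, which can be absent on a long-running host whose kernel ring buffer has wrapped and would then print the BIOS alert on a correctly configured system; the cpu flags in `/proc/cpuinfo` are a more stable source for the same check. Minor: `sysctl_set: yes` and `ignoreerrors: yes` in RHEL-08-010430 and the `warn: no` shell args should be written `true`/`false` to match the `changed_when: false` style used elsewhere in the hunk.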
@@ -20,14 +20,14 @@ - "{{ post_audit_outfile }}" - "{{ pre_audit_outfile }}" -- name: Capture audit data if json format +- name: Post Audit | Capture audit data if json format block: - - name: "capture data {{ post_audit_outfile }}" + - name: "Post Audit | capture data {{ post_audit_outfile }}" command: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Capture post-audit result + - name: Post Audit | Capture post-audit result set_fact: post_audit_summary: "{{ post_audit.stdout | from_json |json_query(summary) }}" vars: @@ -35,14 +35,14 @@ when: - audit_format == "json" -- name: Capture audit data if documentation format +- name: Post Audit | Capture audit data if documentation format block: - - name: "capture data {{ post_audit_outfile }}" + - name: "Post Audit | capture data {{ post_audit_outfile }}" command: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Capture post-audit result + - name: Post Audit | Capture post-audit result set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" when: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 1e05b74d..e44584d0 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,19 +1,19 @@ --- -- name: Setup the LE audit +- name: Pre Audit Setup | Setup the LE audit include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit -- name: "Ensure {{ audit_conf_dir }} exists" +- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' -- name: If using git for content set up +- name: Pre Audit Setup | If using git for content set up block: - name: Install git (rh8 python3) package: @@ -21,7 +21,7 @@ state: present when: ansible_distribution_major_version == 8 - - name: Install git (rh7 python2) + - name: Pre Audit Setup | Install git (rh7 python2) package: name: git state: present 
@@ -29,7 +29,7 @@
 ansible_python_interpreter: "{{ python2_bin }}"
 when: ansible_distribution_major_version == 7
- - name: retrieve audit content files from git
+ - name: Pre Audit Setup | retrieve audit content files from git
 git:
 repo: "{{ audit_file_git }}"
 dest: "{{ audit_conf_dir }}"
@@ -37,7 +37,7 @@
 when:
 - audit_content == 'git'
-- name: copy to audit content files to server
+- name: Pre Audit Setup | copy to audit content files to server
 copy:
 src: "{{ audit_local_copy }}"
 dest: "{{ audit_conf_dir }}"
@@ -45,21 +45,21 @@
 when:
 - audit_content == 'copy'
-- name: get audit content from url
+- name: Pre Audit Setup | get audit content from url
 get_url:
 url: "{{ audit_files_url }}"
 dest: "{{ audit_conf_dir }}"
 when:
 - audit_content == 'get_url'
-- name: Check Goss is available
+- name: Pre Audit Setup | Check Goss is available
 block:
- - name: Check for goss file
+ - name: Pre Audit Setup | Check for goss file
 stat:
 path: "{{ audit_bin }}"
 register: goss_available
- - name: If audit ensure goss is available
+ - name: Pre Audit Setup | If audit ensure goss is available
 assert:
 msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 when:
@@ -67,7 +67,7 @@
 when:
 - run_audit
-- name: Copy ansible default vars values to test audit
+- name: Pre Audit Setup | Copy ansible default vars values to test audit
 template:
 src: ansible_vars_goss.yml.j2
 dest: "{{ audit_vars_path }}"
@@ -77,7 +77,7 @@
 tags:
 - goss_template
-- name: "Run pre_remediation {{ benchmark }} audit"
+- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
 goss:
 goss_path: "{{ audit_bin }}"
 path: "{{ goss_file }}"
@@ -88,14 +88,14 @@
 environment:
 GOSS_FMT_OPTIONS: Pretty
-- name: Capture audit data if json format
+- name: Pre Audit | Capture audit data if json format
 block:
- - name: "capture data {{ pre_audit_outfile }}"
+ - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
 command: "cat {{ pre_audit_outfile }}"
 register: pre_audit
 changed_when: false
- - name: Capture pre-audit result
+ - name: Pre Audit | Capture pre-audit result
 set_fact:
 pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}"
 vars:
@@ -103,14 +103,14 @@
 when:
 - audit_format == "json"
-- name: Capture audit data if documentation format
+- name: Pre Audit | Capture audit data if documentation format
 block:
- - name: "capture data {{ pre_audit_outfile }}"
+ - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
 command: "tail -2 {{ pre_audit_outfile }}"
 register: pre_audit
 changed_when: false
- - name: Capture pre-audit result
+ - name: Pre Audit | Capture pre-audit result
 set_fact:
 pre_audit_summary: "{{ pre_audit.stdout_lines }}"
 when:
From 6e5d09d2b63233f220a1c3d8c566209500eee581 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 11 Aug 2021 09:00:24 -0400
Subject: [PATCH 031/110] Updated cat2 51-60
Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 321 ++++++++++++++++++++++++++-------------------
 1 file changed, 183 insertions(+), 138 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 3e0727a9..6c3cf1c5 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1093,154 +1093,199 @@
 - V-230280
 - sysctl
-# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive."
-# block:
-# - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files"
-# find:
-# paths: /etc/ssh
-# recurse: yes
-# file_type: file
-# patterns: 'ssh_host*_key.pub'
-# hidden: true
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010480_public_files
+- name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive."
+ block:
+ - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files"
+ find:
+ paths: /etc/ssh
+ recurse: yes
+ file_type: file
+ patterns: 'ssh_host*_key.pub'
+ hidden: true
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010480_public_files
-# - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions"
-# file:
-# path: "{{ item.path }}"
-# mode: '0644'
-# with_items:
-# - "{{ rhel_08_010480_public_files.files }}"
-# notify: restart sshd
-# when:
-# - rhel_08_010480
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010480
-# - ssh
+ - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions"
+ file:
+ path: "{{ item.path }}"
+ mode: '0644'
+ with_items:
+ - "{{ rhel_08_010480_public_files.files }}"
+ notify: restart sshd
+ when:
+ - rhel_08_010480
+ - rhel8stig_ssh_required
+ tags:
+ - RHEL-08-010480
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230286r627750_rule
+ - V-230286
+ - ssh
-# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive."
-# block:
-# - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files"
-# find:
-# paths: /etc/ssh
-# recurse: yes
-# file_type: file
-# patterns: 'ssh_host*key'
-# hidden: true
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010490_private_host_key_files
+- name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive."
+ block:
+ - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files"
+ find:
+ paths: /etc/ssh
+ recurse: yes
+ file_type: file
+ patterns: 'ssh_host*key'
+ hidden: true
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010490_private_host_key_files
-# - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions"
-# file:
-# path: "{{ item.path }}"
-# mode: '0640'
-# with_items:
-# - "{{ rhel_08_010490_private_host_key_files.files }}"
-# notify: restart sshd
-# when:
-# - rhel_08_010490
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010490
-# - ssh
+ - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions"
+ file:
+ path: "{{ item.path }}"
+ mode: '0640'
+ with_items:
+ - "{{ rhel_08_010490_private_host_key_files.files }}"
+ notify: restart sshd
+ when:
+ - rhel_08_010490
+ - rhel8stig_ssh_required
+ tags:
+ - RHEL-08-010490
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230287r627750_rule
+ - V-230287
+ - ssh
-# - name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '(?i)^#?StrictModes'
-# line: 'StrictModes yes'
-# notify: restart sshd
-# when:
-# - rhel_08_010500
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010500
-# - ssh
+- name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '(?i)^#?StrictModes'
+ line: 'StrictModes yes'
+ notify: restart sshd
+ when:
+ - rhel_08_010500
+ - rhel8stig_ssh_required
+ tags:
+ - RHEL-08-010500
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230288r627750_rule
+ - V-230288
+ - ssh
-# - name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '(?i)^#?Compression'
-# line: 'Compression {{ rhel8stig_sshd_compression }}'
-# notify: restart sshd
-# when:
-# - rhel_08_010510
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010510
-# - ssh
+- name: "MEDIUM | RHEL-08-010510 | PATCH | The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '(?i)^#?Compression'
+ line: 'Compression {{ rhel8stig_sshd_compression }}'
+ notify: restart sshd
+ when:
+ - rhel_08_010510
+ - rhel8stig_ssh_required
+ tags:
+ - RHEL-08-010510
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230289r627750_rule
+ - V-230289
+ - ssh
-# - name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '(?i)^#?IgnoreUserKnownHosts'
-# line: 'IgnoreUserKnownHosts yes'
-# notify: restart sshd
-# when:
-# - rhel_08_010520
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010520
-# - ssh
+- name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '(?i)^#?IgnoreUserKnownHosts'
+ line: 'IgnoreUserKnownHosts yes'
+ notify: restart sshd
+ when:
+ - rhel_08_010520
+ - rhel8stig_ssh_required
+ tags:
+ - RHEL-08-010520
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230290r627750_rule
+ - V-230290
+ - ssh
-# - name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: "{{ item.regexp }}"
-# line: "{{ item.line }}"
-# with_items:
-# - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" }
-# - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" }
-# notify: restart sshd
-# when:
-# - rhel_08_010521
-# tags:
-# - RHEL-08-010521
-# - ssh
+- name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" }
+ - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" }
+ notify: restart sshd
+ when:
+ - rhel_08_010521
+ tags:
+ - RHEL-08-010521
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230291r627750_rule
+ - V-230291
+ - ssh
-# - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory."
-# debug:
-# msg: "WARNING!!!!
/tmp is not mounted on a separate partition"
-# changed_when:
-# - rhel8stig_audit_complex
-# when:
-# - rhel_08_010543
-# - not rhel8stig_system_is_container
-# - rhel8stig_complex
-# - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
-# tags:
-# - RHEL-08-010543
-# - complexity-high
-# - mount
-# - tmp
+- name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory."
+ debug:
+ msg: "WARNING!!!! /tmp is not mounted on a separate partition"
+ changed_when:
+ - rhel8stig_audit_complex
+ when:
+ - rhel_08_010543
+ - not rhel8stig_system_is_container
+ - rhel8stig_complex
+ - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
+ tags:
+ - RHEL-08-010543
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230295r627750_rule
+ - V-230295
+ - complexity-high
+ - mount
+ - tmp
-# - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH."
-# lineinfile:
-# path: /etc/ssh/sshd_config
-# regexp: '(?i)^#?PermitRootLogin'
-# line: 'PermitRootLogin no'
-# notify: restart sshd
-# when:
-# - rhel_08_010550
-# - rhel8stig_ssh_required
-# tags:
-# - RHEL-08-010550
-# - ssh
+- name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH."
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '(?i)^#?PermitRootLogin'
+ line: 'PermitRootLogin no'
+ notify: restart sshd
+ when:
+ - rhel_08_010550
+ - rhel8stig_ssh_required
+ tags:
+ - RHEL-08-010550
+ - CAT2
+ - CCI-000770
+ - SRG-OS-000109-GPOS-00056
+ - SV-230296r627750_rule
+ - V-230296
+ - ssh
-# - name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8."
-# service:
-# name: auditd
-# state: started
-# enabled: yes
-# when:
-# - rhel_08_010560
-# - not rhel8stig_system_is_container
-# tags:
-# - RHEL-08-010560
-# - auditd
+- name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8."
+ service:
+ name: auditd
+ state: started
+ enabled: yes
+ when:
+ - rhel_08_010560
+ - not rhel8stig_system_is_container
+ tags:
+ - RHEL-08-010560
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230297r627750_rule
+ - V-230297
+ - auditd
 # - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8."
 # service:
From 9dd1ac9411249eac2eec57ae14398715f3512dc9 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 11 Aug 2021 10:54:25 -0400
Subject: [PATCH 032/110] Updated cat2 61-70
Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 573 ++++++++++++++++++++++++---------------------
 1 file changed, 311 insertions(+), 262 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 6c3cf1c5..d66a90e4 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
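Review bot: The `lineinfile` edits for RHEL-08-010500, 010510, 010520, 010521 and 010550 change only the last line matching `regexp`, so an `/etc/ssh/sshd_config` with an active `PermitRootLogin yes` above a later commented `#PermitRootLogin` keeps the active line, and because sshd honors the first occurrence of a keyword root login stays enabled after the task reports a change. I'd neutralize duplicates first, e.g. `replace: {path: /etc/ssh/sshd_config, regexp: '^(\s*PermitRootLogin\s.*)$', replace: '#\1'}` before the lineinfile, and add `validate: '/usr/sbin/sshd -t -f %s'` to each of these five tasks so a malformed directive cannot reach the `restart sshd` handler and drop remote access. 010521 is also the only sshd edit here not gated on `rhel8stig_ssh_required`, and 010510 writes `rhel8stig_sshd_compression` unchecked, so guarding it with `when: rhel8stig_sshd_compression in ['no', 'delayed']` keeps the value within what the control allows. The 010490 "Find files" subtask title still says 0600 while the task name and the applied mode are 0640.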
@@ -1287,274 +1287,323 @@
 - V-230297
 - auditd
-# - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8."
-# service:
-# name: rsyslog.service
-# state: started
-# enabled: true
-# when:
-# - rhel_08_010561
-# tags:
-# - RHEL-08-010561
-# - rsyslog
-
-# - name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."
-# mount:
-# path: /home
-# state: mounted
-# src: "{{ home_mount.device }}"
-# fstype: "{{ home_mount.fstype }}"
-# opts: "{{ home_mount.options }},nosuid"
-# when:
-# - rhel_08_010570
-# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
-# - "'nosuid' not in home_mount.options"
-# vars:
-# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
-# tags:
-# - RHEL-08-010570
-# - mounts
-# - home
-
-# - name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory."
-# mount:
-# path: /boot
-# state: mounted
-# src: "{{ boot_mount.device }}"
-# fstype: "{{ boot_mount.fstype }}"
-# opts: "{{ boot_mount.options }},nosuid"
-# when:
-# - rhel_08_010571
-# - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0
-# - "'nosuid' not in boot_mount.options"
-# vars:
-# boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}"
-# tags:
-# - RHEL-08-010571
-# - mounts
-# - boot
-
-# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions."
-# block:
-# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions.
| Get mounts"
-# shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g'
-# args:
-# warn: no
-# changed_when: no
-# check_mode: no
-# register: rhel8stig_010580_mounts_nodev
-
-# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results"
-# set_fact:
-# rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}"
-
-# with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}"
-# vars:
-# ld_mount_regex: >-
-# ^(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)
-# ld_mount_yaml: |
-# device: >-4
-# \g
-# mpoint: >-4
-# \g
-# fs: >-4
-# \g
-# opts: >-4
-# \g
-# when: rhel8stig_010580_mounts_nodev.stdout | length > 0
-
-# - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value"
-# mount:
-# path: "{{ item.mpoint }}"
-# state: mounted
-# src: "{{ item.device }}"
-# fstype: "{{ item.fs }}"
-# opts: "{{ item.opts }},nodev"
-# with_items:
-# - "{{ rhel8stig_010580_mounts | default([]) }}"
-# when:
-# - item.device != "/"
-# - "'odev' not in item.opts"
-# - rhel8stig_010580_mounts_nodev.stdout | length > 0
-# when:
-# - rhel_08_010580
-# tags:
-# - RHEL-08-010580
-# - mounts
-# - non-root
-
-# - name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories."
-# mount:
-# path: /home
-# state: mounted
-# src: "{{ home_mount.device }}"
-# fstype: "{{ home_mount.fstype }}"
-# opts: "{{ home_mount.options }},noexec"
-# when:
-# - rhel_08_010590
-# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
-# - "'noexec' not in home_mount.options"
-# vars:
-# home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
-# tags:
-# - RHEL-08-010590
-# - mounts
-# - home
-
-# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media."
-# block:
-# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media"
-# mount:
-# path: /media
-# state: mounted
-# src: "{{ removable_mount.device }}"
-# fstype: "{{ removable_mount.fstype }}"
-# opts: "{{ removable_mount.options }},nodev"
-# when:
-# - rhel_08_010600
-# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
-# - "'nodev' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
-# - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media.
| Set nodev to /mnt"
-# mount:
-# path: /mnt
-# state: mounted
-# src: "{{ removable_mount2.device }}"
-# fstype: "{{ removable_mount2.fstype }}"
-# opts: "{{ removable_mount2.options }},nodev"
-# when:
-# - rhel_08_010600
-# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
-# - "'nodev' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
-# when:
-# - rhel_08_010600
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# tags:
-# - RHEL-08-010600
-# - mounts
-# - media
+- name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8."
+ service:
+ name: rsyslog.service
+ state: started
+ enabled: true
+ when:
+ - rhel_08_010561
+ tags:
+ - RHEL-08-010561
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230298r627750_rule
+ - V-230298
+ - rsyslog
+
+- name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."
+ mount:
+ path: /home
+ state: mounted
+ src: "{{ home_mount.device }}"
+ fstype: "{{ home_mount.fstype }}"
+ opts: "{{ home_mount.options }},nosuid"
+ when:
+ - rhel_08_010570
+ - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
+ - "'nosuid' not in home_mount.options"
+ vars:
+ home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
+ tags:
+ - RHEL-08-010570
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230299r627750_rule
+ - V-230299
+ - mounts
+ - home
+
+- name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory."
+ mount:
+ path: /boot
+ state: mounted
+ src: "{{ boot_mount.device }}"
+ fstype: "{{ boot_mount.fstype }}"
+ opts: "{{ boot_mount.options }},nosuid"
+ when:
+ - rhel_08_010571
+ - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0
+ - "'nosuid' not in boot_mount.options"
+ vars:
+ boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}"
+ tags:
+ - RHEL-08-010571
+ - CAT2
+ - CCI-000366
+ - SV-230300r627750_rule
+ - V-230300
+ - mounts
+ - boot
-# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media."
-# block:
-# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /media"
-# mount:
-# path: /media
-# state: mounted
-# src: "{{ removable_mount.device }}"
-# fstype: "{{ removable_mount.fstype }}"
-# opts: "{{ removable_mount.options }},noexec"
-# when:
-# - rhel_08_010600
-# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
-# - "'noexec' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+- name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions."
+ block:
+ - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts"
+ shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g'
+ args:
+ warn: no
+ changed_when: no
+ check_mode: no
+ register: rhel8stig_010580_mounts_nodev
+
+ - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions.
| Split results"
+ set_fact:
+ rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}"
+
+ with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}"
+ vars:
+ ld_mount_regex: >-
+ ^(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)\s(?P[^'']*)
+ ld_mount_yaml: |
+ device: >-4
+ \g
+ mpoint: >-4
+ \g
+ fs: >-4
+ \g
+ opts: >-4
+ \g
+ when: rhel8stig_010580_mounts_nodev.stdout | length > 0
+
+ - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value"
+ mount:
+ path: "{{ item.mpoint }}"
+ state: mounted
+ src: "{{ item.device }}"
+ fstype: "{{ item.fs }}"
+ opts: "{{ item.opts }},nodev"
+ with_items:
+ - "{{ rhel8stig_010580_mounts | default([]) }}"
+ when:
+ - item.device != "/"
+ - "'odev' not in item.opts"
+ - rhel8stig_010580_mounts_nodev.stdout | length > 0
+ when:
+ - rhel_08_010580
+ tags:
+ - RHEL-08-010580
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230301r627750_rule
+ - V-230301
+ - mounts
+
+- name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories."
+ mount:
+ path: /home
+ state: mounted
+ src: "{{ home_mount.device }}"
+ fstype: "{{ home_mount.fstype }}"
+ opts: "{{ home_mount.options }},noexec"
+ when:
+ - rhel_08_010590
+ - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
+ - "'noexec' not in home_mount.options"
+ vars:
+ home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"
+ tags:
+ - RHEL-08-010590
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230302r627750_rule
+ - V-230302
+ - mounts
+ - home
-# - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media.
| Set noexec to /mnt"
-# mount:
-# path: /mnt
-# state: mounted
-# src: "{{ removable_mount2.device }}"
-# fstype: "{{ removable_mount2.fstype }}"
-# opts: "{{ removable_mount2.options }},noexec"
-# when:
-# - rhel_08_010610
-# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
-# - "'noexec' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
-# when:
-# - rhel_08_010610
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# tags:
-# - RHEL-08-010610
-# - mounts
-# - media
+- name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media."
+ block:
+ - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media"
+ mount:
+ path: /media
+ state: mounted
+ src: "{{ removable_mount.device }}"
+ fstype: "{{ removable_mount.fstype }}"
+ opts: "{{ removable_mount.options }},nodev"
+ when:
+ - rhel_08_010600
+ - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+ - "'nodev' not in home_mount.options"
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ vars:
+ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+ - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media.
| Set nodev to /mnt"
+ mount:
+ path: /mnt
+ state: mounted
+ src: "{{ removable_mount2.device }}"
+ fstype: "{{ removable_mount2.fstype }}"
+ opts: "{{ removable_mount2.options }},nodev"
+ when:
+ - rhel_08_010600
+ - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+ - "'nodev' not in home_mount.options"
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ vars:
+ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+ when:
+ - rhel_08_010600
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ tags:
+ - RHEL-08-010600
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230303r627750_rule
+ - V-230303
+ - mounts
+ - media
-# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
-# block:
-# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media"
-# mount:
-# path: /media
-# state: mounted
-# src: "{{ removable_mount.device }}"
-# fstype: "{{ removable_mount.fstype }}"
-# opts: "{{ removable_mount.options }},nosuid"
-# when:
-# - rhel_08_010620
-# - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
-# - "'nosuid' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+- name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media."
+ block:
+ - name: "MEDIUM | RHEL-08-010610 | PATCH | RHE8 must prevent code from being executed on file systems that are used with removable media.
| Set noexec to /media"
+ mount:
+ path: /media
+ state: mounted
+ src: "{{ removable_mount.device }}"
+ fstype: "{{ removable_mount.fstype }}"
+ opts: "{{ removable_mount.options }},noexec"
+ when:
+ - rhel_08_010600
+ - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+ - "'noexec' not in home_mount.options"
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ vars:
+ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+ - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt"
+ mount:
+ path: /mnt
+ state: mounted
+ src: "{{ removable_mount2.device }}"
+ fstype: "{{ removable_mount2.fstype }}"
+ opts: "{{ removable_mount2.options }},noexec"
+ when:
+ - rhel_08_010610
+ - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+ - "'noexec' not in home_mount.options"
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ vars:
+ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+ when:
+ - rhel_08_010610
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ tags:
+ - RHEL-08-010610
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230304r627750_rule
+ - V-230304
+ - mounts
+ - media
-# - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
| Set nosuid to /mnt"
-# mount:
-# path: /mnt
-# state: mounted
-# src: "{{ removable_mount2.device }}"
-# fstype: "{{ removable_mount2.fstype }}"
-# opts: "{{ removable_mount2.options }},nosuid"
-# when:
-# - rhel_08_010620
-# - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
-# - "'nosuid' not in home_mount.options"
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# vars:
-# removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
-# when:
-# - rhel_08_010620
-# - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
-# tags:
-# - RHEL-08-010620
-# - mounts
-# - media
+- name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
+ block:
+ - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media"
+ mount:
+ path: /media
+ state: mounted
+ src: "{{ removable_mount.device }}"
+ fstype: "{{ removable_mount.fstype }}"
+ opts: "{{ removable_mount.options }},nosuid"
+ when:
+ - rhel_08_010620
+ - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
+ - "'nosuid' not in home_mount.options"
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ vars:
+ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+
+ - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
| Set nosuid to /mnt"
+ mount:
+ path: /mnt
+ state: mounted
+ src: "{{ removable_mount2.device }}"
+ fstype: "{{ removable_mount2.fstype }}"
+ opts: "{{ removable_mount2.options }},nosuid"
+ when:
+ - rhel_08_010620
+ - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
+ - "'nosuid' not in home_mount.options"
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ vars:
+ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+ when:
+ - rhel_08_010620
+ - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)
+ tags:
+ - RHEL-08-010620
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230305r627750_rule
+ - V-230305
+ - mounts
+ - media
-# - name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)."
-# mount:
-# path: "{{ item }}"
-# src: "{{ ansible_mounts | json_query(device_query) }}"
-# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
-# opts: "{{ ansible_mounts | json_query(options_query) }},noexec"
-# state: mounted
-# vars:
-# device_query: '[?mount == `{{ item }}`] | [0].device'
-# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
-# options_query: '[?mount == `{{ item }}`] | [0].options'
-# with_items: "{{ rhel8stig_nfs_mounts }}"
-# when:
-# - rhel_08_010630
-# - "'noexec' not in (ansible_mounts | json_query(options_query))"
-# tags:
-# - RHEL-08-010630
-# - mounts
-# - nfs
+- name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)."
+ mount:
+ path: "{{ item }}"
+ src: "{{ ansible_mounts | json_query(device_query) }}"
+ fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+ opts: "{{ ansible_mounts | json_query(options_query) }},noexec"
+ state: mounted
+ vars:
+ device_query: '[?mount == `{{ item }}`] | [0].device'
+ fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+ options_query: '[?mount == `{{ item }}`] | [0].options'
+ with_items: "{{ rhel8stig_nfs_mounts }}"
+ when:
+ - rhel_08_010630
+ - "'noexec' not in (ansible_mounts | json_query(options_query))"
+ tags:
+ - RHEL-08-010630
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230306r627750_rule
+ - V-230306
+ - mounts
+ - nfs
-# - name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)."
-# mount:
-# path: "{{ item }}"
-# src: "{{ ansible_mounts | json_query(device_query) }}"
-# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
-# opts: "{{ ansible_mounts | json_query(options_query) }},nodev"
-# state: mounted
-# vars:
-# device_query: '[?mount == `{{ item }}`] | [0].device'
-# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
-# options_query: '[?mount == `{{ item }}`] | [0].options'
-# with_items: "{{ rhel8stig_nfs_mounts }}"
-# when:
-# - rhel_08_010640
-# - "'nodev' not in (ansible_mounts | json_query(options_query))"
-# tags:
-# - RHEL-08-010640
+- name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)."
+ mount:
+ path: "{{ item }}"
+ src: "{{ ansible_mounts | json_query(device_query) }}"
+ fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+ opts: "{{ ansible_mounts | json_query(options_query) }},nodev"
+ state: mounted
+ vars:
+ device_query: '[?mount == `{{ item }}`] | [0].device'
+ fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+ options_query: '[?mount == `{{ item }}`] | [0].options'
+ with_items: "{{ rhel8stig_nfs_mounts }}"
+ when:
+ - rhel_08_010640
+ - "'nodev' not in (ansible_mounts | json_query(options_query))"
+ tags:
+ - RHEL-08-010640
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230307r627750_rule
+ - V-230307
+ - nfs
 # - name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)"
 # mount:
From 3c60e2332e625535e73e4d1077d95a6f01a61e53 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 11 Aug 2021 11:06:00 -0400
Subject: [PATCH 033/110] Updated cat2 71-80
Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 508 +++++++++++++++++++++++++--------------------
 1 file changed, 281 insertions(+), 227 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index d66a90e4..eac4bc41 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
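Review bot: The `/media` and `/mnt` subtasks of RHEL-08-010600, 010610 and 010620 test `'nodev' not in home_mount.options` (and likewise `'noexec'`/`'nosuid'`), but `home_mount` is only defined as a task-level var on 010570 and 010590, so unless it is defined somewhere outside this file, on a host where `/media` or `/mnt` is a real mount point the `when` errors on an undefined variable instead of applying the option; each subtask should read its own var, `- "'nodev' not in removable_mount.options"` for `/media` and `removable_mount2.options` for `/mnt`. The "Set noexec to /media" subtask of 010610 is also gated on `rhel_08_010600` rather than `- rhel_08_010610`, so disabling 010600 silently skips that fix. In 010580 the "Split results" `set_fact` carries a `with_items` over `stdout_lines` that the task never reads, re-evaluating the same expression once per mount, and the later `"'odev' not in item.opts"` check presumably means `'nodev'` and should say so. The `not (rhel8stig_system_is_chroot and rhel8stig_system_is_container)` guard only skips when both are true; if the intent is to skip in either environment, `or` is needed here.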
@@ -1603,252 +1603,306 @@
 - SRG-OS-000480-GPOS-00227
 - SV-230307r627750_rule
 - V-230307
+ - mounts
 - nfs
-# - name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)"
-# mount:
-# path: "{{ item }}"
-# src: "{{ ansible_mounts | json_query(device_query) }}"
-# fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
-# opts: "{{ ansible_mounts | json_query(options_query) }},nosuid"
-# state: mounted
-# vars:
-# device_query: '[?mount == `{{ item }}`] | [0].device'
-# fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
-# options_query: '[?mount == `{{ item }}`] | [0].options'
-# with_items: "{{ rhel8stig_nfs_mounts }}"
-# when:
-# - rhel_08_010650
-# - "'nosuid' not in (ansible_mounts | json_query(options_query))"
-# tags:
-# - RHEL-08-010650
-
-# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs."
-# block:
-# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions"
-# shell: find {{ item.mount }} -xdev -type f -perm -002
-# args:
-# warn: no
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010660_world_writable_files
-# with_items:
-# - "{{ ansible_mounts }}"
-
-# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening"
-# set_fact:
-# rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}"
-
-# - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs.
| Compare to home directories"
-# include_tasks: audit_homedirinifiles.yml
-# loop:
-# - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
-# loop_control:
-# loop_var: ini_item
-# when:
-# - rhel_08_010660_change_perms != []
+- name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)"
+ mount:
+ path: "{{ item }}"
+ src: "{{ ansible_mounts | json_query(device_query) }}"
+ fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
+ opts: "{{ ansible_mounts | json_query(options_query) }},nosuid"
+ state: mounted
+ vars:
+ device_query: '[?mount == `{{ item }}`] | [0].device'
+ fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
+ options_query: '[?mount == `{{ item }}`] | [0].options'
+ with_items: "{{ rhel8stig_nfs_mounts }}"
+ when:
+ - rhel_08_010650
+ - "'nosuid' not in (ansible_mounts | json_query(options_query))"
+ tags:
+ - RHEL-08-010650
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230308r627750_rule
+ - V-230308
+ - mounts
+ - nfs
-# - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
-# file:
-# path: "{{ item }}"
-# mode: '0755'
-# state: file
-# with_items:
-# - "{{ rhel_08_010660_change_perms }}"
-# when:
-# - rhel_08_010660_change_perms != []
-# when:
-# - rhel_08_010660
-# - rhel8stig_disruption_high
-# # - rhel_08_stig_interactive_homedir_inifiles is defined
-# tags:
-# - RHEL-08-010660
+- name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs."
+ block:
+ - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs.
| Find world-writable files on all partitions"
+ shell: find {{ item.mount }} -xdev -type f -perm -002
+ args:
+ warn: no
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010660_world_writable_files
+ with_items:
+ - "{{ ansible_mounts }}"
-# - name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed."
-# service:
-# name: kdump
-# enabled: no
-# state: stopped
-# when:
-# - rhel_08_010670
-# - not rhel8stig_kdump_needed
-# tags:
-# - RHEL-08-010670
-# - kdump
+ - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening"
+ set_fact:
+ rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}"
+
+ - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories"
+ include_tasks: audit_homedirinifiles.yml
+ loop:
+ - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+ loop_control:
+ loop_var: ini_item
+ when:
+ - rhel_08_010660_change_perms != []
-# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
-# block:
-# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if using numbered link files"
-# lineinfile:
-# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
-# regexp: '^kernel.core_pattern ='
-# line: "kernel.core_pattern = |/bin/false"
-# notify: sysctl system
-# when:
-# - rhel8stig_sysctlconf_filename.matched > 0
-# - rhel8stig_sysctlconf_filename.files[0].islnk
+ - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs.
| Set permissions"
+ file:
+ path: "{{ item }}"
+ mode: '0755'
+ state: file
+ with_items:
+ - "{{ rhel_08_010660_change_perms }}"
+ when:
+ - rhel_08_010660_change_perms != []
+ when:
+ - rhel_08_010660
+ - rhel8stig_disruption_high
+ # - rhel_08_stig_interactive_homedir_inifiles is defined
+ tags:
+ - RHEL-08-010660
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230309r627750_rule
+ - V-230309
+ - permissions
-# - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if no numbered link files"
-# lineinfile:
-# path: /etc/sysctl.conf
-# regexp: '^kernel.core_pattern ='
-# line: "kernel.core_pattern = |/bin/false"
-# notify: sysctl system
-# when:
-# - rhel8stig_sysctlconf_filename.matched == 0 or
-# not rhel8stig_sysctlconf_filename.files[0].islnk
-# when:
-# - rhel_08_010671
-# tags:
-# - RHEL-08-010671
-# - sysctl
+- name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed."
+ service:
+ name: kdump
+ enabled: no
+ state: stopped
+ when:
+ - rhel_08_010670
+ - not rhel8stig_kdump_needed
+ tags:
+ - RHEL-08-010670
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230310r627750_rule
+ - V-230310
+ - kdump
-# - name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps."
-# systemd:
-# name: systemd-coredump.socket
-# masked: yes
-# daemon_reload: yes
-# notify: systemctl daemon-reload
-# when:
-# - rhel_08_010672
-# tags:
-# - RHEL-08-010672
-# - systemd
+- name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
+ block:
+ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern.
| Set kernel core pattern if using numbered link files"
+ lineinfile:
+ path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}"
+ regexp: '^kernel.core_pattern ='
+ line: "kernel.core_pattern = |/bin/false"
+ notify: sysctl system
+ when:
+ - rhel8stig_sysctlconf_filename.matched > 0
+ - rhel8stig_sysctlconf_filename.files[0].islnk
-# - name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users."
-# lineinfile:
-# path: /etc/security/limits.conf
-# regexp: '^\*.*hard.*core'
-# line: "* hard core 0"
-# insertbefore: '# End of file'
-# when:
-# - rhel_08_010673
-# tags:
-# - RHEL-08-010673
-# - security
-# - limits
+ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern. | Set kernel core pattern if no numbered link files"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^kernel.core_pattern ='
+ line: "kernel.core_pattern = |/bin/false"
+ notify: sysctl system
+ when:
+ - rhel8stig_sysctlconf_filename.matched == 0 or
+ not rhel8stig_sysctlconf_filename.files[0].islnk
+ when:
+ - rhel_08_010671
+ tags:
+ - RHEL-08-010671
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230311r627750_rule
+ - V-230311
+ - sysctl
-# - name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps."
-# lineinfile:
-# path: /etc/systemd/coredump.conf
-# regexp: '^(S|s)torage=|#(S|s)torage='
-# line: "Storage=none"
-# when:
-# - rhel_08_010674
-# tags:
-# - RHEL-08-010674
-# - systemd
+- name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps."
+ systemd:
+ name: systemd-coredump.socket
+ masked: yes
+ daemon_reload: yes
+ notify: systemctl daemon-reload
+ when:
+ - rhel_08_010672
+ tags:
+ - RHEL-08-010672
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230312r627750_rule
+ - V-230312
+ - systemd
-# - name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces."
-# lineinfile:
-# path: /etc/systemd/coredump.conf
-# regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax='
-# line: "ProcessSizeMax=0"
-# when:
-# - rhel_08_010675
-# tags:
-# - RHEL-08-010675
-# - systemd
+- name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users."
+ lineinfile:
+ path: /etc/security/limits.conf
+ regexp: '^\*.*hard.*core'
+ line: "* hard core 0"
+ insertbefore: '# End of file'
+ when:
+ - rhel_08_010673
+ tags:
+ - RHEL-08-010673
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230313r627750_rul
+ - V-230313
+ - security
+ - limits
-# # NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service.
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."
-# block:
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf"
-# shell: grep "dns" /etc/nsswitch.conf | grep -v "#"
-# changed_when: no
-# failed_when: false
-# check_mode: no
-# register: rhel_08_010680_nsswitch_check
+- name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps."
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ regexp: '^(S|s)torage=|#(S|s)torage='
+ line: "Storage=none"
+ when:
+ - rhel_08_010674
+ tags:
+ - RHEL-08-010674
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230314r627750_rule
+ - V-230314
+ - systemd
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
| Determine if networkmanager is setting /etc/resolv.conf"
-# command: grep -c "# Generated by NetworkManager" /etc/resolv.conf
-# changed_when: no
-# failed_when: false
-# check_mode: no
-# register: rhel_08_010680_networkmanager_check
+- name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces."
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax='
+ line: "ProcessSizeMax=0"
+ when:
+ - rhel_08_010675
+ tags:
+ - RHEL-08-010675
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230315r627750_rule
+ - V-230315
+ - systemd
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf"
-# shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l
-# changed_when: no
-# failed_when: false
-# check_mode: no
-# register: rhel_08_010680_nameserver_count
+# NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service.
+- name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."
+ block:
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf"
+ shell: grep "dns" /etc/nsswitch.conf | grep -v "#"
+ changed_when: no
+ failed_when: false
+ check_mode: no
+ register: rhel_08_010680_nsswitch_check
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
| Change resolv.conf if dns is not present in nsswitch.conf"
-# shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf
-# when:
-# - "'dns' not in rhel_08_010680_nsswitch_check.stdout"
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf"
+ command: grep -c "# Generated by NetworkManager" /etc/resolv.conf
+ changed_when: no
+ failed_when: false
+ check_mode: no
+ register: rhel_08_010680_networkmanager_check
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf"
-# lineinfile:
-# dest: /etc/resolv.conf
-# regexp: "{{ item.regexp }}"
-# line: "nameserver {{ item.line }}"
-# insertafter: "{{ item.after }}"
-# with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers
-# - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search }
-# - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
-# # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
-# when:
-# - not rhel8_stig_use_resolv_template
-# - rhel_08_010680_networkmanager_check.stdout == '0'
-# - rhel_08_010680_nameserver_count.stdout | int >= 2
-
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
| Set resolv.conf using a template when not NetworkManager controlled"
-# template:
-# src: resolv.conf.j2
-# dest: /etc/resolv.conf
-# owner: root
-# group: root
-# mode: 0644
-# when:
-# - rhel_08_010680_networkmanager_check.stdout == '0'
-# - rhel8_stig_use_resolv_template
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf"
+ shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l
+ changed_when: no
+ failed_when: false
+ check_mode: no
+ register: rhel_08_010680_nameserver_count
-# - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp."
-# debug:
-# msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations."
-# changed_when: true
-# when:
-# - rhel_08_010680_networkmanager_check.stdout != '0' or rhel_08_010680_nameserver_count.stdout| int < 2
-# - not rhel8_stig_use_resolv_template
-# when:
-# - rhel_08_010680
-# - not rhel8stig_system_is_chroot
-# - not rhel8stig_system_is_container
-# - not system_is_ec2
-# tags:
-# - RHEL-08-010680
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf"
+ shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf
+ when:
+ - "'dns' not in rhel_08_010680_nsswitch_check.stdout"
-# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
-# block:
-# - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files"
-# shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
-# with_items: "{{ rhel_08_stig_interactive_homedir_results }}"
-# register: rhel_08_010690_ini_path_grep_list
-# changed_when: no
-# failed_when: false
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf"
+ lineinfile:
+ dest: /etc/resolv.conf
+ regexp: "{{ item.regexp }}"
+ line: "nameserver {{ item.line }}"
+ insertafter: "{{ item.after }}"
+ with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers
+ - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search }
+ - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
+ # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
+ when:
+ - not rhel8_stig_use_resolv_template
+ - rhel_08_010680_networkmanager_check.stdout == '0'
+ - rhel_08_010680_nameserver_count.stdout | int >= 2
+
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
| Set resolv.conf using a template when not NetworkManager controlled"
+ template:
+ src: resolv.conf.j2
+ dest: /etc/resolv.conf
+ owner: root
+ group: root
+ mode: 0644
+ when:
+ - rhel_08_010680_networkmanager_check.stdout == '0'
+ - rhel8_stig_use_resolv_template
-# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
-# debug:
-# msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory.
-# with_items:
-# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp."
+ debug:
+ msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations."
+ changed_when: true
+ when:
+ - rhel_08_010680_networkmanager_check.stdout != '0' or rhel_08_010680_nameserver_count.stdout| int < 2
+ - not rhel8_stig_use_resolv_template
+ when:
+ - rhel_08_010680
+ - not rhel8stig_system_is_chroot
+ - not rhel8stig_system_is_container
+ - not system_is_ec2
+ tags:
+ - RHEL-08-010680
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230316r627750_rule
+ - V-230316
+ - dns
-# - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
-# lineinfile:
-# path: "{{ item }}"
-# regexp: "^PATH="
-# line: "{{ rhel_08_010690_user_path }}"
-# with_items:
-# - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
-# when:
-# - rhel_08_010690
-# - rhel8stig_disruption_high
-# - rhel8stig_change_user_path
-# tags:
-# - RHEL-08-010690
-# - complexity-high
+- name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+ block:
+ - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files"
+ shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
+ with_items: "{{ rhel_08_stig_interactive_homedir_results }}"
+ register: rhel_08_010690_ini_path_grep_list
+ changed_when: no
+ failed_when: false
+
+ - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+ debug:
+ msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory.
+ with_items:
+ - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+
+ - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
+ lineinfile:
+ path: "{{ item }}"
+ regexp: "^PATH="
+ line: "{{ rhel_08_010690_user_path }}"
+ with_items:
+ - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
+ when:
+ - rhel_08_010690
+ - rhel8stig_disruption_high
+ - rhel8stig_change_user_path
+ tags:
+ - RHEL-08-010690
+ - CAT2
+ - CCI-000366
+ - SV-230317r627750_rule
+ - V-230317
+ - complexity-high
 # - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
 # block:
From 185bde5a4ccde30d0432dc11d25e579411da6e1d Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 11 Aug 2021 11:17:28 -0400
Subject: [PATCH 034/110] Updated cat2 81-90
Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 382 ++++++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 219 insertions(+), 163 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index eac4bc41..5a275cee 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
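Review bot: The RHEL-08-010673 tag list carries `- SV-230313r627750_rul`, missing the trailing `e` that every other rule tag in this hunk has, so `--tags SV-230313r627750_rule` silently skips that task; it should read `- SV-230313r627750_rule`. The RHEL-08-010690 tasks build their loop from `map(attribute='stdout_lines') | list`, which yields a list of per-home lists, so `{{ item }}` in the debug and lineinfile tasks is a list rendered as a string rather than a file path — the RHEL-08-010660 block in this same hunk uses `| flatten` for the same shape and the two should match. The RHEL-08-010680 sub-task `shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf` has no `changed_when`, so it reports changed on every run, and the immutable bit it sets could make the later lineinfile/template writes to the same file in this block fail, since those tasks are not conditioned on the nsswitch result; a short comment on why the file is made immutable, plus a `changed_when` and a guard on the later writers, would help. RHEL-08-010690 is also the only task here without the `SRG-OS-000480-GPOS-00227` tag, which may be intentional but is worth confirming.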
@@ -1904,185 +1904,241 @@
 - V-230317
 - complexity-high
-# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
-# block:
-# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories"
-# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010700_world_writable_directories
+- name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
+ block:
+ - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories"
+ command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010700_world_writable_directories
-# - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions"
-# file:
-# path: "{{ item }}"
-# owner: root
-# with_items:
-# - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}"
-# when: rhel_08_010700_world_writable_directories.stdout | length > 0
-# when:
-# - rhel_08_010700
-# tags:
-# - RHEL-08-010700
+ - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group.
| Set permissions"
+ file:
+ path: "{{ item }}"
+ owner: root
+ with_items:
+ - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}"
+ when: rhel_08_010700_world_writable_directories.stdout | length > 0
+ when:
+ - rhel_08_010700
+ tags:
+ - RHEL-08-010700
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230318r627750_rule
+ - V-230318
+ - permissions
-# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."
-# block:
-# - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories"
-# command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010710_world_writable_directories
+- name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."
+ block:
+ - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories"
+ command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010710_world_writable_directories
-# - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group.
| Set permissions"
-# file:
-# path: "{{ item }}"
-# group: root
-# with_items:
-# - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}"
-# when: rhel_08_010710_world_writable_directories.stdout | length > 0
-# when:
-# - rhel_08_010710
-# tags:
-# - RHEL-08-010710
+ - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions"
+ file:
+ path: "{{ item }}"
+ group: root
+ with_items:
+ - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}"
+ when: rhel_08_010710_world_writable_directories.stdout | length > 0
+ when:
+ - rhel_08_010710
+ tags:
+ - RHEL-08-010710
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230319r627750_rule
+ - V-230319
+ - permissions
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."
-# block:
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory"
-# shell: pwck -r | grep user | cut -f2 -d"'"
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010720_users_no_home_dir
+- name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."
+ block:
+ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory"
+ shell: pwck -r | grep user | cut -f2 -d"'"
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010720_users_no_home_dir
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file.
| Get interactive users with no home directory"
-# shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}'
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010720_user_list
+ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory"
+ shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}'
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010720_user_list
-# - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list"
-# debug:
-# msg:
-# - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards"
-# - "{{ rhel_08_010720_user_list.stdout_lines }}"
-# when: rhel_08_010720_user_list.stdout | length > 0
-# when:
-# - rhel_08_010720
-# tags:
-# - RHEL-08-010720
+ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list"
+ debug:
+ msg:
+ - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards"
+ - "{{ rhel_08_010720_user_list.stdout_lines }}"
+ when: rhel_08_010720_user_list.stdout | length > 0
+ when:
+ - rhel_08_010720
+ tags:
+ - RHEL-08-010720
+ - CAT2
+ - CCI-000366
+ - SV-230320r627750_rule
+ - V-230320
-# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
-# block:
-# - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
-# shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd)
-# changed_when: false
-# failed_when: false
-# register: rhel_08_010730_home_directories
+- name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+ block:
+ - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+ shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd)
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010730_home_directories
-# - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
-# file:
-# path: "{{ item }}"
-# mode: 0750
-# with_items:
-# - "{{ rhel_08_010730_home_directories.stdout_lines }}"
-# when: rhel_08_010730_home_directories.stdout | length > 0
-# when:
-# - rhel_08_010730
-# tags:
-# - RHEL-08-010730
+ - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
+ file:
+ path: "{{ item }}"
+ mode: 0750
+ with_items:
+ - "{{ rhel_08_010730_home_directories.stdout_lines }}"
+ when: rhel_08_010730_home_directories.stdout | length > 0
+ when:
+ - rhel_08_010730
+ tags:
+ - RHEL-08-010730
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230321r627750_rule
+ - V-230321
+ - permissions
-# - name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."
-# file:
-# path: "{{ item.dir }}"
-# group: "{{ item.gid }}"
-# state: directory
-# with_items: "{{ rhel8stig_passwd }}"
-# loop_control:
-# label: "{{ rhel8stig_passwd_label }}"
-# when:
-# - rhel_08_010740
-# - item.uid >= rhel8stig_interactive_uid_start
-# tags:
-# - skip_ansible_lint
-# - RHEL-08-010740
+- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."
+ file:
+ path: "{{ item.dir }}"
+ group: "{{ item.gid }}"
+ state: directory
+ with_items: "{{ rhel8stig_passwd }}"
+ loop_control:
+ label: "{{ rhel8stig_passwd_label }}"
+ when:
+ - rhel_08_010740
+ - item.uid >= rhel8stig_interactive_uid_start
+ tags:
+ - skip_ansible_lint
+ - RHEL-08-010740
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230322r627750_rule
+ - V-230322
+ - permissions
-# - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."
-# file:
-# path: "{{ item.dir }}"
-# state: directory
-# with_items: "{{ rhel8stig_passwd }}"
-# loop_control:
-# label: "{{ rhel8stig_passwd_label }}"
-# when:
-# - rhel_08_010750
-# - item.uid >= rhel8stig_interactive_uid_start
-# tags:
-# - skip_ansible_lint
-# - RHEL-08-010750
+- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."
+ file:
+ path: "{{ item.dir }}"
+ state: directory
+ with_items: "{{ rhel8stig_passwd }}"
+ loop_control:
+ label: "{{ rhel8stig_passwd_label }}"
+ when:
+ - rhel_08_010750
+ - item.uid >= rhel8stig_interactive_uid_start
+ tags:
+ - skip_ansible_lint
+ - RHEL-08-010750
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-230323r627750_rule
+ - V-230323
+ - permissions
-# - name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
-# lineinfile: -# path: /etc/login.defs -# regexp: '.*?CREATE_HOME.*' -# line: CREATE_HOME yes -# when: -# - rhel_08_010760 -# tags: -# - RHEL-08-010760 -# - login -# - home +- name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." + lineinfile: + path: /etc/login.defs + regexp: '.*?CREATE_HOME.*' + line: CREATE_HOME yes + when: + - rhel_08_010760 + tags: + - RHEL-08-010760 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230324r627750_rule + - V-230324 + - login + - home -# - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." -# file: -# path: "{{ item }}" -# mode: 0740 -# with_items: -# - "{{ rhel_08_stig_interactive_homedir_inifiles }}" -# when: -# - rhel_08_010770 -# - rhel8stig_disruption_high -# - rhel_08_stig_interactive_homedir_inifiles is defined -# tags: -# - RHEL-08-010770 -# - complexity-high +- name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." + file: + path: "{{ item }}" + mode: 0740 + with_items: + - "{{ rhel_08_stig_interactive_homedir_inifiles }}" + when: + - rhel_08_010770 + - rhel8stig_disruption_high + - rhel_08_stig_interactive_homedir_inifiles is defined + tags: + - RHEL-08-010770 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230325r627750_rule + - V-230325 + - complexity-high -# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner." -# block: -# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files" -# shell: find / -nouser -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel_08_010780_nouser_files +- name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner." 
+ block: + - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files" + shell: find / -nouser + args: + warn: no + changed_when: false + failed_when: false + register: rhel_08_010780_nouser_files -# - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files" -# debug: -# msg: -# - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner" -# - "{{ rhel_08_010780_nouser_files.stdout_lines }}" -# when: rhel_08_010780_nouser_files.stdout | length > 0 -# when: -# - rhel_08_010780 -# tags: -# - RHEL-08-010780 + - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files" + debug: + msg: + - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner" + - "{{ rhel_08_010780_nouser_files.stdout_lines }}" + when: rhel_08_010780_nouser_files.stdout | length > 0 + when: + - rhel_08_010780 + tags: + - RHEL-08-010780 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230326r627750_rule + - V-230326 + - permissions -# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner." -# block: -# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files" -# shell: find / -nogroup -# changed_when: false -# failed_when: false -# register: rhel_08_010790_nogroup_files +- name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner." + block: + - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. 
| Get nogroup files" + shell: find / -nogroup + changed_when: false + failed_when: false + register: rhel_08_010790_nogroup_files -# - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" -# debug: -# msg: -# - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group" -# - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" -# when: rhel_08_010790_nogroup_files.stdout | length > 0 -# when: -# - rhel_08_010790 -# tags: -# - RHEL-08-010790 + - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" + debug: + msg: + - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group" + - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" + when: rhel_08_010790_nogroup_files.stdout | length > 0 + when: + - rhel_08_010790 + tags: + - RHEL-08-010790 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230327r627750_rule + - V-230327 + - permissions # - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." # debug: From c49bd255affba77b07a057c5021747543daa650d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 11:33:09 -0400 Subject: [PATCH 035/110] Updated cat2 91-100 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 690 ++++++++++++++++++++++++--------------------- 1 file changed, 371 insertions(+), 319 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5a275cee..4ba72cbb 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -2140,351 +2140,403 @@ - V-230327 - permissions -# - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." -# debug: -# msg: "WARNING!!!! /home is not mounted on a separate partition" -# changed_when: -# - rhel8stig_audit_complex -# when: -# - rhel_08_010800 -# - not rhel8stig_system_is_container -# - rhel8stig_complex -# - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 -# tags: -# - RHEL-08-010800 -# - complexity-high -# - mount -# - home +- name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." + debug: + msg: "WARNING!!!! /home is not mounted on a separate partition" + changed_when: + - rhel8stig_audit_complex + when: + - rhel_08_010800 + - not rhel8stig_system_is_container + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 + tags: + - RHEL-08-010800 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230328r627750_rule + - V-23032 + - complexity-high + - mount + - home -# - name: "MEDIUM | RHEL-08-010830 | PATCH |Unattended or automatic logon to RHEL 8 via ssh must not be allowed." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?PermitUserEnvironment' -# line: 'PermitUserEnvironment no' -# notify: restart sshd -# when: -# - rhel_08_010830 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-010830 -# - ssh -# - disruption_high +- name: "MEDIUM | RHEL-08-010830 | PATCH | RHEL 8 must not allow users to override SSH environment variables." 
+ lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?PermitUserEnvironment' + line: 'PermitUserEnvironment no' + notify: restart sshd + when: + - rhel_08_010830 + - rhel8stig_disruption_high + tags: + - RHEL-08-010830 + - CAT2 + - V-230330 + - CCI-000366 + - SRG-OS-000480-GPOS-00229 + - SV-230330r646870_rule + - V-230330 + - ssh + - disruption_high -# - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less." -# debug: -# msg: -# - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less." -# - "To do this please run sudo chage -l account_name for the accounts you need to check" -# - "The results will display the Account Expires information" -# - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name' -# when: -# - rhel_08_020000 -# tags: -# - RHEL-08-020000 +- name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less." + debug: + msg: + - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less." + - "To do this please run sudo chage -l account_name for the accounts you need to check" + - "The results will display the Account Expires information" + - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name' + when: + - rhel_08_020000 + tags: + - RHEL-08-020000 + - CAT2 + - CCI-000016 + - SRG-OS-000002-GPOS-00002 + - SV-230331r627750_rule + - V-230331 + - accounts -# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." -# block: -# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set preauth" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so preauth' -# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth +- name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." + block: + - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so authfail' -# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth + - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set authfail" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^account required pam_faillock.so' -# line: 'account required pam_faillock.so' -# insertafter: '^account' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth -# when: -# - rhel_08_020010 -# tags: -# - RHEL-08-020010 -# - pamd + - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd + with_items: + - system-auth + - password-auth + when: + - rhel_08_020010 + tags: + - RHEL-08-020010 + - CAT2 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-230332r627750_rule + - V-230332 + - pamd -# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." -# block: -# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set preauth" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so preauth' -# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth +- name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." + block: + - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so authfail' -# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth + - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set authfail" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^account required pam_faillock.so' -# line: 'account required pam_faillock.so' -# insertafter: '^account' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth + - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf" -# lineinfile: -# path: "/etc/security/faillock.conf" -# regexp: '^deny =|^\# deny =' -# line: "deny = {{ rhel8stig_pam_faillock.attempts }}" -# when: -# - rhel_08_020011 -# tags: -# - RHEL-08-020011 -# - pamd + - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set deny in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^deny =|^\# deny =' + line: "deny = {{ rhel8stig_pam_faillock.attempts }}" + when: + - rhel_08_020011 + tags: + - RHEL-08-020011 + - CAT2 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-230333r627750_rule + - V-230333 + - pamd -# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." -# block: -# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so preauth' -# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth +- name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." + block: + - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set preauth" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so authfail' -# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth + - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^account required pam_faillock.so' -# line: 'account required pam_faillock.so' -# insertafter: '^account' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth -# when: -# - rhel_08_020012 -# tags: -# - RHEL-08-020012 -# - pamd + - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd + with_items: + - system-auth + - password-auth + when: + - rhel_08_020012 + tags: + - RHEL-08-020012 + - CAT2 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-230334r627750_rule + - V-230334 + - pamd -# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." -# block: -# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so preauth' -# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth +- name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." 
+ block: + - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so authfail' -# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth + - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^account required pam_faillock.so' -# line: 'account required pam_faillock.so' -# insertafter: '^account' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth + - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set fail_interval in faillock.conf" -# lineinfile: -# path: "/etc/security/faillock.conf" -# regexp: '^fail_interval =|^\# fail_interval =' -# line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" -# with_items: -# - system-auth -# - password-auth -# when: -# - rhel_08_020013 -# tags: -# - RHEL-08-020013 -# - pamd + - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set fail_interval in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^fail_interval =|^\# fail_interval =' + line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" + with_items: + - system-auth + - password-auth + when: + - rhel_08_020013 + tags: + - RHEL-08-020013 + - CAT2 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-230335r627750_rule + - V-230335 + - pamd -# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." 
-# block: -# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so preauth' -# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth +- name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." + block: + - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so authfail' -# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth + - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^account required pam_faillock.so' -# line: 'account required pam_faillock.so' -# insertafter: '^account' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth -# when: -# - rhel_08_020013 -# tags: -# - RHEL-08-020013 -# - pamd + - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd + with_items: + - system-auth + - password-auth + when: + - rhel_08_020013 + tags: + - RHEL-08-020013 + - CAT2 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-230336r627750_rule + - V-230336 + - pamd -# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." -# block: -# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so preauth' -# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth +- name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." + block: + - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set preauth" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^auth required pam_faillock.so authfail' -# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' -# insertafter: '^auth' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth + - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" -# lineinfile: -# path: "/etc/pam.d/{{ item }}" -# regexp: '^account required pam_faillock.so' -# line: 'account required pam_faillock.so' -# insertafter: '^account' -# notify: restart sssd -# with_items: -# - system-auth -# - password-auth + - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + lineinfile: + path: "/etc/pam.d/{{ item }}" + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd + with_items: + - system-auth + - password-auth -# - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" -# lineinfile: -# path: "/etc/security/faillock.conf" -# regexp: '^unlock_time =|^\# unlock_time =' -# line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}" -# with_items: -# - system-auth -# - password-auth -# when: -# - rhel_08_020015 -# tags: -# - RHEL-08-020015 -# - pamd + - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^unlock_time =|^\# unlock_time =' + line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}" + with_items: + - system-auth + - password-auth + when: + - rhel_08_020015 + tags: + - RHEL-08-020015 + - CAT2 + - CCI-000044 + - RG-OS-000021-GPOS-00005 + - SV-230337r627750_rule + - V-230337 + - pamd -# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist." 
-# block:
-# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+- name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist."
+ block:
+ - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.
| Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020016
-# tags:
-# - RHEL-08-020016
-# - pamd
+ - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020016
+ tags:
+ - RHEL-08-020016
+ - CAT2
+ - CCI-000044
+ - SRG-OS-000021-GPOS-00005
+ - SV-230338r627750_rule
+ - V-230338
+ - pamd
 # - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist."
 # block:
From b525ed3f24d35b9b21f61dde6c13c8314dba6ae9 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 11 Aug 2021 11:46:34 -0400
Subject: [PATCH 036/110] Updated cat2 101-110
Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 762 ++++++++++++++++++++++++---------------------
1 file changed, 406 insertions(+), 356 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 4ba72cbb..4652dd14 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -2538,393 +2538,443 @@
 - V-230338
 - pamd
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist."
-# block:
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+- name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist."
+ block:
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist.
| Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^dir =|^\# dir ='
-# line: "dir = /var/log/faillock"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020017
-# tags:
-# - RHEL-08-020017
-# - pamd
+ - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^dir =|^\# dir ='
+ line: "dir = /var/log/faillock"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020017
+ tags:
+ - RHEL-08-020017
+ - CAT2
+ - CCI-000044
+ - SRG-OS-000021-GPOS-00005
+ - SV-230339r627750_rule
+ - V-230339
+ - pamd
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
-# block:
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+- name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
| Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020018
-# tags:
-# - RHEL-08-020018
-# - pamd
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020018
+ tags:
+ - RHEL-08-020018
+ - CAT2
+ - CCI-000044
+ - SRG-OS-000021-GPOS-00005
+ - SV-230340r627750_rule
+ - V-230340
+ - pamd
-# - name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
-# block:
-# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+- name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
| Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
| Set silent in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^silent|^\# silent'
-# line: "silent"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020019
-# tags:
-# - RHEL-08-020019
-# - pamd
+ - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^silent|^\# silent'
+ line: "silent"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020019
+ tags:
+ - RHEL-08-020019
+ - CAT2
+ - CCI-000044
+ - SRG-OS-000021-GPOS-00005
+ - SV-230341r627750_rule
+ - V-230341
+ - pamd
-# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
-# block:
-# - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+- name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur.
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020020
-# tags:
-# - RHEL-08-020020
-# - pamd
+ - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur.
| Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020020
+ tags:
+ - RHEL-08-020020
+ - CAT2
+ - CCI-000044
+ - SRG-OS-000021-GPOS-00005
+ - SV-230342r646872_rule
+ - V-230342
+ - pamd
-# - name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
-# block:
-# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+- name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
+ block:
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur.
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur.
| Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^audit|^\# audit'
-# line: "audit"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020021
-# tags:
-# - RHEL-08-020021
-# - pamd
+ - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf"
+ lineinfile:
+ path: "/etc/security/faillock.conf"
+ regexp: '^audit|^\# audit'
+ line: "audit"
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020021
+ tags:
+ - RHEL-08-020021
+ - CAT2
+ - CCI-000044
+ - SRG-OS-000021-GPOS-00005
+ - SV-230343r627750_rule
+ - V-230343
+ - pamd
-# - name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
-# block:
-# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+- name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020022
-# tags:
-# - RHEL-08-020022
-# - pamd
+ - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
+ when:
+ - rhel_08_020022
+ tags:
+ - RHEL-08-020022
+ - CAT2
+ - CCI-000044
+ - SRG-OS-000021-GPOS-00005
+ - SV-230344r646874_rule
+ - V-230344
+ - pamd
-# - name: "MEDIUM | RHEL-020023| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
-# block:
-# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so preauth'
-# line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+- name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+ block:
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set preauth"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so preauth'
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^auth required pam_faillock.so authfail'
-# line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
-# insertafter: '^auth'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^auth required pam_faillock.so authfail'
+ line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ insertafter: '^auth'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set account faillock"
-# lineinfile:
-# path: "/etc/pam.d/{{ item }}"
-# regexp: '^account required pam_faillock.so'
-# line: 'account required pam_faillock.so'
-# insertafter: '^account'
-# notify: restart sssd
-# with_items:
-# - system-auth
-# - password-auth
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
+ lineinfile:
+ path: "/etc/pam.d/{{ item }}"
+ regexp: '^account required pam_faillock.so'
+ line: 'account required pam_faillock.so'
+ insertafter: '^account'
+ notify: restart sssd
+ with_items:
+ - system-auth
+ - password-auth
-# - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf"
-# lineinfile:
-# path: "/etc/security/faillock.conf"
-# regexp: '^even_deny_root|^\# even_deny_root'
-# line: "even_deny_root"
-# with_items:
-# - system-auth
-# - password-auth
-# when:
-# - rhel_08_020023
-# tags:
-# - RHEL-08-020023
-# - pamd
+ - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
| Set audit in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^even_deny_root|^\# even_deny_root' + line: "even_deny_root" + with_items: + - system-auth + - password-auth + when: + - rhel_08_020023 + tags: + - RHEL-08-020023 + - CAT2 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-230345r627750_rule + - V-230345 + - pamd -# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." -# block: -# - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" -# command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" -# changed_when: false -# failed_when: false -# register: rhel_08_020030_lock_enabled +- name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." + block: + - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" + command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" + changed_when: false + failed_when: false + register: rhel_08_020030_lock_enabled -# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. 
| Set if exists" -# lineinfile: -# path: "{{ rhel_08_020030_lock_enabled.stdout }}" -# regexp: '^lock-enabled' -# line: lock-enabled=true -# when: rhel_08_020030_lock_enabled.stdout | length > 0 -# notify: dconf update + - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists" + lineinfile: + path: "{{ rhel_08_020030_lock_enabled.stdout }}" + regexp: '^lock-enabled' + line: lock-enabled=true + when: rhel_08_020030_lock_enabled.stdout | length > 0 + notify: dconf update -# - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist" -# lineinfile: -# path: /etc/dconf/db/local.d/00-screensaver -# create: yes -# regexp: '^lock-enabled' -# owner: root -# group: root -# mode: 0644 -# line: | -# [org/gnome/desktop/screensaver] -# # Set this to true to lock the screen when the screensaver activates -# lock-enabled=true -# when: rhel_08_020030_lock_enabled.stdout | length == 0 -# notify: dconf update -# when: -# - rhel_08_020030 -# - "'dconf' in ansible_facts.packages" -# - rhel8stig_always_configure_dconf + - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. 
| Set if does not exist" + lineinfile: + path: /etc/dconf/db/local.d/00-screensaver + create: yes + regexp: '^lock-enabled' + owner: root + group: root + mode: 0644 + line: | + [org/gnome/desktop/screensaver] + # Set this to true to lock the screen when the screensaver activates + lock-enabled=true + when: rhel_08_020030_lock_enabled.stdout | length == 0 + notify: dconf update + when: + - rhel_08_020030 + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf -# tags: -# - RHEL-08-020030 -# - gui + tags: + - RHEL-08-020030 + - CAT2 + - CCI-000056 + - SRG-OS-000028-GPOS-00009 + - SV-230347r627750_rule + - V-230347 + - gui -# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions." -# block: -# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux" -# dnf: -# name: tmux -# state: present +- name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions." + block: + - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux" + dnf: + name: tmux + state: present -# - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. 
| Configure tmux" -# lineinfile: -# path: /etc/tmux.conf -# regexp: '^set \-g' -# line: "set -g lock-command vlock" -# create: yes -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_020040 -# tags: -# - RHEL-08-020040 -# - tmux + - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux" + lineinfile: + path: /etc/tmux.conf + regexp: '^set \-g' + line: "set -g lock-command vlock" + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel_08_020040 + tags: + - RHEL-08-020040 + - CAT2 + - CCI-000056 + - RG-OS-000028-GPOS-00009 + - SV-230348r627750_rule + - V-230348 + - tmux -# - name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization." -# lineinfile: -# path: /etc/bashrc -# regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]' -# line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux' -# when: -# - rhel_08_020041 -# tags: -# - RHEL-08-020041 -# - tmux +- name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization." + lineinfile: + path: /etc/bashrc + regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]' + line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux' + when: + - rhel_08_020041 + tags: + - RHEL-08-020041 + - CAT2 + - CCI-000056 + - SRG-OS-000028-GPOS-00009 + - SV-230349r627750_rul + - V-230349 + - tmux # - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." # block: From 6b5fa67ca2eab012d59745379519f39517e00bf3 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 13:12:49 -0400 Subject: [PATCH 037/110] Updated cat2 111-120 
Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 501 +++++++++++++++++++++++++-------------------- 1 file changed, 277 insertions(+), 224 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4652dd14..0741fab3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -2976,245 +2976,298 @@ - V-230349 - tmux -# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." -# block: -# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" -# shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel_08_020050_removal_action +- name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." + block: + - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" + shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' + args: + warn: no + changed_when: false + failed_when: false + register: rhel_08_020050_removal_action -# - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" -# shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" -# changed_when: false -# failed_when: false -# register: rhel_08_020050_removal_action_file + - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
| Find removal-action param" + shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" + changed_when: false + failed_when: false + register: rhel_08_020050_removal_action_file -# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist" -# lineinfile: -# path: /etc/dconf/db/distro.d/20-authselect -# create: yes -# owner: root -# group: root -# mode: 0644 -# line: | -# [org/gnome/settings-daemon/peripherals/smartcard] -# removal-action='lock-screen' -# when: rhel_08_020050_removal_action.stdout | length == 0 -# notify: dconf update + - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist" + lineinfile: + path: /etc/dconf/db/distro.d/20-authselect + create: yes + owner: root + group: root + mode: 0644 + line: | + [org/gnome/settings-daemon/peripherals/smartcard] + removal-action='lock-screen' + when: rhel_08_020050_removal_action.stdout | length == 0 + notify: dconf update -# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" -# lineinfile: -# path: "{{ rhel_08_020050_removal_action.stdout }}" -# regexp: ^removal-action= -# line: removal-action='lock-screen' -# when: rhel_08_020050_removal_action.stdout | length > 0 -# notify: dconf update + - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
| Update removal-action if exists" + lineinfile: + path: "{{ rhel_08_020050_removal_action.stdout }}" + regexp: ^removal-action= + line: removal-action='lock-screen' + when: rhel_08_020050_removal_action.stdout | length > 0 + notify: dconf update -# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" -# lineinfile: -# path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}' -# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action -# when: rhel_08_020050_removal_action_file.stdout | length > 0 -# notify: dconf update + - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" + lineinfile: + path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}' + line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action + when: rhel_08_020050_removal_action_file.stdout | length > 0 + notify: dconf update -# - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" -# lineinfile: -# path: /etc/dconf/db/distro.d/locks/20-authselect -# create: yes -# line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action -# owner: root -# group: root -# mode: 0640 -# when: rhel_08_020050_removal_action_file.stdout | length == 0 -# notify: dconf update -# when: -# - rhel_08_020050 -# tags: -# - RHEL-08-020050 -# - smartcard + - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. 
| Set smartcard section of db" + lineinfile: + path: /etc/dconf/db/distro.d/locks/20-authselect + create: yes + line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action + owner: root + group: root + mode: 0640 + when: rhel_08_020050_removal_action_file.stdout | length == 0 + notify: dconf update + when: + - rhel_08_020050 + tags: + - RHEL-08-020050 + - CAT2 + - CCI-000056 + - SRG-OS-000028-GPOS-00009 + - SV-230351r627750_rule + - V-230351 + - smartcard -# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." -# block: -# - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" -# shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel_08_020060_idle_delay_param +- name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." + block: + - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" + shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' + args: + warn: no + changed_when: false + failed_when: false + register: rhel_08_020060_idle_delay_param -# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. 
| Set idle-delay if doesn't exist" -# lineinfile: -# path: /etc/dconf/db/local.d/00-screensaver -# create: yes -# owner: root -# group: root -# mode: 0640 -# regexp: '^idle-delay' -# line: | -# [org/gnome/desktop/session] -# # Set the lock time out to 900 seconds before the session is considered idle -# idle-delay=uint32 900 -# notify: dconf update -# when: rhel_08_020060_idle_delay_param.stdout | length == 0 - -# - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" -# lineinfile: -# path: "{{ rhel_08_020060_idle_delay_param.stdout }}" -# regexp: '^idle-delay=' -# line: idle-delay=uint32 900 -# owner: root -# group: root -# mode: 0640 -# notify: dconf update -# when: rhel_08_020060_idle_delay_param.stdout | length > 0 -# when: -# - rhel_08_020060 -# - "'dconf' in ansible_facts.packages" -# - rhel8stig_always_configure_dconf + - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist" + lineinfile: + path: /etc/dconf/db/local.d/00-screensaver + create: yes + owner: root + group: root + mode: 0640 + regexp: '^idle-delay' + line: | + [org/gnome/desktop/session] + # Set the lock time out to 900 seconds before the session is considered idle + idle-delay=uint32 900 + notify: dconf update + when: rhel_08_020060_idle_delay_param.stdout | length == 0 + + - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. 
| Set idle-delay if exists" + lineinfile: + path: "{{ rhel_08_020060_idle_delay_param.stdout }}" + regexp: '^idle-delay=' + line: idle-delay=uint32 900 + owner: root + group: root + mode: 0640 + notify: dconf update + when: rhel_08_020060_idle_delay_param.stdout | length > 0 + when: + - rhel_08_020060 + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf -# tags: -# - RHEL-08-020060 -# - gui + tags: + - RHEL-08-020060 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-230352r646876_rule + - V-230352 + - gui -# - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." -# lineinfile: -# path: /etc/tmux.conf -# regexp: '^set -g lock-after-time' -# line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_020070 -# tags: -# - RHEL-08-020070 -# - tmux +- name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." + lineinfile: + path: /etc/tmux.conf + regexp: '^set -g lock-after-time' + line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" + owner: root + group: root + mode: 0644 + when: + - rhel_08_020070 + tags: + - RHEL-08-020070 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-230353r627750_rule + - V-230353 + - tmux -# - name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings." 
-# lineinfile: -# path: /etc/dconf/db/local.d/locks/session -# create: yes -# line: "{{ item }}" -# owner: root -# group: root -# mode: 0640 -# with_items: -# - /org/gnome/desktop/session/idle-delay -# - /org/gnome/desktop/screensaver/lock-enabled -# - /org/gnome/desktop/screensaver/lock-delay -# - /org/gnome/settings-daemon/plugins/media-keys/logout -# - /org/gnome/login-screen/disable-user-list -# - /org/gnome/login-screen/banner-message-text -# - /org/gnome/login-screen/banner-message-enable -# - /org/gnome/desktop/lockdown/disable-lock-screen -# when: -# - rhel_08_020080 -# - "'dconf' in ansible_facts.packages" -# - rhel8stig_always_configure_dconf -# tags: -# - RHEL-08-020080 - -# - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." -# lineinfile: -# path: "{{ rhel8stig_sssd_conf }}" -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# owner: root -# group: root -# mode: 0640 -# with_items: -# - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } -# - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } -# - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' } -# - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' } -# notify: restart sssd -# when: -# - "'sssd' in ansible_facts.packages" -# - rhel8stig_sssd_conf_present.stat.exists -# - rhel_08_020090 -# tags: -# - RHEL-08-020090 +- name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings." 
+ lineinfile: + path: /etc/dconf/db/local.d/locks/session + create: yes + line: "{{ item }}" + owner: root + group: root + mode: 0640 + with_items: + - /org/gnome/desktop/session/idle-delay + - /org/gnome/desktop/screensaver/lock-enabled + - /org/gnome/desktop/screensaver/lock-delay + - /org/gnome/settings-daemon/plugins/media-keys/logout + - /org/gnome/login-screen/disable-user-list + - /org/gnome/login-screen/banner-message-text + - /org/gnome/login-screen/banner-message-enable + - /org/gnome/desktop/lockdown/disable-lock-screen + when: + - rhel_08_020080 + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + tags: + - RHEL-08-020080 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-230354r627750_rule + - V-230354 + - gui -# - name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled." -# lineinfile: -# path: "{{ item.path }}" -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: '^password' -# owner: root -# group: root -# mode: 0640 -# with_items: -# - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } -# - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } -# when: -# - rhel_08_020100 -# tags: -# - RHEL-08-020100 +- name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." 
+ lineinfile: + path: "{{ rhel8stig_sssd_conf }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + owner: root + group: root + mode: 0640 + with_items: + - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } + - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } + - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' } + - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' } + notify: restart sssd + when: + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists + - rhel_08_020090 + tags: + - RHEL-08-020090 + - CAT2 + - CCI-000187 + - SRG-OS-000068-GPOS-00036 + - SV-230355r627750_rule + - V-230355 + - authentication -# - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: '^#?\s*ucredit' -# line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" -# when: -# - rhel_08_020110 -# tags: -# - RHEL-08-020110 -# - pwquality +- name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled." 
+ lineinfile: + path: "{{ item.path }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: '^password' + owner: root + group: root + mode: 0640 + with_items: + - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } + - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } + when: + - rhel_08_020100 + tags: + - RHEL-08-020100 + - CAT2 + - CCI-000192 + - SRG-OS-000069-GPOS-00037 + - SV-230356r627750_rule + - V-230356 + - pamd -# - name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: '^#?\s*lcredit' -# line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}" -# when: -# - rhel_08_020120 -# tags: -# - RHEL-08-020120 -# - pwquality +- name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used." + lineinfile: + path: /etc/security/pwquality.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: '^#?\s*ucredit' + line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" + when: + - rhel_08_020110 + tags: + - RHEL-08-020110 + - CAT2 + - CCI-000192 + - SRG-OS-000069-GPOS-00037 + - SV-230357r627750_rule + - V-230357 + - pwquality -# - name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used." 
-# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: '^#?\s*dcredit' -# line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}" -# when: -# - rhel_08_020130 -# tags: -# - RHEL-08-020130 -# - pwquality +- name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used." + lineinfile: + path: /etc/security/pwquality.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: '^#?\s*lcredit' + line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}" + when: + - rhel_08_020120 + tags: + - RHEL-08-020120 + - CAT2 + - CCI-00019 + - SRG-OS-000070-GPOS-00038 + - SV-230358r627750_rule + - V-230358 + - pwquality -# - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: '^#?\s*maxclassrepeat' -# line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" -# when: -# - rhel_08_020140 -# tags: -# - RHEL-08-020140 -# - pwquality +- name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used." 
+ lineinfile: + path: /etc/security/pwquality.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: '^#?\s*dcredit' + line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}" + when: + - rhel_08_020130 + tags: + - RHEL-08-020130 + - CAT2 + - CCI-000194 + - SRG-OS-000071-GPOS-00039 + - SV-230359r627750_rule + - V-230359 + - pwquality + +- name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." + lineinfile: + path: /etc/security/pwquality.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: '^#?\s*maxclassrepeat' + line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" + when: + - rhel_08_020140 + tags: + - RHEL-08-020140 + - CAT2 + - CCI-000195 + - SRG-OS-000072-GPOS-00040 + - SV-230360r627750_rule + - V-230360 + - pwquality # - name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." # lineinfile: From 32e9faa608f15ef44aac8b7f76fe98d9e65128eb Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 13:24:29 -0400 Subject: [PATCH 038/110] Updated cat2 121-130 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 413 +++++++++++++++++++++++++-------------------- 1 file changed, 231 insertions(+), 182 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0741fab3..f2d89cef 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
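Review bot: In the RHEL-08-020050 block, `rhel_08_020050_removal_action.stdout` and `rhel_08_020050_removal_action_file.stdout` are handed to `lineinfile` `path:` as if the recursive grep over `/etc/dconf/db/*` could only ever match one file, but it emits one line per match, so two matching db files yield a multi-line path and the task fails; the `rhel_08_020060_idle_delay_param.stdout` path in RHEL-08-020060 has the same shape. The "Set smartcard section of db" task for the found-file case also lacks the `create: yes` its sibling has, so it fails when `/etc/dconf/db/distro.d/locks/<name>` does not yet exist, and it hard-codes `distro.d/locks` even though the matched settings file may have come from another db directory such as `local.d`; iterating over `stdout_lines` (or using `stdout_lines | first`) and deriving the locks directory from the matched path would address both. RHEL-08-020050's `when:` carries only `rhel_08_020050`, whereas RHEL-08-020030/020060/020080 guard on `"'dconf' in ansible_facts.packages"` and `rhel8stig_always_configure_dconf` as well, so this task creates `/etc/dconf/db/distro.d/20-authselect` and notifies `dconf update` on hosts without dconf. In RHEL-08-020090 the `regexp` values interpolate `rhel8stig_sssd.maprule` and `.matchrule` unescaped, so any regex metacharacter in them (parentheses are common in map rules) stops the match and the line is appended again on every run, and the `domains` entry is the only one without `^`; anchoring on the key alone, e.g. `regexp: '^maprule\s*='`, `regexp: '^matchrule\s*='`, `regexp: '^domains\s*='`, keeps the task idempotent, and the `matchrule` line itself lacks the `= ` that the `maprule` and `domains` lines carry. The RHEL-08-020120 tag `CCI-00019` is one digit short of the six-digit CCI format used by every other tag in the hunk and should be checked against the STIG.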
@@ -3269,198 +3269,247 @@ - V-230360 - pwquality -# - name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: '^#?\s*maxrepeat' -# line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}" -# when: -# - rhel_08_020150 -# tags: -# - RHEL-08-020150 -# - pwquality - -# - name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: '^#?\s*minclass' -# line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}" -# when: -# - rhel_08_020160 -# tags: -# - RHEL-08-020160 -# - pwquality - -# - name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: '^#?\s*difok' -# line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}" -# when: -# - rhel_08_020170 -# tags: -# - RHEL-08-020170 -# - pwquality - -# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow." -# block: -# - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. 
| Get list of users" -# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" -# changed_when: false -# failed_when: false -# register: rhel_08_020180_users - -# - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction" -# command: chage -m 1 {{ item }} -# with_items: "{{ rhel_08_020180_users.stdout_lines }}" -# when: -# - rhel_08_020180 -# tags: -# - RHEL8-08-020180 -# - password +- name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." + lineinfile: + path: /etc/security/pwquality.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: '^#?\s*maxrepeat' + line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}" + when: + - rhel_08_020150 + tags: + - RHEL-08-020150 + - CAT2 + - CCI-000195 + - SRG-OS-000072-GPOS-00040 + - SV-230361r627750_rule + - V-230361 + - pwquality -# - name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def." -# lineinfile: -# path: /etc/login.defs -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: ^#?PASS_MIN_DAYS -# line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}" -# when: -# - rhel_08_020190 -# tags: -# - RHEL-08-020190 -# - login +- name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed." 
+ lineinfile: + path: /etc/security/pwquality.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: '^#?\s*minclass' + line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}" + when: + - rhel_08_020160 + tags: + - RHEL-08-020160 + - CAT2 + - CCI-000195 + - SRG-OS-000072-GPOS-00040 + - SV-230362r627750_rule + - V-230362 + - pwquality -# - name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction." -# lineinfile: -# path: /etc/login.defs -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: ^#?PASS_MAX_DAYS -# line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}" -# when: -# - rhel_08_020200 -# tags: -# - RHEL-08-020200 -# - login +- name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed." + lineinfile: + path: /etc/security/pwquality.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: '^#?\s*difok' + line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}" + when: + - rhel_08_020170 + tags: + - RHEL-08-020170 + - CAT2 + - CCI-000195 + - SRG-OS-000072-GPOS-00040 + - SV-230363r627750_rule + - V-230363 + - pwquality -# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime." -# block: -# - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. 
| Get list of users" -# command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" -# check_mode: no -# changed_when: rhel_08_020210_users.stdout | length > 0 -# register: rhel_08_020210_users +- name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow." + block: + - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Get list of users" + command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: rhel_08_020180_users -# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user." -# command: chage -d '-1 day' {{ item }} -# check_mode: "{{ rhel8stig_disruptive_check_mode }}" -# with_items: "{{ rhel_08_020210_users.stdout_lines }}" + - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction" + command: chage -m 1 {{ item }} + with_items: "{{ rhel_08_020180_users.stdout_lines }}" + when: + - rhel_08_020180 + tags: + - RHEL8-08-020180 + - CAT2 + - CCI-000198 + - SRG-OS-000075-GPOS-00043 + - SV-230364r627750_rule + - V-230364 + - password -# - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. 
| Set 60 max lifetime" -# command: chage -M 60 {{ item }} -# check_mode: "{{ rhel8stig_disruptive_check_mode }}" -# with_items: "{{ rhel_08_020210_users.stdout_lines }}" -# when: -# - rhel_08_020210 -# - rhel8stig_disruption_high -# tags: -# - RHEL-08-020210 -# - disruption-high -# - password +- name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def." + lineinfile: + path: /etc/login.defs + create: yes + owner: root + group: root + mode: 0644 + regexp: ^#?PASS_MIN_DAYS + line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}" + when: + - rhel_08_020190 + tags: + - RHEL-08-020190 + - CAT2 + - CCI-000198 + - SRG-OS-000075-GPOS-00043 + - SV-230365r627750_rule + - V-230365 + - login -# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations." -# block: -# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" -# pamd: -# name: "{{ item }}" -# state: before -# type: password -# control: sufficient -# module_path: pam_unix.so -# new_type: password -# new_control: required -# new_module_path: pam_pwhistory.so -# with_items: -# - "system-auth" -# - "password-auth" +- name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction." 
+ lineinfile: + path: /etc/login.defs + create: yes + owner: root + group: root + mode: 0644 + regexp: ^#?PASS_MAX_DAYS + line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}" + when: + - rhel_08_020200 + tags: + - RHEL-08-020200 + - CAT2 + - CCI-000199 + - SRG-OS-000076-GPOS-00044 + - SV-230366r646878_rule + - V-230366 + - login -# # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent -# - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Check for existing password history reuse settings" -# command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" -# check_mode: no -# changed_when: no -# failed_when: rhel_08_020220_pw_hist_settings.rc > 1 -# register: rhel_08_020220_pw_hist_settings -# with_items: -# - "system-auth" -# - "password-auth" +- name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime." + block: + - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users" + command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" + check_mode: no + changed_when: rhel_08_020210_users.stdout | length > 0 + register: rhel_08_020210_users + + - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user." 
+ command: chage -d '-1 day' {{ item }} + check_mode: "{{ rhel8stig_disruptive_check_mode }}" + with_items: "{{ rhel_08_020210_users.stdout_lines }}" + + - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime" + command: chage -M 60 {{ item }} + check_mode: "{{ rhel8stig_disruptive_check_mode }}" + with_items: "{{ rhel_08_020210_users.stdout_lines }}" + when: + - rhel_08_020210 + - rhel8stig_disruption_high + tags: + - RHEL-08-020210 + - CAT2 + - CCI-000199 + - SRG-OS-000076-GPOS-00044 + - SV-230367r627750_rule + - V-230367 + - disruption-high + - password + +- name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations." + block: + - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" + pamd: + name: "{{ item }}" + state: before + type: password + control: sufficient + module_path: pam_unix.so + new_type: password + new_control: required + new_module_path: pam_pwhistory.so + with_items: + - "system-auth" + - "password-auth" -# # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. -# - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Ensure pam_pwhistory module arguments are set" -# pamd: -# name: "{{ item.item }}" -# state: updated -# type: password -# control: required -# module_path: pam_pwhistory.so -# module_arguments: -# - use_authtok -# - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }} -# - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }} -# with_items: "{{ rhel_08_020220_pw_hist_settings.results }}" -# when: item.rc == 1 -# when: -# - rhel_08_020220 -# tags: -# - RHEL-08-020220 -# - pamd + # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent + - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Check for existing password history reuse settings" + command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" + check_mode: no + changed_when: no + failed_when: rhel_08_020220_pw_hist_settings.rc > 1 + register: rhel_08_020220_pw_hist_settings + with_items: + - "system-auth" + - "password-auth" + + # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. + - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. 
| Ensure pam_pwhistory module arguments are set" + pamd: + name: "{{ item.item }}" + state: updated + type: password + control: required + module_path: pam_pwhistory.so + module_arguments: + - use_authtok + - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }} + - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }} + with_items: "{{ rhel_08_020220_pw_hist_settings.results }}" + when: item.rc == 1 + when: + - rhel_08_020220 + tags: + - RHEL-08-020220 + - CAT2 + - CCI-000200 + - SRG-OS-000077-GPOS-00045 + - SV-230368r627750_rule + - V-230368 + - pamd -# - name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: '^#?\s*minlen' -# line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}" -# when: -# - rhel_08_020230 -# tags: -# - RHEL-08-020230 -# - pwquality +- name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." + lineinfile: + path: /etc/security/pwquality.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: '^#?\s*minlen' + line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}" + when: + - rhel_08_020230 + tags: + - RHEL-08-020230 + - CCI-000205 + - SRG-OS-000078-GPOS-00046 + - SV-230369r627750_rule + - V-230369 + - pwquality -# - name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters." -# lineinfile: -# path: /etc/login.defs -# regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN' -# line: "PASS_MIN_LEN 15" -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_020231 -# tags: -# - RHEL-08-020231 -# - passwords +- name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters." 
+ lineinfile: + path: /etc/login.defs + regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN' + line: "PASS_MIN_LEN 15" + owner: root + group: root + mode: 0644 + when: + - rhel_08_020231 + tags: + - RHEL-08-020231 + - CAT2 + - CCI-000205 + - SRG-OS-000078-GPOS-00046 + - SV-230370r627750_rule + -V-230370 + - passwords # - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." # block: From 4969ec99572ed3f36779f51141cc3641d6ab5e6c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 13:39:13 -0400 Subject: [PATCH 039/110] Updated cat2 131-140 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 494 +++++++++++++++++++++++++-------------------- 1 file changed, 274 insertions(+), 220 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index f2d89cef..65a6d7bd 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3486,6 +3486,7 @@ - rhel_08_020230 tags: - RHEL-08-020230 + - CAT2 - CCI-000205 - SRG-OS-000078-GPOS-00046 - SV-230369r627750_rule 
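Review bot: In the RHEL-08-020220 block the existence check and the rule the role writes disagree on the control flag: the AUDIT grep looks for `^password\s+requisite\s+pam_pwhistory.so…`, while both pamd tasks create and update the rule with `required` (`new_control: required`, `control: required`). On a host the role has already fixed the grep therefore still exits 1, so the `state: updated` pamd task runs on every play, which is exactly what the TODO comment says the grep was added to prevent, and the check never actually confirms the configured state. Align the check with what is written, e.g. `command: "grep -iE '^password\\s+required\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}"`. Separately, the `RHEL8-08-020180` task name and tag differ from the `RHEL-08-…` form used by every other task in this hunk, so `--tags RHEL-08-020180` will not select that task.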
@@ -3508,242 +3509,295 @@ - CCI-000205 - SRG-OS-000078-GPOS-00046 - SV-230370r627750_rule - -V-230370 + - V-230370 - passwords -# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." -# block: -# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users" -# command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd -# changed_when: false -# failed_when: false -# register: rhel_08_020240_duplicate_uid_users +- name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." + block: + - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users" + command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd + changed_when: false + failed_when: false + register: rhel_08_020240_duplicate_uid_users -# - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" -# debug: -# msg: -# - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" -# - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" -# when: -# - rhel_08_020240 -# tags: -# - RHEL-08-020240 + - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" + debug: + msg: + - "ALERT!!! Below are a list of users with duplicate UID's. 
Please review and create a unique ID for each user" + - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" + when: + - rhel_08_020240 + tags: + - RHEL-08-020240 + - CAT2 + - CCI-000764 + - SRG-OS-000104-GPOS-00051 + - SV-230371r627750_rule + - V-230371 + - user -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts." -# block: -# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth" -# shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth -# changed_when: false -# failed_when: false -# register: rhel_08_020250_sc_auth_sss +- name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts." + block: + - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth" + shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth + changed_when: false + failed_when: false + register: rhel_08_020250_sc_auth_sss -# - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth" -# shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth -# changed_when: false -# failed_when: false -# register: rhel_08_020250_system_auth_sss + - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Find pam_sss.so in system-auth" + shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth + changed_when: false + failed_when: false + register: rhel_08_020250_system_auth_sss -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf" -# lineinfile: -# path: "{{ rhel8stig_sssd_conf }}" -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# owner: root -# group: root -# mode: 0640 -# notify: restart sssd -# with_items: -# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } -# - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' } + - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf" + lineinfile: + path: "{{ rhel8stig_sssd_conf }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + owner: root + group: root + mode: 0640 + notify: restart sssd + with_items: + - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } + - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' } -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth" -# lineinfile: -# path: /etc/pam.d/smartcard-auth -# line: auth sufficient pam_sss.so try_cert_auth -# owner: root -# group: root -# mode: 0644 -# notify: restart sssd -# when: rhel_08_020250_sc_auth_sss.stdout | length == 0 - -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_sss.so if does exist in smartcard-auth" -# pamd: -# name: /etc/pam.d/smartcard-auth -# state: updated -# type: auth -# control: sufficient -# module_path: pam_sss.so -# module_arguments: 'try_cert_auth' -# notify: restart sssd -# when: rhel_08_020250_sc_auth_sss.stdout | length > 0 - -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth" -# pamd: -# name: /etc/pam.d/system-auth -# state: after -# type: auth -# control: required -# module_path: pam_env.so -# new_type: auth -# new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' -# new_module_path: pam_sss.so -# module_arguments: try_cert_auth -# notify: restart sssd -# when: rhel_08_020250_system_auth_sss.stdout | length == 0 - -# - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth" -# pamd: -# name: /etc/pam.d/system-auth -# state: updated -# type: auth -# control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' -# module_path: pam_env.so -# module_arguments: try_cert_auth -# notify: restart sssd -# when: rhel_08_020250_system_auth_sss.stdout | length > 0 -# when: -# - "'sssd' in ansible_facts.packages" -# - rhel8stig_sssd_conf_present.stat.exists -# - rhel_08_020250 -# tags: -# - RHEL-08-020250 -# - pamd - -# - name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity." -# command: useradd -D -f 35 -# when: -# - rhel_08_020260 -# tags: -# - RHEL-08-020260 -# - useradd - -# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." 
-# block: -# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." -# command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" -# changed_when: false -# failed_when: false -# register: rhel_08_020270_system_users + - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth" + lineinfile: + path: /etc/pam.d/smartcard-auth + line: auth sufficient pam_sss.so try_cert_auth + owner: root + group: root + mode: 0644 + notify: restart sssd + when: rhel_08_020250_sc_auth_sss.stdout | length == 0 -# - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." -# debug: -# msg: -# - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" -# - "{{ rhel_08_020270_system_users.stdout_lines }}" -# when: -# - rhel_08_020270 -# tags: -# - RHEL-08-020270 + - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth" + pamd: + name: /etc/pam.d/smartcard-auth + state: updated + type: auth + control: sufficient + module_path: pam_sss.so + module_arguments: 'try_cert_auth' + notify: restart sssd + when: rhel_08_020250_sc_auth_sss.stdout | length > 0 -# - name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character." 
-# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# regexp: '^#?\s*ocredit' -# line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}" -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_020280 -# tags: -# - RHEL-08-020280 -# - pwquality + - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth" + pamd: + name: /etc/pam.d/system-auth + state: after + type: auth + control: required + module_path: pam_env.so + new_type: auth + new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' + new_module_path: pam_sss.so + module_arguments: try_cert_auth + notify: restart sssd + when: rhel_08_020250_system_auth_sss.stdout | length == 0 -# - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." -# lineinfile: -# path: "{{ rhel8stig_sssd_conf }}" -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# owner: root -# group: root -# mode: 0640 -# with_items: -# - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } -# - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } -# when: -# - "'sssd' in ansible_facts.packages" -# - rhel8stig_sssd_conf_present.stat.exists -# - rhel_08_020290 -# tags: -# - RHEL-08-020290 -# - sssd + - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. 
| Set pam_sss.so if does exist in system-auth" + pamd: + name: /etc/pam.d/system-auth + state: updated + type: auth + control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]' + module_path: pam_env.so + module_arguments: try_cert_auth + notify: restart sssd + when: rhel_08_020250_system_auth_sss.stdout | length > 0 + when: + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists + - rhel_08_020250 + tags: + - RHEL-08-020250 + - CAT2 + - CCI-000765 + - SRG-OS-000105-GPOS-00052 + - SV-230372r627750_rule + - V-230372 + - pamd -# - name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords." -# lineinfile: -# path: /etc/security/pwquality.conf -# create: yes -# regexp: '^#?\s*dictcheck' -# line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}" -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_020300 -# tags: -# - RHEL-08-020300 -# - pwquality +- name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity." + command: useradd -D -f 35 + when: + - rhel_08_020260 + tags: + - RHEL-08-020260 + - CAT2 + - CCI-000795 + - SRG-OS-000118-GPOS-00060 + - SV-230373r627750_rule + - V-230373 + - useradd -# - name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." -# lineinfile: -# dest: /etc/login.defs -# regexp: ^#?FAIL_DELAY -# line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_020310 -# tags: -# - RHEL-08-020310 -# - login +- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." 
+ block: + - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." + command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" + changed_when: false + failed_when: false + register: rhel_08_020270_system_users -# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts." -# block: -# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts" -# command: "grep '^{{ item }}:' /etc/passwd" -# check_mode: no -# failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1 -# changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0 -# register: rhel_08_020320_unnecessary_accounts_found -# with_items: "{{ rhel8stig_unnecessary_accounts }}" + - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." + debug: + msg: + - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" + - "{{ rhel_08_020270_system_users.stdout_lines }}" + when: + - rhel_08_020270 + tags: + - RHEL-08-020270 + - CAT2 + - CCI-001682 + - SRG-OS-000123-GPOS-00064 + - SV-230374r627750_rule + - V-230374 + - user -# - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts" -# user: -# name: "{{ item }}" -# state: absent -# remove: "{{ rhel8stig_remove_unnecessary_user_files }}" -# register: rhel_08_020320_accounts_removed -# with_items: "{{ rhel8stig_unnecessary_accounts }}" +- name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character." 
+ lineinfile: + path: /etc/security/pwquality.conf + create: yes + regexp: '^#?\s*ocredit' + line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}" + owner: root + group: root + mode: 0644 + when: + - rhel_08_020280 + tags: + - RHEL-08-020280 + - CAT2 + - CCI-001619 + - SRG-OS-000266-GPOS-00101 + - SV-230375r627750_rule + - V-230375 + - pwquality -# - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" -# include_tasks: parse_etc_passwd.yml -# vars: -# rhel8stig_passwd_tasks: "RHEL-08-020320" -# when: rhel_08_020320_accounts_removed is changed -# when: -# - rhel_08_020320 -# tags: -# - RHEL-08-020320 +- name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." + lineinfile: + path: "{{ rhel8stig_sssd_conf }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + owner: root + group: root + mode: 0640 + with_items: + - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } + - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } + when: + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists + - rhel_08_020290 + tags: + - RHEL-08-020290 + - CAT2 + - CCI-002007 + - SRG-OS-000383-GPOS-00166 + - SV-230376r627750_rule + - V-230376 + - sssd -# - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." -# lineinfile: -# dest: /etc/ssh/sshd_config -# regexp: '(?i)^#?PrintLastLog' -# line: 'PrintLastLog yes' -# validate: /usr/sbin/sshd -t -f %s -# owner: root -# group: root -# mode: 0644 -# notify: restart sshd -# when: -# - rhel_08_020350 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-020350 -# - ssh +- name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords." 
+ lineinfile: + path: /etc/security/pwquality.conf + create: yes + regexp: '^#?\s*dictcheck' + line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}" + owner: root + group: root + mode: 0644 + when: + - rhel_08_020300 + tags: + - RHEL-08-020300 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00225 + - SV-230377r627750_rule + - V-230377 + - pwquality + +- name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." + lineinfile: + dest: /etc/login.defs + regexp: ^#?FAIL_DELAY + line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" + owner: root + group: root + mode: 0644 + when: + - rhel_08_020310 + tags: + - RHEL-08-020310 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00226 + - SV-230378r627750_rule + - V-230378 + - login + +- name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts." + block: + - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts" + command: "grep '^{{ item }}:' /etc/passwd" + check_mode: no + failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1 + changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0 + register: rhel_08_020320_unnecessary_accounts_found + with_items: "{{ rhel8stig_unnecessary_accounts }}" + + - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts" + user: + name: "{{ item }}" + state: absent + remove: "{{ rhel8stig_remove_unnecessary_user_files }}" + register: rhel_08_020320_accounts_removed + with_items: "{{ rhel8stig_unnecessary_accounts }}" + + - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. 
| Re-parse passwd file" + include_tasks: parse_etc_passwd.yml + vars: + rhel8stig_passwd_tasks: "RHEL-08-020320" + when: rhel_08_020320_accounts_removed is changed + when: + - rhel_08_020320 + tags: + - RHEL-08-020320 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230379r627750_rule + - V-230379 + - accounts + +- name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." + lineinfile: + dest: /etc/ssh/sshd_config + regexp: '(?i)^#?PrintLastLog' + line: 'PrintLastLog yes' + validate: /usr/sbin/sshd -t -f %s + owner: root + group: root + mode: 0644 + notify: restart sshd + when: + - rhel_08_020350 + - rhel8stig_ssh_required + tags: + - RHEL-08-020350 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230382r627750_rule + - V-230382 + - ssh # - name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." # lineinfile: From 6d6a0869d91cd89a778a1e44e1d498a1c96f3040 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 13:50:50 -0400 Subject: [PATCH 040/110] Updated cat2 141-150 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 317 ++++++++++++++++++++++++++------------------- 1 file changed, 184 insertions(+), 133 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 65a6d7bd..924f29b6 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
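Review bot: The RHEL-08-020250 detection for system-auth is unreliable and its update branch edits the wrong rule. `grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so'` is run without `-F` or escaping, so the bracketed control is parsed as a regex character class matching a single character rather than the literal string and an existing pam_sss.so line is never recognised; the `state: updated` task that should add `try_cert_auth` to that line then targets `module_path: pam_env.so` instead of `pam_sss.so`, so even if it ran it would leave the pam_sss.so rule untouched. Use an anchored, escaped pattern that also tolerates the multi-space separation pam.d files normally use, `shell: grep -E '^auth\s+\[success=done authinfo_unavail=ignore ignore=ignore default=die\]\s+pam_sss.so' /etc/pam.d/system-auth`, and change the updated-branch module to `module_path: pam_sss.so`; the `grep 'auth sufficient pam_sss.so'` check for smartcard-auth has the same single-space assumption. With the check always reporting no match, the `state: after` branch runs on every play; whether the pamd module then inserts a duplicate pam_sss.so rule each time depends on its idempotency and is worth verifying on a host that already has the rule.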
@@ -3799,148 +3799,199 @@ - V-230382 - ssh -# - name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." -# lineinfile: -# path: /etc/login.defs -# regexp: ^#?UMASK.* -# line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}" -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_020351 -# tags: -# - RHEL-08-020351 +- name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." + lineinfile: + path: /etc/login.defs + regexp: ^#?UMASK.* + line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}" + owner: root + group: root + mode: 0644 + when: + - rhel_08_020351 + tags: + - RHEL-08-020351 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00228 + - SV-230383r627750_rule + - V-230383 + - login + - umask -# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts." -# block: -# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files" -# find: -# paths: /home -# patterns: '^\.' -# contains: 'umask' -# recurse: yes -# hidden: yes -# use_regex: yes -# register: rhel8stig_020352_files - -# - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param" -# lineinfile: -# path: "{{ item.path }}" -# regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})" -# state: absent -# with_items: -# - "{{ rhel8stig_020352_files.files }}" -# when: rhel8stig_020352_files.matched > 0 -# when: -# - rhel_08_020352 -# tags: -# - RHEL-08-020352 -# - umask +- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts." 
+ block: + - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files" + find: + paths: /home + patterns: '^\.' + contains: 'umask' + recurse: yes + hidden: yes + use_regex: yes + register: rhel8stig_020352_files -# - name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells." -# replace: -# path: "{{ item }}" -# regexp: 'umask\s\d\d\d' -# replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}" -# with_items: -# - /etc/bashrc -# - /etc/csh.cshrc -# when: -# - rhel_08_020353 -# tags: -# - RHEL-08-020353 -# - umask + - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param" + lineinfile: + path: "{{ item.path }}" + regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})" + state: absent + with_items: + - "{{ rhel8stig_020352_files.files }}" + when: rhel8stig_020352_files.matched > 0 + when: + - rhel_08_020352 + tags: + - RHEL-08-020352 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00228 + - SV-230384r627750_rule + - V-230384 + - umask -# - name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' } -# - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' } -# - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' } -# - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' } -# notify: restart auditd -# when: -# - rhel_08_030000 -# tags: -# - RHEL-08-030000 -# - auditd +- name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells." + replace: + path: "{{ item }}" + regexp: 'umask\s\d\d\d' + replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}" + with_items: + - /etc/bashrc + - /etc/csh.cshrc + when: + - rhel_08_020353 + tags: + - RHEL-08-020353 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230385r627750_rule + - V-230385 + - umask -# - name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8." -# lineinfile: -# path: /etc/rsyslog.conf -# regexp: '^cron.*' -# line: 'cron.* /var/log/cron' -# when: -# - rhel_08_030010 -# tags: -# - RHEL-08-030010 -# - cron +- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' } + - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' } + - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' } + - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' } + notify: restart auditd + when: + - rhel_08_030000 + tags: + - RHEL-08-030000 + - CAT2 + - CCI-002233 + - SRG-OS-000326-GPOS-00126 + - SV-230386r627750_rule + - V-230386 + - auditd -# - name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^action_mail_acct =' -# line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}" -# register: rhel_08_030020_action_mail_acct_result -# failed_when: -# - rhel_08_030020_action_mail_acct_result is failed -# - rhel_08_030020_action_mail_acct_result.rc != 257 -# when: -# - rhel_08_030020 -# tags: -# - RHEL-08-030020 -# - auditd +- name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8." 
+ lineinfile: + path: /etc/rsyslog.conf + regexp: '^cron.*' + line: 'cron.* /var/log/cron' + when: + - rhel_08_030010 + tags: + - RHEL-08-030010 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230387r627750_rule + - V-230387 + - cron -# - name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure." -# lineinfile: -# path: /etc/aliases -# regexp: '^postmaster:' -# line: 'postmaster: root' -# when: -# - rhel_08_030030 -# tags: -# - RHEL-08-030030 -# - aliases +- name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^action_mail_acct =' + line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}" + register: rhel_08_030020_action_mail_acct_result + failed_when: + - rhel_08_030020_action_mail_acct_result is failed + - rhel_08_030020_action_mail_acct_result.rc != 257 + when: + - rhel_08_030020 + tags: + - RHEL-08-030020 + - CAT2 + - CCI-000139 + - SRG-OS-000046-GPOS-00022 + - SV-230388r627750_rule + - V-230388 + - auditd -# - name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^disk_error_action =' -# line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}" -# when: -# - rhel_08_030040 -# tags: -# - RHEL-08-030040 -# - auditd +- name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure." 
+ lineinfile: + path: /etc/aliases + regexp: '^postmaster:' + line: 'postmaster: root' + when: + - rhel_08_030030 + tags: + - RHEL-08-030030 + - CAT2 + - CCI-000139 + - SRG-OS-000046-GPOS-00022 + - SV-230389r627750_rule + - V-230389 + - aliases -# - name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^max_log_file_action =' -# line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" -# when: -# - rhel_08_030050 -# tags: -# - RHEL-08-030050 -# - auditd +- name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^disk_error_action =' + line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}" + when: + - rhel_08_030040 + tags: + - RHEL-08-030040 + - CAT2 + - CCI-000140 + - SRG-OS-000047-GPOS-00023 + - SV-230390r627750_rule + - V-230390 + - auditd -# - name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^disk_full_action =' -# line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}" -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_030060 -# tags: -# - RHEL-08-030060 -# - auditd +- name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." 
+ lineinfile: + path: /etc/audit/auditd.conf + regexp: '^max_log_file_action =' + line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" + when: + - rhel_08_030050 + tags: + - RHEL-08-030050 + - CAT2 + - CCI-000140 + - SRG-OS-000047-GPOS-00023 + - SV-230391r627750_rule + - V-230391 + - auditd + +- name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^disk_full_action =' + line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}" + owner: root + group: root + mode: 0644 + when: + - rhel_08_030060 + tags: + - RHEL-08-030060 + - CAT2 + - SRG-OS-000047-GPOS-00023 + - SV-230392r627750_rule + - V-230392 + - auditd # - name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events." # lineinfile: From 5bbca439a6d9d5fcd9b30f500c857ef524c7f194 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 14:02:30 -0400 Subject: [PATCH 041/110] Updated cat2 151-160 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 336 +++++++++++++++++++++++++++------------------ 1 file changed, 199 insertions(+), 137 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 924f29b6..e022ddba 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
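Review bot: The auditd.conf edits for RHEL-08-030020, 030040, 030050 and 030060 (`action_mail_acct`, `disk_error_action`, `max_log_file_action`, `disk_full_action`) carry no `notify: restart auditd`, unlike RHEL-08-030000 and RHEL-08-030062 in the same file, so the play reports the control as remediated while the running daemon keeps its old settings until something else restarts it; add `notify: restart auditd` to each of those four tasks. The RHEL-08-030010 edit to /etc/rsyslog.conf has the same gap and needs a handler that restarts rsyslog for `cron.* /var/log/cron` to take effect (I cannot see from the hunk whether the role defines one). RHEL-08-030060 is also the only task in the hunk whose tag list has no `CCI-` entry; 030040 and 030050 with the same SRG carry `CCI-000140`, so that is presumably what is missing, but confirm against the STIG. The unquoted `mode: 0644` values parse as YAML 1.1 octal and work, but `mode: "0644"` is the form ansible-lint's risky-octal check expects.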
@@ -3993,156 +3993,218 @@ - V-230392 - auditd -# - name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^local_events =' -# line: "local_events = yes" -# owner: root -# group: root -# mode: 0644 -# when: -# - rhel_08_030061 -# tags: -# - RHEL-08-030061 -# - auditd +- name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^local_events =' + line: "local_events = yes" + owner: root + group: root + mode: 0644 + when: + - rhel_08_030061 + tags: + - RHEL-08-030061 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230393r627750_rule + - V-230393 + - auditd -# - name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^name_format =' -# line: "name_format = hostname" -# notify: restart auditd -# when: -# - rhel_08_030062 -# tags: -# - RHEL-08-030062 -# - auditd +- name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^name_format =' + line: "name_format = hostname" + notify: restart auditd + when: + - rhel_08_030062 + tags: + - RHEL-08-030062 + - CAT2 + - CCI-001851 + - SRG-OS-000342-GPOS-00133 + - SV-230394r627750_rule + - V-230394 + - auditd -# - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^log_group =' -# line: "log_group = root" -# mode: 0600 -# when: -# - rhel_08_030070 -# tags: -# - RHEL-08-030070 +- name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access." 
+ lineinfile: + path: /etc/audit/auditd.conf + regexp: '^log_group =' + line: "log_group = root" + mode: 0600 + when: + - rhel_08_030070 + tags: + - RHEL-08-030070 + - CAT2 + - CCI-000162 + - SRG-OS-000057-GPOS-00027 + - SV-230396r627750_rule + - V-230396 + - permissions + - log -# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." -# block: -# - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file" -# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " -# changed_when: false -# failed_when: false -# register: rhel8stig_030080_audit_log_file +- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." + block: + - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file" + shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " + changed_when: false + failed_when: false + register: rhel8stig_030080_audit_log_file -# - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner" -# file: -# path: "{{ rhel8stig_030080_audit_log_file.stdout }}" -# owner: root -# when: rhel8stig_030080_audit_log_file.stdout | length > 0 -# when: -# - rhel_08_030080 -# tags: -# - RHEL-08-030080 + - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. 
| Set audit log owner" + file: + path: "{{ rhel8stig_030080_audit_log_file.stdout }}" + owner: root + when: rhel8stig_030080_audit_log_file.stdout | length > 0 + when: + - rhel_08_030080 + tags: + - RHEL-08-030080 + - CAT2 + - CCI-000162 + - SRG-OS-000057-GPOS-00027 + - SV-230397r627750_rule + - V-230397 + - permissions + - log -# - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access. | Set audit log group" -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^log_group' -# line: "log_group = root" -# when: -# - rhel_08_030090 -# tags: -# - RHEL-08-030090 +- name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^log_group' + line: "log_group = root" + when: + - rhel_08_030090 + tags: + - RHEL-08-030090 + - CAT2 + - CCI-000162 + - SRG-OS-000057-GPOS-00027 + - SV-230398r627750_rule + - V-230398 + - permissions + - log -# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." -# block: -# - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory" -# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' -# changed_when: false -# failed_when: false -# register: rhel_08_030100_audit_log_dir +- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." + block: + - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. 
| Get audit log directory" + shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' + changed_when: false + failed_when: false + register: rhel_08_030100_audit_log_dir -# - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner" -# file: -# path: "{{ rhel_08_030100_audit_log_dir.stdout }}" -# owner: root -# state: directory -# when: rhel_08_030100_audit_log_dir.stdout | length > 0 -# tags: -# - skip_ansible_lint -# when: -# - rhel_08_030100 -# tags: -# - RHEL-08-030100 + - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner" + file: + path: "{{ rhel_08_030100_audit_log_dir.stdout }}" + owner: root + state: directory + when: rhel_08_030100_audit_log_dir.stdout | length > 0 + tags: + - skip_ansible_lint + when: + - rhel_08_030100 + tags: + - RHEL-08-030100 + - CAT2 + - CCI-000162 + - SRG-OS-000057-GPOS-00027 + - SV-230399r627750_rule + - V-230399 + - permissions + - log -# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." -# block: -# - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory" -# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel_08_030110_audit_log_dir +- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." + block: + - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. 
| Get audit log directory" + shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' + args: + warn: no + changed_when: false + failed_when: false + register: rhel_08_030110_audit_log_dir -# - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group" -# file: -# path: "{{ rhel_08_030110_audit_log_dir.stdout }}" -# group: root -# state: directory -# when: rhel_08_030110_audit_log_dir.stdout | length > 0 -# tags: -# - skip_ansible_lint -# when: -# - rhel_08_030110 -# tags: -# - skip_ansible_lint -# - RHEL-08-030110 + - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group" + file: + path: "{{ rhel_08_030110_audit_log_dir.stdout }}" + group: root + state: directory + when: rhel_08_030110_audit_log_dir.stdout | length > 0 + tags: + - skip_ansible_lint + when: + - rhel_08_030110 + tags: + - skip_ansible_lint + - RHEL-08-030110 + - CAT2 + - CCI-000162 + - SRG-OS-000057-GPOS-00027 + - SV-230400r627750_rule + - V-230400 + - permissions + - log -# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access." -# block: -# - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. | Get audit log directory" -# shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' -# changed_when: false -# failed_when: false -# register: rhel_08_030120_audit_log_dir +- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access." 
+ block: + - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. | Get audit log directory" + shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' + changed_when: false + failed_when: false + register: rhel_08_030120_audit_log_dir -# - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms" -# file: -# path: "{{ rhel_08_030120_audit_log_dir.stdout }}" -# mode: 0700 -# state: directory -# when: rhel_08_030120_audit_log_dir.stdout | length > 0 -# when: -# - rhel_08_030120 -# tags: -# - RHEL-08-030120 + - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms" + file: + path: "{{ rhel_08_030120_audit_log_dir.stdout }}" + mode: 0700 + state: directory + when: rhel_08_030120_audit_log_dir.stdout | length > 0 + when: + - rhel_08_030120 + tags: + - RHEL-08-030120 + - CAT2 + - CCI-000162 + - SRG-OS-000057-GPOS-00027 + - SV-230401r627750_rule + - V-230401 + - permissions + - log -# - name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^-e ' -# line: "-e 2" -# when: -# - rhel_08_030121 -# tags: -# - RHEL-08-030121 -# - auditd +- name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-e ' + line: "-e 2" + when: + - rhel_08_030121 + tags: + - RHEL-08-030121 + - CAT2 + - CCI-000162 + - SRG-OS-000057-GPOS-00027 + - SV-230402r627750_rule + - V-230402 + - auditd -# - name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^--loginuid-' -# line: "--loginuid-immutable" -# when: -# - rhel_08_030122 -# tags: -# - RHEL-08-030122 -# - auditd +- name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^--loginuid-' + line: "--loginuid-immutable" + when: + - rhel_08_030122 + tags: + - RHEL-08-030122 + - CAT2 + - CCI-000162 + - SRG-OS-000057-GPOS-00027 + - SV-230403r627750_rule + - V-230403 + - auditd # - name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." # lineinfile: From 10685e072bde7365281182177493bcec771f347c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 14:17:42 -0400 Subject: [PATCH 042/110] Updated cat2 161-170 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 290 ++++++++++++++++++++++++++------------------- 1 file changed, 170 insertions(+), 120 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e022ddba..3f00c4dc 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
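Review bot: The `grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "` pipeline in RHEL-08-030080 (repeated in 030100, 030110 and 030120) also matches commented-out `#log_file = ...` lines and yields nothing for a `log_file=/path` written without spaces, so `stdout` can be multi-line or a wrong path and the `length > 0` guard does not catch that before `file:` applies `owner`/`group`/`mode: 0700` to it. Anchoring the match and stripping up to the `=` is more robust: `shell: grep -Ei '^[[:space:]]*log_file[[:space:]]*=' /etc/audit/auditd.conf | sed 's/.*=[[:space:]]*//'` (keep the existing `| sed 's,/*[^/]\+/*$,,'` suffix for the directory variants), ideally with a `when:` that the value starts with `/`. Only the 030110 copy has `args: warn: no`; the four should agree. RHEL-08-030070 and RHEL-08-030090 both write `log_group = root` with different regexps, and of the auditd.conf edits in this hunk only 030062 notifies `restart auditd`, so the other new values (030061 `local_events`, 030070/030090 `log_group`) are not applied to the running daemon.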
@@ -4206,136 +4206,186 @@ - V-230403 - auditd -# - name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^-w /etc/shadow' -# line: '-w /etc/shadow -p wa -k identity' -# notify: restart auditd -# when: -# - rhel_08_030130 -# tags: -# - RHEL-08-030130 -# - auditd +- name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/shadow' + line: '-w /etc/shadow -p wa -k identity' + notify: restart auditd + when: + - rhel_08_030130 + tags: + - RHEL-08-030130 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230404r627750_rule + - V-230404 + - auditd -# - name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^-w /etc/security/opasswd' -# line: -w /etc/security/opasswd -p wa -k identity -# notify: restart auditd -# when: -# - rhel_08_030140 -# tags: -# - RHEL-08-030140 -# - auditd +- name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/security/opasswd' + line: -w /etc/security/opasswd -p wa -k identity + notify: restart auditd + when: + - rhel_08_030140 + tags: + - RHEL-08-030140 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230405r627750_rule + - V-230405 + - auditd -# - name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^-w /etc/passwd' -# line: -w /etc/passwd -p wa -k identity -# notify: restart auditd -# when: -# - rhel_08_030150 -# tags: -# - RHEL-08-030150 -# - auditd +- name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/passwd' + line: -w /etc/passwd -p wa -k identity + notify: restart auditd + when: + - rhel_08_030150 + tags: + - RHEL-08-030150 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230406r627750_rule + - V-230406 + - auditd -# - name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^-w /etc/gshadow' -# line: -w /etc/gshadow -p wa -k identity -# notify: restart auditd -# when: -# - rhel_08_030160 -# tags: -# - RHEL-08-030160 -# - auditd +- name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/gshadow' + line: -w /etc/gshadow -p wa -k identity + notify: restart auditd + when: + - rhel_08_030160 + tags: + - RHEL-08-030160 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230407r627750_rule + - V-230407 + - auditd -# - name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^-w /etc/group' -# line: -w /etc/group -p wa -k identity -# notify: restart auditd -# when: -# - rhel_08_030170 -# tags: -# - RHEL-08-030170 -# - auditd +- name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/group' + line: -w /etc/group -p wa -k identity + notify: restart auditd + when: + - rhel_08_030170 + tags: + - RHEL-08-030170 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230408r627750_rule + - V-230408 + - auditd -# - name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^-w /etc/sudoers ' -# line: -w /etc/sudoers -p wa -k identity -# notify: restart auditd -# when: -# - rhel_08_030171 -# tags: -# - RHEL-08-030171 -# - auditd +- name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/sudoers ' + line: -w /etc/sudoers -p wa -k identity + notify: restart auditd + when: + - rhel_08_030171 + tags: + - RHEL-08-030171 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230409r627750_rule + - V-230409 + - auditd -# - name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^-w /etc/sudoers.d/' -# line: -w /etc/sudoers.d/ -p wa -k identity -# notify: restart auditd -# when: -# - rhel_08_030172 -# tags: -# - RHEL-08-030172 -# - auditd +- name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/." + lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-w /etc/sudoers.d/' + line: -w /etc/sudoers.d/ -p wa -k identity + notify: restart auditd + when: + - rhel_08_030172 + tags: + - RHEL-08-030172 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230410r627750_rule + - V-230410 + - auditd -# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." -# block: -# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit" -# dnf: -# name: audit -# state: present +- name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." 
+ block: + - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit" + dnf: + name: audit + state: present -# - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service" -# service: -# name: auditd -# enabled: yes -# state: started -# when: -# - rhel_08_030180 -# tags: -# - rhel_08_030180 -# - dnf -# - auditd + - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service" + service: + name: auditd + enabled: yes + state: started + when: + - rhel_08_030180 + tags: + - rhel_08_030180 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230411r646881_rule + - V-230411 + - dnf + - auditd -# - name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' -# line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' -# notify: restart auditd -# when: -# - rhel_08_030190 -# tags: -# - RHEL-08-030190 -# - auditd +- name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' + line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change' + notify: restart auditd + when: + - rhel_08_030190 + tags: + - RHEL-08-030190 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230412r627750_rule + - V-230412 + - auditd -# - name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: "{{ item }}" -# with_items: -# - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod -# - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod -# - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod -# notify: restart auditd -# when: -# - rhel_08_030200 -# tags: -# - RHEL-08-030200 -# - auditd +- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call." 
+ lineinfile: + path: /etc/audit/rules.d/audit.rules + line: "{{ item }}" + with_items: + - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod + - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod + - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod + notify: restart auditd + when: + - rhel_08_030200 + tags: + - RHEL-08-030200 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230413r627750_rule + - V-230413 + - auditd # - name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call." # lineinfile: From cc43291f98612681cfd313fed01568e372fc534e Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 14:30:20 -0400 Subject: [PATCH 043/110] Updated cat2 171-180 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 320 ++++++++++++++++++++++++++------------------- 1 file changed, 187 insertions(+), 133 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3f00c4dc..d6dcfb6d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
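Review bot: RHEL-08-030180 is tagged `rhel_08_030180` (lowercase, underscores) while every other task in the hunk uses the `RHEL-08-NNNNNN` form, so a run limited with `--tags RHEL-08-030180` skips the task that installs audit and enables auditd; change the tag line to `- RHEL-08-030180`. The lremovexattr rules in RHEL-08-030200 are added with `lineinfile` and no `regexp`, so an existing rule that differs only in spelling (for example `-F auid!=4294967295` instead of `-F auid!=unset`) is left in place and a second rule is appended rather than replaced; the `regexp:` form used by 030190 avoids that. `enabled: yes` in the 030180 service task is the truthy spelling ansible-lint flags; `enabled: true` is the canonical form.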
@@ -4387,148 +4387,202 @@
 - V-230413
 - auditd
-# - name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030210
-# tags:
-# - RHEL-08-030210
-# - auditd
+- name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030210
+ tags:
+ - RHEL-08-030210
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230414r627750_rule
+ - V-230414
+ - auditd
-# - name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030220
-# tags:
-# - RHEL-08-030220
-# - auditd
+- name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030220
+ tags:
+ - RHEL-08-030220
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230415r627750_rule
+ - V-230415
+ - auditd
-# - name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030230
-# tags:
-# - RHEL-08-030230
-# - auditd
+- name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030230
+ tags:
+ - RHEL-08-030230
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230416r627750_rule
+ - V-230416
+ - auditd
-# - name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030240
-# tags:
-# - RHEL-08-030240
-# - auditd
+- name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030240
+ tags:
+ - RHEL-08-030240
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230417r627750_rule
+ - V-230417
+ - auditd
-# - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
-# notify: restart auditd
-# when:
-# - rhel_08_030250
-# tags:
-# - RHEL-08-030250
-# - auditd
+- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
+ notify: restart auditd
+ when:
+ - rhel_08_030250
+ tags:
+ - RHEL-08-030250
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230418r627750_rule
+ - V-230418
+ - auditd
-# - name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030260
-# tags:
-# - RHEL-08-030260
-# - auditd
+- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030260
+ tags:
+ - RHEL-08-030260
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230419r627750_rule
+ - V-230419
+ - auditd
-# - name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
-# - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030270
-# tags:
-# - RHEL-08-030270
-# - auditd
+- name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030270
+ tags:
+ - RHEL-08-030270
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230420r627750_rule
+ - V-230420
+ - auditd
-# - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
-# notify: restart auditd
-# when:
-# - rhel_08_030280
-# tags:
-# - RHEL-08-030280
-# - auditd
+- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+ notify: restart auditd
+ when:
+ - rhel_08_030280
+ tags:
+ - RHEL-08-030280
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230421r627750_rule
+ - V-230421
+ - auditd
-# - name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
-# notify: restart auditd
-# when:
-# - rhel_08_030290
-# tags:
-# - RHEL-08-030290
-# - auditd
+- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
+ notify: restart auditd
+ when:
+ - rhel_08_030290
+ tags:
+ - RHEL-08-030290
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230422r627750_rule
+ - V-230422
+ - auditd
-# - name: |
-# "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
-# "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
-# - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
-# - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
-# notify: restart auditd
-# when:
-# - rhel_08_030300 or
-# rhel_08_030302
-# tags:
-# - RHEL-08-030300
-# - RHEL-08-030302
-# - auditd
+- name: |
+ "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
+ "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ notify: restart auditd
+ when:
+ - rhel_08_030300 or
+ rhel_08_030302
+ tags:
+ - CAT2
+ - RHEL-08-030300
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230423r627750_rule
+ - V-230423
+ - RHEL-08-030302
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230425r627750_rule
+ - V-230425
+ - auditd
 # - name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
 # lineinfile:
From 6d0dd990a67a53a1d229b86f9423f58c58e0f172 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 11 Aug 2021 14:37:42 -0400
Subject: [PATCH 044/110] Updated cat2 181-190
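Review bot: The re-enabled `lineinfile` tasks from RHEL-08-030210 through RHEL-08-030300 carry only `line:` and no `regexp:`, so the module matches nothing but an exact copy of the rule; a pre-existing variant of the same rule (different `-k` key, different field order) is left in place and the new line appended, unlike the RHEL-08-030190 task in the preceding hunk, which anchors on a `regexp`. For the path-based tasks a prefix anchor such as `regexp: '^-a always,exit -F path=/usr/bin/chage -F perm=x '` would replace rather than duplicate; the `with_items` tasks would need each item to carry its own regexp/line pair. The same gap is present in the following commits' hunks (RHEL-08-030301 through RHEL-08-030317, and RHEL-08-030320 through RHEL-08-030365). Separately, the combined RHEL-08-030300/030302 task lists `CCI-000169` and `SRG-OS-000062-GPOS-00031` twice under `tags:`; the second pair adds nothing and can be dropped.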
Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 225 +++++++++++++++++++++++++++------------------
 1 file changed, 135 insertions(+), 90 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index d6dcfb6d..e0b1e2c5 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -4584,104 +4584,149 @@
 - V-230425
 - auditd
-# - name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
-# notify: restart auditd
-# when:
-# - rhel_08_030301
-# tags:
-# - RHEL-08-030301
-# - auditd
+- name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+ notify: restart auditd
+ when:
+ - rhel_08_030301
+ tags:
+ - RHEL-08-030301
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230424r627750_rule
+ - V-230424
+ - auditd
-# - name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
-# notify: restart auditd
-# when:
-# - rhel_08_030310
-# tags:
-# - RHEL-08-030310
-# - auditd
+- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030310
+ tags:
+ - RHEL-08-030310
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230426r627750_rule
+ - V-230426
+ - auditd
-# - name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
-# notify: restart auditd
-# when:
-# - rhel_08_030311
-# tags:
-# - RHEL-08-030311
-# - auditd
+- name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030311
+ tags:
+ - RHEL-08-030311
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230427r627750_rule
+ - V-230427
+ - auditd
-# - name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
-# notify: restart auditd
-# when:
-# - rhel_08_030312
-# tags:
-# - RHEL-08-030312
-# - auditd
+- name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030312
+ tags:
+ - RHEL-08-030312
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230428r627750_rule
+ - V-230428
+ - auditd
-# - name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
-# notify: restart auditd
-# when:
-# - rhel_08_030313
-# tags:
-# - RHEL-08-030313
-# - auditd
+- name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030313
+ tags:
+ - RHEL-08-030313
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230429r627750_rule
+ - V-230429
+ - auditd
-# - name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
-# notify: restart auditd
-# when:
-# - rhel_08_030314
-# tags:
-# - RHEL-08-030314
-# - auditd
+- name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030314
+ tags:
+ - RHEL-08-030314
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230430r627750_rule
+ - V-230430
+ - auditd
-# - name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
-# notify: restart auditd
-# when:
-# - rhel_08_030315
-# tags:
-# - RHEL-08-030315
-# - auditd
+- name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030315
+ tags:
+ - RHEL-08-030315
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230431r627750_rule
+ - V-230431
+ - auditd
-# - name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
-# notify: restart auditd
-# when:
-# - rhel_08_030316
-# tags:
-# - RHEL-08-030316
-# - auditd
+- name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030316
+ tags:
+ - RHEL-08-030316
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230432r627750_rule
+ - V-230432
+ - auditd
-# - name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
-# notify: restart auditd
-# when:
-# - rhel_08_030317
-# tags:
-# - RHEL-08-030317
-# - auditd
+- name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+ notify: restart auditd
+ when:
+ - rhel_08_030317
+ tags:
+ - RHEL-08-030317
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230433r627750_rule
+ - V-230433
+ - auditd
 # - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
 # lineinfile:
From 7550d874cd8d1c23e92720998de268bbd6ccd2c0 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 11 Aug 2021 14:46:38 -0400
Subject: [PATCH 045/110] Updated cat2 191-200
Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 286 ++++++++++++++++++++++++++------------------
 1 file changed, 168 insertions(+), 118 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index e0b1e2c5..f101294f 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
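Review bot: The userhelper task is named `RHEL-08-03015`, a digit short of the `rhel_08_030315` condition and the `RHEL-08-030315` tag on the same task; the commented-out version carried the same typo and un-commenting preserved it. Task names are what appears in run output and what an assessor greps for when mapping failures back to STIG IDs, so the mismatch sends them to a non-existent finding. Change the line to `- name: "MEDIUM | RHEL-08-030315 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."`.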
@@ -4728,133 +4728,183 @@
 - V-230433
 - auditd
-# - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
-# notify: restart auditd
-# when:
-# - rhel_08_030320
-# tags:
-# - RHEL-08-030320
-# - auditd
+- name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+ notify: restart auditd
+ when:
+ - rhel_08_030320
+ tags:
+ - RHEL-08-030320
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230434r627750_rule
+ - V-230434
+ - auditd
-# - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030330
-# tags:
-# - RHEL-08-030330
-# - auditd
+- name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030330
+ tags:
+ - RHEL-08-030330
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230435r627750_rule
+ - V-230435
+ - auditd
-# - name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check
-# notify: restart auditd
-# when:
-# - rhel_08_030340
-# tags:
-# - RHEL-08-030340
-# - auditd
+- name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check
+ notify: restart auditd
+ when:
+ - rhel_08_030340
+ tags:
+ - RHEL-08-030340
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230436r627750_rule
+ - V-230436
+ - auditd
-# - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
-# notify: restart auditd
-# when:
-# - rhel_08_030350
-# tags:
-# - RHEL-08-030350
-# - auditd
+- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+ notify: restart auditd
+ when:
+ - rhel_08_030350
+ tags:
+ - RHEL-08-030350
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230437r627750_rule
+ - V-230437
+ - auditd
-# - name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030360
-# tags:
-# - RHEL-08-030360
-# - auditd
+- name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030360
+ tags:
+ - RHEL-08-030360
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230438r627750_rule
+ - V-230438
+ - auditd
-# - name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# notify: restart auditd
-# when:
-# - rhel_08_030361
-# tags:
-# - RHEL-08-030361
-# - auditd
+- name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030361
+ tags:
+ - RHEL-08-030361
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230439r627750_rule
+ - V-230439
+ - auditd
-# - name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# notify: restart auditd
-# when:
-# - rhel_08_030362
-# tags:
-# - RHEL-08-030362
-# - auditd
+- name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030362
+ tags:
+ - RHEL-08-030362
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230440r627750_rule
+ - V-230440
+ - auditd
-# - name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# notify: restart auditd
-# when:
-# - rhel_08_030363
-# tags:
-# - RHEL-08-030363
-# - auditd
+- name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030363
+ tags:
+ - RHEL-08-030363
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230441r627750_rule
+ - V-230441
+ - auditd
-# - name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# notify: restart auditd
-# when:
-# - rhel_08_030364
-# tags:
-# - RHEL-08-030364
-# - auditd
+- name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030364
+ tags:
+ - RHEL-08-030364
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230442r627750_rule
+ - V-230442
+ - auditd
-# - name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
-# notify: restart auditd
-# when:
-# - rhel_08_030365
-# tags:
-# - RHEL-08-030365
-# - auditd
+- name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+ notify: restart auditd
+ when:
+ - rhel_08_030365
+ tags:
+ - RHEL-08-030365
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230443r627750_rule
+ - V-230443
+ - auditd
 # - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."
 # lineinfile:
From 527e23fd2f52f47e7fdcf9cb3c2d488a24ba12b9 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 11 Aug 2021 14:55:31 -0400
Subject: [PATCH 046/110] Updated cat2 201-210
Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 277 ++++++++++++++++++++++++++------------------
 1 file changed, 161 insertions(+), 116 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index f101294f..5e94df95 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
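Review bot: The renameat task is named `RHEL-0-030362` while its `when:` condition (`rhel_08_030362`) and its tag (`RHEL-08-030362`) use the full `08` prefix; the typo came across from the commented-out version. Since the name is the only STIG reference visible in play output, a reader correlating a failed task with its finding will not locate `RHEL-0-030362` in the benchmark. Change the line to `- name: "MEDIUM | RHEL-08-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record."`.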
@@ -4906,130 +4906,175 @@
 - V-230443
 - auditd
-# - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd
-# notify: restart auditd
-# when:
-# - rhel_08_030370
-# tags:
-# - RHEL-08-030370
-# - auditd
+- name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd
+ notify: restart auditd
+ when:
+ - rhel_08_030370
+ tags:
+ - RHEL-08-030370
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230444r627750_rule
+ - V-230444
+ - auditd
-# - name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030380
-# tags:
-# - RHEL-08-030380
-# - auditd
+- name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030380
+ tags:
+ - RHEL-08-030380
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230445r627750_rule
+ - V-230445
+ - auditd
-# - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030390
-# tags:
-# - RHEL-08-030390
-# - auditd
+- name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030390
+ tags:
+ - RHEL-08-030390
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230446r627750_rule
+ - V-230446
+ - auditd
-# - name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab
-# notify: restart auditd
-# when:
-# - rhel_08_030400
-# tags:
-# - RHEL-08-030400
-# - auditd
+- name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab
+ notify: restart auditd
+ when:
+ - rhel_08_030400
+ tags:
+ - RHEL-08-030400
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230447r627750_rule
+ - V-230447
+ - auditd
-# - name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
-# notify: restart auditd
-# when:
-# - rhel_08_030410
-# tags:
-# - RHEL-08-030410
-# - auditd
+- name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+ notify: restart auditd
+ when:
+ - rhel_08_030410
+ tags:
+ - RHEL-08-030410
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230448r627750_rule
+ - V-230448
+ - auditd
-# - name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030420
-# tags:
-# - RHEL-08-030420
-# - auditd
+- name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030420
+ tags:
+ - RHEL-08-030420
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230449r627750_rule
+ - V-230449
+ - auditd
-# - name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030430
-# tags:
-# - RHEL-08-030430
-# - auditd
+- name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030430
+ tags:
+ - RHEL-08-030430
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230450r627750_rule
+ - V-230450
+ - auditd
-# - name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030440
-# tags:
-# - RHEL-08-030440
-# - auditd
+- name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030440
+ tags:
+ - RHEL-08-030440
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230451r627750_rule
+ - V-230451
+ - auditd
-# - name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030450
-# tags:
-# - RHEL-08-030450
-# - auditd
+- name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030450
+ tags:
+ - RHEL-08-030450
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230452r627750_rule
+ - V-230452
+ - auditd
 # - name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."
 # lineinfile:
From 436bec07d6ac870000ca5f903748600c7d40b594 Mon Sep 17 00:00:00 2001
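Review bot: None of the re-enabled `lineinfile` tasks in this hunk (RHEL-08-030370 through 030450) carries a `regexp`, so a pre-existing rule for the same path or syscall that differs only in its `-k` key or whitespace is left in place and a second rule is appended instead of corrected; the same applies to every task in the PATCH 047 hunk that follows. For the single-line tasks a selector such as `regexp: '^-a always,exit -F path=/usr/bin/gpasswd '` would make the rule replace rather than accumulate, and for the `with_items` loops the `regexp` would need to be derived per item. `with_items` is also the legacy form; `loop:` reads the same and is what current ansible-lint expects. The `restart auditd` handler is defined outside this hunk; auditd on RHEL 8 refuses a plain `systemctl restart`, so it presumably relies on `service auditd restart` or `augenrules --load` to activate these rules — worth confirming.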
From: George Nalen
Date: Wed, 11 Aug 2021 15:03:29 -0400
Subject: [PATCH 047/110] Updated cat2 211-220
Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 337 ++++++++++++++++++++++++++------------------
 1 file changed, 196 insertions(+), 141 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 5e94df95..9d103a87 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -5076,157 +5076,212 @@
 - V-230452
 - auditd
-# - name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030460
-# tags:
-# - RHEL-08-030460
-# - auditd
+- name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030460
+ tags:
+ - RHEL-08-030460
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230453r627750_rule
+ - V-230453
+ - auditd
-# - name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
-# notify: restart auditd
-# when:
-# - rhel_08_030470
-# tags:
-# - RHEL-08-030470
-# - auditd
+- name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+ notify: restart auditd
+ when:
+ - rhel_08_030470
+ tags:
+ - RHEL-08-030470
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230454r627750_rule
+ - V-230454
+ - auditd
-# - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030480
-# tags:
-# - RHEL-08-030480
-# - auditd
+- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030480
+ tags:
+ - RHEL-08-030480
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230455r627750_rule
+ - V-230455
+ - auditd
-# - name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030490
-# tags:
-# - RHEL-08-030490
-# - auditd
+- name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030490
+ tags:
+ - RHEL-08-030490
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230456r627750_rule
+ - V-230456
+ - auditd
-# - name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030500
-# tags:
-# - RHEL-08-030500
-# - auditd
+- name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030500
+ tags:
+ - RHEL-08-030500
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230457r627750_rule
+ - V-230457
+ - auditd
-# - name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030510
-# tags:
-# - RHEL-08-030510
-# - auditd
+- name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030510
+ tags:
+ - RHEL-08-030510
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230458r627750_rule
+ - V-230458
+ - auditd
-# - name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-# notify: restart auditd
-# when:
-# - rhel_08_030520
-# tags:
-# - RHEL-08-030520
-# - auditd
+- name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ notify: restart auditd
+ when:
+ - rhel_08_030520
+ tags:
+ - RHEL-08-030520
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230459r627750_rule
+ - V-230459
+ - auditd
-# - name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030530
-# tags:
-# - RHEL-08-030530
-# - auditd
+- name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030530
+ tags:
+ - RHEL-08-030530
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230460r627750_rule
+ - V-230460
+ - auditd
-# - name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: "{{ item }}"
-# with_items:
-# - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
-# notify: restart auditd
-# when:
-# - rhel_08_030540
-# tags:
-# - RHEL-08-030540
-# - auditd
+- name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: "{{ item }}"
+ with_items:
+ - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ notify: restart auditd
+ when:
+ - rhel_08_030540
+ tags:
+ - RHEL-08-030540
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230461r627750_rule
+ - V-230461
+ - auditd
-# - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
-# notify: restart auditd
-# when:
-# - rhel_08_030550
-# tags:
-# - RHEL-08-030550
-# - auditd
+- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+ notify: restart auditd
+ when:
+ - rhel_08_030550
+ tags:
+ - RHEL-08-030550
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230462r627750_rule
+ - V-230462
+ - auditd
-# - name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
-# lineinfile:
-# path: /etc/audit/rules.d/audit.rules
-# line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod
-# notify: restart auditd
-# when:
-# - rhel_08_030560
-# tags:
-# - RHEL-08-030560
-# - auditd
+- name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
+ lineinfile:
+ path: /etc/audit/rules.d/audit.rules
+ line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod
+ notify: restart auditd
+ when:
+ - rhel_08_030560
+ tags:
+ - RHEL-08-030560
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230463r627750_rule
+ - V-230463
+ - auditd
 # - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
 # lineinfile:
From 094208eeef66df7737422854e7a34b3a9d23de1c Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 11 Aug 2021 15:13:13 -0400
Subject: [PATCH 048/110] Updated cat2 221-230
Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 351 ++++++++++++++++++++++++++-------------------
 1 file changed, 201 insertions(+), 150 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 9d103a87..1fad5a04 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
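Review bot: RHEL-08-030520 (fchown) keys its two rules `-k perm_mod` while the sibling chown, chmod, lchown, fchownat, fchmodat and fchmod tasks in this hunk all use `-k perm_chng`, and nothing in the file says whether the odd one out is deliberate. If it mirrors the STIG check text for that control, a comment above the task such as `# -k perm_mod matches the STIG check text for fchown; do not normalise to perm_chng` would stop a later cleanup from silently changing it; if it is not deliberate, aligning the key lets a single `ausearch -k perm_chng` return the whole ownership/mode family. The other re-enabled tasks in the hunk are consistent with each other in filter, key and tag set.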
@@ -5283,168 +5283,219 @@ - V-230463 - auditd -# - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng -# notify: restart auditd -# when: -# - rhel_08_030570 -# tags: -# - RHEL-08-030570 -# - auditd +- name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + notify: restart auditd + when: + - rhel_08_030570 + tags: + - RHEL-08-030570 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230464r627750_rule + - V-230464 + - auditd -# - name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules -# notify: restart auditd -# when: -# - rhel_08_030580 -# tags: -# - RHEL-08-030580 -# - auditd +- name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules + notify: restart auditd + when: + - rhel_08_030580 + tags: + - RHEL-08-030580 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230465r627750_rule + - V-230465 + - auditd -# - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record." 
-# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -w /var/log/faillock -p wa -k logins -# notify: restart auditd -# when: -# - rhel_08_030590 -# tags: -# - RHEL-08-030590 -# - auditd +- name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -w /var/log/faillock -p wa -k logins + notify: restart auditd + when: + - rhel_08_030590 + tags: + - RHEL-08-030590 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230466r627750_rule + - V-230466 + - auditd -# - name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record." -# lineinfile: -# path: /etc/audit/rules.d/audit.rules -# line: -w /var/log/lastlog -p wa -k logins -# notify: restart auditd -# when: -# - rhel_08_030600 -# tags: -# - RHEL-08-030600 -# - auditd +- name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record." + lineinfile: + path: /etc/audit/rules.d/audit.rules + line: -w /var/log/lastlog -p wa -k logins + notify: restart auditd + when: + - rhel_08_030600 + tags: + - RHEL-08-030600 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-230467r627750_rule + - V-230467 + - auditd -# - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." 
-# file: -# path: "{{ item }}" -# mode: 0640 -# with_items: -# - /etc/audit/rules.d/audit.rules -# - /etc/audit/auditd.conf -# when: -# - rhel_08_030610 -# tags: -# - RHEL-08-030610 -# - permissions +- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." + file: + path: "{{ item }}" + mode: 0640 + with_items: + - /etc/audit/rules.d/audit.rules + - /etc/audit/auditd.conf + when: + - rhel_08_030610 + tags: + - RHEL-08-030610 + - CAT2 + - CCI-000171 + - SRG-OS-000063-GPOS-00032 + - SV-230471r627750_rule + - V-230471 + - permissions -# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive." -# block: -# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms" -# shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" " -# changed_when: false -# failed_when: false -# register: rhel_08_030620_tools +- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive." + block: + - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms" + shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" " + changed_when: false + failed_when: false + register: rhel_08_030620_tools -# - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. 
| Set permissions to 755 on tools" -# file: -# path: "{{ item }}" -# mode: 0755 -# with_items: -# - "{{ rhel_08_030620_tools.stdout_lines }}" -# when: -# - rhel_08_030620 -# tags: -# - RHEL-08-030620 -# - permissions + - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools" + file: + path: "{{ item }}" + mode: 0755 + with_items: + - "{{ rhel_08_030620_tools.stdout_lines }}" + when: + - rhel_08_030620 + tags: + - RHEL-08-030620 + - CAT2 + - CCI-001493 + - SRG-OS-000256-GPOS-00097 + - SV-230472r627750_rule + - V-230472 + - permissions -# - name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root." -# file: -# path: "{{ item }}" -# owner: root -# with_items: -# - /sbin/auditctl -# - /sbin/aureport -# - /sbin/ausearch -# - /sbin/autrace -# - /sbin/auditd -# - /sbin/audisp-remote -# - /sbin/audisp-syslog -# - /sbin/augenrules -# when: -# - rhel_08_030630 -# tags: -# - RHEL-08-030630 -# - permissions +- name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root." + file: + path: "{{ item }}" + owner: root + with_items: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/audisp-remote + - /sbin/audisp-syslog + - /sbin/augenrules + when: + - rhel_08_030630 + tags: + - RHEL-08-030630 + - CAT2 + - CCI-001493 + - SRG-OS-000256-GPOS-00097 + - SV-230473r627750_rule + - V-230473 + - permissions -# - name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root." -# file: -# path: "{{ item }}" -# owner: root -# with_items: -# - /sbin/auditctl -# - /sbin/aureport -# - /sbin/ausearch -# - /sbin/autrace -# - /sbin/auditd -# - /sbin/audisp-remote -# - /sbin/audisp-syslog -# - /sbin/augenrules -# when: -# - rhel_08_030640 -# tags: -# - RHEL-08-030640 -# - permissions +- name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root." 
+ file: + path: "{{ item }}" + owner: root + with_items: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/audisp-remote + - /sbin/audisp-syslog + - /sbin/augenrules + when: + - rhel_08_030640 + tags: + - RHEL-08-030640 + - CAT2 + - CCI-00149 + - SRG-OS-000256-GPOS-00097 + - SV-230474r627750_rule + - V-230474 + - permissions -# - name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools." -# lineinfile: -# path: /etc/aide.conf -# line: "{{ item }}" -# owner: root -# group: root -# mode: 0600 -# with_items: -# - "# Audit Tools" -# - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512 -# - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 -# when: -# - rhel_08_030650 -# tags: -# - RHEL-08-030650 -# - aide +- name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools." 
+ lineinfile: + path: /etc/aide.conf + line: "{{ item }}" + owner: root + group: root + mode: 0600 + with_items: + - "# Audit Tools" + - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 + - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 + - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 + - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512 + - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512 + - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + when: + - rhel_08_030650 + tags: + - RHEL-08-030650 + - CAT2 + - CCI-001496 + - SRG-OS-000278-GPOS-00108 + - SV-230475r627750_rule + - V-230475 + - aide -# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility." -# block: -# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition" -# shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|' -# changed_when: false -# failed_when: false -# register: rhel_08_030660_audit_log_path +- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility." + block: + - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. 
| Get audit log partition" + shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|' + changed_when: false + failed_when: false + register: rhel_08_030660_audit_log_path -# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition" -# shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}" -# changed_when: false -# failed_when: false -# register: rhel_08_030660_audit_log_partition + - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition" + shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}" + changed_when: false + failed_when: false + register: rhel_08_030660_audit_log_partition -# - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size" -# debug: -# msg: -# - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition" -# - "Path: {{ rhel_08_030660_audit_log_path.stdout }}" -# - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}" -# when: -# - rhel_08_030660 -# tags: -# - RHEL-08-030660 + - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. 
| Message out partition size" + debug: + msg: + - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition" + - "Path: {{ rhel_08_030660_audit_log_path.stdout }}" + - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}" + when: + - rhel_08_030660 + tags: + - RHEL-08-030660 + - CAT2 + - CCI-001849 + - SRG-OS-000341-GPOS-00132 + - SV-230476r627750_rule + - V-230476 + - auditd # - name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed." # dnf: From ced06d13dfd779cc42bbb35fdf2f1cbeb9b7cf77 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 15:22:01 -0400 Subject: [PATCH 049/110] Updated cat2 231-240 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 276 ++++++++++++++++++++++++++------------------- 1 file changed, 163 insertions(+), 113 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 1fad5a04..e1b6d4b0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
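Review bot: The RHEL-08-030640 task, whose name says the audit tools must be group-owned by root, sets `owner: root` instead of `group: root`, so group ownership is never enforced and the task merely repeats RHEL-08-030630; the line should be `group: root`. In RHEL-08-030620 the stat pipeline lists every tool regardless of its mode despite the "Find tools with less than 755 perms" name, and the follow-up `mode: 0755` then sets each tool to exactly 0755, which loosens any tool that is already more restrictive (for example 0750); filter the stat output to modes more permissive than 755 before the file task, or use a subtractive symbolic mode such as `mode: "go-w"` instead of an absolute one. RHEL-08-030580 hard-codes `auid>=1000` while the neighbouring rules use `{{ rhel8stig_interactive_uid_start }}`, so a non-default interactive UID range is not honoured for the kmod rule. The tag `CCI-00149` on RHEL-08-030640 also looks truncated next to `CCI-001493` on RHEL-08-030630.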
@@ -5497,127 +5497,177 @@ - V-230476 - auditd -# - name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed." -# dnf: -# name: rsyslog -# state: present -# when: -# - rhel_08_030670 -# tags: -# - RHEL-08-030670 -# - rsyslog +- name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed." + dnf: + name: rsyslog + state: present + when: + - rhel_08_030670 + tags: + - RHEL-08-030670 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230477r627750_rule + - V-230477 + - rsyslog -# - name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed." -# dnf: -# name: gnutls -# state: present -# when: -# - rhel_08_030680 -# tags: -# - RHEL-08-030680 -# - gnutls +- name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed." + dnf: + name: gnutls + state: present + when: + - rhel_08_030680 + tags: + - RHEL-08-030680 + - CAT2 + - CCI-00036 + - SRG-OS-000480-GPOS-00227 + - SV-230478r627750_rule + - V-230478 + - gnutls -# - name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited." -# lineinfile: -# path: /etc/rsyslog.conf -# regexp: '^.*\@\@' -# line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" -# when: -# - rhel_08_030690 -# tags: -# - RHEL-08-030690 -# - auditd +- name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited." 
+ lineinfile: + path: /etc/rsyslog.conf + regexp: '^.*\@\@' + line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" + when: + - rhel_08_030690 + tags: + - RHEL-08-030690 + - CAT2 + - CCI-001851 + - SRG-OS-000342-GPOS-00133 + - SV-230479r627750_rule + - V-230479 + - auditd -# - name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full." -# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: '^overflow_action =' -# line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}' -# notify: restart auditd -# when: -# - rhel_08_030700 -# tags: -# - RHEL-08-030700 -# - auditd +- name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^overflow_action =' + line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}' + notify: restart auditd + when: + - rhel_08_030700 + tags: + - RHEL-08-030700 + - CAT2 + - CCI-001851 + - SRG-OS-000342-GPOS-00133 + - SV-230480r627750_rule + - V-230480 + - auditd -# - name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." -# lineinfile: -# path: /etc/rsyslog.conf -# create: yes -# owner: root -# group: root -# mode: 0644 -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' } -# - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' } -# when: -# - rhel_08_030710 -# tags: -# - RHEL-08-030710 -# - auditd +- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." 
+ lineinfile: + path: /etc/rsyslog.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' } + - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' } + when: + - rhel_08_030710 + tags: + - RHEL-08-030710 + - CAT2 + - CCI-001851 + - SRG-OS-000342-GPOS-00133 + - SV-230481r627750_rule + - V-230481 + - auditd -# - name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs." -# lineinfile: -# path: /etc/rsyslog.conf -# regexp: '^\$ActionSendStreamDriverAuthMode' -# line: "$ActionSendStreamDriverAuthMode x509/name" -# notify: restart auditd -# when: -# - rhel_08_030720 -# tags: -# - rhel_08_030720 -# - auditd +- name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs." + lineinfile: + path: /etc/rsyslog.conf + regexp: '^\$ActionSendStreamDriverAuthMode' + line: "$ActionSendStreamDriverAuthMode x509/name" + notify: restart auditd + when: + - rhel_08_030720 + tags: + - rhel_08_030720 + - CAT2 + - CCI-001851 + - SRG-OS-000342-GPOS-00133 + - SV-230482r627750_rule + - V-230482 + - auditd -# - name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." 
-# lineinfile: -# path: /etc/audit/auditd.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^space_left =', line: 'space_left = 25%' } -# - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' } -# when: -# - rhel_08_030730 -# tags: -# - RHEL-08-030730 -# - auditd +- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." + lineinfile: + path: /etc/audit/auditd.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^space_left =', line: 'space_left = 25%' } + - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' } + when: + - rhel_08_030730 + tags: + - RHEL-08-030730 + - CAT2 + - CCI-001855 + - SRG-OS-000343-GPOS-00134 + - SV-230483r627750_rule + - V-230483 + - auditd -# - name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." -# lineinfile: -# path: /etc/chrony.conf -# regexp: '^server' -# line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16' -# notify: restart {{ rhel8stig_time_service }} -# when: -# - rhel_08_030740 -# tags: -# - RHEL-08-030740 -# - chronyd - -# - name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed." 
-# shell: dnf remove abrt* -# failed_when: false -# args: -# warn: false -# when: -# - rhel_08_040001 -# tags: -# - RHEL-08-040001 -# - dnf -# - abrt +- name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." + lineinfile: + path: /etc/chrony.conf + regexp: '^server' + line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16' + notify: restart {{ rhel8stig_time_service }} + when: + - rhel_08_030740 + tags: + - RHEL-08-030740 + - CAT2 + - CCI-001891 + - SRG-OS-000355-GPOS-00143 + - SV-230484r627750_rule + - V-230484 + - chronyd -# - name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed." -# dnf: -# name: sendmail -# state: absent -# when: -# - rhel_08_040002 -# tags: -# - RHEL-08-040002 -# - dnf -# - sendmail +- name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed." + shell: dnf remove abrt* + failed_when: false + args: + warn: false + when: + - rhel_08_040001 + tags: + - RHEL-08-040001 + - CAT2 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230488r627750_rule + - V-230488 + - dnf + - abrt + +- name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed." + dnf: + name: sendmail + state: absent + when: + - rhel_08_040002 + tags: + - RHEL-08-040002 + - CAT2 + - CCI-00038 + - SRG-OS-000095-GPOS-00049 + - SV-230489r627750_rule + - V-230489 + - dnf + - sendmail # - name: | # "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed." From 90473f5d78b9922be2f342fc07167460322a11b7 Mon Sep 17 00:00:00 2001 
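Review bot: RHEL-08-030720 edits `/etc/rsyslog.conf` but notifies `restart auditd`, and RHEL-08-030690 and RHEL-08-030710 edit the same file with no notify at all, so the remote-forwarding and TLS settings are not applied until rsyslog is restarted by hand; all three should notify a rsyslog restart handler (e.g. `notify: restart rsyslog`, if the role defines one). RHEL-08-040001 runs `shell: dnf remove abrt*` without `-y`, so in a non-interactive run dnf stops at its confirmation prompt unless assumeyes is configured, and `failed_when: false` hides that the packages were never removed; use `dnf remove -y abrt*` or the `dnf` module with `state: absent`. The tag list for RHEL-08-030720 uses `rhel_08_030720` where every other task uses the `RHEL-08-` form, so a run limited with `--tags RHEL-08-030720` skips it. The RHEL-08-030710 task name reads `RHEL-08-03710`, and the tags `CCI-00036` (030680) and `CCI-00038` (040002) look truncated next to `CCI-000366` and `CCI-000381` used elsewhere in the hunk. `create: yes` in RHEL-08-030710 would also be clearer as `create: true`.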
From: George Nalen Date: Wed, 11 Aug 2021 15:33:03 -0400 Subject: [PATCH 050/110] Updated cat2 241-251 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 607 ++++++++++++++++++++++++--------------------- 1 file changed, 330 insertions(+), 277 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e1b6d4b0..739d7b8c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -5684,298 +5684,351 @@ # - dnf # - gssproxy -# - name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use." -# lineinfile: -# path: /etc/modprobe.d/blacklist.conf -# create: yes -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# owner: root -# group: root -# mode: 0640 -# insertafter: "{{ item.insertafter }}" -# notify: reboot system -# with_items: -# - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } -# - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } -# when: -# - rhel_08_040020 -# tags: -# - RHEL-08-040020 -# - camera +- name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use." + lineinfile: + path: /etc/modprobe.d/blacklist.conf + create: yes + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + owner: root + group: root + mode: 0640 + insertafter: "{{ item.insertafter }}" + notify: reboot system + with_items: + - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } + - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } + when: + - rhel_08_040020 + tags: + - RHEL-08-040020 + - CAT2 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-230493r627750_rule + - V-230493 + - camera -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." -# block: -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Firewalld block" -# block: -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using firewalld" -# shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u -# register: rhel8stig_PPSM_CLSA_check_firewalld -# changed_when: false -# failed_when: false -# check_mode: no -# when: -# - rhel_08_040030 -# tags: -# - RHEL-08-040030 -# - firewall - -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" -# debug: -# msg: -# - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}." -# - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}" -# changed_when: true -# when: -# - rhel_08_040030 -# - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined -# tags: -# - RHEL-08-040030 -# - firewall -# when: -# - rhel_08_040030 -# - not rhel8stig_system_is_chroot -# - not rhel8stig_system_is_container -# - rhel8stig_firewall_service == "firewalld" -# - rhel8stig_start_firewall_service -# tags: -# - RHEL-08-040030 -# - firewall - -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| IPTables block" -# block: -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using iptables" -# shell: iptables-save | grep -i accept | grep -i input -# register: rhel8stig_PPSM_CLSA_check_iptables -# changed_when: false -# failed_when: false -# check_mode: no -# when: rhel_08_040030 -# tags: -# - RHEL-08-040030 -# - firewall - -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" -# debug: -# msg: -# - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}." -# - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}" -# changed_when: true -# when: -# - rhel_08_040030 -# - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined -# tags: -# - RHEL-08-040030 -# - firewall -# when: -# - rhel_08_040030 -# - not rhel8stig_system_is_chroot -# - not rhel8stig_system_is_container -# - rhel8stig_firewall_service == "iptables" -# - rhel8stig_start_firewall_service -# tags: -# - RHEL-08-040030 -# - firewall - -# - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use" -# debug: -# msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. 
We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." -# changed_when: true -# when: -# - rhel_08_040030 -# - not rhel8stig_start_firewall_service -# tags: -# - RHEL-08-040030 -# - firewall -# when: -# - rhel_08_040030 -# - not rhel8stig_system_is_chroot -# - not rhel8stig_system_is_container -# - rhel8stig_disruptive -# tags: -# - RHEL-08-040030 -# - firewall +- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." + block: + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block" + block: + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using firewalld" + shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u + register: rhel8stig_PPSM_CLSA_check_firewalld + changed_when: false + failed_when: false + check_mode: no + when: + - rhel_08_040030 + tags: + - RHEL-08-040030 + - firewall + + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" + debug: + msg: + - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}." + - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}" + changed_when: true + when: + - rhel_08_040030 + - rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines is defined + tags: + - RHEL-08-040030 + - firewall + when: + - rhel_08_040030 + - not rhel8stig_system_is_chroot + - not rhel8stig_system_is_container + - rhel8stig_firewall_service == "firewalld" + - rhel8stig_start_firewall_service + tags: + - RHEL-08-040030 + - firewall + + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block" + block: + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Get services using iptables" + shell: iptables-save | grep -i accept | grep -i input + register: rhel8stig_PPSM_CLSA_check_iptables + changed_when: false + failed_when: false + check_mode: no + when: rhel_08_040030 + tags: + - RHEL-08-040030 + - firewall + + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings" + debug: + msg: + - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}." + - "{{ rhel8stig_PPSM_CLSA_check_iptables.stdout_lines }}" + changed_when: true + when: + - rhel_08_040030 + - rhel8stig_PPSM_CLSA_check_iptables.stdout_lines is defined + tags: + - RHEL-08-040030 + - firewall + when: + - rhel_08_040030 + - not rhel8stig_system_is_chroot + - not rhel8stig_system_is_container + - rhel8stig_firewall_service == "iptables" + - rhel8stig_start_firewall_service + tags: + - RHEL-08-040030 + - firewall -# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required." -# block: -# - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error" -# shell: "systemctl show autofs | grep LoadState | cut -d= -f2" -# changed_when: false -# failed_when: false -# register: rhel_08_040070_autofs_status + - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. 
| Warn no firewall is in use" + debug: + msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments." + changed_when: true + when: + - rhel_08_040030 + - not rhel8stig_start_firewall_service + tags: + - RHEL-08-040030 + - firewall + when: + - rhel_08_040030 + - not rhel8stig_system_is_chroot + - not rhel8stig_system_is_container + - rhel8stig_disruptive + tags: + - RHEL-08-040030 + - CAT2 + - CCI-000382 + - SRG-OS-000096-GPOS-00050 + - SV-230500r627750_rule + - V-230500 + - firewall -# - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists" -# service: -# name: autofs -# state: stopped -# enabled: no -# when: rhel_08_040070_autofs_status.stdout == "loaded" -# when: -# - rhel_08_040070 -# tags: -# - RHEL-08-040070 -# - autofs +- name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required." + block: + - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error" + shell: "systemctl show autofs | grep LoadState | cut -d= -f2" + changed_when: false + failed_when: false + register: rhel_08_040070_autofs_status -# - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage." 
-# lineinfile: -# path: "{{ item.path }}" -# create: yes -# owner: root -# group: root -# mode: 0640 -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# with_items: -# - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } -# - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} -# when: -# - rhel_08_040080 -# tags: -# - RHEL-08-040080 -# - usb_devices + - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists" + service: + name: autofs + state: stopped + enabled: no + when: rhel_08_040070_autofs_status.stdout == "loaded" + when: + - rhel_08_040070 + tags: + - RHEL-08-040070 + - CAT2 + - CCI-000778 + - SRG-OS-000114-GPOS-00059 + - SV-230502r627750_rule + - V-230502 + - autofs -# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8." -# block: -# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld" -# dnf: -# name: firewalld -# state: present -# when: rhel8stig_firewall_service == "firewalld" +- name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage." 
+ lineinfile: + path: "{{ item.path }}" + create: yes + owner: root + group: root + mode: 0640 + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + with_items: + - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } + - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} + when: + - rhel_08_040080 + tags: + - RHEL-08-040080 + - CAT2 + - CCI-000778 + - SRG-OS-000114-GPOS-00059 + - SV-230503r627750_rule + - V-230503 + - usb_devices -# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables" -# dnf: -# name: iptables-services -# state: present -# when: rhel8stig_firewall_service == "iptables" +- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8." + block: + - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld" + dnf: + name: firewalld + state: present + when: rhel8stig_firewall_service == "firewalld" -# - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service" -# service: -# name: "{{ rhel8stig_firewall_service }}" -# state: started -# enabled: yes -# when: -# - rhel_08_040100 -# tags: -# - RHEL-08-040100 -# - firewall -# - "{{ rhel8stig_firewall_service }}" + - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables" + dnf: + name: iptables-services + state: present + when: rhel8stig_firewall_service == "iptables" -# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems." -# block: -# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. 
| Set new zone" -# firewalld: -# zone: "{{ rhel8stig_custom_firewall_zone }}" -# permanent: true -# state: present + - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service" + service: + name: "{{ rhel8stig_firewall_service }}" + state: started + enabled: yes + when: + - rhel_08_040100 + tags: + - RHEL-08-040100 + - CAT2 + - CCI-002314 + - SRG-OS-000297-GPOS-00115 + - SV-230505r627750_rule + - V-230505 + - firewall + - "{{ rhel8stig_firewall_service }}" -# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh" -# firewalld: -# zone: "{{ rhel8stig_custom_firewall_zone }}" -# permanent: true -# state: enabled -# service: "{{ item }}" -# with_items: -# - "{{ rhel8stig_white_list_services }}" - -# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones" -# command: firewall-cmd --reload -# changed_when: rhel_08_040090_zone_reload.rc == 0 -# failed_when: rhel_08_040090_zone_reload.rc >= 2 -# register: rhel_08_040090_zone_reload - -# - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone as default" -# command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}" -# changed_when: rhel_08_040090_default_zone_set.rc == 0 -# failed_when: rhel_08_040090_default_zone_set.rc >= 2 -# register: rhel_08_040090_default_zone_set -# when: -# - rhel_08_040090 -# tags: -# - RHEL-08-040090 -# - firewall +- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems." 
+ block: + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone" + firewalld: + zone: "{{ rhel8stig_custom_firewall_zone }}" + permanent: true + state: present -# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled." -# block: -# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available" -# command: rpm -q NetworkManager -# args: -# warn: no -# check_mode: no -# changed_when: no -# register: rhel_08_nmcli_available -# failed_when: no + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh" + firewalld: + zone: "{{ rhel8stig_custom_firewall_zone }}" + permanent: true + state: enabled + service: "{{ item }}" + with_items: + - "{{ rhel8stig_white_list_services }}" -# - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled" -# command: nmcli radio wifi -# args: -# warn: no -# register: rhel_08_wifi_enabled -# check_mode: no -# changed_when: rhel_08_wifi_enabled.stdout != "disabled" -# when: rhel_08_nmcli_available.rc == 0 + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones" + command: firewall-cmd --reload + changed_when: rhel_08_040090_zone_reload.rc == 0 + failed_when: rhel_08_040090_zone_reload.rc >= 2 + register: rhel_08_040090_zone_reload -# - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. 
| Disable wifi if enabled" -# command: nmcli radio wifi off -# when: rhel_08_wifi_enabled is changed -# when: -# - rhel_08_040110 -# tags: -# - RHEL-08-040110 -# - wifi + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone as default" + command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}" + changed_when: rhel_08_040090_default_zone_set.rc == 0 + failed_when: rhel_08_040090_default_zone_set.rc >= 2 + register: rhel_08_040090_default_zone_set + when: + - rhel_08_040090 + tags: + - RHEL-08-040090 + - CAT2 + - CCI-002314 + - SRG-OS-000297-GPOS-00115 + - SV-230504r627750_rule + - V-230504 + - firewall -# - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled." -# lineinfile: -# path: /etc/modprobe.d/bluetooth.conf -# regexp: '^install bluetooth ' -# line: "install bluetooth /bin/true" -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: reboot system -# when: -# - rhel_08_040111 -# tags: -# - RHEL-08-040111 -# - bluetooth +- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled." + block: + - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available" + command: rpm -q NetworkManager + args: + warn: no + check_mode: no + changed_when: no + register: rhel_08_nmcli_available + failed_when: no -# - name: | -# "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option." -# "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option." -# "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option." -# block: -# - name: | -# "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option." -# "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option." 
-# "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option." -# shell: mount | grep /dev/shm -# args: -# warn: no -# changed_when: false -# failed_when: false -# register: rhel8stig_040120_dev_shm_status + - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled" + command: nmcli radio wifi + args: + warn: no + register: rhel_08_wifi_enabled + check_mode: no + changed_when: rhel_08_wifi_enabled.stdout != "disabled" + when: rhel_08_nmcli_available.rc == 0 -# - name: | -# "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option." -# "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option." -# "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option." -# mount: -# path: /dev/shm -# state: mounted -# src: tmpfs -# fstype: tmpfs -# opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}" -# when: rhel8stig_040120_dev_shm_status.stdout | length > 0 -# when: -# - rhel_08_040120 or -# rhel_08_040121 or -# rhel_08_040122 -# tags: -# - RHEL-08-040120 -# - RHEL-08-040121 -# - RHEL-08-040122 -# - mounts + - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled" + command: nmcli radio wifi off + when: rhel_08_wifi_enabled is changed + when: + - rhel_08_040110 + tags: + - RHEL-08-040110 + - CAT2 + - CCI-001444 + - SRG-OS-000299-GPOS-00117 + - SV-230506r627750_rule + - V-23050 + - wifi + +- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled." 
+ lineinfile: + path: /etc/modprobe.d/bluetooth.conf + regexp: '^install bluetooth ' + line: "install bluetooth /bin/true" + create: yes + owner: root + group: root + mode: 0640 + notify: reboot system + when: + - rhel_08_040111 + tags: + - RHEL-08-040111 + - CAT2 + - CCI-001443 + - SRG-OS-000300-GPOS-00118 + - SV-230507r627750_rule + - V-230507 + - bluetooth + +- name: | + "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option." + "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option." + "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option." + block: + - name: | + "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option." + "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option." + "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option." + shell: mount | grep /dev/shm + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_040120_dev_shm_status + + - name: | + "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option." + "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option." + "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option." 
+ mount: + path: /dev/shm + state: mounted + src: tmpfs + fstype: tmpfs + opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}" + when: rhel8stig_040120_dev_shm_status.stdout | length > 0 + when: + - rhel_08_040120 or + rhel_08_040121 or + rhel_08_040122 + tags: + - CAT2 + - RHEL-08-040120 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230508r627750_rule + - V-230508 + - RHEL-08-040121 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230509r627750_rule + - V-230509 + - RHEL-08-040122 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230510r627750_rule + - V-230510 + - mounts # - name: | # "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option." From 26f83edbc09f9a3b9cbefbf3fc227e29644b7c22 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 15:40:04 -0400 Subject: [PATCH 051/110] Updated cat2 252-260 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 249 ++++++++++++++++++++++++++------------------- 1 file changed, 144 insertions(+), 105 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 739d7b8c..3d8bde5f 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -6030,117 +6030,156 @@ - V-230510 - mounts -# - name: | -# "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option." -# "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option." -# "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option." -# block: -# - name: | -# "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option." -# "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option." -# "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option." -# shell: mount | grep /tmp -# changed_when: false -# failed_when: false -# register: rhel8stig_040123_dev_status +- name: | + "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option." + "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option." + "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option." + block: + - name: | + "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option." + "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option." + "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option." + shell: mount | grep /tmp + changed_when: false + failed_when: false + register: rhel8stig_040123_dev_status -# - name: | -# "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option." -# "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option." -# "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option." 
-# mount: -# path: /tmp -# state: mounted -# src: "{{ tmp_mount.device }}" -# fstype: xfs -# opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}" -# vars: -# tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}" -# when: rhel8stig_040123_dev_status.stdout | length > 0 + - name: | + "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option." + "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option." + "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option." + mount: + path: /tmp + state: mounted + src: "{{ tmp_mount.device }}" + fstype: xfs + opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}" + vars: + tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}" + when: rhel8stig_040123_dev_status.stdout | length > 0 -# when: -# - rhel_08_040123 or -# rhel_08_040124 or -# rhel_08_040125 -# tags: -# - RHEL-08-040123 -# - RHEL-08-040124 -# - RHEL-08-04125 -# - mounts + when: + - rhel_08_040123 or + rhel_08_040124 or + rhel_08_040125 + tags: + - CAT2 + - RHEL-08-040123 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230511r627750_rule + - V-230511 + - RHEL-08-040124 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230512r627750_rule + - V-230512 + - RHEL-08-04125 + - CCI-00176 + - SRG-OS-000368-GPOS-00154 + - SV-230513r627750_rule + - V-230513 + - mounts -# - name: | -# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." -# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." -# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." -# block: -# - name: | -# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." 
-# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." -# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." -# shell: mount | grep /var/log -# changed_when: false -# failed_when: false -# register: rhel8stig_040126_var_log_status +- name: | + "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." + "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." + "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." + block: + - name: | + "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." + "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." + "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." + shell: mount | grep /var/log + changed_when: false + failed_when: false + register: rhel8stig_040126_var_log_status -# - name: | -# "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." -# "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." -# "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." -# mount: -# path: /var/log -# state: mounted -# src: "{{ var_log_mount.device }}" -# fstype: xfs -# opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}" -# vars: -# var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}" -# when: rhel8stig_040126_var_log_status.stdout | length > 0 -# when: -# - rhel_08_040126 or -# rhel_08_040127 or -# rhel_08_040128 -# tags: -# - RHEL-08-040126 -# - RHEL-08-040127 -# - RHEL-08-040128 -# - mounts + - name: | + "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." 
+ "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." + "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." + mount: + path: /var/log + state: mounted + src: "{{ var_log_mount.device }}" + fstype: xfs + opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}" + vars: + var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}" + when: rhel8stig_040126_var_log_status.stdout | length > 0 + when: + - rhel_08_040126 or + rhel_08_040127 or + rhel_08_040128 + tags: + - CAT2 + - RHEL-08-040126 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230514r627750_rule + - V-230514 + - RHEL-08-040127 + - V-230514 + - SRG-OS-000368-GPOS-00154 + - SV-230515r627750_rule + - V-230515 + - RHEL-08-040128 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230516r627750_rule + - V-230516 + - mounts -# - name: | -# "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option." -# "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option." -# "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option." -# block: -# - name: | -# "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option." -# "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option." -# "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option." -# shell: mount | grep /var/log/audit -# changed_when: false -# failed_when: false -# register: rhel8stig_040129_var_log_audit_status +- name: | + "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option." + "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option." 
+ "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option." + block: + - name: | + "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option." + "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option." + "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option." + shell: mount | grep /var/log/audit + changed_when: false + failed_when: false + register: rhel8stig_040129_var_log_audit_status -# - name: | -# "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option." -# "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option." -# "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option." -# mount: -# path: /var/log/audit -# state: mounted -# src: "{{ audit_mount.device }}" -# fstype: xfs -# opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}" -# vars: -# audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}" -# when: rhel8stig_040129_var_log_audit_status.stdout | length > 0 -# when: -# - rhel_08_040129 or -# rhel_08_040130 or -# rhel_08_040131 -# tags: -# - RHEL-08-040129 -# - RHEL-08-040130 -# - RHEL-08-040131 -# - mounts + - name: | + "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option." + "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option." + "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option." 
+ mount: + path: /var/log/audit + state: mounted + src: "{{ audit_mount.device }}" + fstype: xfs + opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}" + vars: + audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}" + when: rhel8stig_040129_var_log_audit_status.stdout | length > 0 + when: + - rhel_08_040129 or + rhel_08_040130 or + rhel_08_040131 + tags: + - CAT2 + - RHEL-08-040129 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230517r627750_rule + - V-230517 + - RHEL-08-040130 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230518r627750_rule + - V-230518 + - RHEL-08-040131 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230519r627750_rule + - V-230519 + - mounts # - name: | # "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" From 0324f72ebe60efb82a491c4de722b96314feb029 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 15:48:26 -0400 Subject: [PATCH 052/110] Updated cat2 261-270 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 360 +++++++++++++++++++++++++-------------------- 1 file changed, 204 insertions(+), 156 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3d8bde5f..f8cb14bf 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
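Review bot: The three mount tasks hard-code `fstype: xfs`, but `/tmp`, `/var/log` and `/var/log/audit` are often tmpfs or ext4 on real hosts; `state: mounted` then writes that wrong type into /etc/fstab and the remount fails, which can drop the box into emergency mode on the next boot. The fact lookup already carries the right value, so use `fstype: "{{ tmp_mount.fstype }}"` (and the same for `var_log_mount` / `audit_mount`). The pre-check `shell: mount | grep /tmp` is unanchored and also matches `/var/tmp` (likewise `grep /var/log` matches `/var/log/audit`), so the mount task can run when the path is not its own mount point and `tmp_mount.device` is undefined; gate it on the fact instead, e.g. `when: tmp_mount | default({}, true) | length > 0`. Separately, the tags `RHEL-08-04125` and `CCI-00176` in the /tmp block and the `V-230514` that stands where `CCI-001764` belongs in the /var/log block look like typos, which silently breaks `--tags RHEL-08-040125` selection.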
@@ -6181,176 +6181,224 @@ - V-230519 - mounts -# - name: | -# "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" -# "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option." -# "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option." -# block: -# - name: | -# "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option" -# "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option." -# "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option." -# shell: mount | grep /var/tmp -# changed_when: false -# failed_when: false -# register: rhel8stig_040132_var_tmp_status - -# - name: | -# "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" -# "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option." -# "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option." -# mount: -# path: /var/tmp -# state: mounted -# src: "{{ var_tmp_mount.device }}" -# fstype: xfs -# opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}" -# vars: -# var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}" -# when: rhel8stig_040132_var_tmp_status.stdout | length > 0 -# when: -# - rhel_08_040132 or -# rhel_08_040133 or -# rhel_08_040134 -# tags: -# - RHEL-08-040132 -# - RHEL-08-040133 -# - RHEL-08-040134 -# - mounts +- name: | + "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" + "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option." + "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option." 
+ block: + - name: | + "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option" + "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option." + "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option." + shell: mount | grep /var/tmp + changed_when: false + failed_when: false + register: rhel8stig_040132_var_tmp_status -# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." -# block: -# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy" -# dnf: -# name: fapolicyd -# state: present + - name: | + "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option" + "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option." + "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option." 
+ mount: + path: /var/tmp + state: mounted + src: "{{ var_tmp_mount.device }}" + fstype: xfs + opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}" + vars: + var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}" + when: rhel8stig_040132_var_tmp_status.stdout | length > 0 + when: + - rhel_08_040132 or + rhel_08_040133 or + rhel_08_040134 + tags: + - CAT2 + - RHEL-08-040132 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230520r627750_rule + - V-230520 + - RHEL-08-040133 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230521r627750_rule + - V-230521 + - RHEL-08-040134 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230522r627750_rule + - V-230522 + - mounts -# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" -# shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts -# changed_when: false -# failed_when: false +- name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." + block: + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy" + dnf: + name: fapolicyd + state: present -# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Start/enable fapolicy" -# service: -# name: fapolicyd -# state: started -# enabled: yes + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" + shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts + changed_when: false + failed_when: false -# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " -# lineinfile: -# path: /etc/fapolicyd/fapolicyd.rules -# line: "{{ item }}" -# with_items: -# - "{{ rhel8stig_fapolicy_white_list }}" + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy" + service: + name: fapolicyd + state: started + enabled: yes -# - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" -# lineinfile: -# path: /etc/fapolicyd/fapolicyd.conf -# regexp: '^permissive =' -# line: 'permissive = 0' -# when: -# - rhel_08_040135 -# tags: -# - RHEL-08-040135 -# - fapolicyd + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " + lineinfile: + path: /etc/fapolicyd/fapolicyd.rules + line: "{{ item }}" + with_items: + - "{{ rhel8stig_fapolicy_white_list }}" -# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." 
-# block: -# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" -# dnf: -# name: usbguard -# state: present + - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" + lineinfile: + path: /etc/fapolicyd/fapolicyd.conf + regexp: '^permissive =' + line: 'permissive = 0' + when: + - rhel_08_040135 + tags: + - RHEL-08-040135 + - CAT2 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-230523r627750_rule + - V-230523 + - fapolicyd -# - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service" -# service: -# name: usbguard -# state: started -# enabled: yes -# when: -# - rhel_08_040140 -# tags: -# - RHEL-08-040140 -# - usbguard +- name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." + block: + - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" + dnf: + name: usbguard + state: present -# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." -# block: -# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" -# dnf: -# name: nftables -# state: present + - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. 
| Start/Enable service" + service: + name: usbguard + state: started + enabled: yes + when: + - rhel_08_040140 + tags: + - RHEL-08-040140 + - CAT2 + - CCI-001958 + - SRG-OS-000378-GPOS-00163 + - SV-230524r627750_rule + - V-230524 + - usbguard -# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables" -# service: -# name: nftables -# state: started -# enabled: yes +- name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." + block: + - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" + dnf: + name: nftables + state: present -# - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" -# lineinfile: -# path: /etc/firewalld/firewalld.conf -# regexp: '^FirewallBackend=' -# line: 'FirewallBackend=nftables' -# when: -# - rhel_08_040150 -# tags: -# - RHEL-08-040150 -# - firewall -# - nftables + - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. 
| Start/Enable nftables" + service: + name: nftables + state: started + enabled: yes -# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." -# block: -# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" -# dnf: -# name: openssh-server -# state: present + - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" + lineinfile: + path: /etc/firewalld/firewalld.conf + regexp: '^FirewallBackend=' + line: 'FirewallBackend=nftables' + when: + - rhel_08_040150 + tags: + - RHEL-08-040150 + - CAT2 + - CCI-002385 + - SRG-OS-000420-GPOS-00186 + - SV-230525r627750_rule + - V-230525 + - firewall + - nftables -# - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" -# service: -# name: sshd -# state: started -# enabled: yes -# when: -# - rhel_08_040160 -# tags: -# - rhel_08_040160 -# - ssh +- name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." 
+ block: + - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" + dnf: + name: openssh-server + state: present -# - name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?RekeyLimit' -# line: 'RekeyLimit 1G 1h' -# notify: restart sshd -# when: -# - rhel_08_040161 -# tags: -# - RHEL-08-040161 -# - sshd + - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" + service: + name: sshd + state: started + enabled: yes + when: + - rhel_08_040160 + tags: + - rhel_08_040160 + - CAT2 + - CCI-002418 + - SRG-OS-000423-GPOS-00187 + - SV-230526r627750_rule + - V-230526 + - ssh -# - name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." -# lineinfile: -# path: /etc/ssh/ssh_config -# regexp: '(?i)^#?RekeyLimit' -# line: 'RekeyLimit 1G 1h' -# notify: restart sshd -# when: -# - rhel_08_040162 -# tags: -# - RHEL-08-040162 -# - sshd - -# - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." -# systemd: -# name: debug-shell.service -# state: stopped -# enabled: no -# masked: yes -# daemon_reload: yes -# when: -# - rhel_08_040180 -# tags: -# - RHEL-08-040180 -# - debug-shell +- name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server." 
+ lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?RekeyLimit' + line: 'RekeyLimit 1G 1h' + notify: restart sshd + when: + - rhel_08_040161 + tags: + - RHEL-08-040161 + - CAT2 + - CCI-000068 + - RG-OS-000033-GPOS-00014 + - SV-230527r627750_rule + - V-230527 + - sshd + +- name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." + lineinfile: + path: /etc/ssh/ssh_config + regexp: '(?i)^#?RekeyLimit' + line: 'RekeyLimit 1G 1h' + notify: restart sshd + when: + - rhel_08_040162 + tags: + - RHEL-08-040162 + - CAT2 + - CCI-000068 + - SRG-OS-000033-GPOS-00014 + - SV-230528r627750_rule + - V-230528 + - sshd + +- name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." + systemd: + name: debug-shell.service + state: stopped + enabled: no + masked: yes + daemon_reload: yes + when: + - rhel_08_040180 + tags: + - RHEL-08-040180 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230532r627750_rule + - V-230532 + - debug-shell # - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." # block: From 2e1e607a1d2156f7d2b7ca2edb974387a7b7f7fd Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 15:57:02 -0400 Subject: [PATCH 053/110] Updated cat2 271-280 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 496 +++++++++++++++++++++++++-------------------- 1 file changed, 273 insertions(+), 223 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index f8cb14bf..8372b190 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -6400,239 +6400,289 @@ - V-230532 - debug-shell -# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." -# block: -# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.conf.default.accept_redirects -# - net.ipv6.conf.default.accept_redirects - -# - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects default value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } -# - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } -# when: -# - rhel_08_040210 -# tags: -# - RHEL-08-040210 -# - icmp +- name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." + block: + - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" + sysctl: + name: "{{ item }}" + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + with_items: + - net.ipv4.conf.default.accept_redirects + - net.ipv6.conf.default.accept_redirects -# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." -# block: -# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. 
| Set send_redirects in sysctl" -# sysctl: -# name: net.ipv4.conf.all.send_redirects -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" - -# - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^net.ipv4.conf.all.send_redirects' -# line: 'net.ipv4.conf.all.send_redirects=0' -# when: -# - rhel_08_040220 -# tags: -# - RHEL-08-040220 -# - icmp + - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects default value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } + - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } + when: + - rhel_08_040210 + tags: + - RHEL-08-040210 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230535r627750_rule + - V-230535 + - icmp -# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." -# block: -# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast in sysctl" -# sysctl: -# name: net.ipv4.icmp_echo_ignore_broadcasts -# state: present -# value: '1' -# reload: "{{ rhel8stig_sysctl_reload }}" - -# - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
| Set echo_ignore_broadcast default value to 1" -# lineinfile: -# name: /etc/sysctl.conf -# regexp: '^net.ipv4.icmp_echo_ignore_broadcasts' -# line: 'net.ipv4.icmp_echo_ignore_broadcasts=1' -# when: -# - rhel_08_040230 -# tags: -# - RHEL-08-040230 -# - icmp +- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." + block: + - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects in sysctl" + sysctl: + name: net.ipv4.conf.all.send_redirects + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" -# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets." -# block: -# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.conf.all.accept_source_route -# - net.ipv6.conf.all.accept_source_route - -# - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } -# - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } -# when: -# - rhel_08_040240 -# tags: -# - RHEL-08-040240 -# - icmp + - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. 
| Set send_redirects default value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.all.send_redirects' + line: 'net.ipv4.conf.all.send_redirects=0' + when: + - rhel_08_040220 + tags: + - RHEL-08-040220 + - CAT2 + - CCI-00036 + - SRG-OS-000480-GPOS-00227 + - SV-230536r627750_rule + - V-230536 + - icmp -# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default." -# block: -# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.conf.default.accept_source_route -# - net.ipv6.conf.default.accept_source_route - -# - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } -# - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } -# when: -# - rhel_08_040250 -# tags: -# - RHEL-08-040250 -# - icmp +- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." + block: + - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
| Set echo_ignore_broadcast in sysctl" + sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + state: present + value: '1' + reload: "{{ rhel8stig_sysctl_reload }}" -# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router." -# block: -# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.ip_forward -# - net.ipv6.conf.all.forwarding - -# - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' } -# - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' } + - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast default value to 1" + lineinfile: + name: /etc/sysctl.conf + regexp: '^net.ipv4.icmp_echo_ignore_broadcasts' + line: 'net.ipv4.icmp_echo_ignore_broadcasts=1' + when: + - rhel_08_040230 + tags: + - RHEL-08-040230 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230537r627750_rule + - V-230537 + - icmp -# when: -# - rhel_08_040260 -# - not rhel8stig_system_is_router -# tags: -# - RHEL-08-040260 -# - icmp +- name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets." + block: + - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. 
| Set conf.all accept_source_route in sysctl" + sysctl: + name: "{{ item }}" + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + with_items: + - net.ipv4.conf.all.accept_source_route + - net.ipv6.conf.all.accept_source_route -# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces." -# block: -# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra in sysctl" -# sysctl: -# name: net.ipv6.conf.all.accept_ra -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" - -# - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^net.ipv6.conf.all.accept_ra' -# line: 'net.ipv6.conf.all.accept_ra=0' -# when: -# - rhel_08_040261 -# - not rhel8stig_system_is_router -# tags: -# - RHEL-08-040261 -# - icmp + - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } + - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } + when: + - rhel_08_040240 + tags: + - RHEL-08-040240 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230538r627750_rule + - V-230538 + - icmp -# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default." -# block: -# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. 
| Set accept_ra in sysctl" -# sysctl: -# name: net.ipv6.conf.default.accept_ra -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" - -# - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^net.ipv6.conf.default.accept_ra' -# line: 'net.ipv6.conf.default.accept_ra=0' -# when: -# - rhel_08_040262 -# - not rhel8stig_system_is_router -# tags: -# - RHEL-08-040262 -# - icmp +- name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default." + block: + - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl" + sysctl: + name: "{{ item }}" + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + with_items: + - net.ipv4.conf.default.accept_source_route + - net.ipv6.conf.default.accept_source_route -# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." -# block: -# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl" -# sysctl: -# name: net.ipv4.conf.default.send_redirects -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" - -# - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. 
| Set default.send_redirects value to 0" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: '^net.ipv4.conf.default.send_redirects' -# line: 'net.ipv4.conf.default.send_redirects=0' -# when: -# - rhel_08_040270 -# tags: -# - RHEL-08-040270 -# - icmp + - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } + - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } + when: + - rhel_08_040250 + tags: + - RHEL-08-040250 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230539r627750_rule + - V-230539 + - icmp -# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." -# block: -# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" -# sysctl: -# name: "{{ item }}" -# state: present -# value: '0' -# reload: "{{ rhel8stig_sysctl_reload }}" -# with_items: -# - net.ipv4.conf.all.accept_redirects -# - net.ipv6.conf.all.accept_redirects - -# - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. 
| Set all.accept_redirects default value" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# with_items: -# - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } -# - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } -# when: -# - rhel_08_040280 -# tags: -# - RHEL-08-040280 -# - icmp +- name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router." + block: + - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl" + sysctl: + name: "{{ item }}" + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + with_items: + - net.ipv4.ip_forward + - net.ipv6.conf.all.forwarding + + - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' } + - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' } + + when: + - rhel_08_040260 + - not rhel8stig_system_is_router + tags: + - RHEL-08-0402606 + - CAT2 + - CCI-00036 + - SRG-OS-000480-GPOS-00227 + - SV-230540r627750_rule + - V-230540 + - icmp + +- name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces." + block: + - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. 
| Set accept_ra in sysctl" + sysctl: + name: net.ipv6.conf.all.accept_ra + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + + - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv6.conf.all.accept_ra' + line: 'net.ipv6.conf.all.accept_ra=0' + when: + - rhel_08_040261 + - not rhel8stig_system_is_router + tags: + - RHEL-08-040261 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230541r627750_rule + - V-230541 + - icmp + +- name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default." + block: + - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra in sysctl" + sysctl: + name: net.ipv6.conf.default.accept_ra + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + + - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv6.conf.default.accept_ra' + line: 'net.ipv6.conf.default.accept_ra=0' + when: + - rhel_08_040262 + - not rhel8stig_system_is_router + tags: + - RHEL-08-040262 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230542r627750_rule + - V-230542 + - icmp + +- name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." + block: + - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. 
| Set default.send_redirects in sysctl" + sysctl: + name: net.ipv4.conf.default.send_redirects + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + + - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.default.send_redirects' + line: 'net.ipv4.conf.default.send_redirects=0' + when: + - rhel_08_040270 + tags: + - RHEL-08-040270 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230543r627750_rule + - V-230543 + - icmp + +- name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." + block: + - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" + sysctl: + name: "{{ item }}" + state: present + value: '0' + reload: "{{ rhel8stig_sysctl_reload }}" + with_items: + - net.ipv4.conf.all.accept_redirects + - net.ipv6.conf.all.accept_redirects + + - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" + lineinfile: + path: /etc/sysctl.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } + - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } + when: + - rhel_08_040280 + tags: + - RHEL-08-040280 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230544r627750_rule + - V-230544 + - icmp # - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." # lineinfile: From 29284084ac790ac19019cf5bd4232de3450480e5 Mon Sep 17 00:00:00 2001 
From: George Nalen Date: Wed, 11 Aug 2021 16:05:49 -0400 Subject: [PATCH 054/110] Updated cat2 281-290 Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 316 ++++++++++++++++++++++++++------------------- 1 file changed, 185 insertions(+), 131 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 8372b190..247f7b97 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -6684,144 +6684,198 @@ - V-230544 - icmp -# - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.unprivileged_bpf_disabled' -# line: 'kernel.unprivileged_bpf_disabled = 1' -# owner: root -# group: root -# mode: 0640 -# notify: sysctl system -# when: -# - rhel_08_040281 -# tags: -# - RHEL-08-040281 -# - sysctl +- name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.unprivileged_bpf_disabled' + line: 'kernel.unprivileged_bpf_disabled = 1' + owner: root + group: root + mode: 0640 + notify: sysctl system + when: + - rhel_08_040281 + tags: + - RHEL-08-040281 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230545r627750_rule + - V-230545 + - sysctl -# - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.yama.ptrace_scope' -# line: 'kernel.yama.ptrace_scope = 1' -# notify: sysctl system -# when: -# - rhel_08_040282 -# tags: -# - RHEL-08-040282 -# - sysctl +- name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.yama.ptrace_scope' + line: 'kernel.yama.ptrace_scope = 1' + notify: sysctl system + when: + - rhel_08_040282 + tags: + - RHEL-08-040282 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230546r627750_rule + - V-230546 + - sysctl -# - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." 
-# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^kernel.kptr_restrict' -# line: 'kernel.kptr_restrict = 1' -# owner: root -# group: root -# mode: 0640 -# notify: sysctl system -# when: -# - rhel_08_040283 -# tags: -# - RHEL-08-040283 -# - sysctl +- name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^kernel.kptr_restrict' + line: 'kernel.kptr_restrict = 1' + owner: root + group: root + mode: 0640 + notify: sysctl system + when: + - rhel_08_040283 + tags: + - RHEL-08-040283 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230547r627750_rule + - V-230547 + - sysctl -# - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." -# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^user.max_user_namespaces' -# line: 'user.max_user_namespaces = 0' -# notify: sysctl system -# when: -# - rhel_08_040284 -# tags: -# - RHEL-08-040284 -# - sysctl +- name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^user.max_user_namespaces' + line: 'user.max_user_namespaces = 0' + notify: sysctl system + when: + - rhel_08_040284 + tags: + - RHEL-08-040284 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230548r627750_rule + - V-230548 + - sysctl -# - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." 
-# lineinfile: -# path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" -# regexp: '^net.ipv4.conf.all.rp_filter' -# line: 'net.ipv4.conf.all.rp_filter = 1' -# notify: sysctl system -# when: -# - rhel_08_040285 -# tags: -# - RHEL-08-040285 -# - sysctl - -# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." -# block: -# - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." -# command: rpm -q postfix -# failed_when: no -# check_mode: no -# changed_when: no -# register: rhel_08_040290_rpm_audit - -# - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction" -# command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" -# check_mode: no -# when: '"postfix-" in rhel_08_040290_rpm_audit.stdout' -# when: -# - rhel_08_040290 -# tags: -# - RHEL-08-040290 +- name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." + lineinfile: + path: "{{ rhel8stig_sysctlconf_filename.files[0].path }}" + regexp: '^net.ipv4.conf.all.rp_filter' + line: 'net.ipv4.conf.all.rp_filter = 1' + notify: sysctl system + when: + - rhel_08_040285 + tags: + - RHEL-08-040285 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230549r627750_rule + - V-230549 + - sysctl -# - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." -# package: -# name: xorg-x11-server-common -# state: absent -# when: -# - rhel_08_040320 -# - not rhel8stig_gui - -# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." -# block: -# - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. 
| Check promiscuous mode" -# shell: "ip link | grep -i promisc | cut -d ':' -f 2" -# check_mode: no -# failed_when: no -# changed_when: rhel_08_040670_promisc_check.stdout != '' -# ignore_errors: yes -# register: rhel_08_040670_promisc_check - -# - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" -# shell: "ip link set dev {{ item }} promisc off" -# with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" -# when: -# - rhel_08_040330 -# - not rhel8stig_net_promisc_mode_required -# tags: -# - RHEL-08-040330 +- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." + block: + - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." + command: rpm -q postfix + failed_when: no + check_mode: no + changed_when: no + register: rhel_08_040290_rpm_audit -# - name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?X11Forwarding' -# line: 'X11Forwarding no' -# create: yes -# owner: root -# group: root -# mode: 0640 -# notify: restart sshd -# when: -# - rhel_08_040340 -# - rhel8stig_ssh_required -# tags: -# - RHEL-08-040340 -# - ssh + - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. 
| Set restriction" + command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" + check_mode: no + when: '"postfix-" in rhel_08_040290_rpm_audit.stdout' + when: + - rhel_08_040290 + tags: + - RHEL-08-040290 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230550r627750_rule + - V-230550 + - mail -# - name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display." -# lineinfile: -# path: /etc/ssh/sshd_config -# regexp: '(?i)^#?X11UseLocalhost' -# line: 'X11UseLocalhost yes' -# when: -# - rhel_08_040341 -# tags: -# - RHEL-08-040341 -# - ssh +- name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." + package: + name: xorg-x11-server-common + state: absent + when: + - rhel_08_040320 + - not rhel8stig_gui + tags: + - RHEL-08-040320 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230553r646886_rule + - V-230553 + - gui + +- name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." + block: + - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" + shell: "ip link | grep -i promisc | cut -d ':' -f 2" + check_mode: no + failed_when: no + changed_when: rhel_08_040670_promisc_check.stdout != '' + ignore_errors: yes + register: rhel_08_040670_promisc_check + + - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. 
| Set promiscuous mode" + shell: "ip link set dev {{ item }} promisc off" + with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" + when: + - rhel_08_040330 + - not rhel8stig_net_promisc_mode_required + tags: + - RHEL-08-040330 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230554r627750_rule + - V-230554 + - network + +- name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?X11Forwarding' + line: 'X11Forwarding no' + create: yes + owner: root + group: root + mode: 0640 + notify: restart sshd + when: + - rhel_08_040340 + - rhel8stig_ssh_required + tags: + - RHEL-08-040340 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230555r627750_rule + - V-230555 + - ssh + +- name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?X11UseLocalhost' + line: 'X11UseLocalhost yes' + when: + - rhel_08_040341 + tags: + - RHEL-08-040341 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230556r627750_rule + - ssh # - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." # lineinfile: From a01b78f4cc7a2de05102415eca688373f60b0552 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 11 Aug 2021 16:29:32 -0400 Subject: [PATCH 055/110] Updated cat2 291-298 Signed-off-by: George Nalen --- defaults/main.yml | 8 ++ tasks/fix-cat2.yml | 274 ++++++++++++++++++++++++++++++++++++--------- 2 files changed, 230 insertions(+), 52 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index de042050..aca69451 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
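Review bot: The "Check promiscuous mode" task under RHEL-040330 extracts device names with `cut -d ':' -f 2`, which keeps the leading space and, for links that `ip link` prints as `name@parent` (VLAN, veth, macvlan), the `@parent` suffix, so the follow-up `ip link set dev {{ item }} promisc off` cannot find those devices. A single pipeline that strips both keeps audit and fix in agreement: `shell: ip -o link show | awk '/PROMISC/ {sub(/:$/, "", $2); sub(/@.*/, "", $2); print $2}'`. Note also that `ip link set ... promisc off` is a runtime-only change that does not survive a reboot or an interface re-activation, which deserves a comment on the task so a clean run is not read as persistent remediation. The register is named `rhel_08_040670_promisc_check` while the control is 040330; renaming it avoids a clash if a 040670 task is ever added. The RHEL-08-040341 tag list also lacks the `- V-230556` entry that every sibling task carries.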
@@ -109,6 +109,7 @@ rhel_08_010151: true rhel_08_010160: true rhel_08_010161: true rhel_08_010162: true +rhel_08_010163: true rhel_08_010170: true rhel_08_010180: true rhel_08_010190: true @@ -136,6 +137,8 @@ rhel_08_010373: true rhel_08_010374: true rhel_08_010380: true rhel_08_010381: true +rhel_08_010382: true +rhel_08_010383: true rhel_08_010390: true rhel_08_010400: true rhel_08_010410: true @@ -751,6 +754,11 @@ rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less rhel8stig_tmux_lock_after_time: 900 +# RHEL-08-010384 +# The value given to Defaults timestamp timeout= in the sudo file. +# Value must be greater than 0 to conform to STIG standards +rhel8stig_sudo_timestamp_timeout: 1 + #### Goss Configuration Settings #### ### Goss binary settings ### diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 247f7b97..a46336f2 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -5669,20 +5669,21 @@ - dnf - sendmail -# - name: | -# "MEDIUM | RHEL-08-040003 | PATCH | RHEL 8 must not have the gssproxy package installed." -# "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." -# dnf: -# name: gssproxy -# state: absent -# when: -# - rhel_08_040003 or -# rhel_08_040370 -# tags: -# - RHEL-08-040003 -# - RHEL-08-040370 -# - dnf -# - gssproxy +- name: "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." + dnf: + name: gssproxy + state: absent + when: + -rhel_08_040370 + tags: + - RHEL-08-040370 + - CAT2 + - CCI-000381 + - SRG-OS-000480-GPOS-00227 + - SV-230559r646887_rule + - V-230559 + - dnf + - gssproxy - name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use." lineinfile: 
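Review bot: In the RHEL-08-040370 task the condition is written as `-rhel_08_040370` with no space after the dash, so YAML parses it as the single plain scalar `-rhel_08_040370` rather than a one-item list, and Ansible will presumably evaluate that string as a Jinja expression (a unary minus applied to the flag) instead of the intended boolean test. It should read `- rhel_08_040370` like every other `when:` list in the file. The rewrite also drops the `rhel_08_040003` alias that the commented block used to honour; if that variable is still declared in defaults it is now silently ignored, so either remove it there or keep `rhel_08_040370 or rhel_08_040003` in the condition.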
@@ -6877,41 +6878,210 @@ - SV-230556r627750_rule - ssh -# - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." -# lineinfile: -# path: /etc/xinetd.d/tftp -# regexp: "(?i)^.*server_args.*=" -# line: "\tserver_args\t\t= -s /var/lib/tftpboot" -# insertafter: "\tserver\t\t\t=" -# state: present -# register: result -# failed_when: -# - result is failed -# - result.rc != 257 -# when: -# - rhel_08_040350 -# - rhel8stig_tftp_required -# tags: -# - skip_ansible_lint -# - RHEL-08-040350 -# - tftp - -# - name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." -# dnf: -# name: iprutils -# state: absent -# when: -# - rhel_08_040380 -# tags: -# - RHEL-08-040380 -# - iprutils - -# - name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8." -# dnf: -# name: tuned -# state: absent -# when: -# - rhel_08_040390 -# tags: -# - RHEL-08-040390 -# - tuned +- name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." + lineinfile: + path: /etc/xinetd.d/tftp + regexp: "(?i)^.*server_args.*=" + line: "\tserver_args\t\t= -s /var/lib/tftpboot" + insertafter: "\tserver\t\t\t=" + state: present + register: result + failed_when: + - result is failed + - result.rc != 257 + when: + - rhel_08_040350 + - rhel8stig_tftp_required + tags: + - skip_ansible_lint + - RHEL-08-040350 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230557r627750_rule + - V-230557 + - tftp + +- name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." 
+ dnf: + name: iprutils + state: absent + when: + - rhel_08_040380 + tags: + - RHEL-08-040380 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230560r627750_rule + - V-230560 + - iprutils + +- name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8." + dnf: + name: tuned + state: absent + when: + - rhel_08_040390 + tags: + - RHEL-08-040390 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-230561r627750_rule + - -230561 + - tuned + +- name: "MEDIUM | RHEL-08-010163 | PATCH | The krb5-server package must not be installed on RHEL 8." + dnf: + name: krb5-server + state: absent + when: + - rhel_08_010163 + tags: + - RHEL-08-010163 + - CAT2 + - CCI-000803 + - SRG-OS-000120-GPOS-00061 + - SV-237640r646890_rule + - V-237640 + - krb5 + +- name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel." + block: + - name: "MEDIUM | RHEL-08-010382 | AUDIT | RHEL 8 must restrict privilege elevation to authorized personnel. | Get ALL settings" + shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + changed_when: false + failed_when: false + register: rhel_08_010382_sudoers_all + + - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. | Remove format 1" + lineinfile: + path: "{{ item }}" + regexp: 'ALL ALL=(ALL) ALL' + state: absent + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel_08_010382_sudoers_all.stdout_lines }}" + when: rhel_08_010382_sudoers_all.stdout | length > 0 + + - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. 
| Remove format 2" + lineinfile: + path: "{{ item }}" + regexp: 'ALL ALL=(ALL:ALL) ALL' + state: absent + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel_08_010382_sudoers_all.stdout_lines }}" + when: rhel_08_010382_sudoers_all.stdout | length > 0 + when: + - rhel_08_010382 + - rhel8stig_disruption_high + tags: + - RHEL-08-010382 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-237641r646893_rule + - V-237641 + - sudo + +- name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo"." + block: + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | Get privilege escalation" + shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --unique + changed_when: false + failed_when: false + register: rhel_08_010383_priv_escalation + + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | Set privilege escalation for no findings" + lineinfile: + path: /etc/sudoers + line: "{{ item }}" + validate: '/usr/sbin/visudo -cf %s' + with_items: + - Defaults !targetpw + - Defaults !rootpw + - Defaults !runaspw + when: rhel_08_010383_priv_escalation.stdout | length == 0 + + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | Set privilege escalation for targetpw with findings" + lineinfile: + path: "{{ item }}" + regexp: 'Defaults !targetpw' + line: 'Defaults !targetpw' + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel_08_010383_priv_escalation.stdout_lines }}" + when: + - rhel_08_010383_priv_escalation.stdout | length > 0 + + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". 
| Set privilege escalation for rootpw with findings" + lineinfile: + path: "{{ item }}" + regexp: 'Defaults !rootpw' + line: 'Defaults !rootpw' + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel_08_010383_priv_escalation.stdout_lines }}" + when: + - rhel_08_010383_priv_escalation.stdout | length > 0 + + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | Set privilege escalation for runaspw with findings" + lineinfile: + path: "{{ item }}" + regexp: 'Defaults !runaspw' + line: 'Defaults !runaspw' + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel_08_010383_priv_escalation.stdout_lines }}" + when: + - rhel_08_010383_priv_escalation.stdout | length > 0 + when: + - rhel_08_010383 + - rhel8stig_disruption_high + tags: + - RHEL-08-010383 + - CAT2 + - CCI-002227 + - SRG-OS-000480-GPOS-00227 + - SV-237642r646896_rule + - V-237642 + - sudo + +- name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the "sudo" command." + block: + - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the "sudo" command. | Get files with timeout set" + shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + changed_when: false + failed_when: false + register: rhel_08_010384_timeout_files + + - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the "sudo" command. | Set value if no results" + lineinfile: + path: /etc/sudoers + regexp: 'Defaults timestamp_timeout=' + line: "Defaults timestamp_timeout={{ rhel8stig_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + when: rhel_08_010384_timeout_files.stdout | length == 0 + + - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the "sudo" command. 
| Set value if has results" + lineinfile: + path: "{{ item }}" + regexp: 'Defaults timestamp_timeout=' + line: "Defaults timestamp_timeout={{ rhel8stig_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel_08_010384_timeout_files.stdout_lines }}" + when: rhel_08_010384_timeout_files.stdout | length > 0 + when: + - rhel_08_010384 + - rhel8stig_disruption_high + tags: + - RHEL-08-010384 + - CAT2 + - CCI-002038 + - SRG-OS-000373-GPOS-00156 + - SV-237643r646899_rule + - V-237643 + - sudo From 0f3d37eb1fe056d546a8b10faa00f19c55f69547 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Aug 2021 08:59:13 +0100 Subject: [PATCH 056/110] fixed typo Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index a46336f2..af987cd2 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
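Review bot: The two "Remove format" tasks under RHEL-08-010382 pass `regexp: 'ALL ALL=(ALL) ALL'` and `'ALL ALL=(ALL:ALL) ALL'` to lineinfile, where the parentheses form a capture group rather than literal characters, so the patterns match `ALL ALL=ALL ALL` and never the actual sudoers line; the offending entries stay in place while the play reports nothing to do. Escape them and anchor the match, e.g. `regexp: '^ALL\s+ALL\s*=\s*\(ALL\)\s+ALL'` and `regexp: '^ALL\s+ALL\s*=\s*\(ALL:ALL\)\s+ALL'`. In RHEL-08-010383 the discovery pipeline's `grep -v '#'` drops any line containing a `#` anywhere, and the RHEL-08-010384 `regexp: 'Defaults timestamp_timeout='` will not match a `timestamp_timeout = N` spelling with spaces, so such files end up with both the old and the new directive; `regexp: '^Defaults\s+timestamp_timeout\s*='` is closer to the intent. The tuned task's tag `- -230561` is missing its `V` prefix.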
@@ -6986,15 +6986,15 @@ - V-237641 - sudo -- name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo"." +- name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo." block: - - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | Get privilege escalation" - shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --unique + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation" + shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d ':' -f1 | sort --uniq changed_when: false failed_when: false register: rhel_08_010383_priv_escalation - - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | Set privilege escalation for no findings" + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for no findings" lineinfile: path: /etc/sudoers line: "{{ item }}" @@ -7005,7 +7005,7 @@ - Defaults !runaspw when: rhel_08_010383_priv_escalation.stdout | length == 0 - - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | Set privilege escalation for targetpw with findings" + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for targetpw with findings" lineinfile: path: "{{ item }}" regexp: 'Defaults !targetpw' 
@@ -7016,7 +7016,7 @@ when: - rhel_08_010383_priv_escalation.stdout | length > 0 - - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | Set privilege escalation for rootpw with findings" + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for rootpw with findings" lineinfile: path: "{{ item }}" regexp: 'Defaults !rootpw' @@ -7027,7 +7027,7 @@ when: - rhel_08_010383_priv_escalation.stdout | length > 0 - - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". | Set privilege escalation for runaspw with findings" + - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for runaspw with findings" lineinfile: path: "{{ item }}" regexp: 'Defaults !runaspw' 
@@ -7049,15 +7049,15 @@ - V-237642 - sudo -- name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the "sudo" command." +- name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command." block: - - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the "sudo" command. | Get files with timeout set" + - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Get files with timeout set" shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel_08_010384_timeout_files - - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the "sudo" command. | Set value if no results" + - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Set value if no results" lineinfile: path: /etc/sudoers regexp: 'Defaults timestamp_timeout=' @@ -7065,7 +7065,7 @@ validate: '/usr/sbin/visudo -cf %s' when: rhel_08_010384_timeout_files.stdout | length == 0 - - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the "sudo" command. | Set value if has results" + - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Set value if has results" lineinfile: path: "{{ item }}" regexp: 'Defaults timestamp_timeout=' From 1ff56aa667a1c15bec1695496c4028d4774d85cd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Aug 2021 10:02:55 +0100 Subject: [PATCH 057/110] added 010384 control Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index aca69451..d678e4c8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -139,6 +139,7 @@ rhel_08_010380: true rhel_08_010381: true rhel_08_010382: true rhel_08_010383: true +rhel_08_010384: true rhel_08_010390: true rhel_08_010400: true rhel_08_010410: true From 4738ac1d3338fccb02d35d57e16e2fe21e88517e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Aug 2021 10:03:06 +0100 Subject: [PATCH 058/110] fixed typo Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index ffcd81b6..ee36c135 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -126,7 +126,7 @@ msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan -- name: Reboot system +- name: reboot system reboot: when: - not rhel8stig_skip_reboot From ab1a9ec83bab1289c79ace599653116de0c98ae9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Aug 2021 10:03:18 +0100 Subject: [PATCH 059/110] fixed tags Signed-off-by: Mark Bolwell --- tasks/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 0712c727..e2b92362 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -58,7 +58,10 @@ - import_tasks: pre_remediation_audit.yml when: - - run_audit + - run_audit + - setup_audit + tags: + - run_audit - name: Include CAT I patches import_tasks: cat_1/main.yml From 9a01f9404e7bd3950344a4bb62c3c654a5cf21d8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Aug 2021 10:03:44 +0100 Subject: [PATCH 060/110] added options updates new controls Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 1948b59e..696272bc 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -8,7 +8,8 @@ rhel8stig_benchmark: rhel8stig_os_distribution: {{ ansible_distribution | lower }} -rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' -%}false{% else -%}true{% endif -%} +rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} + # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long @@ -29,6 +30,14 @@ rhel8stig_gui: false # system acts or requires router networking options rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} +# Discovered items to assist with skips some audit checks +skip_sssd_check: {% if 'sssd' not in ansible_facts.packages %}True{% else %}False{% endif %} + +skip_postfix_check: {% if 'postfix' not in ansible_facts.packages %}True{% else %}False{% endif %} + +skip_tftp_check: {% if rhel8stig_tftp_required %}False{% else %}True{% endif %} + + # Sets up the system dependant on bootloader legacy_boot: {{ rhel8stig_legacy_boot }} rhel8stig_bootloader_path: {{ rhel8stig_bootloader_path }} @@ -98,9 +107,9 @@ RHEL_08_010373: {{ rhel_08_010373 }} RHEL_08_010374: {{ rhel_08_010374 }} RHEL_08_010380: {{ rhel_08_010380 }} RHEL_08_010381: {{ rhel_08_010380 }} -RHEL_08_010382: {{ rhel_08_010380 }} ### to be fixed as not yet written for V1r2 -RHEL_08_010383: {{ rhel_08_010380 }} ### to be fixed as not yet written for V1r2 -RHEL_08_010384: {{ rhel_08_010380 }} ### to be fixed as not yet written for V1r2 +RHEL_08_010382: {{ rhel_08_010382 }} +RHEL_08_010383: {{ rhel_08_010383 }} +RHEL_08_010384: {{ rhel_08_010384 }} RHEL_08_010390: {{ rhel_08_010390 }} RHEL_08_010400: {{ rhel_08_010400 }} RHEL_08_010410: {{ rhel_08_010410 }} 
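Review bot: `rhel8stig_os_version_pre_8_2` is still derived from `ansible_distribution_version >= '8.2'`, which compares two strings lexically, so a release such as 8.10 sorts below '8.2' and would be reported as pre-8.2. Ansible's `version` test does a proper numeric comparison: `rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version is version('8.2', '>=') %}false{% else %}true{% endif %}`. The new `skip_*_check` keys read `ansible_facts.packages`, which only exists after `package_facts` has been gathered; a short comment on that block stating the prerequisite would help anyone rendering this template outside the role.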
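Review bot: The context line directly above the corrected entries, `RHEL_08_010381: {{ rhel_08_010380 }}`, still maps control 010381 to the 010380 flag, so the goss check for 010381 cannot be toggled on its own and the same copy-paste slip this commit repairs for 010382–010384 remains one line up. It should read `RHEL_08_010381: {{ rhel_08_010381 }}`, assuming that variable is declared in defaults alongside its neighbours.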
@@ -393,7 +402,6 @@ rhel8stig_boot_superuser: {{ rhel8stig_boot_superuser }} rhel8stig_banner_file: /etc/issue rhel8stig_logon_banner: '[You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions\: \-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \-At any time, the USG may inspect and seize data stored on this IS. \-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests\--not for your personal benefit or privacy. \-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.]' - # RHEL_08_010680 to change if using hostfile only - seperate checks rhel8stig_uses_dns: true From 34a7f982a17b77175558bd24657e4c0c301ca2bd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Aug 2021 10:06:32 +0100 Subject: [PATCH 061/110] improved postfix logic check Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index af987cd2..c9e2d64c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -6776,20 +6776,10 @@ - V-230549 - sysctl -- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying." - block: - - name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Check if postfix is installed." - command: rpm -q postfix - failed_when: no - check_mode: no - changed_when: no - register: rhel_08_040290_rpm_audit - - - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction" - command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" - check_mode: no - when: '"postfix-" in rhel_08_040290_rpm_audit.stdout' +- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction" + command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" when: + - "'postfix' in ansible_facts.packages" - rhel_08_040290 tags: - RHEL-08-040290 From e545b30bc3a26d0f6e322215f0365a53049c045f Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 12 Aug 2021 11:37:23 -0400 Subject: [PATCH 062/110] Updated 010070 to better conform to STIG implementation Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c9e2d64c..61c97b70 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
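Review bot: The RHEL-08-040290 task now runs `postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'` unconditionally whenever postfix is installed, with no `changed_when`, so every run reports a change and the role is no longer idempotent for this control. Reading the current value first and only writing when it differs keeps the play honest; dropping `check_mode: no` on the write is fine, since a mutating command should be skipped in check mode. Note too that `postconf -e` only edits main.cf — the relay restriction is not applied by the running daemon until postfix is reloaded, so the write should notify a postfix reload/restart handler for the control to actually be enforced after the play.
```yaml
- name: "MEDIUM | RHEL-08-040290 | AUDIT | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Read current restriction"
  command: postconf -h smtpd_client_restrictions
  changed_when: false
  check_mode: false
  register: rhel_08_040290_current
  when:
    - "'postfix' in ansible_facts.packages"
    - rhel_08_040290

- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction"
  command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'"
  when:
    - "'postfix' in ansible_facts.packages"
    - rhel_08_040290
    - rhel_08_040290_current.stdout | trim != 'permit_mynetworks,reject'
  # … unchanged: tags …
```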
@@ -108,15 +108,12 @@ - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." lineinfile: - path: /etc/rsyslog.d/50-default.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + path: /etc/rsyslog.conf + # regexp: "{{ item.regexp }}" + line: "auth.*;authpriv.*;daemon.* /var/log/secure" create: yes mode: '0644' notify: restart rsyslog - with_items: - - { regexp: '^auth.*', line: 'auth.*,authpriv.* /var/log/secure' } - - { regexp: '^daemon.*', line: 'daemon.* /var/log/messages' } when: - rhel_08_010070 tags: From 2e5b7d21265f3ede22a12cede5ea8512dce8b9b8 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 12 Aug 2021 15:54:32 -0400 Subject: [PATCH 063/110] Updated 030260 and 030330 for new benchmark updates Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 61c97b70..6a9125a2 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4487,7 +4487,7 @@ - name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record." lineinfile: path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng + line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod notify: restart auditd when: - rhel_08_030260 
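Review bot: With `regexp` commented out, `lineinfile` only looks for the exact `line` string, so the stock `authpriv.*  /var/log/secure` entry that ships in rsyslog.conf stays where it is and the new selector is appended next to it, and any whitespace difference on a later run appends it again. Anchor on the selector so the line is replaced in place: `regexp: '^auth\.\*;authpriv\.\*;daemon\.\*'`. The dead `# regexp: "{{ item.regexp }}"` line refers to a loop item that no longer exists and should be removed rather than left commented. Hosts remediated by the previous version still carry `/etc/rsyslog.d/50-default.conf`, which this task no longer touches, so duplicate selectors from that drop-in remain in effect; the task's `tags` continue past the hunk.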
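Review bot: Changing only `line` from `-k perm_chng` to `-k perm_mod` leaves the old `perm_chng` rule in place on hosts that ran the earlier version, because `lineinfile` without `regexp` appends whenever the exact new line is absent; auditd then loads two rules for `/usr/bin/chcon` under different keys. Add `regexp: '^-a always,exit -F path=/usr/bin/chcon '` so the existing rule is rewritten instead of duplicated. The same applies to the setfacl, chown, chmod, lchown, fchownat, fchmodat, fchmod and chacl key changes in the commits that follow.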
@@ -4744,7 +4744,7 @@
 - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."
 lineinfile:
 path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030330
From 610039039776d1e4f217edf14f60ec0b5460275e Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 12 Aug 2021 15:55:45 -0400
Subject: [PATCH 064/110] Updated 030480 for new benchmark updates
Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 6a9125a2..5a64e494 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -5120,8 +5120,8 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030480
From c8fb518a7eb70b1a1dc7667a73b5bfb21c6e1fb2 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 12 Aug 2021 15:56:25 -0400
Subject: [PATCH 065/110] Updated 030490 for new benchmark updates
Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 5a64e494..c803b636 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
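Review bot: In the `with_items` form the key change has the same duplication problem per architecture: the earlier `-k perm_chng` lines stay in audit.rules and the `perm_mod` lines are appended, so every chown syscall is audited twice under two keys on hosts that ran the previous version. A per-item `regexp` derived from the item itself rewrites the old line in place without restructuring the list: `regexp: "^{{ item | regex_replace(' -k .*$', '') | regex_escape }} "`. The same pattern fits the chmod, lchown, fchownat, fchmodat and fchmod hunks that follow.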
@@ -5139,8 +5139,8 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030490
From e0f254b77eb2e932a06e42eb746169470bc06a49 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 12 Aug 2021 15:57:04 -0400
Subject: [PATCH 066/110] Updated 030500 for new benchmark updates
Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index c803b636..808e3024 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -5158,8 +5158,8 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030500
From c5c7cf3a974f05b610f96ca378b8bf890615a871 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 12 Aug 2021 15:57:49 -0400
Subject: [PATCH 067/110] Updated 030510 for new benchmark updates
Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 808e3024..57501b15 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -5177,8 +5177,8 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030510
From 480f4c7d2ee71812a127a63097486876c924c5d0 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 12 Aug 2021 15:58:32 -0400
Subject: [PATCH 068/110] Updated 030530 for new benchmark updates
Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 57501b15..8d567021 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -5215,8 +5215,8 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030530
From 28228024c294de84fce700285913add1142599ce Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 12 Aug 2021 15:59:18 -0400
Subject: [PATCH 069/110] Updated 030540 for new benchmark updates
Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 8d567021..a3fb5960 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -5234,8 +5234,8 @@
 path: /etc/audit/rules.d/audit.rules
 line: "{{ item }}"
 with_items:
- - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
- - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+ - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030540
From fc5e6c5666920563c8148837fb10b9718752e4dd Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 12 Aug 2021 16:00:01 -0400
Subject: [PATCH 070/110] Updated 030570 for new benchmark updates
Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index a3fb5960..494fa207 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -5283,7 +5283,7 @@
 - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
 lineinfile:
 path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_chng
+ line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030570
From e74d818fb970ed21b80a7cec33388bc014130ecc Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 12 Aug 2021 16:11:02 -0400
Subject: [PATCH 071/110] Updated 010295 benchmark updates
Signed-off-by: George Nalen --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d678e4c8..b71347d4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -748,8 +748,8 @@ rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-gcm@openssh.com,aes256-c # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions -# to conform to STIG standards this variable must contain -VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 -rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" +# to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 +rhel8stig_gnutls_encryption: "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" # RHEL-08-020070 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less From 00aa471556bd1f2ad8719566afd81ecbf45e23f0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 08:46:25 +0100 Subject: [PATCH 072/110] updated control as per #30 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 494fa207..4ca3998c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1404,7 +1404,7 @@ state: mounted src: "{{ home_mount.device }}" fstype: "{{ home_mount.fstype }}" - opts: "{{ home_mount.options }},noexec" + opts: "{{ home_mount.options }},{% if rhel_08_010570 is sameas true %}nosuid,{% endif %}noexec" when: - rhel_08_010590 - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 From 9d2eb6132fdf3caf01eda6df3a71b861221897d8 Mon Sep 17 00:00:00 2001 
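Review bot: The comment two lines above the changed value still says "The task sets the +VERS-ALL: setting", which is no longer true now that the variable itself carries `+VERS-ALL:`; a reader who follows the old comment and strips it from an override ends up with a gnutls.config line whose `-VERS-*` exclusions apply to nothing. Reword it to `# Written verbatim into the GnuTLS back-end config; the value must start with +VERS-ALL: so the -VERS-* exclusions below apply` and fix `teh` / `ecryption` while there. The task that consumes this variable is outside the hunk, so whether it still prepends anything cannot be confirmed here.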
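Review bot: Building `opts` by concatenating `home_mount.options` with `nosuid,`/`noexec` is not idempotent: `home_mount` is defined outside this hunk, but the `when` clause suggests it comes from `ansible_mounts`, whose `options` reflect the live mount and will already contain the flags added by a previous run, so the second run writes `...,nosuid,noexec,nosuid,noexec` to fstab and the `mount` module reports changed every time. Assemble the option list and de-duplicate it instead: `opts: "{{ (home_mount.options.split(',') + (['nosuid'] if rhel_08_010570 else []) + ['noexec']) | unique | join(',') }}"`. `is sameas true` also silently skips `nosuid` when the variable is set from the command line or inventory as the string `"true"`; `if rhel_08_010570 | bool` is the safer test.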
From: Mark Bolwell Date: Mon, 16 Aug 2021 10:50:38 +0100 Subject: [PATCH 073/110] improved idempotence logic Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index d1aa4943..899515f9 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -297,10 +297,17 @@ failed_when: false register: rhel8stig_030601_grub_cmdline_linux + - name: "LOW | RHEL-08-030601 | AUDIT | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Get GRUB active settings" + shell: grub2-editenv -- list | grep -c audit=1 + changed_when: false + failed_when: false + register: rhel8stig_030601_grub_active + - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit to 1 as active" shell: grubby --update-kernel=ALL --args="audit=1" args: warn: no + when: rhel8stig_030601_grub_active.stdout != '1' - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" lineinfile: 
@@ -334,10 +341,17 @@ failed_when: false register: rhel8stig_030602_grub_cmdline_linux + - name: "LOW | RHEL-08-030602 | AUDIT | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Get grub active settings" + shell: grub2-editenv -- list | grep -c audit_backlog_limit=8192 + changed_when: false + failed_when: false + register: rhel8stig_030602_grub_active + - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" args: warn: no + when: rhel8stig_030602_grub_active.stdout != '1' - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if doesn't exist" lineinfile: 
@@ -416,32 +430,41 @@ - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." block: - - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + - name: "LOW | RHEL-08-040004 | AUDIT | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get active grub settings" + shell: grub2-editenv -- list | grep -c pti=on args: warn: no changed_when: false failed_when: false - register: rhel8stig_040004_grub_cmdline_linux - + register: rhel8stig_040004_grub_active + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" shell: grubby --update-kernel=ALL --args="pti=on" args: warn: no + when: rhel8stig_040004_grub_active.stdout != '1' + + - name: "LOW | RHEL-08-040004 | AUDIT | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" + shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + args: + warn: no + changed_when: false + failed_when: false + register: rhel8stig_040004_grub_cmdline_linux - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti if doesn't exist" lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_040004_grub_cmdline_linux.stdout }} pti=on"' - when: '"pti=" not in rhel8stig_040004_grub_cmdline_linux.stdout' + when: '"pti=on" not in rhel8stig_040004_grub_cmdline_linux.stdout' - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. 
| Set pti exists" replace: path: /etc/default/grub regexp: 'pti=([^\s|"])+' replace: "pti=on" - when: '"pti=" in rhel8stig_040004_grub_cmdline_linux.stdout' + when: '"pti=on" in rhel8stig_040004_grub_cmdline_linux.stdout' when: - rhel_08_040004 tags: From 20fc9b816b8b43950094cd05736294f87429baf9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 10:50:48 +0100 Subject: [PATCH 074/110] idempotence Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4ca3998c..ed5c51eb 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3776,8 +3776,8 @@ - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." lineinfile: - dest: /etc/ssh/sshd_config - regexp: '(?i)^#?PrintLastLog' + dest: /etc/ssh/sshd_config1 + regexp: '(?i)^(#PrintLastLog yes?|^#?.rintLastLog no)' line: 'PrintLastLog yes' validate: /usr/sbin/sshd -t -f %s owner: root @@ -6301,7 +6301,7 @@ state: present - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables" - service: + systemd: name: nftables state: started enabled: yes From 214641ee56fee041fa1fb71260d06b5a655057c6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 10:51:03 +0100 Subject: [PATCH 075/110] idempotence Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 37ee395e..290d9df7 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
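Review bot: Changing the two conditions from `"pti="` to `"pti=on"` breaks the repair path of this block: the `replace` task that normalises an existing `pti=<other>` to `pti=on` now only runs when `pti=on` is already present (a no-op), while the `lineinfile` task appends a second ` pti=on` to a GRUB_CMDLINE_LINUX that contains `pti=off`, leaving both values on the line. The `pti=on` comparison belongs only to the new `grub2-editenv` check; keep `when: '"pti=" not in ...'` on the lineinfile task and `when: '"pti=" in ...'` on the replace task as they were. The block starts in the previous line of this series and its `tags` continue past the hunk.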
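Review bot: `dest: /etc/ssh/sshd_config1` writes a new file sshd never reads, and because `validate: /usr/sbin/sshd -t -f %s` only checks the temporary copy, the task succeeds while the real sshd_config is left untouched and RHEL-08-020350 stays open. The new regexp `(?i)^(#PrintLastLog yes?|^#?.rintLastLog no)` is also hard to reason about (`yes?` matches `ye`, `.` matches any character, the second `^` sits inside the group); the previous `(?i)^#?PrintLastLog` already matched a correct `PrintLastLog yes` line and left it unchanged, so it was idempotent as written. Suggest `dest: /etc/ssh/sshd_config` and `regexp: '(?i)^\s*#?\s*PrintLastLog\b'`.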
@@ -16,8 +16,12 @@ - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: + - name: RHEL-08-010020 | HIGH | AUDIT | Check if fips is active in grub" + shell: grub2-editenv -- list | grep -Ec 'fips=1|^fips=0' + register: rhel_08_010020_fips_active + - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." - dnf: + package: name: dracut-fips state: present notify: rebuild initramfs @@ -30,6 +34,7 @@ changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 when: - not ansible_fips + - rhel_08_010020_fips_active.stdout != '1' - name: "RHEL-08-010020 | HIGH | AUDIT | Check if prelink package is installed" command: rpm -q prelink From 9ea3e68893ac6712e63861077a6ea4c191e6b7b4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 10:55:31 +0100 Subject: [PATCH 076/110] added conditional and changed Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 290d9df7..940a5c29 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
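Review bot: `grep -Ec 'fips=1|^fips=0'` counts a `fips=0` entry as FIPS being active, so a host whose kernelopts carry `fips=0` gets `stdout == '1'` and `fips-mode-setup --enable` is skipped on exactly the host that needs it; the `^` anchors only the second alternative, and since `grub2-editenv list` prints the arguments inside a `kernelopts=...` line on RHEL 8 that alternative can never match anyway. The task also has no `failed_when`, so on a host with no `fips=` argument at all `grep -c` exits 1 and the play stops. Suggest `shell: grub2-editenv -- list | grep -c 'fips=1'` with `failed_when: false` and `changed_when: false`. The task name is missing its opening quote (`- name: RHEL-08-010020 ... grub"`), which YAML accepts as a plain scalar ending in a stray `"`.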
@@ -19,6 +19,9 @@ - name: RHEL-08-010020 | HIGH | AUDIT | Check if fips is active in grub" shell: grub2-editenv -- list | grep -Ec 'fips=1|^fips=0' register: rhel_08_010020_fips_active + changed_when: false + when: + - not ansible_fips - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." package: From bb2c09d4522b538f088c1b9000f8d14c9cb6ac17 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 12:01:40 +0100 Subject: [PATCH 077/110] efficiency use setup module vars Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 27 +++++---------------------- tasks/fix-cat2.yml | 4 +++- tasks/fix-cat3.yml | 27 ++++----------------------- 3 files changed, 12 insertions(+), 46 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 940a5c29..03384477 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
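Review bot: The added `changed_when: false` and `when: not ansible_fips` are right, but the task still has no `failed_when`: `grep -c` exits 1 when it finds no match, so a non-FIPS host with no `fips=` kernel argument — the case this guard exists to detect — fails here instead of proceeding to `fips-mode-setup --enable`. Add `failed_when: rhel_08_010020_fips_active.rc > 1` so only a genuine command error (missing grub2-editenv, unreadable grubenv) aborts the run.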
@@ -16,44 +16,27 @@ - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - - name: RHEL-08-010020 | HIGH | AUDIT | Check if fips is active in grub" - shell: grub2-editenv -- list | grep -Ec 'fips=1|^fips=0' - register: rhel_08_010020_fips_active - changed_when: false - when: - - not ansible_fips - - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." + - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" package: name: dracut-fips state: present notify: rebuild initramfs - when: - - not ansible_fips + when: "'dracut-fips' not in ansible_facts.packages" - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. 
| Enables FIPS mode on kernel" command: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 when: - - not ansible_fips - - rhel_08_010020_fips_active.stdout != '1' - - - name: "RHEL-08-010020 | HIGH | AUDIT | Check if prelink package is installed" - command: rpm -q prelink - args: - warn: no - changed_when: no - failed_when: no - check_mode: no - register: rhel_08_010020_prelink_installed + - ansible_proc_cmdline.fips != '1' - name: "RHEL-08-010020 | HIGH | PATCH | Disable prelinking." lineinfile: dest: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no - when: rhel_08_010020_prelink_installed.rc == 0 + when: "'prelink' in ansible_facts.packages" notify: undo existing prelinking - name: "RHEL-08-010020 | HIGH | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" @@ -336,7 +319,7 @@ state: absent when: - rhel_08_040000 - - - "'telnet-server' in ansible_facts.packages" + - "'telnet-server' in ansible_facts.packages" tags: - RHEL-08-040000 - CAT1 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ed5c51eb..f6c31d11 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1009,6 +1009,7 @@ - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" shell: grubby --update-kernel=ALL --args="vsyscall=none" + when: ansible_proc_cmdline.vsyscall != 'none' - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" lineinfile: 
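Review bot: `ansible_proc_cmdline.fips != '1'` raises an undefined-attribute error when `fips=` is not on the kernel command line, which is every host that still needs FIPS enabled, so the task errors instead of running. Use `ansible_proc_cmdline.fips | default('0') != '1'`, or keep the `not ansible_fips` guard this hunk drops — that fact is read from /proc/sys/crypto/fips_enabled and is the most direct signal. The next commit adds `is defined` guards for vsyscall, slub_debug and audit but not for this line. The block starts in the previous line of this series and continues past the hunk with the GRUB_CMDLINE_LINUX check.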
@@ -1045,6 +1046,7 @@ - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" shell: grubby --update-kernel=ALL --args="slub_debug=P" + when: ansible_proc_cmdline.slub_debug != 'P' - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" lineinfile: @@ -3776,7 +3778,7 @@ - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." lineinfile: - dest: /etc/ssh/sshd_config1 + dest: /etc/ssh/sshd_config regexp: '(?i)^(#PrintLastLog yes?|^#?.rintLastLog no)' line: 'PrintLastLog yes' validate: /usr/sbin/sshd -t -f %s diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 899515f9..428af727 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -297,17 +297,11 @@ failed_when: false register: rhel8stig_030601_grub_cmdline_linux - - name: "LOW | RHEL-08-030601 | AUDIT | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Get GRUB active settings" - shell: grub2-editenv -- list | grep -c audit=1 - changed_when: false - failed_when: false - register: rhel8stig_030601_grub_active - - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit to 1 as active" shell: grubby --update-kernel=ALL --args="audit=1" args: warn: no - when: rhel8stig_030601_grub_active.stdout != '1' + when: ansible_proc_cmdline.audit != '1' - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" lineinfile: 
@@ -341,17 +335,11 @@ failed_when: false register: rhel8stig_030602_grub_cmdline_linux - - name: "LOW | RHEL-08-030602 | AUDIT | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Get grub active settings" - shell: grub2-editenv -- list | grep -c audit_backlog_limit=8192 - changed_when: false - failed_when: false - register: rhel8stig_030602_grub_active - - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" args: warn: no - when: rhel8stig_030602_grub_active.stdout != '1' + when: ansible_proc_cmdline.audit_backlog_limit != '8192' - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if doesn't exist" lineinfile: 
@@ -430,19 +418,12 @@ - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." block: - - name: "LOW | RHEL-08-040004 | AUDIT | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get active grub settings" - shell: grub2-editenv -- list | grep -c pti=on - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_040004_grub_active - + - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" shell: grubby --update-kernel=ALL --args="pti=on" args: warn: no - when: rhel8stig_040004_grub_active.stdout != '1' + when: ansible_proc_cmdline.pti != 'on' - name: "LOW | RHEL-08-040004 | AUDIT | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' From c2199b6e1daa7f6dc8237f0c411bea031b50d82c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 14:36:21 +0100 Subject: [PATCH 078/110] improved logic Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 8 ++++++-- tasks/fix-cat3.yml | 3 ++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index f6c31d11..c94b1d02 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1009,7 +1009,9 @@ - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" shell: grubby --update-kernel=ALL --args="vsyscall=none" - when: ansible_proc_cmdline.vsyscall != 'none' + when: + - (ansible_proc_cmdline.vsyscall is defined and ansible_proc_cmdline.vsyscall != 'none') or + (ansible_proc_cmdline.vsyscall is not defined) - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" lineinfile: 
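Review bot: `when: ansible_proc_cmdline.pti != 'on'` errors with an undefined attribute on any host whose kernel command line has no `pti=` argument, which is the normal state before this control is applied, so the grubby call never runs where it is needed; the next commit adds `is defined` guards for vsyscall, slub_debug and audit but leaves this one as is. Use `when: ansible_proc_cmdline.pti | default('') != 'on'`. The block continues past the hunk with the /etc/default/grub edits.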
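Review bot: The two-clause `(x is defined and x != 'none') or (x is not defined)` condition reads more easily as one clause with the default filter: `when: ansible_proc_cmdline.vsyscall | default('') != 'none'`. Continuing a single list item onto a second line with a trailing `or` relies on YAML folding a plain multi-line scalar, which works today but breaks quietly if someone adds a second list item at the wrong indent; the single-line form avoids that. The same simplification applies to the slub_debug hunk in the next line of this series.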
@@ -1046,7 +1048,9 @@ - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" shell: grubby --update-kernel=ALL --args="slub_debug=P" - when: ansible_proc_cmdline.slub_debug != 'P' + when: + - (ansible_proc_cmdline.slub_debug is defined and ansible_proc_cmdline.slub_debug != 'P') or + (ansible_proc_cmdline.slub_debug is not defined) - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" lineinfile: diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 428af727..f2049d92 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -301,7 +301,8 @@ shell: grubby --update-kernel=ALL --args="audit=1" args: warn: no - when: ansible_proc_cmdline.audit != '1' + when: (ansible_proc_cmdline.audit is defined and ansible_proc_cmdline.audit != '1') or + (ansible_proc_cmdline is not defined) - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" lineinfile: From 143df6bc95f83f3ed83df631b4d8cd7a182b0f30 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 15:51:57 +0100 Subject: [PATCH 079/110] fixed invalid value for skip_reboot Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4286e932..f3697be4 100644 --- a/README.md +++ b/README.md 
@@ -74,7 +74,7 @@ Role Variables | `rhel8stig_dns_servers` | `8.8.8.8 and 8.8.4.4` | To conform to STIG standards you need two DNS servers, parameter is in list form | | `rhel8stig_nfs_mounts` | `vars` | NFS file system mounts pull automatcially with prelim task | | `rhel8stig_nfs_mounts_query` | `[?starts_with(fstype, 'nfs')].mount` | The query for mounts | -| `rhel8stig_skip_reboot` | `false` | Whether or not to skip the reboot | +| `rhel8stig_skip_reboot` | `true` | Whether or not to skip the reboot | Example Playbook From ae5012dd83a257d64cccbc311b02b6b1b3a2340c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 15:52:36 +0100 Subject: [PATCH 080/110] improvemenst using pkg facts Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 4e32340f..8def0d9e 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -152,6 +152,7 @@ when: - rhel_08_010070 or rhel_08_030010 + - "'rsyslog' not in ansible_facts.packages" tags: - cat2 - medium @@ -180,6 +181,7 @@ rhel_08_030630 or rhel_08_030640 or rhel_08_030650 + - "'audispd-plugins' not in ansible_facts.packages" tags: - cat2 - medium @@ -217,6 +219,8 @@ name: aide state: present notify: "{{ rhel8stig_aide_handler }}" + when: + - "'aide' not in ansible_facts.packages" - name: "PRELIM | RHEL-08-010360 | RHEL-08-010380 | RHEL-08-040310 | Check for existing AIDE database" stat: @@ -226,7 +230,6 @@ changed_when: not rhel8stig_aide_db_status.stat.exists notify: "{{ rhel8stig_aide_handler }}" when: - - "'aide' not in ansible_facts.packages" - rhel_08_010360 or rhel_08_010380 or rhel_08_040310 From d3678e0af483caaf763758f083c94c0ae2a5231d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 15:53:50 +0100 Subject: [PATCH 081/110] updated reboot option & logic 
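Review bot: Gating `package: state: present` on `'aide' not in ansible_facts.packages` only saves the module's own rpm query, but it makes correctness depend on the `package_facts` snapshot being current: the facts are collected once (presumably earlier in prelim, not visible here) and are not refreshed after this task installs the package, so a later condition testing `'aide' in ansible_facts.packages` in the same run still sees it as absent. Either re-run `package_facts` after the prelim installs or drop these guards and let the idempotent package module decide; the same applies to the rsyslog and audispd-plugins hunks above. Moving the `'aide' not in ...` condition off the AIDE-database `stat` task is correct, since it was suppressing the database check on exactly the hosts that had aide installed.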
Signed-off-by: Mark Bolwell --- handlers/main.yml | 7 +++---- tasks/fix-cat2.yml | 27 ++++++++++++++++++--------- tasks/fix-cat3.yml | 20 +++++++++++--------- tasks/main.yml | 16 ++++++++++++++++ 4 files changed, 48 insertions(+), 22 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index ee36c135..9ad8d918 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -126,7 +126,6 @@ msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan -- name: reboot system - reboot: - when: - - not rhel8stig_skip_reboot +- name: change_requires_reboot + set_fact: + change_requires_reboot: true diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c94b1d02..5fe48021 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -336,7 +336,7 @@ state: enforcing policy: targeted check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" - notify: reboot system + notify: change_requires_reboot when: - rhel_08_010170 or rhel_08_010450 - not rhel8stig_system_is_container @@ -509,7 +509,7 @@ "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Enable FIPS" command: fips-mode-setup --enable register: rhel_08_010290_fips_enable - notify: reboot system + notify: change_requires_reboot when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' - name: | @@ -519,7 +519,7 @@ path: "{{ item.path }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: reboot system + notify: change_requires_reboot with_items: - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } 
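Review bot: Replacing the `reboot` handler with a `set_fact` handler changes the contract: nothing reboots now unless tasks/main.yml (changed in this commit but not visible here) consumes `change_requires_reboot`, and that consumer must tolerate the fact never being set — use `change_requires_reboot | default(false)` or initialise it to `false` before the fix tasks run. Because the README hunk in this series also flips `rhel8stig_skip_reboot` to default `true`, the FIPS, SELinux-enforcing, crypto-policy and kernel-cmdline changes that notify this handler will stay pending after a green play; the role should end with an explicit warning naming the outstanding reboot so an operator does not mistake a clean run for a compliant host. Any task still notifying `reboot system` outside the hunks shown would now fail with an unknown-handler error, so a grep for the old handler name is worthwhile.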
@@ -551,7 +551,7 @@ - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" command: fips-mode-setup --enable register: rhel_08_010290_fips_enable - notify: reboot system + notify: change_requires_reboot when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' when: - rhel_08_010293 @@ -569,7 +569,7 @@ path: /etc/crypto-policies/back-ends/opensslcnf.config regexp: '^MinProtocol =' line: "MinProtocol = TLSv1.2" - notify: reboot system + notify: change_requires_reboot when: - rhel_08_010294 tags: @@ -591,7 +591,7 @@ owner: root group: root mode: 0640 - notify: reboot system + notify: change_requires_reboot when: - rhel_08_010295 tags: @@ -884,6 +884,7 @@ state: present when: - rhel_08_010390 + - "'openssl-pkcs11' not in ansible_facts.packages" tags: - RHEL-08-010390 - CAT2 @@ -5506,6 +5507,7 @@ state: present when: - rhel_08_030670 + - "'rsyslog' not in ansible_facts.packages" tags: - RHEL-08-030670 - CAT2 @@ -5521,6 +5523,7 @@ state: present when: - rhel_08_030680 + - "'gnutls' not in ansible_facts.packages" tags: - RHEL-08-030680 - CAT2 @@ -5662,6 +5665,7 @@ state: absent when: - rhel_08_040002 + - "'sendmail' in ansible_facts.packages" tags: - RHEL-08-040002 - CAT2 @@ -5677,7 +5681,8 @@ name: gssproxy state: absent when: - -rhel_08_040370 + - rhel_08_040370 + - "'gssproxy' in ansible_facts.packages" tags: - RHEL-08-040370 - CAT2 @@ -5698,7 +5703,7 @@ group: root mode: 0640 insertafter: "{{ item.insertafter }}" - notify: reboot system + notify: change_requires_reboot with_items: - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } @@ -5972,7 +5977,7 @@ owner: root group: root mode: 0640 - notify: reboot system + notify: change_requires_reboot when: - rhel_08_040111 tags: 
@@ -6800,6 +6805,7 @@ when: - rhel_08_040320 - not rhel8stig_gui + - "'xorg-x11-server-common' in ansible_facts.packages" tags: - RHEL-08-040320 - CAT2 @@ -6901,6 +6907,7 @@ state: absent when: - rhel_08_040380 + - "'iprutils' not ansible_facts.packages" tags: - RHEL-08-040380 - CAT2 @@ -6916,6 +6923,7 @@ state: absent when: - rhel_08_040390 + - "'tuned' in ansible_facts.packages" tags: - RHEL-08-040390 - CAT2 @@ -6931,6 +6939,7 @@ state: absent when: - rhel_08_010163 + - "'krb5-server' in ansible_facts.packages" tags: - RHEL-08-010163 - CAT2 diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index f2049d92..ce293e58 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -302,7 +302,7 @@ args: warn: no when: (ansible_proc_cmdline.audit is defined and ansible_proc_cmdline.audit != '1') or - (ansible_proc_cmdline is not defined) + (ansible_proc_cmdline.audit is not defined) - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" lineinfile: @@ -340,7 +340,8 @@ shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" args: warn: no - when: ansible_proc_cmdline.audit_backlog_limit != '8192' + when: (ansible_proc_cmdline.audit_backlog_limit is defined and ansible_proc_cmdline.audit_backlog_limit != '8192') or + (ansible_proc_cmdline.audit_backlog_limit is not defined) - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if doesn't exist" lineinfile: 
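Review bot: The rewritten `when` in the audit_backlog_limit hunk spells `X is defined and X != '8192'` or `X is not defined`, which is the single test `when: ansible_proc_cmdline.audit_backlog_limit | default('') != '8192'`; the same shape appears in the `audit` hunk just above it and in the `pti` hunk on the next line (which also carries a stray space in `is not defined )`). The shorter form states the intent — run grubby unless the argument already holds the required value — without repeating the attribute path. The `shell: grubby` tasks these conditions belong to start above the hunks, so their `changed_when` handling is not visible here. Separately, `'iprutils' not ansible_facts.packages` in the RHEL-08-040380 hunk is missing `in` and is a template error; patch 083 further down corrects it.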
@@ -424,7 +425,8 @@ shell: grubby --update-kernel=ALL --args="pti=on" args: warn: no - when: ansible_proc_cmdline.pti != 'on' + when: (ansible_proc_cmdline.pti is defined and ansible_proc_cmdline.pti != 'on') or + (ansible_proc_cmdline.pti is not defined ) - name: "LOW | RHEL-08-040004 | AUDIT | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' @@ -468,7 +470,7 @@ owner: root group: root mode: 0640 - notify: reboot system + notify: change_requires_reboot with_items: - { regexp: '^install ATM', line: 'install ATM /bin/true', insertafter: 'EOF' } - { regexp: '^blacklist ATM', line: 'blacklist ATM', insertafter: '^install ATM /bin/true' } @@ -494,7 +496,7 @@ owner: root group: root mode: 0640 - notify: reboot system + notify: change_requires_reboot with_items: - { regexp: '^install CAN', line: 'install CAN /bin/true', insertafter: 'EOF' } - { regexp: 'blacklist CAN', line: 'blacklist CAN', insertafter: '^install CAN /bin/true' } @@ -520,7 +522,7 @@ owner: root group: root mode: 0640 - notify: reboot system + notify: change_requires_reboot with_items: - { regexp: '^install SCTP', line: 'install SCTP /bin/true', insertafter: 'EOF' } - { regexp: '^blacklist SCTP', line: 'blacklist SCTP', insertafter: '^install SCTP' } @@ -546,7 +548,7 @@ owner: root group: root mode: 0640 - notify: reboot system + notify: change_requires_reboot with_items: - { regexp: '^install TIPC', line: 'install TIPC /bin/true', insertafter: 'EOF' } - { regexp: '^blacklist TIPC', line: 'blacklist TIPC', insertafter: '^install TIPC' } @@ -572,7 +574,7 @@ owner: root group: root mode: 0640 - notify: reboot system + notify: change_requires_reboot with_items: - { regexp: '^install cramfs', line: 'install cramfs /bin/true', insertafter: 'EOF' } - { regexp: 'blacklist cramfs', line: 'blacklist cramfs', insertafter: '^install cramfs' } 
@@ -598,7 +600,7 @@ owner: root group: root mode: 0640 - notify: reboot system + notify: change_requires_reboot with_items: - { regexp: '^install firewire-core', line: 'install firewire-core /bin/true', insertafter: 'EOF' } - { regexp: '^blacklist firewire-core', line: 'blacklist firewire-core', insertafter: '^install firewire-core' } diff --git a/tasks/main.yml b/tasks/main.yml index e2b92362..aa8e2a6c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -84,6 +84,22 @@ - cat3 - low +- name: reboot system if changes require it and not skipped + block: + - name: reboot system if changes require it and not skipped + reboot: + when: + - change_requires_reboot is defined + - rhel8stig_skip_reboot + - not rhel8stig_skip_reboot + + - name: Warning a reboot required but skip option set + debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true + when: + - rhel8stig_skip_reboot + - name: flush handlers meta: flush_handlers From 8af0aa0b708c746e83a8226136bf4e755a0fe243 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 15:54:04 +0100 Subject: [PATCH 082/110] layout fix Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index e44584d0..06769a56 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
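Review bot: The reboot task's `when` lists both `rhel8stig_skip_reboot` and `not rhel8stig_skip_reboot`, so it can never run, and because the block sits before the `flush handlers` task, `change_requires_reboot` is still undefined when it is evaluated — the `set_fact` handler only executes at flush. Patch 084 below drops the contradictory line and moves the flush ahead of the block. The warning task, however, is gated on `rhel8stig_skip_reboot` alone, so it reports a required reboot whenever skipping is configured even when nothing notified the handler; it should also test `- change_requires_reboot | default(false) | bool`, a gap patch 084 leaves in place.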
@@ -29,11 +29,11 @@ ansible_python_interpreter: "{{ python2_bin }}" when: ansible_distribution_major_version == 7 - - name: Pre Audit Setup | retrieve audit content files from git - git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" +- name: Pre Audit Setup | retrieve audit content files from git + git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - audit_content == 'git' From 0ac478f61185948727be3f8b9d07331113954b1d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 17:46:40 +0100 Subject: [PATCH 083/110] fixed typo Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5fe48021..5efa5aca 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6907,7 +6907,7 @@ state: absent when: - rhel_08_040380 - - "'iprutils' not ansible_facts.packages" + - "'iprutils' in ansible_facts.packages" tags: - RHEL-08-040380 - CAT2 From 328644e7c35a74616b62460af23d88c24755ef97 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Aug 2021 17:47:05 +0100 Subject: [PATCH 084/110] add tags and moved handler flush Signed-off-by: Mark Bolwell --- tasks/main.yml | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index aa8e2a6c..16f4e928 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
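Review bot: The git task now stands at top level and fetches audit content at `version: "{{ audit_git_version }}"` from `audit_file_git`; whether that pins a commit or follows a moving branch depends on defaults not visible here. For content that drives the compliance result on every managed host, the default should be a tag or full commit id and documented as such, since a branch name lets the audit content change underneath a released role version. The task's `when` continues below the hunk.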
@@ -67,30 +67,36 @@ import_tasks: cat_1/main.yml when: rhel8stig_cat1_patch tags: - - cat1 + - CAT1 - high - name: Include CAT II patches import_tasks: fix-cat2.yml when: rhel8stig_cat2_patch tags: - - cat2 + - CAT2 - medium - name: Include CAT III patches import_tasks: fix-cat3.yml when: rhel8stig_cat3_patch | bool tags: - - cat3 + - CAT3 - low +- name: flush handlers + meta: flush_handlers + tags: + - CAT1 + - CAT2 + - CAT3 + - name: reboot system if changes require it and not skipped block: - name: reboot system if changes require it and not skipped reboot: when: - - change_requires_reboot is defined - - rhel8stig_skip_reboot + - change_requires_reboot | bool - not rhel8stig_skip_reboot - name: Warning a reboot required but skip option set @@ -99,9 +105,10 @@ changed_when: true when: - rhel8stig_skip_reboot - -- name: flush handlers - meta: flush_handlers + tags: + - CAT1 + - CAT2 + - CAT3 - import_tasks: post_remediation_audit.yml when: From 8607cb54e51914cdfe79522972561a90e2aa1112 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 16 Aug 2021 13:07:11 -0400 Subject: [PATCH 085/110] fixed title typo in 030362 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5efa5aca..8b0eeb02 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4834,7 +4834,7 @@ - V-230439 - auditd -- name: "MEDIUM | RHEL-0-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." +- name: "MEDIUM | RHEL-08-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record." lineinfile: path: /etc/audit/rules.d/audit.rules line: "{{ item }}" From b5c26c154456cac24446aca323130e9bb38fe094 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 16 Aug 2021 13:26:07 -0400 Subject: [PATCH 086/110] updated 020022 typo found by @JSurf 
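Review bot: `change_requires_reboot | bool` raises an undefined-variable error on any run in which no task notified the handler, unless the variable is declared in defaults (not visible here); `- change_requires_reboot | default(false) | bool` makes the check safe either way. The flush and reboot tasks carry only the `CAT1`/`CAT2`/`CAT3` tags, so a run restricted to a control-level tag such as `RHEL-08-010290` applies a change that notifies the handler but never reaches the reboot check; `tags: always` on these two tasks keeps the behaviour consistent, with the `when` conditions still deciding whether a reboot actually happens.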
Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8b0eeb02..7b746e2a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1129,6 +1129,8 @@ - V-230286 - ssh +# This control asks for permissions to be set to 0640. However that is the incorrect permission for that file and will cause issues. +# The title is left to match the incorrect value in the STIG but the actual value set is adjusted to correct permissions - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." block: - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files" @@ -1145,7 +1147,7 @@ - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions" file: path: "{{ item.path }}" - mode: '0640' + mode: '0600' with_items: - "{{ rhel_08_010490_private_host_key_files.files }}" notify: restart sshd @@ -2800,7 +2802,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: From 12ae2cbab202a8473fa5bf722ab8d1e918552715 Mon Sep 17 00:00:00 2001 
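Review bot: The new comment above RHEL-08-010490 says 0640 is "incorrect" and "will cause issues" but does not say what breaks; RHEL 8's openssh-server ships host keys as root:ssh_keys 0640 and sshd runs with that layout, so the stricter `mode: '0600'` is a sound choice but the comment should state the actual failure (or reference the report) so the next maintainer does not revert it to match the STIG title. The task sets `mode` without `owner`/`group`, so a key that is not root-owned keeps its current owner; adding `owner: root` and `group: root` next to `mode: '0600'` matches the intent of a 0600 private key. The `find` task whose results are iterated here starts above the hunk.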
From: George Nalen Date: Mon, 16 Aug 2021 13:35:38 -0400 Subject: [PATCH 087/110] Adjusted pamd controls to use default faillock suggested by @JSurf Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 56 +++++++++++++++++++++++----------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7b746e2a..047906d2 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2211,7 +2211,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2222,7 +2222,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: 
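Review bot: Dropping `dir=/var/log/faillock` from the preauth and authfail lines means the tally directory now comes from `/etc/security/faillock.conf` or the module default of `/var/run/faillock`, which is cleared on reboot; unless the role also writes `dir = /var/log/faillock` into faillock.conf (not visible in this commit), lockouts no longer persist across a reboot and the STIG check for a persistent faillock directory would fail. The same removal is repeated in every hunk through the end of this patch. A comment above the first of these tasks, e.g. `# dir= is configured centrally in /etc/security/faillock.conf`, would record where the directory is now set.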
@@ -2256,7 +2256,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2267,7 +2267,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: @@ -2307,7 +2307,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: 
@@ -2318,7 +2318,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: @@ -2352,7 +2352,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2363,7 +2363,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: 
@@ -2406,7 +2406,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2417,7 +2417,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: @@ -2451,7 +2451,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: 
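Review bot: The new lines in the 2406 and 2417 hunks still carry `nlock_time={{ ... }}` rather than `unlock_time=`, and the same misspelling survives in the rewritten lines at 2505/2516, 2604/2615 and 2703/2714 further on; this commit touches those lines but leaves the typo in place. pam_faillock reports unrecognised options and ignores them, so these pam.d files would fall back to the module's default unlock time instead of `rhel8stig_pam_faillock.unlock_time`, silently weakening the lockout policy on whichever branch of the task set these entries serve. Replace `nlock_time=` with `unlock_time=` in each, matching the preauth and authfail lines in the other hunks.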
@@ -2462,7 +2462,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: @@ -2505,7 +2505,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2516,7 +2516,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: 
@@ -2550,7 +2550,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2561,7 +2561,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: @@ -2604,7 +2604,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: 
@@ -2615,7 +2615,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: @@ -2649,7 +2649,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2660,7 +2660,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: 
@@ -2703,7 +2703,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2714,7 +2714,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: @@ -2748,7 +2748,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: 
@@ -2759,7 +2759,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: @@ -2802,7 +2802,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2813,7 +2813,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: 
@@ -2847,7 +2847,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd with_items: @@ -2858,7 +2858,7 @@ lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd with_items: From 725bd513791ff51ebb12949601f669fb40a0ac2b Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 16 Aug 2021 14:00:14 -0400 Subject: [PATCH 088/110] Addressed issue #26 related to IPv6 sysctl reloads Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 047906d2..ac291787 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6418,7 +6418,8 @@ name: "{{ item }}" state: present value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot with_items: - net.ipv4.conf.default.accept_redirects - net.ipv6.conf.default.accept_redirects 
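Review bot: Commenting out `reload: "{{ rhel8stig_sysctl_reload }}"` does not stop the reload — the sysctl module's `reload` parameter defaults to true, so a changed value is still re-read immediately, the `rhel8stig_sysctl_reload` switch becomes a no-op, and `notify: change_requires_reboot` now schedules a reboot for a setting that has already been applied. If the intent behind issue #26 is to avoid reloading when IPv6 is disabled, write `reload: false` explicitly (or keep the variable) rather than relying on the default; the same change appears in every hunk of this patch and on the next two lines, and patch 089 removes the commented lines without setting the value. Commented-out code should not be left in the task; either remove the variable from defaults or keep it in use.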
@@ -6449,7 +6450,8 @@ name: net.ipv4.conf.all.send_redirects state: present value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0" lineinfile: @@ -6474,7 +6476,8 @@ name: net.ipv4.icmp_echo_ignore_broadcasts state: present value: '1' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast default value to 1" lineinfile: @@ -6499,7 +6502,8 @@ name: "{{ item }}" state: present value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot with_items: - net.ipv4.conf.all.accept_source_route - net.ipv6.conf.all.accept_source_route @@ -6530,7 +6534,8 @@ name: "{{ item }}" state: present value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot with_items: - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.default.accept_source_route @@ -6561,7 +6566,8 @@ name: "{{ item }}" state: present value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot with_items: - net.ipv4.ip_forward - net.ipv6.conf.all.forwarding @@ -6594,7 +6600,8 @@ name: net.ipv6.conf.all.accept_ra state: present value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra value to 0" lineinfile: 
@@ -6620,7 +6627,8 @@ name: net.ipv6.conf.default.accept_ra state: present value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0" lineinfile: @@ -6646,7 +6654,8 @@ name: net.ipv4.conf.default.send_redirects state: present value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0" lineinfile: @@ -6671,7 +6680,8 @@ name: "{{ item }}" state: present value: '0' - reload: "{{ rhel8stig_sysctl_reload }}" + # reload: "{{ rhel8stig_sysctl_reload }}" + notify: change_requires_reboot with_items: - net.ipv4.conf.all.accept_redirects - net.ipv6.conf.all.accept_redirects From aeb29b112d73cdbf3c05e2beebc42f5a1203210c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 16 Aug 2021 14:13:46 -0400 Subject: [PATCH 089/110] fixed 040161 title typo Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ac291787..3f9ff385 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6359,7 +6359,7 @@ - V-230526 - ssh -- name: "MEDIUM | RHEL-0-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server." +- name: "MEDIUM | RHEL-08-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server." lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?RekeyLimit' 
@@ -6418,7 +6418,6 @@ name: "{{ item }}" state: present value: '0' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot with_items: - net.ipv4.conf.default.accept_redirects @@ -6450,7 +6449,6 @@ name: net.ipv4.conf.all.send_redirects state: present value: '0' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Set send_redirects default value to 0" @@ -6476,7 +6474,6 @@ name: net.ipv4.icmp_echo_ignore_broadcasts state: present value: '1' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Set echo_ignore_broadcast default value to 1" @@ -6502,7 +6499,6 @@ name: "{{ item }}" state: present value: '0' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot with_items: - net.ipv4.conf.all.accept_source_route @@ -6534,7 +6530,6 @@ name: "{{ item }}" state: present value: '0' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot with_items: - net.ipv4.conf.default.accept_source_route @@ -6566,7 +6561,6 @@ name: "{{ item }}" state: present value: '0' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot with_items: - net.ipv4.ip_forward @@ -6600,7 +6594,6 @@ name: net.ipv6.conf.all.accept_ra state: present value: '0' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Set accept_ra value to 0" 
@@ -6627,7 +6620,6 @@ name: net.ipv6.conf.default.accept_ra state: present value: '0' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Set accept_ra to value 0" @@ -6654,7 +6646,6 @@ name: net.ipv4.conf.default.send_redirects state: present value: '0' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0" @@ -6680,7 +6671,6 @@ name: "{{ item }}" state: present value: '0' - # reload: "{{ rhel8stig_sysctl_reload }}" notify: change_requires_reboot with_items: - net.ipv4.conf.all.accept_redirects From 8e1c961d03dabca0baff7453fec27db84c9be68c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 16 Aug 2021 14:16:47 -0400 Subject: [PATCH 090/110] fixed missing 08 typos in titles Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3f9ff385..855e21ee 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -6242,32 +6242,32 @@ - V-230522 - mounts -- name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." +- name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." block: - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy" + - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy" dnf: name: fapolicyd state: present - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" + - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts changed_when: false failed_when: false - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy" + - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Start/enable fapolicy" service: name: fapolicyd state: started enabled: yes - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " + - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " lineinfile: path: /etc/fapolicyd/fapolicyd.rules line: "{{ item }}" with_items: - "{{ rhel8stig_fapolicy_white_list }}" - - name: "MEDIUM | RHEL-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" + - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" lineinfile: path: /etc/fapolicyd/fapolicyd.conf regexp: '^permissive =' 
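Review bot: The renamed `| Set fapolicy whitelist ` task still carries the trailing space inside its quoted name; since the rename touches that line anyway, drop it: `... | Set fapolicy whitelist"`. In the same block the `Set fapolicy mounts` step appends `mount` output to `/etc/fapolicyd/fapolicyd.mounts` with `>>` on every run, under `changed_when: false` and `failed_when: false`, so the file grows duplicate entries each time the role runs and a failed write is never reported for a file that feeds the deny-all policy. Registering the command output and writing the file with the `copy` module's `content:` (or `lineinfile` per mount point) would make the step idempotent and let failures surface. This hunk begins on the previous physical line.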
@@ -6639,16 +6639,16 @@ - V-230542 - icmp -- name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." +- name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." block: - - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl" + - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects in sysctl" sysctl: name: net.ipv4.conf.default.send_redirects state: present value: '0' notify: change_requires_reboot - - name: "MEDIUM | RHEL-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0" + - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Set default.send_redirects value to 0" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv4.conf.default.send_redirects' @@ -6664,9 +6664,9 @@ - V-230543 - icmp -- name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." +- name: "MEDIUM | RHEL-08-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." block: - - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" + - name: "MEDIUM | RHEL-08-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" sysctl: name: "{{ item }}" state: present 
@@ -6676,7 +6676,7 @@ - net.ipv4.conf.all.accept_redirects - net.ipv6.conf.all.accept_redirects - - name: "MEDIUM | RHEL-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" + - name: "MEDIUM | RHEL-08-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" lineinfile: path: /etc/sysctl.conf regexp: "{{ item.regexp }}" @@ -6817,9 +6817,9 @@ - V-230553 - gui -- name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." +- name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." block: - - name: "MEDIUM | RHEL-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" + - name: "MEDIUM | RHEL-08-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" shell: "ip link | grep -i promisc | cut -d ':' -f 2" check_mode: no failed_when: no @@ -6827,7 +6827,7 @@ ignore_errors: yes register: rhel_08_040670_promisc_check - - name: "MEDIUM | RHEL-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" + - name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode" shell: "ip link set dev {{ item }} promisc off" with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}" when: From 517f8a59a83cb8c89d2c00d720f469b9e30a2fc1 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 16 Aug 2021 14:22:55 -0400 Subject: [PATCH 091/110] fixed missing 08 typos in titles part 2 Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 128 ++++++++++++++++++++++----------------------- 1 file changed, 64 insertions(+), 64 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 855e21ee..d30af421 100644 --- a/tasks/fix-cat2.yml 
+++ b/tasks/fix-cat2.yml @@ -2205,9 +2205,9 @@ - V-230331 - accounts -- name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." +- name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." block: - - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" + - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2218,7 +2218,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" + - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' @@ -2229,7 +2229,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" + - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' 
@@ -2250,9 +2250,9 @@ - V-230332 - pamd -- name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." +- name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." block: - - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" + - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2263,7 +2263,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" + - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' @@ -2274,7 +2274,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" + - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' 
@@ -2285,7 +2285,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf" + - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set deny in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^deny =|^\# deny =' @@ -2301,9 +2301,9 @@ - V-230333 - pamd -- name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." +- name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." block: - - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2314,7 +2314,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' 
@@ -2325,7 +2325,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' @@ -2346,9 +2346,9 @@ - V-230334 - pamd -- name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." +- name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." block: - - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2359,7 +2359,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' 
@@ -2370,7 +2370,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' @@ -2381,7 +2381,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set fail_interval in faillock.conf" + - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set fail_interval in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^fail_interval =|^\# fail_interval =' @@ -2400,9 +2400,9 @@ - V-230335 - pamd -- name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." +- name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." block: - - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' 
@@ -2413,7 +2413,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' @@ -2424,7 +2424,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' 
@@ -2445,9 +2445,9 @@ - V-230336 - pamd -- name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." +- name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." block: - - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2458,7 +2458,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + - name: "MEDIUM | RHEL-08-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' 
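Review bot: The renamed line in the hunk at -2458 keeps `PATCH |RHEL 8` with no space after the separator, so the title still does not follow the `MEDIUM | ID | PATCH | text | step` form every other task uses; since the rename touches this line anyway, write `| PATCH | RHEL 8 must automatically lock an account ...`. The same separator inconsistency survives the rename in later hunks: `persist.| Set preauth` at -2499, `occur.| Set preauth` at -2598, `RHEL-08-020019| PATCH` at -2643, `RHEL-08-020021| PATCH` at -2742 and `RHEL-08-020022| PATCH` at -2796. Any tooling that splits these names on ` | ` to report by STIG ID would misparse those entries.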
@@ -2469,7 +2469,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' @@ -2480,7 +2480,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" + - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^unlock_time =|^\# unlock_time =' @@ -2499,9 +2499,9 @@ - V-230337 - pamd -- name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist." +- name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist." block: - - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth" + - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' 
@@ -2512,7 +2512,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" + - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' @@ -2523,7 +2523,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" + - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' @@ -2544,9 +2544,9 @@ - V-230338 - pamd -- name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist." +- name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist." block: - - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set preauth" + - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2557,7 +2557,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" + - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' @@ -2568,7 +2568,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" + - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' 
@@ -2579,7 +2579,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf" + - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^dir =|^\# dir =' @@ -2598,9 +2598,9 @@ - V-230339 - pamd -- name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." +- name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." block: - - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth" + - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2611,7 +2611,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" + - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' 
@@ -2622,7 +2622,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" + - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' @@ -2643,9 +2643,9 @@ - V-230340 - pamd -- name: "MEDIUM | RHEL-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." +- name: "MEDIUM | RHEL-08-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." block: - - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set preauth" + - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2656,7 +2656,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" + - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' 
@@ -2667,7 +2667,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" + - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' @@ -2678,7 +2678,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf" + - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^silent|^\# silent' @@ -2697,9 +2697,9 @@ - V-230341 - pamd -- name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." +- name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." block: - - name: "MEDIUM | RHEL-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" + - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' 
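Review bot: In the hunk at -2697 the parent task is renamed to `RHEL-08-020020` but its `Set preauth` sub-task is renamed to `RHEL-08-020018`, the ID of a different control two blocks earlier; the commit fixes the missing `08` on that line but carries the wrong control number forward. The line should read `- name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"`, matching the authfail and account sub-tasks of the same block in the following hunks. The enclosing block continues outside the hunk.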
@@ -2710,7 +2710,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" + - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' @@ -2721,7 +2721,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" + - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' @@ -2742,9 +2742,9 @@ - V-230342 - pamd -- name: "MEDIUM | RHEL-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." +- name: "MEDIUM | RHEL-08-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." block: - - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" + - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2755,7 +2755,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" + - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' 
@@ -2766,7 +2766,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" + - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' @@ -2777,7 +2777,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf" + - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set audit in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^audit|^\# audit' @@ -2796,9 +2796,9 @@ - V-230343 - pamd -- name: "MEDIUM | RHEL-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." +- name: "MEDIUM | RHEL-08-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." block: - - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' 
@@ -2809,7 +2809,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' @@ -2820,7 +2820,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' 
@@ -2841,9 +2841,9 @@ - V-230344 - pamd -- name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." +- name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." block: - - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' @@ -2854,7 +2854,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" + - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' 
@@ -2865,7 +2865,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' @@ -2876,7 +2876,7 @@ - system-auth - password-auth - - name: "MEDIUM | RHEL-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf" + - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^even_deny_root|^\# even_deny_root' @@ -3275,7 +3275,7 @@ - V-230360 - pwquality -- name: "MEDIUM | RHEL-020150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." +- name: "MEDIUM | RHEL-08-20150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." lineinfile: path: /etc/security/pwquality.conf create: yes From 8fddbc9da8181e1bf05d758c2150da97edd139cb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Aug 2021 11:17:07 +0100 Subject: [PATCH 092/110] fixed dod banner check 
Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 696272bc..d0307025 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -400,7 +400,14 @@ rhel8stig_boot_superuser: {{ rhel8stig_boot_superuser }} # RHEL_08_010040-010050-010060 rhel8stig_banner_file: /etc/issue -rhel8stig_logon_banner: '[You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions\: \-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \-At any time, the USG may inspect and seize data stored on this IS. \-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests\--not for your personal benefit or privacy. \-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.]' +rhel8stig_logon_banner: +- 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.' 
+- 'By using this IS (which includes any device attached to this IS), you consent to the following conditions:' +- '-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.' +- '-At any time, the USG may inspect and seize data stored on this IS.' +- '-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.' +- '-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.' +- '-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' # RHEL_08_010680 to change if using hostfile only - seperate checks rhel8stig_uses_dns: true From 58cb782618ca12c0fc24bb8d9bce0d2c90770093 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Aug 2021 17:47:01 +0100 Subject: [PATCH 093/110] fixed sssd logic Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 8 ++++---- templates/ansible_vars_goss.yml.j2 | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index d30af421..568a4f6e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -905,7 +905,7 @@ - no_verification notify: restart sssd when: - - "'sssd' in ansible_facts.packages" + - "'sssd-common' in ansible_facts.packages" - rhel8stig_sssd_conf_present.stat.exists - rhel_08_010400 tags: 
@@ -3160,7 +3160,7 @@ - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' } notify: restart sssd when: - - "'sssd' in ansible_facts.packages" + - "'sssd-common' in ansible_facts.packages" - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020090 tags: @@ -3616,7 +3616,7 @@ notify: restart sssd when: rhel_08_020250_system_auth_sss.stdout | length > 0 when: - - "'sssd' in ansible_facts.packages" + - "'sssd-common' in ansible_facts.packages" - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020250 tags: @@ -3698,7 +3698,7 @@ - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } when: - - "'sssd' in ansible_facts.packages" + - "'sssd-common' in ansible_facts.packages" - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020290 tags: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index d0307025..6966381c 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -31,7 +31,7 @@ rhel8stig_gui: false rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} # Discovered items to assist with skips some audit checks -skip_sssd_check: {% if 'sssd' not in ansible_facts.packages %}True{% else %}False{% endif %} +skip_sssd_check: {% if 'sssd-common' not in ansible_facts.packages %}True{% else %}False{% endif %} skip_postfix_check: {% if 'postfix' not in ansible_facts.packages %}True{% else %}False{% endif %} From e369afbefdc0d4b38242380c3b4ed650a758ebec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Aug 2021 09:57:42 +0100 Subject: [PATCH 094/110] #40 sssd improvements thanks to jsurf Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 21 +++++++++------------ tasks/prelim.yml | 9 --------- 2 files changed, 9 insertions(+), 21 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 568a4f6e..3835a83c 100644 
--- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -897,15 +897,15 @@ - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." lineinfile: path: '{{ rhel8stig_sssd_conf }}' - regexp: '^certificate_verification = {{ item }}' - state: absent + regexp: '^certificate_verification = {{ item.regexp }}' + state: "{{ item.state }}" with_items: - - 'no_ocsp, no_verification' - - no_ocsp - - no_verification + - { regexp: 'no_ocsp, no_verification', state: absent } + - { regexp: 'no_ocsp', state: absent } + - { regexp: 'no_verification', state: absent } + - { regexp: 'ocsp_dgst=sha1', state: present } notify: restart sssd when: - - "'sssd-common' in ansible_facts.packages" - rhel8stig_sssd_conf_present.stat.exists - rhel_08_010400 tags: @@ -3152,7 +3152,7 @@ line: "{{ item.line }}" owner: root group: root - mode: 0640 + mode: 0600 with_items: - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } @@ -3160,7 +3160,6 @@ - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' } notify: restart sssd when: - - "'sssd-common' in ansible_facts.packages" - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020090 tags: @@ -3564,7 +3563,7 @@ insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0640 + mode: 0600 notify: restart sssd with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } @@ -3616,7 +3615,6 @@ notify: restart sssd when: rhel_08_020250_system_auth_sss.stdout | length > 0 when: - - "'sssd-common' in ansible_facts.packages" - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020250 tags: 
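Review bot: The new `{ regexp: 'ocsp_dgst=sha1', state: present }` item in the RHEL-08-010400 task has no `line` to write, and `lineinfile` requires `line` when `state=present`, so the loop should fail on that item instead of adding the `certificate_verification = ocsp_dgst=sha1` setting the control calls for; the three `absent` items are unaffected. Adding `line: "{{ item.line | default(omit) }}"` to the module call and `- { regexp: 'ocsp_dgst=sha1', state: present, line: 'certificate_verification = ocsp_dgst=sha1' }` to the loop gives the present case something to insert while leaving the absent items as they are. Dropping the `'sssd-common' in ansible_facts.packages` condition here is consistent with the `tasks/prelim.yml` change in this commit, which now stats `rhel8stig_sssd_conf` without that package check.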
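Review bot: `mode: 0600` in the `@@ -3152` hunk (and the same change in the `@@ -3564` and `@@ -3693` hunks) is an unquoted leading-zero literal, which a YAML 1.1 loader reads as octal but a YAML 1.2 loader reads as decimal 600, which is why ansible-lint flags the form as risky-octal. Quoting it as `mode: "0600"` makes the intended permission explicit regardless of parser. The tightening itself from 0640 to 0600 is fine; only the literal form is fragile.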
@@ -3693,12 +3691,11 @@ insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0640 + mode: 0600 with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } when: - - "'sssd-common' in ansible_facts.packages" - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020290 tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8def0d9e..35cbc387 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -315,25 +315,16 @@ path: "{{ rhel8stig_sssd_conf }}" register: rhel8stig_sssd_conf_present when: - - "'sssd' in ansible_facts.packages" - rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290 - - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | sssd install status | Warning if not found" - debug: - msg: "Warning!! The package sssd is found not be be installed, some items will skip" - changed_when: true - when: - - "'sssd' not in ansible_facts.packages" - - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" debug: msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" changed_when: true when: - - "'sssd' in ansible_facts.packages" - not rhel8stig_sssd_conf_present.stat.exists - name: "PRELIM | Gather interactive user ID min" From 5a2318b1534986b179cd45b24a2e1a55899f0afe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Aug 2021 09:58:29 +0100 Subject: [PATCH 095/110] improved sssd check Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 6966381c..964e21bf 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -31,7 +31,7 @@ rhel8stig_gui: false rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} # Discovered items to assist with skips some audit checks -skip_sssd_check: {% if 'sssd-common' not in ansible_facts.packages %}True{% else %}False{% endif %} +skip_sssd_check: {% if rhel8stig_sssd_conf_present.stat.exists %}False{% else %}True{% endif %} skip_postfix_check: {% if 'postfix' not in ansible_facts.packages %}True{% else %}False{% endif %} From 1569ba9625c0eee8301aed67b065a4ad1b890d67 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Aug 2021 10:20:20 +0100 Subject: [PATCH 096/110] increased default timeout Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index b71347d4..446a27f3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -63,7 +63,7 @@ run_audit: false # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system audit_run_heavy_tests: true # Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 30000 +audit_cmd_timeout: 60000 ### End Goss enablements #### #### Detailed settings found at the end of this document #### From cda0ff7888ace6e2ad6266f10f5b7d982aaa0f57 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Aug 2021 10:20:31 +0100 Subject: [PATCH 097/110] fixed title typo Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3835a83c..06ed3c7d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
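Review bot: `skip_sssd_check` now dereferences `rhel8stig_sssd_conf_present.stat.exists`, but the prelim task that registers that variable only runs when `rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290` holds (see the `tasks/prelim.yml` hunk in the previous commit); when all four controls are disabled the task is skipped, the registered result carries no `stat` key, and rendering this template fails on an undefined attribute. Guarding the test keeps the template renderable in that configuration: `skip_sssd_check: {% if rhel8stig_sssd_conf_present.stat is defined and rhel8stig_sssd_conf_present.stat.exists %}False{% else %}True{% endif %}`.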
@@ -4683,7 +4683,7 @@ - V-230430 - auditd -- name: "MEDIUM | RHEL-08-03015 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record." +- name: "MEDIUM | RHEL-08-030315 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record." lineinfile: path: /etc/audit/rules.d/audit.rules line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update From 98e565980540c3994da2a82408d3abd65aba6f47 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Aug 2021 16:43:44 +0100 Subject: [PATCH 098/110] uid facts in prelim update Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/prelim.yml | 14 +++++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 446a27f3..675f8963 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -710,7 +710,7 @@ rhel8stig_path_to_sshkey: "/root/.ssh/" # rhel8stig_sshd_compression to meet STIG requirements needs to be set to "no" or "delayed" rhel8stig_sshd_compression: "no" -# !!!!!!!!!!------------ I added a prelim task to grab the MIN_UID value but I can't use it in some tasks. Review and fix +# now in prelim rhel8stig_interactive_uid_start: 1000 # RHEL-08-030740 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 35cbc387..346cf147 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -330,13 +330,21 @@ - name: "PRELIM | Gather interactive user ID min" block: - name: "PRELIM | Gather interactive user ID min" - shell: grep UID_MIN /etc/login.defs | grep -v SYS_UID_MIN | awk '{ print $2}' + shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' changed_when: false failed_when: false - register: rhel8stig_interactive + register: rhel8stig_min_uid + + - name: "PRELIM | Gather interactive user ID max" + shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel8stig_max_uid + - name: "PRELIM | Setting the fact" set_fact: - rhel8stig_interactive_uid_min: "{{ rhel8stig_interactive.stdout | int }}" + rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | str }}" + rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | str }}" - name: "PRELIM | Find sysctl config file name | RHEL-08-010372 | RHEL-08-010373 | RHEL-08-010374 | RHEL-08-010375 | RHEL-08-010376" find: From a95b152fc050be3fac7ae107f82b23b460fdaf95 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Aug 2021 16:44:52 +0100 Subject: [PATCH 099/110] fix conditional logic Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 06ed3c7d..ea383d8b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2027,7 +2027,7 @@ label: "{{ rhel8stig_passwd_label }}" when: - rhel_08_010740 - - item.uid >= rhel8stig_interactive_uid_start + - (item.uid >= rhel8stig_interactive_uid_start|int) tags: - skip_ansible_lint - RHEL-08-010740 @@ -2047,7 +2047,7 @@ label: "{{ rhel8stig_passwd_label }}" when: - rhel_08_010750 - - item.uid >= rhel8stig_interactive_uid_start + - (item.uid >= rhel8stig_interactive_uid_start|int) tags: - skip_ansible_lint - RHEL-08-010750 From a62f0ae4107032237f22c6de320afaa67cad0c8a Mon Sep 17 00:00:00 2001 
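Review bot: `| str` in the new `set_fact` lines is not a Jinja2 or Ansible core filter (the built-in is `string`), so unless the controller ships a custom `str` filter this task errors with "no filter named 'str'" on every run; `rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}"` and the same for `rhel8stig_interactive_uid_stop` are the intended form. Separately, both `grep ... | awk` steps run with `failed_when: false`, so if `UID_MIN` or `UID_MAX` is missing or commented out in `/etc/login.defs` the fact is set to an empty string, which the `|int` casts added in the `@@ -2027` and `@@ -2047` hunks of `tasks/fix-cat2.yml` turn into 0 — the `item.uid >= 0` test then matches every account, including system accounts. Adding `when: rhel8stig_min_uid.stdout | length > 0` to the `set_fact` preserves the `rhel8stig_interactive_uid_start: 1000` default from `defaults/main.yml` in that case.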
From: Mark Bolwell Date: Wed, 18 Aug 2021 16:45:08 +0100 Subject: [PATCH 100/110] Added setting to template Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 964e21bf..d30d1f75 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -398,6 +398,11 @@ RHEL_08_040310: {{ rhel_08_040310 }} rhel8stig_password_hash: {{ rhel8stig_bootloader_password_hash }} rhel8stig_boot_superuser: {{ rhel8stig_boot_superuser }} +# RHEL_08_101120 & Auditd controls +MIN_UID: {{ rhel8stig_interactive_uid_start }} +MAX_UID: {{ rhel8stig_interactive_uid_stop }} + + # RHEL_08_010040-010050-010060 rhel8stig_banner_file: /etc/issue rhel8stig_logon_banner: From 474cf0fdda390582aad963dbb9ff4e64144bed3f Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 18 Aug 2021 13:02:04 -0400 Subject: [PATCH 101/110] changed dnf to package module, addressed 040140 and 020340 issues Signed-off-by: George Nalen --- defaults/main.yml | 5 ++--- tasks/fix-cat1.yml | 9 ++++----- tasks/fix-cat2.yml | 43 +++++++++++++++++++++++-------------------- tasks/fix-cat3.yml | 26 +++++--------------------- 4 files changed, 34 insertions(+), 49 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 446a27f3..835ada22 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
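Review bot: `MAX_UID: {{ rhel8stig_interactive_uid_stop }}` relies on a fact that, in this series, is only set by the prelim `set_fact` of the previous commit and has no entry in `defaults/main.yml`, unlike `rhel8stig_interactive_uid_start`; if that prelim block does not run, or its `grep ^UID_MAX` returns nothing, the template either fails on an undefined variable or renders a bare `MAX_UID:` that the goss loader reads as null. A fallback such as `MAX_UID: {{ rhel8stig_interactive_uid_stop | default(UID_MAX_PLACEHOLDER) }}` keeps the audit variables well-formed, and the same guard suits `MIN_UID`. The two blank lines added after the block are also one more than yamllint permits by default.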
@@ -739,12 +739,11 @@ rhel8stig_white_list_services: # This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file # to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256 # to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_macs_settings: "hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -GSSAPIKeyExchange no" +rhel8stig_ssh_macs_settings: "hmac-sha2-512,hmac-sha2-256" # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting # to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings # to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com 
-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512" +rhel8stig_ssh_server_crypto_settings: "oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256" # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 03384477..2fa3ed7c 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -16,7 +16,6 @@ - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" package: name: dracut-fips @@ -314,7 +313,7 @@ - disruption_high - name: "RHEL-08-040000 | HIGH | PATCH | RHEL 8 must not have the telnet-server package installed." - dnf: + package: name: telnet-server state: absent when: 
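Review bot: The new `rhel8stig_ssh_server_crypto_settings` value begins with `oCiphers=` rather than `-oCiphers=`, so the rendered `CRYPTO_POLICY` string hands sshd a bare `oCiphers=...` token instead of a `-o` option; the comment two lines above and the value being replaced both spell it `-oCiphers=`. Because this string is applied to the SSH server, a malformed option can prevent sshd from starting and lock administrators out of the host, so it is worth fixing before merge: `rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256"`. Dropping `hmac-sha1` and the CBC ciphers from both settings is the right direction for RHEL-08-010290/010291; only the missing dash is at issue.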
@@ -329,7 +328,7 @@ - V-230487 - name: "RHEL-08-040010 | HIGH | PATCH | RHEL 8 must not have the rsh-server package installed." - dnf: + package: name: rsh-server state: absent when: @@ -424,7 +423,7 @@ - V-230531 - name: "RHEL-08-040190 | HIGH | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." - dnf: + package: name: tftp-server state: absent when: @@ -473,7 +472,7 @@ - disruption_high - name: "RHEL-08-040360 | HIGH | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." - dnf: + package: name: vsftpd state: absent when: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 06ed3c7d..4c87e86c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1,7 +1,7 @@ --- - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." - dnf: + package: name: "*" state: latest when: @@ -315,7 +315,7 @@ - kerberos - name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8." - dnf: + package: name: krb5-workstation state: absent when: @@ -873,13 +873,13 @@ - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." block: - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" - dnf: + package: name: esc state: present when: rhel8stig_gui - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" - dnf: + package: name: openssl-pkcs11 state: present when: 
@@ -918,7 +918,7 @@ - multifactor - name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." - dnf: + package: name: opensc state: present when: @@ -2942,7 +2942,7 @@ - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions." block: - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux" - dnf: + package: name: tmux state: present @@ -4331,7 +4331,7 @@ - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." block: - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit" - dnf: + package: name: audit state: present @@ -5501,7 +5501,7 @@ - auditd - name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed." - dnf: + package: name: rsyslog state: present when: @@ -5517,7 +5517,7 @@ - rsyslog - name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed." - dnf: + package: name: gnutls state: present when: @@ -5659,7 +5659,7 @@ - abrt - name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed." - dnf: + package: name: sendmail state: absent when: 
@@ -5676,7 +5676,7 @@ - sendmail - name: "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." - dnf: + package: name: gssproxy state: absent when: @@ -5866,13 +5866,13 @@ - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8." block: - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld" - dnf: + package: name: firewalld state: present when: rhel8stig_firewall_service == "firewalld" - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables" - dnf: + package: name: iptables-services state: present when: rhel8stig_firewall_service == "iptables" @@ -6242,7 +6242,7 @@ - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." block: - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy" - dnf: + package: name: fapolicyd state: present @@ -6283,10 +6283,13 @@ - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." block: - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" - dnf: + package: name: usbguard state: present + - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | generate policy" + shell: usbguard generate-policy > /etc/usbguard/rules.conf + - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service" service: name: usbguard 
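Review bot: The added `shell: usbguard generate-policy > /etc/usbguard/rules.conf` step in the `@@ -6283` hunk runs unconditionally on every play, so it overwrites any administrator-curated rules and reports changed each time; `generate-policy` also allow-lists whatever devices are attached at that moment, which is a one-time bootstrap action rather than something to repeat on each run. Guarding it with `args:` / `creates: /etc/usbguard/rules.conf` makes it idempotent and confines allow-list generation to the initial install, and the generated file should be reviewed before the service is enabled in the following task. The enclosing RHEL-08-040140 block continues outside the hunk.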
@@ -6306,7 +6309,7 @@ - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." block: - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" - dnf: + package: name: nftables state: present @@ -6336,7 +6339,7 @@ - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." block: - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" - dnf: + package: name: openssh-server state: present @@ -6901,7 +6904,7 @@ - tftp - name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." - dnf: + package: name: iprutils state: absent when: @@ -6917,7 +6920,7 @@ - iprutils - name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8." - dnf: + package: name: tuned state: absent when: @@ -6933,7 +6936,7 @@ - tuned - name: "MEDIUM | RHEL-08-010163 | PATCH | The krb5-server package must not be installed on RHEL 8." - dnf: + package: name: krb5-server state: absent when: diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index ce293e58..b5161fab 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
@@ -241,27 +241,11 @@ - tmux - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon." - block: - - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Set session required for pam_lastlog.so" - pamd: - name: postlogin - type: session - control: optional - new_control: required - module_path: pam_lastlog.so - state: updated - - - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon. | Remove default=1 and optional control" - pamd: - name: postlogin - type: session - state: args_absent - control: "{{ item }}" - module_path: pam_lastlog.so - module_arguments: silent - with_items: - - '[default=1]' - - required + lineinfile: + path: /etc/pam.d/postlogin + regexp: 'session.*required.*pam_lastlog\.so.*showfailed' + line: "session required pam_lastlog.so showfailed" + insertbefore: BOF when: - rhel_08_020340 tags: From 50bf6b0cfba34fdb0c467ac400b58609940e9f3c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 18 Aug 2021 13:58:13 -0400 Subject: [PATCH 102/110] Updated some elements after testing Signed-off-by: George Nalen --- defaults/main.yml | 2 +- tasks/prelim.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e1086aed..eaca4c32 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
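Review bot: The replacement `lineinfile` regexp `'session.*required.*pam_lastlog\.so.*showfailed'` matches only a line that is already in the desired form, so the existing `optional` and `[default=1]` pam_lastlog.so entries that the removed pamd tasks used to rewrite are left untouched and a duplicate pam_lastlog line is inserted at BOF instead; use a pattern that matches any existing entry, e.g. `regexp: '^session\s+.*pam_lastlog\.so'`. Because lineinfile rewrites only the last matching line, a postlogin that carries two pam_lastlog entries will still keep one of them after this task, a case the old two-step pamd approach covered; a second task or a `replace` pass is needed for it. The task's `when`/`tags` continue past the hunk.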
@@ -743,7 +743,7 @@ rhel8stig_ssh_macs_settings: "hmac-sha2-512,hmac-sha2-256" # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting # to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings # to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_server_crypto_settings: "oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256" +rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256" # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 346cf147..33c3e385 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -343,8 +343,8 @@ - name: "PRELIM | Setting the fact" set_fact: - rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | str }}" - rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | str }}" + rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" + rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" - name: "PRELIM | Find sysctl config file name | RHEL-08-010372 | RHEL-08-010373 | RHEL-08-010374 | RHEL-08-010375 | RHEL-08-010376" find: From dae0e6f9e54ac682a6b51e2847f3a083047f277a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Aug 2021 10:35:08 +0100 Subject: [PATCH 103/110] fixed ciphers Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/fix-cat2.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index eaca4c32..59bb18f9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -739,7 +739,7 @@ rhel8stig_white_list_services: # This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file # to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256 # to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_macs_settings: "hmac-sha2-512,hmac-sha2-256" +rhel8stig_ssh_cipher_settings: "aes256-ctr,aes192-ctr,aes128-ctr" # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting # to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings # to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index e0680f81..065816b0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -521,7 +521,7 @@ line: "{{ item.line }}" notify: change_requires_reboot with_items: - - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" } + - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^Ciphers', line: "Ciphers {{ rhel8stig_ssh_cipher_settings }}" } - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } when: - rhel_08_010290 or From df47c3fbb4a318608b221f11a8186ab3d0a13dc2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Aug 2021 12:31:03 +0100 Subject: [PATCH 104/110] linting 
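Review bot: The tasks/fix-cat2.yml hunk swaps the `^MACs` item for a `^Ciphers` item instead of adding one, so the MACs line in /etc/crypto-policies/back-ends/openssh.config is no longer managed, even though the comment block kept in the defaults/main.yml hunk still states that RHEL-08-010290 requires hmac-sha2-512,hmac-sha2-256 there; keep both items, `- { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^MACs', line: "MACs {{ rhel8stig_ssh_macs_settings }}" }` next to the new Ciphers item, which in turn means defaults/main.yml should add `rhel8stig_ssh_cipher_settings` rather than rename `rhel8stig_ssh_macs_settings`. The comment lines immediately above the renamed variable still describe it as "the MACs setting" and should describe the cipher list instead. In both hunks the enclosing task (`with_items`, `when:`) continues past the hunk.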
Signed-off-by: Mark Bolwell --- handlers/main.yml | 12 +-- tasks/fix-cat2.yml | 16 ++-- tasks/fix-cat3.yml | 1 - tasks/main.yml | 44 +++++------ tasks/pre_remediation_audit.yml | 130 ++++++++++++++++---------------- tasks/prelim.yml | 68 ++++++++--------- 6 files changed, 134 insertions(+), 137 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 9ad8d918..ddeddfbd 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -17,7 +17,7 @@ name: sssd state: restarted when: - - "'sssd' in ansible_facts.packages" + - "'sssd' in ansible_facts.packages" - name: restart snmpd service: @@ -112,10 +112,10 @@ - name: dconf update command: dconf update - when: - - "'dconf' in ansible_facts.packages" - - rhel8stig_always_configure_dconf - + when: + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + - name: prereport score debug: msg: "Pre-run OpenSCAP score is {{ rhel8stig_prescanresults.Benchmark.TestResult.score['#text'] }}" @@ -128,4 +128,4 @@ - name: change_requires_reboot set_fact: - change_requires_reboot: true + change_requires_reboot: true diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 065816b0..72a15a8b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1010,9 +1010,9 @@ - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" shell: grubby --update-kernel=ALL --args="vsyscall=none" - when: - - (ansible_proc_cmdline.vsyscall is defined and ansible_proc_cmdline.vsyscall != 'none') or - (ansible_proc_cmdline.vsyscall is not defined) + when: + - (ansible_proc_cmdline.vsyscall is defined and ansible_proc_cmdline.vsyscall != 'none') or + (ansible_proc_cmdline.vsyscall is not defined) - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" lineinfile: 
@@ -1049,9 +1049,9 @@ - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" shell: grubby --update-kernel=ALL --args="slub_debug=P" - when: - - (ansible_proc_cmdline.slub_debug is defined and ansible_proc_cmdline.slub_debug != 'P') or - (ansible_proc_cmdline.slub_debug is not defined) + when: + - (ansible_proc_cmdline.slub_debug is defined and ansible_proc_cmdline.slub_debug != 'P') or + (ansible_proc_cmdline.slub_debug is not defined) - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" lineinfile: @@ -2929,7 +2929,6 @@ - rhel_08_020030 - "'dconf' in ansible_facts.packages" - rhel8stig_always_configure_dconf - tags: - RHEL-08-020030 - CAT2 @@ -3086,7 +3085,6 @@ - rhel_08_020060 - "'dconf' in ansible_facts.packages" - rhel8stig_always_configure_dconf - tags: - RHEL-08-020060 - CAT2 @@ -4067,7 +4065,7 @@ - rhel_08_030080 tags: - RHEL-08-030080 - - CAT2 + - CAT2 - CCI-000162 - SRG-OS-000057-GPOS-00027 - SV-230397r627750_rule diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index b5161fab..9047ba54 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -404,7 +404,6 @@ - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." block: - - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" shell: grubby --update-kernel=ALL --args="pti=on" args: diff --git a/tasks/main.yml b/tasks/main.yml index 16f4e928..61349b0a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -46,9 +46,9 @@ - name: Gather the package facts package_facts: - manager: auto + manager: auto tags: - - always + - always - import_tasks: prelim.yml become: yes 
@@ -87,35 +87,35 @@ - name: flush handlers meta: flush_handlers tags: - - CAT1 - - CAT2 - - CAT3 + - CAT1 + - CAT2 + - CAT3 - name: reboot system if changes require it and not skipped block: - - name: reboot system if changes require it and not skipped - reboot: - when: - - change_requires_reboot | bool - - not rhel8stig_skip_reboot - - - name: Warning a reboot required but skip option set - debug: - msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" - changed_when: true - when: - - rhel8stig_skip_reboot + - name: reboot system if changes require it and not skipped + reboot: + when: + - change_requires_reboot | bool + - not rhel8stig_skip_reboot + + - name: Warning a reboot required but skip option set + debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true + when: + - rhel8stig_skip_reboot tags: - - CAT1 - - CAT2 - - CAT3 + - CAT1 + - CAT2 + - CAT3 - import_tasks: post_remediation_audit.yml when: - - run_audit + - run_audit - name: Show Audit Summary debug: msg: "{{ audit_results.split('\n') }}" when: - - run_audit \ No newline at end of file + - run_audit diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 06769a56..8f0994ab 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -3,80 +3,80 @@ - name: Pre Audit Setup | Setup the LE audit include_tasks: LE_audit_setup.yml when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit - name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" file: - path: "{{ audit_conf_dir }}" - state: directory - mode: '0755' + path: "{{ audit_conf_dir }}" + state: directory + mode: '0755' - name: Pre Audit Setup | If using git for content set up block: - - name: Install git (rh8 python3) - package: - name: git - state: present - when: ansible_distribution_major_version == 8 - - - name: Pre Audit Setup | Install git (rh7 python2) - package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == 7 + - name: Install git (rh8 python3) + package: + name: git + state: present + when: ansible_distribution_major_version == 8 + + - name: Pre Audit Setup | Install git (rh7 python2) + package: + name: git + state: present + vars: + ansible_python_interpreter: "{{ python2_bin }}" + when: ansible_distribution_major_version == 7 - name: Pre Audit Setup | retrieve audit content files from git git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - - audit_content == 'git' + - audit_content == 'git' - name: Pre Audit Setup | copy to audit content files to server copy: - src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + src: "{{ audit_local_copy }}" + dest: "{{ audit_conf_dir }}" + mode: 0644 when: - - audit_content == 'copy' + - audit_content == 'copy' - name: Pre Audit Setup | get audit content from url get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + url: "{{ audit_files_url }}" + dest: "{{ audit_conf_dir }}" when: - - audit_content == 'get_url' + - audit_content == 'get_url' - name: Pre Audit Setup | Check Goss is 
available block: - - name: Pre Audit Setup | Check for goss file - stat: - path: "{{ audit_bin }}" - register: goss_available - - - name: Pre Audit Setup | If audit ensure goss is available - assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists + - name: Pre Audit Setup | Check for goss file + stat: + path: "{{ audit_bin }}" + register: goss_available + + - name: Pre Audit Setup | If audit ensure goss is available + assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + when: + - not goss_available.stat.exists when: - - run_audit + - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit template: - src: ansible_vars_goss.yml.j2 - dest: "{{ audit_vars_path }}" - mode: 0600 + src: ansible_vars_goss.yml.j2 + dest: "{{ audit_vars_path }}" + mode: 0600 when: - - run_audit + - run_audit tags: - - goss_template - + - goss_template + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" goss: goss_path: "{{ audit_bin }}" 
@@ -90,28 +90,28 @@ - name: Pre Audit | Capture audit data if json format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "cat {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false - - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" - vars: - summary: 'summary."summary-line"' + - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + command: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false + + - name: Pre Audit | Capture pre-audit result + set_fact: + pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" + vars: + summary: 'summary."summary-line"' when: - - audit_format == "json" + - audit_format == "json" - name: Pre Audit | Capture audit data if documentation format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + command: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + - name: Pre Audit | Capture pre-audit result + set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - - audit_format == "documentation" + - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 33c3e385..f682f16c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -258,7 +258,7 @@ name: openssh-server state: present when: - - "'openssh-server' not in ansible_facts.packages" + - "'openssh-server' not in ansible_facts.packages" - name: PRELIM | Start SSH service: 
@@ -311,7 +311,7 @@ - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" block: - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" - stat: + stat: path: "{{ rhel8stig_sssd_conf }}" register: rhel8stig_sssd_conf_present when: @@ -325,7 +325,7 @@ msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" changed_when: true when: - - not rhel8stig_sssd_conf_present.stat.exists + - not rhel8stig_sssd_conf_present.stat.exists - name: "PRELIM | Gather interactive user ID min" block: 
@@ -368,43 +368,43 @@ - name: Gather the package facts package_facts: - manager: auto + manager: auto tags: - - always + - always - name: "PRELIM | Check whether machine is UEFI-based" stat: - path: /sys/firmware/efi + path: /sys/firmware/efi register: rhel8_efi_boot tags: - - goss_template + - goss_template - name: PRELIM | set bootloader type block: - - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" - set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/redhat - rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path - - - name: "PRELIM | set fact if UEFI boot | CentOS " - set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/centos - rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - ansible_distribution == 'CentOS' - - - name: "PRELIM | set if not UEFI boot" - set_fact: - rhel8stig_bootloader_path: /boot/grub2/ - rhel8stig_legacy_boot: true - when: not rhel8_efi_boot.stat.exists - - - name: PRELIM | output bootloader and efi state - debug: - msg: - - "bootloader path set to {{ rhel8stig_bootloader_path }}" - - "legacy boot equals {{ rhel8stig_legacy_boot }}" + - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" + set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/redhat + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path + + - name: "PRELIM | set fact if UEFI boot | CentOS " + set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/centos + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + - ansible_distribution == 'CentOS' + + - name: "PRELIM | set if not UEFI boot" + set_fact: + rhel8stig_bootloader_path: /boot/grub2/ + rhel8stig_legacy_boot: true + when: not rhel8_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + debug: + msg: + - "bootloader path set to {{ rhel8stig_bootloader_path }}" + - "legacy boot 
equals {{ rhel8stig_legacy_boot }}" From a6c1db7deed8c35c96baeba41af13e8f914699cc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Aug 2021 13:47:45 +0100 Subject: [PATCH 105/110] removed files no longer needed 
Signed-off-by: Mark Bolwell --- tasks/Cat_1/RHEL-08-010000.yml | 17 ---- tasks/Cat_1/RHEL-08-010020.yml | 127 -------------------------- tasks/Cat_1/RHEL-08-010140_010150.yml | 44 --------- tasks/Cat_1/RHEL-08-010370.yml | 37 -------- tasks/Cat_1/RHEL-08-010371.yml | 17 ---- tasks/Cat_1/RHEL-08-010460.yml | 16 ---- tasks/Cat_1/RHEL-08-010470.yml | 27 ------ tasks/Cat_1/RHEL-08-010820.yml | 18 ---- tasks/Cat_1/RHEL-08-020330.yml | 30 ------ tasks/Cat_1/RHEL-08-040000.yml | 16 ---- tasks/Cat_1/RHEL-08-040010.yml | 16 ---- tasks/Cat_1/RHEL-08-040170.yml | 25 ----- tasks/Cat_1/RHEL-08-040171.yml | 42 --------- tasks/Cat_1/RHEL-08-040172.yml | 17 ---- tasks/Cat_1/RHEL-08-040190.yml | 18 ---- tasks/Cat_1/RHEL-08-040200.yml | 33 ------- tasks/Cat_1/RHEL-08-040360.yml | 17 ---- tasks/Cat_1/main.yml | 20 ---- tasks/main.old | 79 ---------------- 19 files changed, 616 deletions(-) delete mode 100644 tasks/Cat_1/RHEL-08-010000.yml delete mode 100644 tasks/Cat_1/RHEL-08-010020.yml delete mode 100644 tasks/Cat_1/RHEL-08-010140_010150.yml delete mode 100644 tasks/Cat_1/RHEL-08-010370.yml delete mode 100644 tasks/Cat_1/RHEL-08-010371.yml delete mode 100644 tasks/Cat_1/RHEL-08-010460.yml delete mode 100644 tasks/Cat_1/RHEL-08-010470.yml delete mode 100644 tasks/Cat_1/RHEL-08-010820.yml delete mode 100644 tasks/Cat_1/RHEL-08-020330.yml delete mode 100644 tasks/Cat_1/RHEL-08-040000.yml delete mode 100644 tasks/Cat_1/RHEL-08-040010.yml delete mode 100644 tasks/Cat_1/RHEL-08-040170.yml delete mode 100644 tasks/Cat_1/RHEL-08-040171.yml delete mode 100644 tasks/Cat_1/RHEL-08-040172.yml delete mode 100644 tasks/Cat_1/RHEL-08-040190.yml delete mode 100644 tasks/Cat_1/RHEL-08-040200.yml delete mode 100644 tasks/Cat_1/RHEL-08-040360.yml delete mode 100644 tasks/Cat_1/main.yml delete mode 100644 tasks/main.old diff --git a/tasks/Cat_1/RHEL-08-010000.yml b/tasks/Cat_1/RHEL-08-010000.yml deleted file mode 100644 index 5b0c9548..00000000 --- a/tasks/Cat_1/RHEL-08-010000.yml +++ /dev/null 
@@ -1,17 +0,0 @@
----
-
-- name: "RHEL-08-010000 | HIGH | AUDIT | The RHEL 8 must be a vendor-supported release."
- debug:
- msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }}
- changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=')
- when:
- - rhel_08_010000
- tags:
- - RHEL-08-010000
- - CAT1
- - CCI-000366
- - SRG-OS-000480-GPOS-00227
- - SV-230221r627750_rule
- - V-230221
-
-
diff --git a/tasks/Cat_1/RHEL-08-010020.yml b/tasks/Cat_1/RHEL-08-010020.yml
deleted file mode 100644
index 0e4cd73d..00000000
--- a/tasks/Cat_1/RHEL-08-010020.yml
+++ /dev/null
@@ -1,127 +0,0 @@ ---- - -- name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." - block: - - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." - dnf: - name: dracut-fips - state: present - notify: rebuild initramfs - when: - - not ansible_fips - - - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" - command: fips-mode-setup --enable - register: rhel_08_010020_kernel_fips_enable - changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 - when: - - not ansible_fips - - - name: "RHEL-08-010020 | HIGH | AUDIT | Check if prelink package is installed" - command: rpm -q prelink - args: - warn: no - changed_when: no - failed_when: no - check_mode: no - register: rhel_08_010020_prelink_installed - - - name: "RHEL-08-010020 | HIGH | PATCH | Disable prelinking." 
- lineinfile: - dest: /etc/sysconfig/prelink - regexp: ^#?PRELINKING - line: PRELINKING=no - when: rhel_08_010020_prelink_installed.rc == 0 - notify: undo existing prelinking - - - name: "RHEL-08-010020 | HIGH | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub - check_mode: no - failed_when: no - changed_when: rhel_08_010020_default_grub_missing_audit.rc > 0 - register: rhel_08_010020_default_grub_missing_audit - - - name: "RHEL-08-010020 | HIGH | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" - command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline - check_mode: no - changed_when: no - failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1 - when: rhel_08_010020_default_grub_missing_audit is changed - register: rhel_08_010020_grub_cmdline_linux_audit - - - name: "RHEL-08-010020 | HIGH | PATCH | Copy over a sane /etc/default/grub" - template: - src: etc_default_grub.j2 - dest: /etc/default/grub - owner: root - group: root - mode: 0644 - vars: - grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" - when: rhel_08_010020_default_grub_missing_audit is changed - - - name: "RHEL-08-010020 | HIGH | PATCH | fips=1 must be in /etc/default/grub" - replace: - path: /etc/default/grub - regexp: "{{ rhel8stig_regexp_quoted_params }}" - replace: "{{ rhel8stig_replace_quoted_params }}" - vars: - key: GRUB_CMDLINE_LINUX - param: fips - value: 1 - append: yes # this is the default - when: - - not ansible_check_mode or - rhel_08_010020_default_grub_missing_audit is not changed - notify: - - confirm grub2 user cfg - - - name: "RHEL-08-010020 | HIGH | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." 
- replace: - path: /etc/default/grub - regexp: "{{ rhel8stig_regexp_quoted_params }}" - replace: "{{ rhel8stig_replace_quoted_params }}" - with_items: - - "{{ ansible_mounts | json_query(query) }}" - vars: - query: "[?mount=='{{ rhel8stig_boot_part }}'] | [0]" - key: GRUB_CMDLINE_LINUX - param: boot - value: UUID={{ item.uuid }} - insert: yes - when: - - rhel8stig_boot_part not in ['/', ''] - - not ansible_check_mode or - rhel_08_010020_default_grub_missing_audit is not changed - notify: confirm grub2 user cfg - register: result - - - name: "RHEL-08-010020 | HIGH | AUDIT | Verify kernel parameters in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub - check_mode: no - with_items: - - fips=1 - - boot=UUID={{ ansible_mounts | json_query(query) }} - vars: - query: "[?mount=='{{ rhel8stig_boot_part }}'].uuid | [0]" - register: rhel_08_010020_audit - when: - - not ansible_check_mode or - rhel_08_010020_default_grub_missing_audit is not changed - - rhel8stig_boot_part not in ['/', ''] or - 'boot=' not in item - changed_when: - - ansible_check_mode - - rhel_08_010020_audit is failed - failed_when: - - rhel_08_010020_audit is failed - - not ansible_check_mode or - rhel_08_010020_audit.rc > 1 - when: rhel_08_010020 - tags: - - RHEL-08-010020 - - CAT1 - - CCI-000068 - - SRG-OS-000033-GPOS-00014 - - SV-230223r627750_rule - - V-230223 diff --git a/tasks/Cat_1/RHEL-08-010140_010150.yml b/tasks/Cat_1/RHEL-08-010140_010150.yml deleted file mode 100644 index 2ffb41c4..00000000 --- a/tasks/Cat_1/RHEL-08-010140_010150.yml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- - -- name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." - "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." - block: - - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" - "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" - lineinfile: - path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg" - create: yes - regexp: ^GRUB2_PASSWORD= - line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}" - owner: root - group: root - mode: 0640 - notify: confirm grub2 user cfg - - - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers" - "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. 
| Set UEFI superusers" - lineinfile: - dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" - regexp: '^set superusers' - line: 'set superusers="{{ rhel8stig_boot_superuser }}"' - insertafter: '### BEGIN /etc/grub.d/01_users ###' - notify: confirm grub2 user cfg - when: - - not system_is_ec2 - - rhel_08_010140 or - rhel_08_010150 - tags: - - RHEL-08-010140 - - RHEL-08-010150 - - CAT1 - - CCI-000213 - - SRG-OS-000080-GPOS-00048 - - SV-230234r627750_rule - - SV-230235r627750_rule - - V-230234 - - V-230235 - - grub - - bootloader diff --git a/tasks/Cat_1/RHEL-08-010370.yml b/tasks/Cat_1/RHEL-08-010370.yml deleted file mode 100644 index 1e5ce8ab..00000000 --- a/tasks/Cat_1/RHEL-08-010370.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- - -- name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." - block: - - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Dnf Default" - lineinfile: - path: /etc/dnf/dnf.conf - regexp: '^gpgcheck=' - line: gpgcheck=1 - - - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos" - find: - paths: /etc/yum.repos.d - pattern: '*.repo' - register: rhel_08_010370_repos_files_list_full - - - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Flatten result" - set_fact: - rhel_08_010370_repos_files_list: "{{ rhel_08_010370_repos_files_list_full.files | map(attribute='path') | flatten }}" - - - name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Set gpgcheck" - lineinfile: - path: "{{ item }}" - regexp: '^gpgcheck' - line: gpgcheck=1 - with_items: - - "{{ rhel_08_010370_repos_files_list }}" - when: - - rhel_08_010370 - tags: - - RHEL-08-010370 - - CAT1 - - CCI-001749 - - SRG-OS-000366-GPOS-00153 - - SV-230264r627750_rule - - V-230264 - - yum diff --git a/tasks/Cat_1/RHEL-08-010371.yml b/tasks/Cat_1/RHEL-08-010371.yml deleted file mode 100644 index c6d8118d..00000000 --- a/tasks/Cat_1/RHEL-08-010371.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: "RHEL-08-010371 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." - lineinfile: - path: /etc/dnf/dnf.conf - regexp: '^localpkg_gpgcheck=' - line: localpkg_gpgcheck=True - when: - - rhel_08_010371 - tags: - - RHEL-08-010371 - - CAT1 - - CCI-001749 - - SRG-OS-000366-GPOS-00153 - - SV-230265r627750_rule - - V-230265 - - dnf diff --git a/tasks/Cat_1/RHEL-08-010460.yml b/tasks/Cat_1/RHEL-08-010460.yml deleted file mode 100644 index 6f0beb01..00000000 --- a/tasks/Cat_1/RHEL-08-010460.yml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- - -- name: "RHEL-08-010460 | HIGH | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system." - file: - path: /etc/ssh/shosts.equiv - state: absent - when: - - rhel_08_010460 - tags: - - RHEL-08-010460 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230283r627750_rule - - V-230283 - - shosts diff --git a/tasks/Cat_1/RHEL-08-010470.yml b/tasks/Cat_1/RHEL-08-010470.yml deleted file mode 100644 index 1b0a82b3..00000000 --- a/tasks/Cat_1/RHEL-08-010470.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system." - block: - - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files" - find: - path: '/' - recurse: yes - patterns: '*.shosts' - register: rhel_08_010470_shost_files - - - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files" - file: - path: "{{ item.path }}" - state: absent - with_items: - - "{{ rhel_08_010470_shost_files.files }}" - when: - - rhel_08_010470 - tags: - - RHEL-08-010470 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230284r627750_rule - - V-230284 - - shosts diff --git a/tasks/Cat_1/RHEL-08-010820.yml b/tasks/Cat_1/RHEL-08-010820.yml deleted file mode 100644 index d091092d..00000000 --- a/tasks/Cat_1/RHEL-08-010820.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: "RHEL-08-010820 | HIGH | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed." - lineinfile: - path: /etc/gdm/custom.conf - regexp: (?i)automaticloginenable - line: AutomaticLoginEnable=false - insertafter: '\[daemon\]' - when: - - rhel8stig_gui - - rhel_08_010820 - tags: - - RHEL-08-010820 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00229 - - SV-230329r627750_rule - - V-230329 
diff --git a/tasks/Cat_1/RHEL-08-020330.yml b/tasks/Cat_1/RHEL-08-020330.yml deleted file mode 100644 index 51e7088e..00000000 --- a/tasks/Cat_1/RHEL-08-020330.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- - -- name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." - block: - - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok" - replace: - path: "{{ item }}" - regexp: ' nullok' - replace: '' - with_items: - - /etc/pam.d/system-auth - - /etc/pam.d/password-auth - - - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Set PermitEmptyPasswords to no" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?PermitEmptyPasswords' - line: 'PermitEmptyPasswords no' - notify: restart sshd - when: - - rhel_08_020330 - - rhel8stig_disruption_high - tags: - - RHEL-08-020330 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230380r627750_rule - - V-230380 - - disruption_high diff --git a/tasks/Cat_1/RHEL-08-040000.yml b/tasks/Cat_1/RHEL-08-040000.yml deleted file mode 100644 index 9e4e3f90..00000000 --- a/tasks/Cat_1/RHEL-08-040000.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- name: "RHEL-08-040000 | HIGH | PATCH | RHEL 8 must not have the telnet-server package installed." - dnf: - name: telnet-server - state: absent - when: - - rhel_08_040000 - - - "'telnet-server' in ansible_facts.packages" - tags: - - RHEL-08-040000 - - CAT1 - - CCI-000381 - - SRG-OS-000095-GPOS-00049 - - SV-230487r627750_rule - - V-230487 diff --git a/tasks/Cat_1/RHEL-08-040010.yml b/tasks/Cat_1/RHEL-08-040010.yml deleted file mode 100644 index 74e2aa18..00000000 --- a/tasks/Cat_1/RHEL-08-040010.yml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- - -- name: "RHEL-08-040010 | HIGH | PATCH | RHEL 8 must not have the rsh-server package installed." - dnf: - name: rsh-server - state: absent - when: - - rhel_08_040010 - - "'rsh-server' in ansible_facts.packages" - tags: - - RHEL-08-040010 - - CAT1 - - CCI-000381 - - SRG-OS-000095-GPOS-00049 - - SV-230492r627750_rule - - V-230492 diff --git a/tasks/Cat_1/RHEL-08-040170.yml b/tasks/Cat_1/RHEL-08-040170.yml deleted file mode 100644 index 27ad2996..00000000 --- a/tasks/Cat_1/RHEL-08-040170.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8." - block: - - name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Mask ctrl-alt-del.target" - systemd: - name: ctrl-alt-del.target - masked: yes - notify: systemctl daemon-reload - - - name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Create symlink to /dev/null" - file: - src: /dev/null - dest: /etc/systemd/system/ctrl-alt-del.target - state: link - notify: systemctl daemon-reload - when: - - rhel_08_040170 - tags: - - RHEL-08-040170 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230529r627750_rule - - V-230529 diff --git a/tasks/Cat_1/RHEL-08-040171.yml b/tasks/Cat_1/RHEL-08-040171.yml deleted file mode 100644 index cbff5791..00000000 --- a/tasks/Cat_1/RHEL-08-040171.yml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- - -- name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." - block: - - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" - command: grep -s logout /etc/dconf/db/local.d/* - changed_when: false - failed_when: false - register: rhel_08_040171_logout_settings_status - - - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Add if missing" - lineinfile: - path: /etc/dconf/db/local.d/00-disable-CAD - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0644 - with_items: - - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' } - - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' } - when: rhel_08_040171_logout_settings_status.stdout | length == 0 - - - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" - replace: - path: "{{ rhel_08_040171_logout_settings_status.stdout }}" - regexp: '^[L|l]ogout=.*' - replace: "logout=''" - when: rhel_08_040171_logout_settings_status.stdout | length > 0 - when: - - rhel_08_040171 - - "'gnome-desktop' in ansible_facts.packages" - tags: - - RHEL-08-040171 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230530r646883_rule - - V-230530 - diff --git a/tasks/Cat_1/RHEL-08-040172.yml b/tasks/Cat_1/RHEL-08-040172.yml deleted file mode 100644 index 2353879d..00000000 --- a/tasks/Cat_1/RHEL-08-040172.yml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- - -- name: "RHEL-08-040172 | HIGH | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled." - lineinfile: - path: /etc/systemd/system.conf - regexp: '^CtrlAltDelBurstAction=|^#CtrlAltDelBurstAction=' - line: CtrlAltDelBurstAction=none - notify: systemctl daemon-reload - when: - - rhel_08_040172 - tags: - - RHEL-08-040172 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230531r627750_rule - - V-230531 diff --git a/tasks/Cat_1/RHEL-08-040190.yml b/tasks/Cat_1/RHEL-08-040190.yml deleted file mode 100644 index 0e0fb3b0..00000000 --- a/tasks/Cat_1/RHEL-08-040190.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: "RHEL-08-040190 | HIGH | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." - dnf: - name: tftp-server - state: absent - when: - - rhel_08_040190 - - "'tftp-server' in ansible_facts.packages" - - not rhel8stig_tftp_required - tags: - - RHEL-08-040190 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230533r627750_rule - - V-230533 - - tftp diff --git a/tasks/Cat_1/RHEL-08-040200.yml b/tasks/Cat_1/RHEL-08-040200.yml deleted file mode 100644 index 07f02c2b..00000000 --- a/tasks/Cat_1/RHEL-08-040200.yml +++ /dev/null 
@@ -1,33 +0,0 @@ ---- - -- name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system." - block: - - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0" - shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" - changed_when: false - failed_when: false - register: rhel_08_040200_nonroot_uid - - - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0" - command: "passwd -l {{ item }}" - with_items: - - "{{ rhel_08_040200_nonroot_uid.stdout_lines }}" - when: rhel_08_040200_nonroot_uid.stdout | length > 0 - - - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked" - debug: - msg: - - "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user" - - " {{ rhel_08_040200_nonroot_uid.stdout_lines }}" - when: rhel_08_040200_nonroot_uid.stdout | length > 0 - when: - - rhel_08_040200 - - rhel8stig_disruption_high - tags: - - RHEL-08-040200 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230534r627750_rule - - V-230534 - - disruption_high diff --git a/tasks/Cat_1/RHEL-08-040360.yml b/tasks/Cat_1/RHEL-08-040360.yml deleted file mode 100644 index 1fc4f9c9..00000000 --- a/tasks/Cat_1/RHEL-08-040360.yml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- - -- name: "RHEL-08-040360 | HIGH | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." - dnf: - name: vsftpd - state: absent - when: - - rhel_08_040360 - - "'vsftpd' in ansible_facts.packages" - tags: - - RHEL-08-040360 - - CAT1 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230558r627750_rule - - V-230558 - - ftp diff --git a/tasks/Cat_1/main.yml b/tasks/Cat_1/main.yml deleted file mode 100644 index 91ffabee..00000000 --- a/tasks/Cat_1/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Include Cat 1 tasks - include: RHEL-08-010000.yml -- include: RHEL-08-010020.yml -- include: RHEL-08-010140_010150.yml -- include: RHEL-08-010370.yml -- include: RHEL-08-010371.yml -- include: RHEL-08-010460.yml -- include: RHEL-08-010470.yml -- include: RHEL-08-010820.yml -- include: RHEL-08-020330.yml -- include: RHEL-08-040000.yml -- include: RHEL-08-040010.yml -- include: RHEL-08-040170.yml -- include: RHEL-08-040171.yml -- include: RHEL-08-040172.yml -- include: RHEL-08-040190.yml -- include: RHEL-08-040200.yml -- include: RHEL-08-040360.yml diff --git a/tasks/main.old b/tasks/main.old deleted file mode 100644 index 9086f6cf..00000000 --- a/tasks/main.old +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -- name: Gather distribution info - setup: - gather_subset: distribution,!all,!min - when: - - ansible_distribution is not defined - tags: - - always - -- name: Check OS version and family - assert: - that: ansible_os_family == 'RedHat' and ansible_distribution_major_version is version_compare('8', '==') - msg: "This role can only be run against RHEL/CENTOS 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - tags: - - always - -- name: Check ansible version - assert: - that: ansible_version.full is version_compare(rhel8stig_min_ansible_version, '>=') - msg: You must use Ansible {{ rhel8stig_min_ansible_version }} or greater - tags: - - always - -- name: Check if using resolv.conf template settings are changed - assert: - that: - - rhel8_stig_resolv_domain != 'example.com' - - rhel8_stig_resolv_search | length > 0 - msg: "You are set to change your resolv.conf file this can be very disruptive if not configured correctly" - - when: - - rhel8_stig_use_resolv_template - - rhel_08_010680 - tags: - - always - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - always - -# - name: Install OpenSCAP and run a report -# import_tasks: audit_oscap_scan_before.yml -# when: rhel8stig_oscap_scan -# tags: -# - oscapreport - -- import_tasks: prelim.yml - become: yes - tags: - - prelim_tasks - -- name: Include CAT I patches - import_tasks: fix-cat1.yml - when: rhel8stig_cat1_patch | bool - tags: - - cat1 - - high - -- name: Include CAT II patches - import_tasks: fix-cat2.yml - when: rhel8stig_cat2_patch | bool - tags: - - cat2 - - medium - -- name: Include CAT III patches - import_tasks: fix-cat3.yml - when: rhel8stig_cat3_patch | bool - tags: - - cat3 - - low - -# - name: run the OpenSCAP reporting tool again -# import_tasks: audit_oscap_scan_after.yml -# when: rhel8stig_oscap_scan -# tags: -# - oscapreport From 4e8ab72c30133ad8cde10be1124f915eb2b07320 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Thu, 19 Aug 2021 15:31:51 +0100 Subject: [PATCH 106/110] updated path Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 61349b0a..807303b9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -64,7 +64,7 @@ - run_audit - name: Include CAT I patches - import_tasks: cat_1/main.yml + import_tasks: fix-cat1.yml when: rhel8stig_cat1_patch tags: - CAT1 From 782c14e126b40ccf4814872969387d77e7e9141d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Aug 2021 16:23:50 +0100 Subject: [PATCH 107/110] updated 010020 conditional & notify Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 2fa3ed7c..84de205f 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -20,15 +20,19 @@ package: name: dracut-fips state: present - notify: rebuild initramfs + notify: + - rebuild initramfs + - change_requires_reboot when: "'dracut-fips' not in ansible_facts.packages" - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" command: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 + notify: change_requires_reboot when: - - ansible_proc_cmdline.fips != '1' + - ansible_proc_cmdline.fips is not defined or + (ansible_proc_cmdline.fips is defined and ansible_proc_cmdline.fips != '1') - name: "RHEL-08-010020 | HIGH | PATCH | Disable prelinking." lineinfile: 
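Review bot: The new `when` on the fips-mode-setup task carries a redundant clause: once `ansible_proc_cmdline.fips is not defined` is false, the right-hand side of the `or` already knows the key exists, so `- ansible_proc_cmdline.fips is not defined or ansible_proc_cmdline.fips != '1'` states the same condition on one line without the parenthesised `is defined and` guard. The `notify: change_requires_reboot` entries added here (two in this hunk, one more in the `@@ -79,6 +83,7 @@` hunk that follows) name a handler that does not appear in the visible part of this series; patch 108 only adds a default variable of that name, so unless a handler with that name exists elsewhere in the role, a task that reports changed will fail at runtime with an unknown-handler error rather than flagging the reboot. The enclosing RHEL-08-010020 block starts and ends outside the hunk.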
@@ -79,6 +83,7 @@ rhel_08_010020_default_grub_missing_audit is not changed notify: - confirm grub2 user cfg + - change_requires_reboot - name: "RHEL-08-010020 | HIGH | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." replace: From b5d587a7a51b57da78b134f88da9edc57b0a9905 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Aug 2021 16:24:09 +0100 Subject: [PATCH 108/110] added default reboot to false & conditional logic Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ tasks/main.yml | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 59bb18f9..ce8ace4d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -45,6 +45,9 @@ system_is_ec2: false # Whether to skip the reboot rhel8stig_skip_reboot: true +# Defined will change if control requires +change_requires_reboot: false + ### Goss is required on the remote host setup_audit: false diff --git a/tasks/main.yml b/tasks/main.yml index 807303b9..2d9830ca 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -96,7 +96,7 @@ - name: reboot system if changes require it and not skipped reboot: when: - - change_requires_reboot | bool + - change_requires_reboot - not rhel8stig_skip_reboot - name: Warning a reboot required but skip option set @@ -104,6 +104,7 @@ msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: + - change_requires_reboot - rhel8stig_skip_reboot tags: - CAT1 From ee2d4e97d55c9ffde782d6ec047cd91ab84bc4f0 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 19 Aug 2021 12:27:29 -0400 Subject: [PATCH 109/110] updated readme Signed-off-by: George Nalen --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f3697be4..9cbbfb9d 100644 --- a/README.md +++ b/README.md 
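Review bot: The comment above the new `change_requires_reboot: false` default (`# Defined will change if control requires`) does not tell a reader that this is an internal flag rather than a user-facing option, which matters because `defaults/main.yml` is the file users are told to edit. The tasks/main.yml hunks in this same commit show its actual role: it gates the `reboot` task together with `rhel8stig_skip_reboot`. A comment such as `# Internal flag, not a user option: becomes true when a control that needs a reboot reports changed; rhel8stig_skip_reboot decides whether the reboot then runs.` would make that explicit.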
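Review bot: Dropping `| bool` from the reboot condition in `@@ -96,7 +96,7 @@`, and adding the bare `- change_requires_reboot` in `@@ -104,6 +104,7 @@`, makes the reboot gating depend on the variable's runtime type. A value set from within the role is presumably a real boolean, but an operator override passed as `-e change_requires_reboot=false` arrives as a string, and depending on the Ansible version's handling of bare variables a non-empty string can evaluate as truthy, which on a host with `rhel8stig_skip_reboot: false` would trigger an unintended reboot. Keeping the filter costs nothing: `- change_requires_reboot | bool` in both places. The surrounding tasks begin outside the hunks.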
@@ -1,11 +1,13 @@ RHEL 8 DISA STIG ================ -[![pipeline status](https://gitlab.com/mindpointgroup/lockdown-enterprise/rhel-8-stig/badges/master/pipeline.svg)](https://gitlab.com/mindpointgroup/lockdown-enterprise/rhel-8-stig/commits/master) +![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) +![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic) +![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-STIG?style=plastic) Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`. -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 1 released on January 5, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R1_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 2 released on April 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R2_STIG.zip). Requirements ------------ From 0bf53e5734bc628bfdaf1daf60b129ac69c8ee09 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 19 Aug 2021 13:27:30 -0400 Subject: [PATCH 110/110] Updated to finalized README Signed-off-by: George Nalen --- README.md | 157 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 98 insertions(+), 59 deletions(-) diff --git a/README.md b/README.md index 9cbbfb9d..9907b1d6 100644 --- a/README.md +++ b/README.md 
@@ -9,10 +9,52 @@ Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audite This role is based on RHEL 8 DISA STIG: [Version 1, Rel 2 released on April 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R2_STIG.zip). +Updating +-------- + +Coming from a previous release. + +As with all releases and updates, It is suggested to test and align controls. +This contains rewrites and ID reference changes as per STIG documentation. + +Auditing (new) +-------------- + +This can be turned on or off within the defaults/main.yml file with the variable rhel8stig_run_audit. The value is false by default, please refer to the wiki for more details. + +This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. + +A new form of auditing has been develeoped, by using a small (12MB) go binary called [goss](https://github.com/aelsabbahy/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. +This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. + +Refer to [RHEL8-STIG-Audit](https://github.com/ansible-lockdown/RHEL8-STIG-Audit). + Requirements ------------ RHEL 8 or CentOS 8 - Other versions are not supported. +Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system. 
+ +**General:** + +- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible + + - [Main Ansible documentation page](https://docs.ansible.com) + - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) + - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) + - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) +- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables). + +Documentation +------------- + +- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL8-STIG/) +- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) +- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) +- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) +- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) +- [Wiki](https://github.com/ansible-lockdown/RHEL8-STIG/wiki) Dependencies ------------ 
@@ -29,62 +71,59 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat Role Variables -------------- -- some found below -- please refer to defaults/main.yml for a full breakdown - -| Name | Default Value | Description | -|-------------------|---------------------|----------------------| -| `rhel8stig_oscap_scan` | `no` | Install and run an OpenSCAP report before and after the application of this role | -| `rhel8stig_cat1_patch` | `yes` | Correct CAT I findings | -| `rhel8stig_cat2_patch` | `yes` | Correct CAT II findings | -| `rhel8stig_cat3_patch` | `yes` | Correct CAT III findings | -| `rhel_08_######` | [see defaults/main.yml](./defaults/main.yml) | Individual variables to enable/disable each STIG ID. | -| `rhel8stig_gui` | `no` | Whether or not to run tasks related to auditing/patching the desktop environment | -| `rhel8stig_system_is_router` | `no` | Run tasks that disable router functions. | -| `rhel8stig_time_service` | `chronyd` | Set to `ntpd` or `chronyd`. | -| `rhel8stig_firewall_service` | `firewalld` | Set to `firewalld` or `iptables`. | -| `rhel8stig_tftp_required` | `no` | If set to `no`, remove `tftp` client and server packages. | -| `rhel8stig_bootloader_password` | `Boot1tUp!` | GRUB2 bootloader password. This should be stored in an Ansible Vault. | -| `rhel8stig_boot_superuser` | `root` | Used to set the boot superuser in the GRUB2 config. | -| `rhel8stig_aide_cron` | [see defaults/main.yml](./defaults/main.yml) | AIDE Cron settings | -| `rhel8stig_maxlogins` | `10` | Set maximum number of simultaneous system logins (RHEL-07-040000) | -| `rhel8stig_logon_banner` | [see defaults/main.yml](./defaults/main.yml) | Logon banner displayed when logging in to the system. Defaults to nicely formatted standard logon banner. 
| -| `rhel8stig_password_complexity` | see below for specific settings | Dictionary of password complexity settings | -| `rhel8stig_password_complexity.ucredit` | `-1` | Minimum number of upper-case characters to be set in a new password - expressed as a negative number. | -| `rhel8stig_password_complexity.lcredit` | `-1` | Minimum number of lower-case characters to be set in a new password - expressed as a negative number. | -| `rhel8stig_password_complexity.dcredit` | `-1` | Minimum number of numeric characters to be set in a new password - expressed as a negative number. | -| `rhel8stig_password_complexity.ocredit` | `-1` | Minimum number of special characters to be set in a new password - expressed as a negative number. | -| `rhel8stig_password_complexity.difok` | `8` | Minimum number of characters in new password that must not be present in the old password. | -| `rhel8stig_password_complexity.minclass` | `4` | Minimum number of required classes of characters for the new password. (digits, upper, lower, other) | -| `rhel8stig_password_complexity.maxrepeat` | `3` | Maximum number of allowed same consecutive characters in a new password. | -| `rhel8stig_password_complexity.maxclassrepeat` | `4` | Maximum number of allowed same consecutive characters in the same **class** in the new password. | -| `rhel8stig_password_complexity.minlen` | `15` | Minimum number of characters in a new password. | -| `rhel8stig_sssd_conf` | [see defaults/main.yml](./defaults/main.yml) | Default location for sssd.conf | -| `rhel8stig_sssd_domain` | testing.test | Domain to be used in sssd | -| `rhel8stig_sssd.certmap` | certmap/{{ rhel8stig_sssd_domain }}/rule_name | certmap rule for sssd | -| `rhel8stig_sssd.matchrule` | =.*EDIPI@mil | match rule in relationship to domain e.g. 
CN etc | -| `rhel8stig_sssd.maprule` | (userCertificate;binary={cert!bin}) | map cert auth requirements into sssd rule | -| `rhel8stig_sssd.domains` | testing.test | comma seperated list of domains using sssd | -| `rhel8stig_shell_session_timeout` | `file: /etc/profile` `timeout: 600` | Dictionary of session timeout setting and file (TMOUT setting can be set in multiple files) | -| `rhel8stig_interactive_uid_start` | `1000` | Interactive user start point (UID_MIN) from /etc/login.defs | -| `rhel8stig_ntp_server_name: server.name` | `server.name` | The NTP Server Name | -| `rhel8stig_custom_firewall_zone` | `new_fw_zone` | The name of the new firewalld zone created to meet STIG requirements | -| `rhel8stig_fapolicy_white_list` | `LIST` | This is a list of the whitelist for the fapolicy controls, must end with deny all all | -| `rhel8stig_sshd_compression` | `no` | The Compression parameter in /etc/ssh/sshd_config needs to be set to no or delayed | -| `rhel8stig_path_to_sshkey` | `/root/.ssh/` | Custom path to the ssh key | -| `rhel8stig_hashing_rounds` | `5000` | The rounds parameter goes into pamd configs and needs to be set to now lower than 5000 | -| `rhel8stig_dns_servers` | `8.8.8.8 and 8.8.4.4` | To conform to STIG standards you need two DNS servers, parameter is in list form | -| `rhel8stig_nfs_mounts` | `vars` | NFS file system mounts pull automatcially with prelim task | -| `rhel8stig_nfs_mounts_query` | `[?starts_with(fstype, 'nfs')].mount` | The query for mounts | -| `rhel8stig_skip_reboot` | `true` | Whether or not to skip the reboot | - - -Example Playbook ----------------- - - - hosts: servers - roles: - - role: rhel-8-stig - when: - - ansible_os_family == 'RedHat' - - ansible_distribution_major_version | version_compare('8', '=') +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. 
These variables can be found [here](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. + +Tags +---- + +There are many tags available for added control precision. Each control has it's own set of tags noting the control number as well as what parts of the system that control addresses. + +Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag ssh, this task will be skipped. The +opposite can also happen where you run only controls tagged with ssh. + +```sh +tags: + - RHEL-08-010050 + - ssh + - dod_logon_banner +``` + +Example Audit Summary +--------------------- + +This is based on a vagrant image with selections enabled. e.g. No Gui or firewall. +Note: More tests are run during audit as we check config and running state. + +```sh +ok: [rhel8test] => { + "msg": [ + "The pre remediation results are: Count: 308, Failed: 156, Duration: 44.108s.", + "The post remediation results are: Count: 308, Failed: 14, Duration: 37.647s.", + "Full breakdown can be found in /var/tmp", + "" + ] +} + ] +} +PLAY RECAP **************************************************************************************************************** +rhel8test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 rescued=0 ignored=0 +``` + +Branches +------- + +- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch +- **main** - This is the release branch +- **reports** - This is a protected branch for our scoring reports, no code should ever go here +- **gh_pages** - github pages +- **all other branches** - Individual community member branches + +Community Contribution +---------------------- + +We encourage you (the community) to contribute to this role. Please read the rules below. + +- Your work is done in your own individual branch. 
Make sure to Signed-off and GPG sign all commits you intend to merge. +- All community Pull Requests are pulled into the devel branch +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release.