Merge pull request #6 from ansible-lockdown/georgenalen

Changes for RHEL8 STIG Release
Signed-off-by: George Nalen <[email protected]>

README.md

@@ -5,7 +5,7 @@ RHEL 8 DISA STIG
 
 Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`.
 
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel .01 released on May 11, 2020](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R0-1_IDraftSTIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 1, Rel 1 released on  January 5, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R1_STIG.zip).
 
 Requirements
 ------------

defaults/main.yml

@@ -49,40 +49,41 @@ system_is_ec2: false
 # CAT 1 rules
 rhel_08_010000: true
 rhel_08_010020: true
-rhel_08_010030: true
 rhel_08_010140: true
 rhel_08_010150: true
-rhel_08_010170: true
 rhel_08_010370: true
-rhel_08_010450: true
+rhel_08_010371: true
 rhel_08_010460: true
 rhel_08_010470: true
 rhel_08_010820: true
-rhel_08_010830: true
 rhel_08_020330: true
 rhel_08_040000: true
 rhel_08_040010: true
 rhel_08_040060: true
 rhel_08_040170: true
-rhel_08_040180: true
+rhel_08_040171: true
+rhel_08_040172: true
 rhel_08_040190: true
 rhel_08_040200: true
-rhel_08_040340: true
 rhel_08_040360: true
 
 # CAT 2 rules
 rhel_08_010010: true
+rhel_08_010030: true
 rhel_08_010040: true
 rhel_08_010050: true
 rhel_08_010060: true
 rhel_08_010070: true
-rhel_08_010080: true
 rhel_08_010090: true
 rhel_08_010100: true
 rhel_08_010110: true
 rhel_08_010120: true
 rhel_08_010130: true
+rhel_08_010151: true
 rhel_08_010160: true
+rhel_08_010161: true
+rhel_08_010162: true
+rhel_08_010170: true
 rhel_08_010180: true
 rhel_08_010190: true
 rhel_08_010200: true
@@ -92,31 +93,45 @@ rhel_08_010230: true
 rhel_08_010240: true
 rhel_08_010250: true
 rhel_08_010260: true
-rhel_08_010270: true
-rhel_08_010280: true
 rhel_08_010290: true
+rhel_08_010291: true
+rhel_08_010293: true
+rhel_08_010294: true
+rhel_08_010295: true
 rhel_08_010300: true
 rhel_08_010310: true
 rhel_08_010320: true
 rhel_08_010330: true
 rhel_08_010340: true
 rhel_08_010350: true
 rhel_08_010360: true
-# !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO
+rhel_08_010372: true
+rhel_08_010373: true
+rhel_08_010374: true
+# !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO (380/381)
 rhel_08_010380: false
+rhel_08_010381: false
 rhel_08_010390: true
 rhel_08_010400: true
 rhel_08_010410: true
 rhel_08_010420: true
+rhel_08_010421: true
+rhel_08_010422: true
+rhel_08_010423: true
 rhel_08_010430: true
+rhel_08_010450: true
 rhel_08_010480: true
 rhel_08_010490: true
 rhel_08_010500: true
 rhel_08_010510: true
 rhel_08_010520: true
+rhel_08_010521: true
+rhel_08_010543: true
 rhel_08_010550: true
 rhel_08_010560: true
+rhel_08_010561: true
 rhel_08_010570: true
+rhel_08_010571: true
 rhel_08_010580: true
 rhel_08_010590: true
 rhel_08_010600: true
@@ -127,7 +142,12 @@ rhel_08_010640: true
 rhel_08_010650: true
 rhel_08_010660: true
 rhel_08_010670: true
-rhel_08_010680: false
+rhel_08_010671: true
+rhel_08_010672: true
+rhel_08_010673: true
+rhel_08_010674: true
+rhel_08_010675: true
+rhel_08_010680: true
 rhel_08_010690: true
 rhel_08_010700: true
 rhel_08_010710: true
@@ -140,11 +160,25 @@ rhel_08_010770: true
 rhel_08_010780: true
 rhel_08_010790: true
 rhel_08_010800: true
-rhel_08_010810: true
+rhel_08_010830: true
 rhel_08_020000: true
 rhel_08_020010: true
+rhel_08_020011: true
+rhel_08_020012: true
+rhel_08_020013: true
+rhel_08_020014: true
+rhel_08_020015: true
+rhel_08_020016: true
+rhel_08_020017: true
+rhel_08_020018: true
+rhel_08_020019: true
+rhel_08_020020: true
+rhel_08_020021: true
+rhel_08_020022: true
+rhel_08_020023: true
 rhel_08_020030: true
 rhel_08_020040: true
+rhel_08_020041: true
 rhel_08_020050: true
 rhel_08_020060: true
 rhel_08_020070: true
@@ -164,6 +198,7 @@ rhel_08_020200: true
 rhel_08_020210: true
 rhel_08_020220: true
 rhel_08_020230: true
+rhel_08_020231: true
 rhel_08_020240: true
 rhel_08_020250: true
 rhel_08_020260: true
@@ -174,25 +209,33 @@ rhel_08_020300: true
 rhel_08_020310: true
 rhel_08_020320: true
 rhel_08_020350: true
+rhel_08_020351: true
+rhel_08_020352: true
+rhel_08_020353: true
 rhel_08_030000: true
 rhel_08_030010: true
 rhel_08_030020: true
 rhel_08_030030: true
 rhel_08_030040: true
 rhel_08_030050: true
 rhel_08_030060: true
+rhel_08_030061: true
+rhel_08_030062: true
 rhel_08_030070: true
 rhel_08_030080: true
 rhel_08_030090: true
 rhel_08_030100: true
 rhel_08_030110: true
-### When logs folder is set to 600 per STIG auditd fails to start. Need to figure out perms
 rhel_08_030120: true
+rhel_08_030121: true
+rhel_08_030122: true
 rhel_08_030130: true
 rhel_08_030140: true
 rhel_08_030150: true
 rhel_08_030160: true
 rhel_08_030170: true
+rhel_08_030171: true
+rhel_08_030172: true
 rhel_08_030180: true
 rhel_08_030190: true
 rhel_08_030200: true
@@ -206,12 +249,26 @@ rhel_08_030270: true
 rhel_08_030280: true
 rhel_08_030290: true
 rhel_08_030300: true
+rhel_08_030301: true
+rhel_08_030302: true
 rhel_08_030310: true
+rhel_08_030311: true
+rhel_08_030312: true
+rhel_08_030313: true
+rhel_08_030314: true
+rhel_08_030315: true
+rhel_08_030316: true
+rhel_08_030317: true
 rhel_08_030320: true
 rhel_08_030330: true
 rhel_08_030340: true
 rhel_08_030350: true
 rhel_08_030360: true
+rhel_08_030361: true
+rhel_08_030362: true
+rhel_08_030363: true
+rhel_08_030364: true
+rhel_08_030365: true
 rhel_08_030370: true
 rhel_08_030380: true
 rhel_08_030390: true
@@ -240,7 +297,6 @@ rhel_08_030610: true
 rhel_08_030620: true
 rhel_08_030630: true
 rhel_08_030640: true
-# !!!!!!!!!---------- handlers are overwriting the config change for this item
 rhel_08_030650: true
 rhel_08_030660: true
 rhel_08_030670: true
@@ -251,45 +307,99 @@ rhel_08_030710: true
 rhel_08_030720: true
 rhel_08_030730: true
 rhel_08_030740: true
+rhel_08_040001: true
+rhel_08_040002: true
+rhel_08_040003: true
 rhel_08_040020: true
 rhel_08_040030: true
-rhel_08_040040: true
-rhel_08_040050: true
 rhel_08_040070: true
 rhel_08_040080: true
 rhel_08_040090: true
 rhel_08_040100: true
 rhel_08_040110: true
+rhel_08_040111: true
 rhel_08_040120: true
+rhel_08_040121: true
+rhel_08_040122: true
+rhel_08_040123: true
+rhel_08_040124: true
+rhel_08_040125: true
+rhel_08_040126: true
+rhel_08_040127: true
+rhel_08_040128: true
+rhel_08_040129: true
 rhel_08_040130: true
+rhel_08_040131: true
+rhel_08_040132: true
+rhel_08_040133: true
+rhel_08_040134: true
+rhel_08_040135: true
 rhel_08_040140: true
 rhel_08_040150: true
 rhel_08_040160: true
+rhel_08_040161: true
+rhel_08_040162: true
+rhel_08_040180: true
 rhel_08_040210: true
 rhel_08_040220: true
 rhel_08_040230: true
 rhel_08_040240: true
 rhel_08_040250: true
 rhel_08_040260: true
+rhel_08_040261: true
+rhel_08_040262: true
 rhel_08_040270: true
 rhel_08_040280: true
+rhel_08_040281: true
+rhel_08_040282: true
+rhel_08_040283: true
+rhel_08_040284: true
+rhel_08_040285: true
 rhel_08_040290: true
 rhel_08_040320: true
 rhel_08_040330: true
+rhel_08_040340: true
+rhel_08_040341: true
 rhel_08_040350: true
+rhel_08_040370: true
+rhel_08_040380: true
+rhel_08_040390: true
 
 # CAT 3 rules
+rhel_08_010171: true
+rhel_08_010292: true
+rhel_08_010375: true
+rhel_08_010376: true
 rhel_08_010440: true
-rhel_08_010530: true
+rhel_08_010471: true
 rhel_08_010540: true
-rhel_08_020020: true
+rhel_08_010541: true
+rhel_08_010542: true
+rhel_08_020024: true
+rhel_08_020042: true
 rhel_08_020340: true
+rhel_08_030063: true
+rhel_08_030601: true
+rhel_08_030602: true
+rhel_08_030603: true
+rhel_08_030741: true
+rhel_08_030742: true
+rhel_08_040004: true
+rhel_08_040021: true
+rhel_08_040022: true
+rhel_08_040023: true
+rhel_08_040024: true
+rhel_08_040025: true
+rhel_08_040026: true
 rhel_08_040300: true
 rhel_08_040310: true
 
 # Whether or not to run tasks related to auditing/patching the desktop environment
 rhel8stig_gui: false
 
+# Whether or not you need kdump. False will disable service and true will leave service
+rhel8stig_kdump_needed: false
+
 # Whether to configure dconf rules unconditionally (ignoring presence of dconf
 # or rhel8stig_gui)
 rhel8stig_always_configure_dconf: false
@@ -444,13 +554,15 @@ rhel8stig_pam_pwhistory:
     remember: 5
     retries: 3
 
-# RHEL-08-010320
-# RHEL-08-010330
+# RHEL-08-020010
+# RHEL-08-020011
+# RHEL-08-020012
+# RHEL-08-020013
 # pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes.
 rhel8stig_pam_faillock:
     attempts: 3
     interval: 900
-    unlock_time: 900
+    unlock_time: 0
     fail_for_root: yes
 
 # RHEL-08-030670
@@ -493,7 +605,9 @@ rhel8stig_login_defaults:
     create_home: 'yes'
 
 # RHEL-08-030690 uncomment and set the value to a remote IP address that can receive audit logs
-rhel8stig_audisp_remote_server: 10.10.10.10
+rhel8stig_remotelog_server:
+    server: 10.10.10.10
+    port: 9999
 
 # RHEL-08-030020
 rhel8stig_auditd_mail_acct: root
@@ -531,8 +645,8 @@ rhel8stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount"
 
 # RHEL-08-010680
 rhel8stig_dns_servers:
-    - 9.9.9.9
-    - 149.112.112.112
+    - 8.8.8.8
+    - 8.8.4.4
 
 rhel8stig_int_gid: 1000
 
@@ -569,4 +683,25 @@ rhel8stig_custom_firewall_zone: "new_fw_zone"
 rhel8stig_white_list_services:
     - http
     - https
-    - ssh
+    - ssh
+
+# RHEL-08-010290
+# RHEL-08-010290
+# This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file
+# to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256
+# to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr
+rhel8stig_ssh_macs_settings: "[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,hmac-sha2-512
+GSSAPIKeyExchange no"
+# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting
+# to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings
+# to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
+rhel8stig_ssh_server_crypto_settings: "[email protected],aes256-ctr,aes192-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected] -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected] -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512"
+
+# RHEL-08-010295
+# This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions
+# to conform to STIG standards this variable must contain -VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
+rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0"
+
+# RHEL-08-020070
+# This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less
+rhel8stig_tmux_lock_after_time: 900