From 993b87ff8af8421a09582a79697efc6196cc4be9 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 24 Aug 2021 11:24:05 -0400
Subject: [PATCH 01/11] Added the dir= back into pam.d settings but made it a var since control text is wrong

Signed-off-by: George Nalen
---
 defaults/main.yml | 2 ++
 tasks/fix-cat2.yml | 58 +++++++++++++++---------------
 templates/ansible_vars_goss.yml.j2 | 1 +
 3 files changed, 32 insertions(+), 29 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index ce8ace4d..e8700ea9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -601,11 +601,13 @@ rhel8stig_pam_pwhistory:
 # RHEL-08-020012
 # RHEL-08-020013
 # pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes.
+# dir: is set to /var/run/faillock which does not match the control. We think the control is a typo since their path does not work with SELinux, so we variablized the value
 rhel8stig_pam_faillock:
 attempts: 3
 interval: 900
 unlock_time: 0
 fail_for_root: yes
+ dir: /var/run/faillock

 # RHEL-08-030670
 # rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 72a15a8b..c7bba365 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -2211,7 +2211,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2222,7 +2222,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2256,7 +2256,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2267,7 +2267,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2307,7 +2307,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2318,7 +2318,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2352,7 +2352,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2363,7 +2363,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2406,7 +2406,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
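Review bot: The new preauth line in the hunk at -2406 still carries the pre-existing typo `nlock_time=` where pam_faillock expects `unlock_time=`; pam_faillock logs an unknown option and ignores it, so the intended `unlock_time=0` (locked until an administrator releases the account) never takes effect on these lines and the module's built-in 600-second default applies instead. The same typo is carried into the new lines of the hunks at -2417, -2505, -2516, -2604, -2615, -2703 and -2714, while the hunks from -2211 through -2363 spell it correctly. Since the commit rewrites every one of these lines anyway, this is the moment to fix them: `... fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"` on the preauth lines and `... authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'` on the authfail lines. Because each task keys on `regexp: '^auth required pam_faillock.so preauth'` (or `authfail`), the corrected line replaces the broken one on the next run instead of being appended beside it.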
@@ -2417,7 +2417,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2451,7 +2451,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2462,7 +2462,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2505,7 +2505,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2516,7 +2516,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2550,7 +2550,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2561,7 +2561,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2583,7 +2583,7 @@
 lineinfile:
 path: "/etc/security/faillock.conf"
 regexp: '^dir =|^\# dir ='
- line: "dir = /var/log/faillock"
+ line: "dir = {{ rhel8stig_pam_faillock.dir }}"
 with_items:
 - system-auth
 - password-auth
@@ -2604,7 +2604,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2615,7 +2615,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
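Review bot: The hunk at -2583 now templates `line: "dir = {{ rhel8stig_pam_faillock.dir }}"` into the fixed `path: "/etc/security/faillock.conf"`, yet the task still loops `with_items:` over `system-auth` and `password-auth` without ever using `item`, so it rewrites the same file twice per run. Dropping the `with_items:` and its two entries removes the redundant second pass; the `regexp: '^dir =|^\# dir ='` can stay as it is. The enclosing task's `name:` and `when:` lie outside the hunk.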
@@ -2649,7 +2649,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2660,7 +2660,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2703,7 +2703,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2714,7 +2714,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2748,7 +2748,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2759,7 +2759,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2802,7 +2802,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2813,7 +2813,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2847,7 +2847,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2858,7 +2858,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so authfail'
- line: 'auth required pam_faillock.so authfail unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+ line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
 insertafter: '^auth'
 notify: restart sssd
 with_items:
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index d30d1f75..67750aff 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -434,3 +434,4 @@ rhel8stig_remotelog_server: {{ rhel8stig_remotelog_server.server }}
 rhel8stig_remotelog_port: {{ rhel8stig_remotelog_server.port }}

 # RHEL_08_040260-62
+rhel8stig_system_is_router: {{ rhel8stig_system_is_router }}

From 65db4824d21ae4e1b54518836577fae4b6a36700 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 24 Aug 2021 11:32:35 -0400
Subject: [PATCH 02/11] Updated goss vars file for new variable

Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 2 +-
 templates/ansible_vars_goss.yml.j2 | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index c7bba365..34431709 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -2796,7 +2796,7 @@
 - V-230343
 - pamd

-- name: "MEDIUM | RHEL-08-020022| PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
+- name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
 block:
 - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
 lineinfile:
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index 67750aff..f4e3ca28 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -435,3 +435,20 @@ rhel8stig_remotelog_port: {{ rhel8stig_remotelog_server.port }}

 # RHEL_08_040260-62
 rhel8stig_system_is_router: {{ rhel8stig_system_is_router }}
+
+# RHEL-08-020010
+# RHEL-08-020011
+# RHEL-08-020012
+# RHEL-08-020013
+# RHEL-08-020014
+# RHEL-08-020015
+# RHEL-08-020016
+# RHEL-08-020017
+# RHEL-08-020018
+# RHEL-08-020019
+# RHEL-08-020020
+# RHEL-08-020021
+# RHEL-08-020022
+# RHEL-08-020023
+rhel8stig_pam_faillock:
+ dir: /var/run/faillock

From 809df938a88ed1323b663f5cd45af7d9909fdc7f Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 24 Aug 2021 11:36:34 -0400
Subject: [PATCH 03/11] Adjusted pam_faillock_dir var

Signed-off-by: George Nalen
---
 templates/ansible_vars_goss.yml.j2 | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index f4e3ca28..ab334cee 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -450,5 +450,4 @@ rhel8stig_system_is_router: {{ rhel8stig_system_is_router }}
 # RHEL-08-020021
 # RHEL-08-020022
 # RHEL-08-020023
-rhel8stig_pam_faillock:
- dir: /var/run/faillock
+rhel8stig_pam_faillock_dir: {{ rhel8stig_pam_faillock.dir }}

From ca301337d47f3146b323cbfbb346f3c3d00195da Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 24 Aug 2021 13:48:53 -0400
Subject: [PATCH 04/11] Updated pam_faillock dir var default value and updated 030590 to use the var

Signed-off-by: George Nalen
---
 defaults/main.yml | 2 +-
 tasks/fix-cat2.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index e8700ea9..7da7693c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -607,7 +607,7 @@ rhel8stig_pam_faillock:
 interval: 900
 unlock_time: 0
 fail_for_root: yes
- dir: /var/run/faillock
+ dir: /var/log/faillock

 # RHEL-08-030670
 # rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 34431709..882a8390 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -5319,7 +5319,7 @@
 - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
 lineinfile:
 path: /etc/audit/rules.d/audit.rules
- line: -w /var/log/faillock -p wa -k logins
+ line: "-w {{ rhel8stig_pam_faillock.dir }} -p wa -k logins"
 notify: restart auditd
 when:
 - rhel_08_030590

From 74088c0f4d7c65bc8b4cbe6efed42286e1aaf35f Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 24 Aug 2021 13:52:01 -0400
Subject: [PATCH 05/11] updated pam faillock var comments

Signed-off-by: George Nalen
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 7da7693c..69d1f899 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
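Review bot: The new `line: "-w {{ rhel8stig_pam_faillock.dir }} -p wa -k logins"` in the hunk at -5319 is written by a `lineinfile` with no `regexp:`, so the task only looks for the exact rendered line: if `rhel8stig_pam_faillock.dir` is changed after a run, the old `-w /var/log/faillock -p wa -k logins` stays in audit.rules, a second watch is appended, and auditd keeps watching a directory pam no longer writes to. Keying the task on the previous watch, e.g. `regexp: '^-w \S*/faillock -p wa -k logins'`, makes it replace rather than accumulate (the key alone is not enough, since other rules in this file are likely to share `-k logins`). The task's `tags:` lie outside the hunk.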
@@ -601,7 +601,7 @@ rhel8stig_pam_pwhistory:
 # RHEL-08-020012
 # RHEL-08-020013
 # pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes.
-# dir: is set to /var/run/faillock which does not match the control. We think the control is a typo since their path does not work with SELinux, so we variablized the value
+# dir: is set to /var/log/faillock which is the non-default folder. Control 020017 states to not use the standard directory which is /var/run/faillock
 rhel8stig_pam_faillock:
 attempts: 3
 interval: 900

From ddb2560da6052ab398f8e1e845742422c15633f9 Mon Sep 17 00:00:00 2001
From: George Nalen <57152366+georgenalen@users.noreply.github.com>
Date: Wed, 25 Aug 2021 06:24:26 -0700
Subject: [PATCH 06/11] Added issue templates

Signed-off-by: George Nalen
---
 .github/ISSUE_TEMPLATE/bug_report.md | 32 +++++++++++++++++++
 .../feature-request-or-enhancement.md | 21 ++++++++++++
 .github/ISSUE_TEMPLATE/question.md | 17 ++++++++++
 3 files changed, 70 insertions(+)
 create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
 create mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
 create mode 100644 .github/ISSUE_TEMPLATE/question.md

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 00000000..3a19c72b
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,32 @@
+---
+name: Report Issue
+about: Create a bug issue ticket to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Issue**
+A clear and concise description of what the bug is.
+
+**Expected Behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual Behavior**
+A clear and concise description of what's happening.
+
+**Control(s) Affected**
+What controls are being affected by the issue
+
+**Environment (please complete the following information):**
+ - Ansible Version: [e.g. 2.10]
+ - Host Python Version: [e.g. Python 3.7.6]
+ - Ansible Server Python Version: [e.g. Python 3.7.6]
+ - Additional Details:
+
+**Additional Notes**
+Anything additional goes here
+
+**Possible Solution**
+Enter a suggested fix here
diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
new file mode 100644
index 00000000..bf457005
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
@@ -0,0 +1,21 @@
+---
+name: Feature Request or Enhancement
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Feature Request or Enhancement**
+ - Feature []
+ - Enhancement []
+
+**Summary of Request**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Suggested Code**
+Please provide any code you have in mind to fulfill the request
diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
new file mode 100644
index 00000000..cbab6e73
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -0,0 +1,17 @@
+---
+name: Question
+about: Ask away.......
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Question**
+Pose question here.
+
+**Environment (please complete the following information):**
+ - Ansible Version: [e.g. 2.10]
+ - Host Python Version: [e.g. Python 3.7.6]
+ - Ansible Server Python Version: [e.g. Python 3.7.6]
+ - Additional Details:

From 1cb6e1170534067ca90e1f5647c45bfce13d3d7c Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 26 Aug 2021 15:14:34 -0400
Subject: [PATCH 07/11] Issue #46 fix to 010471

Signed-off-by: George Nalen
---
 tasks/fix-cat3.yml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml
index 9047ba54..297fac70 100644
--- a/tasks/fix-cat3.yml
+++ b/tasks/fix-cat3.yml
@@ -125,10 +125,19 @@
 - V-230281

 - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service."
- systemd:
- name: rngd.service
- state: started
- enabled: yes
+ block:
+ - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service. | Check for the rng-tools package"
+ shell: rpm -q rng-tools
+ changed_when: false
+ failed_when: false
+ register: rhel_08_010471_rng_tools_status
+
+ - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service. | Enable and start service"
+ systemd:
+ name: rngd.service
+ state: started
+ enabled: yes
+ when: "'rng-tools-' in rhel_08_010471_rng_tools_status.stdout"
 when:
 - rhel_08_010471
 tags:

From 929428d0ec3506b3c33fe0c1436e32f7f58d728c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 27 Aug 2021 11:55:51 +0100
Subject: [PATCH 08/11] 20017 prelim for faillock dir selinux context

Signed-off-by: Mark Bolwell
---
 tasks/prelim.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index f682f16c..477794a4 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -408,3 +408,34 @@
 msg:
 - "bootloader path set to {{ rhel8stig_bootloader_path }}"
 - "legacy boot equals {{ rhel8stig_legacy_boot }}"
+
+- name: "PRELIM | RHEL-08-020017 | If using selinux set up system prereqs"
+ block:
+ - name: "PRELIM | RHEL-08-020017 | Install policycoreutils-python-utils"
+ package:
+ name: policycoreutils-python-utils
+ state: present
+ when: "'policycoreutils-python-utils' not in ansible_facts.packages"
+
+ - name: "PRELIM | RHEL-08-020017 | create faillock dir if rhel_08_020017"
+ file:
+ path: "{{ rhel8stig_pam_faillock.dir }}"
+ state: directory
+ mode: 0755
+ owner: root
+ group: root
+
+ - name: "PRELIM | RHEL-08-020017 | Set faillock directory context"
+ sefcontext:
+ target: "{{ rhel8stig_pam_faillock.dir }}"
+ ftype: d
+ setype: faillog_t
+ seuser: system_u # not really required added for continuity
+ state: present
+ register: faillock_dir_context
+
+ - name: "PRELIM | RHEL-08-020017 | Set faillock directory selinux context immediately"
+ shell: "restorecon -irv {{ rhel8stig_pam_faillock.dir }}"
+ when: faillock_dir_context.changed
+ when:
+ - rhel_08_020017

From 422235e5f09c839e17df61a494facc1c0e2ce92f Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 27 Aug 2021 14:26:52 +0100
Subject: [PATCH 09/11] added prelim step for faillock directory

Signed-off-by: Mark Bolwell
---
 tasks/prelim.yml | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 477794a4..bc36c967 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
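Review bot: The `sefcontext` rule in the new block is too narrow: `target: "{{ rhel8stig_pam_faillock.dir }}"` with `ftype: d` registers a file-context entry for the directory node only, so the per-user tally files pam_faillock creates inside it have no entry of their own and the recursive `restorecon -irv` run by the next task (or any later relabel) hands them the parent path's type instead — under `/var/log` that is `var_log_t`, not `faillog_t`, and the login domains may then be denied access to them. Mirroring the distribution's own entry for the default location, `target: "{{ rhel8stig_pam_faillock.dir }}(/.*)?"` with `ftype: d` dropped (the default covers the directory and everything beneath it) labels the contents as well. Smaller points in the same hunk: `mode: 0755` is an unquoted YAML 1.1 octal (it happens to work because the parsed integer 493 is 0o755, but `mode: "0755"` is the safe spelling), and `restorecon` needs no shell, so `command:` is the narrower module. The block is gated on `rhel_08_020017` alone, while the pam.d `dir=` lines from the earlier commits appear to be written by the other faillock controls, so a run that disables 020017 but keeps those points pam at a directory this prelim never creates; a comment on the block, or a condition covering those controls, would make the coupling explicit.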
@@ -424,18 +424,33 @@
 mode: 0755
 owner: root
 group: root
+ register: faillock_dir

-- - name: "PRELIM | RHEL-08-020017 | Set faillock directory context"
+ - name: "PRELIM | RHEL-08-020017 | Add permenant secontext"
 sefcontext:
 target: "{{ rhel8stig_pam_faillock.dir }}"
 ftype: d
 setype: faillog_t
- seuser: system_u # not really required added for continuity
 state: present
- register: faillock_dir_context
+ register: add_faillock_secontext
+ when: faillock_dir.changed

 - name: "PRELIM | RHEL-08-020017 | Set faillock directory selinux context immediately"
 shell: "restorecon -irv {{ rhel8stig_pam_faillock.dir }}"
- when: faillock_dir_context.changed
+
+ - name: "PRELIM | RHEL-08-020017 | Capture secontext"
+ shell: "ls -Zd {{ rhel8stig_pam_faillock.dir }}| grep -c faillog_t"
+ register: faillock_secontext
+ changed_when: false
+ failed_when: false
+
+ - name: "PRELIM | RHEL-08-020017 | Modify context of not correct"
+ shell: "semanage fcontext -m -t faillog_t -s system_u {{ rhel8stig_pam_faillock.dir }}"
+ register: modify_secontext
+ when: faillock_secontext.stdout != '1'
+
+ - name: "PRELIM | RHEL-08-020017 | Set {{ rhel8stig_pam_faillock.dir }} selinux context"
+ shell: "restorecon -irv {{ rhel8stig_pam_faillock.dir }}"
+ when: modify_secontext.changed
 when:
 - rhel_08_020017

From a41f4980e018bd415a5632a49a28486aa51c1159 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 27 Aug 2021 15:27:37 -0400
Subject: [PATCH 10/11] Adjusted 010471 to use prelime packages check

Signed-off-by: George Nalen
---
 tasks/fix-cat3.yml | 18 +++++------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml
index 297fac70..2e559b57 100644
--- a/tasks/fix-cat3.yml
+++ b/tasks/fix-cat3.yml
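Review bot: The new repair path is fragile: `sefcontext` now runs only `when: faillock_dir.changed`, so a directory that already existed before the role ran never gets a permanent rule, and the `semanage fcontext -m` meant to cover that case modifies an existing record and errors out when there is none (`-a` adds, `-m` does not). The `ls -Zd … | grep -c faillog_t` probe with `failed_when: false` also yields `0` for any failure (missing directory, `ls` error), which then triggers the modify step for the wrong reason. `sefcontext` with `state: present` is already idempotent, so the guard and the two shell-based repair tasks can go; the unconditional `restorecon -irv` the hunk leaves without a `changed_when` will otherwise report changed on every run, and since `-v` prints a line only for files it actually relabels, its output gives a natural `changed_when`. The `file:` task that registers `faillock_dir` starts above the hunk.

```yaml
      - name: "PRELIM | RHEL-08-020017 | Add permenant secontext"
        sefcontext:
          # … unchanged: target / ftype / setype / state …
        register: add_faillock_secontext

      - name: "PRELIM | RHEL-08-020017 | Set faillock directory selinux context immediately"
        command: "restorecon -irv {{ rhel8stig_pam_faillock.dir }}"
        register: faillock_restorecon
        changed_when: faillock_restorecon.stdout != ""
      # … removed: Capture secontext / Modify context of not correct / second restorecon tasks …
```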
@@ -125,21 +125,13 @@
 - V-230281

 - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service."
- block:
- - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service. | Check for the rng-tools package"
- shell: rpm -q rng-tools
- changed_when: false
- failed_when: false
- register: rhel_08_010471_rng_tools_status
-
- - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service. | Enable and start service"
- systemd:
- name: rngd.service
- state: started
- enabled: yes
- when: "'rng-tools-' in rhel_08_010471_rng_tools_status.stdout"
+ systemd:
+ name: rngd.service
+ state: started
+ enabled: yes
 when:
 - rhel_08_010471
+ - "'rng-tools' in ansible_facts.packages"
 tags:
 - RHEL-08-010471
 - CAT3

From cab497414e29d151efa5ef7e08a86702ad5432db Mon Sep 17 00:00:00 2001
From: George Nalen <57152366+georgenalen@users.noreply.github.com>
Date: Mon, 30 Aug 2021 12:24:39 -0700
Subject: [PATCH 11/11] Added PR Template

Signed-off-by: George Nalen
---
 .github/pull_request_template.md | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .github/pull_request_template.md

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..3e628098
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,9 @@
+**Overall Review of Changes**
+A general description of the changes made that are being requested for merge
+
+**Any Related Open Issues**
+Please list any open issues this PR addresses
+
+**How as this been tested?**
+Please give an overview of how these changes were tested. If they were not please use N/A
+
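Review bot: The added condition `"'rng-tools' in ansible_facts.packages"` turns a missing package into a silent skip: the control is not remediated, yet nothing in the run output distinguishes "rngd enabled" from "rng-tools absent, nothing done", so the finding stays open without a trace. If installing the package is acceptable for this role, a `package:` task with `name: rng-tools` and `state: present` ahead of the `systemd` task closes the gap; if not, a `debug:` or `fail:` task under the inverse condition should at least surface the skip. `ansible_facts.packages` is only populated after a `package_facts` task, which this hunk does not show — presumably prelim gathers it, but worth confirming. Also `enabled: yes` on the new side is a YAML 1.1 truthy; `enabled: true` is the canonical form.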