Merge pull request #34 from ansible-lockdown/devel

Devel to main Signed-off-by: George Nalen <[email protected]>
ansible-lockdown · Jul 12, 2021 · fe50d2a · fe50d2a
2 parents cf84c5c + ed4dc79
commit fe50d2a
Show file tree

Hide file tree

Showing 16 changed files with 600 additions and 219 deletions.
diff --git a/.ansible-lint b/.ansible-lint
@@ -0,0 +1,11 @@
+parseable: true
+quiet: true
+skip_list:
+  - '204'
+  - '305'
+  - '303'
+  - '403'
+  - '306'
+  - '602'
+use_default_rules: true
+verbosity: 0
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,7 @@
 .env
 *.log
 *.retry
+.cache
 .vagrant
 tests/*redhat-subscription
 tests/Dockerfile

diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,24 @@
+---
+ignore: |
+  tests/
+  molecule/
+  .github/
+  .gitlab-ci.yml
+  *molecule.yml
+
+extends: default
+
+rules:
+  indentation:
+    # Requiring 4 space indentation
+    spaces: 4
+    # Requiring consistent indentation within a file, either indented or not
+    indent-sequences: consistent
+  truthy: disable
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  line-length: disable
diff --git a/README.md b/README.md
@@ -12,7 +12,6 @@ Requirements
 
 RHEL 8 or CentOS 8 - Other versions are not supported.
 
-
 Dependencies
 ------------
 
@@ -25,10 +24,12 @@ The following packages must be installed on the controlling host/host where ansi
 
 Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
 
-
 Role Variables
 --------------
 
+- some found below
+- please refer to defaults/main.yml for a full breakdown
+
 | Name              | Default Value       | Description          |
 |-------------------|---------------------|----------------------|
 | `rhel8stig_oscap_scan` | `no` | Install and run an OpenSCAP report before and after the application of this role        |
@@ -56,6 +57,12 @@ Role Variables
 | `rhel8stig_password_complexity.maxrepeat` | `3` | Maximum number of allowed same consecutive characters in a new password. |
 | `rhel8stig_password_complexity.maxclassrepeat` | `4` | Maximum number of allowed same consecutive characters in the same **class** in the new password. |
 | `rhel8stig_password_complexity.minlen` | `15` | Minimum number of characters in a new password. |
+| `rhel8stig_sssd_conf` | [see defaults/main.yml](./defaults/main.yml)  | Default location for sssd.conf |
+| `rhel8stig_sssd_domain` | testing.test | Domain to be used in sssd |
+| `rhel8stig_sssd.certmap` | certmap/{{ rhel8stig_sssd_domain }}/rule_name | certmap rule for sssd |
+| `rhel8stig_sssd.matchrule` | =.*EDIPI@mil | match rule in relationship to domain e.g. CN etc |
+| `rhel8stig_sssd.maprule` | (userCertificate;binary={cert!bin}) | map cert auth requirements into sssd rule |
+| `rhel8stig_sssd.domains` | testing.test | comma seperated list of domains using sssd |
 | `rhel8stig_shell_session_timeout` | `file: /etc/profile` `timeout: 600` | Dictionary of session timeout setting and file (TMOUT setting can be set in multiple files) |
 | `rhel8stig_interactive_uid_start` | `1000` | Interactive user start point (UID_MIN) from /etc/login.defs |
 | `rhel8stig_ntp_server_name: server.name` | `server.name` | The NTP Server Name |
@@ -64,9 +71,10 @@ Role Variables
 | `rhel8stig_sshd_compression` | `no` | The Compression parameter in /etc/ssh/sshd_config needs to be set to no or delayed |
 | `rhel8stig_path_to_sshkey` | `/root/.ssh/` | Custom path to the ssh key |
 | `rhel8stig_hashing_rounds` | `5000` | The rounds parameter goes into pamd configs and needs to be set to now lower than 5000 |
-| `rhel8stig_dns_servers` | `9.9.9.9 and 149.112.112.112` | To conform to STIG standards you need two DNS servers, parameter is in list form |
+| `rhel8stig_dns_servers` | `8.8.8.8 and 8.8.4.4` | To conform to STIG standards you need two DNS servers, parameter is in list form |
 | `rhel8stig_nfs_mounts` | `vars` | NFS file system mounts pull automatcially with prelim task |
 | `rhel8stig_nfs_mounts_query` | `[?starts_with(fstype, 'nfs')].mount` | The query for mounts |
+| `rhel8stig_skip_reboot` | `false` | Whether or not to skip the reboot |
 
 
 Example Playbook
@@ -78,4 +86,3 @@ Example Playbook
             when:
                 - ansible_os_family == 'RedHat'
                 - ansible_distribution_major_version | version_compare('8', '=')
-
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -38,6 +38,9 @@ rhel8stig_system_is_container: false
 # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
 system_is_ec2: false
 
+# Whether to skip the reboot
+rhel8stig_skip_reboot: false
+
 # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
 # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
 # in order for the variables below to take effect.
@@ -515,6 +518,15 @@ rhel8stig_password_complexity:
     minlen: 15
     dictcheck: 1
 
+# rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290
+rhel8stig_sssd_conf: /etc/sssd/sssd.conf
+rhel8stig_sssd_domain: testing.test
+rhel8stig_sssd:
+    certmap: "certmap/{{ rhel8stig_sssd_domain }}/rule_name"
+    matchrule: "=.*EDIPI@mil"
+    maprule: (userCertificate;binary={cert!bin})
+    domains: "{{ rhel8stig_sssd_domain }}"
+
 # RHEL-08-020070
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. (60 seconds * 10 = 600)
@@ -567,7 +579,7 @@ rhel8stig_audisp_disk_full_action: single
 # rhel8stig_audisp_network_failure_action optoins are syslog, halt, and single
 rhel8stig_audisp_network_failure_action: single
 
-# RHEL-08-030060 
+# RHEL-08-030060
 # rhel8stig_auditd_disk_full_action options are SYSLOG, HALT, and SINGLE to fit STIG standards
 rhel8stig_auditd_disk_full_action: HALT
 
@@ -625,7 +637,7 @@ rhel8stig_auditd_failure_flag: "{{ rhel8stig_availability_override | ternary(1,
 # REHL-08-010020
 rhel8stig_boot_part: "{{ rhel_08_boot_part.stdout }}"
 
-# 
+#
 rhel8stig_machine_uses_uefi: "{{ rhel_08_sys_firmware_efi.stat.exists }}"
 rhel8stig_grub_cfg_path: "{{ rhel8stig_machine_uses_uefi | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
 rhel8stig_grub_cfg_path_invalid: "{{ (not rhel8stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
@@ -638,15 +650,25 @@ rhel8stig_nfs_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel
 rhel8stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount"
 
 # RHEL-08-010680
-rhel8stig_dns_servers:
+# This can be managed using a template ensure settings are correct
+rhel8_stig_use_resolv_template: false
+rhel8_stig_resolv_domain: example.com
+rhel8_stig_resolv_search:
+#    - 'example.com'
+#    - 'blah'
+rhel8_stig_resolv_options:
+#    - 'rotate 2'
+#    - 'timeout:1'
+
+rhel8stig_dns_servers:  # The order needs to be set as expected. If you have 3 you will need to amend playbook (not ideal)
     - 8.8.8.8
     - 8.8.4.4
 
 rhel8stig_int_gid: 1000
 
 # RHEL-08-010130
 # The rounds parameter goes into the password sufficient pam_unix.so element of the password-auth and system-auth files. The value shoudl be set no lower than 5000
-rhel8stig_hashing_rounds: 5000 
+rhel8stig_hashing_rounds: 5000
 
 # RHEL-08-010100
 rhel8stig_path_to_sshkey: "/root/.ssh/"
@@ -673,7 +695,7 @@ rhel8stig_custom_firewall_zone: "new_fw_zone"
 
 # RHEL-08-040090
 # rhel8stig_white_list_services is the services that you want to allow through initially for teh new firewall zone
-# http and ssh need to be enabled for the role to run. 
+# http and ssh need to be enabled for the role to run.
 rhel8stig_white_list_services:
     - http
     - https
@@ -698,4 +720,4 @@ rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1
 
 # RHEL-08-020070
 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less
-rhel8stig_tmux_lock_after_time: 900
+rhel8stig_tmux_lock_after_time: 900
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -16,6 +16,8 @@
   service:
       name: sssd
       state: restarted
+  when:
+      - "'sssd' in ansible_facts.packages" 
 
 - name: restart snmpd
   service:
@@ -48,6 +50,9 @@
       src: "{{ rhel8stig_grub_cfg_path | dirname }}/{{ item }}"
       dest: "{{ rhel8stig_grub_cfg_path_invalid | dirname }}/{{ item }}"
       remote_src: yes
+      owner: root
+      group: root
+      mode: 0755
   with_items:
       - grub.cfg
       - user.cfg
@@ -107,7 +112,10 @@
 
 - name: dconf update
   command: dconf update
-  when: rhel8stig_has_dconf_command
+  when: 
+  - "'dconf' in ansible_facts.packages"
+  - rhel8stig_always_configure_dconf
+
 
 - name: prereport score
   debug:
@@ -122,4 +130,5 @@
 - name: reboot system
   shell: sleep 3; reboot
   async: 15
-  poll: 0
+  poll: 0
+  when: not rhel8stig_skip_reboot
diff --git a/meta/main.yml b/meta/main.yml
@@ -1,20 +1,18 @@
 ---
 galaxy_info:
-    author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen"
+    author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell"
     description: "Apply the DISA RHEL 8 STIG"
     company: "MindPoint Group"
     license: MIT
-    min_ansible_version: 2.8.0
-
+    role_name: rhel8_stig
+    min_ansible_version: 2.9.0
     platforms:
         - name: EL
           versions:
               - 8
-
     galaxy_tags:
         - system
         - security
         - stig
         - hardening
-
 dependencies: []
diff --git a/site.yml b/site.yml
@@ -8,4 +8,4 @@
       - role: "{{ playbook_dir }}"
         rhel8cis_system_is_container: "{{ is_container | default(false) }}"
         rhel8cis_skip_for_travis: false
-        rhel8cis_oscap_scan: yes
+        rhel8cis_oscap_scan: yes
diff --git a/tasks/audit_oscap_scan_after.yml b/tasks/audit_oscap_scan_after.yml
@@ -11,6 +11,8 @@
   ignore_errors: true
   changed_when: false
   failed_when: false
+  tags:
+      - skip_ansible_lint
 
 - name: Get the second scan result from the XML
   slurp:

diff --git a/tasks/audit_oscap_scan_before.yml b/tasks/audit_oscap_scan_before.yml
@@ -39,6 +39,8 @@
   ignore_errors: true
   changed_when: false
   failed_when: false
+  tags:
+      - skip_ansible_lint
 
 - name: Get the scan result from the XML
   slurp:

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -129,12 +129,14 @@
         "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."
         "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes."
   block:
-  # the createuser.cfg task is a workaround for the the ansible bug https://github.com/ansible/ansible/pull/59823
+      # the createuser.cfg task is a workaround for the the ansible bug https://github.com/ansible/ansible/pull/59823
       - name: |
               "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Create user.cfg"
               "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Create user.cfg"
         shell: test -f {{ file_q }} && echo exists || {{ create_cmd }}
-        check_mode: ansible_check_mode is not defined
+        args:
+            warn: no
+        check_mode: "{{ ansible_check_mode is not defined }}"
         register: rhel8stig_create_grub_user_cfg
         changed_when:
             - rhel8stig_create_grub_user_cfg.stdout == "created"
@@ -153,6 +155,9 @@
             create: yes
             regexp: ^GRUB2_PASSWORD=
             line: GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}
+            owner: root
+            group: root
+            mode: 0640
         notify: confirm grub2 user cfg
 
       - name: |
@@ -258,7 +263,7 @@
       - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok"
         replace:
             path: "{{ item }}"
-            regexp: 'nullok '
+            regexp: ' nullok'
             replace: ''
         with_items:
             - /etc/pam.d/system-auth
@@ -267,7 +272,7 @@
       - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Set PermitEmptyPasswords to no"
         lineinfile:
             path: /etc/ssh/sshd_config
-            regexp: '^.*PermitEmptyPasswords'
+            regexp: '(?i)^#?PermitEmptyPasswords'
             line: 'PermitEmptyPasswords no'
         notify: restart sshd
   when:
@@ -342,17 +347,20 @@
             line: "{{ item.line }}"
             insertafter: "{{ item.insertafter }}"
             create: yes
+            owner: root
+            group: root
+            mode: 0644
         with_items:
             - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' }
             - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' }
-        when: rhel_08_040171_logout_settings_status.stdout == ""
+        when: rhel_08_040171_logout_settings_status.stdout | length == 0
 
       - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists"
         replace:
             path: "{{ rhel_08_040171_logout_settings_status.stdout }}"
             regexp: '^[L|l]ogout=.*'
             replace: "logout=''"
-        when: rhel_08_040171_logout_settings_status.stdout != ""
+        when: rhel_08_040171_logout_settings_status.stdout | length > 0
   when:
       - rhel_08_040171
   tags:
@@ -387,19 +395,19 @@
         changed_when: false
         failed_when: false
         register: rhel_08_040200_nonroot_uid
-      
+
       - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0"
         command: "passwd -l {{ item }}"
         with_items:
             - "{{ rhel_08_040200_nonroot_uid.stdout_lines }}"
-        when: rhel_08_040200_nonroot_uid.stdout != ""
+        when: rhel_08_040200_nonroot_uid.stdout | length > 0
 
       - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked"
         debug:
             msg:
                 - "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user"
                 - " {{ rhel_08_040200_nonroot_uid.stdout_lines }}"
-        when: rhel_08_040200_nonroot_uid.stdout != ""
+        when: rhel_08_040200_nonroot_uid.stdout | length > 0
   when:
       - rhel_08_040200
       - rhel8stig_disruption_high