Merge pull request #30 from ansible-lockdown/v3r14_updates

V3r14 updates
ansible-lockdown · Apr 15, 2024 · 637c2c1 · 637c2c1
2 parents 1169e2f + a2398c0
commit 637c2c1
Show file tree

Hide file tree

Showing 47 changed files with 102 additions and 91 deletions.
diff --git a/Cat_1/RHEL-07-010290.yml b/Cat_1/RHEL-07-010290.yml
@@ -1,10 +1,10 @@
 {{ if .Vars.RHEL_07_010290 }}
 command:
-  check_nullok:
+  check_nullok_pam:
     title: RHEL_07_010290 | The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.
     exec: "grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth"
     exit-status: 1
-    stdout: 
+    stdout:
     - '!/./'
     meta:
       Cat: 1

diff --git a/Cat_1/RHEL-07-010291.yml b/Cat_1/RHEL-07-010291.yml
@@ -1,10 +1,10 @@
 {{ if .Vars.RHEL_07_010291 }}
 command:
-  check_nullok:
+  check_nullok_shadow:
     title: RHEL_07_010291 | The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.
     exec: "awk -F: '!$2 {print $1}' /etc/shadow"
     exit-status: 0
-    stdout: 
+    stdout:
     - '!/./'
     meta:
       Cat: 1

diff --git a/Cat_1/RHEL-07-010440.yml b/Cat_1/RHEL-07-010440.yml
@@ -4,7 +4,7 @@ file:
   /etc/gdm/custom.conf:
   title: RHEL_07_010440 | Must not allow an unattended or automatic logon to the system via a graphical user interface.
   exists: true
-  contains:
+  contents:
   - '/^[aA]uto[mM]atic[lL]ogin[eE]nable=false/'
   - '!/^[aA]uto[mM]atic[lL]ogin[eE]nable=true/'
   meta:

diff --git a/Cat_1/RHEL-07-010450.yml b/Cat_1/RHEL-07-010450.yml
@@ -4,7 +4,7 @@ file:
   /etc/gdm/custom.conf:
   title: RHEL-07-010450 | Must not allow an unrestricted logon to the system.
   exists: true
-  contains:
+  contents:
   - '/^[[tT]imed[lL]ogin[eE]nable=false'
   - '!/^[[tT]imed[lL]ogin[eE]nable=true'
   meta:

diff --git a/Cat_1/RHEL-07-010482.yml b/Cat_1/RHEL-07-010482.yml
@@ -5,7 +5,7 @@ file:
   /boot/grub2/user.cfg:
     title: RHEL-07-010482 | Require authentication upon booting into single-user and maintenance modes. | BIOS | (>=RHEL7.3)
     exists: true
-    contains:
+    contents:
     - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.*/'
     meta:
       Cat: 1

diff --git a/Cat_1/RHEL-07-010490.yml b/Cat_1/RHEL-07-010490.yml
@@ -1,11 +1,11 @@
-{{ if .Vars.rhel7stig_legacyOS }} 
+{{ if .Vars.rhel7stig_legacyOS }}
   {{ if not .Vars.rhel7stig_legacy_boot }}
 file:
   /boot/efi/EFI/redhat/grub.cfg:
     {{ if .Vars.RHEL_07_010490 }}
     title: RHEL-07-010490 | Require authentication upon booting into single-user and maintenance modes. | UEFI | (<= RHEL7.1)
     exists: true
-    contains:
+    contents:
     - '/^password_pbkdf2\sroot\s.*/'
     meta:
       Cat: 1

diff --git a/Cat_1/RHEL-07-010491.yml b/Cat_1/RHEL-07-010491.yml
@@ -1,11 +1,11 @@
-{{ if not .Vars.rhel7stig_legacyOS }} 
+{{ if not .Vars.rhel7stig_legacyOS }}
   {{ if not .Vars.rhel7stig_legacy_boot }}
     {{ if .Vars.RHEL_07_010491 }}
 file:
   /boot/efi/EFI/redhat/user.cfg:
     title: RHEL-07-010491 | Require authentication upon booting into single-user and maintenance modes. | UEFI | user.cfg | (>=RHEL7.3)
     exists: true
-    contains:
+    contents:
     - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.*/'
     meta:
       Cat: 1

diff --git a/Cat_1/RHEL-07-020230.yml b/Cat_1/RHEL-07-020230.yml
@@ -8,7 +8,7 @@ service:
       Cat: 1
       CCI: CCI-000366
       Group_Title: SRG-OS-000480-GPOS-00227
-      Rule_ID: SV-204455r833106_rule
+      Rule_ID: SV-204455r928574_rule
       STIG_ID: RHEL-07-020230
       Vul_ID: V-204455
 file:

diff --git a/Cat_1/RHEL-07-020231.yml b/Cat_1/RHEL-07-020231.yml
@@ -4,7 +4,7 @@ file:
   /etc/dconf/db/local.d/00-disable-CAD:
   title: RHEL_07_020231 | Must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
   exists: true
-  contains:
+  contents:
   - '/[org/gnome/settings-daemon/plugins/media-keys]/'
   - '^logout="'
   meta:

diff --git a/Cat_1/RHEL-07-020250.yml b/Cat_1/RHEL-07-020250.yml
@@ -4,7 +4,7 @@ file:
   /etc/redhat-release:
     title: RHEL_07_020250 | The Red Hat Enterprise Linux operating system must be a vendor supported release. | Not EUS
     exists: true
-    contains:
+    contents:
     - '/^Red Hat Enterprise Linux Server release 7.\b([9]|1[0-2])\b/'
     meta:
       Cat: 1

diff --git a/Cat_1/RHEL-07-040800.yml b/Cat_1/RHEL-07-040800.yml
@@ -3,7 +3,7 @@ file:
   /etc/snmp/snmpd.conf:
     title: RHEL_07_040800 | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.
     exists: true
-    contains:
+    contents:
     - '!/^%\ssnmp.*public.*$/'
     - '!/^%\ssnmp.*private.*$/'
     meta:

diff --git a/Cat_2/RHEL-07-010050.yml b/Cat_2/RHEL-07-010050.yml
@@ -3,7 +3,7 @@ file:
   /etc/issue:
     title: RHEL-07-010050 | Must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
     exists: true
-    contains:
+    contents:
     {{ if .Vars.rhel7stig_use_disa_banner}}
     - '/{{ .Vars.rhel7stig_disa_logon_banner }}/'
     {{ end }}

diff --git a/Cat_2/RHEL-07-010063.yml b/Cat_2/RHEL-07-010063.yml
@@ -18,7 +18,7 @@ file:
   /etc/dconf/profile/gdm:
     title: RHEL-07-010063 | Must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
     exists: true
-    contains:
+    contents:
     - '/^user-db:user/'
     - '/^system-db:gdm/'
     - '/^file-db:/usr/share/gdm/greeter-dconf-defaults/'

diff --git a/Cat_2/RHEL-07-010199.yml b/Cat_2/RHEL-07-010199.yml
@@ -1,5 +1,5 @@
 {{ if .Vars.RHEL_07_010199 }}
-file: 
+file:
   /etc/pam.d/password-auth:
     title: RHEL-07-010199 | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility | passwd-auth-local.
     exists: true
@@ -30,7 +30,7 @@ file:
     owner: root
     group: root
     filetype: file
-    contains:
+    contents:
     - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
     - '/^auth\s+include password-auth-ac/'
     - '/^auth\s+sufficient pam_unix.so try_first_pass/'
@@ -55,8 +55,7 @@ file:
     owner: root
     group: root
     filetype: file
-    contains:
-    contains:
+    contents:
     - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
     - '/^auth\s+include system-auth-ac/'
     - '/^auth\s+sufficient pam_unix.so try_first_pass/'

diff --git a/Cat_2/RHEL-07-010310.yml b/Cat_2/RHEL-07-010310.yml
@@ -12,7 +12,7 @@ command:
       Cat: 2
       CCI: CCI-000795
       Group_Title: SRG-OS-000118-GPOS-00060
-      Rule_ID: SV-204426r809190_rule
+      Rule_ID: SV-204426r928568_rule
       STIG_ID: RHEL-07-010310
       Vul_ID: V-204426
 {{ end }}
diff --git a/Cat_2/RHEL-07-010500.yml b/Cat_2/RHEL-07-010500.yml
@@ -4,7 +4,7 @@ file:
   /etc/pam_pkcs11/pkcs_eventmgr.conf:
     title: RHEL-07-010500 | Must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
     exists: true
-    contains:
+    contents:
     - '/^usr/X11R6/bin/xscreensaver-command -lock/'
     - '/^use_pkcs11_module = cackey;/'
     meta:

diff --git a/Cat_2/RHEL-07-020019.yml b/Cat_2/RHEL-07-020019.yml
@@ -8,7 +8,7 @@ package:
       Cat: 2
       CCI: CCI-001263
       Group_Title: SRG-OS-000480-GPOS-00227
-      Rule_ID: SV-214800r754751_rule
+      Rule_ID: SV-214800r942888_rule
       STIG_ID: RHEL-07-020019
       Vul_ID: V-214800
 process:
@@ -19,7 +19,7 @@ process:
       Cat: 2
       CCI: CCI-001263
       Group_Title: SRG-OS-000480-GPOS-00227
-      Rule_ID: SV-214800r754751_rule
+      Rule_ID: SV-214800r942888_rule
       STIG_ID: RHEL-07-020019
       Vul_ID: V-214800
   {{ end }}

diff --git a/Cat_2/RHEL-07-020020.yml b/Cat_2/RHEL-07-020020.yml
@@ -12,7 +12,7 @@ command:
       - CCI-002235
       - CCI-002165
       Group_Title: SRG-OS-000324-GPOS-00125
-      Rule_ID: SV-204444r792826_rule
+      Rule_ID: SV-204444r928571_rule
       STIG_ID: RHEL-07-020020
       Vul_ID: V-204444
   semanage_sysadm_u_check:
@@ -29,7 +29,7 @@ command:
       - CCI-002235
       - CCI-002165
       Group_Title: SRG-OS-000324-GPOS-00125
-      Rule_ID: SV-204444r792826_rule
+      Rule_ID: SV-204444r928571_rule
       STIG_ID: RHEL-07-020020
       Vul_ID: V-204444
   semanage_staff_u_check:
@@ -46,7 +46,7 @@ command:
       - CCI-002235
       - CCI-002165
       Group_Title: SRG-OS-000324-GPOS-00125
-      Rule_ID: SV-204444r754744_rule
+      Rule_ID: SV-204444r928571_rule
       STIG_ID: RHEL-07-020020
       Vul_ID: V-204444
 {{ end }}
diff --git a/Cat_2/RHEL-07-020021.yml b/Cat_2/RHEL-07-020021.yml
@@ -13,7 +13,7 @@ command:
       - CCI-002235
       - CCI-002165
       Group_Title: SRG-OS-000324-GPOS-00125
-      Rule_ID: SV-250312r792843_rule
+      Rule_ID: SV-250312r928579_rule
       STIG_ID: RHEL-07-020021
       Vul_ID: V-250312
 {{ end }}
diff --git a/Cat_2/RHEL-07-020022.yml b/Cat_2/RHEL-07-020022.yml
@@ -12,7 +12,7 @@ command:
       - CCI-002165
       - CCI-002235
       Group_Title: SRG-OS-000324-GPOS-00125
-      Rule_ID: SV-250313r792846_rule
+      Rule_ID: SV-250313r942891_rule
       STIG_ID: RHEL-07-020022
       Vul_ID: V-250313
 {{ end }}
diff --git a/Cat_2/RHEL-07-020023.yml b/Cat_2/RHEL-07-020023.yml
@@ -15,7 +15,7 @@ command:
       - CCI-002165
       - CCI-002235
       Group_Title: SRG-OS-000324-GPOS-00125
-      Rule_ID: SV-250314r861076_rule
+      Rule_ID: SV-250314r928582_rule
       STIG_ID: RHEL-07-020023
       Vul_ID: V-250314
   selinux_sudo_context_count:
@@ -30,7 +30,7 @@ command:
       - CCI-002165
       - CCI-002235
       Group_Title: SRG-OS-000324-GPOS-00125
-      Rule_ID: SV-250314r861076_rule
+      Rule_ID: SV-250314r928582_rule
       STIG_ID: RHEL-07-020023
       Vul_ID: V-250314
 {{ end }}
diff --git a/Cat_2/RHEL-07-020029.yml b/Cat_2/RHEL-07-020029.yml
@@ -1,7 +1,8 @@
 {{ if .Vars.RHEL_07_020029 }}
 package:
-  aide:
+  aide_installed:
     title: RHEL-07-020029 | Must use a file integrity tool to verify correct operation of all security functions | package
+    name: aide
     installed: true
     meta:
       Cat: 2

diff --git a/Cat_2/RHEL-07-020100.yml b/Cat_2/RHEL-07-020100.yml
@@ -5,16 +5,16 @@ command:
     exec: grep usb-storage /etc/modprobe.d/usb-storage.conf
     exit-status: 0
     stdout:
-    - '/^install usb-storage /bin/true/'
-    - '!/^#install usb-storage /bin/true/'
+    - '/^install usb-storage /bin/false/'
+    - '!/^install usb-storage /bin/true/'
     meta:
       Cat: 2
       CCI:
       - CCI-001958
       - CCI-000778
       - CCI-000366
       Group_Title: SRG-OS-000114-GPOS-00059
-      Rule_ID: SV-204449r603261_rule
+      Rule_ID: SV-204449r942894_rule
       STIG_ID: RHEL-07-020100
       Vul_ID: V-204449
   usb_storage_blacklist:
@@ -23,30 +23,29 @@ command:
     exit-status: 0
     stdout:
     - '/^blacklist usb-storage/'
-    - '!/^#blacklist usb-storage/'
     meta:
       Cat: 2
       CCI:
       - CCI-001958
       - CCI-000778
       - CCI-000366
       Group_Title: SRG-OS-000114-GPOS-00059
-      Rule_ID: SV-204449r603261_rule
+      Rule_ID: SV-204449r942894_rule
       STIG_ID: RHEL-07-020100
       Vul_ID: V-204449
   modprobe_usb-storage:
     title: RHEL-07-020100 | Must be configured to disable USB mass storage. | running
     exit-status: 0
     exec: 'modprobe -n -v usb-storage'
-    stdout: ['install /bin/true']
+    stdout: ['install /bin/false']
     meta:
       Cat: 2
       CCI:
       - CCI-001958
       - CCI-000778
       - CCI-000366
       Group_Title: SRG-OS-000114-GPOS-00059
-      Rule_ID: SV-204449r603261_rule
+      Rule_ID: SV-204449r942894_rule
       STIG_ID: RHEL-07-020100
       Vul_ID: V-204449
 {{ end }}
diff --git a/Cat_2/RHEL-07-020101.yml b/Cat_2/RHEL-07-020101.yml
@@ -1,17 +1,17 @@
 {{ if .Vars.RHEL_07_020101 }}
 command:
-  modprobe_dccp:
+  modprobe_dccp_module:
     title: RHEL-07-020101 | Must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.
     exec: grep dccp /etc/modprobe.d/dccp.conf
     exit-status: 0
     stdout:
-    - '/^install dccp /bin/true/'
-    - '!/^#install dccp /bin/true/'
+    - '/^install dccp /bin/false/'
+    - '!/^install dccp /bin/true/'
     meta:
       Cat: 2
       CCI: CCI-001958
       Group_Title: SRG-OS-000378-GPOS-00163
-      Rule_ID: SV-204450r603261_rule
+      Rule_ID: SV-204450r942897_rule
       STIG_ID: RHEL-07-020101
       Vul_ID: V-204450
   dccp_blacklist:
@@ -20,24 +20,23 @@ command:
     exit-status: 0
     stdout:
     - '/^blacklist dccp/'
-    - '!/^#blacklist dccp/'
     meta:
       Cat: 2
       CCI: CCI-001958
       Group_Title: SRG-OS-000378-GPOS-00163
-      Rule_ID: SV-204450r603261_rule
+      Rule_ID: SV-204450r942897_rule
       STIG_ID: RHEL-07-020101
       Vul_ID: V-204450
-  modprobe_dccp:
+  modprobe_dccp_loaded:
     title: RHEL-07-020101 | Must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. | running
     exit-status: 0
     exec: 'modprobe -n -v dccp'
-    stdout: ['install /bin/true']
+    stdout: ['install /bin/false']
     meta:
       Cat: 2
       CCI: CCI-001958
       Group_Title: SRG-OS-000378-GPOS-00163
-      Rule_ID: SV-204450r603261_rule
+      Rule_ID: SV-204450r942897_rule
       STIG_ID: RHEL-07-020101
       Vul_ID: V-204450
 {{ end }}
diff --git a/Cat_2/RHEL-07-020111.yml b/Cat_2/RHEL-07-020111.yml
@@ -1,10 +1,10 @@
 {{ if .Vars.rhel7stig_gui }}
   {{ if .Vars.RHEL_07_020111 }}
-file: 
+file:
   /etc/dconf/db/local.d/00-No-Automount:
     title: RHEL-07-020111 | Must disable the graphical user interface automounter unless required.
     exists: true
-    contains:
+    contents:
     - '/^automount=false/'
     - '/^automount-open=false/'
     - '/^autorun-never=true/'