diff --git a/ChangeLog.md b/ChangeLog.md
index 608849fd..16e9886b 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,5 +1,14 @@
 # Changelog
+## 3.1 STIG V3R13 25th Oct 2023
+
+- RHEL_07_010310 - ruleid updated and INACTIVE var created
+- RHEL_07_020020 - ruleid
+- RHEL_07_020021 - ruleid
+- RHEL_07_020023 - ruleid
+- RHEL_07_020230 - ruleid
+- RHEL_07_021700 - ruleid
+
 ## 3.0 Stig V3R12 26th July 2023
 - RHEL-07-010199 - pamd password and system auth rewrite and ruleid updated
diff --git a/README.md b/README.md
index f8a2adec..9d9c4d84 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 ## Configure a RHEL7 based system to be complaint with Disa STIG
-This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R12_STIG.zip).
+This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 13 released on October 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R13_STIG.zip).
 ---
@@ -47,7 +47,7 @@ Configure a RHEL 7 system to be DISA STIG compliant. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `true`.
-# Caution(s)
+## Caution(s)
 This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
@@ -222,5 +222,7 @@ pre-commit run This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) Massive thanks to the fantastic community and all its members.
+
 This includes a huge thanks and credit to the original authors and maintainers.
-Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell
+
+- Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell
diff --git a/defaults/main.yml b/defaults/main.yml
index 89b65ab1..3c6b0a42 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,7 +13,7 @@ python2_bin: /bin/python2.7 # audit variable found at the base benchmark: RHEL7-STIG ## metadata for Audit benchmark
-benchmark_version: 'v3r12'
+benchmark_version: 'v3r13'
 # Whether to skip the reboot rhel7stig_skip_reboot: true
@@ -348,6 +348,9 @@ rhel7stig_smartcard: false
 # Configure your smartcard driver
 rhel7stig_smartcarddriver: cackey
+# RHEL_07_010310
+# Must be 35 or less but not 0 or -1
+rhel_07_010310_inactive: 35
 # RHEL_07_020020
 # Set "selinux_change_users" false to disable this control's actions and just report results.
 # You will need to adjust the paths for installed HIPS/HBSS for this control.
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index a8dab97d..1ab19f04 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: "HIGH | RHEL-07-010010 | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."
 block:
 - name: "HIGH | RHEL-07-010010 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."
@@ -306,7 +307,7 @@
 - CAT1
 - CCI-000366
 - SRG-OS-000480-GPOS-00227
- - SV-204455r833106_rule
+ - SV-204455r928574_rule
 - V-204455
 - systemctl
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 1ea2f6de..5d78599b 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -756,7 +756,7 @@
 ansible.builtin.lineinfile:
 path: /etc/default/useradd
 regexp: ^#?INACTIVE
- line: INACTIVE=35
+ line: "INACTIVE={{ rhel_07_010310_inactive }}"
 when:
 - rhel_07_010310
 tags:
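Review bot: The comment above the new `rhel_07_010310_inactive` default states the bounds but not why they matter, and nothing visible in the role enforces them, so an operator who overrides the variable with 0, -1 or a value above 35 ends up with a non-compliant `/etc/default/useradd` and no warning. Per useradd(8), INACTIVE is the number of days after password expiry before the account is disabled; 0 disables the account the moment the password expires and -1 switches the inactivity lockout off, which is presumably why the STIG excludes both. I would replace the two comment lines with `# RHEL_07_010310 - INACTIVE in /etc/default/useradd: days after password expiry until the account is locked` and `# STIG requires 1-35; 0 locks the account immediately on expiry and -1 disables the lockout entirely`. An `ansible.builtin.assert` on the value before it is written would turn a bad override into a hard failure instead of a silent finding. Only part of the defaults file is visible in this hunk.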
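Review bot: The new `line: "INACTIVE={{ rhel_07_010310_inactive }}"` writes whatever the variable holds straight into `/etc/default/useradd`, so an override of 0, -1, a value over 35, or a non-numeric string is templated verbatim and silently produces a STIG finding or disables the inactivity lockout altogether; the old hard-coded 35 could not do that. Add an assert, guarded by the same `rhel_07_010310` condition, that fails the play when the value is outside 1-35 before the lineinfile runs; the `| int` filter maps a non-numeric override to 0, which the lower bound then rejects. The `- name:` line of the enclosing task and any `block:` it sits in are outside this hunk, so the excerpt below shows only the new assert task placed ahead of the existing lineinfile task.
```yaml
- name: "MEDIUM | RHEL-07-010310 | AUDIT | Validate rhel_07_010310_inactive is within 1-35"
  ansible.builtin.assert:
    that:
      - rhel_07_010310_inactive | int >= 1
      - rhel_07_010310_inactive | int <= 35
    fail_msg: "rhel_07_010310_inactive must be 1-35 days (0 and -1 are STIG findings), got '{{ rhel_07_010310_inactive }}'"
  when:
    - rhel_07_010310

# … unchanged: existing RHEL-07-010310 lineinfile task writing INACTIVE={{ rhel_07_010310_inactive }} …
```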
@@ -1167,15 +1167,15 @@
 # ##############################
 # This control should be manually implemented
-- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
+- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
 block:
- - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users"
+ - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users"
 ansible.builtin.shell: semanage login -l
 changed_when: false
 failed_when: false
 register: rhel_07_020020_sel_auth_users
- - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users"
+ - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users"
 ansible.builtin.debug:
 msg:
 - "Warning!! Below is your SELinux user/group list. 
 Please review and make sure all of the following are met:"
@@ -1184,7 +1184,7 @@
 - "{{ rhel_07_020020_sel_auth_users.stdout_lines }}"
 when: rhel_07_020020_sel_auth_users.stdout | length > 0
- - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed"
+ - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed"
 ansible.builtin.debug:
 msg:
 - "Warning!! You do not have semanage installed! Please installed the needed packages"
@@ -1197,7 +1197,7 @@
 - CCI-002235
 - CCI-002165
 - SRG-OS-000324-GPOS-00125
- - SV-204444r754744_rule
+ - SV-204444r928571_rule
 - V-204444
 - name: "MEDIUM | RHEL-07-020028 | PATCH | The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel."
@@ -2307,7 +2307,7 @@
 - CCI-001813
 - CCI-000318
 - SRG-OS-000364-GPOS-00151
- - SV-204501r603261_rule
+ - SV-204501r928576_rule
 - V-204501
 - grub
 - bootloader
@@ -4742,7 +4742,7 @@
 - CCI-002165
 - CCI-002235
 - SRG-OS-000324-GPOS-00125
- - SV-250312r792843_rule
+ - SV-250312r928579_rule
 - V-250312
 - name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH."
@@ -4791,5 +4791,5 @@
 - CCI-002165
 - CCI-002235
 - SRG-OS-000324-GPOS-00125
- - SV-250314r861076_rule
+ - SV-250314r877392_rule
 - V-250314