From dd187dd199abf8186c58c9b8cbb685482c9234f7 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Wed, 14 Feb 2024 16:54:58 +0000 Subject: [PATCH] devel to main update for release (#443) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Specify missing state parameter for package Signed-off-by: Anže Luzar * Correct with_items indentation for package Signed-off-by: Anže Luzar * Replace inline strings with module parameters Signed-off-by: Anže Luzar * updated link Signed-off-by: Mark Bolwell * lint updates Signed-off-by: Mark Bolwell * removed old Signed-off-by: Mark Bolwell * added new defined secrets file Signed-off-by: Mark Bolwell * added precommit Signed-off-by: Mark Bolwell * lint updates Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * added pragma allow list Signed-off-by: Mark Bolwell * updated due to galaxy changes Signed-off-by: Mark Bolwell * moved file Signed-off-by: Mark Bolwell * updated path Signed-off-by: Mark Bolwell * removed quality badge since galaxy-ng Signed-off-by: Mark Bolwell * Adding additional condition for rhel7stig_grub2_user_cfg for task Signed-off-by: layluke * updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell * removed file Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * lint update Signed-off-by: Mark Bolwell * fix typo Signed-off-by: Mark Bolwell * rhel7stig_boot_part variable now discovered Signed-off-by: Mark Bolwell * tidy up of rhel7stig_boot_part variable Signed-off-by: Mark Bolwell * changed logic on 20620 Signed-off-by: Mark Bolwell * updated logic for uuid Signed-off-by: Mark Bolwell * removed extra line Signed-off-by: Mark Bolwell * removed doc dir Signed-off-by: Mark Bolwell * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.21.1...v6.22.2) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) * Issue #446 tag update to always - thanks to @prestonSeaman2 Signed-off-by: Mark Bolwell * conditional updated 021000 & 021010 #448 thanks @erosen03 Signed-off-by: Mark Bolwell --------- Signed-off-by: Anže Luzar Signed-off-by: Mark Bolwell Signed-off-by: layluke Co-authored-by: Anže Luzar Co-authored-by: layluke Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .config/.gitleaks-report.json | 1 - .config/.secrets.baseline | 79 +------------------ .../workflows/devel_pipeline_validation.yml | 20 ++--- .../workflows/main_pipeline_validation.yml | 18 ++--- .github/workflows/update_galaxy.yml | 14 ++-- .pre-commit-config.yaml | 9 +-- CONTRIBUTING.rst | 1 - ChangeLog.md | 4 +- README.md | 1 - ansible.cfg | 1 - collections/requirements.yml | 12 ++- defaults/main.yml | 4 +- doc/README.md | 8 -- handlers/main.yml | 4 +- tasks/fix-cat1.yml | 7 +- tasks/fix-cat2.yml | 56 +++++++------ tasks/main.yml | 24 +++--- tasks/pre_remediation_audit.yml | 3 +- tasks/prelim.yml | 32 +++----- templates/01-banner-message.j2 | 2 +- templates/ansible_vars_goss.yml.j2 | 4 +- templates/audit/99_auditd.rules.j2 | 2 +- templates/pam_pkcs11.conf.j2 | 14 ++-- vars/Centos.yml | 9 --- 24 files changed, 121 insertions(+), 208 deletions(-) delete mode 100644 .config/.gitleaks-report.json delete mode 100644 doc/README.md delete mode 100644 vars/Centos.yml diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index fe51488c..00000000 --- a/.config/.gitleaks-report.json +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 522a6339..eab74d91 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 @@ -113,78 +109,11 @@ { "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ - ".config/.gitleaks-report.json" + ".config/.gitleaks-report.json", + "tasks/parse_etc_passwd.yml" ] } ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 467, - "is_secret": false - } - ], - "tasks/fix-cat2.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/fix-cat2.yml", - "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", - "is_verified": false, - "line_number": 1449, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", - "is_verified": false, - "line_number": 39, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 56, - "is_secret": false - } - ], - "tasks/parse_etc_passwd.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_passwd.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ], - "tasks/prelim.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/prelim.yml", - "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", - "is_verified": false, - "line_number": 228, - "is_secret": false - } - ], - "templates/pam_pkcs11.conf.j2": [ - { - "type": "Secret Keyword", - "filename": "templates/pam_pkcs11.conf.j2", - "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "is_verified": false, - "line_number": 173, - "is_secret": false - } - ] - }, - "generated_at": "2023-09-14T14:19:49Z" + "results": {}, + "generated_at": "2023-10-09T14:42:52Z" } diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a4e7d48a..39af625a 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,9 +27,9 @@ repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..8ded7018 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..f9352800 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: @@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..43020660 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -34,16 +34,15 @@ repos: hooks: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint @@ -62,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.33.0 # or higher tag hooks: - id: yamllint diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 2fa743d8..23ce2fb7 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -65,4 +65,3 @@ following text in your contribution commit message: This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s` option to `git commit` to automatically include the signoff message. - diff --git a/ChangeLog.md b/ChangeLog.md index 0859edd9..608849fd 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -115,14 +115,14 @@ README ## Release 1.9.0 -- RHEL-07-010271 - New Control Added +- RHEL-07-010271 - New Control Added - Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text. - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives. - RHEL-07-030840 - Updated check and fix text. - RHEL-07-040160 - Updated check text. - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion. - - RHEL-07-040360, RHEL-07-040530 - Updated CCI. + - RHEL-07-040360, RHEL-07-040530 - Updated CCI. - Update to README and requirements - RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information diff --git a/README.md b/README.md index 40081ffc..70be8088 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) diff --git a/ansible.cfg b/ansible.cfg index f0ab6836..c7c4ec86 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -23,4 +23,3 @@ transfer_method=scp [colors] [diff] - diff --git a/collections/requirements.yml b/collections/requirements.yml index 4a418efa..8ebc6180 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,8 +1,14 @@ --- collections: -- name: community.general + - name: community.general + source: https://github.com/ansible-collections/community.general + type: git -- name: community.crypto + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git -- name: ansible.posix + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git diff --git a/defaults/main.yml b/defaults/main.yml index 916abcca..89b65ab1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -464,7 +464,7 @@ rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}" # RHEL-07-010480 and RHEL-07-010490 # Password protect the boot loader -rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' +rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret rhel7stig_boot_superuser: root # RHEL-07-021700 set the value for correctly configured grub bootloader sequence @@ -693,7 +693,7 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}" -rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}" +rhel7stig_boot_part: /boot rhel7stig_legacy_boot_path: '/boot/grub2/' rhel7stig_efi_boot_path: '/boot/efi/EFI/' diff --git a/doc/README.md b/doc/README.md deleted file mode 100644 index fb11aec8..00000000 --- a/doc/README.md +++ /dev/null @@ -1,8 +0,0 @@ -To generate the documentation on a RHEL/CentOS 7 system, take the following steps: -1. Install required packages: - * `yum install python3-pip python-sphinx` -2. Install the requirements: - * `sudo pip3 install -r requirements.txt` -3. Generate the documentation: - * `make singlehtml` - diff --git a/handlers/main.yml b/handlers/main.yml index c414bd4c..88fb8027 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -27,7 +27,7 @@ - name: make grub2 config ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_bootloader_path }}grub.cfg when: - - rhel7stig_grub2_user_cfg.stat.exists + - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists) - not rhel7stig_skip_for_travis - not rhel7stig_system_is_container @@ -42,7 +42,7 @@ - grub.cfg - user.cfg when: - - rhel7stig_grub2_user_cfg.stat.exists + - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists) - rhel7stig_workaround_for_disa_benchmark - not rhel7stig_skip_for_travis - not rhel7stig_system_is_container diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a46c1f74..a8dab97d 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -456,6 +456,7 @@ insert: true when: - rhel7stig_boot_part not in ['/', ''] + - item.uuid is defined - not ansible_check_mode or rhel7_stig_grub_template is not changed notify: confirm grub2 user cfg @@ -474,9 +475,9 @@ - ansible_check_mode - rhel_07_021350_audit is failed failed_when: - - rhel_07_021350_audit is failed - - not ansible_check_mode or - rhel_07_021350_audit.rc > 1 + - rhel_07_021350_audit.rc not in [ 0, 1 ] + - not ansible_check_mode + when: - not ansible_check_mode or rhel7_stig_grub_template is not changed diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 694a304c..1ea2f6de 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1109,9 +1109,9 @@ ansible.builtin.package: name: "{{ item }}" state: present - with_items: - - pam_pkcs11 - - pcsc-lite-libs + with_items: + - pam_pkcs11 + - pcsc-lite-libs vars: ansible_python_interpreter: "{{ python2_bin }}" register: rhel_07_010500pkcs11install @@ -1368,7 +1368,7 @@ - name: | "MEDIUM | RHEL-07-020210 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux." "MEDIUM | RHEL-07-020220 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux targeted policy." - selinux: + ansible.posix.selinux: state: enforcing policy: targeted check_mode: "{{ ansible_check_mode or rhel7stig_system_is_chroot }}" @@ -1444,9 +1444,10 @@ - "{{ rhel7stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-07-020270 | AUDIT | Re-parse /etc/passwd since it changed." - include_tasks: parse_etc_passwd.yml # noqa: no-handler + ansible.builtin.include_tasks: + file: parse_etc_passwd.yml vars: - rhel7stig_passwd_tasks: "RHEL-07-020270" + rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler # pragma: allowlist secret when: rhel_07_020270_patch is changed when: - rhel_07_020270 @@ -1553,7 +1554,7 @@ label: "{{ rhel7stig_passwd_label }}" when: - rhel_07_020620 - - rhel7stig_interactive_uid_start | int <= item.uid + - item.uid >= rhel7stig_interactive_uid_start | int tags: - RHEL-07-020620 - CAT2 @@ -1754,7 +1755,7 @@ # set default ACLs so the homedir has an effective umask of 0027 - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - acl: + ansible.posix.acl: path: "{{ item.0 }}" default: true state: present @@ -1925,7 +1926,8 @@ register: rhel_07_020730_perms_results - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - include_tasks: audit_homedirinifiles.yml + ansible.builtin.include_tasks: + file: audit_homedirinifiles.yml loop: - "{{ rhel_07_stig_interactive_homedir_inifiles }}" loop_control: @@ -2040,7 +2042,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - "'nosuid' not in removable_mount.options" - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." ansible.posix.mount: @@ -2053,7 +2055,7 @@ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - "'nosuid' not in removable_mount2.options" when: - rhel_07_021010 - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container) @@ -3405,7 +3407,7 @@ - ldap - name: "MEDIUM | RHEL-07-040201 | PATCH | The Red Hat Enterprise Linux operating system must implement virtual address space randomization." - sysctl: + ansible.posix.sysctl: name: kernel.randomize_va_space value: '2' state: present @@ -3918,7 +3920,7 @@ - firewall - name: "MEDIUM | RHEL-07-040610 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.accept_source_route state: present value: '0' @@ -3936,7 +3938,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040611 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.rp_filter value: '1' state: present @@ -3954,7 +3956,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040612 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.rp_filter state: present value: '1' @@ -3972,7 +3974,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040620 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.accept_source_route state: present value: '0' @@ -3990,7 +3992,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040630 | PATCH | The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." - sysctl: + ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts state: present value: '1' @@ -4009,7 +4011,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040640 | PATCH | The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.accept_redirects state: present value: '0' @@ -4027,7 +4029,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040641 | PATCH | The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages" - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.accept_redirects state: present value: '0' @@ -4045,7 +4047,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040650 | PATCH | The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.send_redirects state: present value: '0' @@ -4063,7 +4065,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040660 | PATCH | The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.send_redirects state: present value: '0' @@ -4215,7 +4217,7 @@ - x11 - name: "MEDIUM | RHEL-07-040740 | PATCH | The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router." - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward state: present value: '0' @@ -4268,11 +4270,13 @@ - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." block: - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - include_tasks: audit_firewalld.yml + ansible.builtin.include_tasks: + file: audit_firewalld.yml when: rhel7stig_firewall_service == "firewalld" - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - include_tasks: audit_iptables.yml + ansible.builtin.include_tasks: + file: audit_iptables.yml when: rhel7stig_firewall_service != "firewalld" - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." @@ -4311,7 +4315,7 @@ - V-204629 - name: "MEDIUM | RHEL-07-040830 | PATCH | The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets." - sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.all.accept_source_route state: present value: '0' @@ -4742,7 +4746,7 @@ - V-250312 - name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH." - seboolean: + ansible.posix.seboolean: name: ssh_sysadm_login persistent: true state: "{{ rhel7stig_ssh_sysadm_login_state }}" diff --git a/tasks/main.yml b/tasks/main.yml index 33a01a26..2041044a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -36,7 +36,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}" vars: - sudo_password_rule: RHEL-07-010340 + sudo_password_rule: RHEL-07-010340 # pragma: allowlist secret when: - rhel_07_010340 - ansible_env.SUDO_USER is defined @@ -53,8 +53,8 @@ - name: Check rhel7stig_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" + that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" # pragma: allowlist secret when: - rhel_07_010481 or rhel_07_010482 or @@ -73,13 +73,15 @@ - always - name: include prelim tasks - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - run_audit - name: include pre-remediation audit - ansible.builtin.import_tasks: pre_remediation_audit.yml + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml when: - run_audit tags: @@ -92,21 +94,24 @@ - always - name: Include CAT I patches - ansible.builtin.import_tasks: fix-cat1.yml + ansible.builtin.import_tasks: + file: fix-cat1.yml when: rhel7stig_cat1_patch tags: - cat1 - high - name: Include CAT II patches - ansible.builtin.import_tasks: fix-cat2.yml + ansible.builtin.import_tasks: + file: fix-cat2.yml when: rhel7stig_cat2_patch tags: - cat2 - medium - name: Include CAT III patches - ansible.builtin.import_tasks: fix-cat3.yml + ansible.builtin.import_tasks: + file: fix-cat3.yml when: rhel7stig_cat3_patch tags: - cat3 @@ -133,7 +138,8 @@ - not rhel7stig_skip_reboot - name: include post-remediation audit - ansible.builtin.import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: + file: post_remediation_audit.yml when: - run_audit diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index e7b7319c..7b4d06f5 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f1863acd..a4cdb913 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -55,6 +55,7 @@ - name: "PRELIM | Install dconf" ansible.builtin.package: name: dconf + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -148,6 +149,7 @@ - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | Install grub2-tools." ansible.builtin.package: name: grub2-tools + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -157,13 +159,7 @@ rhel_07_010491 or rhel_07_021350 tags: - - cat1 - - high - - RHEL-07-010481 - - RHEL-07-010482 - - RHEL-07-010483 - - RHEL-07-010491 - - RHEL-07-021350 + - always - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | RHEL-07-021700 | Check whether machine is UEFI-based" ansible.builtin.stat: @@ -210,6 +206,7 @@ - name: "PRELIM | ensure cronie is available" ansible.builtin.package: name: cronie + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -223,9 +220,10 @@ - RHEL-07-020040 - name: "PRELIM | RHEL-07-020600 | RHEL-07-020620 | RHEL-07-020630 | RHEL-07-020640 | RHEL-07-020650 | RHEL-07-020660 | RHEL-07-020690 | Parse /etc/passwd" - ansible.builtin.include_tasks: parse_etc_passwd.yml + ansible.builtin.include_tasks: + file: parse_etc_passwd.yml vars: - rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" + rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" # pragma: allowlist secret when: - rhel_07_020600 or rhel_07_020620 or @@ -282,6 +280,7 @@ - name: "PRELIM | RHEL-07-021100 | RHEL-07-031000 | RHEL-07-031010 | Ensure rsyslog is installed when required." ansible.builtin.package: name: rsyslog + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -295,21 +294,10 @@ - RHEL-07-031000 - RHEL-07-031010 -- name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions" - ansible.builtin.shell: df --output=target /boot | tail -n 1 - changed_when: false - check_mode: false - register: rhel_07_boot_part - when: - - rhel_07_021350 - tags: - - cat1 - - high - - RHEL-07-021350 - - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -387,6 +375,7 @@ - libselinux-python - policycoreutils-python - selinux-policy-targeted + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -399,6 +388,7 @@ - name: "PRELIM | Install SSH" ansible.builtin.package: name: openssh-server + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" diff --git a/templates/01-banner-message.j2 b/templates/01-banner-message.j2 index 21e7c2b2..7d9c917b 100644 --- a/templates/01-banner-message.j2 +++ b/templates/01-banner-message.j2 @@ -1,4 +1,4 @@ -[org/gnome/login-screen] +[org/gnome/login-screen] banner-message-enable=true banner-message-text='{{ rhel7stig_logon_banner }}' diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 7e75ab30..8e562654 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -28,7 +28,7 @@ rhel7stig_cat1: {{ rhel7stig_cat1_patch }} rhel7stig_cat2: {{ rhel7stig_cat2_patch }} rhel7stig_cat3: {{ rhel7stig_cat3_patch }} -## CAT I +## CAT I RHEL_07_010010: {{ rhel_07_010010 }} RHEL_07_010020: {{ rhel_07_010020 }} RHEL_07_010290: {{ rhel_07_010290 }} @@ -337,7 +337,7 @@ rhel7stig_staff_u: # host intrision protection e.g. Mcafee HIPS rhel7stig_hip_enabled: false -rhel7stig_hip_pkg: +rhel7stig_hip_pkg: rhel7stig_hip_proc: # RHEL-07-010483 & RHEL-07-010492 diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 2b730902..445e5ef7 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -50,7 +50,7 @@ {% endif %} {% if rhel_07_030620 %} --w /var/log/lastlog -p wa -k logins +-w /var/log/lastlog -p wa -k logins {% endif %} {% if rhel_07_030630 %} diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 index 7ca73675..9fac3d9f 100644 --- a/templates/pam_pkcs11.conf.j2 +++ b/templates/pam_pkcs11.conf.j2 @@ -9,7 +9,7 @@ pam_pkcs11 { nullok = true; # Enable debugging support. - debug = false; + debug = false; # If the smart card is inserted, only use it card_only = true; @@ -32,7 +32,7 @@ pam_pkcs11 { screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module {{ rhel07stig_smartcarddriver }} { - {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} + {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} module = /usr/lib64/libcackey.so; description = "{{ rhel07stig_smartcarddriver }}"; slot_num = 0; @@ -54,7 +54,7 @@ pam_pkcs11 { # you can mange the certs in this database with the certutil command in # the package nss-tools nss_dir = /etc/pki/nssdb; - + # Sets the Certificate Policy, (see above) cert_policy = ca, signature; } @@ -96,10 +96,10 @@ pam_pkcs11 { # When no absolute path or module info is provided, use this # value as module search path # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH + # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; - # + # # Generic certificate contents mapper mapper generic { debug = true; @@ -170,7 +170,7 @@ pam_pkcs11 { # DN to bind with. Must have read-access for user entries under "base" binddn = "cn=pam,o=example,c=com"; # Password for above DN - passwd = "test"; + passwd = "test"; # pragma: allowlist secret # Searchbase for user entries base = "ou=People,o=example,c=com"; # Attribute of user entry which contains the certificate @@ -194,7 +194,7 @@ pam_pkcs11 { module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or - # leave empty "" or "none" to use no map + # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; diff --git a/vars/Centos.yml b/vars/Centos.yml deleted file mode 100644 index 05e0e648..00000000 --- a/vars/Centos.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -gpg_keys: - - name: 'CentOS 7 Official Signing Key' - packager: "security@centos.org" - fingerprint: "6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5" - -gpg_package: centos-release -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7