From aa000e8c31a227501a657baa3ec7327a6e776a60 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Oct 2023 15:39:15 +0100
Subject: [PATCH 1/7] lint updates
Signed-off-by: Mark Bolwell
---
 CONTRIBUTING.rst | 1 -
 ChangeLog.md | 4 ++--
 ansible.cfg | 1 -
 doc/README.md | 1 -
 templates/01-banner-message.j2 | 2 +-
 templates/ansible_vars_goss.yml.j2 | 4 ++--
 templates/audit/99_auditd.rules.j2 | 2 +-
 templates/pam_pkcs11.conf.j2 | 12 ++++++------
 8 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 2fa743d8..23ce2fb7 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -65,4 +65,3 @@ following text in your contribution commit message: This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s` option to `git commit` to automatically include the signoff message.
-
diff --git a/ChangeLog.md b/ChangeLog.md
index 0859edd9..608849fd 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -115,14 +115,14 @@ README
 ## Release 1.9.0
-- RHEL-07-010271 - New Control Added
+- RHEL-07-010271 - New Control Added
 - Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below
 - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text.
 - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives.
 - RHEL-07-030840 - Updated check and fix text.
 - RHEL-07-040160 - Updated check text.
 - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion.
- - RHEL-07-040360, RHEL-07-040530 - Updated CCI.
+ - RHEL-07-040360, RHEL-07-040530 - Updated CCI.
 - Update to README and requirements
 - RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information
diff --git a/ansible.cfg b/ansible.cfg
index f0ab6836..c7c4ec86 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -23,4 +23,3 @@ transfer_method=scp
 [colors]
 [diff]
-
diff --git a/doc/README.md b/doc/README.md
index fb11aec8..923de017 100644
--- a/doc/README.md
+++ b/doc/README.md
@@ -5,4 +5,3 @@ To generate the documentation on a RHEL/CentOS 7 system, take the following step
 * `sudo pip3 install -r requirements.txt`
 3. Generate the documentation:
 * `make singlehtml`
-
diff --git a/templates/01-banner-message.j2 b/templates/01-banner-message.j2
index 21e7c2b2..7d9c917b 100644
--- a/templates/01-banner-message.j2
+++ b/templates/01-banner-message.j2
@@ -1,4 +1,4 @@
-[org/gnome/login-screen]
+[org/gnome/login-screen]
 banner-message-enable=true
 banner-message-text='{{ rhel7stig_logon_banner }}'
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index 7e75ab30..8e562654 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -28,7 +28,7 @@ rhel7stig_cat1: {{ rhel7stig_cat1_patch }}
 rhel7stig_cat2: {{ rhel7stig_cat2_patch }}
 rhel7stig_cat3: {{ rhel7stig_cat3_patch }}
-## CAT I
+## CAT I
 RHEL_07_010010: {{ rhel_07_010010 }}
 RHEL_07_010020: {{ rhel_07_010020 }}
 RHEL_07_010290: {{ rhel_07_010290 }}
@@ -337,7 +337,7 @@ rhel7stig_staff_u:
 # host intrision protection e.g. Mcafee HIPS
 rhel7stig_hip_enabled: false
-rhel7stig_hip_pkg:
+rhel7stig_hip_pkg:
 rhel7stig_hip_proc:
 # RHEL-07-010483 & RHEL-07-010492
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index 2b730902..445e5ef7 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -50,7 +50,7 @@
 {% endif %}
 {% if rhel_07_030620 %}
--w /var/log/lastlog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
 {% endif %}
 {% if rhel_07_030630 %}
diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2
index 7ca73675..657b9931 100644
--- a/templates/pam_pkcs11.conf.j2
+++ b/templates/pam_pkcs11.conf.j2
@@ -9,7 +9,7 @@ pam_pkcs11 {
 nullok = true;
 # Enable debugging support.
- debug = false;
+ debug = false;
 # If the smart card is inserted, only use it
 card_only = true;
@@ -32,7 +32,7 @@ pam_pkcs11 {
 screen_savers = gnome-screensaver,xscreensaver,kscreensaver
 pkcs11_module {{ rhel07stig_smartcarddriver }} {
- {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %}
+ {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %}
 module = /usr/lib64/libcackey.so;
 description = "{{ rhel07stig_smartcarddriver }}";
 slot_num = 0;
@@ -54,7 +54,7 @@ pam_pkcs11 {
 # you can mange the certs in this database with the certutil command in
 # the package nss-tools
 nss_dir = /etc/pki/nssdb;
-
+
 # Sets the Certificate Policy, (see above)
 cert_policy = ca, signature;
 }
@@ -96,10 +96,10 @@ pam_pkcs11 {
 # When no absolute path or module info is provided, use this
 # value as module search path
 # TODO:
- # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
+ # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
 mapper_search_path = /usr/$LIB/pam_pkcs11;
- #
+ #
 # Generic certificate contents mapper
 mapper generic {
 debug = true;
@@ -194,7 +194,7 @@ pam_pkcs11 {
 module = internal;
 # module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
 # Declare mapfile or
- # leave empty "" or "none" to use no map
+ # leave empty "" or "none" to use no map
 mapfile = file:///etc/pam_pkcs11/mail_mapping;
 # Some certs store email in uppercase. take care on this
 ignorecase = true;
From d14af2e9be8c479f3d429fb03b6b1b89865533cd Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Oct 2023 15:39:26 +0100
Subject: [PATCH 2/7] updated
Signed-off-by: Mark Bolwell
---
 .config/.secrets.baseline | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
index 47521f1c..a363f314 100644
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@@ -75,10 +75,6 @@
 {
 "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
 },
- {
- "path": "detect_secrets.filters.common.is_baseline_file",
- "filename": ".config/.secrets.baseline"
- },
 {
 "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
 "min_level": 2
@@ -113,7 +109,8 @@
 {
 "path": "detect_secrets.filters.regex.should_exclude_file",
 "pattern": [
- ".config/.gitleaks-report.json"
+ ".config/.gitleaks-report.json",
+ "tasks/parse_etc_password.yml"
 ]
 }
 ],
@@ -124,8 +121,7 @@
 "filename": "defaults/main.yml",
 "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
 "is_verified": false,
- "line_number": 467,
- "is_secret": false
+ "line_number": 467
 }
 ],
 "tasks/fix-cat2.yml": [
@@ -134,8 +130,7 @@
 "filename": "tasks/fix-cat2.yml",
 "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859",
 "is_verified": false,
- "line_number": 1450,
- "is_secret": false
+ "line_number": 1450
 }
 ],
 "tasks/main.yml": [
@@ -144,16 +139,14 @@
 "filename": "tasks/main.yml",
 "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e",
 "is_verified": false,
- "line_number": 39,
- "is_secret": false
+ "line_number": 39
 },
 {
 "type": "Secret Keyword",
 "filename": "tasks/main.yml",
 "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
 "is_verified": false,
- "line_number": 56,
- "is_secret": false
+ "line_number": 56
 }
 ],
 "tasks/parse_etc_passwd.yml": [
@@ -171,8 +164,7 @@
 "filename": "tasks/prelim.yml",
 "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a",
 "is_verified": false,
- "line_number": 232,
- "is_secret": false
+ "line_number": 232
 }
 ],
 "templates/pam_pkcs11.conf.j2": [
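Review bot: The `is_baseline_file` filter removed in the `@@ -75,10 +75,6 @@` hunk is the filter that tells detect-secrets to skip `.config/.secrets.baseline` itself, so once it is gone the hex `hashed_secret` values stored in this very file could start showing up as findings on the next scan. This looks like the side effect of regenerating with a bare `detect-secrets scan > .config/.secrets.baseline` instead of `detect-secrets scan --baseline .config/.secrets.baseline`, which is what keeps the filter in place; I would regenerate that way or restore the four removed lines verbatim. This is inferred from the shape of the change and the tool's usual behaviour, not from anything else in the commit.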
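Review bot: The new `should_exclude_file` pattern `"tasks/parse_etc_password.yml"` in the `@@ -113,7 +109,8 @@` hunk does not name a file that exists in this baseline; the results section of the same file records the finding under `"tasks/parse_etc_passwd.yml"`, so as committed the exclusion matches nothing and the finding it was meant to silence is still live. The path in the pattern should be `tasks/parse_etc_passwd.yml`, and since `pattern` is a regex it would be tidier anchored, e.g. `"^tasks/parse_etc_passwd\\.yml$"`.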
@@ -181,10 +173,9 @@
 "filename": "templates/pam_pkcs11.conf.j2",
 "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
 "is_verified": false,
- "line_number": 173,
- "is_secret": false
+ "line_number": 173
 }
 ]
 },
- "generated_at": "2023-09-15T16:02:38Z"
+ "generated_at": "2023-10-09T14:38:05Z"
 }
From 1dc0f9b6af888b6f8dd40358ec27a6b0cadc0cba Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Oct 2023 15:43:48 +0100
Subject: [PATCH 3/7] added pragma allow list
Signed-off-by: Mark Bolwell
---
 .config/.secrets.baseline | 68 ++----------------------------------
 defaults/main.yml | 2 +-
 tasks/fix-cat2.yml | 2 +-
 tasks/main.yml | 6 ++--
 tasks/prelim.yml | 2 +-
 templates/pam_pkcs11.conf.j2 | 2 +-
 6 files changed, 10 insertions(+), 72 deletions(-)
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
index a363f314..eab74d91 100644
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@@ -110,72 +110,10 @@
 "path": "detect_secrets.filters.regex.should_exclude_file",
 "pattern": [
 ".config/.gitleaks-report.json",
- "tasks/parse_etc_password.yml"
+ "tasks/parse_etc_passwd.yml"
 ]
 }
 ],
- "results": {
- "defaults/main.yml": [
- {
- "type": "Secret Keyword",
- "filename": "defaults/main.yml",
- "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
- "is_verified": false,
- "line_number": 467
- }
- ],
- "tasks/fix-cat2.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/fix-cat2.yml",
- "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859",
- "is_verified": false,
- "line_number": 1450
- }
- ],
- "tasks/main.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/main.yml",
- "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e",
- "is_verified": false,
- "line_number": 39
- },
- {
- "type": "Secret Keyword",
- "filename": "tasks/main.yml",
- "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
- "is_verified": false,
- "line_number": 56
- }
- ],
- "tasks/parse_etc_passwd.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/parse_etc_passwd.yml",
- "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
- "is_verified": false,
- "line_number": 18
- }
- ],
- "tasks/prelim.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/prelim.yml",
- "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a",
- "is_verified": false,
- "line_number": 232
- }
- ],
- "templates/pam_pkcs11.conf.j2": [
- {
- "type": "Secret Keyword",
- "filename": "templates/pam_pkcs11.conf.j2",
- "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
- "is_verified": false,
- "line_number": 173
- }
- ]
- },
- "generated_at": "2023-10-09T14:38:05Z"
+ "results": {},
+ "generated_at": "2023-10-09T14:42:52Z"
 }
diff --git a/defaults/main.yml b/defaults/main.yml
index 916abcca..5310cee1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
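Review bot: The `should_exclude_file` pattern for `tasks/parse_etc_passwd.yml` suppresses the entire file, which is a broader carve-out than the per-line `# pragma: allowlist secret` used for the other five findings in this same commit; any real credential that lands in that task file later will not be reported either. The only finding it hides is the `Secret Keyword` at `line_number: 18` recorded in the block being removed, so the narrower fix is to drop the pattern and mark that one line with `# pragma: allowlist secret`, exactly as `tasks/prelim.yml` is handled in this series. The pattern is also an unanchored regex (`.` matches any character), harmless today but easy to over-match if more entries are added.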
@@ -464,7 +464,7 @@ rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"
 # RHEL-07-010480 and RHEL-07-010490
 # Password protect the boot loader
-rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
+rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
 rhel7stig_boot_superuser: root
 # RHEL-07-021700 set the value for correctly configured grub bootloader sequence
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index de38a195..0355d7a5 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1447,7 +1447,7 @@
 ansible.builtin.include_tasks:
 file: parse_etc_passwd.yml
 vars:
- rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler
+ rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler # pragma: allowlist secret
 when: rhel_07_020270_patch is changed
 when:
 - rhel_07_020270
diff --git a/tasks/main.yml b/tasks/main.yml
index e807f16e..2041044a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -36,7 +36,7 @@
 fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
 success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}"
 vars:
- sudo_password_rule: RHEL-07-010340
+ sudo_password_rule: RHEL-07-010340 # pragma: allowlist secret
 when:
 - rhel_07_010340
 - ansible_env.SUDO_USER is defined
@@ -53,8 +53,8 @@
 - name: Check rhel7stig_bootloader_password_hash variable has been changed
 ansible.builtin.assert:
- that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
- msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'"
+ that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
+ msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" # pragma: allowlist secret
 when:
 - rhel_07_010481 or
 rhel_07_010482 or
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 84373abd..8bfaf00b 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -229,7 +229,7 @@
 ansible.builtin.include_tasks:
 file: parse_etc_passwd.yml
 vars:
- rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690"
+ rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" # pragma: allowlist secret
 when:
 - rhel_07_020600 or
 rhel_07_020620 or
diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2
index 657b9931..9fac3d9f 100644
--- a/templates/pam_pkcs11.conf.j2
+++ b/templates/pam_pkcs11.conf.j2
@@ -170,7 +170,7 @@ pam_pkcs11 {
 # DN to bind with. Must have read-access for user entries under "base"
 binddn = "cn=pam,o=example,c=com";
 # Password for above DN
- passwd = "test";
+ passwd = "test"; # pragma: allowlist secret
 # Searchbase for user entries
 base = "ou=People,o=example,c=com";
 # Attribute of user entry which contains the certificate
From 6098b0256fc2e5c233e3b4ae9fd6d91e5d2d3788 Mon Sep 17 00:00:00 2001
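Review bot: `passwd = "test"; # pragma: allowlist secret` in the `pam_pkcs11.conf.j2` hunk hides the scanner finding without removing what it found: this is a template the role renders onto managed hosts, so a literal LDAP bind password copied from the upstream sample config is still written into `/etc/pam_pkcs11/pam_pkcs11.conf` on every target, and the pragma comment now ships with it (harmless only if scconf treats `#` to end-of-line as a comment, which I believe it does but have not verified). Given that `binddn = "cn=pam,o=example,c=com"` on the line above is obviously placeholder material, I would render the password from a role variable with an empty default, or drop the whole mapper block if it is not listed in `use_mappers`; that line is outside this hunk, so whether the block is live cannot be confirmed here. The enclosing mapper block (presumably the ldap mapper) starts and ends outside the hunk.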
From: Mark Bolwell
Date: Mon, 9 Oct 2023 16:03:42 +0100
Subject: [PATCH 4/7] updated due to galaxy changes
Signed-off-by: Mark Bolwell
---
 collections/requirements.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/collections/requirements.yml b/collections/requirements.yml
index 4a418efa..8ebc6180 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -1,8 +1,14 @@
 ---
 collections:
-- name: community.general
+ - name: community.general
+ source: https://github.com/ansible-collections/community.general
+ type: git
-- name: community.crypto
+ - name: community.crypto
+ source: https://github.com/ansible-collections/community.crypto
+ type: git
-- name: ansible.posix
+ - name: ansible.posix
+ source: https://github.com/ansible-collections/ansible.posix
+ type: git
From 197f96149baf54fdf668d9e96ba9dba9e2a4c0ed Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Oct 2023 16:06:34 +0100
Subject: [PATCH 5/7] moved file
Signed-off-by: Mark Bolwell
---
 {vars => tasks}/CentOS.yml | 0
 vars/Centos.yml | 9 ---------
 2 files changed, 9 deletions(-)
 rename {vars => tasks}/CentOS.yml (100%)
 delete mode 100644 vars/Centos.yml
diff --git a/vars/CentOS.yml b/tasks/CentOS.yml
similarity index 100%
rename from vars/CentOS.yml
rename to tasks/CentOS.yml
diff --git a/vars/Centos.yml b/vars/Centos.yml
deleted file mode 100644
index 05e0e648..00000000
--- a/vars/Centos.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-
-gpg_keys:
- - name: 'CentOS 7 Official Signing Key'
- packager: "security@centos.org"
- fingerprint: "6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5"
-
-gpg_package: centos-release
-rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
From d49469b0b69672411a59f4c9d703ba3e318f0b0b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Oct 2023 16:06:55 +0100
Subject: [PATCH 6/7] updated path
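Review bot: None of the three new `source:`/`type: git` entries in `collections/requirements.yml` carries a `version:`, so `ansible-galaxy collection install -r collections/requirements.yml` will, as far as I know, check out whatever the repository's default branch points at on the day it runs; that makes the role's dependency set unreproducible and means a force-pushed or compromised upstream branch flows straight into every install. Git sources also cannot be signature-verified the way server-resolved installs can where the Galaxy server provides signatures, so the pin is the only integrity control left. Add a `version:` line under each `source:` naming a release tag or, better, a full commit SHA, and keep a `version:` constraint even if these entries move back to Galaxy once the galaxy-ng issue named in the commit title settles.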
Signed-off-by: Mark Bolwell
---
 {tasks => vars}/CentOS.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {tasks => vars}/CentOS.yml (100%)
diff --git a/tasks/CentOS.yml b/vars/CentOS.yml
similarity index 100%
rename from tasks/CentOS.yml
rename to vars/CentOS.yml
From 5aae574e522fc3ae91f62d6dff6e97dbfc0d9049 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Oct 2023 16:24:50 +0100
Subject: [PATCH 7/7] removed quality badge since galaxy-ng
Signed-off-by: Mark Bolwell
---
 README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index 40081ffc..70be8088 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,6 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)