diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index e02fe1f0..c9328cbc 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ jobs: # This will create messages for first time contributers and direct them to the Discord server welcome: - runs-on: self-hosted + runs-on: ubuntu-latest steps: - uses: actions/first-interaction@main @@ -70,7 +70,6 @@ echo IAC_BRANCH=main >> $GITHUB_ENV fi - # Pull in terraform code for linux servers - name: Clone GitHub IaC plan uses: actions/checkout@v4 diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 4a5adc9c..ab11c37b 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -23,18 +23,6 @@ # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: self-hosted - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on diff --git a/ChangeLog.md b/ChangeLog.md index d362e9f2..86a695a3 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
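Review bot: The welcome job in devel_pipeline_validation.yml now runs on a GitHub-hosted runner but still consumes `actions/first-interaction@main`, a mutable branch reference, while the matching job removed from main_pipeline_validation.yml shows it receives `repo-token: ${{ secrets.GITHUB_TOKEN }}`; the `with:` block of the devel job continues outside the hunk. A moving ref means whatever lands on that branch later runs with the repository token without any change to this workflow, so it should be pinned to an immutable ref, e.g. `uses: actions/first-interaction@<release-tag-or-full-commit-sha>  # constructed placeholder, resolve before merging`. Pinning to a full commit SHA rather than a tag is the stronger choice since tags can be moved.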
@@ -1,12 +1,19 @@ # Changelog -## 3.2 STIG V3R13 25th Oct 2023 - -- updated workflow to use new methods - - new ami being used as old obsolete -- Updated the audit layout -- New options if using CentOS to update repo files to vaulted.repo - - rhel7stig_add_updated_repo +## 3.2 STIG v3R14 24th Jan 2024 + +- Audit updated + - moved audit into prelim + - updates to audit logic for copy and archive options + +- RHEL-07-020019 - title and ruleid update +- RHEL-07-020022 - ruleid update +- RHEL-07-020210 - ruleid update +- RHEL-07-020220 - ruleid update +- RHEL-07-020100 - ruleid update and bin/false +- RHEL-07-020101 - ruleid update and bin/false +- RHEL-07-040180 - ruleid update and bin/false +- RHEL-07-040190 - ruleid update and bin/false ## 3.1 STIG V3R13 25th Oct 2023 diff --git a/README.md b/README.md index 9d9c4d84..dddbdb35 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL7 based system to be complaint with Disa STIG -This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 13 released on October 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R13_STIG.zip). +This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 14 released on January 24, 2024 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R14_STIG.zip). --- diff --git a/defaults/main.yml b/defaults/main.yml index f4841b9f..7850f265 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,7 +13,7 @@ python2_bin: /bin/python2.7 # audit variable found at the base benchmark: RHEL7-STIG ## metadata for Audit benchmark -benchmark_version: 'v3r13' +benchmark_version: 'v3r14' # Whether to skip the reboot rhel7stig_skip_reboot: true 
@@ -23,10 +23,6 @@ rhel7stig_skip_reboot: true # It will add the new vaulted location where it is possible to get updates and package rhel7stig_add_updated_repo: false -### -### Settings for associated Audit role using Goss -### - ########################################### ### Goss is required on the remote host ### ### vars/auditd.yml for other settings ### @@ -77,6 +73,7 @@ audit_log_dir: '/opt' ### Goss Settings ## ####### END ######## + #### Detailed settings found at the end of this document #### # We've defined complexity-high to mean that we cannot automatically remediate @@ -375,8 +372,8 @@ rhel_07_040000: true rhel_07_040530: true rhel_07_040600: true -# Whether or not to run tasks related to auditing/patching the desktop environment -rhel7stig_gui: false +# Whether or not to run tasks related to auditing/patching the desktop environment - is discovered if using gnome +rhel7stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" # Whether to configure dconf rules unconditionally (ignoring presence of dconf # or rhel7stig_gui) @@ -692,10 +689,6 @@ update_audit_template: false # RHEL-07-030300 uncomment and set the value to a remote IP address that can receive audit logs # rhel7stig_audisp_remote_server: 10.10.10.10 -# RHEL-07-030330: set this to 25% of the free space in /var/log/audit (measured in megabytes) -rhel7stig_auditd_space_left: "{{ ( ansible_mounts | json_query(rhel7stig_audit_disk_size_query) | int / 4 / 1024 / 1024 ) | int + 1 }}" -rhel7stig_audit_disk_size_query: "[?mount=='{{ rhel7stig_audit_part }}'].size_total | [0]" - # RHEL-07-030350 rhel7stig_audit_daemon: auditd rhel7stig_auditd_mail_acct: root 
@@ -749,12 +742,6 @@ rhel7stig_efi_boot_path: '/boot/efi/EFI/' rhel7stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -rhel7stig_local_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_local_mounts_query) }}" -rhel7stig_local_mounts_query: "[?starts_with(device, '/dev/')].mount" - -rhel7stig_nfs_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_nfs_mounts_query) }}" -rhel7stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount" - # DNS Servers to configure, you need two to conform to STIG standards rhel_07_040600_dns_servers: - 9.9.9.9 diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 84ca19f8..19e0272f 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -574,7 +574,7 @@ - name: "HIGH | RHEL-07-040540 | The Red Hat Enterprise Linux operating system must not contain .shosts files." block: - name: "HIGH | RHEL-07-040540 | AUDIT | The Red Hat Enterprise Linux operating system must not contain .shosts files." - ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name '.shosts' + ansible.builtin.shell: find / -xdev -not -fstype nfs -name '.shosts' check_mode: false changed_when: false register: rhel_07_040540_audit @@ -599,7 +599,7 @@ - name: "HIGH | RHEL-07-040550 | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." block: - name: "HIGH | RHEL-07-040550 | AUDIT | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." - ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name 'shosts.equiv' + ansible.builtin.shell: find / -xdev -not -fstype nfs -name 'shosts.equiv' check_mode: false changed_when: false register: rhel_07_040550_audit diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index d95cc5e3..b1752277 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
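Review bot: Replacing `find {{ rhel7stig_local_mounts | join(' ') }} -xdev ...` with `find / -xdev -not -fstype nfs ...` in the RHEL-07-040540 and RHEL-07-040550 audit tasks narrows the scan to the root filesystem only, because `-xdev` stops find from descending into any other mounted filesystem, so a separate /home, /var or /tmp is no longer checked for .shosts or shosts.equiv. The `-not -fstype nfs` clause is redundant once `-xdev` is in place (it can only matter if / itself is NFS), so it does not restore the lost coverage. The same regression appears in the RHEL-07-020900 and RHEL-07-021030 audits later in fix-cat2.yml, and the `-not -fstype nfs` addition to RHEL-07-020730 is likewise a no-op under `-xdev`. Keeping the per-mount form with the list this commit introduces in prelim.yml, e.g. `ansible.builtin.shell: find {{ prelim_local_mount_names | join(' ') }} -xdev -name '.shosts'`, preserves the previous coverage, provided that list is restricted to local (non-NFS, non-bind) mounts.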
@@ -1051,6 +1051,7 @@ path: /etc/grub.d/01_users regexp: "{{ item.regexp }}" line: "{{ item.line }}" + create: true notify: - make grub2 config with_items: @@ -1292,7 +1293,7 @@ - file: /etc/modprobe.d/usb-storage.conf insertafter: "^#install usb-storage" regexp: "^install usb-storage" - line: install usb-storage /bin/true + line: install usb-storage /bin/false when: - rhel_07_020100 tags: @@ -1302,7 +1303,7 @@ - CCI-000778 - CCI-000366 - SRG-OS-000114-GPOS-00059 - - SV-204449r603261_rule + - SV-204449r942894_rule - V-204449 - usb_devices @@ -1324,7 +1325,7 @@ - file: /etc/modprobe.d/dccp.conf insertafter: ^#install dccp regexp: "^install dccp " - line: install dccp /bin/true + line: install dccp /bin/false when: - rhel_07_020101 tags: @@ -1332,7 +1333,7 @@ - CAT2 - CCI-001958 - SRG-OS-000378-GPOS-00163 - - SV-204450r603261_rule + - SV-204450r942897_rule - V-204450 - dccp @@ -1382,7 +1383,7 @@ - CCI-002696 - CCI-002165 - SRG-OS-000445-GPOS-00199 - - SV-204453r754746_rule + - SV-204453r942900_rule - V-204453 - RHEL-07-020220 - SV-204454r754748_rule 
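Review bot: Adding `create: true` to the lineinfile task for `/etc/grub.d/01_users` without a `mode` creates a fresh file with the umask-derived default (typically 0644), and grub2-mkconfig only executes snippets in /etc/grub.d that are executable, so a created 01_users would be silently ignored by the `make grub2 config` handler and the bootloader protection would not be applied. Add `owner: root`, `group: root` and `mode: '0755'` alongside `create: true` so a newly created file is picked up. Also worth confirming that the `item.line` values inserted here form a complete snippet (shebang and the surrounding shell) when the file did not previously exist, since lineinfile only writes those lines; the task's `with_items` list continues outside the hunk.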
@@ -1463,18 +1464,17 @@ - name: "MEDIUM | RHEL-07-020320 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." block: - name: "MEDIUM | RHEL-07-020320 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." - ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser + ansible.builtin.shell: find "{{ item }}" -xdev -nouser check_mode: false failed_when: false changed_when: false register: rhel_07_020320_audit with_items: - - "{{ ansible_mounts }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] + - "{{ prelim_local_mount_names }}" - name: "MEDIUM | RHEL-07-020320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." ansible.builtin.debug: - msg: "Warning!! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning!! Manual intervention is required -- missing owner on items in {{ item.stdout_lines }}" changed_when: rhel7stig_audit_complex with_items: - "{{ rhel_07_020320_audit.results }}" 
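Review bot: Switching the RHEL-07-020320 audit from `ansible_mounts` to `prelim_local_mount_names` drops the `item['device'].startswith('/dev') and not 'bind' in item['options']` filter, so `find -xdev -nouser` now runs against every mount point, including NFS (where unmapped remote UIDs produce false positives) and bind mounts (which duplicate findings), unless that list is filtered where it is built. The warning message also lost the mount path: `item.item` is now the plain mount string, so `msg: "Warning!! Manual intervention is required -- missing owner on items in {{ item.item }}: {{ item.stdout_lines | join(', ') }}"` keeps the location the operator needs for manual remediation. The RHEL-07-020330 (group owner) hunk that follows has the identical filter loss and message change and should be fixed the same way.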
@@ -1496,18 +1496,17 @@ - name: "MEDIUM | RHEL-07-020330 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." block: - name: "MEDIUM | RHEL-07-020330 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." - ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup + ansible.builtin.shell: find "{{ item }}" -xdev -nogroup check_mode: false failed_when: false changed_when: false register: rhel_07_020330_audit with_items: - - "{{ ansible_mounts }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] + - "{{ prelim_local_mount_names }}" - name: "MEDIUM | RHEL-07-020330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." ansible.builtin.debug: - msg: "Warning!! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning!! Manual intervention is required -- missing group on items in {{ item.stdout_lines }}" changed_when: rhel7stig_audit_complex with_items: - "{{ rhel_07_020330_audit.results }}" 
@@ -1880,7 +1879,7 @@ - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." block: - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." - ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath with_items: "{{ rhel_07_stig_interactive_homedir_results }}" changed_when: false failed_when: false @@ -1920,7 +1919,7 @@ block: # Let's find any progerams with world-writable permissions. - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - ansible.builtin.shell: find / -xdev -perm -002 -type f -exec ls -ld {} \; | awk '{print $9}' + ansible.builtin.shell: find / -xdev -not -fstype nfs -perm -002 -type f -exec ls -ld {} \; | awk '{print $9}' failed_when: false changed_when: false register: rhel_07_020730_perms_results 
@@ -1981,7 +1980,7 @@ - name: "MEDIUM | RHEL-07-020900 | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." block: - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." - ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -context *:device_t:* -o -context *:unlabeled_t:* -type c -o -type b -printf '%p %Z\n' + ansible.builtin.shell: find / -xdev -not -fstype nfs -context *:device_t:* -o -context *:unlabeled_t:* -type c -o -type b -printf '%p %Z\n' changed_when: false check_mode: false register: rhel_07_020900_audit @@ -2012,15 +2011,16 @@ ansible.posix.mount: path: /home state: mounted - src: "{{ home_mount.device }}" - fstype: "{{ home_mount.fstype }}" - opts: "{{ home_mount.options }},nosuid" - vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" # noqa: jinja[invalid] + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + opts: "{{ item.options }},nosuid" + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" when: - rhel_07_021000 - - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - item.mount == "/home" + - "'nosuid' not in item.options" tags: - RHEL-07-021000 - CAT2 
@@ -2035,27 +2035,29 @@ ansible.posix.mount: path: /media state: mounted - src: "{{ removable_mount.device }}" - fstype: "{{ removable_mount.fstype }}" - opts: "{{ removable_mount.options }},nosuid" - vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + opts: "{{ item.options }},nosuid" + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" when: - - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nosuid' not in removable_mount.options" + - item.mount == "/media" + - "'nosuid' not in item.options" - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." ansible.posix.mount: path: /mnt state: mounted - src: "{{ removable_mount2.device }}" - fstype: "{{ removable_mount2.fstype }}" - opts: "{{ removable_mount2.options }},nosuid" - vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + opts: "{{ item.options }},nosuid" + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" when: - - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nosuid' not in removable_mount2.options" + - item.mount == "/mnt" + - "'nosuid' not in item.options" when: - rhel_07_021010 - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container) 
@@ -2070,19 +2072,15 @@ - name: "MEDIUM | RHEL-07-021020 | PATCH | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)." ansible.posix.mount: path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},nosuid" + src: "{{ item.src }}" + fstype: "{{ aitem.fstype }}" + opts: "{{ item.opts,nosuid }}" state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] - options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: - - "{{ rhel7stig_nfs_mounts }}" + - "{{ prelim_nfs_mount_names }}" when: - rhel_07_021020 - - "'nosuid' not in (ansible_mounts | json_query(options_query))" + - "'nosuid' not in item" tags: - RHEL-07-021020 - CAT2 
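Review bot: The rewritten RHEL-07-021020 patch task cannot run: `item` is a mount-point string from `prelim_nfs_mount_names`, so `item.src` and `item.opts` do not exist, `aitem.fstype` is a typo for an undefined variable, `"{{ item.opts,nosuid }}"` is not valid Jinja, and `"'nosuid' not in item"` tests the mount path rather than its options. The net effect is that any host with an NFS mount fails this task and the nosuid remediation is never applied, while hosts without NFS skip it silently. The RHEL-07-021021 (noexec) hunk that follows has the identical defects. Iterating `ansible_facts.mounts` and selecting NFS entries, as this commit already does for /home, /media and /mnt, gives the task real device, fstype and options values; the rewritten task body is below, with tags unchanged.

```yaml
- name: "MEDIUM | RHEL-07-021020 | PATCH | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."
  ansible.posix.mount:
    path: "{{ item.mount }}"
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    opts: "{{ item.options }},nosuid"
    state: mounted
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.mount }}"
  when:
    - rhel_07_021020
    - item.fstype is match('^nfs')
    - "'nosuid' not in item.options"
  # … unchanged: tags …
```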
@@ -2095,19 +2093,15 @@ - name: "MEDIUM | RHEL-07-021021 | PATCH | The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)." ansible.posix.mount: path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},noexec" + src: "{{ item.src }}" + fstype: "{{ aitem.fstype }}" + opts: "{{ item.opts,noexec }}" state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] - options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: - - "{{ rhel7stig_nfs_mounts }}" + - "{{ prelim_nfs_mount_names }}" when: - rhel_07_021021 - - "'noexec' not in (ansible_mounts | json_query(options_query))" + - "'noexec' not in item" tags: - RHEL-07-021021 - CAT2 @@ -2120,7 +2114,7 @@ - name: "MEDIUM | RHEL-07-021030 | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." block: - name: "MEDIUM | RHEL-07-021030 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." - ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -type d -perm -002 -gid +999 + ansible.builtin.shell: find / -xdev -not -fstype nfs -type d -perm -002 -gid +999 changed_when: rhel_07_021030_audit.stdout != "" check_mode: false register: rhel_07_021030_audit @@ -2498,7 +2492,7 @@ ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: ^space_left += - line: "space_left = {{ [rhel7stig_auditd_space_left | int, 51] | max }}" + line: "space_left = 25%" when: - rhel_07_030330 tags: 
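Review bot: Hard-coding `line: "space_left = 25%"` for RHEL-07-030330 assumes the installed auditd parses a percentage in space_left; the audit 2.8.x series shipped with RHEL 7 documents this key as a numeric megabyte value, and an unparseable auditd.conf stops auditd from starting, which would leave the host without audit logging after remediation. The commit also removes the numeric `rhel7stig_auditd_space_left` computation from defaults/main.yml, so there is no longer a fallback. Confirm against the target auditd version before merging, and if percentage support is not guaranteed keep a numeric form behind a version check or document the minimum audit package this role now requires.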
@@ -3399,10 +3393,10 @@ - SV-204581r603261_rule - V-204581 - RHEL-07-040190 - - SV-204582r603261_rule + - SV-204582r942909_rule - V-204582 - RHEL-07-040200 - - SV-204583r603261_rule + - SV-204583r942912_rule - V-204583 - ldap @@ -4198,9 +4192,7 @@ - name: "MEDIUM | RHEL-07-040730 | PATCH | The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved." ansible.builtin.package: - name: - - "@x11" - - xorg-x11-server-common + name: "{{ rhel7stig_gui_pkgs }}" state: absent vars: ansible_python_interpreter: "{{ python2_bin }}" 
@@ -4419,16 +4411,35 @@ - name: "MEDIUM | RHEL-07-041010 | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled." block: + - name: "MEDIUM | RHEL-07-041010 | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled. | Discover if wirelss adapter on system" + ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless + changed_when: false + failed_when: discovered_wireless_adapters.rc not in [ 0, 1 ] + register: discovered_wireless_adapters + + - name: "MEDIUM | RHEL-07-041010 | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled. | if wireless adapter present" + ansible.builtin.package: + name: NetworkManager + state: present + when: + - discovered_wireless_adapters.rc == 0 + - "'NetworkManager' not in ansible_facts.packages" + - name: "MEDIUM | RHEL-07-041010 | AUDIT | check if wifi is enabled" ansible.builtin.shell: nmcli radio wifi changed_when: false check_mode: false + failed_when: rhel_07_wifi_enabled.rc not in [ 0, 1 ] register: rhel_07_wifi_enabled + when: + - discovered_wireless_adapters.rc == 0 - name: "MEDIUM | RHEL-07-041010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled." ansible.builtin.shell: nmcli radio wifi off when: + - discovered_wireless_adapters.rc == 0 - "'enabled' in rhel_07_wifi_enabled.stdout" + - rhel_07_wifi_enabled.rc == 0 when: - rhel_07_041010 - "'NetworkManager' in ansible_facts.packages" 
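Review bot: The new wireless-adapter discovery keys every later step on `discovered_wireless_adapters.rc == 0`, but `find /sys/class/net/*/ -type d -name wireless` exits 0 whether or not it matches anything, so the presence check is always true on a healthy host and the `nmcli` steps run exactly as before. Use the output instead: `- discovered_wireless_adapters.stdout | length > 0` in place of each `- discovered_wireless_adapters.rc == 0` (three occurrences in this hunk). The added "install NetworkManager if wireless adapter present" task is also unreachable, because the block's outer `when` at the end of the hunk still requires `'NetworkManager' in ansible_facts.packages`; either drop that outer condition or remove the install task so the intent is clear.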
@@ -4444,11 +4455,11 @@ - wifi - networking -- name: "MEDIUM | RHEL-07-020019 | AUDIT | The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed." +- name: "MEDIUM | RHEL-07-020019 | AUDIT | The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool." ansible.builtin.debug: msg: - - "Please install and enable the latest McAfee HIPS package, available from USCYBERCOM." - - "If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." + - "Please Install and enable the latest Trellix ENSLTP package." + - "If the system does not support the Trellix ENSLTP package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." when: - rhel_07_020019 tags: @@ -4457,7 +4468,7 @@ - CAT2 - CCI-001263 - SRG-OS-000480-GPOS-00227 - - SV-214800r603261_rule + - SV-214800r942888_rule - V-214800 - antivirus @@ -4758,7 +4769,7 @@ - CCI-002165 - CI-002235 - SRG-OS-000324-GPOS-00125 - - SV-250313r792846_rule + - SV-250313r942891_rule - V-250313 - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 25038fcd..d822b587 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -19,9 +19,12 @@ - audit_content == 'git' block: - name: Pre Audit Setup | Install git + when: ansible_distribution_major_version == '7' ansible.builtin.package: name: git state: present + vars: + ansible_python_interpreter: "{{ python2_bin }}" - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5e4d7848..44bb85f2 100644 
--- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,15 +1,12 @@ --- -- name: "PRELIM | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel7_efi_boot - tags: - - goss_template - - always - -- name: set bootloader type +- name: Set bootloader type block: + - name: "PRELIM | Check whether machine is UEFI-based" + ansible.builtin.stat: + path: /sys/firmware/efi + register: rhel7_efi_boot + - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" ansible.builtin.set_fact: rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" @@ -43,9 +40,30 @@ tags: - always -- name: Include audit specific variables - ansible.builtin.include_vars: - file: audit.yml +- name: "PRELIM | Gather interactive user ID min" + block: + - name: "PRELIM | Gather interactive user ID min" + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel7stig_min_uid + + - name: "PRELIM | Gather interactive user ID max" + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel7stig_max_uid + + - name: "PRELIM | Setting the fact" + ansible.builtin.set_fact: + rhel7stig_interactive_uid_start: "{{ rhel7stig_min_uid.stdout }}" + rhel7stig_interactive_uid_stop: "{{ rhel7stig_max_uid.stdout }}" + tags: + - always + - auditd + +- name: "PRELIM | Include audit specific variables" + ansible.builtin.include_vars: audit.yml when: - run_audit or audit_only - setup_audit @@ -53,9 +71,8 @@ - setup_audit - run_audit -- name: Include pre-remediation audit tasks - ansible.builtin.import_tasks: - file: pre_remediation_audit.yml +- name: "PRELIM | Include pre-remediation audit tasks" + ansible.builtin.import_tasks: pre_remediation_audit.yml when: - run_audit or audit_only - setup_audit 
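Review bot: In the new "Gather interactive user ID min/max" block, `failed_when: false` on the grep tasks means a missing or unreadable UID_MIN/UID_MAX in /etc/login.defs yields an empty `stdout`, and the following set_fact then sets `rhel7stig_interactive_uid_start`/`_stop` to empty strings, which silently corrupts every downstream task that scopes work to interactive users. Failing on empty output is the safer behaviour: `failed_when: rhel7stig_min_uid.stdout | length == 0` and `failed_when: rhel7stig_max_uid.stdout | length == 0` in place of the two `failed_when: false` lines.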
@@ -132,6 +149,20 @@ - V-204497 - fips +- name: PRELIM | Gnome Desktop Environment Discovery + tags: + - always + block: + - name: PRELIM | Gnome Desktop Environment Discovery + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + + - name: PRELIM | Gnome Desktop Environment Discovery | add packages if x11 not required + when: rhel_07_040710 + ansible.builtin.set_fact: + rhel7stig_gui_pkgs: "{{ rhel7stig_gui_pkgs + [ '@X11', 'xorg-x11-*' ] }}" + - name: "PRELIM | dconf" block: - name: "PRELIM | Check for dconf availability" @@ -283,6 +314,13 @@ tags: - always +- name: "PRELIM | AUDIT | Create list of mount points" + ansible.builtin.set_fact: + prelim_local_mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" + prelim_nfs_mount_names: "{{ ansible_facts.mounts | selectattr('fstype', 'equalto', 'nfs') | map(attribute='mount') | list | default([]) }}" + tags: + - always + - name: "PRELIM | Gather mount information" ansible.builtin.setup: gather_subset: hardware,!all,!min @@ -292,7 +330,7 @@ tags: - always -- name: "PRELIM | ensure cronie is available" +- name: "PRELIM | Ensure cronie is available" ansible.builtin.package: name: cronie state: present @@ -324,18 +362,7 @@ rhel_07_020690 or rhel_07_020700 tags: - - cat2 - - medium - - RHEL-07-020600 - - RHEL-07-020620 - - RHEL-07-020630 - - RHEL-07-020640 - - RHEL-07-020650 - - RHEL-07-020660 - - RHEL-07-020670 - - RHEL-07-020680 - - RHEL-07-020690 - - RHEL-07-020700 + - always # NOTE: You will need to adjust the UID range in parenthases below. # ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 8e562654..199dac24 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
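Review bot: The "add packages if x11 not required" set_fact extends `rhel7stig_gui_pkgs` with `'@X11', 'xorg-x11-*'` under `when: rhel_07_040710`, but the task that consumes that list with `state: absent` is RHEL-07-040730 in fix-cat2.yml, so the X11 packages are removed or kept depending on an unrelated control's toggle; this looks like it should read `when: rhel_07_040730`. If 040710 is intentional, the task name should say why, since the current name does not match the condition.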
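Review bot: The new "Create list of mount points" set_fact is inserted immediately before "PRELIM | Gather mount information", the `ansible.builtin.setup` call with `gather_subset: hardware` that populates `ansible_facts.mounts`, so on a play whose initial fact gathering omits hardware facts the set_fact evaluates before mounts exist. Move it after that setup task. Separately, `prelim_local_mount_names` is every mount name with no device or bind filter, so it is not "local" as its name and its consumers in fix-cat2.yml assume, and `prelim_nfs_mount_names` uses `equalto 'nfs'` and so misses mounts reported as `nfs4`; suggested definitions: `prelim_local_mount_names: "{{ ansible_facts.mounts | selectattr('device', 'match', '^/dev/') | rejectattr('options', 'search', 'bind') | map(attribute='mount') | list }}"` and `prelim_nfs_mount_names: "{{ ansible_facts.mounts | selectattr('fstype', 'match', '^nfs') | map(attribute='mount') | list }}"`.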
@@ -164,7 +164,6 @@ RHEL_07_030201: {{ rhel_07_030201 }} RHEL_07_030210: {{ rhel_07_030210 }} RHEL_07_030211: {{ rhel_07_030211 }} # if you set 030300 to 'true' ensure you define rhel7stig_audisp_remote_server -RHEL_07_010375: {{ rhel_07_010375 }} RHEL_07_030300: {{ rhel_07_030300 }} RHEL_07_030310: {{ rhel_07_030310 }} RHEL_07_030320: {{ rhel_07_030320 }} diff --git a/vars/audit.yml b/vars/audit.yml index 9486cdc6..7a2e9ec8 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -12,7 +12,7 @@ audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_ ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}_rh7" +audit_git_version: "benchmark_{{ benchmark_version }}" ## Goss configuration information # Where the goss audit configuration will be stored - NOTE benchmark-audit is expected @@ -26,15 +26,16 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma ### Audit binary settings ### audit_bin_version: - release: v0.3.21 - AMD64_checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' + release: v0.4.8 + AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f' + ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }} {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} Full breakdown can be found in {{ audit_log_dir }} 
diff --git a/vars/main.yml b/vars/main.yml index fa752df5..00654713 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -43,3 +43,8 @@ rhel7stig_re_qp_key_end: (?:" *) # insert the parameter at the beginning or append to the end, default append rhel7stig_re_qp_insert: "{{ insert | default(not (append | default(true))) }}" + +rhel7stig_gui_pkgs: + - xorg-x11-server-common + - '@^gnome-desktop' + - 'gnome*'
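Review bot: `rhel7stig_gui_pkgs` is defined in vars/main.yml, which takes precedence over inventory and play variables, so operators cannot narrow the list that RHEL-07-040730 passes to `ansible.builtin.package` with `state: absent`; placing it in defaults/main.yml (or documenting that it is not overridable) would match how the rest of the role exposes its knobs. The `'gnome*'` entry is also a broad glob that matches any package whose name begins with gnome, not just the desktop environment, which on a headless host can pull in more removals than the control describes; consider listing the specific desktop packages, or at least noting the scope next to the entry, e.g. `# removes every package matching gnome*, not only the desktop — review before enabling RHEL-07-040730`.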