From f117074ffe393e1fa65ad3db5b3204286233d8ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=C5=BEe=20Luzar?= Date: Fri, 15 Sep 2023 10:29:10 +0200 Subject: [PATCH 01/84] Specify missing state parameter for package MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Anže Luzar --- tasks/prelim.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f1863acd..aa2be1a7 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -55,6 +55,7 @@ - name: "PRELIM | Install dconf" ansible.builtin.package: name: dconf + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -148,6 +149,7 @@ - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | Install grub2-tools." ansible.builtin.package: name: grub2-tools + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -210,6 +212,7 @@ - name: "PRELIM | ensure cronie is available" ansible.builtin.package: name: cronie + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -282,6 +285,7 @@ - name: "PRELIM | RHEL-07-021100 | RHEL-07-031000 | RHEL-07-031010 | Ensure rsyslog is installed when required." ansible.builtin.package: name: rsyslog + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -310,6 +314,7 @@ - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -387,6 +392,7 @@ - libselinux-python - policycoreutils-python - selinux-policy-targeted + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" when: @@ -399,6 +405,7 @@ - name: "PRELIM | Install SSH" ansible.builtin.package: name: openssh-server + state: present vars: ansible_python_interpreter: "{{ python2_bin }}" 
From 130e021090ad288ec991bf923daa5092ad957c9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=C5=BEe=20Luzar?= Date: Fri, 15 Sep 2023 10:42:12 +0200 Subject: [PATCH 02/84] Correct with_items indentation for package MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Anže Luzar --- tasks/fix-cat2.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 694a304c..3d145677 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1109,9 +1109,9 @@ ansible.builtin.package: name: "{{ item }}" state: present - with_items: - - pam_pkcs11 - - pcsc-lite-libs + with_items: + - pam_pkcs11 + - pcsc-lite-libs vars: ansible_python_interpreter: "{{ python2_bin }}" register: rhel_07_010500pkcs11install From 601ef18853e0d7ac4f74bf56f481242d07fd5369 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=C5=BEe=20Luzar?= Date: Fri, 15 Sep 2023 10:46:33 +0200 Subject: [PATCH 03/84] Replace inline strings with module parameters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Anže Luzar --- tasks/fix-cat2.yml | 42 ++++++++++++++++++--------------- tasks/main.yml | 18 +++++++++----- tasks/pre_remediation_audit.yml | 3 ++- tasks/prelim.yml | 3 ++- 4 files changed, 39 insertions(+), 27 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3d145677..2083c369 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1368,7 +1368,7 @@ - name: | "MEDIUM | RHEL-07-020210 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux." "MEDIUM | RHEL-07-020220 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux targeted policy." - selinux: + ansible.posix.selinux: state: enforcing policy: targeted check_mode: "{{ ansible_check_mode or rhel7stig_system_is_chroot }}" 
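Review bot: Switching `selinux:` to `ansible.posix.selinux:` makes the role depend on the `ansible.posix` collection, and nothing in this series shows that collection being declared or pinned (for example in `meta/runtime.yml` or a `requirements.yml`); please confirm it is, since an unpinned collection is a supply-chain input to a hardening role. The same applies to the `ansible.posix.acl`, `ansible.posix.sysctl` and `ansible.posix.seboolean` hunks later in this patch. The task continues outside the hunk.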
@@ -1444,7 +1444,8 @@ - "{{ rhel7stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-07-020270 | AUDIT | Re-parse /etc/passwd since it changed." - include_tasks: parse_etc_passwd.yml # noqa: no-handler + ansible.builtin.include_tasks: + file: parse_etc_passwd.yml vars: rhel7stig_passwd_tasks: "RHEL-07-020270" when: rhel_07_020270_patch is changed @@ -1754,7 +1755,7 @@ # set default ACLs so the homedir has an effective umask of 0027 - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive." - acl: + ansible.posix.acl: path: "{{ item.0 }}" default: true state: present @@ -1925,7 +1926,8 @@ register: rhel_07_020730_perms_results - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - include_tasks: audit_homedirinifiles.yml + ansible.builtin.include_tasks: + file: audit_homedirinifiles.yml loop: - "{{ rhel_07_stig_interactive_homedir_inifiles }}" loop_control: @@ -3405,7 +3407,7 @@ - ldap - name: "MEDIUM | RHEL-07-040201 | PATCH | The Red Hat Enterprise Linux operating system must implement virtual address space randomization." - sysctl: + ansible.posix.sysctl: name: kernel.randomize_va_space value: '2' state: present @@ -3918,7 +3920,7 @@ - firewall - name: "MEDIUM | RHEL-07-040610 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.accept_source_route state: present value: '0' 
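Review bot: The `# noqa: no-handler` marker on the removed `include_tasks: parse_etc_passwd.yml` line is dropped when the RHEL-07-020270 task is rewritten to the `file:` form, while the `when: rhel_07_020270_patch is changed` condition that triggers ansible-lint's no-handler rule is kept as context; the marker should be carried over, e.g. `when: rhel_07_020270_patch is changed # noqa: no-handler`. A later patch in this series re-adds it on the `rhel7stig_passwd_tasks` line instead of the `when:` line. The enclosing block continues outside the hunk.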
@@ -3936,7 +3938,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040611 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.rp_filter value: '1' state: present @@ -3954,7 +3956,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040612 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.rp_filter state: present value: '1' @@ -3972,7 +3974,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040620 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.accept_source_route state: present value: '0' @@ -3990,7 +3992,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040630 | PATCH | The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." - sysctl: + ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts state: present value: '1' @@ -4009,7 +4011,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040640 | PATCH | The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.accept_redirects state: present value: '0' @@ -4027,7 +4029,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040641 | PATCH | The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages" - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.accept_redirects state: present value: '0' 
@@ -4045,7 +4047,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040650 | PATCH | The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.default.send_redirects state: present value: '0' @@ -4063,7 +4065,7 @@ - ipv4 - name: "MEDIUM | RHEL-07-040660 | PATCH | The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects." - sysctl: + ansible.posix.sysctl: name: net.ipv4.conf.all.send_redirects state: present value: '0' @@ -4215,7 +4217,7 @@ - x11 - name: "MEDIUM | RHEL-07-040740 | PATCH | The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router." - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward state: present value: '0' 
@@ -4268,11 +4270,13 @@ - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." block: - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - include_tasks: audit_firewalld.yml + ansible.builtin.include_tasks: + file: audit_firewalld.yml when: rhel7stig_firewall_service == "firewalld" - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - include_tasks: audit_iptables.yml + ansible.builtin.include_tasks: + file: audit_iptables.yml when: rhel7stig_firewall_service != "firewalld" - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." @@ -4311,7 +4315,7 @@ - V-204629 - name: "MEDIUM | RHEL-07-040830 | PATCH | The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets." - sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.all.accept_source_route state: present value: '0' @@ -4742,7 +4746,7 @@ - V-250312 - name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH." - seboolean: + ansible.posix.seboolean: name: ssh_sysadm_login persistent: true state: "{{ rhel7stig_ssh_sysadm_login_state }}" diff --git a/tasks/main.yml b/tasks/main.yml index 33a01a26..00f1923f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -73,13 +73,15 @@ - always - name: include prelim tasks - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - run_audit - name: include pre-remediation audit - ansible.builtin.import_tasks: pre_remediation_audit.yml + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml when: - run_audit tags: @@ -92,21 +94,24 @@ - always - name: Include CAT I patches - ansible.builtin.import_tasks: fix-cat1.yml + ansible.builtin.import_tasks: + file: fix-cat1.yml when: rhel7stig_cat1_patch tags: - cat1 - high - name: Include CAT II patches - ansible.builtin.import_tasks: fix-cat2.yml + ansible.builtin.import_tasks: + file: fix-cat2.yml when: rhel7stig_cat2_patch tags: - cat2 - medium - name: Include CAT III patches - ansible.builtin.import_tasks: fix-cat3.yml + ansible.builtin.import_tasks: + file: fix-cat3.yml when: rhel7stig_cat3_patch tags: - cat3 @@ -133,7 +138,8 @@ - not rhel7stig_skip_reboot - name: include post-remediation audit - ansible.builtin.import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: + file: post_remediation_audit.yml when: - run_audit diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index e7b7319c..81f53f79 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index aa2be1a7..fe3e3c93 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
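Review bot: In the dictionary form, `file:` must be nested under `ansible.builtin.import_tasks:`, i.e. indented one level deeper than the module key; whitespace is not preserved in this rendering so the level cannot be confirmed here, but the follow-up lint commit in this series re-indents exactly these `file:` lines in `tasks/main.yml`, `tasks/pre_remediation_audit.yml` and `tasks/prelim.yml`, which suggests they were at the wrong level. If `file:` sits at the same level as the module key, `import_tasks` is parsed as an empty value and the task is rejected at load time. Worth a `--syntax-check` run on the rendered result before merge.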
@@ -226,7 +226,8 @@ - RHEL-07-020040 - name: "PRELIM | RHEL-07-020600 | RHEL-07-020620 | RHEL-07-020630 | RHEL-07-020640 | RHEL-07-020650 | RHEL-07-020660 | RHEL-07-020690 | Parse /etc/passwd" - ansible.builtin.include_tasks: parse_etc_passwd.yml + ansible.builtin.include_tasks: + file: parse_etc_passwd.yml vars: rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" when: From dfb979177f01c2ab166f63a32699fd23aaae08e0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 16:52:48 +0100 Subject: [PATCH 04/84] updated link Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a4e7d48a..dba39dc0 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. # This workflow contains a single job which tests the playbook playbook-test: From 5108506807ba1eaefdaf7fc06b6d3bad2d7605ae Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 16:55:32 +0100 Subject: [PATCH 05/84] lint updates Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 10 +++++----- tasks/main.yml | 12 ++++++------ tasks/pre_remediation_audit.yml | 2 +- tasks/prelim.yml | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2083c369..de38a195 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -1445,9 +1445,9 @@ - name: "MEDIUM | RHEL-07-020270 | AUDIT | Re-parse /etc/passwd since it changed." ansible.builtin.include_tasks: - file: parse_etc_passwd.yml + file: parse_etc_passwd.yml vars: - rhel7stig_passwd_tasks: "RHEL-07-020270" + rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler when: rhel_07_020270_patch is changed when: - rhel_07_020270 @@ -1927,7 +1927,7 @@ - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." ansible.builtin.include_tasks: - file: audit_homedirinifiles.yml + file: audit_homedirinifiles.yml loop: - "{{ rhel_07_stig_interactive_homedir_inifiles }}" loop_control: @@ -4271,12 +4271,12 @@ block: - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." ansible.builtin.include_tasks: - file: audit_firewalld.yml + file: audit_firewalld.yml when: rhel7stig_firewall_service == "firewalld" - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." ansible.builtin.include_tasks: - file: audit_iptables.yml + file: audit_iptables.yml when: rhel7stig_firewall_service != "firewalld" - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." diff --git a/tasks/main.yml b/tasks/main.yml index 00f1923f..e807f16e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
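Review bot: The re-added `# noqa: no-handler` comment in the RHEL-07-020270 hunk sits on the `rhel7stig_passwd_tasks: "RHEL-07-020270"` line, while the rule is triggered by the `when: rhel_07_020270_patch is changed` line below it; whether ansible-lint honours a marker on a sibling line depends on the lint version, so it is safer to move it: `when: rhel_07_020270_patch is changed # noqa: no-handler`. Placing it on a vars line also misleads readers into thinking the vars entry is what is being suppressed. The enclosing block continues outside the hunk.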
@@ -74,14 +74,14 @@ - name: include prelim tasks ansible.builtin.import_tasks: - file: prelim.yml + file: prelim.yml tags: - prelim_tasks - run_audit - name: include pre-remediation audit ansible.builtin.import_tasks: - file: pre_remediation_audit.yml + file: pre_remediation_audit.yml when: - run_audit tags: @@ -95,7 +95,7 @@ - name: Include CAT I patches ansible.builtin.import_tasks: - file: fix-cat1.yml + file: fix-cat1.yml when: rhel7stig_cat1_patch tags: - cat1 @@ -103,7 +103,7 @@ - name: Include CAT II patches ansible.builtin.import_tasks: - file: fix-cat2.yml + file: fix-cat2.yml when: rhel7stig_cat2_patch tags: - cat2 @@ -111,7 +111,7 @@ - name: Include CAT III patches ansible.builtin.import_tasks: - file: fix-cat3.yml + file: fix-cat3.yml when: rhel7stig_cat3_patch tags: - cat3 @@ -139,7 +139,7 @@ - name: include post-remediation audit ansible.builtin.import_tasks: - file: post_remediation_audit.yml + file: post_remediation_audit.yml when: - run_audit diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 81f53f79..7b4d06f5 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -2,7 +2,7 @@ - name: Audit Binary Setup | Setup the LE audit ansible.builtin.include_tasks: - file: LE_audit_setup.yml + file: LE_audit_setup.yml when: - setup_audit tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index fe3e3c93..84373abd 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -227,7 +227,7 @@ - name: "PRELIM | RHEL-07-020600 | RHEL-07-020620 | RHEL-07-020630 | RHEL-07-020640 | RHEL-07-020650 | RHEL-07-020660 | RHEL-07-020690 | Parse /etc/passwd" ansible.builtin.include_tasks: - file: parse_etc_passwd.yml + file: parse_etc_passwd.yml vars: rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" when: From 223624e9941c7f8e8ef9c13601a73df108aa6c22 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Fri, 15 Sep 2023 17:01:48 +0100 Subject: [PATCH 06/84] removed old Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 190 -------------------------------------- 1 file changed, 190 deletions(-) delete mode 100644 .config/.secrets.baseline diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline deleted file mode 100644 index 522a6339..00000000 --- a/.config/.secrets.baseline +++ /dev/null 
@@ -1,190 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": 
"detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json" - ] - } - ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 467, - "is_secret": false - } - ], - "tasks/fix-cat2.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/fix-cat2.yml", - "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", - "is_verified": false, - "line_number": 1449, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", - "is_verified": false, - "line_number": 39, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 56, - "is_secret": false - } - ], - "tasks/parse_etc_passwd.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_passwd.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ], - "tasks/prelim.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/prelim.yml", - "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", - "is_verified": false, - "line_number": 228, - "is_secret": false - } - ], - "templates/pam_pkcs11.conf.j2": [ - { - "type": "Secret Keyword", - "filename": "templates/pam_pkcs11.conf.j2", - "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "is_verified": false, - "line_number": 173, - "is_secret": false - } - ] - }, - "generated_at": "2023-09-14T14:19:49Z" -} From 20a720a780bc8da17abca7a74ac6b2882265a442 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 17:02:56 +0100 Subject: [PATCH 07/84] added new defined secrets file 
Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 143 ++++++++++++++++++++++++- .config/.secrets.baseline | 190 ++++++++++++++++++++++++++++++++++ 2 files changed, 332 insertions(+), 1 deletion(-) create mode 100644 .config/.secrets.baseline diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json index fe51488c..bea9d1d8 100644 --- a/.config/.gitleaks-report.json +++ b/.config/.gitleaks-report.json 
@@ -1 +1,142 @@ -[] +[ + { + "Description": "Generic API Key", + "StartLine": 125, + "EndLine": 125, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:125" + }, + { + "Description": "Generic API Key", + "StartLine": 135, + "EndLine": 135, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"673504d3db128a01a93d32de2b104a05dc2e6859\"", + "Secret": "673504d3db128a01a93d32de2b104a05dc2e6859", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.7750704, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:135" + }, + { + "Description": "Generic API Key", + "StartLine": 145, + "EndLine": 145, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2784977b09b611a32db88f631d88a5806605967e\"", + "Secret": "2784977b09b611a32db88f631d88a5806605967e", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.718454, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": 
"2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:145" + }, + { + "Description": "Generic API Key", + "StartLine": 153, + "EndLine": 153, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:153" + }, + { + "Description": "Generic API Key", + "StartLine": 163, + "EndLine": 163, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:163" + }, + { + "Description": "Generic API Key", + "StartLine": 172, + "EndLine": 172, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"fd917ab33fb6bd01e799f4b72da0586589cd909a\"", + "Secret": 
"fd917ab33fb6bd01e799f4b72da0586589cd909a", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.808695, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:172" + }, + { + "Description": "Generic API Key", + "StartLine": 182, + "EndLine": 182, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\"", + "Secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.8250706, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:182" + } +] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline new file mode 100644 index 00000000..47521f1c --- /dev/null +++ b/.config/.secrets.baseline 
@@ -0,0 +1,190 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".config/.secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": 
"detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] + } + ], + "results": { + "defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 467, + "is_secret": false + } + ], + "tasks/fix-cat2.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/fix-cat2.yml", + "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", + "is_verified": false, + "line_number": 1450, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", + "is_verified": false, + "line_number": 39, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 56, + "is_secret": false + } + ], + "tasks/parse_etc_passwd.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_passwd.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18 + } + ], + "tasks/prelim.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/prelim.yml", + "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", + "is_verified": false, + "line_number": 232, + "is_secret": false + } + ], + "templates/pam_pkcs11.conf.j2": [ + { + "type": "Secret Keyword", + "filename": "templates/pam_pkcs11.conf.j2", + "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "is_verified": false, + "line_number": 173, + "is_secret": false + } + ] + }, + "generated_at": "2023-09-15T16:02:38Z" +} From 5956a0f6ba4134a1ce579a0ad482392793648078 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 17:03:14 +0100 Subject: [PATCH 08/84] added precommit 
Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..40a21e27 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,6 +41,7 @@ repos: hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] + exclude: .config/.secrets.baseline - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 From aa000e8c31a227501a657baa3ec7327a6e776a60 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 15:39:15 +0100 Subject: [PATCH 09/84] lint updates Signed-off-by: Mark Bolwell --- CONTRIBUTING.rst | 1 - ChangeLog.md | 4 ++-- ansible.cfg | 1 - doc/README.md | 1 - templates/01-banner-message.j2 | 2 +- templates/ansible_vars_goss.yml.j2 | 4 ++-- templates/audit/99_auditd.rules.j2 | 2 +- templates/pam_pkcs11.conf.j2 | 12 ++++++------ 8 files changed, 12 insertions(+), 15 deletions(-) diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 2fa743d8..23ce2fb7 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -65,4 +65,3 @@ following text in your contribution commit message: This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s` option to `git commit` to automatically include the signoff message. - diff --git a/ChangeLog.md b/ChangeLog.md index 0859edd9..608849fd 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
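Review bot: `exclude:` in pre-commit is a Python regex, so `.config/.secrets.baseline` is unanchored and its dots match any character; write it as `exclude: '^\.config/\.secrets\.baseline$'`. With that file excluded from the gitleaks hook, every entry in `.config/.gitleaks-report.json` passed via `--baseline-path` refers to a file gitleaks will no longer scan, so the baseline appears redundant; since its fingerprints embed a commit id and line number, they may also not match findings produced by the hook on staged changes, which is an inference to confirm against the gitleaks version in use.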
@@ -115,14 +115,14 @@ README ## Release 1.9.0 -- RHEL-07-010271 - New Control Added +- RHEL-07-010271 - New Control Added - Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text. - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives. - RHEL-07-030840 - Updated check and fix text. - RHEL-07-040160 - Updated check text. - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion. - - RHEL-07-040360, RHEL-07-040530 - Updated CCI. + - RHEL-07-040360, RHEL-07-040530 - Updated CCI. - Update to README and requirements - RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information diff --git a/ansible.cfg b/ansible.cfg index f0ab6836..c7c4ec86 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -23,4 +23,3 @@ transfer_method=scp [colors] [diff] - diff --git a/doc/README.md b/doc/README.md index fb11aec8..923de017 100644 --- a/doc/README.md +++ b/doc/README.md @@ -5,4 +5,3 @@ To generate the documentation on a RHEL/CentOS 7 system, take the following step * `sudo pip3 install -r requirements.txt` 3. Generate the documentation: * `make singlehtml` - diff --git a/templates/01-banner-message.j2 b/templates/01-banner-message.j2 index 21e7c2b2..7d9c917b 100644 --- a/templates/01-banner-message.j2 +++ b/templates/01-banner-message.j2 @@ -1,4 +1,4 @@ -[org/gnome/login-screen] +[org/gnome/login-screen] banner-message-enable=true banner-message-text='{{ rhel7stig_logon_banner }}' diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 7e75ab30..8e562654 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -28,7 +28,7 @@ rhel7stig_cat1: {{ rhel7stig_cat1_patch }} rhel7stig_cat2: {{ rhel7stig_cat2_patch }} rhel7stig_cat3: {{ rhel7stig_cat3_patch }} -## CAT I +## CAT I RHEL_07_010010: {{ rhel_07_010010 }} RHEL_07_010020: {{ rhel_07_010020 }} RHEL_07_010290: {{ rhel_07_010290 }} @@ -337,7 +337,7 @@ rhel7stig_staff_u: # host intrision protection e.g. Mcafee HIPS rhel7stig_hip_enabled: false -rhel7stig_hip_pkg: +rhel7stig_hip_pkg: rhel7stig_hip_proc: # RHEL-07-010483 & RHEL-07-010492 diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 2b730902..445e5ef7 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -50,7 +50,7 @@ {% endif %} {% if rhel_07_030620 %} --w /var/log/lastlog -p wa -k logins +-w /var/log/lastlog -p wa -k logins {% endif %} {% if rhel_07_030630 %} diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 index 7ca73675..657b9931 100644 --- a/templates/pam_pkcs11.conf.j2 +++ b/templates/pam_pkcs11.conf.j2 @@ -9,7 +9,7 @@ pam_pkcs11 { nullok = true; # Enable debugging support. - debug = false; + debug = false; # If the smart card is inserted, only use it card_only = true; @@ -32,7 +32,7 @@ pam_pkcs11 { screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module {{ rhel07stig_smartcarddriver }} { - {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} + {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} module = /usr/lib64/libcackey.so; description = "{{ rhel07stig_smartcarddriver }}"; slot_num = 0; 
@@ -54,7 +54,7 @@ pam_pkcs11 { # you can mange the certs in this database with the certutil command in # the package nss-tools nss_dir = /etc/pki/nssdb; - + # Sets the Certificate Policy, (see above) cert_policy = ca, signature; } @@ -96,10 +96,10 @@ pam_pkcs11 { # When no absolute path or module info is provided, use this # value as module search path # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH + # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; - # + # # Generic certificate contents mapper mapper generic { debug = true; @@ -194,7 +194,7 @@ pam_pkcs11 { module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or - # leave empty "" or "none" to use no map + # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; From d14af2e9be8c479f3d429fb03b6b1b89865533cd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 15:39:26 +0100 Subject: [PATCH 10/84] updated Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 47521f1c..a363f314 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 @@ -113,7 +109,8 @@ { "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ - ".config/.gitleaks-report.json" + ".config/.gitleaks-report.json", + "tasks/parse_etc_password.yml" ] } ], 
@@ -124,8 +121,7 @@ "filename": "defaults/main.yml", "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", "is_verified": false, - "line_number": 467, - "is_secret": false + "line_number": 467 } ], "tasks/fix-cat2.yml": [ @@ -134,8 +130,7 @@ "filename": "tasks/fix-cat2.yml", "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", "is_verified": false, - "line_number": 1450, - "is_secret": false + "line_number": 1450 } ], "tasks/main.yml": [ @@ -144,16 +139,14 @@ "filename": "tasks/main.yml", "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", "is_verified": false, - "line_number": 39, - "is_secret": false + "line_number": 39 }, { "type": "Secret Keyword", "filename": "tasks/main.yml", "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", "is_verified": false, - "line_number": 56, - "is_secret": false + "line_number": 56 } ], "tasks/parse_etc_passwd.yml": [ @@ -171,8 +164,7 @@ "filename": "tasks/prelim.yml", "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", "is_verified": false, - "line_number": 232, - "is_secret": false + "line_number": 232 } ], "templates/pam_pkcs11.conf.j2": [ @@ -181,10 +173,9 @@ "filename": "templates/pam_pkcs11.conf.j2", "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", "is_verified": false, - "line_number": 173, - "is_secret": false + "line_number": 173 } ] }, - "generated_at": "2023-09-15T16:02:38Z" + "generated_at": "2023-10-09T14:38:05Z" } From 1dc0f9b6af888b6f8dd40358ec27a6b0cadc0cba Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 15:43:48 +0100 Subject: [PATCH 11/84] added pragma allow list Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 68 ++---------------------------------- defaults/main.yml | 2 +- tasks/fix-cat2.yml | 2 +- tasks/main.yml | 6 ++-- tasks/prelim.yml | 2 +- templates/pam_pkcs11.conf.j2 | 2 +- 6 files changed, 10 insertions(+), 72 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index a363f314..eab74d91 100644 
--- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -110,72 +110,10 @@ "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ ".config/.gitleaks-report.json", - "tasks/parse_etc_password.yml" + "tasks/parse_etc_passwd.yml" ] } ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 467 - } - ], - "tasks/fix-cat2.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/fix-cat2.yml", - "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", - "is_verified": false, - "line_number": 1450 - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", - "is_verified": false, - "line_number": 39 - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 56 - } - ], - "tasks/parse_etc_passwd.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_passwd.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ], - "tasks/prelim.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/prelim.yml", - "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", - "is_verified": false, - "line_number": 232 - } - ], - "templates/pam_pkcs11.conf.j2": [ - { - "type": "Secret Keyword", - "filename": "templates/pam_pkcs11.conf.j2", - "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "is_verified": false, - "line_number": 173 - } - ] - }, - "generated_at": "2023-10-09T14:38:05Z" + "results": {}, + "generated_at": "2023-10-09T14:42:52Z" } diff --git a/defaults/main.yml b/defaults/main.yml index 916abcca..5310cee1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -464,7 +464,7 @@ rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}" # RHEL-07-010480 and RHEL-07-010490 # Password protect the boot loader -rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' +rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret rhel7stig_boot_superuser: root # RHEL-07-021700 set the value for correctly configured grub bootloader sequence diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index de38a195..0355d7a5 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1447,7 +1447,7 @@ ansible.builtin.include_tasks: file: parse_etc_passwd.yml vars: - rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler + rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler # pragma: allowlist secret when: rhel_07_020270_patch is changed when: - rhel_07_020270 diff --git a/tasks/main.yml b/tasks/main.yml index e807f16e..2041044a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -36,7 +36,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}" vars: - sudo_password_rule: RHEL-07-010340 + sudo_password_rule: RHEL-07-010340 # pragma: allowlist secret when: - rhel_07_010340 - ansible_env.SUDO_USER is defined 
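Review bot: The allowlist pragma on `rhel7stig_bootloader_password_hash` is justified because the value is a sentinel rather than a credential, but the defaults file never says so; the only hint is the assertion in tasks/main.yml that refuses to run the single-user password tasks while the sentinel is still in place. Add above the line: `# Sentinel, not a real hash: replace with the output of grub2-mkpasswd-pbkdf2. tasks/main.yml asserts this default has been changed before the single-user-mode tasks run.` Since the real value is a password hash, the same comment should steer users to supply it from a vaulted vars file rather than editing committed defaults.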
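Review bot: Stacking `# pragma: allowlist secret` after `# noqa: no-handler` on the `rhel7stig_passwd_tasks` line is fragile: ansible-lint reads the text following `noqa:` as its list of rule ids, and depending on version it may treat `pragma:` and `allowlist` as unknown ids or stop honouring `no-handler`, so the lint output should be checked after this change. The detect-secrets hit is triggered only by the `passwd` substring in the variable name, and the parallel line in tasks/prelim.yml gets the same pragma without a noqa, so it is unaffected. If lint regresses here, put `# noqa: no-handler` last on the line, or move it to the task's first line where ansible-lint attaches the no-handler finding.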
@@ -53,8 +53,8 @@ - name: Check rhel7stig_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" + that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" # pragma: allowlist secret when: - rhel_07_010481 or rhel_07_010482 or diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 84373abd..8bfaf00b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -229,7 +229,7 @@ ansible.builtin.include_tasks: file: parse_etc_passwd.yml vars: - rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" + rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" # pragma: allowlist secret when: - rhel_07_020600 or rhel_07_020620 or diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 index 657b9931..9fac3d9f 100644 --- a/templates/pam_pkcs11.conf.j2 +++ b/templates/pam_pkcs11.conf.j2 @@ -170,7 +170,7 @@ pam_pkcs11 { # DN to bind with. Must have read-access for user entries under "base" binddn = "cn=pam,o=example,c=com"; # Password for above DN - passwd = "test"; + passwd = "test"; # pragma: allowlist secret # Searchbase for user entries base = "ou=People,o=example,c=com"; # Attribute of user entry which contains the certificate From 6098b0256fc2e5c233e3b4ae9fd6d91e5d2d3788 Mon Sep 17 00:00:00 2001 
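Review bot: The guard on `rhel7stig_bootloader_password_hash` rejects only the literal sentinel, so an empty string, an unhashed password, or a hash for a different algorithm passes and is presumably consumed by the grub user.cfg tasks later. Since the value is expected to be grub2-mkpasswd-pbkdf2 output, tighten the assertion with a prefix check as well: `that: - rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - rhel7stig_bootloader_password_hash is match('grub\.pbkdf2\.sha512\.')` (the `# pragma: allowlist secret` comment stays on the first item). The pragma on the `msg:` line may be redundant, as the baseline recorded a single finding in this task (line 56); drop it if detect-secrets no longer flags that line.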
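Review bot: `# pragma: allowlist secret` is appended inside a Jinja template, so it is rendered verbatim into pam_pkcs11.conf on every managed host next to the placeholder LDAP bind password; pam_pkcs11 treats `#` lines as comments, so nothing breaks, but operators will find a scanner directive in a system config file. A Jinja comment `{# pragma: allowlist secret #}` would be stripped from the rendered output — confirm that detect-secrets' allowlist regex still matches that form before relying on it. The better fix is to stop shipping a literal `passwd = "test"` and render the bind password from a role variable (vaulted, if the LDAP mapper is actually used), which also removes the need for the pragma.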
From: Mark Bolwell Date: Mon, 9 Oct 2023 16:03:42 +0100 Subject: [PATCH 12/84] updated due to galaxy changes Signed-off-by: Mark Bolwell --- collections/requirements.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/collections/requirements.yml b/collections/requirements.yml index 4a418efa..8ebc6180 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,8 +1,14 @@ --- collections: -- name: community.general + - name: community.general + source: https://github.com/ansible-collections/community.general + type: git -- name: community.crypto + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git -- name: ansible.posix + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git From 197f96149baf54fdf668d9e96ba9dba9e2a4c0ed Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 16:06:34 +0100 Subject: [PATCH 13/84] moved file Signed-off-by: Mark Bolwell --- {vars => tasks}/CentOS.yml | 0 vars/Centos.yml | 9 --------- 2 files changed, 9 deletions(-) rename {vars => tasks}/CentOS.yml (100%) delete mode 100644 vars/Centos.yml diff --git a/vars/CentOS.yml b/tasks/CentOS.yml similarity index 100% rename from vars/CentOS.yml rename to tasks/CentOS.yml diff --git a/vars/Centos.yml b/vars/Centos.yml deleted file mode 100644 index 05e0e648..00000000 --- a/vars/Centos.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -gpg_keys: - - name: 'CentOS 7 Official Signing Key' - packager: "security@centos.org" - fingerprint: "6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5" - -gpg_package: centos-release -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 From d49469b0b69672411a59f4c9d703ba3e318f0b0b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 16:06:55 +0100 Subject: [PATCH 14/84] updated path 
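Review bot: The three collections are now installed from git with `type: git` but no `version:` key, so `ansible-galaxy collection install -r` tracks the head of each repository's default branch at install time and successive runs can pull different, unreviewed code. Pin each entry under `source:`, e.g. `version: "<tag-or-commit>"` (placeholder), and bump deliberately. Moving from Galaxy to raw git also drops whatever provenance Galaxy provided for these collections, so if the switch only works around galaxy-ng, a comment stating that reason would help the next maintainer decide when to revert.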
Signed-off-by: Mark Bolwell --- {tasks => vars}/CentOS.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {tasks => vars}/CentOS.yml (100%) diff --git a/tasks/CentOS.yml b/vars/CentOS.yml similarity index 100% rename from tasks/CentOS.yml rename to vars/CentOS.yml From 5aae574e522fc3ae91f62d6dff6e97dbfc0d9049 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 16:24:50 +0100 Subject: [PATCH 15/84] removed quality badge since galaxy-ng Signed-off-by: Mark Bolwell --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 40081ffc..70be8088 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) From fb6f4fefa384b9538cbf582ab485c4f5eab520de Mon Sep 17 00:00:00 2001 From: layluke Date: Wed, 18 Oct 2023 17:44:53 -0400 Subject: [PATCH 16/84] Adding additional condition for rhel7stig_grub2_user_cfg for task Signed-off-by: layluke --- handlers/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index c414bd4c..88fb8027 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -27,7 +27,7 @@ - name: make grub2 config ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_bootloader_path }}grub.cfg when: - - rhel7stig_grub2_user_cfg.stat.exists + - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists) - not rhel7stig_skip_for_travis - not rhel7stig_system_is_container @@ -42,7 +42,7 @@ - grub.cfg - user.cfg when: - - rhel7stig_grub2_user_cfg.stat.exists + - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists) - rhel7stig_workaround_for_disa_benchmark - not rhel7stig_skip_for_travis - not rhel7stig_system_is_container From 88f570b43d5a09cb36c1032c5698a8c63d700712 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 10:39:23 +0100 Subject: [PATCH 17/84] updated version Signed-off-by: Mark Bolwell --- README.md | 4 ++-- defaults/main.yml | 6 +++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 70be8088..2309d92a 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL7 based system to be complaint with Disa STIG -This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R12_STIG.zip). +This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 13 released on October 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R13_STIG.zip). --- @@ -47,7 +47,7 @@ Configure a RHEL 7 system to be DISA STIG compliant. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `true`. -# Caution(s) +## Caution(s) This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. diff --git a/defaults/main.yml b/defaults/main.yml index 5310cee1..77a4a0f3 100644 
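Review bot: `rhel7stig_grub2_user_cfg is defined` does not cover the case where the stat task that registers it ran but was skipped: Ansible still registers a result for a skipped task (`skipped: true`, no `stat` key), so `.stat.exists` then raises an undefined-attribute error inside the handler. Guard on the key that is actually read, `- rhel7stig_grub2_user_cfg.stat.exists | default(false)`, which handles both the undefined and the skipped case because Ansible's undefined object tolerates the chained lookup. The same condition appears in the second hunk of this file (`@@ -42,7 +42,7 @@`) and should change the same way; whether the stat task can be skipped is not visible in this hunk, so please confirm.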
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,7 +13,7 @@ python2_bin: /bin/python2.7 # audit variable found at the base benchmark: RHEL7-STIG ## metadata for Audit benchmark -benchmark_version: 'v3r12' +benchmark_version: 'v3r13' # Whether to skip the reboot rhel7stig_skip_reboot: true @@ -348,6 +348,10 @@ rhel7stig_smartcard: false # Configure your smartcard driver rhel7stig_smartcarddriver: cackey + +# RHEL_07_010310 +# Must be 35 or less but not 0 or -1 +rhel_07_010310_inactive: 35 # RHEL_07_020020 # Set "selinux_change_users" false to disable this control's actions and just report results. # You will need to adjust the paths for installed HIPS/HBSS for this control. From ea14041a2ee8794d7ec120f9f9192b80b44594a2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 10:39:39 +0100 Subject: [PATCH 18/84] quoted version Signed-off-by: Mark Bolwell --- meta/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/main.yml b/meta/main.yml index a028684f..e3c413a8 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -10,7 +10,7 @@ galaxy_info: platforms: - name: EL versions: - - 7 + - '7' galaxy_tags: - system - security From c48ab81db7adcd23c71f7c7bb1232c6b2c639667 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 10:40:37 +0100 Subject: [PATCH 19/84] updated rule id 020230 Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a46c1f74..fa21f039 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
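Review bot: `rhel_07_010310_inactive: 35` documents a constraint ("35 or less but not 0 or -1") that nothing enforces; tasks/fix-cat2.yml writes the value straight into `INACTIVE=` in /etc/default/useradd (hunk `@@ -756,7 +756,7 @@` in PATCH 20), so a typo such as `350` or `-1` would silently weaken or, for -1, disable inactivity lockout of accounts. Add a pre-flight check alongside the existing asserts in tasks/main.yml, e.g. `ansible.builtin.assert: that: ["rhel_07_010310_inactive | int > 0", "rhel_07_010310_inactive | int <= 35"]`. Also add a blank line after the new stanza so it is not visually fused with the `# RHEL_07_020020` comment that follows.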
@@ -1,4 +1,5 @@ --- + - name: "HIGH | RHEL-07-010010 | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." block: - name: "HIGH | RHEL-07-010010 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." @@ -306,7 +307,7 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204455r833106_rule + - SV-204455r928574_rule - V-204455 - systemctl From d602fd91ccc9e95a6c6cc85aa7c46d042b0835ca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 10:41:10 +0100 Subject: [PATCH 20/84] rule ids and inactive variable added Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0355d7a5..6577542b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -756,7 +756,7 @@ ansible.builtin.lineinfile: path: /etc/default/useradd regexp: ^#?INACTIVE - line: INACTIVE=35 + line: "INACTIVE={{ rhel_07_010310_inactive }}" when: - rhel_07_010310 tags: 
@@ -1167,15 +1167,15 @@ # ############################## # This control should be manually implemented -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." +- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." block: - - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users" + - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users" ansible.builtin.shell: semanage login -l changed_when: false failed_when: false register: rhel_07_020020_sel_auth_users - - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users" + - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users" ansible.builtin.debug: msg: - "Warning!! Below is your SELinux user/group list. 
Please review and make sure all of the following are met:" @@ -1184,7 +1184,7 @@ - "{{ rhel_07_020020_sel_auth_users.stdout_lines }}" when: rhel_07_020020_sel_auth_users.stdout | length > 0 - - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed" + - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed" ansible.builtin.debug: msg: - "Warning!! You do not have semanage installed! Please installed the needed packages" @@ -1197,7 +1197,7 @@ - CCI-002235 - CCI-002165 - SRG-OS-000324-GPOS-00125 - - SV-204444r754744_rule + - SV-204444r928571_rule - V-204444 - name: "MEDIUM | RHEL-07-020028 | PATCH | The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel." @@ -2307,7 +2307,7 @@ - CCI-001813 - CCI-000318 - SRG-OS-000364-GPOS-00151 - - SV-204501r603261_rule + - SV-204501r928576_rule - V-204501 - grub - bootloader @@ -4742,7 +4742,7 @@ - CCI-002165 - CCI-002235 - SRG-OS-000324-GPOS-00125 - - SV-250312r792843_rule + - SV-250312r928579_rule - V-250312 - name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH." @@ -4791,5 +4791,5 @@ - CCI-002165 - CCI-002235 - SRG-OS-000324-GPOS-00125 - - SV-250314r861076_rule + - SV-250314r877392_rule - V-250314 From f48020400988feb1c2fb4207acc62a4c7253d051 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Oct 2023 10:41:15 +0100 Subject: [PATCH 21/84] updated 
Signed-off-by: Mark Bolwell --- ChangeLog.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index 608849fd..16e9886b 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,14 @@ # Changelog +## 3.1 STIG V3R13 25th Oct 2023 + +- RHEL_07_010310 - ruleid updated and INACTIVE var created +- RHEL_07_020020 - ruleid +- RHEL_07_020021 - ruleid +- RHEL_07_020023 - ruleid +- RHEL_07_020230 - ruleid +- RHEL_07_021700 - ruleid + ## 3.0 Stig V3R12 26th July 2023 - RHEL-07-010199 - pamd password and system auth rewrite and ruleid updated From 6a7137f5b43a4552b59b3ed29b630134cfecccd2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Oct 2023 16:24:40 +0000 Subject: [PATCH 22/84] updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/main_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/update_galaxy.yml | 14 ++++++-------- 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc0..9fbe7aa8 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest 
@@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..67ee9d90 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
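Review bot: The checkout step pins `ref: ${{ github.event.pull_request.head.sha }}` and the job goes on to run terraform and the playbook; if this workflow is triggered by `pull_request_target` (the `on:` block is outside the hunk) that combination executes fork-supplied code with the repository's secrets and variables, so please confirm the trigger is plain `pull_request`. Separately, `actions/checkout@v4` is a moving major tag; pinning to the full commit SHA with the version in a trailing comment is the usual hardening for both checkout steps here and in main_pipeline_validation.yml (`@@ -33,13 +33,13 @@`).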
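Review bot: `run: sleep ${{ vars.BUILD_SLEEPTIME }}` expands the repository variable directly into the shell script, so an unset variable yields a bare `sleep ` that fails the job, and the step name "Sleep for 60 seconds" is now stale. Pass it through the environment with a default instead: `env: BUILD_SLEEPTIME: ${{ vars.BUILD_SLEEPTIME }}` and `run: sleep "${BUILD_SLEEPTIME:-60}"`, and rename the step to `Wait for instances to become reachable`. The new comment also introduces a typo, `Ansibleplaybook` → `Ansible playbook`. The identical hunks in main_pipeline_validation.yml (`@@ -100,9 +100,9 @@`) and in PATCH 23, which re-applies the same diff (same index `dba39dc0..9fbe7aa8`) and will not apply cleanly on top of PATCH 22, need the same change.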
@@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: 
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..f9352800 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: @@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From b3f324894dfe8a13013e31169ebf4c624405635e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Oct 2023 16:25:23 +0000 Subject: [PATCH 23/84] updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/main_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/update_galaxy.yml | 14 ++++++-------- 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc0..9fbe7aa8 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml 
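Review bot: `ansible-actions/ansible-galaxy-action@main` is a mutable branch reference that receives `secrets.GALAXY_API_KEY`, so any push to that branch — by the action's maintainers or by someone who compromises them — runs with the publish key; the replaced `robertdebock/galaxy-action@master` had the same weakness, so this commit is the opportunity to fix it rather than carry it forward. Pin to a full commit SHA, e.g. `uses: ansible-actions/ansible-galaxy-action@<commit-sha>  # <release-tag>` (placeholders), and let an automated bumper keep it current. The dropped `git_branch: main` input suggests the new action has a different input schema; if `${{ github.ref_name }}` now drives the published ref, a short comment saying so would help.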
@@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
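Review bot: The checkout at `ref: ${{ github.event.pull_request.head.sha }}` builds the contributor's code and later hunks run Terraform against cloud infrastructure with values from `vars`/`secrets`; whether that is safe depends on the trigger, which is outside this hunk — under `pull_request` a fork gets no secrets, but under `pull_request_target` this is the classic pwn-request shape, and the first-PR greeting in the context above suggests a privileged trigger may be in use, so please confirm. Independently, both checkout steps leave the job token in `.git/config` by default, readable by every later step including the third-party playbook action; add `persist-credentials: false` under `with:` on both. Bumping to `@v4` is fine, but a full-SHA pin with the tag as a comment is the stronger supply-chain posture for a job holding cloud credentials.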
@@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..67ee9d90 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
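Review bot: `uses: arillso/action.playbook@master` (context here, untouched by the commit) is a mutable branch reference for the step that presumably receives the inventory and SSH material for the freshly built instance, so a push to that branch runs with whatever this step is given; pin it to a full commit SHA with the tag as a comment, `uses: arillso/action.playbook@<full-commit-sha> # vX.Y`. The same expression-in-`run` issue as in the main pipeline applies to `run: sleep ${{ vars.BUILD_SLEEPTIME }}`: pass it via `env:` and quote it with a default so an unset variable does not turn into a bare `sleep`.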
@@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..f9352800 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: @@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From d687371cf0ff509bf1e9fa0a0da7526995825119 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:26:54 +0000 Subject: [PATCH 24/84] removed file Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 142 ---------------------------------- 1 file changed, 142 deletions(-) delete mode 100644 .config/.gitleaks-report.json diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index bea9d1d8..00000000 
--- a/.config/.gitleaks-report.json
+++ /dev/null
@@ -1,142 +0,0 @@ -[ - { - "Description": "Generic API Key", - "StartLine": 125, - "EndLine": 125, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:125" - }, - { - "Description": "Generic API Key", - "StartLine": 135, - "EndLine": 135, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"673504d3db128a01a93d32de2b104a05dc2e6859\"", - "Secret": "673504d3db128a01a93d32de2b104a05dc2e6859", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.7750704, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:135" - }, - { - "Description": "Generic API Key", - "StartLine": 145, - "EndLine": 145, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2784977b09b611a32db88f631d88a5806605967e\"", - "Secret": "2784977b09b611a32db88f631d88a5806605967e", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.718454, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": 
"2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:145" - }, - { - "Description": "Generic API Key", - "StartLine": 153, - "EndLine": 153, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:153" - }, - { - "Description": "Generic API Key", - "StartLine": 163, - "EndLine": 163, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", - "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.8439426, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:163" - }, - { - "Description": "Generic API Key", - "StartLine": 172, - "EndLine": 172, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"fd917ab33fb6bd01e799f4b72da0586589cd909a\"", - "Secret": 
"fd917ab33fb6bd01e799f4b72da0586589cd909a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.808695, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:172" - }, - { - "Description": "Generic API Key", - "StartLine": 182, - "EndLine": 182, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\"", - "Secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.8250706, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:182" - } -] From 9dd216c104c7942e2aa5c7c75c86c4b8848863df Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:27:08 +0000 Subject: [PATCH 25/84] updated Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 40a21e27..97c79434 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,6 @@ repos: hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - exclude: .config/.secrets.baseline - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 From 388f85061c0b8ffe04d9a10173666e0542c1b02b Mon Sep 17 00:00:00 2001 
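Review bot: Dropping `exclude: .config/.secrets.baseline` from the gitleaks hook while `args: ['--baseline-path', '.config/.gitleaks-report.json']` still points at the report deleted in the previous commit leaves the hook in a contradictory state: gitleaks will now scan the detect-secrets baseline again, and that is exactly the file every finding in the deleted report came from (its `hashed_secret` sha1 values trip `generic-api-key`), with no baseline left to suppress them, so the hook is likely to either error on the missing baseline or fail on the detect-secrets file. Either keep the exclude, or remove the `--baseline-path` argument and add a `.gitleaksignore` / `[allowlist] paths = ['''.config/.secrets.baseline''']` entry in `.gitleaks.toml`, which records the exception in a reviewable place instead of a generated report.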
From: Mark Bolwell Date: Wed, 1 Nov 2023 12:27:44 +0000 Subject: [PATCH 26/84] updated Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..00d0e09d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -34,16 +34,16 @@ repos: hooks: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - exclude: .config/.gitleaks-report.json + - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v6.21.1 hooks: - id: ansible-lint name: Ansible-lint From 22f7dabfedc1afb76f45deba55129427de70f169 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:28:47 +0000 Subject: [PATCH 27/84] lint update Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 00d0e09d..f2f732af 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,6 @@ repos: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - - repo: https://github.com/gitleaks/gitleaks rev: v8.18.0 hooks: From 51b2df3a671cc1d33eb6d891a1b480283857942f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:30:39 +0000 Subject: [PATCH 28/84] fix typo Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- .github/workflows/main_pipeline_validation.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa8..39af625a 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -113,7 +113,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d90..8ded7018 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -102,7 +102,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: From fb58a03f9c8546a6158e6a6d8c62c216d4a42594 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Nov 2023 08:32:24 +0000 Subject: [PATCH 29/84] lint Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- .github/workflows/main_pipeline_validation.yml | 2 +- defaults/main.yml | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa8..39af625a 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -113,7 +113,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d90..8ded7018 100644 --- a/.github/workflows/main_pipeline_validation.yml 
+++ b/.github/workflows/main_pipeline_validation.yml @@ -102,7 +102,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/defaults/main.yml b/defaults/main.yml index 77a4a0f3..1842913e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -348,7 +348,6 @@ rhel7stig_smartcard: false # Configure your smartcard driver rhel7stig_smartcarddriver: cackey - # RHEL_07_010310 # Must be 35 or less but not 0 or -1 rhel_07_010310_inactive: 35 From ad96dd79db366370ee617846581cbd5f0554c780 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Nov 2023 08:33:36 +0000 Subject: [PATCH 30/84] updated precommit files Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 142 ---------------------------------- .pre-commit-config.yaml | 1 - 2 files changed, 143 deletions(-) delete mode 100644 .config/.gitleaks-report.json diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index bea9d1d8..00000000 --- a/.config/.gitleaks-report.json +++ /dev/null 
@@ -1,142 +0,0 @@ -[ - { - "Description": "Generic API Key", - "StartLine": 125, - "EndLine": 125, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:125" - }, - { - "Description": "Generic API Key", - "StartLine": 135, - "EndLine": 135, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"673504d3db128a01a93d32de2b104a05dc2e6859\"", - "Secret": "673504d3db128a01a93d32de2b104a05dc2e6859", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.7750704, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:135" - }, - { - "Description": "Generic API Key", - "StartLine": 145, - "EndLine": 145, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2784977b09b611a32db88f631d88a5806605967e\"", - "Secret": "2784977b09b611a32db88f631d88a5806605967e", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.718454, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": 
"2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:145" - }, - { - "Description": "Generic API Key", - "StartLine": 153, - "EndLine": 153, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:153" - }, - { - "Description": "Generic API Key", - "StartLine": 163, - "EndLine": 163, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", - "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.8439426, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:163" - }, - { - "Description": "Generic API Key", - "StartLine": 172, - "EndLine": 172, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"fd917ab33fb6bd01e799f4b72da0586589cd909a\"", - "Secret": 
"fd917ab33fb6bd01e799f4b72da0586589cd909a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.808695, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:172" - }, - { - "Description": "Generic API Key", - "StartLine": 182, - "EndLine": 182, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\"", - "Secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.8250706, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:182" - } -] diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 40a21e27..97c79434 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,6 @@ repos: hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - exclude: .config/.secrets.baseline - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 From 444074df1e271f4a156a5233ca86d69f2c0ae1c8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 14 Nov 2023 16:28:23 +0000 Subject: [PATCH 31/84] rhel7stig_boot_part variable now discovered 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 -- tasks/prelim.yml | 15 +++------------ 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5310cee1..d773ab60 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -693,8 +693,6 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}" -rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}" - rhel7stig_legacy_boot_path: '/boot/grub2/' rhel7stig_efi_boot_path: '/boot/efi/EFI/' diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8bfaf00b..5c66c1a1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -300,18 +300,6 @@ - RHEL-07-031000 - RHEL-07-031010 -- name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions" - ansible.builtin.shell: df --output=target /boot | tail -n 1 - changed_when: false - check_mode: false - register: rhel_07_boot_part - when: - - rhel_07_021350 - tags: - - cat1 - - high - - RHEL-07-021350 - - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins @@ -443,6 +431,7 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false + rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path @@ -452,6 +441,7 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false + rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution == 'CentOS' 
@@ -461,6 +451,7 @@ rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" rhel7stig_legacy_boot: true + rhel7stig_boot_part: /boot when: not rhel7_efi_boot.stat.exists - name: PRELIM | output bootloader and efi state From 6276776d77ab640872d7aba4365b765516d80110 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 14 Nov 2023 17:22:51 +0000 Subject: [PATCH 32/84] tidy up of rhel7stig_boot_part variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ tasks/prelim.yml | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d773ab60..89b65ab1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -693,6 +693,8 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}" +rhel7stig_boot_part: /boot + rhel7stig_legacy_boot_path: '/boot/grub2/' rhel7stig_efi_boot_path: '/boot/efi/EFI/' diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5c66c1a1..17fe42bb 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -431,7 +431,6 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false - rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path @@ -441,7 +440,6 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false - rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution == 'CentOS' 
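Review bot: `rhel7stig_boot_part: /boot` in defaults is a constant, so the guard `rhel7stig_boot_part not in ['/', '']` that RHEL-07-021350 uses in fix-cat1.yml is now always true, and the `df --output=target /boot` discovery removed two commits earlier, which yielded `/` when /boot is not a separate filesystem, has no replacement — despite the commit title saying the variable is "discovered". On a host without a separate /boot the role may now try to add `boot=` to the kernel command line, which is precisely the case the STIG check says to skip and which can leave FIPS failing to initialise at boot; the added `item.uuid is defined` guard may mask this but that depends on what the loop iterates, which is outside this hunk. Derive it from facts instead: `rhel7stig_boot_part: "{{ '/boot' if (ansible_mounts | selectattr('mount', 'equalto', '/boot') | list | length > 0) else '/' }}"`.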
@@ -451,7 +449,6 @@ rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" rhel7stig_legacy_boot: true - rhel7stig_boot_part: /boot when: not rhel7_efi_boot.stat.exists - name: PRELIM | output bootloader and efi state From ad3b174385559e249b5d644bb058c50bc660dc5f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Nov 2023 17:23:22 +0000 Subject: [PATCH 33/84] changed logic on 20620 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0355d7a5..efc68379 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1554,7 +1554,7 @@ label: "{{ rhel7stig_passwd_label }}" when: - rhel_07_020620 - - rhel7stig_interactive_uid_start | int <= item.uid + - item.uid >= rhel7stig_interactive_uid_start | int tags: - RHEL-07-020620 - CAT2 From 617e0084622f1fcdf8be449221d2a0c4ba8c98f4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Nov 2023 18:23:48 +0000 Subject: [PATCH 34/84] updated logic for uuid Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a46c1f74..37dd1f24 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -441,6 +441,7 @@ - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." block: + - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." ansible.builtin.replace: path: /etc/default/grub @@ -456,6 +457,7 @@ insert: true when: - rhel7stig_boot_part not in ['/', ''] + - item.uuid is defined - not ansible_check_mode or rhel7_stig_grub_template is not changed notify: confirm grub2 user cfg 
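Review bot: The new condition `item.uid >= rhel7stig_interactive_uid_start | int` is equivalent to the old one (`|` binds tighter than `>=` in Jinja), so despite the commit title this hunk changes no behaviour; if a real logic change was intended it is not here. While touching it, cast the left side as well, `item.uid | int >= rhel7stig_interactive_uid_start | int`, since a string uid from a parsed passwd entry would raise a TypeError on Python 3 rather than be filtered. The loop and task this `when:` belongs to start above the hunk.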
@@ -474,9 +476,9 @@ - ansible_check_mode - rhel_07_021350_audit is failed failed_when: - - rhel_07_021350_audit is failed - - not ansible_check_mode or - rhel_07_021350_audit.rc > 1 + - rhel_07_021350_audit.rc not in [ 0, 1 ] + - not ansible_check_mode + when: - not ansible_check_mode or rhel7_stig_grub_template is not changed From 6e7329b786396c601791d3221e9a2ba4f76e5dac Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 14:06:20 +0000 Subject: [PATCH 35/84] removed extra line Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 37dd1f24..a8dab97d 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -441,7 +441,6 @@ - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." block: - - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." ansible.builtin.replace: path: /etc/default/grub From 207be13c6f3cb0d66a23ef95dde5e1b1b1d9ab34 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 11 Jan 2024 15:29:34 +0000 Subject: [PATCH 36/84] removed doc dir Signed-off-by: Mark Bolwell --- doc/README.md | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 doc/README.md diff --git a/doc/README.md b/doc/README.md deleted file mode 100644 index 923de017..00000000 --- a/doc/README.md +++ /dev/null @@ -1,7 +0,0 @@ -To generate the documentation on a RHEL/CentOS 7 system, take the following steps: -1. Install required packages: - * `yum install python3-pip python-sphinx` -2. Install the requirements: - * `sudo pip3 install -r requirements.txt` -3. Generate the documentation: - * `make singlehtml` From 3901021fabd66678a590e443d00edaebed177bd5 Mon Sep 17 00:00:00 2001 
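Review bot: The rewritten `failed_when` requires `not ansible_check_mode`, so in check mode a return code outside 0/1 from the audit command (for example rc 2 from grep on a missing file) is now silently accepted, whereas the old expression still failed on `rc > 1` in check mode; `rhel_07_021350_audit.rc not in [0, 1]` on its own is the correct test and the check-mode clause should be dropped. If the audit task is declared `check_mode: false` (its header is above this hunk) the command still runs during a dry run, so this hides a genuine failure exactly where operators rely on the audit result.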
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:33:41 +0000 Subject: [PATCH 37/84] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.21.1...v6.22.2) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f2f732af..43020660 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,13 +36,13 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 + rev: v8.18.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.21.1 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint @@ -61,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.33.0 # or higher tag hooks: - id: yamllint From 594ece92b5f0189ec4daf1313d54eada17765796 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 10:15:35 +0000 Subject: [PATCH 38/84] Issue #446 tag update to always - thanks to @prestonSeaman2 Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 17fe42bb..a4cdb913 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -159,13 +159,7 @@ rhel_07_010491 or rhel_07_021350 tags: - - cat1 - - high - - RHEL-07-010481 - - RHEL-07-010482 - - RHEL-07-010483 - - RHEL-07-010491 - - RHEL-07-021350 + - always - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | RHEL-07-021700 | Check whether machine is UEFI-based" ansible.builtin.stat: From e401d83f636572fd2d8caebf976d32f6252ee390 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 10:19:02 +0000 Subject: [PATCH 39/84] conditional updated 021000 & 021010 #448 thanks @erosen03 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index efc68379..1ea2f6de 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2042,7 +2042,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - "'nosuid' not in removable_mount.options" - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." ansible.posix.mount: @@ -2055,7 +2055,7 @@ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - "'nosuid' not in removable_mount2.options" when: - rhel_07_021010 - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container) From 1f997b7d37d128f41498546f62637bb34b6c18f3 Mon Sep 17 00:00:00 2001 
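Review bot: Replacing the rule-ID tags with a bare `always` means this prelim task can no longer be excluded with `--skip-tags RHEL-07-021350` (or any of the removed IDs), because `always` is now its only tag; the `when:` list above it, which starts outside the hunk, still gates on the rule variables, so `always` only changes tag selection. If opting out by tag is still wanted, keep the rule tags alongside it, i.e. `- always` followed by the existing `- RHEL-07-010481` … `- RHEL-07-021350` entries, since `--skip-tags` takes precedence over `always`. The enclosing task starts outside the hunk.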
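Review bot: `'nosuid' not in removable_mount.options` (and `removable_mount2.options` in the second hunk of this patch) is a substring test against the comma-separated mount-options string rather than a membership test on the option list, so it is exact only by accident of option naming. Splitting first makes the intent explicit: `- "'nosuid' not in removable_mount.options.split(',')"`. The preceding `selectattr(...) | length != 0` entry is what keeps `.options` from being evaluated on a null `json_query` result, so its position in the list must stay as it is. The enclosing task starts outside the hunk.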
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 16:56:56 +0000 Subject: [PATCH 40/84] [pre-commit.ci] pre-commit autoupdate (#451) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.18.1...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.2...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.34.0](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.34.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 43020660..0fc547e5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,13 +36,13 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.1 + rev: v8.18.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.2 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -61,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.33.0 # or higher tag + rev: v1.34.0 # or higher tag hooks: - id: yamllint From dfe8425696553ccf11e76a689681ce1a0fec83d4 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 5 Mar 2024 08:47:27 +0000 Subject: [PATCH 41/84] [pre-commit.ci] pre-commit autoupdate (#454) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/adrienverge/yamllint.git: v1.34.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.34.0...v1.35.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0fc547e5..82858b54 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -61,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.34.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint From df38ef9fb460e7ec8a866f93b2ec6ae39653057a Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Wed, 6 Mar 2024 10:41:22 +0000 Subject: [PATCH 42/84] Feb 24 updates (#455) * issue #452 addressed * issue #453 addressed * updated for galaxy_ng reqs --------- Signed-off-by: Mark Bolwell --- README.md | 4 ++ meta/main.yml | 4 +- templates/audit/99_auditd.rules.j2 | 80 +++++++++++++++--------------- 3 files changed, 46 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index 70be8088..f8a2adec 100644 --- a/README.md +++ b/README.md @@ -220,3 +220,7 @@ pre-commit run ## Credits This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) + +Massive thanks to the fantastic community and all its members. +This includes a huge thanks and credit to the original authors and maintainers. +Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell diff --git a/meta/main.yml b/meta/main.yml index a028684f..6a51cb12 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -1,6 +1,6 @@
 ---
 galaxy_info:
- author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell"
+ author: "MindPoint Group"
 description: "Apply the DISA RHEL 7 STIG"
 company: "MindPoint Group"
 license: MIT
@@ -10,7 +10,7 @@ galaxy_info:
 platforms:
 - name: EL
 versions:
- - 7
+ - '7'
 galaxy_tags:
 - system
 - security
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index 445e5ef7..8452a493 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -8,41 +8,41 @@ {% endif %} {% if rhel_07_030370 %} --a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod {% endif %} {% if rhel_07_030410 %} --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod {% endif %} {% if rhel_07_030440 %} --a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod {% endif %} {% if rhel_07_030510 %} --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k 
access --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access {% endif %} {% if rhel_07_030560 %} --a always,exit -F path=/usr/sbin/semanage -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030570 %} --a always,exit -F path=/usr/sbin/setsebool -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030580 %} --a always,exit -F path=/usr/bin/chcon -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/chcon -F perm=x 
-F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030590 %} --a always,exit -F path=/usr/sbin/setfiles -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030610 %} 
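Review bot: The audit threshold now comes from the role variable `rhel7stig_interactive_uid_start` instead of the value previously read at run time (`rhel7stig_min_uid.stdout`), so if the variable's default (not visible here) does not match the host's `UID_MIN` in `/etc/login.defs`, interactive users below it drop out of every `auid>=` rule in this template; confirm the default is derived from `login.defs` or document that it must be overridden per host. While these lines are being touched, `{{ rhel7stig_interactive_uid_start}}` is missing the space before `}}` that the module-change rules later in the file use; `{{ rhel7stig_interactive_uid_start }}` keeps the template consistent. PATCH 43/84 replays this same hunk, and the same comments apply there.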
@@ -54,31 +54,31 @@ {% endif %} {% if rhel_07_030630 %} --a always,exit -F path=/usr/bin/passwd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030640 %} --a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030650 %} --a always,exit -F path=/usr/bin/gpasswd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030660 %} --a always,exit -F path=/usr/bin/chage -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030670 %} --a always,exit -F path=/usr/sbin/userhelper -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030680 %} --a always,exit -F path=/usr/bin/su -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030690 %} --a always,exit -F path=/usr/bin/sudo -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F 
auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030700 %} 
@@ -87,56 +87,56 @@ {% endif %} {% if rhel_07_030710 %} --a always,exit -F path=/usr/bin/newgrp -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030720 %} --a always,exit -F path=/usr/bin/chsh -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030740 %} --a always,exit -F arch=b32 -S mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount --a always,exit -F arch=b64 -S mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount --a always,exit -F path=/usr/bin/mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount +-a always,exit -F arch=b32 -S mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount +-a always,exit -F arch=b64 -S mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount {% endif %} {% if rhel_07_030750 %} --a always,exit -F path=/usr/bin/umount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount {% endif %} {% if rhel_07_030760 %} --a always,exit -F path=/usr/sbin/postdrop -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-postfix +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-postfix {% endif %} {% if rhel_07_030770 %} --a always,exit -F 
path=/usr/sbin/postqueue -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-postfix {% endif %} {% if rhel_07_030780 %} --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-ssh +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-ssh {% endif %} {% if rhel_07_030800 %} --a always,exit -F path=/usr/bin/crontab -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-cron +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-cron {% endif %} {% if rhel_07_030810 %} --a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-pam +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-pam {% endif %} {% if rhel_07_030819 %} --a always,exit -F arch=b32 -S create_module -k module-change --a always,exit -F arch=b64 -S create_module -k module-change +-a always,exit -F arch=b32 -S create_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change +-a always,exit -F arch=b64 -S create_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change {% endif %} {% if rhel_07_030820 %} --a always,exit -F arch=b32 -S init_module,finit_module -k modulechange --a always,exit -F arch=b64 -S init_module,finit_module -k modulechange +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{ rhel7stig_interactive_uid_start }} -k modulechange +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{ rhel7stig_interactive_uid_start }} -k modulechange {% endif %} {% if rhel_07_030830 %} --a always,exit -F arch=b32 -S 
delete_module -k module-change --a always,exit -F arch=b64 -S delete_module -k module-change +-a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change +-a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change {% endif %} {% if rhel_07_030840 %} @@ -164,6 +164,6 @@ {% endif %} {% if rhel_07_030910 %} --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k delete {% endif %} From 82abd513bfad6dba2e309f4a6ff275a15f3f5db9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Mar 2024 11:39:07 +0000 Subject: [PATCH 43/84] incorporated Feb_24 fixes Signed-off-by: Mark Bolwell --- README.md | 6 +++ templates/audit/99_auditd.rules.j2 | 80 +++++++++++++++--------------- 2 files changed, 46 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index 2309d92a..9d9c4d84 100644 --- a/README.md +++ b/README.md @@ -220,3 +220,9 @@ pre-commit run ## Credits This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) + +Massive thanks to the fantastic community and all its members. + +This includes a huge thanks and credit to the original authors and maintainers. + +- Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 445e5ef7..8452a493 100644 --- a/templates/audit/99_auditd.rules.j2 
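Review bot: In the `rhel_07_030740` block, `-F perm=x` is added to the two syscall rules `-S mount` as well as to the `path=/usr/bin/mount` rule; the `perm` filter is matched against the syscall's audit file-operation class, and `mount` is not an execute-class syscall, so those two rules are likely never to fire, which silently removes the mount() syscall coverage the check expects. Keep `-F perm=x` only on the `path=` rule and leave the syscall rules as `-a always,exit -F arch=b32 -S mount -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount` (and the b64 twin). The new `auid>=` filters on the module-change rules omit the `-F auid!=unset` that every other rule here carries; that keeps daemon-initiated (unset auid) module loads audited, which is probably intended, but a template comment saying so would stop someone "fixing" it later. PATCH 43/84 replays this hunk unchanged, so the same applies there.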
+++ b/templates/audit/99_auditd.rules.j2 
@@ -8,41 +8,41 @@ {% endif %} {% if rhel_07_030370 %} --a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod {% endif %} {% if rhel_07_030410 %} --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod {% endif %} {% if rhel_07_030440 %} --a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k perm_mod {% endif %} {% if rhel_07_030510 %} --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k 
access --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k access {% endif %} {% if rhel_07_030560 %} --a always,exit -F path=/usr/sbin/semanage -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030570 %} --a always,exit -F path=/usr/sbin/setsebool -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030580 %} --a always,exit -F path=/usr/bin/chcon -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/chcon -F perm=x 
-F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030590 %} --a always,exit -F path=/usr/sbin/setfiles -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030610 %} 
@@ -54,31 +54,31 @@ {% endif %} {% if rhel_07_030630 %} --a always,exit -F path=/usr/bin/passwd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030640 %} --a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030650 %} --a always,exit -F path=/usr/bin/gpasswd -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030660 %} --a always,exit -F path=/usr/bin/chage -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030670 %} --a always,exit -F path=/usr/sbin/userhelper -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-passwd +-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-passwd {% endif %} {% if rhel_07_030680 %} --a always,exit -F path=/usr/bin/su -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030690 %} --a always,exit -F path=/usr/bin/sudo -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F 
auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030700 %} 
@@ -87,56 +87,56 @@ {% endif %} {% if rhel_07_030710 %} --a always,exit -F path=/usr/bin/newgrp -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030720 %} --a always,exit -F path=/usr/bin/chsh -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-priv_change {% endif %} {% if rhel_07_030740 %} --a always,exit -F arch=b32 -S mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount --a always,exit -F arch=b64 -S mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount --a always,exit -F path=/usr/bin/mount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount +-a always,exit -F arch=b32 -S mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount +-a always,exit -F arch=b64 -S mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount +-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount {% endif %} {% if rhel_07_030750 %} --a always,exit -F path=/usr/bin/umount -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-mount +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-mount {% endif %} {% if rhel_07_030760 %} --a always,exit -F path=/usr/sbin/postdrop -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-postfix +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-postfix {% endif %} {% if rhel_07_030770 %} --a always,exit -F 
path=/usr/sbin/postqueue -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-postfix {% endif %} {% if rhel_07_030780 %} --a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-ssh +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-ssh {% endif %} {% if rhel_07_030800 %} --a always,exit -F path=/usr/bin/crontab -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-cron +-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-cron {% endif %} {% if rhel_07_030810 %} --a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k privileged-pam +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k privileged-pam {% endif %} {% if rhel_07_030819 %} --a always,exit -F arch=b32 -S create_module -k module-change --a always,exit -F arch=b64 -S create_module -k module-change +-a always,exit -F arch=b32 -S create_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change +-a always,exit -F arch=b64 -S create_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change {% endif %} {% if rhel_07_030820 %} --a always,exit -F arch=b32 -S init_module,finit_module -k modulechange --a always,exit -F arch=b64 -S init_module,finit_module -k modulechange +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{ rhel7stig_interactive_uid_start }} -k modulechange +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{ rhel7stig_interactive_uid_start }} -k modulechange {% endif %} {% if rhel_07_030830 %} --a always,exit -F arch=b32 -S 
delete_module -k module-change --a always,exit -F arch=b64 -S delete_module -k module-change +-a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change +-a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel7stig_interactive_uid_start }} -k module-change {% endif %} {% if rhel_07_030840 %} @@ -164,6 +164,6 @@ {% endif %} {% if rhel_07_030910 %} --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_min_uid.stdout}} -F auid!=unset -k delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>={{ rhel7stig_interactive_uid_start}} -F auid!=unset -k delete {% endif %} From e277b23fe9458893ea081b1a70849f6aba21f509 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Mar 2024 12:08:40 +0000 Subject: [PATCH 44/84] v3r14 ref updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 11 +++++++++++ defaults/main.yml | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/ChangeLog.md b/ChangeLog.md index 16e9886b..363e9a52 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,16 @@ # Changelog +## 3.2 STIG v3R14 24th Jan 2024 + +- RHEL-07-020019 - title and ruleid update +- RHEL-07-020022 - ruleid update +- RHEL-07-020210 - ruleid update +- RHEL-07-020220 - ruleid update +- RHEL-07-020100 - ruleid update and bin/false +- RHEL-07-020101 - ruleid update and bin/false +- RHEL-07-040180 - ruleid update and bin/false +- RHEL-07-040190 - ruleid update and bin/false + ## 3.1 STIG V3R13 25th Oct 2023 - RHEL_07_010310 - ruleid updated and INACTIVE var created diff --git a/defaults/main.yml b/defaults/main.yml index 3c6b0a42..0b05aca4 100644 --- a/defaults/main.yml 
+++ b/defaults/main.yml @@ -13,7 +13,7 @@ python2_bin: /bin/python2.7 # audit variable found at the base benchmark: RHEL7-STIG ## metadata for Audit benchmark -benchmark_version: 'v3r13' +benchmark_version: 'v3r14' # Whether to skip the reboot rhel7stig_skip_reboot: true From 09e75c83fec9c418c37e70e8258c35eb6112ff9c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Mar 2024 12:09:27 +0000 Subject: [PATCH 45/84] v3r14 update Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9d9c4d84..dddbdb35 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL7 based system to be complaint with Disa STIG -This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 13 released on October 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R13_STIG.zip). +This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 14 released on January 24, 2024 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R14_STIG.zip). --- From 82d5761acd2ef38d371e948846a5bb9c62a4067b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Mar 2024 12:12:06 +0000 Subject: [PATCH 46/84] associated rule updated v3r14 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5d78599b..dfd7e744 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1292,7 +1292,7 @@ - file: /etc/modprobe.d/usb-storage.conf insertafter: "^#install usb-storage" regexp: "^install usb-storage" - line: install usb-storage /bin/true + line: install usb-storage /bin/false when: - rhel_07_020100 tags: @@ -1302,7 +1302,7 @@ - CCI-000778 - CCI-000366 - SRG-OS-000114-GPOS-00059 - - SV-204449r603261_rule + - SV-204449r942894_rule - V-204449 - usb_devices 
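Review bot: Switching the modprobe `install` directive to `/bin/false` makes an explicit `modprobe usb-storage` exit non-zero, which is the updated wording, but it only blocks future loads; nothing in the hunk unloads a module that is already resident, so the control is not effective until reboot or an explicit unload — the enclosing task starts outside the hunk, so confirm it handles a loaded module or note that a reboot is required. The same applies to the `dccp` hunk in the following lines. Separately, the usb-storage `regexp: "^install usb-storage"` has no trailing space while the dccp one is `"^install dccp "`; anchoring both the same way (`"^install usb-storage "`) avoids matching a longer module name.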
@@ -1324,7 +1324,7 @@ - file: /etc/modprobe.d/dccp.conf insertafter: ^#install dccp regexp: "^install dccp " - line: install dccp /bin/true + line: install dccp /bin/false when: - rhel_07_020101 tags: @@ -1332,7 +1332,7 @@ - CAT2 - CCI-001958 - SRG-OS-000378-GPOS-00163 - - SV-204450r603261_rule + - SV-204450r942897_rule - V-204450 - dccp @@ -1382,7 +1382,7 @@ - CCI-002696 - CCI-002165 - SRG-OS-000445-GPOS-00199 - - SV-204453r754746_rule + - SV-204453r942900_rule - V-204453 - RHEL-07-020220 - SV-204454r754748_rule @@ -3399,10 +3399,10 @@ - SV-204581r603261_rule - V-204581 - RHEL-07-040190 - - SV-204582r603261_rule + - SV-204582r942909_rule - V-204582 - RHEL-07-040200 - - SV-204583r603261_rule + - SV-204583r942912_rule - V-204583 - ldap @@ -4444,11 +4444,11 @@ - wifi - networking -- name: "MEDIUM | RHEL-07-020019 | AUDIT | The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed." +- name: "MEDIUM | RHEL-07-020019 | AUDIT | The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool." ansible.builtin.debug: msg: - - "Please install and enable the latest McAfee HIPS package, available from USCYBERCOM." - - "If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." + - "Please Install and enable the latest Trellix ENSLTP package." + - "If the system does not support the Trellix ENSLTP package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." when: - rhel_07_020019 tags: @@ -4457,7 +4457,7 @@ - CAT2 - CCI-001263 - SRG-OS-000480-GPOS-00227 - - SV-214800r603261_rule + - SV-214800r942888_rule - V-214800 - antivirus 
@@ -4758,7 +4758,7 @@ - CCI-002165 - CI-002235 - SRG-OS-000324-GPOS-00125 - - SV-250313r792846_rule + - SV-250313r942891_rule - V-250313 - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" From 6d800a48f7c5bd357fd3f874ae695efa470b0e4f Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Thu, 14 Mar 2024 16:03:43 +0000 Subject: [PATCH 47/84] Stig v3r13 into devel (#457) * updated version Signed-off-by: Mark Bolwell * quoted version Signed-off-by: Mark Bolwell * updated rule id 020230 Signed-off-by: Mark Bolwell * rule ids and inactive variable added Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell * lint Signed-off-by: Mark Bolwell * updated precommit files Signed-off-by: Mark Bolwell * incorporated Feb_24 fixes Signed-off-by: Mark Bolwell --------- Signed-off-by: Mark Bolwell Signed-off-by: uk-bolly --- ChangeLog.md | 9 +++++++++ README.md | 8 +++++--- defaults/main.yml | 5 ++++- tasks/fix-cat1.yml | 3 ++- tasks/fix-cat2.yml | 18 +++++++++--------- 5 files changed, 29 insertions(+), 14 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 608849fd..16e9886b 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,14 @@ # Changelog +## 3.1 STIG V3R13 25th Oct 2023 + +- RHEL_07_010310 - ruleid updated and INACTIVE var created +- RHEL_07_020020 - ruleid +- RHEL_07_020021 - ruleid +- RHEL_07_020023 - ruleid +- RHEL_07_020230 - ruleid +- RHEL_07_021700 - ruleid + ## 3.0 Stig V3R12 26th July 2023 - RHEL-07-010199 - pamd password and system auth rewrite and ruleid updated diff --git a/README.md b/README.md index f8a2adec..9d9c4d84 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ ## Configure a RHEL7 based system to be complaint with Disa STIG -This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R12_STIG.zip). +This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 13 released on October 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R13_STIG.zip). --- @@ -47,7 +47,7 @@ Configure a RHEL 7 system to be DISA STIG compliant. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `true`. -# Caution(s) +## Caution(s) This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. @@ -222,5 +222,7 @@ pre-commit run This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) Massive thanks to the fantastic community and all its members. + This includes a huge thanks and credit to the original authors and maintainers. -Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell + +- Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell diff --git a/defaults/main.yml b/defaults/main.yml index 89b65ab1..3c6b0a42 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,7 +13,7 @@ python2_bin: /bin/python2.7 # audit variable found at the base benchmark: RHEL7-STIG ## metadata for Audit benchmark -benchmark_version: 'v3r12' +benchmark_version: 'v3r13' # Whether to skip the reboot rhel7stig_skip_reboot: true 
@@ -348,6 +348,9 @@ rhel7stig_smartcard: false # Configure your smartcard driver rhel7stig_smartcarddriver: cackey +# RHEL_07_010310 +# Must be 35 or less but not 0 or -1 +rhel_07_010310_inactive: 35 # RHEL_07_020020 # Set "selinux_change_users" false to disable this control's actions and just report results. # You will need to adjust the paths for installed HIPS/HBSS for this control. diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a8dab97d..1ab19f04 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -1,4 +1,5 @@ --- + - name: "HIGH | RHEL-07-010010 | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." block: - name: "HIGH | RHEL-07-010010 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." @@ -306,7 +307,7 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204455r833106_rule + - SV-204455r928574_rule - V-204455 - systemctl diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 1ea2f6de..5d78599b 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -756,7 +756,7 @@ ansible.builtin.lineinfile: path: /etc/default/useradd regexp: ^#?INACTIVE - line: INACTIVE=35 + line: "INACTIVE={{ rhel_07_010310_inactive }}" when: - rhel_07_010310 tags: 
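Review bot: `INACTIVE={{ rhel_07_010310_inactive }}` is written to /etc/default/useradd without validating the new variable, although the defaults comment says it must be 35 or less and neither 0 nor -1; a user who sets -1 (inactivity lockout disabled) gets a clean, compliant-looking task run that fails the STIG check. I'd add an assert before the lineinfile, e.g. `ansible.builtin.assert: { that: [rhel_07_010310_inactive | int > 0, rhel_07_010310_inactive | int <= 35], fail_msg: "rhel_07_010310_inactive must be between 1 and 35" }`. Note also that this file only governs newly created accounts; existing users keep their current inactivity value, which this task does not touch (and, as far as I can tell, the STIG check for this rule does not cover).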
@@ -1167,15 +1167,15 @@ # ############################## # This control should be manually implemented -- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." +- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." block: - - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users" + - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users" ansible.builtin.shell: semanage login -l changed_when: false failed_when: false register: rhel_07_020020_sel_auth_users - - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users" + - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users" ansible.builtin.debug: msg: - "Warning!! Below is your SELinux user/group list. 
Please review and make sure all of the following are met:" @@ -1184,7 +1184,7 @@ - "{{ rhel_07_020020_sel_auth_users.stdout_lines }}" when: rhel_07_020020_sel_auth_users.stdout | length > 0 - - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed" + - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed" ansible.builtin.debug: msg: - "Warning!! You do not have semanage installed! Please installed the needed packages" @@ -1197,7 +1197,7 @@ - CCI-002235 - CCI-002165 - SRG-OS-000324-GPOS-00125 - - SV-204444r754744_rule + - SV-204444r928571_rule - V-204444 - name: "MEDIUM | RHEL-07-020028 | PATCH | The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel." @@ -2307,7 +2307,7 @@ - CCI-001813 - CCI-000318 - SRG-OS-000364-GPOS-00151 - - SV-204501r603261_rule + - SV-204501r928576_rule - V-204501 - grub - bootloader @@ -4742,7 +4742,7 @@ - CCI-002165 - CCI-002235 - SRG-OS-000324-GPOS-00125 - - SV-250312r792843_rule + - SV-250312r928579_rule - V-250312 - name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH." @@ -4791,5 +4791,5 @@ - CCI-002165 - CCI-002235 - SRG-OS-000324-GPOS-00125 - - SV-250314r861076_rule + - SV-250314r877392_rule - V-250314 From 8911cbd9611b6584f18422e143c73072087962f2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 19 Mar 2024 11:47:30 +0000 Subject: [PATCH 48/84] updated meta 
Signed-off-by: Mark Bolwell --- meta/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/main.yml b/meta/main.yml index e3c413a8..6a51cb12 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,6 +1,6 @@ --- galaxy_info: - author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell" + author: "MindPoint Group" description: "Apply the DISA RHEL 7 STIG" company: "MindPoint Group" license: MIT From 91fd0d96d4ae6752c2ed274237ee10600d3fb4a5 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 10:58:28 +0100 Subject: [PATCH 49/84] [pre-commit.ci] pre-commit autoupdate (#458) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.5.0...v4.6.0) - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](https://github.com/ansible-community/ansible-lint/compare/v24.2.0...v24.2.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 82858b54..5f7e3c0c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: # Safety - id: detect-aws-credentials @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.0 + rev: v24.2.1 hooks: - id: ansible-lint name: Ansible-lint From 16f3465da60eaf1dad25907c296c3a12554471a4 Mon Sep 17 00:00:00 2001 
From: Frederick Witty Date: Thu, 11 Apr 2024 11:16:48 -0400 Subject: [PATCH 50/84] prelim.yml fixes on when conditions on cronie passwd_tasks Signed-off-by: Frederick Witty --- tasks/prelim.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index a4cdb913..3d097c4b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -211,8 +211,7 @@ ansible_python_interpreter: "{{ python2_bin }}" when: - rhel_07_020030 or - rhel_07_020040 or - false + rhel_07_020040 tags: - cat2 - medium @@ -234,8 +233,7 @@ rhel_07_020670 or rhel_07_020680 or rhel_07_020690 or - rhel_07_020700 or - false + rhel_07_020700 tags: - cat2 - medium From c7ebdb09be3a1d45f837790622e0d45117b83e14 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 15 Apr 2024 12:34:04 +0100 Subject: [PATCH 51/84] audit rewrite and logic improvements Signed-off-by: Mark Bolwell --- ChangeLog.md | 4 + defaults/main.yml | 102 ++++++++------------ tasks/LE_audit_setup.yml | 24 +++-- tasks/audit_only.yml | 30 ++++++ tasks/post_remediation_audit.yml | 32 ++++--- tasks/pre_remediation_audit.yml | 106 +++++++++++---------- tasks/prelim.yml | 144 ++++++++++++++++------------- templates/ansible_vars_goss.yml.j2 | 1 - vars/audit.yml | 40 ++++++++ 9 files changed, 283 insertions(+), 200 deletions(-) create mode 100644 tasks/audit_only.yml create mode 100644 vars/audit.yml diff --git a/ChangeLog.md b/ChangeLog.md index 363e9a52..86a695a3 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -2,6 +2,10 @@ ## 3.2 STIG v3R14 24th Jan 2024 +- Audit updated + - moved audit into prelim + - updates to audit logic for copy and archive options + - RHEL-07-020019 - title and ruleid update - RHEL-07-020022 - ruleid update - RHEL-07-020210 - ruleid update diff --git a/defaults/main.yml b/defaults/main.yml index 0b05aca4..76f592d2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -18,27 +18,56 @@ benchmark_version: 'v3r14' # Whether to skip the reboot rhel7stig_skip_reboot: true -### Audit Binary is required on the remote host +########################################### +### Goss is required on the remote host ### +### vars/auditd.yml for other settings ### + +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false + +# enable audits to run - this runs the audit and get the latest content +run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true + +## Only run Audit do not remediate +audit_only: false +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode +fetch_audit_files: false +# Path to copy the files to will create dir structure in audit_only mode +audit_capture_files_dir: /some/location to copy to on control node +############################# + # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options -# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. 
if you wish to run from already downloaded conf audit_content: git -# enable audits to run - this runs the audit and get the latest content -run_audit: false +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true -# Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 60000 +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" + +# Where the audit logs are stored +audit_log_dir: '/opt' -### End Audit enablements #### -#### Detailed settings found at the end of this document #### +### Goss Settings ## +####### END ######## # We've defined complexity-high to mean that we cannot automatically remediate # the rule in question. In the future this might mean that the remediation 
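Review bot: The new header comment sends readers to `vars/auditd.yml`, but the file this patch creates (and the `include_vars` added to prelim loads) is `vars/audit.yml`; the `get_audit_binary_method` comment also still says "detailed settings at the bottom of this file" although the -737 hunk removes that section. Please change the header to `### see vars/audit.yml for goss binary, content and output settings ###` and drop the stale "bottom of this file" sentence. Separately, `audit_capture_files_dir: /some/location to copy to on control node` is a live value rather than a comment: with `fetch_audit_files: true` the audit_only tasks would create that literal spaced path on the controller, so an obviously invalid placeholder plus an assert that it has been overridden would fail earlier and more clearly.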
@@ -737,56 +766,3 @@ rhel7stig_world_write_files_owner_root: false # The value given to Defaults timestamp timeout= in the sudo file. # Value must be greater than 0 to conform to STIG standards rhel7stig_sudo_timestamp_timeout: 1 - -#### Audit Configuration Settings #### -# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_run_script_environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_FILE: 'goss.yml' - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - -### Audit binary settings ### -audit_bin_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' -audit_bin_path: /usr/local/bin/ -audit_bin: "{{ audit_bin_path }}goss" -audit_format: json - -# if get_audit_binary_method == download change accordingly -audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" - -## if get_audit_binary_method - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -audit_bin_copy_location: /some/accessible/path - -### Goss Audit Benchmark file ### -## managed by the control audit_content -# git -audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}_rh7" - -# copy: -audit_local_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" 
- -## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" - -# If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" - -## The following should not need changing -audit_control_file: "{{ audit_conf_dir }}goss.yml" -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" -audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index fd75cea5..7ef94b4a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
@@ -1,21 +1,33 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + when: ansible_facts.machine == "x86_64" + + - name: Pre Audit Setup | Set audit package name | ARM64 + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + when: ansible_facts.machine == "arm64" + +- name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ audit_bin_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ audit_bin_version.checksum }}" - mode: 0555 + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" + mode: '0555' when: - get_audit_binary_method == 'download' -- name: copy audit binary +- name: Pre Audit Setup | Copy audit binary ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 + mode: '0555' owner: root group: root when: diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml new file mode 100644 index 00000000..864f5bbe --- /dev/null +++ b/tasks/audit_only.yml @@ -0,0 +1,30 @@ +--- + +- name: Audit_Only | Create local Directories for hosts + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory + when: fetch_audit_files + delegate_to: localhost + become: false + +- name: Audit_only | Get audits from systems and put in group dir + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" + when: fetch_audit_files + +- name: Audit_only | Show Audit Summary + when: + - audit_only + ansible.builtin.debug: + msg: "The Audit results are: {{ pre_audit_summary }}." + +- name: Audit_only | Stop Playbook Audit Only selected + when: + - audit_only + ansible.builtin.meta: end_play 
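Review bot: The ARM64 branch of the `Set audit package name` block compares `ansible_facts.machine` with `"arm64"`, but on Linux that fact comes from `uname -m` and reports `aarch64`, so on a 64-bit ARM host `audit_pkg_arch_name` is never set and the download task dies on an undefined variable instead of fetching the ARM binary; the condition should be `when: ansible_facts.machine in ['aarch64', 'arm64']`. I'd also close the block with `ansible.builtin.assert: { that: audit_pkg_arch_name is defined, fail_msg: "unsupported architecture {{ ansible_facts.machine }} for the goss binary" }` so an unsupported machine fails with a clear message rather than a templating error inside `get_url`. Keeping the per-architecture `checksum:` lookup on the download is the right call; the checksum values themselves now live in vars/audit.yml, which is outside this excerpt, so they cannot be reviewed here.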
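Review bot: The fetched audit results land on the control node world-readable — `mode: '0755'` on the per-host directory and `mode: '0644'` on the fetched file — yet each file enumerates every STIG control the host currently fails, which is useful reconnaissance for anyone with a local account on the controller; I'd use `mode: '0750'` and `mode: '0640'` unless other local users genuinely need the reports. `recurse: true` on the `state: directory` task is also unnecessary: Ansible then applies the given mode to everything already under the path, so each re-run silently rewrites permissions on earlier results, and the flag can simply be dropped.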
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 6d20eeaa..b3111c80 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -1,44 +1,46 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: false - register: audit_run_post_remediation +- name: Post Audit | Run post_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" - mode: 0644 + mode: '0644' state: file loop: - "{{ post_audit_outfile }}" - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "Post Audit | capture data {{ post_audit_outfile }} | JSON format" + - name: capture data {{ post_audit_outfile }} ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: PostAudit | Capture post-audit result | JSON format + - name: Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Post Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "Post Audit | capture data {{ post_audit_outfile }} | documentation format" + - name: Post Audit | capture data {{ post_audit_outfile }} ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Post Audit | Capture post-audit result | documentation 
format + - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" - when: - - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 7b4d06f5..d0137e81 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
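Review bot: `ansible.builtin.shell: "cat {{ post_audit_outfile }}"` followed by `json_query` spawns a shell and requires the `community.general` collection plus the `jmespath` package on the controller just to read one key; `ansible.builtin.slurp: { src: "{{ post_audit_outfile }}" }` with `post_audit_summary: "{{ (post_audit.content | b64decode | from_json).summary['summary-line'] }}"` does the same with built-ins only, and the pre-audit task has the identical shape. The `ensure audit files readable by users` task also leaves both result files at `mode: '0644'`; they list every control the host fails, so unless non-root users need them a `'0640'` with a dedicated group is the safer default. Note that `changed_when: true` on the run_audit.sh task now reports a change on every run, which is accurate for a task that writes a file but will show in any idempotence or drift reporting.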
@@ -1,62 +1,61 @@ --- -- name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: - file: LE_audit_setup.yml +- name: Pre Audit Setup | Setup the LE audit when: - setup_audit tags: - setup_audit + ansible.builtin.include_tasks: + file: LE_audit_setup.yml -- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit Setup | If using git for content set up + when: + - audit_content == 'git' block: - - name: Pre Audit Setup | Install git (rh8 python3) + - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - when: ansible_distribution_major_version == '8' - - name: Pre Audit Setup | Install git (rh7 python2) - ansible.builtin.package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' - - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" - when: - - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server - ansible.builtin.copy: - src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 +- name: Pre Audit Setup | Copy to audit content files to server when: - audit_content == 'copy' + ansible.builtin.copy: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" + mode: preserve -- name: Pre Audit Setup | get audit content from url - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" - owner: root - group: root - mode: 0755 +- name: Pre Audit Setup | Unarchive audit content files on server + when: + - audit_content == 'archive' + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" 
+ dest: "{{ audit_conf_dest }}" + +- name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available + when: + - run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: 
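Review bot: The `get_url` branch now hands a tarball straight to `ansible.builtin.unarchive` with `remote_src` derived from the URL, and `unarchive` has no checksum parameter, so content fetched over plain `http` (which `is contains ('http')` accepts) is extracted into `{{ audit_conf_dest }}/{{ benchmark }}-Audit` and its `run_audit.sh` later executed as root with no integrity check at all; the removed `get_url` task at least allowed a `checksum:`. I'd download with `ansible.builtin.get_url` (pinned checksum, https only) and then unarchive the local copy with `remote_src: true`, as sketched below with a new `audit_conf_checksum` variable. The git branch has the same exposure in milder form: `version: "{{ audit_git_version }}"` was a branch name in the removed defaults, i.e. a moving ref, so a tag or commit pin is preferable when the checked-out script runs as root.

```yaml
- name: Pre Audit Setup | Get audit content from url
  when:
    - audit_content == 'get_url'
  block:
    - name: Pre Audit Setup | Download audit content archive (checksum verified)
      ansible.builtin.get_url:
        url: "{{ audit_conf_source }}"
        dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
        checksum: "{{ audit_conf_checksum }}"
        mode: '0600'

    - name: Pre Audit Setup | Unarchive downloaded audit content
      ansible.builtin.unarchive:
        src: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
        dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
        remote_src: true
        extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary(['--strip-components=1'], []) }}"
```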
@@ -64,31 +63,35 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available + when: + - not goss_available.stat.exists ansible.builtin.assert: - that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit + tags: + - goss_template + - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 - when: - - run_audit - tags: - - goss_template + mode: '0600' -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_pre_remediation.rc == 0 - register: audit_run_pre_remediation +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "capture data {{ pre_audit_outfile }}" + - name: Pre Audit | Capture data {{ pre_audit_outfile }} ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false 
@@ -97,19 +100,22 @@ ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Pre Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "capture data {{ pre_audit_outfile }}" + - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - - name: Pre Audit | Capture pre-audit result + - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" - when: - - audit_format == "documentation" + +- name: Audit_Only | Run Audit Only + when: + - audit_only + ansible.builtin.import_tasks: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index a4cdb913..2f28dd74 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
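Review bot: `-g \"{{ group_names }}\"` on the run_audit.sh command passes the Python list repr (e.g. `['all', 'web']`) through `shell` inside double quotes, so `$`, backticks or `"` in an inventory group name are interpreted by the shell rather than reaching the script; `-g {{ group_names | join(',') | quote }}` is deterministic and shell-safe, provided run_audit.sh accepts a comma-separated list (please check the script, it is not in this patch). The goss check is also now inverted: the assert that `goss_available.stat.exists` only runs `when: not goss_available.stat.exists`, so it exists solely to fail — `ansible.builtin.fail` with the same `msg`, or the assert without the `when`, reads more honestly. Dropping `register: audit_run_pre_remediation` in favour of `changed_when: true` is fine, but the task output is no longer available to later tasks should anyone want the script's exit status.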
@@ -1,5 +1,84 @@ --- +- name: set bootloader type + block: + - name: "PRELIM | Check whether machine is UEFI-based" + ansible.builtin.stat: + path: /sys/firmware/efi + register: rhel7_efi_boot + + - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" + ansible.builtin.set_fact: + rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" + rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path + + - name: "PRELIM | set fact if UEFI boot | CentOS " + ansible.builtin.set_fact: + rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" + rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution == 'CentOS' + + - name: "PRELIM | set if not UEFI boot" + ansible.builtin.set_fact: + rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" + rhel7stig_legacy_boot: true + when: not rhel7_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + ansible.builtin.debug: + msg: + - "bootloader path set to {{ rhel7stig_bootloader_path }}" + - "legacy boot equals {{ rhel7stig_legacy_boot }}" + tags: + - always + +- name: "PRELIM | Gather interactive user ID min" + block: + - name: "PRELIM | Gather interactive user ID min" + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel7stig_min_uid + + - name: "PRELIM | Gather interactive user ID max" + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel7stig_max_uid + + - name: "PRELIM | Setting the fact" + ansible.builtin.set_fact: + rhel7stig_interactive_uid_start: "{{ rhel7stig_min_uid.stdout }}" + rhel7stig_interactive_uid_stop: "{{ 
rhel7stig_max_uid.stdout }}" + tags: + - always + - auditd + +- name: Include audit specific variables + ansible.builtin.include_vars: audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + +- name: Include pre-remediation audit tasks + ansible.builtin.import_tasks: pre_remediation_audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + - name: "PRELIM | Check required packages installed | Python2" ansible.builtin.package: name: 
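Review bot: `rhel7stig_interactive_uid_start`/`_stop` are set straight from `rhel7stig_min_uid.stdout` and `rhel7stig_max_uid.stdout` with no fallback, and both greps run with `failed_when: false`, so on a host whose /etc/login.defs has UID_MIN or UID_MAX missing or commented out the facts silently become empty strings instead of the block failing. Any later control that treats these facts as a UID range would then presumably be comparing against `''`, which misclassifies accounts without any visible error (the block is moved into prelim here, so this is pre-existing but now on the new side). Give the facts an explicit default that treats an empty result as missing, e.g. `rhel7stig_interactive_uid_start: "{{ rhel7stig_min_uid.stdout | default('1000', true) }}"` and `rhel7stig_interactive_uid_stop: "{{ rhel7stig_max_uid.stdout | default('60000', true) }}"`, or assert both are non-empty before the set_fact.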
@@ -409,68 +488,3 @@ when: not rhel7stig_ssh_host_rsa_key_stat.stat.exists when: - rhel7stig_ssh_required - -- name: "PRELIM | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel7_efi_boot - tags: - - goss_template - - always - -- name: set bootloader type - block: - - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" - ansible.builtin.set_fact: - rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" - rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path - - - name: "PRELIM | set fact if UEFI boot | CentOS " - ansible.builtin.set_fact: - rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" - rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution == 'CentOS' - - - name: "PRELIM | set if not UEFI boot" - ansible.builtin.set_fact: - rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" - rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" - rhel7stig_legacy_boot: true - when: not rhel7_efi_boot.stat.exists - - - name: PRELIM | output bootloader and efi state - ansible.builtin.debug: - msg: - - "bootloader path set to {{ rhel7stig_bootloader_path }}" - - "legacy boot equals {{ rhel7stig_legacy_boot }}" - tags: - - always - -- name: "PRELIM | Gather interactive user ID min" - block: - - name: "PRELIM | Gather interactive user ID min" - ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' - changed_when: false - failed_when: false - register: rhel7stig_min_uid - - - name: "PRELIM | Gather interactive user ID max" - ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' - changed_when: false - failed_when: false - register: rhel7stig_max_uid - - - name: "PRELIM | Setting the fact" - 
ansible.builtin.set_fact: - rhel7stig_interactive_uid_start: "{{ rhel7stig_min_uid.stdout }}" - rhel7stig_interactive_uid_stop: "{{ rhel7stig_max_uid.stdout }}" - tags: - - always - - auditd diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 8e562654..199dac24 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -164,7 +164,6 @@ RHEL_07_030201: {{ rhel_07_030201 }} RHEL_07_030210: {{ rhel_07_030210 }} RHEL_07_030211: {{ rhel_07_030211 }} # if you set 030300 to 'true' ensure you define rhel7stig_audisp_remote_server -RHEL_07_010375: {{ rhel_07_010375 }} RHEL_07_030300: {{ rhel_07_030300 }} RHEL_07_030310: {{ rhel_07_030310 }} RHEL_07_030320: {{ rhel_07_030320 }} diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 00000000..bee39e94 --- /dev/null +++ b/vars/audit.yml 
@@ -0,0 +1,40 @@ +--- + +#### Audit Configuration Settings #### + +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 120000 + +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" + +### Goss Audit Benchmark file ### +## managed by the control audit_content +# git +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: "benchmark_{{ benchmark_version }}_rh7" + +## Goss configuration information +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" + +# If changed these can affect other products +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing + +### Audit binary settings ### +audit_bin_version: + release: v0.4.4 + AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" +audit_results: | + The audit results are: {{ pre_audit_summary }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }} From 4edeb2a4aa20dda5d6961464ce131c05b81e883c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 15 Apr 2024 13:38:18 +0100 Subject: [PATCH 52/84] added prelim to includes 
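Review bot: `audit_git_version: "benchmark_{{ benchmark_version }}_rh7"` pins the audit content to a branch, i.e. a mutable ref: whatever that branch points to at run time is checked out under `audit_conf_dir` and then executed by `run_audit.sh` with the role's privileges, so a force-pushed or compromised branch becomes code execution on every audited host. Pin to a tag or full commit SHA (or, if a branch must be tracked, verify the checked-out commit against an expected value) so the audit content is protected to the same degree as the goss binary, whose `AMD64_checksum` is fixed in this file. Note also that the only checksum defined is under the key `AMD64_checksum`, while the download task at this point in the series reads `audit_bin_version.checksum` (visible as the line removed later in patch 60), so confirm the consumer and the key name agree — otherwise the download fails on an undefined key rather than verifying anything — and add a per-architecture checksum for every build the role may fetch.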
Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2f28dd74..8cabe707 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -62,7 +62,7 @@ - always - auditd -- name: Include audit specific variables +- name: PRELIM | Include audit specific variables ansible.builtin.include_vars: audit.yml when: - run_audit or audit_only @@ -71,7 +71,7 @@ - setup_audit - run_audit -- name: Include pre-remediation audit tasks +- name: PRELIM | Include pre-remediation audit tasks ansible.builtin.import_tasks: pre_remediation_audit.yml when: - run_audit or audit_only From 509fa41dca9b9ad7b0f2f5ec2e8984d57857aa9f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 15 Apr 2024 13:40:18 +0100 Subject: [PATCH 53/84] added prelim to includes quoted Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8cabe707..70a7b5f7 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -62,7 +62,7 @@ - always - auditd -- name: PRELIM | Include audit specific variables +- name: "PRELIM | Include audit specific variables" ansible.builtin.include_vars: audit.yml when: - run_audit or audit_only @@ -71,7 +71,7 @@ - setup_audit - run_audit -- name: PRELIM | Include pre-remediation audit tasks +- name: "PRELIM | Include pre-remediation audit tasks" ansible.builtin.import_tasks: pre_remediation_audit.yml when: - run_audit or audit_only From 3508dfccee5af4f70369f2628eb0f9209111eada Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 14:11:19 +0100 Subject: [PATCH 54/84] [pre-commit.ci] pre-commit autoupdate (#461) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](https://github.com/ansible-community/ansible-lint/compare/v24.2.1...v24.2.2) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5f7e3c0c..976cd4aa 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.1 + rev: v24.2.2 hooks: - id: ansible-lint name: Ansible-lint From 2db15ef565a8155a95bdac5eee2ec0fcba5d8517 Mon Sep 17 00:00:00 2001 From: layluke Date: Thu, 2 May 2024 00:17:47 -0400 Subject: [PATCH 55/84] Excluding non-interactive logins shells from being parsed Signed-off-by: layluke --- tasks/parse_etc_passwd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index 4df03de1..0285c947 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml @@ -2,7 +2,7 @@ - name: "PRELIM | {{ rhel7stig_passwd_tasks }} | Parse /etc/passwd" block: - name: "PRELIM | {{ rhel7stig_passwd_tasks }} | Parse /etc/passwd" - ansible.builtin.shell: cat /etc/passwd + ansible.builtin.shell: cat /etc/passwd | grep -v '/sbin/nologin\|/usr/sbin/nologin' changed_when: false check_mode: false register: rhel7stig_passwd_file_audit From c0c0ba5b5908ce88509dd148ba8ffded74acaffb Mon Sep 17 00:00:00 2001 
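Review bot: The nologin filter is applied inside the shared parser, so every consumer of the parsed passwd data (this task file is parameterised by `rhel7stig_passwd_tasks`, i.e. several controls include it) now never sees accounts with a nologin shell, including any control that should consider all accounts; and because `grep -v` matches anywhere on the line, an entry whose GECOS or home field merely contains that text is dropped too, while accounts with `/bin/false` or other non-interactive shells stay in. Keep the parser complete (leave `ansible.builtin.shell: cat /etc/passwd` as it was) and filter at the consumer on the parsed shell field, e.g. `{{ rhel7stig_passwd | rejectattr('shell', 'search', 'nologin$') | list }}`, assuming the regex's named groups include `shell`. As written the pipeline's exit status is grep's, and `grep -v` exits 1 when it selects nothing, so with no `failed_when` the task would fail outright on a host where every line is filtered out.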
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 17 Jun 2024 17:46:11 +0000 Subject: [PATCH 56/84] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/Yelp/detect-secrets: v1.4.0 → v1.5.0](https://github.com/Yelp/detect-secrets/compare/v1.4.0...v1.5.0) - [github.com/gitleaks/gitleaks: v8.18.2 → v8.18.4](https://github.com/gitleaks/gitleaks/compare/v8.18.2...v8.18.4) - [github.com/ansible-community/ansible-lint: v24.2.2 → v24.6.0](https://github.com/ansible-community/ansible-lint/compare/v24.2.2...v24.6.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 976cd4aa..9dbbb0ae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -30,19 +30,19 @@ repos: # Scan for passwords - repo: https://github.com/Yelp/detect-secrets - rev: v1.4.0 + rev: v1.5.0 hooks: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.2 + rev: v8.18.4 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.2 + rev: v24.6.0 hooks: - id: ansible-lint name: Ansible-lint From a57f56ed0d1d9a696332a3f9a879c3257301284d Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 17:49:45 +0000 Subject: [PATCH 57/84] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.6.0 → v24.7.0](https://github.com/ansible-community/ansible-lint/compare/v24.6.0...v24.7.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9dbbb0ae..9b4a326a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.6.0 + rev: v24.7.0 hooks: - id: ansible-lint name: Ansible-lint From c5936ffc08df04beb4a048471d7f73b273572dfc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 13:02:20 +0100 Subject: [PATCH 58/84] 21350 improvements Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 202 +++++++++++++++++++++++---------------------- tasks/prelim.yml | 138 +++++++++++++++++++++---------- 2 files changed, 200 insertions(+), 140 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 1ab19f04..70f00751 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -43,31 +43,31 @@ - V-204392 - permissions -- name: "HIGH | RHEL-07-010020 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." +- name: "HIGH | RHEL-07-021350 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." block: - - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." + - name: "HIGH | RHEL-07-021350 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." ansible.builtin.shell: 'rpm -Va --noconfig --nolinkto --nosize --nouser --nogroup --nomtime --nomode --nodigest --nosignature | grep ''^..5'' | tee /dev/stderr | cut -c13- | sed ''s/^ //'' | xargs rpm -qf --qf=''%{name}\n'' | sort -u' check_mode: false failed_when: false - changed_when: rhel_07_010020_audit.stdout| length > 0 - register: rhel_07_010020_audit + changed_when: rhel_07_021350_audit.stdout| length > 0 + register: rhel_07_021350_audit - - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." + - name: "HIGH | RHEL-07-021350 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." 
ansible.builtin.debug: - msg: "{{ rhel_07_010020_audit.stderr_lines }}" + msg: "{{ rhel_07_021350_audit.stderr_lines }}" changed_when: true - when: rhel_07_010020_audit.stdout | length > 0 + when: rhel_07_021350_audit.stdout | length > 0 - - name: "HIGH | RHEL-07-010020 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." + - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." ansible.builtin.shell: yum reinstall -y {{ item }} failed_when: false with_items: - - "{{ rhel_07_010020_audit.stdout_lines }}" - when: rhel_07_010020_audit.stdout_lines | length > 0 + - "{{ rhel_07_021350_audit.stdout_lines }}" + when: rhel_07_021350_audit.stdout_lines | length > 0 when: - - rhel_07_010020 + - rhel_07_021350 tags: - - RHEL-07-010020 + - RHEL-07-021350 - CAT1 - CCI-001749 - SRG-OS-000480-GPOS-00227 
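Review bot: After the rename the rpm -Va integrity task is gated on `rhel_07_021350` and tagged `RHEL-07-021350`, the same enable variable and identifier as the FIPS task further down this file, while its remaining tags (`CCI-001749`, `SRG-OS-000480-GPOS-00227`) are unchanged from the 010020 control. Two unrelated controls now toggle together: setting `rhel_07_021350: false` to opt out of FIPS also silently skips the vendor-hash check, and `--tags RHEL-07-021350` runs both. If 010020 was retired or merged in the benchmark, give this task its own variable and tag set (or fold it explicitly into the FIPS block) rather than sharing the identifier. Independently, `yum reinstall -y {{ item }}` runs with `failed_when: false`, so a package that fails to reinstall leaves the modified file in place with no report; consider registering the result and failing or at least printing the failures.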
@@ -378,52 +378,59 @@ - V-204462 - accounts -- name: "HIGH | RHEL-07-021350 | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." +- name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." + - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" ansible.builtin.package: name: dracut-fips state: present vars: ansible_python_interpreter: "{{ python2_bin }}" - notify: rebuild initramfs - when: - - "'dracut-fips' not in ansible_facts.packages" + notify: + - rebuild initramfs + - change_requires_reboot + when: "'dracut-fips' not in ansible_facts.packages" - name: "HIGH | RHEL-07-021350 | PATCH | Disable prelinking." 
ansible.builtin.lineinfile: - path: /etc/sysconfig/prelink + dest: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no + when: "'prelink' in ansible_facts.packages" notify: undo existing prelinking - when: - - "'prelink' in ansible_facts.packages" - - name: "HIGH | RHEL-07-021350 | AUDIT | Check /etc/default/grub exists" - ansible.builtin.stat: - path: /etc/default/grub - register: rhel7_stig_default_grub - - - name: "HIGH | RHEL-07-021350 | AUDIT | Capture GRUB_CMDLINE_LINUX from /proc/cmdline" - block: - - name: "HIGH | RHEL-07-021350 | AUDIT | Capture GRUB_CMDLINE_LINUX from /proc/cmdline" - ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline - check_mode: false - changed_when: false - failed_when: rhel_07_021350_grub_cmdline_linux_audit.rc > 1 - register: rhel_07_021350_grub_cmdline_linux_audit - - - name: "HIGH | RHEL-07-021350 | PATCH | Copy over a sane /etc/default/grub" - ansible.builtin.template: - src: etc_default_grub.j2 - dest: /etc/default/grub - owner: root - group: root - mode: 0644 - register: rhel7_stig_grub_template - vars: - grub_cmdline_linux: "{{ rhel_07_021350_grub_cmdline_linux_audit.stdout }}" - when: not rhel7_stig_default_grub.stat.exists + - name: "HIGH | RHEL-07-021350 | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub + check_mode: false + failed_when: false + changed_when: rhel_07_021350_default_grub_missing_audit.rc > 0 + register: rhel_07_021350_default_grub_missing_audit + + - name: "HIGH | RHEL-07-021350 | AUDIT | Parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" + ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline + check_mode: false + changed_when: false + failed_when: rhel_07_021350_grub_cmdline_linux_audit.rc > 1 + when: rhel_07_021350_default_grub_missing_audit is changed # noqa no-handler + register: rhel_07_021350_grub_cmdline_linux_audit + + - name: "HIGH | RHEL-07-021350 | PATCH | Copy 
over a sane /etc/default/grub" + ansible.builtin.template: + src: etc_default_grub.j2 + dest: /etc/default/grub + owner: root + group: root + mode: '0644' + vars: + grub_cmdline_linux: "{{ rhel_07_021350_grub_cmdline_linux_audit.stdout }}" + when: rhel_07_021350_default_grub_missing_audit is changed # noqa no-handler + + - name: "HIGH | RHEL-07-021350 | AUDIT | Verify fips kernel parameters in /etc/default/grub" + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])fips=1(?=[" ]).*"$' /etc/default/grub + check_mode: false + changed_when: false + failed_when: rhel_07_021350_fips_kernel_set.rc not in [ 0, 1 ] + register: rhel_07_021350_fips_kernel_set - name: "HIGH | RHEL-07-021350 | PATCH | fips=1 must be in /etc/default/grub" ansible.builtin.replace: 
@@ -433,71 +440,72 @@ vars: key: GRUB_CMDLINE_LINUX param: fips - value: "{{ fips_value }}" + value: 1 append: true # this is the default - notify: confirm grub2 user cfg when: - not ansible_check_mode or - rhel7_stig_grub_template is not changed + rhel_07_021350_default_grub_missing_audit is not changed + - rhel_07_021350_fips_kernel_set.stdout | length == 0 + notify: + - confirm grub2 user cfg + - change_requires_reboot + + - name: "HIGH | RHEL-07-021350 | AUDIT | Verify boot kernel parameters in /etc/default/grub" + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ rhel7stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub + check_mode: false + changed_when: false + failed_when: rhel_07_021350_boot_kernel_set.rc not in [ 0, 1 ] + register: rhel_07_021350_boot_kernel_set - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." - block: - - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." 
- ansible.builtin.replace: - path: /etc/default/grub - regexp: "{{ rhel7stig_regexp_quoted_params }}" - replace: "{{ rhel7stig_replace_quoted_params }}" - with_items: - - "{{ ansible_mounts | json_query(query) }}" - vars: - query: "[?mount=='{{ rhel7stig_boot_part }}'] | [0]" # noqa: jinja[invalid] - key: GRUB_CMDLINE_LINUX - param: boot - value: UUID={{ item.uuid }} - insert: true - when: - - rhel7stig_boot_part not in ['/', ''] - - item.uuid is defined - - not ansible_check_mode or - rhel7_stig_grub_template is not changed - notify: confirm grub2 user cfg - register: result - - - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in /etc/default/grub" - ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub - check_mode: false - with_items: - - "fips={{ fips_value }}" - - boot=UUID={{ ansible_mounts | json_query(query) }} - vars: - query: "[?mount=='{{ rhel7stig_boot_part }}'].uuid | [0]" # noqa: jinja[invalid] - register: rhel_07_021350_audit - changed_when: - - ansible_check_mode - - rhel_07_021350_audit is failed - failed_when: - - rhel_07_021350_audit.rc not in [ 0, 1 ] - - not ansible_check_mode - - when: - - not ansible_check_mode or - rhel7_stig_grub_template is not changed - - rhel7stig_boot_part not in ['/', ''] or - 'boot=' not in item + ansible.builtin.replace: + path: /etc/default/grub + regexp: "{{ rhel7stig_regexp_quoted_params }}" + replace: "{{ rhel7stig_replace_quoted_params }}" + vars: + query: "{{ rhel7stig_boot_part.stdout }}" + key: GRUB_CMDLINE_LINUX + param: boot + value: UUID={{ rhel7stig_boot_uuid.stdout }} + insert: true + when: + - rhel7stig_boot_part.stdout not in ['/', ''] + - rhel_07_021350_boot_kernel_set.stdout | length == 0 + - not ansible_check_mode or + rhel_07_021350_default_grub_missing_audit is not changed + + notify: confirm grub2 user cfg + register: result + + - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in 
/etc/default/grub" + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub + check_mode: false + with_items: + - fips=1 + - boot=UUID={{ rhel7stig_boot_uuid.stdout }} + register: rhel_07_021350_audit + when: + - not ansible_check_mode or + rhel_07_021350_default_grub_missing_audit is not changed + - "rhel7stig_boot_part.stdout not in ['/', ''] or + 'boot=' not in item" + changed_when: + - ansible_check_mode + - rhel_07_021350_audit is failed + failed_when: + - rhel_07_021350_audit is failed + - not ansible_check_mode or + rhel_07_021350_audit.rc > 1 when: - rhel_07_021350 - rhel7stig_use_fips tags: - RHEL-07-021350 - CAT1 - - CCI-001199 - CCI-000068 - - CCI-002450 - - CCI-002476 - SRG-OS-000033-GPOS-00014 - - SV-204497r603261_rule - - V-204497 - - fips + - SV-230223r928585_rule + - V-230223 - name: "HIGH | RHEL-07-021710 | PATCH | The Red Hat Enterprise Linux operating system must not have the telnet-server package installed." ansible.builtin.package: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 3d097c4b..59fccbc8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
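Review bot: The boot= patch task writes `value: UUID={{ rhel7stig_boot_uuid.stdout }}` without checking that a UUID was actually found, so an empty `rhel7stig_boot_uuid.stdout` (the prelim lookup is a grep/awk pipeline with no failure handling) would place a bare `boot=UUID=` in GRUB_CMDLINE_LINUX; dracut-fips uses that parameter to locate the kernel HMAC when /boot is separate, so the host would likely fail to boot once `fips=1` is in effect. Add `- rhel7stig_boot_uuid.stdout | length > 0` to that task's `when` (or assert it in prelim), and drop the now-unused `query` var. The tag set also no longer matches the PRELIM block for the same control — `SV-230223r928585_rule`/`V-230223` here versus `SV-204497r603261_rule`/`V-204497` in prelim — so selecting by rule ID with `--tags` would run one half of the control without the other.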
@@ -1,5 +1,67 @@ --- +- name: "PRELIM | Check whether machine is UEFI-based" + ansible.builtin.stat: + path: /sys/firmware/efi + register: rhel7_efi_boot + tags: + - goss_template + - always + +- name: set bootloader type + block: + - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" + ansible.builtin.set_fact: + rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" + rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path + + - name: "PRELIM | set fact if UEFI boot | CentOS " + ansible.builtin.set_fact: + rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" + rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution == 'CentOS' + + - name: "PRELIM | set if not UEFI boot" + ansible.builtin.set_fact: + rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" + rhel7stig_legacy_boot: true + when: not rhel7_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + ansible.builtin.debug: + msg: + - "bootloader path set to {{ rhel7stig_bootloader_path }}" + - "legacy boot equals {{ rhel7stig_legacy_boot }}" + tags: + - always + +- name: Include audit specific variables + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + ansible.builtin.include_vars: + file: audit.yml + +- name: Include pre-remediation audit tasks + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml + - name: "PRELIM | Check required packages installed | Python2" ansible.builtin.package: name: 
@@ -43,6 +105,33 @@ vars: ansible_python_interpreter: "{{ python2_bin }}" +- name: "PRELIM | RHEL-07-021350" + block: + - name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions" + ansible.builtin.shell: df --output=target /boot | tail -n 1 + changed_when: false + check_mode: false + register: rhel7stig_boot_part + + - name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions | get UUID" + ansible.builtin.shell: lsblk -f | grep -E "{{ rhel7stig_boot_part.stdout }}$" | awk '{ print $3 }' + changed_when: false + check_mode: false + register: rhel7stig_boot_uuid + when: + - rhel_07_021350 + tags: + - RHEL-07-021350 + - CAT1 + - CCI-001199 + - CCI-000068 + - CCI-002450 + - CCI-002476 + - SRG-OS-000033-GPOS-00014 + - SV-204497r603261_rule + - V-204497 + - fips + - name: "PRELIM | dconf" block: - name: "PRELIM | Check for dconf availability" 
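Review bot: The UUID lookup takes `$3` from `lsblk -f | grep ... | awk`, but `lsblk -f` on RHEL 7's util-linux prints NAME FSTYPE LABEL UUID MOUNTPOINT, so `$3` is the UUID only when the filesystem has no LABEL; a labelled /boot yields the label instead, which the fix-cat1 task then writes into `boot=UUID=`. Query the field by name rather than by column, e.g. `ansible.builtin.shell: lsblk -no UUID "$(findmnt -no SOURCE {{ rhel7stig_boot_part.stdout }})"`, and drop the grep/awk. Also consider a `failed_when` on both tasks so a missing /boot mount (e.g. inside a chroot or image build) fails this PRELIM block with a clear message instead of producing an empty fact that is only discovered at the next reboot.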
@@ -408,49 +497,6 @@ when: - rhel7stig_ssh_required -- name: "PRELIM | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel7_efi_boot - tags: - - goss_template - - always - -- name: set bootloader type - block: - - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" - ansible.builtin.set_fact: - rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" - rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path - - - name: "PRELIM | set fact if UEFI boot | CentOS " - ansible.builtin.set_fact: - rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" - rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution == 'CentOS' - - - name: "PRELIM | set if not UEFI boot" - ansible.builtin.set_fact: - rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" - rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" - rhel7stig_legacy_boot: true - when: not rhel7_efi_boot.stat.exists - - - name: PRELIM | output bootloader and efi state - ansible.builtin.debug: - msg: - - "bootloader path set to {{ rhel7stig_bootloader_path }}" - - "legacy boot equals {{ rhel7stig_legacy_boot }}" - tags: - - always - - name: "PRELIM | Gather interactive user ID min" block: - name: "PRELIM | Gather interactive user ID min" @@ -472,3 +518,9 @@ tags: - always - auditd + +- name: Gather the package facts + ansible.builtin.package_facts: + manager: auto + tags: + - always From ebaefbde5927174497ec2f75444b9a7e8ac80123 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 13:05:09 +0100 Subject: [PATCH 59/84] moved audit to prelim Signed-off-by: Mark Bolwell --- tasks/main.yml | 14 -------------- 1 file changed, 14 deletions(-) 
diff --git a/tasks/main.yml b/tasks/main.yml index 2041044a..3196e8c6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -79,20 +79,6 @@ - prelim_tasks - run_audit -- name: include pre-remediation audit - ansible.builtin.import_tasks: - file: pre_remediation_audit.yml - when: - - run_audit - tags: - - run_audit - -- name: Gather the package facts - ansible.builtin.package_facts: - manager: auto - tags: - - always - - name: Include CAT I patches ansible.builtin.import_tasks: file: fix-cat1.yml From bb6ed8d203f8bc871958061b6c504beb5b59fd8b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 13:24:33 +0100 Subject: [PATCH 60/84] Audit updates Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 30 +++++--- tasks/audit_only.yml | 30 ++++++++ tasks/parse_etc_passwd.yml | 2 +- tasks/post_remediation_audit.yml | 44 +++++------ tasks/pre_remediation_audit.yml | 121 ++++++++++++++++--------------- vars/audit.yml | 40 ++++++++++ vars/main.yml | 2 + 7 files changed, 178 insertions(+), 91 deletions(-) create mode 100644 tasks/audit_only.yml create mode 100644 vars/audit.yml diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index fd75cea5..b08985e2 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
@@ -1,22 +1,32 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + when: ansible_facts.machine == "x86_64" + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + + - name: Pre Audit Setup | Set audit package name | ARM64 + when: ansible_facts.machine == "arm64" + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + +- name: Pre Audit Setup | Download audit binary + when: get_audit_binary_method == 'download' ansible.builtin.get_url: - url: "{{ audit_bin_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ audit_bin_version.checksum }}" - mode: 0555 - when: - - get_audit_binary_method == 'download' + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" + mode: '0555' -- name: copy audit binary +- name: Pre Audit Setup | Copy audit binary + when: get_audit_binary_method == 'copy' ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 + mode: '0555' owner: root group: root - when: - - get_audit_binary_method == 'copy' diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml new file mode 100644 index 00000000..66b036d3 --- /dev/null +++ b/tasks/audit_only.yml 
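Review bot: `when: ansible_facts.machine == "arm64"` never matches on Linux, where the machine fact is reported as `aarch64`, so on 64-bit ARM hosts `audit_pkg_arch_name` stays undefined and the download task errors on the URL and checksum lookup instead of selecting the ARM build. Use `when: ansible_facts.machine in ['aarch64', 'arm64']`. The per-architecture lookup `audit_bin_version[audit_pkg_arch_name + '_checksum']` is the right shape, but it only protects the download if vars/audit.yml defines a key for every architecture handled here — the version of that file visible earlier in this series carries only `AMD64_checksum` — and a final `ansible.builtin.fail` when neither set_fact matched would stop unsupported architectures with a meaningful message rather than an undefined-variable error.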
@@ -0,0 +1,30 @@ +--- + +- name: Audit_Only | Create local Directories for hosts + when: fetch_audit_files + delegate_to: localhost + become: false + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory + +- name: Audit_only | Get audits from systems and put in group dir + when: fetch_audit_files + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" + +- name: Audit_only | Show Audit Summary + when: + - audit_only + ansible.builtin.debug: + msg: "{{ audit_results.split('\n') }}" + +- name: Audit_only | Stop Playbook Audit Only selected + when: + - audit_only + ansible.builtin.meta: end_play diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index 4df03de1..e7612845 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml @@ -15,7 +15,7 @@ vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | + ld_passwd_yaml: | # pragma: allowlist secret id: >-4 \g password: >-4 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 6d20eeaa..d58e9217 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
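Review bot: The fetched pre-audit report is a per-host list of failed STIG controls, yet it lands on the control node with `mode: '0644'` under a directory that is first chmod-ed recursively to `0755`; `recurse: true` also rewrites the permissions of every report previously collected for that host, not just the directory itself. Tightening to `mode: '0640'` on the fetch and `mode: '0750'` without `recurse` on the directory keeps other users on the control node from reading the findings. `fetch` already verifies the transferred file's checksum by default, so nothing further is needed for integrity. The `audit_results.split('\n')` debug assumes `pre_audit_results` was set, which only happens for the `json` and `documentation` formats in pre_remediation_audit.yml — worth a comment on that task.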
@@ -1,44 +1,44 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: false - register: audit_run_post_remediation +- name: Post Audit | Run post_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" - mode: 0644 + mode: '0644' state: file loop: - "{{ post_audit_outfile }}" - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "Post Audit | capture data {{ post_audit_outfile }} | JSON format" - ansible.builtin.shell: "cat {{ post_audit_outfile }}" - register: post_audit + - name: Post Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 + register: post_audit_summary changed_when: false - - name: PostAudit | Capture post-audit result | JSON format + - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "Post Audit | capture data {{ post_audit_outfile }} | documentation format" - ansible.builtin.shell: "tail -2 {{ 
post_audit_outfile }}" - register: post_audit + - name: Post Audit | Capture audit data if documentation format + ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation" + register: post_audit_summary changed_when: false - - name: Post Audit | Capture post-audit result | documentation format + - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout_lines }}" - when: - - audit_format == "documentation" + post_audit_results: "{{ post_audit_summary.stdout }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 7b4d06f5..a745826f 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
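Review bot: The documentation-format branch reads a hard-coded file, `tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation`, instead of the report this role just wrote, so on a RHEL 7 host the task fails because the file is absent or, if such a file happens to exist, summarises a stale report from another product. It should mirror the pre-remediation task: `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`. Separately, `changed_when: true` on the audit run makes every play report a change although the audit only reads the system; `changed_when: false` (as before) is more honest for reporting. The `ensure audit files readable by users` task still leaves the findings world-readable at `'0644'` in `audit_log_dir`; `'0640'` would be the least-privilege choice.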
@@ -1,62 +1,61 @@ --- -- name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: - file: LE_audit_setup.yml +- name: Pre Audit Setup | Setup the LE audit when: - setup_audit tags: - setup_audit + ansible.builtin.include_tasks: + file: LE_audit_setup.yml -- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit Setup | If using git for content set up + when: + - audit_content == 'git' block: - - name: Pre Audit Setup | Install git (rh8 python3) - ansible.builtin.package: - name: git - state: present - when: ansible_distribution_major_version == '8' - - - name: Pre Audit Setup | Install git (rh7 python2) + - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" - when: - - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server - ansible.builtin.copy: - src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 +- name: Pre Audit Setup | Copy to audit content files to server when: - audit_content == 'copy' + ansible.builtin.copy: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" + mode: preserve -- name: Pre Audit Setup | get audit content from url - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" - owner: root - group: root - mode: 0755 +- name: Pre Audit Setup | Unarchive audit content files on server + when: + - audit_content == 'archive' + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" 
+ dest: "{{ audit_conf_dest }}" + +- name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available + when: + - run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: 
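Review bot: The `get_url` branch now hands `unarchive` a URL directly (`remote_src` is true whenever the source merely contains `http`), so the audit content is downloaded and extracted as root into `{{ audit_conf_dest }}/{{ benchmark }}-Audit` with no checksum, and the substring test also accepts plain `http://`. That content is goss YAML whose commands run_audit.sh executes, so an unverified tarball is effectively unverified code on every audited host. Fetch it first with `ansible.builtin.get_url` carrying a `checksum:` (the role already does this for the goss binary, via a new default such as `audit_conf_source_checksum`), then `unarchive` the local file with `remote_src: true`; at minimum restrict the test to `audit_conf_source is match('^https://')`. The same applies to the `git` branch, where `audit_git_version` is a branch name rather than a commit — pinning a tag or SHA would make the content reproducible.
```yaml
- name: Pre Audit Setup | Get audit content from url
  when:
    - audit_content == 'get_url'
  block:
    - name: Pre Audit Setup | Download audit content archive (checksum verified)
      ansible.builtin.get_url:
        url: "{{ audit_conf_source }}"
        dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
        checksum: "{{ audit_conf_source_checksum }}"
        mode: '0640'

    - name: Pre Audit Setup | Unarchive verified audit content
      ansible.builtin.unarchive:
        src: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
        dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
        remote_src: true
        extra_opts: "{{ (audit_conf_source is contains('github')) | ternary(['--strip-components=1'], []) }}"
# … unchanged: Check Goss is available block …
```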
@@ -64,52 +63,58 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available + when: + - not goss_available.stat.exists ansible.builtin.assert: - that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit + tags: + - goss_template + - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 - when: - - run_audit - tags: - - goss_template + mode: '0600' -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_pre_remediation.rc == 0 - register: audit_run_pre_remediation +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" - register: pre_audit + - name: Pre Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: 
'summary."summary-line"' - when: - - audit_format == "json" + pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit + - name: Pre Audit | Capture audit data if documentation format + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" - when: - - audit_format == "documentation" + pre_audit_results: "{{ pre_audit_summary.stdout }}" + +- name: Audit_Only | Run Audit Only + when: + - audit_only + ansible.builtin.import_tasks: + file: audit_only.yml diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 00000000..9486cdc6 --- /dev/null +++ b/vars/audit.yml 
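Review bot: The goss availability check lost its `that:` clause: the task now calls `ansible.builtin.assert` with only `msg`, so when the binary is missing it errors with "missing required arguments: that" instead of the intended message, and when the binary is present the task is skipped. Restore `that: goss_available.stat.exists` under the assert and drop the `when: not goss_available.stat.exists`, which only duplicates the condition. Also, the `Copy ansible default vars values to test audit` template and the `Check Goss is available` block are gated on `run_audit`, while prelim.yml imports this file for `run_audit or audit_only` and the `Run pre_remediation` shell task has no guard at all; in audit-only mode with `run_audit` false, run_audit.sh would execute without the vars file. Either gate the run on the same condition or document that `audit_only` requires `run_audit: true`.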
@@ -0,0 +1,40 @@ +--- + +#### Audit Configuration Settings #### + +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 120000 + +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" + +### Goss Audit Benchmark file ### +## managed by the control audit_content +# git +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: "benchmark_{{ benchmark_version }}_rh7" + +## Goss configuration information +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" + +# If changed these can affect other products +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing + +### Audit binary settings ### +audit_bin_version: + release: v0.3.21 + AMD64_checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" +audit_results: | + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }} diff --git a/vars/main.yml b/vars/main.yml index dbe06ca9..fa752df5 100644 --- a/vars/main.yml +++ b/vars/main.yml 
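Review bot: `audit_bin_version` carries only `AMD64_checksum`, but LE_audit_setup.yml looks up `audit_bin_version[audit_pkg_arch_name + '_checksum']`, so an ARM64 host that reaches the download step fails on a missing key rather than fetching an unverified binary — fail-closed, but undocumented. Add `ARM64_checksum: 'sha256:<value from goss's published checksums for v0.3.21>'` next to the AMD64 entry, or state in a comment that only x86_64 downloads are supported. `audit_git_version` resolves to a mutable branch name; a comment noting that users wanting reproducible audit content should override it with a tag or commit SHA would help.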
@@ -1,6 +1,8 @@ --- rhel7stig_min_ansible_version: 2.10.1 +is_container: false + rhel7stig_dconf_available: "{{ rhel7stig_gui or rhel7stig_dconf_audit.rc == 0 or rhel7stig_always_configure_dconf }}" rhel7stig_has_dconf_command: "{{ rhel7stig_gui or rhel7stig_dconf_audit.rc == 0 }}" From 6a1dd5cff0c4bf467ccc7684c7d8e7d8a2c8a8fa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 13:25:17 +0100 Subject: [PATCH 61/84] moved var from site to vars/main.yml Signed-off-by: Mark Bolwell --- defaults/main.yml | 105 +++++++++++++++++++--------------------------- site.yml | 10 ++--- 2 files changed, 46 insertions(+), 69 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3c6b0a42..da941427 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
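Review bot: `is_container: false` now lives in `vars/main.yml`, and role `vars/` sit above inventory, host_vars and play vars in Ansible's precedence, so users who set `is_container: true` for container hosts in inventory are silently overridden; only `-e` extra-vars can change it now. If it is meant to be user-settable, declare it in `defaults/main.yml` instead (`is_container: false` with a comment), keeping `vars/main.yml` for derived values such as the `rhel7stig_dconf_available` expressions below it. With the play-level var removed from site.yml later in this series, this is the only definition left.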
@@ -18,26 +18,60 @@ benchmark_version: 'v3r13' # Whether to skip the reboot rhel7stig_skip_reboot: true -### Audit Binary is required on the remote host +### +### Settings for associated Audit role using Goss +### + +########################################### +### Goss is required on the remote host ### +### vars/auditd.yml for other settings ### + +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false + +# enable audits to run - this runs the audit and get the latest content +run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true + +## Only run Audit do not remediate +audit_only: false +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode +fetch_audit_files: false +# Path to copy the files to will create dir structure in audit_only mode +audit_capture_files_dir: /some/location to copy to on control node +############################# + # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options -# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. 
if you wish to run from already downloaded conf audit_content: git -# enable audits to run - this runs the audit and get the latest content -run_audit: false +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true -# Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 60000 +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -### End Audit enablements #### +# Where the audit logs are stored +audit_log_dir: '/opt' + +### Goss Settings ## +####### END ######## #### Detailed settings found at the end of this document #### # We've defined complexity-high to mean that we cannot automatically remediate 
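Review bot: The header comment points readers to `vars/auditd.yml for other settings`, but the file added in this series is `vars/audit.yml` — `auditd` is the Linux audit daemon and will send people to the wrong place; change it to `### vars/audit.yml for other settings ###`. The new placeholders `audit_capture_files_dir: /some/location to copy to on control node` and `audit_conf_source: "some path or url to copy from"` parse as literal strings, so a user who enables `fetch_audit_files` or `audit_content: copy` without overriding them gets a directory named after the sentence rather than a clear error; a short `ansible.builtin.assert` in prelim or a comment stating they must be overridden would help. The `dowmloaded` typo in the retained context line could be fixed at the same time.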
@@ -737,56 +771,3 @@ rhel7stig_world_write_files_owner_root: false # The value given to Defaults timestamp timeout= in the sudo file. # Value must be greater than 0 to conform to STIG standards rhel7stig_sudo_timestamp_timeout: 1 - -#### Audit Configuration Settings #### -# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_run_script_environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_FILE: 'goss.yml' - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - -### Audit binary settings ### -audit_bin_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' -audit_bin_path: /usr/local/bin/ -audit_bin: "{{ audit_bin_path }}goss" -audit_format: json - -# if get_audit_binary_method == download change accordingly -audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" - -## if get_audit_binary_method - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -audit_bin_copy_location: /some/accessible/path - -### Goss Audit Benchmark file ### -## managed by the control audit_content -# git -audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}_rh7" - -# copy: -audit_local_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" 
- -## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" - -# If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" - -## The following should not need changing -audit_control_file: "{{ audit_conf_dir }}goss.yml" -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" -audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} diff --git a/site.yml b/site.yml index 830c253d..171abc53 100644 --- a/site.yml +++ b/site.yml @@ -1,10 +1,6 @@ --- -- hosts: all # noqa: name[play] +- name: Ansible Lockdown Remediation Role + hosts: all become: true - vars: - is_container: false - roles: - - role: "{{ playbook_dir }}" - rhel7stig_system_is_container: "{{ is_container | default(false) }}" - rhel7stig_skip_for_travis: false + - role: "{{ playbook_dir }}" From 1e000ce0e253f70e43d2ad7c1d1a0cb2c7f2de01 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 15:36:53 +0100 Subject: [PATCH 62/84] reorder Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 26 +++++++++++++------------- tasks/post_remediation_audit.yml | 4 ++-- tasks/pre_remediation_audit.yml | 4 ++-- tasks/prelim.yml | 8 ++++---- 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 70f00751..4501e626 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
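Review bot: Dropping the role parameters `rhel7stig_system_is_container: "{{ is_container | default(false) }}"` and `rhel7stig_skip_for_travis: false` from the play is only safe if both names are declared in `defaults/main.yml` or `vars/main.yml`; neither declaration is visible in this chunk, and any task still referencing them would fail with an undefined variable. If they were removed as dead, a line in the commit message saying so would save the next reader a grep.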
@@ -393,7 +393,7 @@ - name: "HIGH | RHEL-07-021350 | PATCH | Disable prelinking." ansible.builtin.lineinfile: - dest: /etc/sysconfig/prelink + path: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no when: "'prelink' in ansible_facts.packages" @@ -401,16 +401,16 @@ - name: "HIGH | RHEL-07-021350 | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub - check_mode: false failed_when: false changed_when: rhel_07_021350_default_grub_missing_audit.rc > 0 + check_mode: false register: rhel_07_021350_default_grub_missing_audit - name: "HIGH | RHEL-07-021350 | AUDIT | Parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline - check_mode: false changed_when: false failed_when: rhel_07_021350_grub_cmdline_linux_audit.rc > 1 + check_mode: false when: rhel_07_021350_default_grub_missing_audit is changed # noqa no-handler register: rhel_07_021350_grub_cmdline_linux_audit @@ -427,9 +427,9 @@ - name: "HIGH | RHEL-07-021350 | AUDIT | Verify fips kernel parameters in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])fips=1(?=[" ]).*"$' /etc/default/grub - check_mode: false changed_when: false failed_when: rhel_07_021350_fips_kernel_set.rc not in [ 0, 1 ] + check_mode: false register: rhel_07_021350_fips_kernel_set - name: "HIGH | RHEL-07-021350 | PATCH | fips=1 must be in /etc/default/grub" 
@@ -452,9 +452,9 @@ - name: "HIGH | RHEL-07-021350 | AUDIT | Verify boot kernel parameters in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ rhel7stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub - check_mode: false changed_when: false failed_when: rhel_07_021350_boot_kernel_set.rc not in [ 0, 1 ] + check_mode: false register: rhel_07_021350_boot_kernel_set - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." @@ -479,23 +479,23 @@ - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub + changed_when: + - ansible_check_mode + - rhel_07_021350_audit is failed + failed_when: + - rhel_07_021350_audit is failed + - not ansible_check_mode or + rhel_07_021350_audit.rc > 1 check_mode: false + register: rhel_07_021350_audit with_items: - fips=1 - boot=UUID={{ rhel7stig_boot_uuid.stdout }} - register: rhel_07_021350_audit when: - not ansible_check_mode or rhel_07_021350_default_grub_missing_audit is not changed - "rhel7stig_boot_part.stdout not in ['/', ''] or 'boot=' not in item" - changed_when: - - ansible_check_mode - - rhel_07_021350_audit is failed - failed_when: - - rhel_07_021350_audit is failed - - not ansible_check_mode or - rhel_07_021350_audit.rc > 1 when: - rhel_07_021350 - rhel7stig_use_fips diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index d58e9217..ad433527 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -23,8 +23,8 @@ block: - name: Post Audit | Capture audit data if json format ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 - register: post_audit_summary changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: @@ -36,8 +36,8 @@ block: - name: Post Audit | Capture audit data if documentation format ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation" - register: post_audit_summary changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index a745826f..25038fcd 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -93,8 +93,8 @@ block: - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: @@ -106,8 +106,8 @@ block: - name: Pre Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 59fccbc8..5e4d7848 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -44,23 +44,23 @@ - always - name: Include audit specific variables + ansible.builtin.include_vars: + file: audit.yml when: - run_audit or audit_only - setup_audit tags: - setup_audit - run_audit - ansible.builtin.include_vars: - file: audit.yml - name: Include pre-remediation audit tasks + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml when: - run_audit or audit_only - setup_audit tags: - run_audit - ansible.builtin.import_tasks: - file: pre_remediation_audit.yml - name: "PRELIM | Check required packages installed | Python2" ansible.builtin.package: From aeef574cdfe258efde65fb12abfaa6190a38ad93 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 15:50:59 +0100 Subject: [PATCH 63/84] quotes on mode items Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- tasks/fix-cat2.yml | 72 +++++++++++++++++++++++----------------------- tasks/main.yml | 2 +- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 88fb8027..0180d931 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -37,7 +37,7 @@ src: "{{ rhel7stig_bootloader_path }}/{{ item }}" dest: "{{ rhel7stig_not_boot_path }}/{{ item }}" remote_src: true - mode: 0600 + mode: '0600' with_items: - grub.cfg - user.cfg diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5d78599b..d95cc5e3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -67,7 +67,7 @@ dest: "{{ item }}" owner: root group: root - mode: 0644 + mode: '0644' with_items: - /etc/issue - /etc/issue.net @@ -338,7 +338,7 @@ dest: /etc/pam.d/system-auth regexp: '^#?password\s+(required|requisite) pam_pwquality.so retry' line: password requisite pam_pwquality.so retry=3 - mode: 0644 + mode: '0644' when: - rhel_07_010119 tags: @@ -356,7 +356,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*ucredit' line: "ucredit = {{ rhel7stig_password_complexity.ucredit | default('-1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010120 tags: 
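Review bot: Both the `include_vars: audit.yml` task and the pre-remediation import are gated on `setup_audit` in addition to `run_audit or audit_only`, so with the shipped default `setup_audit: false` an operator who sets `run_audit: true` (expecting to use an already-provisioned goss binary) gets no audit variables and no audit at all, silently. If the intent is that `setup_audit` only controls installing git and downloading goss, the guard here should be `when: run_audit or audit_only` alone, leaving `setup_audit` to the `include_tasks: LE_audit_setup.yml` step that already checks it. With `import_tasks`, this `when` is applied to every task in pre_remediation_audit.yml, so the problem shows up only as a long list of skipped tasks — worth a comment if the double gate is intentional.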
@@ -374,7 +374,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*lcredit' line: "lcredit = {{ rhel7stig_password_complexity.lcredit | default('-1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010130 tags: @@ -392,7 +392,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*dcredit' line: "dcredit = {{ rhel7stig_password_complexity.dcredit | default('-1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010140 tags: @@ -409,7 +409,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*ocredit' line: "ocredit = {{ rhel7stig_password_complexity.ocredit | default('-1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010150 tags: @@ -427,7 +427,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*difok' line: "difok = {{ rhel7stig_password_complexity.difok | default('8') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010160 tags: @@ -445,7 +445,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*minclass' line: "minclass = {{ rhel7stig_password_complexity.minclass | default('4') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010170 tags: @@ -463,7 +463,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*maxrepeat' line: "maxrepeat = {{ rhel7stig_password_complexity.maxrepeat | default('3') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010180 tags: @@ -481,7 +481,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*maxclassrepeat' line: "maxclassrepeat = {{ rhel7stig_password_complexity.maxclassrepeat | default('4') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010190 tags: @@ -501,7 +501,7 @@ dest: "/{{ item }}" owner: root group: root - mode: 0644 + mode: '0644' loop: - etc/pam.d/password-auth-local - etc/pam.d/system-auth-local @@ -594,7 +594,7 @@ dest: /etc/login.defs regexp: ^#?PASS_MIN_DAYS line: "PASS_MIN_DAYS {{ rhel7stig_login_defaults.pass_min_days | default('1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010230 tags: 
@@ -637,7 +637,7 @@ dest: /etc/login.defs regexp: ^#?PASS_MAX_DAYS line: "PASS_MAX_DAYS {{ rhel7stig_login_defaults.pass_max_days | default('60') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010250 tags: @@ -740,7 +740,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*minlen' line: "minlen = {{ rhel7stig_password_complexity.minlen | default('15') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010280 tags: @@ -1136,7 +1136,7 @@ dest: /etc/pam_pkcs11/pkcs11_eventmgr.conf regexp: '^#?/usr/X11R6/bin/xscreensaver-command -lock' line: "/usr/X11R6/bin/xscreensaver-command -lock" - mode: 0644 + mode: '0644' # This remediates the pam_pkcs11.conf file to enforce the cackey usage for smartcard authentication ### NOTE: If you have custom rules for /etc/pam_pkcs11/pam_pkcs11.conf then change the template pam_pkcs11.conf.j2 @@ -1146,7 +1146,7 @@ dest: /etc/pam_pkcs11/pam_pkcs11.conf owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_07_010500pkcs11install is changed when: @@ -1283,7 +1283,7 @@ create: true owner: root group: root - mode: "0644" + mode: '0644' with_items: - file: /etc/modprobe.d/blacklist.conf insertafter: "^#blacklist usb-storage(\\s+|$)" @@ -1315,7 +1315,7 @@ create: true owner: root group: root - mode: "0644" + mode: '0644' with_items: - file: /etc/modprobe.d/blacklist.conf insertafter: ^#blacklist dccp @@ -1547,7 +1547,7 @@ ansible.builtin.file: path: "{{ item.dir }}" state: directory - mode: 0700 + mode: '0700' with_items: - "{{ rhel7stig_passwd }}" loop_control: @@ -1589,7 +1589,7 @@ ansible.builtin.file: path: "{{ item.dir }}" owner: "{{ item.id }}" - mode: 0700 + mode: '0700' state: directory with_items: - "{{ rhel7stig_passwd }}" @@ -1612,7 +1612,7 @@ path: "{{ item.dir }}" group: "{{ item.gid }}" # noqa risky-file-permissions state: directory - mode: 0700 + mode: '0700' with_items: - "{{ rhel7stig_passwd }}" loop_control: 
@@ -2206,7 +2206,7 @@ state: file owner: root group: root - mode: 0600 + mode: '0600' when: cron_allow_file_check.stat.exists when: - rhel_07_021110 @@ -2371,7 +2371,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" create: true - mode: 0640 + mode: '0640' notify: restart auditd with_items: - { regexp: '^active =', line: 'active = yes'} @@ -3296,7 +3296,7 @@ - name: "MEDIUM | RHEL-07-040160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements." ansible.builtin.blockinfile: create: true - mode: 0644 + mode: '0644' dest: "{{ item.dest }}" state: "{{ item.state }}" marker: "# {mark} ANSIBLE MANAGED" @@ -3385,7 +3385,7 @@ path: /etc/sssd/sssd.conf insertafter: "^ldap_search_base*" create: true - mode: 0600 + mode: '0600' when: rhel_07_040180_audit.stdout == "Active" when: - rhel_07_040180 or @@ -3475,7 +3475,7 @@ regexp: "(?i)^#?ClientAliveInterval" line: ClientAliveInterval {{ rhel7stig_ssh_session_timeout }} validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040320 @@ -3517,7 +3517,7 @@ regexp: "(?i)^#?ClientAliveCountMax" line: ClientAliveCountMax 0 validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040340 @@ -3578,7 +3578,7 @@ line: PermitRootLogin no insertafter: '(?i)^#?authentication' validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040370 @@ -3598,7 +3598,7 @@ regexp: "(?i)^#?IgnoreUserKnownHosts" line: IgnoreUserKnownHosts yes validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040380 
@@ -3619,7 +3619,7 @@ regexp: "(?i)^#?MACs" line: "MACs {{ rhel7stig_ssh_macs }}" validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040400 @@ -3703,7 +3703,7 @@ regexp: "(?i)^#?GSSAPIAuthentication" line: GSSAPIAuthentication no validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040430 @@ -3826,7 +3826,7 @@ dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - mode: 0600 + mode: '0600' notify: restart {{ rhel7stig_time_service }} with_items: - "{{ rhel7stig_time_service_configs[rhel7stig_time_service].lines }}" @@ -4138,7 +4138,7 @@ regexp: "(?i)^#?X11Forwarding" line: X11Forwarding no validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040710 @@ -4159,7 +4159,7 @@ regexp: "(?i)^#?KexAlgorithms" line: KexAlgorithms "{{ rhel7stig_ssh_kex }}" validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040712 @@ -4540,7 +4540,7 @@ path: "{{ item.path }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - "{{ rhel_07_910055_audit_log_files.files }}" when: item.mode is not search '(0[4,6]00)' @@ -4565,7 +4565,7 @@ regexp: "(?i)^#?X11UseLocalhost" line: X11UseLocalhost yes validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040711 diff --git a/tasks/main.yml b/tasks/main.yml index 3196e8c6..2f15a2c7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -109,7 +109,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0600 + mode: '0600' register: auditd_file notify: restart auditd when: From e00e54b4ccc70900a9c88303704bb4302ccef697 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Jul 2024 10:55:54 +0100 Subject: [PATCH 64/84] added update repo url for centos option 
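Review bot: The guard `when: item.mode is not search '(0[4,6]00)'` in the `@@ -4540` hunk uses a character class that also admits a literal comma, so `'(0[46]00)'` states the intent exactly; as written it is correct only because no mode string returned by `find` ever contains a comma. The `mode: '0600'` quoting done throughout this commit is the right fix, since a bare `0600` is read as the octal integer 384 by YAML 1.1 loaders and as decimal 600 by 1.2 ones, so a header comment in this file recording the convention would stop it being reintroduced, e.g. `# File modes are always quoted strings ('0600'); a bare octal literal is parsed as an integer`. The task enclosing the `@@ -4540` change starts outside the hunk.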
Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 +++ tasks/main.yml | 16 +++++++-- templates/etc/yum.repos.d/CentOS-Base.repo.j2 | 34 +++++++++++++++++++ 3 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 templates/etc/yum.repos.d/CentOS-Base.repo.j2 diff --git a/defaults/main.yml b/defaults/main.yml index da941427..f4841b9f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -18,6 +18,11 @@ benchmark_version: 'v3r13' # Whether to skip the reboot rhel7stig_skip_reboot: true +# With CentOS being EoL many mirrors no longer exist and fail for updates +# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo +# It will add the new vaulted location where it is possible to get updates and package +rhel7stig_add_updated_repo: false + ### ### Settings for associated Audit role using Goss ### diff --git a/tasks/main.yml b/tasks/main.yml index 2f15a2c7..e2ca6494 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -72,7 +72,19 @@ tags: - always -- name: include prelim tasks +- name: Update CentOS repo for packages - Use vaulted/archive URL - backup original + ansible.builtin.template: + src: etc/yum.repos.d/CentOS-Base.repo.j2 + dest: /etc/yum.repos.d/CentOS-Base.repo + owner: root + group: root + mode: '0644' + backup: true + when: + - rhel7stig_add_updated_repo + - ansible_distribution == "CentOS" + +- name: Include prelim tasks ansible.builtin.import_tasks: file: prelim.yml tags: @@ -103,7 +115,7 @@ - cat3 - low -- name: update auditd +- name: Update auditd ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules diff --git a/templates/etc/yum.repos.d/CentOS-Base.repo.j2 b/templates/etc/yum.repos.d/CentOS-Base.repo.j2 new file mode 100644 index 00000000..f2a66f9b --- /dev/null +++ b/templates/etc/yum.repos.d/CentOS-Base.repo.j2 
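Review bot: The new `Update CentOS repo` task in `tasks/main.yml` is gated only on `rhel7stig_add_updated_repo` and `ansible_distribution == "CentOS"`, while the template it installs points every section at a fixed `7.9.2009` vault path, so adding `- ansible_distribution_major_version == '7'` to the `when:` keeps the role from overwriting `CentOS-Base.repo` on any other CentOS release where a user has set the variable. `backup: true` is a good choice here: the replaced file is the distribution default, and Ansible's backup copies carry a `~` suffix, so yum does not read them as a second repo definition. The comment added in `defaults/main.yml` should also mention that this task runs before `prelim.yml` and therefore before any package installs, which is the reason for its position.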
@@ -0,0 +1,34 @@ +# Note the BaseUrl Changes +## This is due to CentOS being End Of Life +# This will now use the legacy archived path +# Original paths +# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra +# #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ + +[base] +name=CentOS-$releasever - Base +baseurl=https://vault.centos.org/7.9.2009/os/$basearch +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 + +#released updates +[updates] +name=CentOS-$releasever - Updates +baseurl=https://vault.centos.org/7.9.2009/updates/$basearch +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 + +#additional packages that may be useful +[extras] +name=CentOS-$releasever - Extras +baseurl=https://vault.centos.org/7.9.2009/extras/$basearch +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 + +#additional packages that extend functionality of existing packages +[centosplus] +name=CentOS-$releasever - Plus +baseurl=https://vault.centos.org/7.9.2009/centosplus/$basearch +gpgcheck=1 +enabled=0 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 From 150a6b65fd67cc71ff101a11e23ee67e6a1f0bfe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Jul 2024 10:59:22 +0100 Subject: [PATCH 65/84] removed notify not required Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 4501e626..84ca19f8 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -388,7 +388,6 @@ ansible_python_interpreter: "{{ python2_bin }}" notify: - rebuild initramfs - - change_requires_reboot when: "'dracut-fips' not in ansible_facts.packages" - name: "HIGH | RHEL-07-021350 | PATCH | Disable prelinking." 
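Review bot: The vault release `7.9.2009` is hard-coded in all four `baseurl=` lines of the new template while `name=` still interpolates `$releasever`, so the two can disagree and a future point-release move needs four edits; hoisting it into a role default (for example a `rhel7stig_centos_vault_release` variable rendered as `baseurl=https://vault.centos.org/{{ rhel7stig_centos_vault_release }}/os/$basearch`) would also make the file an actual template, as it currently contains no Jinja at all. Keeping `gpgcheck=1` and the HTTPS vault URL is the right call; writing `enabled=1` explicitly on `[base]`, `[updates]` and `[extras]` would make the intent visible next to the `enabled=0` on `[centosplus]`.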
@@ -448,7 +447,6 @@ - rhel_07_021350_fips_kernel_set.stdout | length == 0 notify: - confirm grub2 user cfg - - change_requires_reboot - name: "HIGH | RHEL-07-021350 | AUDIT | Verify boot kernel parameters in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ rhel7stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub From ddd17c72be681556c3674768010d3cc209b7820a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Jul 2024 11:00:06 +0100 Subject: [PATCH 66/84] Updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index 16e9886b..d362e9f2 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,13 @@ # Changelog +## 3.2 STIG V3R13 25th Oct 2023 + +- updated workflow to use new methods + - new ami being used as old obsolete +- Updated the audit layout +- New options if using CentOS to update repo files to vaulted.repo + - rhel7stig_add_updated_repo + ## 3.1 STIG V3R13 25th Oct 2023 - RHEL_07_010310 - ruleid updated and INACTIVE var created From d1ef0657f042220be48291b8bcb74f13910a5ca6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Jul 2024 13:47:15 +0100 Subject: [PATCH 67/84] Updated workflow Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 291 ++++++++++-------- .../workflows/main_pipeline_validation.yml | 277 +++++++++-------- .github/workflows/update_galaxy.yml | 30 +- 3 files changed, 324 insertions(+), 274 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 39af625a..e02fe1f0 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -1,138 +1,159 @@ --- - name: Devel pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + # Allow manual running of workflow + workflow_dispatch: + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main 
with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansible playbook - - name: 
Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. 
+ + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION: "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + 
PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 8ded7018..4a5adc9c 100644 
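Review bot: The `DEBUG - Show IaC files` script has an unbalanced quote in `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"`, so bash rejects the whole step whenever `ENABLE_DEBUG` is `true`, and both new echoes read `$AWS_PRIVSUBNET_ID`/`$AWS_VPC_SECGRP_ID`, which are not the `PRIVSUBNET_ID`/`VPC_ID` names the step's `env:` defines; `echo "PRIVSUBNET_ID = $PRIVSUBNET_ID"` and `echo "VPC_ID = $VPC_ID"` is what was meant. The `IAC_BRANCH` step has a related problem: `[ ${{ vars.IAC_BRANCH }} != '' ]` expands to `[ != '' ]` when the variable is unset, which is a test syntax error, so the `else` branch that sets `IAC_BRANCH=main` is never reached — quote it as `[ "${{ vars.IAC_BRANCH }}" != '' ]`. On the trust side, the workflow keeps `pull_request_target` with a checkout of `github.event.pull_request.head.sha` and now runs that PR's playbook on a self-hosted runner after assuming an AWS role via the new `id-token: write` permission, so unreviewed fork code executes with the runner's cloud credentials; gating the job on a maintainer label or an environment with required reviewers (or keeping the OIDC steps out of any job that checks out PR code) should be part of this change. `actions/first-interaction@main` and `aws-actions/configure-aws-credentials@main` track a mutable branch and should be pinned to a release tag or commit SHA. The same script defects and trust pattern appear in `main_pipeline_validation.yml`.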
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -1,127 +1,156 @@ --- - name: Main pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: 
DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION : "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ 
secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - 
name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index f9352800..b6ee6a1f 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,19 +1,19 @@ --- -name: update galaxy + name: update galaxy -on: - push: - branches: - - main -jobs: - update_role: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v4 + on: + push: + branches: + - main + jobs: + update_role: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4 - - name: Action Ansible Galaxy Release ${{ github.ref_name }} - uses: ansible-actions/ansible-galaxy-action@main - with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From a25e8bf17727ca8f908a962312407512cff5c486 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:48:35 +0000 Subject: [PATCH 68/84] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.4 → v8.19.2](https://github.com/gitleaks/gitleaks/compare/v8.18.4...v8.19.2) - [github.com/ansible-community/ansible-lint: v24.7.0 → v24.9.0](https://github.com/ansible-community/ansible-lint/compare/v24.7.0...v24.9.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
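Review bot: `AWS_REGION : "us-east-1"` in the `playbook-test` job's `env:` has a space before the colon, which yamllint's `colons` rule flags and which differs from the `AWS_REGION:` spelling used in the devel workflow; write `AWS_REGION: "us-east-1"`. The new `welcome` job only calls the GitHub API through `actions/first-interaction`, so `runs-on: self-hosted` spends a self-hosted slot (and exposes that runner to pull-request-triggered jobs) for no benefit; `ubuntu-latest` is sufficient there.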
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9b4a326a..a930b981 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,13 +36,13 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.4 + rev: v8.19.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.7.0 + rev: v24.9.0 hooks: - id: ansible-lint name: Ansible-lint From b51cdf46afc711d7f0daec73d284a44b3fdd4367 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Sep 2024 17:10:12 +0100 Subject: [PATCH 69/84] added solution for gui and X11 for 040730 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 +--- tasks/prelim.yml | 29 ++++++++++++++++------------- vars/main.yml | 5 +++++ 3 files changed, 22 insertions(+), 16 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8bfa35c8..d7595e7e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4198,9 +4198,7 @@ - name: "MEDIUM | RHEL-07-040730 | PATCH | The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved." ansible.builtin.package: - name: - - "@x11" - - xorg-x11-server-common + name: "{{ rhel7stig_gui_pkgs }}" state: absent vars: ansible_python_interpreter: "{{ python2_bin }}" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5e4d7848..c8a90ed2 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
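Review bot: With `name: "{{ rhel7stig_gui_pkgs }}"` and `state: absent`, the RHEL-07-040730 task now removes everything the list in `vars/main.yml` matches — including the globs `gnome*` and `'@^gnome-desktop'` plus whatever depends on them — which is far broader than the explicit `@x11`/`xorg-x11-server-common` pair it replaces. A comment above the task stating that breadth is intentional would help operators, e.g. `# Removes the full GNOME/X11 stack and its dependents; see rhel7stig_gui_pkgs in vars/main.yml`. The task's `when:` conditions sit outside the hunk, so whether `rhel7stig_gui` still gates it cannot be confirmed from here.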
@@ -132,6 +132,20 @@ - V-204497 - fips +- name: PRELIM | Gnome Desktop Environment Discovery + tags: + - always + block: + - name: PRELIM | Gnome Desktop Environment Discovery + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + + - name: PRELIM | Gnome Desktop Environment Discovery | add packages if x11 not required + when: rhel_07_040710 + ansible.builtin.set_fact: + rhel7stig_gui_pkgs: "{{ rhel7stig_gui_pkgs + [ '@X11', 'xorg-x11-*' ] }}" + - name: "PRELIM | dconf" block: - name: "PRELIM | Check for dconf availability" @@ -292,7 +306,7 @@ tags: - always -- name: "PRELIM | ensure cronie is available" +- name: "PRELIM | Ensure cronie is available" ansible.builtin.package: name: cronie state: present @@ -324,18 +338,7 @@ rhel_07_020690 or rhel_07_020700 tags: - - cat2 - - medium - - RHEL-07-020600 - - RHEL-07-020620 - - RHEL-07-020630 - - RHEL-07-020640 - - RHEL-07-020650 - - RHEL-07-020660 - - RHEL-07-020670 - - RHEL-07-020680 - - RHEL-07-020690 - - RHEL-07-020700 + - always # NOTE: You will need to adjust the UID range in parenthases below. # ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. diff --git a/vars/main.yml b/vars/main.yml index fa752df5..00654713 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -43,3 +43,8 @@ rhel7stig_re_qp_key_end: (?:" *) # insert the parameter at the beginning or append to the end, default append rhel7stig_re_qp_insert: "{{ insert | default(not (append | default(true))) }}" + +rhel7stig_gui_pkgs: + - xorg-x11-server-common + - '@^gnome-desktop' + - 'gnome*' From f2baee295a91a09fffbe725dbdd15f91d482bced Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Sep 2024 17:26:52 +0100 Subject: [PATCH 70/84] updated default var to use discovered value 
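Review bot: The `add packages if x11 not required` task appends `@X11` and `xorg-x11-*` to the removal list when `rhel_07_040710` is true, but 040710 is the SSH `X11Forwarding` control, whereas the package removal this list feeds is RHEL-07-040730; keying removal of the entire X server on the forwarding setting looks like a mis-keyed condition, and `when: rhel_07_040730` — or better a dedicated default such as an explicit "X11 not required" flag — is presumably intended, so please confirm. The two tasks in the block share the same name, `PRELIM | Gnome Desktop Environment Discovery`, which makes the play output ambiguous; name the first `PRELIM | Gnome Desktop Environment Discovery | check for gnome-version.xml`. Also note the `tags: - always` change at `@@ -324` widens a previously cat2-tagged task to every run, which the commit message does not mention.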
Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7d63ad0c..18234ec6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -375,8 +375,8 @@ rhel_07_040000: true rhel_07_040530: true rhel_07_040600: true -# Whether or not to run tasks related to auditing/patching the desktop environment -rhel7stig_gui: false +# Whether or not to run tasks related to auditing/patching the desktop environment - is discovered if using gnome +rhel7stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" # Whether to configure dconf rules unconditionally (ignoring presence of dconf # or rhel7stig_gui) From b38ce35ca8ba0261a27c7871d1da2f5dc7e8b032 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Sep 2024 17:38:31 +0100 Subject: [PATCH 71/84] Alignment Signed-off-by: Mark Bolwell --- ChangeLog.md | 4 +++ defaults/main.yml | 5 +--- tasks/pre_remediation_audit.yml | 3 +++ tasks/prelim.yml | 47 ++++++++++++++++++++++----------- vars/audit.yml | 2 +- 5 files changed, 41 insertions(+), 20 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 363e9a52..86a695a3 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -2,6 +2,10 @@ ## 3.2 STIG v3R14 24th Jan 2024 +- Audit updated + - moved audit into prelim + - updates to audit logic for copy and archive options + - RHEL-07-020019 - title and ruleid update - RHEL-07-020022 - ruleid update - RHEL-07-020210 - ruleid update diff --git a/defaults/main.yml b/defaults/main.yml index 18234ec6..42fe4fdc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -23,10 +23,6 @@ rhel7stig_skip_reboot: true # It will add the new vaulted location where it is possible to get updates and package rhel7stig_add_updated_repo: false -### -### Settings for associated Audit role using Goss -### - ########################################### ### Goss is required on the remote host ### ### vars/auditd.yml for other settings ### 
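Review bot: `rhel7stig_gui` is now derived solely from the presence of `/usr/share/gnome/gnome-version.xml`, so a host running a different display manager (KDE, Xfce, a bare Xorg install) evaluates to `false` and the GUI-related controls are skipped even though RHEL-07-040730 still applies to it; the comment should say so, e.g. `# auto-detected for GNOME only; set to true explicitly for other desktop environments`. The `| default(false)` keeps the expression usable before the discovery task has registered `prelim_gnome_present`, which is good.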
@@ -77,6 +73,7 @@ audit_log_dir: '/opt' ### Goss Settings ## ####### END ######## + #### Detailed settings found at the end of this document #### # We've defined complexity-high to mean that we cannot automatically remediate diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 25038fcd..d822b587 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -19,9 +19,12 @@ - audit_content == 'git' block: - name: Pre Audit Setup | Install git + when: ansible_distribution_major_version == '7' ansible.builtin.package: name: git state: present + vars: + ansible_python_interpreter: "{{ python2_bin }}" - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c8a90ed2..92dac6f2 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,15 +1,12 @@ --- -- name: "PRELIM | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel7_efi_boot - tags: - - goss_template - - always - -- name: set bootloader type +- name: Set bootloader type block: + - name: "PRELIM | Check whether machine is UEFI-based" + ansible.builtin.stat: + path: /sys/firmware/efi + register: rhel7_efi_boot + - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" ansible.builtin.set_fact: rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" 
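Review bot: The new `when: ansible_distribution_major_version == '7'` on `Pre Audit Setup | Install git` skips the install entirely on any other major version, while the following `ansible.builtin.git` task still runs and will then fail for want of a git binary; if the guard exists only because `python2_bin` is RHEL 7 specific, it is the `vars:` interpreter override that should be conditional, not the install. Either drop the `when:` (the role targets RHEL 7 only) or keep it and add a matching install task for the other branch.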
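Review bot: Folding the UEFI `stat` into the `Set bootloader type` block drops the `goss_template` tag that the standalone task carried; the block's own `tags:` are outside this hunk, so confirm they include `goss_template` if the audit-template run relies on `rhel7_efi_boot` being registered. A short comment on the block, e.g. `# rhel7_efi_boot is consumed by the goss template; keep goss_template in this block's tags`, would record the dependency.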
@@ -43,9 +40,30 @@ tags: - always -- name: Include audit specific variables - ansible.builtin.include_vars: - file: audit.yml +- name: "PRELIM | Gather interactive user ID min" + block: + - name: "PRELIM | Gather interactive user ID min" + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel7stig_min_uid + + - name: "PRELIM | Gather interactive user ID max" + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel7stig_max_uid + + - name: "PRELIM | Setting the fact" + ansible.builtin.set_fact: + rhel7stig_interactive_uid_start: "{{ rhel7stig_min_uid.stdout }}" + rhel7stig_interactive_uid_stop: "{{ rhel7stig_max_uid.stdout }}" + tags: + - always + - auditd + +- name: "PRELIM | Include audit specific variables" + ansible.builtin.include_vars: audit.yml when: - run_audit or audit_only - setup_audit @@ -53,9 +71,8 @@ - setup_audit - run_audit -- name: Include pre-remediation audit tasks - ansible.builtin.import_tasks: - file: pre_remediation_audit.yml +- name: "PRELIM | Include pre-remediation audit tasks" + ansible.builtin.import_tasks: pre_remediation_audit.yml when: - run_audit or audit_only - setup_audit diff --git a/vars/audit.yml b/vars/audit.yml index 9486cdc6..5417f292 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -34,7 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }} {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} Full breakdown can be found in {{ audit_log_dir }} From cbeab4a11b1571608d3b5a2334a002801df3541f Mon Sep 17 00:00:00 2001 
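Review bot: The `grep ^UID_MIN` and `grep ^UID_MAX` shell tasks use `failed_when: false`, so if `/etc/login.defs` is missing or the keys are commented out they succeed with empty `stdout`, and `PRELIM | Setting the fact` sets `rhel7stig_interactive_uid_start` and `rhel7stig_interactive_uid_stop` to empty strings that later numeric comparisons will misjudge. Give the facts a fallback, e.g. `rhel7stig_interactive_uid_start: "{{ rhel7stig_min_uid.stdout | default('1000', true) }}"` and `rhel7stig_interactive_uid_stop: "{{ rhel7stig_max_uid.stdout | default('60000', true) }}"` (the customary login.defs defaults), or replace `failed_when: false` with an explicit `rc` check so a malformed file is reported rather than hidden. A one-line comment above the block naming which later controls consume these two facts would also help the next reader.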
From: Mark Bolwell Date: Thu, 19 Sep 2024 17:27:16 +0100 Subject: [PATCH 72/84] remove jmespath on the way mountspoints are check Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 ---------- tasks/fix-cat1.yml | 4 ++-- tasks/prelim.yml | 7 +++++++ 3 files changed, 9 insertions(+), 12 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 42fe4fdc..7850f265 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -689,10 +689,6 @@ update_audit_template: false # RHEL-07-030300 uncomment and set the value to a remote IP address that can receive audit logs # rhel7stig_audisp_remote_server: 10.10.10.10 -# RHEL-07-030330: set this to 25% of the free space in /var/log/audit (measured in megabytes) -rhel7stig_auditd_space_left: "{{ ( ansible_mounts | json_query(rhel7stig_audit_disk_size_query) | int / 4 / 1024 / 1024 ) | int + 1 }}" -rhel7stig_audit_disk_size_query: "[?mount=='{{ rhel7stig_audit_part }}'].size_total | [0]" - # RHEL-07-030350 rhel7stig_audit_daemon: auditd rhel7stig_auditd_mail_acct: root @@ -746,12 +742,6 @@ rhel7stig_efi_boot_path: '/boot/efi/EFI/' rhel7stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -rhel7stig_local_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_local_mounts_query) }}" -rhel7stig_local_mounts_query: "[?starts_with(device, '/dev/')].mount" - -rhel7stig_nfs_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_nfs_mounts_query) }}" -rhel7stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount" - # DNS Servers to configure, you need two to conform to STIG standards rhel_07_040600_dns_servers: - 9.9.9.9 diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 84ca19f8..19e0272f 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -574,7 +574,7 @@ - name: "HIGH | RHEL-07-040540 | The Red Hat Enterprise Linux operating system must not contain .shosts files." block: - name: "HIGH | RHEL-07-040540 | AUDIT | The Red Hat Enterprise Linux operating system must not contain .shosts files." - ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name '.shosts' + ansible.builtin.shell: find / -xdev -not -fstype nfs -name '.shosts' check_mode: false changed_when: false register: rhel_07_040540_audit @@ -599,7 +599,7 @@ - name: "HIGH | RHEL-07-040550 | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." block: - name: "HIGH | RHEL-07-040550 | AUDIT | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." - ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name 'shosts.equiv' + ansible.builtin.shell: find / -xdev -not -fstype nfs -name 'shosts.equiv' check_mode: false changed_when: false register: rhel_07_040550_audit diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 92dac6f2..44bb85f2 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -314,6 +314,13 @@ tags: - always +- name: "PRELIM | AUDIT | Create list of mount points" + ansible.builtin.set_fact: + prelim_local_mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" + prelim_nfs_mount_names: "{{ ansible_facts.mounts | selectattr('fstype', 'equalto', 'nfs') | map(attribute='mount') | list | default([]) }}" + tags: + - always + - name: "PRELIM | Gather mount information" ansible.builtin.setup: gather_subset: hardware,!all,!min From 594c50feaa64def30eaa35b135abc81f0a993a84 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Sep 2024 17:29:37 +0100 Subject: [PATCH 73/84] removed breaking dupe line Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 1 - 1 file changed, 1 deletion(-) 
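Review bot: `find / -xdev -not -fstype nfs -name '.shosts'` searches only the filesystem that `/` lives on, because `-xdev` stops at mount boundaries; the previous form walked every entry in `rhel7stig_local_mounts`, so `.shosts` files on a separately mounted `/home` or `/var` are now missed, and the `-not -fstype nfs` clause does nothing once `-xdev` is anchored at `/`. Iterating the mount list this same commit introduces keeps the coverage: `ansible.builtin.shell: find {{ prelim_local_mount_names | join(' ') }} -xdev -name '.shosts'`. The same regression applies to the `shosts.equiv` hunk below and, in the later `updated mount and wireless checks` commit, to the RHEL-07-020730, RHEL-07-020900 and RHEL-07-021030 audits.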
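Review bot: `PRELIM | AUDIT | Create list of mount points` is inserted before `PRELIM | Gather mount information`, the `ansible.builtin.setup` task with `gather_subset: hardware` that appears to be what populates mount facts; if the play does not gather hardware facts earlier, `ansible_facts.mounts` is undefined when this `set_fact` runs. The filters are also looser than the variables they replace: `prelim_local_mount_names` takes every mount (NFS and bind mounts included, where the old query kept only `/dev/` devices), and `selectattr('fstype', 'equalto', 'nfs')` misses `nfs4`. Moving the task after the setup task and using `prelim_local_mount_names: "{{ ansible_facts.mounts | selectattr('device', 'match', '^/dev/') | map(attribute='mount') | list }}"` and `prelim_nfs_mount_names: "{{ ansible_facts.mounts | selectattr('fstype', 'match', '^nfs') | map(attribute='mount') | list }}"` restores the old semantics; the trailing `| default([])` on an already-built list does nothing and can go.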
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 8e562654..199dac24 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -164,7 +164,6 @@ RHEL_07_030201: {{ rhel_07_030201 }} RHEL_07_030210: {{ rhel_07_030210 }} RHEL_07_030211: {{ rhel_07_030211 }} # if you set 030300 to 'true' ensure you define rhel7stig_audisp_remote_server -RHEL_07_010375: {{ rhel_07_010375 }} RHEL_07_030300: {{ rhel_07_030300 }} RHEL_07_030310: {{ rhel_07_030310 }} RHEL_07_030320: {{ rhel_07_030320 }} From c6d2e0615eab4eb473d6c75e37920941b51294b8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Sep 2024 17:30:48 +0100 Subject: [PATCH 74/84] Updated goss version and added ARM Signed-off-by: Mark Bolwell --- vars/audit.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/vars/audit.yml b/vars/audit.yml index 5417f292..8118865e 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma ### Audit binary settings ### audit_bin_version: - release: v0.3.21 - AMD64_checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' + release: v0.4.8 + AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f' + ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From a94da63881421641c2c4996a7a24ea7787d022d7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Sep 2024 17:32:02 +0100 Subject: [PATCH 75/84] updated mount and wireless checks Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 117 +++++++++++++++++++++++++-------------------- 1 file changed, 65 insertions(+), 52 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index d7595e7e..b1752277 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
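Review bot: `ARM64_checksum` is added alongside the `v0.4.8` bump, but this commit touches only `vars/audit.yml`, so whichever task downloads `audit_bin` must already select the checksum by `ansible_facts.architecture` for the new key to have any effect; otherwise an ARM host is verified against the AMD64 digest and the download fails. Confirm that the download task passes the architecture-matching value to its `checksum:` argument, and record the contract next to these keys, e.g. `# the download task picks AMD64_checksum or ARM64_checksum from ansible_facts.architecture`. Keeping the digests pinned here per release is the right place for them; just make sure no architecture falls through without verification.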
@@ -1051,6 +1051,7 @@ path: /etc/grub.d/01_users regexp: "{{ item.regexp }}" line: "{{ item.line }}" + create: true notify: - make grub2 config with_items: @@ -1463,18 +1464,17 @@ - name: "MEDIUM | RHEL-07-020320 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." block: - name: "MEDIUM | RHEL-07-020320 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." - ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser + ansible.builtin.shell: find "{{ item }}" -xdev -nouser check_mode: false failed_when: false changed_when: false register: rhel_07_020320_audit with_items: - - "{{ ansible_mounts }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] + - "{{ prelim_local_mount_names }}" - name: "MEDIUM | RHEL-07-020320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner." ansible.builtin.debug: - msg: "Warning!! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning!! Manual intervention is required -- missing owner on items in {{ item.stdout_lines }}" changed_when: rhel7stig_audit_complex with_items: - "{{ rhel_07_020320_audit.results }}" 
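Review bot: `create: true` makes `ansible.builtin.lineinfile` produce `/etc/grub.d/01_users` from scratch when it is absent, which yields a file holding only the managed `line:` entries (the `with_items` list sits outside this hunk), with no shebang and whatever mode the umask gives; `grub2-mkconfig`, triggered by `notify: make grub2 config`, only runs executable scripts in `/etc/grub.d`, so the result is either silently ignored or, if the items do not form a complete shell script, a broken grub build. If the file can legitimately be missing, add `mode: "0755"` here and confirm the items include the shebang and the rest of the script; otherwise leave `create` off so a missing file fails loudly.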
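Review bot: Switching `with_items` to `prelim_local_mount_names` drops the `when: item['device'].startswith('/dev') and not 'bind' in item['options']` filter, so the `-nouser` audit now runs on every mount, NFS and bind mounts included, which walks remote filesystems and reports files whose owners exist only on the server; as defined in prelim, `prelim_local_mount_names` does not apply that filter itself. Either restore the filter in prelim's definition or keep a per-item guard here. The `PATCH` debug message also lost the mount name, so the warning no longer says where the items were found; `msg: "Warning!! Manual intervention is required -- missing owner on items in {{ item.item }}: {{ item.stdout_lines | join(', ') }}"` keeps it. The RHEL-07-020330 hunk that follows has the same two issues.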
@@ -1496,18 +1496,17 @@ - name: "MEDIUM | RHEL-07-020330 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." block: - name: "MEDIUM | RHEL-07-020330 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." - ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup + ansible.builtin.shell: find "{{ item }}" -xdev -nogroup check_mode: false failed_when: false changed_when: false register: rhel_07_020330_audit with_items: - - "{{ ansible_mounts }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] + - "{{ prelim_local_mount_names }}" - name: "MEDIUM | RHEL-07-020330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner." ansible.builtin.debug: - msg: "Warning!! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning!! Manual intervention is required -- missing group on items in {{ item.stdout_lines }}" changed_when: rhel7stig_audit_complex with_items: - "{{ rhel_07_020330_audit.results }}" 
@@ -1880,7 +1879,7 @@ - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." block: - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory." - ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath with_items: "{{ rhel_07_stig_interactive_homedir_results }}" changed_when: false failed_when: false @@ -1920,7 +1919,7 @@ block: # Let's find any progerams with world-writable permissions. - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs." - ansible.builtin.shell: find / -xdev -perm -002 -type f -exec ls -ld {} \; | awk '{print $9}' + ansible.builtin.shell: find / -xdev -not -fstype nfs -perm -002 -type f -exec ls -ld {} \; | awk '{print $9}' failed_when: false changed_when: false register: rhel_07_020730_perms_results 
@@ -1981,7 +1980,7 @@ - name: "MEDIUM | RHEL-07-020900 | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." block: - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification." - ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -context *:device_t:* -o -context *:unlabeled_t:* -type c -o -type b -printf '%p %Z\n' + ansible.builtin.shell: find / -xdev -not -fstype nfs -context *:device_t:* -o -context *:unlabeled_t:* -type c -o -type b -printf '%p %Z\n' changed_when: false check_mode: false register: rhel_07_020900_audit @@ -2012,15 +2011,16 @@ ansible.posix.mount: path: /home state: mounted - src: "{{ home_mount.device }}" - fstype: "{{ home_mount.fstype }}" - opts: "{{ home_mount.options }},nosuid" - vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" # noqa: jinja[invalid] + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + opts: "{{ item.options }},nosuid" + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" when: - rhel_07_021000 - - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - item.mount == "/home" + - "'nosuid' not in item.options" tags: - RHEL-07-021000 - CAT2 
@@ -2035,27 +2035,29 @@ ansible.posix.mount: path: /media state: mounted - src: "{{ removable_mount.device }}" - fstype: "{{ removable_mount.fstype }}" - opts: "{{ removable_mount.options }},nosuid" - vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + opts: "{{ item.options }},nosuid" + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" when: - - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nosuid' not in removable_mount.options" + - item.mount == "/media" + - "'nosuid' not in item.options" - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." ansible.posix.mount: path: /mnt state: mounted - src: "{{ removable_mount2.device }}" - fstype: "{{ removable_mount2.fstype }}" - opts: "{{ removable_mount2.options }},nosuid" - vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + opts: "{{ item.options }},nosuid" + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" when: - - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nosuid' not in removable_mount2.options" + - item.mount == "/mnt" + - "'nosuid' not in item.options" when: - rhel_07_021010 - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container) 
@@ -2070,19 +2072,15 @@ - name: "MEDIUM | RHEL-07-021020 | PATCH | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)." ansible.posix.mount: path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},nosuid" + src: "{{ item.src }}" + fstype: "{{ aitem.fstype }}" + opts: "{{ item.opts,nosuid }}" state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] - options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: - - "{{ rhel7stig_nfs_mounts }}" + - "{{ prelim_nfs_mount_names }}" when: - rhel_07_021020 - - "'nosuid' not in (ansible_mounts | json_query(options_query))" + - "'nosuid' not in item" tags: - RHEL-07-021020 - CAT2 
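Review bot: The rewritten RHEL-07-021020 mount task cannot run as written: `with_items` now iterates `prelim_nfs_mount_names`, a list of mount-point strings, yet the module args read `item.src`, `aitem.fstype` (a typo) and `{{ item.opts,nosuid }}` (a Jinja tuple, not a string), all undefined on a string, and the `when: "'nosuid' not in item"` clause tests whether the mount path contains the text `nosuid`, which is always true. Looping over the mount facts, as the `/home` and `/media` hunks in this same commit already do, gives every field directly, and the RHEL-07-021021 hunk below has the identical problem with `noexec`.
```yaml
      ansible.posix.mount:
        path: "{{ item.mount }}"
        src: "{{ item.device }}"
        fstype: "{{ item.fstype }}"
        opts: "{{ item.options }},nosuid"
        state: mounted
      loop: "{{ ansible_facts.mounts | selectattr('fstype', 'match', '^nfs') | list }}"
      loop_control:
        label: "{{ item.mount }}"
      when:
        - rhel_07_021020
        - "'nosuid' not in item.options"
      # … unchanged: tags …
```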
@@ -2095,19 +2093,15 @@ - name: "MEDIUM | RHEL-07-021021 | PATCH | The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)." ansible.posix.mount: path: "{{ item }}" - src: "{{ ansible_mounts | json_query(device_query) }}" - fstype: "{{ ansible_mounts | json_query(fstype_query) }}" - opts: "{{ ansible_mounts | json_query(options_query) }},noexec" + src: "{{ item.src }}" + fstype: "{{ aitem.fstype }}" + opts: "{{ item.opts,noexec }}" state: mounted - vars: - device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] - options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: - - "{{ rhel7stig_nfs_mounts }}" + - "{{ prelim_nfs_mount_names }}" when: - rhel_07_021021 - - "'noexec' not in (ansible_mounts | json_query(options_query))" + - "'noexec' not in item" tags: - RHEL-07-021021 - CAT2 @@ -2120,7 +2114,7 @@ - name: "MEDIUM | RHEL-07-021030 | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." block: - name: "MEDIUM | RHEL-07-021030 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group." - ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -type d -perm -002 -gid +999 + ansible.builtin.shell: find / -xdev -not -fstype nfs -type d -perm -002 -gid +999 changed_when: rhel_07_021030_audit.stdout != "" check_mode: false register: rhel_07_021030_audit @@ -2498,7 +2492,7 @@ ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: ^space_left += - line: "space_left = {{ [rhel7stig_auditd_space_left | int, 51] | max }}" + line: "space_left = 25%" when: - rhel_07_030330 tags: 
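Review bot: `line: "space_left = 25%"` hard-codes a percentage where the old expression computed megabytes with a 51 MB floor; a percentage in `space_left` is only understood by auditd releases that added that syntax, and an older auditd rejects the value when parsing `auditd.conf` and refuses to start, which is worse than a slightly wrong threshold. Confirm the audit version shipped on the target release accepts it and document the assumption: `# 25% relies on an auditd that accepts percentage values in space_left; older builds expect megabytes`. With `rhel7stig_auditd_space_left` removed from defaults in the earlier commit there is no computed fallback left, so a conditional line keyed on the installed audit version would be the safe shape.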
@@ -4417,16 +4411,35 @@ - name: "MEDIUM | RHEL-07-041010 | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled." block: + - name: "MEDIUM | RHEL-07-041010 | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled. | Discover if wirelss adapter on system" + ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless + changed_when: false + failed_when: discovered_wireless_adapters.rc not in [ 0, 1 ] + register: discovered_wireless_adapters + + - name: "MEDIUM | RHEL-07-041010 | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled. | if wireless adapter present" + ansible.builtin.package: + name: NetworkManager + state: present + when: + - discovered_wireless_adapters.rc == 0 + - "'NetworkManager' not in ansible_facts.packages" + - name: "MEDIUM | RHEL-07-041010 | AUDIT | check if wifi is enabled" ansible.builtin.shell: nmcli radio wifi changed_when: false check_mode: false + failed_when: rhel_07_wifi_enabled.rc not in [ 0, 1 ] register: rhel_07_wifi_enabled + when: + - discovered_wireless_adapters.rc == 0 - name: "MEDIUM | RHEL-07-041010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled." ansible.builtin.shell: nmcli radio wifi off when: + - discovered_wireless_adapters.rc == 0 - "'enabled' in rhel_07_wifi_enabled.stdout" + - rhel_07_wifi_enabled.rc == 0 when: - rhel_07_041010 - "'NetworkManager' in ansible_facts.packages" From 272ce78e13fdd151e584d91b58b4da5bf45a7a6a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Sep 2024 17:33:58 +0100 Subject: [PATCH 76/84] aligned benchmark git version name Signed-off-by: Mark Bolwell --- vars/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/audit.yml b/vars/audit.yml index 8118865e..7a2e9ec8 100644 --- a/vars/audit.yml 
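Review bot: `failed_when: discovered_wireless_adapters.rc not in [ 0, 1 ]` together with `when: - discovered_wireless_adapters.rc == 0` does not detect presence: `find` exits 0 whether or not it matches anything, so `rc == 0` holds on every host and the install, `nmcli radio wifi` and `nmcli radio wifi off` tasks are no longer gated on an adapter actually existing. Test the output instead, `- discovered_wireless_adapters.stdout | length > 0`, in each of the three `when` lists. The `if wireless adapter present` install task is also dead code: it requires `'NetworkManager' not in ansible_facts.packages` while the block's outer `when` requires `'NetworkManager' in ansible_facts.packages`, so it can never run. The task name also misspells `wirelss`.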
+++ b/vars/audit.yml @@ -12,7 +12,7 @@ audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_ ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}_rh7" +audit_git_version: "benchmark_{{ benchmark_version }}" ## Goss configuration information # Where the goss audit configuration will be stored - NOTE benchmark-audit is expected From 06d5a345ec3b0ed44b3d98dda45a24249753d176 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Sep 2024 08:36:31 +0100 Subject: [PATCH 77/84] removed empty line Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 3 +-- .github/workflows/main_pipeline_validation.yml | 12 ------------ defaults/main.yml | 1 - 3 files changed, 1 insertion(+), 15 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index e02fe1f0..c9328cbc 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ jobs: # This will create messages for first time contributers and direct them to the Discord server welcome: - runs-on: self-hosted + runs-on: ubuntu-latest steps: - uses: actions/first-interaction@main @@ -70,7 +70,6 @@ echo IAC_BRANCH=main >> $GITHUB_ENV fi - # Pull in terraform code for linux servers - name: Clone GitHub IaC plan uses: actions/checkout@v4 diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 4a5adc9c..ab11c37b 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
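Review bot: `- uses: actions/first-interaction@main` pins the action to a moving branch, so the `welcome` job, now running on `ubuntu-latest` with the repository's `GITHUB_TOKEN`, executes whatever that branch contains at run time; pin third-party actions to a full commit SHA with the version in a comment, e.g. `- uses: actions/first-interaction@<commit-sha>  # <tag>`, as GitHub's workflow-hardening guidance recommends. Moving the job off `self-hosted` for work triggered by first-time contributor PRs is the right direction. The same job is deleted from the main pipeline in the next file of this commit, so this is the only copy left to pin.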
@@ -23,18 +23,6 @@ # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: self-hosted - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on diff --git a/defaults/main.yml b/defaults/main.yml index dd1e1cd8..7850f265 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -76,7 +76,6 @@ audit_log_dir: '/opt' #### Detailed settings found at the end of this document #### - # We've defined complexity-high to mean that we cannot automatically remediate # the rule in question. In the future this might mean that the remediation # may fail in some cases. From df0e444cd27bc4f26435a756eb726778850ee67b Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 17:48:46 +0000 Subject: [PATCH 78/84] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.9.0 → v24.9.2](https://github.com/ansible-community/ansible-lint/compare/v24.9.0...v24.9.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a930b981..382c345d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.9.0 + rev: v24.9.2 hooks: - id: ansible-lint name: Ansible-lint From 0b0049a32ea405bb2d22fe1d2fb0bd49cd78217e Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 17:55:00 +0000 Subject: [PATCH 79/84] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.6.0 → v5.0.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.6.0...v5.0.0) - [github.com/gitleaks/gitleaks: v8.19.2 → v8.21.1](https://github.com/gitleaks/gitleaks/compare/v8.19.2...v8.21.1) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 382c345d..c6a8d07f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: # Safety - id: detect-aws-credentials @@ -36,7 +36,7 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.19.2 + rev: v8.21.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From e904997149649a469e2e90b09d41f20b8878f018 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 18:01:31 +0000 Subject: [PATCH 80/84] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.21.1 → v8.21.2](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c6a8d07f..a679c82a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,7 +36,7 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.1 + rev: v8.21.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From 0e839b71de74f3cead422a57fb906d6c4613fa49 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Oct 2024 19:10:10 +0000 Subject: [PATCH 81/84] updated layout 21350 Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 19e0272f..d4b02673 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -43,31 +43,31 @@ - V-204392 - permissions -- name: "HIGH | RHEL-07-021350 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." +- name: "HIGH | RHEL-07-010020 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." block: - - name: "HIGH | RHEL-07-021350 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." + - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." ansible.builtin.shell: 'rpm -Va --noconfig --nolinkto --nosize --nouser --nogroup --nomtime --nomode --nodigest --nosignature | grep ''^..5'' | tee /dev/stderr | cut -c13- | sed ''s/^ //'' | xargs rpm -qf --qf=''%{name}\n'' | sort -u' check_mode: false failed_when: false - changed_when: rhel_07_021350_audit.stdout| length > 0 - register: rhel_07_021350_audit + changed_when: rhel_07_010020_audit.stdout| length > 0 + register: rhel_07_010020_audit - - name: "HIGH | RHEL-07-021350 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." + - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." 
ansible.builtin.debug: - msg: "{{ rhel_07_021350_audit.stderr_lines }}" + msg: "{{ rhel_07_010020_audit.stderr_lines }}" changed_when: true - when: rhel_07_021350_audit.stdout | length > 0 + when: rhel_07_010020_audit.stdout | length > 0 - - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." + - name: "HIGH | RHEL-07-010020 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." ansible.builtin.shell: yum reinstall -y {{ item }} failed_when: false with_items: - - "{{ rhel_07_021350_audit.stdout_lines }}" - when: rhel_07_021350_audit.stdout_lines | length > 0 + - "{{ rhel_07_010020_audit.stdout_lines }}" + when: rhel_07_010020_audit.stdout_lines | length > 0 when: - - rhel_07_021350 + - rhel_07_010020 tags: - - RHEL-07-021350 + - RHEL-07-010020 - CAT1 - CCI-001749 - SRG-OS-000480-GPOS-00227 @@ -471,9 +471,7 @@ - rhel_07_021350_boot_kernel_set.stdout | length == 0 - not ansible_check_mode or rhel_07_021350_default_grub_missing_audit is not changed - notify: confirm grub2 user cfg - register: result - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub From 18f123f13bd663d7ac02f18bff699f736dfed9f2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 30 Oct 2024 19:12:18 +0000 Subject: [PATCH 82/84] fixed layout 041010 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index b1752277..7d923e58 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
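Review bot: The rename from `rhel_07_021350` to `rhel_07_010020` in this block changes the control flag read by `when: - rhel_07_010020`, but the diffstat shows only `tasks/fix-cat1.yml` changed, so unless `rhel_07_010020` is already declared in `defaults/main.yml` and exported by `templates/ansible_vars_goss.yml.j2` (which lists controls under the same names) the task now fails on an undefined variable and the audit side keeps the old id. Confirm the default exists, or add it in the same change. The commit subject `updated layout 21350` also no longer describes what the hunk does.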
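Review bot: Removing `notify: confirm grub2 user cfg` and `register: result` goes beyond layout: the task whose `when:` list this hunk closes (its body starts above the hunk) no longer triggers the `confirm grub2 user cfg` handler after it changes something, so whatever that handler verified about the grub user configuration is now skipped. If the handler was a leftover from an earlier design, say so in the commit message or in a comment at the task; otherwise keep the `notify` line. Dropping the unused `register: result` is fine on its own.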
@@ -4427,8 +4427,8 @@ - name: "MEDIUM | RHEL-07-041010 | AUDIT | check if wifi is enabled" ansible.builtin.shell: nmcli radio wifi - changed_when: false check_mode: false + changed_when: false failed_when: rhel_07_wifi_enabled.rc not in [ 0, 1 ] register: rhel_07_wifi_enabled when: @@ -4458,7 +4458,7 @@ - name: "MEDIUM | RHEL-07-020019 | AUDIT | The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool." ansible.builtin.debug: msg: - - "Please Install and enable the latest Trellix ENSLTP package." + - "Please install and enable the latest Trellix ENSLTP package." - "If the system does not support the Trellix ENSLTP package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official." when: - rhel_07_020019 From aa0be1c5646c739899d39d014b4bc1cf220f6d49 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Nov 2024 10:46:44 +0000 Subject: [PATCH 83/84] moved check_mode Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 6 +++--- tasks/fix-cat2.yml | 34 +++++++++++++++++----------------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index d4b02673..99a580c6 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -573,8 +573,8 @@ block: - name: "HIGH | RHEL-07-040540 | AUDIT | The Red Hat Enterprise Linux operating system must not contain .shosts files." ansible.builtin.shell: find / -xdev -not -fstype nfs -name '.shosts' - check_mode: false changed_when: false + check_mode: false register: rhel_07_040540_audit - name: "HIGH | RHEL-07-040540 | PATCH | The Red Hat Enterprise Linux operating system must not contain .shosts files." 
@@ -598,8 +598,8 @@ block: - name: "HIGH | RHEL-07-040550 | AUDIT | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." ansible.builtin.shell: find / -xdev -not -fstype nfs -name 'shosts.equiv' - check_mode: false changed_when: false + check_mode: false register: rhel_07_040550_audit - name: "HIGH | RHEL-07-040550 | PATCH | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files." @@ -667,9 +667,9 @@ block: - name: "HIGH | RHEL-07-040800 | AUDIT | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default." ansible.builtin.shell: grep {{ item }} /etc/snmp/snmpd.conf - check_mode: false failed_when: false changed_when: false + check_mode: false register: rhel_07_040800_audit with_items: - public diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7d923e58..c341d7d9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -610,14 +610,14 @@ block: - name: "MEDIUM | RHEL-07-010240 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime." ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" - check_mode: false changed_when: false + check_mode: false register: rhel_07_010240_audit - name: "MEDIUM | RHEL-07-010240 | PATCH | Passwords must be restricted to a 24 hours/1 day minimum lifetime." ansible.builtin.shell: chage -m 1 {{ item }} - check_mode: false changed_when: true + check_mode: false with_items: - "{{ rhel_07_010240_audit.stdout_lines }}" when: 
@@ -653,8 +653,8 @@
 block:
 - name: "MEDIUM | RHEL-07-010260 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
 ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
- check_mode: false
 changed_when: false
+ check_mode: false
 register: rhel_07_010260_audit
 - name: "MEDIUM | RHEL-07-010260 | PATCH | Reset password timeout to prevent locking out user."
@@ -1428,9 +1428,9 @@
 block:
 - name: "MEDIUM | RHEL-07-020270 | AUDIT | The Red Hat Enterprise Linux operating system must not have unnecessary accounts."
 ansible.builtin.shell: "grep '^{{ item }}:' /etc/passwd"
- check_mode: false
 failed_when: rhel_07_020270_audit.rc > 1
 changed_when: rhel_07_020270_audit.rc == 0
+ check_mode: false
 register: rhel_07_020270_audit
 with_items:
 - "{{ rhel7stig_unnecessary_accounts }}"
@@ -1465,9 +1465,9 @@
 block:
 - name: "MEDIUM | RHEL-07-020320 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."
 ansible.builtin.shell: find "{{ item }}" -xdev -nouser
- check_mode: false
 failed_when: false
 changed_when: false
+ check_mode: false
 register: rhel_07_020320_audit
 with_items:
 - "{{ prelim_local_mount_names }}"
@@ -1497,9 +1497,9 @@
 block:
 - name: "MEDIUM | RHEL-07-020330 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."
 ansible.builtin.shell: find "{{ item }}" -xdev -nogroup
- check_mode: false
 failed_when: false
 changed_when: false
+ check_mode: false
 register: rhel_07_020330_audit
 with_items:
 - "{{ prelim_local_mount_names }}"
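Review bot: `grep '^{{ item }}:' /etc/passwd` in the @@ -1428 hunk splices each `rhel7stig_unnecessary_accounts` entry into a single-quoted shell argument, so an entry containing a quote or a regex metacharacter changes the command rather than being matched literally, and the `failed_when: rhel_07_020270_audit.rc > 1` rule would at best surface that as a task failure. Quote the whole pattern, `ansible.builtin.shell: "grep {{ ('^' ~ item ~ ':') | quote }} /etc/passwd"`, or look the account up without a shell via `ansible.builtin.getent` with `database: passwd`, `key: "{{ item }}"` and `fail_key: false`; the module route changes the shape of the registered result, which the PATCH task that follows outside this hunk presumably consumes.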
@@ -1632,8 +1632,8 @@
 block:
 - name: "MEDIUM | RHEL-07-020660 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."
 ansible.builtin.shell: "{{ find_command_base }} -print -quit"
- check_mode: false
 changed_when: rhel_07_020660_audit.stdout |length > 0
+ check_mode: false
 register: rhel_07_020660_audit
 with_items: "{{ rhel7stig_passwd }}"
 loop_control:
@@ -1669,8 +1669,8 @@
 block:
 - name: "MEDIUM | RHEL-07-020670 | AUDIT | Get all GIDs for each user."
 ansible.builtin.shell: id -G "{{ item.id }}"
- check_mode: false
 changed_when: false
+ check_mode: false
 register: rhel_07_all_gid_audit
 with_items:
 - "{{ rhel7stig_passwd }}"
@@ -1679,8 +1679,8 @@
 - name: "MEDIUM | RHEL-07-020670 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."
 ansible.builtin.shell: "{{ find_command_base }} -print -quit"
- check_mode: false
 changed_when: rhel_07_020670_audit.stdout| length > 0
+ check_mode: false
 register: rhel_07_020670_audit
 with_items:
 - "{{ rhel_07_all_gid_audit.results }}"
@@ -1725,8 +1725,8 @@
 - name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
 ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
- check_mode: false
 changed_when: rhel_07_020680_patch_audit.stdout| length > 0
+ check_mode: false
 register: rhel_07_020680_patch_audit
 with_together:
 - "{{ rhel_07_020680_audit.results | map(attribute='item') | list }}"
@@ -1785,8 +1785,8 @@
 block:
 - name: "MEDIUM | RHEL-07-020690 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."
 ansible.builtin.shell: "{{ find_command_base }} -print -quit"
- check_mode: false
 changed_when: rhel_07_020690_audit.stdout | length > 0
+ check_mode: false
 register: rhel_07_020690_audit
 with_items:
 - "{{ rhel7stig_passwd }}"
@@ -1823,8 +1823,8 @@
 block:
 - name: "MEDIUM | RHEL-07-020700 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."
 ansible.builtin.shell: "{{ find_command_base }} -print -quit"
- check_mode: false
 changed_when: rhel_07_020700_audit.stdout| length > 0
+ check_mode: false
 register: rhel_07_020700_audit
 with_items:
 - "{{ rhel7stig_passwd }}"
@@ -2220,9 +2220,9 @@
 block:
 - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
 ansible.builtin.shell: "systemctl show kdump | grep LoadState | cut -d = -f 2"
- register: rhel_07_021300_kdump_service_status
 changed_when: false
 check_mode: false
+ register: rhel_07_021300_kdump_service_status
 - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
 ansible.builtin.service:
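Review bot: The task at @@ -2220 is labelled `PATCH` in its name but only reads state (`systemctl show kdump ...`, `changed_when: false`, `register`), which undermines the AUDIT/PATCH naming the rest of this file uses to signal whether a task may change the host; the same applies to the `cat /etc/fstab | grep nfs` task in the @@ -4231 hunk of this file on the next line. Rename both to `| AUDIT |`, and simplify the second to `ansible.builtin.shell: grep nfs /etc/fstab` — with `failed_when: false` already set, the extra `cat` only hides which command failed. The service task that consumes `rhel_07_021300_kdump_service_status` continues outside the hunk.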
@@ -3352,9 +3352,9 @@
 "MEDIUM | RHEL-07-040190 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
 "MEDIUM | RHEL-07-040200 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
 ansible.builtin.shell: systemctl status sssd.service | grep "Active" | cut -d ':' -f1 | tr " " "\n" | sed '/^$/d'
- check_mode: false
 failed_when: false
 changed_when: false
+ check_mode: false
 register: rhel_07_040180_audit
 - name: |
@@ -4105,8 +4105,8 @@
 block:
 - name: "MEDIUM | RHEL-07-040680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."
 ansible.builtin.shell: "/usr/sbin/postconf -n smtpd_client_restrictions"
- check_mode: false
 changed_when: false
+ check_mode: false
 register: rhel_07_040680_postconf_audit
 when: "'postfix' in ansible_facts.packages"
@@ -4231,10 +4231,10 @@
 block:
 - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
 ansible.builtin.shell: cat /etc/fstab | grep nfs
- register: rhel_07_040750_nfssec_check
 changed_when: false
 failed_when: false
 check_mode: false
+ register: rhel_07_040750_nfssec_check
 - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
 ansible.builtin.debug:
@@ -4361,13 +4361,13 @@ block: - name: "MEDIUM | RHEL-07-041002 | AUDIT | Check if pam service is configured in sssd file" ansible.builtin.shell: 'grep -E "^\s*services\s*=.*pam" /etc/sssd/sssd.conf' - check_mode: false changed_when: - sssd_services_check.rc == 1 - not rhel7stig_skip_for_travis failed_when: false # todo: only run if sssd installed and config file present # failed_when: sssd_services_check.rc > 1 + check_mode: false register: sssd_services_check - name: "MEDIUM | RHEL-07-041002 | PATCH | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."
From 744f42e274cb63fe9ea3405599bbe371b3898c98 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 1 Nov 2024 10:58:19 +0000
Subject: [PATCH 84/84] moved check_mode
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index c341d7d9..0744996b 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -4427,9 +4427,9 @@
 - name: "MEDIUM | RHEL-07-041010 | AUDIT | check if wifi is enabled"
 ansible.builtin.shell: nmcli radio wifi
- check_mode: false
 changed_when: false
 failed_when: rhel_07_wifi_enabled.rc not in [ 0, 1 ]
+ check_mode: false
 register: rhel_07_wifi_enabled
 when:
 - discovered_wireless_adapters.rc == 0
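Review bot: The `grep ... /etc/sssd/sssd.conf` task at @@ -4361 still pairs `failed_when: false` with the `# todo: only run if sssd installed and config file present` comment, so on a host without sssd the missing file is swallowed and `changed_when: - sssd_services_check.rc == 1` reports this AUDIT task as changed (unless `rhel7stig_skip_for_travis` is set). The guard the comment asks for already exists in this file's style — add `when: "'sssd' in ansible_facts.packages"` as the postfix task at @@ -4105 does — after which the commented-out `failed_when: sssd_services_check.rc > 1` can replace `failed_when: false`. The PATCH task that consumes `sssd_services_check` lies outside the hunk.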