From 1e8f9a3503e73db3d8db189337d79243aea7c327 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Mon, 18 Oct 2021 16:35:34 -0400
Subject: [PATCH] Issue #57, #58, #59 fixes and handler items from PR #51
Signed-off-by: George Nalen
---
 handlers/main.yml | 9 +++++----
 tasks/fix-cat2.yml | 9 ++++++---
 templates/aide.conf.j2 | 3 +--
 3 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index ddeddfbd..cc5a0e13 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -33,16 +33,17 @@ - name: confirm grub2 user cfg stat: - path: /boot/grub2/user.cfg + path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg" + changed_when: rhel8stig_grub2_user_cfg.stat.exists register: rhel8stig_grub2_user_cfg notify: make grub2 config - name: make grub2 config command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_grub_cfg_path }} when: - - rhel7stig_grub2_user_cfg.stat.exists - - not rhel7stig_skip_for_travis - - not rhel7stig_system_is_container + - rhel8stig_grub2_user_cfg.stat.exists + - not rhel8stig_skip_for_travis + - not rhel8stig_system_is_container - name: copy grub2 config to BIOS/UEFI to satisfy benchmark listen: make grub2 config
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 10d3cdd5..6e54c953 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1194,11 +1194,12 @@ path: '{{ rhel8stig_sssd_conf }}' regexp: '^certificate_verification = {{ item.regexp }}' state: "{{ item.state }}" + line: "{{ item.line | default(omit) }}" with_items: - { regexp: 'no_ocsp, no_verification', state: absent } - { regexp: 'no_ocsp', state: absent } - { regexp: 'no_verification', state: absent } - - { regexp: 'ocsp_dgst=sha1', state: present } + - { regexp: 'ocsp_dgst=sha1', state: present, line: 'certificate_verification = ocsp_dgst=sha1' } notify: restart sssd when: - rhel8stig_sssd_conf_present.stat.exists 
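Review bot: The rewritten `when:` on `make grub2 config` dereferences `rhel8stig_grub2_user_cfg.stat.exists`, a variable that only exists once the `confirm grub2 user cfg` handler has run earlier in the same play, so any task that notifies `make grub2 config` directly (the `listen:` on the copy handler suggests the name is used as a shared trigger) fails the handler run on an undefined variable instead of regenerating the config. Guard it as `- rhel8stig_grub2_user_cfg is defined and rhel8stig_grub2_user_cfg.stat.exists` if a missing user.cfg check should skip regeneration, or `- rhel8stig_grub2_user_cfg is not defined or rhel8stig_grub2_user_cfg.stat.exists` if it should not; which one is right depends on the notifying tasks, which are outside this hunk. The added `changed_when` is what makes the stat handler's `notify` fire at all, so it deserves a line such as `# stat never reports changed on its own; mark changed when user.cfg exists so 'make grub2 config' is notified`.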
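Review bot: With `state: present` the rendered regexp `^certificate_verification = ocsp_dgst=sha1` matches only a line that already carries the wanted value, so a host whose sssd.conf sets anything else (for example `ocsp_dgst=sha256`) keeps that line and gets a second `certificate_verification` line appended at end of file. Because `lineinfile` appends at EOF by default, the new line also lands in whichever section closes the file rather than `[sssd]`, the section sssd reads `certificate_verification` from, so the control can look applied while sssd ignores it. Make the present item match any existing value, `- { regexp: '.*', state: present, line: 'certificate_verification = ocsp_dgst=sha1' }` (the absent items, which run first, keep their specific patterns), and anchor the insertion with `insertafter: '^\[sssd\]'` on the task, which the absent items ignore. The task's `name:` and module line sit above the hunk.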
@@ -1269,6 +1270,9 @@ - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active" shell: grubby --update-kernel=ALL --args="page_poison=1" + when: + - (ansible_proc_cmdline.page_poison is defined and ansible_proc_cmdline.page_poison != '1') or + (ansible_proc_cmdline.page_poison is not defined) - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist" lineinfile:
@@ -5618,8 +5622,7 @@ - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512 + - /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 when: - rhel_08_030650
diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2
index 8b808301..92ebb20a 100644
--- a/templates/aide.conf.j2
+++ b/templates/aide.conf.j2
@@ -314,8 +314,7 @@ DATAONLY = FIPSR
 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
-/usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512
-/usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512
+/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
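Review bot: The new `when:` tests `ansible_proc_cmdline`, which is the command line of the kernel currently running, while `grubby` edits the boot entries, so the two can disagree: the task re-runs on every play until the host reboots, and it skips when the running kernel received `page_poison=1` by some other route even if the boot entries lack it. Either accept that and say so in a comment, `# ansible_proc_cmdline reflects the running kernel; this stays 'changed' until the next reboot`, or test the boot entries instead (a preceding `command: grubby --info=ALL` registered and searched for `page_poison=1`), which would sit outside this hunk. The two-branch expression collapses to a single condition, `- ansible_proc_cmdline.page_poison | default('') != '1'`, and since the command uses no shell features `command:` would serve instead of `shell:`.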
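Review bot: The audit-tool rule list is now maintained by hand in two places, this `with_items` list and `templates/aide.conf.j2` (edited identically further down in this patch), so the next STIG revision that touches the list has to be applied twice and the two can drift. A comment above the list such as `# keep in sync with templates/aide.conf.j2 (RHEL-08-030650)` would make the coupling visible, or the list could be lifted into one variable that both the task and the template iterate over. The module consuming this list starts above the hunk, so whether stale `audisp-remote`/`audisp-syslog` entries are removed from an already-configured aide.conf or merely stop being asserted is not visible here; if they are left behind they are harmless but the deployed rule set will differ from the template.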