Release of v1r12 (#275)

* ruleid updates for v1r12 refer changelog Signed-off-by: Mark Bolwell <[email protected]> * updated Signed-off-by: Mark Bolwell <[email protected]> * updated PRELIM in title Signed-off-by: Mark Bolwell <[email protected]> * updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell <[email protected]> * fix typo Signed-off-by: Mark Bolwell <[email protected]> * Oraclelinux updated thanks to @BillSkiCO Signed-off-by: Mark Bolwell <[email protected]> * updated task 20030 thanks to @BillSkiCO Signed-off-by: Mark Bolwell <[email protected]> * updated 40321 thanks to @whitehat237 Signed-off-by: Mark Bolwell <[email protected]> * updated after feedback from #245 Signed-off-by: Mark Bolwell <[email protected]> * added issue #248 fix Signed-off-by: Mark Bolwell <[email protected]> * Added fix for #254 Signed-off-by: Mark Bolwell <[email protected]> * fix syntax Signed-off-by: Mark Bolwell <[email protected]> * Squashed commit of the following: commit 14d7da6a3335dea85d73044cac45f851d45e721f Author: Mark Bolwell <[email protected]> Date: Wed Feb 21 15:52:45 2024 +0000 updated Signed-off-by: Mark Bolwell <[email protected]> commit e6b8a7c2008da9cf11075265801723c597284d6e Author: Mark Bolwell <[email protected]> Date: Wed Feb 21 15:52:05 2024 +0000 lint and variable improvements Signed-off-by: Mark Bolwell <[email protected]> commit 79948fb314df745bc37f94dffcdf6ec818d945bc Author: Mark Bolwell <[email protected]> Date: Wed Feb 21 15:51:32 2024 +0000 ssh validation added Signed-off-by: Mark Bolwell <[email protected]> commit 4742d58286387ffdbf569c2094d34290c8f2f90a Author: Mark Bolwell <[email protected]> Date: Wed Feb 21 15:50:46 2024 +0000 ssh validation added Signed-off-by: Mark Bolwell <[email protected]> commit 33348bc1d3a0537d0cdbcfc70c10286875d97261 Author: Mark Bolwell <[email protected]> Date: Wed Feb 21 15:50:25 2024 +0000 changed ordering and added logic Signed-off-by: Mark Bolwell <[email protected]> commit 6c2d07987d379575c6ecf766e528da19ba5ffae0 Author: Mark Bolwell <[email protected]> Date: Wed Feb 21 15:50:12 2024 +0000 removed as mnot required Signed-off-by: Mark Bolwell <[email protected]> commit 1d775c698c9270f707dddbd955d096bfaa978dae Author: Mark Bolwell <[email protected]> Date: Wed Feb 21 15:50:04 2024 +0000 updated Signed-off-by: Mark Bolwell <[email protected]> commit 562d7604e5263ed4d5cd97cdd2a46ea4a1c3f58f Author: Mark Bolwell <[email protected]> Date: Wed Feb 21 15:49:57 2024 +0000 updated precommit Signed-off-by: Mark Bolwell <[email protected]> commit bb46131304f00cfe9c9b7b62dda9150ab5d19643 Author: Mark Bolwell <[email protected]> Date: Wed Feb 21 12:04:15 2024 +0000 Added ability for audit_only Signed-off-by: Mark Bolwell <[email protected]> Signed-off-by: Mark Bolwell <[email protected]> * fix typo line 020030 Signed-off-by: Mark Bolwell <[email protected]> * updated due to galaxy_ng changes Signed-off-by: Mark Bolwell <[email protected]> * Revert "fixed gnutls as per issue 196 thansk to @jmalpede" This reverts commit 63c4c84. Signed-off-by: William Panlener <[email protected]> * Update main.yml Removing stale var rhel8stig_sshd_compression Signed-off-by: William Golembieski <[email protected]> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](pre-commit/pre-commit-hooks@v4.4.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](gitleaks/gitleaks@v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.20.2 → v6.22.1](ansible/ansible-lint@v6.20.2...v6.22.1) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](gitleaks/gitleaks@v8.18.1...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.22.1 → v24.2.0](ansible/ansible-lint@v6.22.1...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1) * updated Readme credits Signed-off-by: Mark Bolwell <[email protected]> * updated credits Signed-off-by: Mark Bolwell <[email protected]> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1) * Updated RHEL-08-020050 to loop over stdout_lines. Fixes issue #261. Signed-off-by: Phenix66 <[email protected]> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0) * addressing #251 Signed-off-by: Mark Bolwell <[email protected]> * fix issue #263 Signed-off-by: Mark Bolwell <[email protected]> * Address issues #242 Signed-off-by: Mark Bolwell <[email protected]> * housekeeping lint Signed-off-by: Mark Bolwell <[email protected]> * Meet fix text of V-244546 Signed-off-by: Eric Lehmann <[email protected]> * issue #267 Signed-off-by: Mark Bolwell <[email protected]> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](ansible/ansible-lint@v24.2.1...v24.2.2) * fixed error in conditional rhel-08-020022 Signed-off-by: Mark Bolwell <[email protected]> --------- Signed-off-by: Mark Bolwell <[email protected]> Signed-off-by: William Panlener <[email protected]> Signed-off-by: William Golembieski <[email protected]> Signed-off-by: uk-bolly <[email protected]> Signed-off-by: Phenix66 <[email protected]> Signed-off-by: Eric Lehmann <[email protected]> Co-authored-by: William Panlener <[email protected]> Co-authored-by: William Golembieski <[email protected]> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Phenix66 <[email protected]> Co-authored-by: Eric Lehmann <[email protected]>
ansible-lockdown · Apr 30, 2024 · 26e9ed2 · 26e9ed2
1 parent 2cc56d7
commit 26e9ed2
Show file tree

Hide file tree

Showing 20 changed files with 456 additions and 684 deletions.
diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.5.0
+  rev: v4.6.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -33,17 +33,14 @@ repos:
   rev: v1.4.0
   hooks:
   - id: detect-secrets
-    args: [ '--baseline', '.config/.secrets.baseline' ]
-    exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
   rev: v8.18.2
   hooks:
   - id: gitleaks
-    args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.2.0
+  rev: v24.2.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint

diff --git a/Changelog.md b/Changelog.md
@@ -1,7 +1,25 @@
 # Changes to RHEL8STIG
 
+## 3.1 - STIG V1R12 - 25th Oct 2023
+
+ruleid updated
+
+- 010020
+- 010471
+- 030741
+- 030742
+- 040400
+
+- added SSH validation
+- added ansible_facts for variable usage
+
+- AUDIT
+  - Audit_only ability now added to run standalone audit
+    - audit_only: true
+  - Related Audit repo updated to improve tests audit binary(goss updated to latest version)
+
 ## 3.0.3 - Stig V1R11 - 26th July 2023
-q
+
 - updates to collections since galaxy updated
 - updates to audit
 

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 ## Configure a RHEL8 based system to be complaint with Disa STIG
 
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip).
 
 ---
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 ## metadata for Audit benchmark
-benchmark_version: 'v1r11'
+benchmark_version: 'v1r12'
 
 ## Benchmark name used by audting control role
 # The audit variable found at the base
@@ -56,24 +56,46 @@ rhel8stig_skip_reboot: true
 # Defined will change if control requires
 change_requires_reboot: false
 
-### Goss is required on the remote host
+##########################################
+### Goss is required on the remote host ###
+## Refer to vars/auditd.yml for any other settings ##
+
+# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
+
+# enable audits to run - this runs the audit and get the latest content
+run_audit: false
+
+# Only run Audit do not remediate
+audit_only: false
+# As part of audit_only
+# This will enable files to be copied back to control node
+fetch_audit_files: false
+# Path to copy the files to will create dir structure
+audit_capture_files_dir: /some/location to copy to on control node
+
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
 # you will need to access to either github or the file already dowmloaded
 get_audit_binary_method: download
 
+## if get_audit_binary_method - copy the following needs to be updated for your environment
+## it is expected that it will be copied from somewhere accessible to the control node
+## e.g copy from ansible control node to remote host
+audit_bin_copy_location: /some/accessible/path
+
 # how to get audit files onto host options
 # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# enable audits to run - this  runs the audit and get the latest content
-run_audit: false
+# archive or copy:
+audit_conf_copy: "some path to copy from"
+
+# get_url:
+audit_files_url: "some url maybe s3?"
 
 # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
 audit_run_heavy_tests: true
-# Timeout for those cmds that take longer to run where timeout set
-audit_cmd_timeout: 60000
 
 ### End Goss enablements ####
 #### Detailed settings found at the end of this document ####
@@ -856,20 +878,26 @@ rhel8stig_ntp_server_name: 0.us.pool.ntp.mil
 # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all
 rhel8stig_fapolicy_white_list:
     - 'deny_audit perm=any pattern=ld_so : all'
-    - deny all all
+    - 'deny perm=any all : all'
 
 # RHEL-08-040090
 # rhel8stig_custom_firewall_zone is the desired name for the new customer firewall zone
 rhel8stig_custom_firewall_zone: "new_fw_zone"
 
+# rhel8stig_copy_existing_zone - if you wish to copy an existing zones rules to the new zone
+rhel8stig_copy_existing_zone: true
+# rhel8stig_existing_zone_to_copy - name of the zone that you wish to copy from
+rhel8stig_existing_zone_to_copy: public
+
 # RHEL-08-040090
-# rhel8stig_white_list_services is the services that you want to allow through initially for teh new firewall zone
+# This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules
+# rhel8stig_white_list_services is the services that you want to allow through initially for the new firewall zone
 # http and ssh need to be enabled for the role to run.
 # This can also be a port number if no service exists
 rhel8stig_white_list_services:
+    - ssh
     - http
     - https
-    - ssh
 
 # RHEL-08-010290
 # RHEL-08-010290
@@ -900,55 +928,3 @@ rhel8stig_tmux_lock_after_time: 900
 # The value given to Defaults timestamp timeout= in the sudo file.
 # Value must be greater than 0 to conform to STIG standards
 rhel8stig_sudo_timestamp_timeout: 1
-
-#### Goss Configuration Settings ####
-# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_run_script_environment:
-    AUDIT_BIN: "{{ audit_bin }}"
-    AUDIT_FILE: 'goss.yml'
-    AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
-
-### Goss binary settings ###
-audit_bin_version:
-    release: v0.3.23
-    checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
-audit_bin_path: /usr/local/bin/
-audit_bin: "{{ audit_bin_path }}goss"
-audit_format: json
-
-# if get_audit_binary_method == download change accordingly
-audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64"
-
-## if get_audit_binary_method - copy the following needs to be updated for your environment
-## it is expected that it will be copied from somewhere accessible to the control node
-## e.g copy from ansible control node to remote host
-audit_bin_copy_location: /some/accessible/path
-
-#### Goss Audit Benchmark file ###
-## managed by the control audit_content
-# git
-audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_git_version: "benchmark_{{ benchmark_version }}_rh8"
-
-# archive or copy:
-audit_conf_copy: "some path to copy from"
-
-# get_url:
-audit_files_url: "some url maybe s3?"
-
-## Goss configuration information
-# Where the goss configs and outputs are stored
-audit_out_dir: '/opt'
-# Where the goss audit configuration will be stored
-audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit"
-
-# If changed these can affect other products
-pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-
-## The following should not need changing
-audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
-audit_results: |
-      The pre remediation results are: {{ pre_audit_summary }}.
-      The post remediation results are: {{ post_audit_summary }}.
-      Full breakdown can be found in {{ audit_out_dir }}
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,4 +1,9 @@
 ---
+
+- name: change_requires_reboot
+  ansible.builtin.set_fact:
+      change_requires_reboot: true
+
 - name: systemctl daemon-reload
   ansible.builtin.systemd:
       daemon_reload: true
@@ -16,6 +21,7 @@
   when:
       - not rhel8stig_system_is_chroot
       - "'openssh-server' in ansible_facts.packages"
+      - not change_requires_reboot
 
 - name: restart sssd
   ansible.builtin.service:
@@ -30,6 +36,7 @@
       state: restarted
   when:
       - not rhel8stig_system_is_chroot
+      - not change_requires_reboot
 
 - name: restart rsyslog
   ansible.builtin.service:
@@ -82,6 +89,7 @@
       - not rhel8stig_skip_for_travis
       - not rhel8stig_system_is_chroot
       - not system_is_container
+      - not change_requires_reboot
 
 - name: update auditd
   ansible.builtin.template:
@@ -98,6 +106,7 @@
       - not rhel8stig_skip_for_travis
       - not rhel8stig_system_is_chroot
       - not system_is_container
+      - not change_requires_reboot
 
 - name: rebuild initramfs
   ansible.builtin.shell: dracut -f
@@ -146,7 +155,3 @@
   ansible.builtin.debug:
       msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}"
   when: rhel8stig_oscap_scan
-
-- name: change_requires_reboot
-  ansible.builtin.set_fact:
-      change_requires_reboot: true
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,7 @@ @@
     ## Configure a RHEL8 based system to be complaint with Disa STIG
-    This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip).
+    This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip).
     ---
@@ Expand Down @@