Merge pull request #71 from ansible-lockdown/devel

Release 2.3.1
ansible-lockdown · Jan 7, 2022 · 35c9d2b · 35c9d2b
2 parents a2ce7bb + 6c370cd
commit 35c9d2b
Show file tree

Hide file tree

Showing 13 changed files with 512 additions and 764 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,8 +1,13 @@
 ---
+## metadata for Audit benchmark
+benchmark_version: '1.4'
+
 ## Benchmark name used by audting control role
 # The audit variable found at the base
 benchmark: RHEL8-STIG
 
+# Whether to skip the reboot
+rhel8cis_skip_reboot: true
 
 rhel8stig_cat1_patch: true
 rhel8stig_cat2_patch: true
@@ -226,6 +231,8 @@ rhel_08_020022: true
 rhel_08_020023: true
 rhel_08_020025: true
 rhel_08_020026: true
+rhel_08_020027: true
+rhel_08_020028: true
 rhel_08_020030: true
 rhel_08_020031: true
 rhel_08_020032: true
@@ -410,6 +417,7 @@ rhel_08_040239: true
 rhel_08_040240: true
 rhel_08_040249: true
 rhel_08_040250: true
+rhel_08_040259: true
 rhel_08_040260: true
 rhel_08_040261: true
 rhel_08_040262: true
@@ -826,6 +834,7 @@ rhel8stig_ntp_server_name: server.name
 # RHEL-08-040137
 # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all
 rhel8stig_fapolicy_white_list:
+    - 'deny_audit perm=any pattern=ld_so : all'
     - deny all all
 
 # RHEL-08-040090

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -2,6 +2,15 @@
 - name: systemctl daemon-reload
   systemd: daemon_reload=yes
 
+- name: update sysctl
+  template:
+      src: 99-sysctl.conf.j2
+      dest: /etc/sysctl.d/99-sysctl.conf
+      owner: root
+      group: root
+      mode: 0644
+  notify: sysctl system
+
 - name: sysctl system
   command: sysctl --system
 
@@ -31,6 +40,11 @@
       name: rsyslog
       state: restarted
 
+- name: restart fapolicyd
+  service:
+      name: fapolicyd
+      state: restarted
+
 - name: confirm grub2 user cfg
   stat:
       path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg"

diff --git a/library/goss.py b/library/goss.py
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -133,7 +133,7 @@
       - CAT1
       - CCI-000068
       - SRG-OS-000033-GPOS-00014
-      - SV-230223r627750_rule
+      - SV-230223r792855_rule
       - V-230223
 
 - name: |