Updated first 322 cat2

Signed-off-by: George Nalen <[email protected]>
ansible-lockdown · Sep 27, 2021 · 93b8348 · 93b8348
1 parent ae9bdd1
commit 93b8348
Show file tree

Hide file tree

Showing 4 changed files with 660 additions and 140 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -478,6 +478,9 @@ rhel8stig_smartcard: false
 # Configure your smartcard driver
 rhel8stig_smartcarddriver: cackey
 
+# IPv6 required
+rhel8stig_ipv6_required: true
+
 # RHEL-08-010210
 # rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to.
 # To conform to STIG standards this needs to be 0640 or more restrictive
@@ -531,6 +534,12 @@ rhel8stig_ww_dir_grpowner: root
 # To conform to STIG standards this needs to be set to 0750 more less permissive
 rhel8stig_local_int_home_perms: 0750
 
+# RHEL-08-010731
+# rhel8stig_local_int_home_file_perms is the permissions set to files in the local interactive
+# user home directories. These are only set when rhel8stig_disruption_high is set to true
+# All files users home directories that are less restrictive than 0750 will be set to this value
+rhel8stig_local_int_home_file_perms: 750
+
 # RHEL-08-010770
 # rhel8stig_local_int_perm is the permissions set to the local initialization files
 # To connform to STIG standards this needs to be set to 0740 or less permissive
@@ -814,7 +823,7 @@ rhel8stig_interactive_uid_start: 1000
 # rhel8stig_ntp_server_name is the name of the NTP server
 rhel8stig_ntp_server_name: server.name
 
-# RHEL-08-040130
+# RHEL-08-040137
 # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all
 rhel8stig_fapolicy_white_list:
     - deny all all

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -152,16 +152,6 @@
             group: root
             mode: 0640
         notify: confirm grub2 user cfg
-
-      # - name: |
-      #       "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers"
-      #       "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers"
-      #   lineinfile:
-      #       dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg"
-      #       regexp: '^set superusers'
-      #       line: 'set superusers="{{ rhel8stig_boot_superuser }}"'
-      #       insertafter: '### BEGIN /etc/grub.d/01_users ###'
-      #   notify: confirm grub2 user cfg
   when:
       - not system_is_ec2
       - rhel_08_010140 or