From e05385d508f4b9ef087d5f53f88ef34b4b06da36 Mon Sep 17 00:00:00 2001 From: George Nalen <57152366+georgenalen@users.noreply.github.com> Date: Wed, 1 Sep 2021 14:54:14 -0400 Subject: [PATCH 01/21] Updated pr template Signed-off-by: George Nalen --- .github/pull_request_template.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 3e628098..1bf89d37 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,9 +1,11 @@ -**Overall Review of Changes** +**Overall Review of Changes:** A general description of the changes made that are being requested for merge -**Any Related Open Issues** -Please list any open issues this PR addresses +**Issue Fixes:** +Please list (using linking) any open issues this PR addresses -**How as this been tested?** -Please give an overview of how these changes were tested. If they were not please use N/A +**Enhancements:** +Please list any enhancements/features that are not open issue tickets +**How has this been tested?:** +Please give an overview of how these changes were tested. If they were not please use N/A From 862fcd1485f7e330904366df9012fb97a9475449 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Sep 2021 10:14:52 +0100 Subject: [PATCH 02/21] Updated template file for new benchmark metadata Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ab334cee..976ee489 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -1,10 +1,16 @@ +audit_run: ansible # This is forced to wrapper by running the run_audit wrapper script (placeholder only if run via ansible) ## metadata for Audit benchmark rhel8stig_benchmark: - "type: STIG" -- "version: '1.2'" +- "version: '1.3'" - "os: RHEL 8" - "epoch: {{ ansible_date_time.epoch }}" - "hostname: {{ ansible_hostname }}" +- "automation_group: {% if group_names|length == 0 %}[ungrouped]"{% else %}{% for group in group_names %}[{{ group }}{% if not loop.last %},{% else %}]"{% endif %}{% endfor %}{% endif +%} +- "fullname: red_hat_enterprise_linux_7" +- "machine_uuid: {{ ansible_product_uuid }}" +- "os_locale: {{ ansible_date_time.tz }}" +- "host_os_version: {{ ansible_distribution_version }}" rhel8stig_os_distribution: {{ ansible_distribution | lower }} From 5427cade8f3fe289f7f5dc6cbbb615ee20212cb5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Sep 2021 12:41:12 +0100 Subject: [PATCH 03/21] updated controls ID vars inline with v1r3 Signed-off-by: Mark Bolwell --- defaults/main.yml | 38 +++++++++++++++++++++++++- templates/ansible_vars_goss.yml.j2 | 43 +++++++++++++++++++++++++++--- 2 files changed, 77 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 69d1f899..07889635 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -86,6 +86,8 @@ rhel_08_010460: true rhel_08_010470: true rhel_08_010820: true rhel_08_020330: true +rhel_08_020331: true +rhel_08_020332: true rhel_08_040000: true rhel_08_040010: true rhel_08_040060: true @@ -97,9 +99,11 @@ rhel_08_040200: true rhel_08_040360: true # CAT 2 rules +rhel_08_010001: true rhel_08_010010: true rhel_08_010030: true rhel_08_010040: true +rhel_08_010049: true rhel_08_010050: true rhel_08_010060: true rhel_08_010070: true 
@@ -108,7 +112,12 @@ rhel_08_010100: true
 rhel_08_010110: true
 rhel_08_010120: true
 rhel_08_010130: true
+rhel_08_010131: true
+rhel_08_010141: true
+rhel_08_010149: true
 rhel_08_010151: true
+rhel_08_010152: true
+rhel_08_010159: true
 rhel_08_010160: true
 rhel_08_010161: true
 rhel_08_010162: true
@@ -117,12 +126,14 @@ rhel_08_010170: true
 rhel_08_010180: true
 rhel_08_010190: true
 rhel_08_010200: true
+rhel_08_010201: true
 rhel_08_010210: true
 rhel_08_010220: true
 rhel_08_010230: true
 rhel_08_010240: true
 rhel_08_010250: true
 rhel_08_010260: true
+rhel_08_010287: true
 rhel_08_010290: true
 rhel_08_010291: true
 rhel_08_010293: true
@@ -152,18 +163,22 @@ rhel_08_010422: true
 rhel_08_010423: true
 rhel_08_010430: true
 rhel_08_010450: true
+rhel_08_010472: true
 rhel_08_010480: true
 rhel_08_010490: true
 rhel_08_010500: true
 rhel_08_010510: true
 rhel_08_010520: true
 rhel_08_010521: true
+rhel_08_010522: true
 rhel_08_010543: true
+rhel_08_010544: true
 rhel_08_010550: true
 rhel_08_010560: true
 rhel_08_010561: true
 rhel_08_010570: true
 rhel_08_010571: true
+rhel_08_010572: true
 rhel_08_010580: true
 rhel_08_010590: true
 rhel_08_010600: true
@@ -185,7 +200,9 @@ rhel_08_010700: true
 rhel_08_010710: true
 rhel_08_010720: true
 rhel_08_010730: true
+rhel_08_010731: true
 rhel_08_010740: true
+rhel_08_010741: true
 rhel_08_010750: true
 rhel_08_010760: true
 rhel_08_010770: true
@@ -208,13 +225,20 @@ rhel_08_020020: true
 rhel_08_020021: true
 rhel_08_020022: true
 rhel_08_020023: true
+rhel_08_020025: true
+rhel_08_020026: true
 rhel_08_020030: true
+rhel_08_020031: true
+rhel_08_020032: true
+rhel_08_020039: true
 rhel_08_020040: true
 rhel_08_020041: true
 rhel_08_020050: true
 rhel_08_020060: true
 rhel_08_020070: true
 rhel_08_020080: true
+rhel_08_020081: true
+rhel_08_020082: true
 rhel_08_020090: true
 rhel_08_020100: true
 rhel_08_020110: true
@@ -269,6 +293,7 @@ rhel_08_030170: true
 rhel_08_030171: true
 rhel_08_030172: true
 rhel_08_030180: true
+rhel_08_030181: true
 rhel_08_030190: true
 rhel_08_030200: true
 rhel_08_030210: true
@@ -338,6 +363,7 @@ rhel_08_030700: true
 rhel_08_030710: true
 rhel_08_030720: true
 rhel_08_030730: true
+rhel_08_030731: true
 rhel_08_030740: true
 rhel_08_040001: true
 rhel_08_040002: true
@@ -348,6 +374,7 @@ rhel_08_040070: true
 rhel_08_040080: true
 rhel_08_040090: true
 rhel_08_040100: true
+rhel_08_040101: true
 rhel_08_040110: true
 rhel_08_040111: true
 rhel_08_040120: true
@@ -366,27 +393,36 @@ rhel_08_040132: true
 rhel_08_040133: true
 rhel_08_040134: true
 rhel_08_040135: true
+rhel_08_040136: true
+rhel_08_040137: true
+rhel_08_040139: true
 rhel_08_040140: true
+rhel_08_040141: true
 rhel_08_040150: true
+rhel_08_040159: true
 rhel_08_040160: true
 rhel_08_040161: true
-rhel_08_040162: true
 rhel_08_040180: true
+rhel_08_040209: true
 rhel_08_040210: true
 rhel_08_040220: true
 rhel_08_040230: true
+rhel_08_040239: true
 rhel_08_040240: true
+rhel_08_040249: true
 rhel_08_040250: true
 rhel_08_040260: true
 rhel_08_040261: true
 rhel_08_040262: true
 rhel_08_040270: true
+rhel_08_040279: true
 rhel_08_040280: true
 rhel_08_040281: true
 rhel_08_040282: true
 rhel_08_040283: true
 rhel_08_040284: true
 rhel_08_040285: true
+rhel_08_040286: true
 rhel_08_040290: true
 rhel_08_040320: true
 rhel_08_040330: true
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index 976ee489..7f959c74 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -60,6 +60,8 @@ RHEL_08_010460: {{ rhel_08_010460 }}
 RHEL_08_010470: {{ rhel_08_010470 }}
 RHEL_08_010820: {{ rhel_08_010820 }}
 RHEL_08_020330: {{ rhel_08_020330 }}
+RHEL_08_020331: {{ rhel_08_020331 }}
+RHEL_08_020332: {{ rhel_08_020332 }}
 RHEL_08_040000: {{ rhel_08_040000 }}
 RHEL_08_040010: {{ rhel_08_040010 }}
 RHEL_08_040170: {{ rhel_08_040170 }}
@@ -69,10 +71,13 @@ RHEL_08_040190: {{ rhel_08_040190 }} RHEL_08_040200: {{ rhel_08_040200 }} RHEL_08_040360: {{ rhel_08_040360 }} + # Cat 2 rules +RHEL_08_010001: {{ rhel_08_010001 }} RHEL_08_010010: {{ rhel_08_010010 }} RHEL_08_010030: {{ rhel_08_010030 }} RHEL_08_010040: {{ rhel_08_010040 }} # Variable options below +RHEL_08_010049: {{ rhel_08_010049 }} # Variable options below RHEL_08_010050: {{ rhel_08_010050 }} # Variable options below RHEL_08_010060: {{ rhel_08_010060 }} # Variable options below RHEL_08_010070: {{ rhel_08_010070 }} @@ -81,7 +86,12 @@ RHEL_08_010100: {{ rhel_08_010100 }} RHEL_08_010110: {{ rhel_08_010110 }} RHEL_08_010120: {{ rhel_08_010120 }} RHEL_08_010130: {{ rhel_08_010130 }} +RHEL_08_010131: {{ rhel_08_010131 }} +RHEL_08_010141: {{ rhel_08_010141 }} +RHEL_08_010149: {{ rhel_08_010149 }} RHEL_08_010151: {{ rhel_08_010151 }} +RHEL_08_010152: {{ rhel_08_010152 }} +RHEL_08_010159: {{ rhel_08_010159 }} RHEL_08_010160: {{ rhel_08_010160 }} RHEL_08_010161: {{ rhel_08_010161 }} RHEL_08_010162: {{ rhel_08_010162 }} @@ -90,12 +100,14 @@ RHEL_08_010170: {{ rhel_08_010170 }} RHEL_08_010180: {{ rhel_08_010180 }} RHEL_08_010190: {{ rhel_08_010190 }} RHEL_08_010200: {{ rhel_08_010200 }} +RHEL_08_010201: {{ rhel_08_010201 }} RHEL_08_010210: {{ rhel_08_010210 }} RHEL_08_010220: {{ rhel_08_010220 }} RHEL_08_010230: {{ rhel_08_010230 }} RHEL_08_010240: {{ rhel_08_010240 }} RHEL_08_010250: {{ rhel_08_010250 }} RHEL_08_010260: {{ rhel_08_010260 }} +RHEL_08_010287: {{ rhel_08_010287 }} RHEL_08_010290: {{ rhel_08_010290 }} RHEL_08_010291: {{ rhel_08_010291 }} RHEL_08_010293: {{ rhel_08_010293 }} 
@@ -125,18 +137,22 @@ RHEL_08_010422: {{ rhel_08_010422 }}
 RHEL_08_010423: {{ rhel_08_010423 }}
 RHEL_08_010430: {{ rhel_08_010430 }}
 RHEL_08_010450: {{ rhel_08_010450 }}
+RHEL_08_010472: {{ rhel_08_010472 }}
 RHEL_08_010480: {{ rhel_08_010480 }}
 RHEL_08_010490: {{ rhel_08_010490 }}
 RHEL_08_010500: {{ rhel_08_010500 }}
 RHEL_08_010510: {{ rhel_08_010510 }}
 RHEL_08_010520: {{ rhel_08_010520 }}
 RHEL_08_010521: {{ rhel_08_010521 }}
+RHEL_08_010522: {{ rhel_08_010522 }}
 RHEL_08_010543: {{ rhel_08_010543 }}
+RHEL_08_010544: {{ rhel_08_010544 }}
 RHEL_08_010550: {{ rhel_08_010550 }}
 RHEL_08_010560: {{ rhel_08_010560 }}
 RHEL_08_010561: {{ rhel_08_010561 }}
 RHEL_08_010570: {{ rhel_08_010570 }}
-RHEL_08_010571: {{ rhel_08_010171 }}
+RHEL_08_010571: {{ rhel_08_010571 }}
+RHEL_08_010572: {{ rhel_08_010572 }}
 RHEL_08_010580: {{ rhel_08_010580 }}
 RHEL_08_010590: {{ rhel_08_010590 }}
 RHEL_08_010600: {{ rhel_08_010600 }}
@@ -158,7 +174,9 @@ RHEL_08_010700: {{ rhel_08_010700 }}
 RHEL_08_010710: {{ rhel_08_010710 }}
 RHEL_08_010720: {{ rhel_08_010720 }}
 RHEL_08_010730: {{ rhel_08_010730 }}
+RHEL_08_010731: {{ rhel_08_010731 }}
 RHEL_08_010740: {{ rhel_08_010740 }}
+RHEL_08_010741: {{ rhel_08_010741 }}
 RHEL_08_010750: {{ rhel_08_010750 }}
 RHEL_08_010760: {{ rhel_08_010760 }}
 RHEL_08_010770: {{ rhel_08_010770 }}
@@ -182,13 +200,20 @@ RHEL_08_020020: {{ rhel_08_020020 }}
 RHEL_08_020021: {{ rhel_08_020021 }}
 RHEL_08_020022: {{ rhel_08_020022 }}
 RHEL_08_020023: {{ rhel_08_020023 }}
-RHEL_08_020030: {{ rhel_08_020024 }}
+RHEL_08_020025: {{ rhel_08_020025 }}
+RHEL_08_020026: {{ rhel_08_020026 }}
+RHEL_08_020030: {{ rhel_08_020030 }}
+RHEL_08_020031: {{ rhel_08_020031 }}
+RHEL_08_020032: {{ rhel_08_020032 }}
+RHEL_08_020039: {{ rhel_08_020039 }}
 RHEL_08_020040: {{ rhel_08_020040 }}
 RHEL_08_020041: {{ rhel_08_020041 }}
 RHEL_08_020050: {{ rhel_08_020050 }}
 RHEL_08_020060: {{ rhel_08_020060 }}
 RHEL_08_020070: {{ rhel_08_020070 }}
 RHEL_08_020080: {{ rhel_08_020080 }}
+RHEL_08_020081: {{ rhel_08_020081 }}
+RHEL_08_020082: {{ rhel_08_020082 }}
 RHEL_08_020090: {{ rhel_08_020090 }} # TODO
 RHEL_08_020100: {{ rhel_08_020100 }}
 RHEL_08_020110: {{ rhel_08_020110 }}
@@ -243,6 +268,7 @@ RHEL_08_030170: {{ rhel_08_030170 }}
 RHEL_08_030171: {{ rhel_08_030171 }}
 RHEL_08_030172: {{ rhel_08_030172 }}
 RHEL_08_030180: {{ rhel_08_030180 }}
+RHEL_08_030181: {{ rhel_08_030181 }}
 RHEL_08_030190: {{ rhel_08_030190 }}
 RHEL_08_030200: {{ rhel_08_030200 }}
 RHEL_08_030210: {{ rhel_08_030210 }}
@@ -312,6 +338,7 @@ RHEL_08_030700: {{ rhel_08_030700 }}
 RHEL_08_030710: {{ rhel_08_030710 }}
 RHEL_08_030720: {{ rhel_08_030720 }}
 RHEL_08_030730: {{ rhel_08_030730 }}
+RHEL_08_030731: {{ rhel_08_030731 }}
 RHEL_08_030740: {{ rhel_08_030740 }}
 RHEL_08_040001: {{ rhel_08_040001 }}
 RHEL_08_040002: {{ rhel_08_040002 }}
@@ -321,6 +348,7 @@ RHEL_08_040070: {{ rhel_08_040070 }}
 RHEL_08_040080: {{ rhel_08_040080 }}
 RHEL_08_040090: {{ rhel_08_040090 }}
 RHEL_08_040100: {{ rhel_08_040100 }}
+RHEL_08_040101: {{ rhel_08_040101 }}
 RHEL_08_040110: {{ rhel_08_040110 }}
 RHEL_08_040111: {{ rhel_08_040111 }}
 RHEL_08_040120: {{ rhel_08_040120 }}
@@ -339,27 +367,36 @@ RHEL_08_040132: {{ rhel_08_040132 }} RHEL_08_040133: {{ rhel_08_040133 }} RHEL_08_040134: {{ rhel_08_040134 }} RHEL_08_040135: {{ rhel_08_040135 }} +RHEL_08_040136: {{ rhel_08_040136 }} +RHEL_08_040137: {{ rhel_08_040137 }} +RHEL_08_040139: {{ rhel_08_040139 }} RHEL_08_040140: {{ rhel_08_040140 }} +RHEL_08_040141: {{ rhel_08_040141 }} RHEL_08_040150: {{ rhel_08_040150 }} +RHEL_08_040159: {{ rhel_08_040159 }} RHEL_08_040160: {{ rhel_08_040160 }} RHEL_08_040161: {{ rhel_08_040161 }} -RHEL_08_040162: {{ rhel_08_040162 }} RHEL_08_040180: {{ rhel_08_040180 }} +RHEL_08_040209: {{ rhel_08_040209 }} RHEL_08_040210: {{ rhel_08_040210 }} RHEL_08_040220: {{ rhel_08_040220 }} RHEL_08_040230: {{ rhel_08_040230 }} +RHEL_08_040239: {{ rhel_08_040239 }} RHEL_08_040240: {{ rhel_08_040240 }} +RHEL_08_040249: {{ rhel_08_040249 }} RHEL_08_040250: {{ rhel_08_040250 }} RHEL_08_040260: {{ rhel_08_040260 }} RHEL_08_040261: {{ rhel_08_040261 }} RHEL_08_040262: {{ rhel_08_040262 }} RHEL_08_040270: {{ rhel_08_040270 }} +RHEL_08_040279: {{ rhel_08_040279 }} RHEL_08_040280: {{ rhel_08_040280 }} RHEL_08_040281: {{ rhel_08_040281 }} RHEL_08_040282: {{ rhel_08_040282 }} RHEL_08_040283: {{ rhel_08_040283 }} RHEL_08_040284: {{ rhel_08_040284 }} RHEL_08_040285: {{ rhel_08_040285 }} +RHEL_08_040286: {{ rhel_08_040286 }} RHEL_08_040290: {{ rhel_08_040290 }} RHEL_08_040320: {{ rhel_08_040320 }} RHEL_08_040330: {{ rhel_08_040330 }} From 72e18225de443e5301753a563603959266a6398c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 15 Sep 2021 15:22:44 -0400 Subject: [PATCH 04/21] Inital CAT1 1.3 updates Signed-off-by: George Nalen --- README.md | 2 +- tasks/fix-cat1.yml | 72 ++++++++++++++++++++++++++++++---------------- 2 files changed, 48 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 9907b1d6..914ef744 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,7 @@ RHEL 8 DISA STIG Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`. -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 2 released on April 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R2_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 3 released on July 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R3_STIG.zip). Updating -------- diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 84de205f..18f95278 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -152,15 +152,15 @@ mode: 0640 notify: confirm grub2 user cfg - - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers" - "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers" - lineinfile: - dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" - regexp: '^set superusers' - line: 'set superusers="{{ rhel8stig_boot_superuser }}"' - insertafter: '### BEGIN /etc/grub.d/01_users ###' - notify: confirm grub2 user cfg + # - name: | + # "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers" + # "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers" + # lineinfile: + # dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" + # regexp: '^set superusers' + # line: 'set superusers="{{ rhel8stig_boot_superuser }}"' + # insertafter: '### BEGIN /etc/grub.d/01_users ###' + # notify: confirm grub2 user cfg when: - not system_is_ec2 - rhel_08_010140 or 
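Review bot: Commenting out the `- name: |` item and its `lineinfile:` body leaves the `when:` that follows it (and whatever keys follow outside the hunk) live with no task to belong to, so they will either attach to the preceding list item — the task ending in `notify: confirm grub2 user cfg` — or fail to parse as a stray mapping. If the RHEL-08-010140/010150 `set superusers` task is being retired, comment out or remove its `when:` and tag list with it; if it is only being parked, keep the whole item intact and gate it with `when: false`-style conditions instead. Nothing else in this commit sets the GRUB superuser, so until a replacement task lands the boot-authentication requirement is no longer remediated by the role; the task's remaining keys continue past the end of the hunk.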
@@ -289,22 +289,11 @@ - V-230329 - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." - block: - - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok" - replace: - path: "{{ item }}" - regexp: ' nullok' - replace: '' - with_items: - - /etc/pam.d/system-auth - - /etc/pam.d/password-auth - - - name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Set PermitEmptyPasswords to no" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?PermitEmptyPasswords' - line: 'PermitEmptyPasswords no' - notify: restart sshd + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?PermitEmptyPasswords' + line: 'PermitEmptyPasswords no' + notify: restart sshd when: - rhel_08_020330 - rhel8stig_disruption_high @@ -317,6 +306,39 @@ - V-230380 - disruption_high +- name: "RHEL-08-020331 | HIGH | PATCH | RHEL 8 must not allow blank or null passwords in the system-auth file." + replace: + path: etc/pam.d/system-auth + regexp: ' nullok' + replace: '' + with_items: + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth + when: + - rhel_08_020331 + tags: + - RHEL-08-020331 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244540r743869_rule + - V-244540 + +- name: "RHEL-08-020332 | HIGH | RHEL 8 must not allow blank or null passwords in the password-auth file." + replace: + path: etc/pam.d/password-auth + regexp: ' nullok' + replace: '' + when: + - rhel_08_020332 + tags: + - RHEL-08-020332 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244541r743872_rule + - V-244541 + - name: "RHEL-08-040000 | HIGH | PATCH | RHEL 8 must not have the telnet-server package installed." package: name: telnet-server From 7ee30f6ad7a360debb20a2d5190db383bd10a118 Mon Sep 17 00:00:00 2001 
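Review bot: In the new RHEL-08-020331 task `path: etc/pam.d/system-auth` is a relative path (leading `/` missing), so `replace` will look for the file under the remote working directory and fail rather than edit the PAM stack; RHEL-08-020332 has the same problem with `path: etc/pam.d/password-auth`. The 020331 task also keeps a `with_items:` list of both PAM files while `path:` never references `{{ item }}`, so it would run the same replacement twice on one file — drop the loop. The fixes are `path: /etc/pam.d/system-auth` and `path: /etc/pam.d/password-auth`. Note that the removed block ran the nullok removal under `rhel8stig_disruption_high` together with 020330, while the two new tasks are gated only on their own toggles; removing `nullok` can lock out accounts that currently have an empty password, so consider keeping them behind `rhel8stig_disruption_high` and adding the `disruption_high` tag as 020330 has. The 020332 name is also missing the `| PATCH |` segment the other task names carry.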
From: George Nalen Date: Wed, 15 Sep 2021 15:36:26 -0400 Subject: [PATCH 05/21] updated metadata for new benchmarks Signed-off-by: George Nalen --- tasks/fix-cat1.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 18f95278..f0010a80 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -11,7 +11,7 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230221r627750_rule + - SV-230221r743913_rule - V-230221 - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." @@ -126,7 +126,8 @@ - rhel_08_010020_audit is failed - not ansible_check_mode or rhel_08_010020_audit.rc > 1 - when: rhel_08_010020 + when: + - rhel_08_010020 tags: - RHEL-08-010020 - CAT1 @@ -171,8 +172,8 @@ - CAT1 - CCI-000213 - SRG-OS-000080-GPOS-00048 - - SV-230234r627750_rule - - SV-230235r627750_rule + - SV-230234r743922_rule + - SV-230235r743925_rule - V-230234 - V-230235 - grub @@ -302,7 +303,7 @@ - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230380r627750_rule + - SV-230380r743993_rule - V-230380 - disruption_high From 5d1a4aae2af9596c43fcecac21c150420c0e29d3 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 15 Sep 2021 16:48:08 -0400 Subject: [PATCH 06/21] Initial CAT3 1.3 updates Signed-off-by: George Nalen --- defaults/main.yml | 1 + tasks/fix-cat3.yml | 46 ++++++++++++++++++++++++++++++++-------------- 2 files changed, 33 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 07889635..1d7df025 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -440,6 +440,7 @@ rhel_08_010375: true rhel_08_010376: true rhel_08_010440: true rhel_08_010471: true +rhel_08_010472: true rhel_08_010540: true rhel_08_010541: true rhel_08_010542: true diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 2e559b57..2c4a8e67 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -1,4 +1,5 @@ --- + - name: "LOW | RHEL-08-010171 | PATCH | RHEL 8 must have policycoreutils package installed." dnf: name: policycoreutils @@ -124,21 +125,39 @@ - SV-230281r627750_rule - V-230281 -- name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service." - systemd: - name: rngd.service - state: started - enabled: yes +- name: | + "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service. + LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" + block: + - name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service + package: + name: rng-tools + state: present + when: + - rhel_08_010472 + - "'rng-tools' not in ansible_facts.packages" + + - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service." + systemd: + name: rngd.service + state: started + enabled: yes + when: + - rhel_08_010471 + - "'rng-tools' in ansible_facts.packages" when: - - rhel_08_010471 - - "'rng-tools' in ansible_facts.packages" + - rhel_08_010471 or + rhel_08_010472 tags: - RHEL-08-010471 + - RHEL-08-010472 - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-230285r627750_rule + - SV-244527r743830_rule - V-230285 + - V-244527 - name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." debug: 
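Review bot: `rhel_08_010472: true` is added here next to the CAT 3 controls, but patch 03 (the `@@ -152,18 +163,22 @@` hunk of defaults/main.yml) already added the same key in the CAT 2 section, so defaults/main.yml now contains a duplicate key; most YAML loaders keep the last occurrence silently and yamllint's key-duplicates check will reject it. Keep a single definition — since tasks/fix-cat3.yml implements RHEL-08-010472 as LOW, the CAT 2 copy is the one to drop, and the matching `RHEL_08_010472: {{ rhel_08_010472 }}` line in templates/ansible_vars_goss.yml.j2 should move out of the `# Cat 2 rules` section so the audit metadata agrees.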
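Review bot: The inner task line `- name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service` has no closing double quote, so the quoted scalar continues into `package:` and the following lines and tasks/fix-cat3.yml will not parse; add the closing `"` (the 010471 sibling task shows the intended form). Separately, the 010471 task is still gated on `"'rng-tools' in ansible_facts.packages"`, but `ansible_facts.packages` is not refreshed after the 010472 task installs rng-tools, so on a host that lacked the package the rngd service is only enabled on the next run; either re-gather package facts after the install or make the service task depend on the install task's result instead of the stale fact.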
@@ -347,7 +366,8 @@ - RHEL-08-030602 - CAT3 - CCI-001849 - - SV-230469r627750_rule + - SRG-OS-000341-GPOS-00132 + - SV-230469r744004_rule - V-230469 - grub @@ -367,7 +387,7 @@ - CAT3 - CCI-000169 - SRG-OS-000062-GPOS-00031 - - SV-230470r627750_rule + - SV-230470r744006_rule - V-230470 - usb @@ -517,7 +537,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230496r627750_rule + - SV-230496r744017_rule - V-230496 - modprobe - sctp @@ -615,13 +635,11 @@ tags: - CAT3 - RHEL-08-040300 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230551r627750_rule - - V-230551 - RHEL-08-040310 - CCI-000366 - SRG-OS-000480-GPOS-00227 + - SV-230551r627750_rule - SV-230552r627750_rule + - V-230551 - V-230552 - aide From d5cb3a53c4460f66f13c4d95ffe4174f7e8d4b7f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Sep 2021 09:35:30 +0100 Subject: [PATCH 07/21] Fixed version number Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 7f959c74..e98b8c87 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -7,7 +7,7 @@ rhel8stig_benchmark: - "epoch: {{ ansible_date_time.epoch }}" - "hostname: {{ ansible_hostname }}" - "automation_group: {% if group_names|length == 0 %}[ungrouped]"{% else %}{% for group in group_names %}[{{ group }}{% if not loop.last %},{% else %}]"{% endif %}{% endfor %}{% endif +%} -- "fullname: red_hat_enterprise_linux_7" +- "fullname: red_hat_enterprise_linux_8" - "machine_uuid: {{ ansible_product_uuid }}" - "os_locale: {{ ansible_date_time.tz }}" - "host_os_version: {{ ansible_distribution_version }}" From cd5ecbeaaf1eab9c8d17a6949eb0b5c540bfd568 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 16 Sep 2021 17:01:46 -0400 Subject: [PATCH 08/21] Initial CAT2 updates to controls 1-88 
Signed-off-by: George Nalen --- defaults/main.yml | 51 +++++++++++ tasks/fix-cat2.yml | 218 +++++++++++++++++++++------------------------ 2 files changed, 155 insertions(+), 114 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1d7df025..9e11eab4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -478,6 +478,36 @@ rhel8stig_smartcard: false # Configure your smartcard driver rhel8stig_smartcarddriver: cackey +# RHEL-08-010210 +# rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to. +# To conform to STIG standards this needs to be 0640 or more restrictive +rhel8stig_var_log_messages_perm: 0640 + +# RHEL-08-010240 +# rhel8stig_var_log_perm is the permissions the /var/log file is set to. +# To conform to STIG standards this needs to be 0755 or more restrictive +rhel8stig_var_log_perm: 0755 + +# RHEL-08-010300 +# rhel8stig_sys_commands_perm is the permissions the system comments will have +# To conform to STIG standards this needs to be set to 0755 or more restrictive +rhel8stig_sys_commands_perm: 0755 + +# RHEL-08-010330 +# rhel8stig_lib_file_perm is the permissions teh library files will be set to +# To conform to STIG standards this needs to be set to 0755 or more restrictive +rhel8stig_lib_file_perm: 0755 + +# RHEL-08-010480 +# rhel8stig_ssh_pub_key_perm are the permissions set to the SSH public host keys +# To conform to STIG standards this needs to be set to 0644 or less permissive +rhel8stig_ssh_pub_key_perm: 0644 + +# RHEL-08-010490 +# rhel8stig_ssh_priv_key_perm are the permssions set to the SSH private host keys +# To conform to STIG standards this needs to be set to 0600 or less permissive +rhel8stig_ssh_priv_key_perm: 0600 + # RHEL-08-010690 # Set standard user paths here # Also set whether we should automatically remediate paths in user ini files. 
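Review bot: The new permission defaults — `rhel8stig_var_log_messages_perm: 0640`, `rhel8stig_var_log_perm: 0755`, `rhel8stig_sys_commands_perm: 0755`, `rhel8stig_lib_file_perm: 0755`, `rhel8stig_ssh_pub_key_perm: 0644`, `rhel8stig_ssh_priv_key_perm: 0600` — are unquoted leading-zero numbers, which a YAML 1.1 loader reads as octal integers and a YAML 1.2 loader as decimal, and the value the file module finally receives after `mode: "{{ ... }}"` templating then depends on the loader and on Ansible's type conversion rather than on what the comment says. Quote them as strings, e.g. `rhel8stig_var_log_messages_perm: '0640'`, so the mode reaches the module unambiguously (this is what ansible-lint's risky-octal rule checks); the same applies to `rhel8stig_local_int_home_perms: 0750` and `rhel8stig_local_int_perm: 0740` in the next hunk. The comments also need small fixes: "system comments" should read "system commands", and the RHEL-08-010710 comment describes the group owner but repeats the 010700 wording "is the owenr of all world-writable directories".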
@@ -485,6 +515,27 @@ rhel8stig_smartcarddriver: cackey rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" rhel8stig_change_user_path: false + +# RHEL-08-010700 +# rhel8stig_ww_dir_owner is the owenr of all world-writable directories +# To conform to STIG standards this needs to be set to root, sys, bin, or an application group +rhel8stig_ww_dir_owner: root + +# RHEL-08-010710 +# rhel8stig_ww_dir_grpowner is the owenr of all world-writable directories +# To conform to STIG standards this needs to be set to root, sys, bin, or an application group +rhel8stig_ww_dir_grpowner: root + +# RHEL-08-010730 +# rhel8stig_local_int_home_perms is the permissions set to local interactive user home directories +# To conform to STIG standards this needs to be set to 0750 more less permissive +rhel8stig_local_int_home_perms: 0750 + +# RHEL-08-010770 +# rhel8stig_local_int_perm is the permissions set to the local initialization files +# To connform to STIG standards this needs to be set to 0740 or less permissive +rhel8stig_local_int_perm: 0740 + # RHEL-08-020250 # This is a check for a "supported release" # These are the minimum supported releases. diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 882a8390..daf4034c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -71,22 +71,22 @@ tags: - CAT2 - RHEL-08-010040 - - CCI-000048 - - SRG-OS-000023-GPOS-00006 - - SV-230226r627750_rule - - V-230226 - RHEL-08-010060 - CCI-000048 - SRG-OS-000023-GPOS-00006 + - SV-230225r627750_rule - SV-230227r627750_rule + - V-230225 - V-230227 + +# !!!!!!!REMOVE Banner-message-enable part. That moves to 010049 - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." copy: dest: /etc/dconf/db/local.d/01-banner-message content: | [org/gnome/login-screen] - banner-message-enable=true + # banner-message-enable=true banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' mode: '0644' owner: root @@ -103,7 +103,7 @@ - CAT2 - CCI-000048 - SRG-OS-000023-GPOS-00006 - - SV-230226r627750_rule + - SV-230226r743916_rule - V-230226 - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." @@ -223,17 +223,18 @@ - V-230232 - disruption_high -- name: "MEDIUM | RHEL-08-010130 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all created passwords." +# !!!!!!!!!remove with items. Leaveing that there for 010131 referrence. +- name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds." pamd: - name: "{{ item }}" + name: password-auth type: password control: sufficient module_path: pam_unix.so module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" state: args_present - with_items: - - password-auth - - system-auth + # with_items: + # - password-auth + # - system-auth when: - rhel_08_010130 tags: @@ -241,7 +242,7 @@ - CAT2 - CCI-000196 - SRG-OS-000073-GPOS-00041 - - SV-230233r627750_rule + - SV-230233r743919_rule - V-230233 - pamd 
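Review bot: Inside the `content: |` block of the RHEL-08-010050 task, `# banner-message-enable=true` is written literally into /etc/dconf/db/local.d/01-banner-message as a comment line, so this task no longer enables the GNOME login banner. The `# !!!!!!!REMOVE Banner-message-enable part. That moves to 010049` marker says the setting moves to RHEL-08-010049, but no such task is in this commit, so hosts configured from this revision get the banner text without the enable flag until that task follows; keep `banner-message-enable=true` here until 010049 exists, or land both in one change. The `# !!!!!!!!!remove with items` marker and the commented `# with_items:` list on the 010130 pamd task should likewise be resolved rather than committed as reminders.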
@@ -261,21 +262,22 @@ - CAT2 - CCI-000213 - SRG-OS-000080-GPOS-00048 - - SV-230236r627750_rule + - SV-230236r743928_rule - V-230236 - systemd +# !!!!!!!!!!Remove with_items. Left there for reference in 010159 - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." pamd: - name: "{{ item }}" + name: password-auth" type: password control: sufficient module_path: pam_unix.so module_arguments: sha512 state: args_present - with_items: - - password-auth - - system-auth + # with_items: + # - password-auth + # - system-auth when: - rhel_08_010160 tags: @@ -283,13 +285,13 @@ - CAT2 - CCI-000803 - SRG-OS-000120-GPOS-00061 - - SV-230237r627750_rule + - SV-230237r743931_rule - V-230237 - pamd - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." block: - - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" + - name: "MEDIUM | RHEL-08-010161 | AUDIT | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" find: path: / patterns: '*.keytab' @@ -344,14 +346,14 @@ tags: - CAT2 - RHEL-08-010170 - - CCI-001084 - - SRG-OS-000134-GPOS-00068 - - SV-230240r627750_rule - - V-230240 - RHEL-08-010450 + - CCI-001084 - CCI-002696 + - SRG-OS-000134-GPOS-00068 - SRG-OS-000445-GPOS-00199 + - SV-230240r627750_rule - SV-230282r627750_rule + - V-230240 - V-230282 - selinux - disruption_high 
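Review bot: `name: password-auth"` in the RHEL-08-010160 pamd task carries a stray trailing double quote; as a plain scalar the quote is part of the value, so pamd would look for a PAM service file literally named `password-auth"` and the sha512 argument is never applied to the real /etc/pam.d/password-auth. Change it to `name: password-auth`. As with 010130, the commented `# with_items:` block left "for reference in 010159" should be removed once that task exists rather than kept as dead text.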
@@ -407,15 +409,16 @@ - V-230243 - permissions +# !!!!! Remove with_items. Keeping as reference for 010201 - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." lineinfile: path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + regexp: '(?i)^#?ClientAliveCountMax.*' + line: ClientAliveCountMax 0 notify: restart sshd - with_items: - - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} - - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } + # with_items: + # - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} + # - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } when: - rhel_08_010200 - rhel8stig_ssh_required @@ -424,7 +427,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-230244r627750_rule + - SV-230244r743934_rule - V-230244 - ssh @@ -436,7 +439,7 @@ path: /var/log/messages owner: root group: root - mode: '0640' + mode: "{{ rhel8stig_var_log_messages_perm }}" when: - rhel_08_010210 or rhel_08_010220 or @@ -444,19 +447,15 @@ tags: - CAT2 - RHEL-08-010210 - - CCI-001314 - - SRG-OS-000206-GPOS-00084 - - SV-230245r627750_rule - - V-230245 - RHEL-08-010220 - - CCI-001314 - - SRG-OS-000206-GPOS-00084 - - SV-230246r627750_rule - - V-230246 - RHEL-08-010230 - CCI-001314 - SRG-OS-000206-GPOS-00084 + - SV-230245r627750_rule + - SV-230246r627750_rule - SV-230247r627750_rule + - V-230245 + - V-230246 - V-230247 - permissions @@ -468,7 +467,7 @@ path: /var/log owner: root group: root - mode: '0755' + mode: "{{ rhel8stig_var_log_perm }}" when: - rhel_08_010240 or rhel_08_010250 or 
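Review bot: The RHEL-08-010200 task now writes only `line: ClientAliveCountMax 0`; the `ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}` entry survives only in the commented `# with_items:` list and no 010201 task is added in this commit, so the inactivity timeout the task name describes is no longer configured anywhere in the role and `rhel8stig_ssh_session_timeout` is unused. Either keep the interval line in this task until the 010201 task exists, or add both in the same change so the sshd setting is never left half-applied.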
@@ -476,22 +475,19 @@ tags: - CAT2 - RHEL-08-010240 - - CCI-001314 - - SRG-OS-000206-GPOS-00084 - - SV-230248r627750_rule - - V-230248 - RHEL-08-010250 - - CCI-001314 - - SRG-OS-000206-GPOS-00084 - - SV-230249r627750_rule - - V-230249 - RHEL-08-010260 - CCI-001314 - SRG-OS-000206-GPOS-00084 + - SV-230248r627750_rule + - SV-230249r627750_rule - SV-230250r627750_rule + - V-230248 + - V-230249 - V-230250 - permissions +# !!!!!!!!Remove with_items. Leaving for reference if needed - name: | "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms." "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections." 
@@ -516,27 +512,25 @@ "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers" lineinfile: - path: "{{ item.path }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '^CRYPTO_POLICY=' + line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' notify: change_requires_reboot - with_items: - - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^Ciphers', line: "Ciphers {{ rhel8stig_ssh_cipher_settings }}" } - - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } + # with_items: + # - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^Ciphers', line: "Ciphers {{ rhel8stig_ssh_cipher_settings }}" } + # - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } when: - rhel_08_010290 or rhel_08_010291 tags: - CAT2 - RHEL-08-010290 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 - - SV-230251r646866_rule - - V-230251 - RHEL-08-010291 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-230252r646869_rule + - SV-230251r743937_rule + - SV-230252r743940_rule + - V-230251 - V-230252 - fips @@ -627,7 +621,7 @@ path: "{{ item }}" owner: root group: root - mode: '0755' + mode: "{{ rhel8stig_sys_commands_perm }}" force: yes with_items: - "{{ rhel_08_010300_commands.stdout_lines }}" 
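Review bot: RHEL-08-010290/010291 now only rewrite `CRYPTO_POLICY=` in /etc/crypto-policies/back-ends/opensshserver.config, so MAC compliance (010290) and cipher compliance (010291) both hang on the single variable `rhel8stig_ssh_server_crypto_settings`, and with `when: rhel_08_010290 or rhel_08_010291` disabling one of the two toggles changes nothing — worth stating in the defaults comment for those toggles. On RHEL 8 that back-end file is normally a symlink managed by update-crypto-policies; lineinfile will replace the symlink with a regular file and a later `update-crypto-policies --set ...` is likely to overwrite the edit, so the task (or the audit) should note that the value must be re-applied after any policy change. The removed `Ciphers` line for the client-side /etc/crypto-policies/back-ends/openssh.config is not replaced here; if the client-side V1R3 controls are not implemented elsewhere in this release, client cipher enforcement regresses. The `# !!!!!!!!Remove with_items` marker and the commented-out loop should not be merged.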
@@ -638,19 +632,15 @@ tags: - CAT2 - RHEL-08-010300 - - CCI-001499 - - SRG-OS-000259-GPOS-00100 - - SV-230257r627750_rule - - V-230257 - RHEL-08-010310 - - CCI-001499 - - SRG-OS-000259-GPOS-00100 - - SV-230258r627750_rule - - V-230258 - RHEL-08-010320 - CCI-001499 - SRG-OS-000259-GPOS-00100 + - SV-230257r627750_rule + - SV-230258r627750_rule - SV-230259r627750_rule + - V-230257 + - V-230258 - V-230259 - permissions @@ -678,7 +668,7 @@ path: "{{ item }}" owner: root group: root - mode: '0755' + mode: "{{ rhel8stig_lib_file_perm }}" with_items: - "{{ rhel_08_010330_library_files.stdout_lines }}" when: @@ -688,19 +678,15 @@ tags: - CAT2 - RHEL-08-010330 - - CCI-001499 - - SRG-OS-000259-GPOS-00100 - - SV-230260r627750_rule - - V-230260 - RHEL-08-010340 - - CCI-001499 - - SRG-OS-000259-GPOS-00100 - - SV-230261r627750_rule - - V-230261 - RHEL-08-010350 - CCI-001499 - SRG-OS-000259-GPOS-00100 + - SV-230260r627750_rule + - SV-230261r627750_rule - SV-230262r627750_rule + - V-230260 + - V-230261 - V-230262 - permissions 
@@ -866,22 +852,24 @@ - RHEL-08-010381 - CAT2 - CCI-002038 + - SRG-OS-000373-GPOS-00156 - SV-230272r627750_rule - V-230272 - sudoers +# !!!!!New version does not have GUI packages included in fix text. I removed it for now but I might add it back later - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." - block: - - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" - package: - name: esc - state: present - when: rhel8stig_gui - - - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" - package: - name: openssl-pkcs11 - state: present + # block: + # - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" + # package: + # name: esc + # state: present + # when: rhel8stig_gui + + # - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" + package: + name: openssl-pkcs11 + state: present when: - rhel_08_010390 - "'openssl-pkcs11' not in ansible_facts.packages" @@ -890,7 +878,7 @@ - CAT2 - CCI-001948 - SRG-OS-000375-GPOS-00160 - - SV-230273r627750_rule + - SV-230273r743943_rule - V-230273 - multifactor @@ -913,7 +901,7 @@ - CAT2 - CCI-001948 - SRG-OS-000375-GPOS-00160 - - SV-230274r627750_rule + - SV-230274r743945_rule - V-230274 - multifactor @@ -927,6 +915,7 @@ - RHEL-08-010410 - CAT2 - CCI-001953 + - SRG-OS-000376-GPOS-00161 - SV-230275r627750_rule - V-230275 - opensc @@ -1033,7 +1022,8 @@ - RHEL-08-010422 - CAT2 - CCI-001084 - - SV-230278r627750_rule + - SRG-OS-000134-GPOS-00068 + - SV-230278r743948_rule - V-230278 - grub 
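Review bot: The RHEL-08-010390 task now keeps its old block commented out in place, including the `esc` GUI install, guarded only by the `# !!!!!New version does not have GUI packages ...` marker; that is dead code that will drift and should be deleted, with the decision recorded in one line such as `# V1R3 fix text only requires openssl-pkcs11; the GUI 'esc' package is no longer installed here`. With the block gone, the task-level `when:` including `'openssl-pkcs11' not in ansible_facts.packages` now guards the `package` call directly; that presumably relies on package facts gathered earlier (outside this hunk) and errors on an undefined variable if they are not, whereas the package module is already idempotent, so the fact check could simply be dropped.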
@@ -1113,7 +1103,7 @@ - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" file: path: "{{ item.path }}" - mode: '0644' + mode: "{{ rhel8stig_ssh_pub_key_perm }}" with_items: - "{{ rhel_08_010480_public_files.files }}" notify: restart sshd @@ -1129,9 +1119,7 @@ - V-230286 - ssh -# This control asks for permissions to be set to 0640. However that is the incorrect permission for that file and will cause issues. -# The title is left to match the incorrect value in the STIG but the actual value set is adjusted to correct permissions -- name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." +- name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0600 or less permissive." block: - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Find files" find: @@ -1144,10 +1132,10 @@ failed_when: false register: rhel_08_010490_private_host_key_files - - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions" + - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0600 or less permissive. | Set permissions" file: path: "{{ item.path }}" - mode: '0600' + mode: "{{ rhel8stig_ssh_priv_key_perm }}" with_items: - "{{ rhel_08_010490_private_host_key_files.files }}" notify: restart sshd @@ -1159,7 +1147,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230287r627750_rule + - SV-230287r743951_rule - V-230287 - ssh @@ -1195,7 +1183,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230289r627750_rule + - SV-230289r743954_rule - V-230289 - ssh 
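Review bot: RHEL-08-010490 now hands the private host key mode to `rhel8stig_ssh_priv_key_perm`, and the old comment explaining why the role deviated from the STIG's 0640 is gone; since the rule (SV-230287r743951) now reads 0600 that is right, but the ceiling should move into defaults/main.yml as a comment, e.g. `# RHEL-08-010490: must be 0600 or less permissive` next to `rhel8stig_ssh_priv_key_perm: '0600'`. Anything more permissive than 0600 exposes the host identity key to the owning group or to everyone, so an `assert` on the variable before the `file` task would be a cheap guard. Note that `notify: restart sshd` is retained for what is now a pure chmod; it is harmless, but a reader may wonder whether the restart is needed, so a short comment would help.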
@@ -1217,14 +1205,15 @@ - V-230290 - ssh -- name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow unused methods of authentication." +# !!!!!!!!!!Remove wtih_items. leaveing as a referecne for when I create 010522 +- name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements." lineinfile: path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" } - - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" } + regexp: '(?i)^#?KerberosAuthentication' + line: "KerberosAuthentication no" + # with_items: + # - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" } + # - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" } notify: restart sshd when: - rhel_08_010521 @@ -1233,7 +1222,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230291r627750_rule + - SV-230291r743957_rule - V-230291 - ssh @@ -1349,7 +1338,8 @@ - RHEL-08-010571 - CAT2 - CCI-000366 - - SV-230300r627750_rule + - SRG-OS-000480-GPOS-00227 + - SV-230300r743959_rule - V-230300 - mounts - boot @@ -1763,7 +1753,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230313r627750_rul + - SV-230313r627750_rule - V-230313 - security - limits @@ -1921,7 +1911,7 @@ - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions" file: path: "{{ item }}" - owner: root + owner: "{{ rhel8stig_ww_dir_owner }}" with_items: - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}" when: rhel_08_010700_world_writable_directories.stdout | length > 0 @@ -1932,7 +1922,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230318r627750_rule + - SV-230318r743960_rule - V-230318 - permissions 
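Review bot: RHEL-08-010521 drops the `GSSAPIAuthentication no` line and now only disables KerberosAuthentication; until the 010522 task the comment promises is written, GSSAPI authentication stays at whatever the host already has, which is a coverage regression relative to the previous version of this task. Either keep both lines here until 010522 exists, or add 010522 in the same change. The regex `(?i)^#?KerberosAuthentication` is fine, but if sshd_config ends in a `Match` block the appended line lands inside it; `insertbefore: '^Match'` with `firstmatch: true` avoids that. The `# !!!!!!!!!!Remove wtih_items` marker and the commented-out loop should be removed before merge.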
@@ -1947,7 +1937,7 @@ - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions" file: path: "{{ item }}" - group: root + group: "{{ rhel8stig_ww_dir_grpowner }}" with_items: - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}" when: rhel_08_010710_world_writable_directories.stdout | length > 0 @@ -1958,7 +1948,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230319r627750_rule + - SV-230319r743961_rule - V-230319 - permissions @@ -2002,7 +1992,7 @@ - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." file: path: "{{ item }}" - mode: 0750 + mode: "{{ rhel8stig_local_int_home_perms }}" with_items: - "{{ rhel_08_010730_home_directories.stdout_lines }}" when: rhel_08_010730_home_directories.stdout | length > 0 @@ -2034,7 +2024,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230322r627750_rule + - SV-230322r743963_rule - V-230322 - permissions @@ -2078,7 +2068,7 @@ - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." file: path: "{{ item }}" - mode: 0740 + mode: "{{ rhel8stig_local_int_perm }}" with_items: - "{{ rhel_08_stig_interactive_homedir_inifiles }}" when: From ae9bdd106e7cebd469c697e5f9a3cea3ca80c61b Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 21 Sep 2021 17:05:37 -0400 Subject: [PATCH 09/21] Initial CAT2 fixes up to 267th control Signed-off-by: George Nalen --- defaults/main.yml | 4 + tasks/fix-cat2.yml | 918 +++++++++++++++++++++++---------------------- 2 files changed, 465 insertions(+), 457 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9e11eab4..3af3179f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
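Review bot: `mode: "{{ rhel8stig_local_int_home_perms }}"` replaces the bare `0750` for interactive home directories (RHEL-08-010730), and `rhel8stig_local_int_perm` replaces `0740` for init files (RHEL-08-010770) in the last hunk; the original literals were unquoted and relied on YAML 1.1 octal parsing, so when defining the new variables in defaults/main.yml use quoted strings (`rhel8stig_local_int_home_perms: '0750'`, `rhel8stig_local_int_perm: '0740'`) and document the STIG ceilings so operators know loosening them breaks compliance. If the role wants to enforce rather than trust the variable, an `assert` that the value is not more permissive than the ceiling before the `file` task would cover it. The 010770 task's `when:` continues outside this hunk.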
@@ -684,6 +684,10 @@ rhel8stig_pam_pwhistory: remember: 5 retries: 3 +# !!!!!!!!! 020011 no longer uses dir, fail_for_root, interval, and unlock time. It only uses attempts, adjust these vars as needed +# !!!!!!!!! 020013 no longer uses attempts, unlock_time, fail_for_root, and dir. It only uses interval +# !!!!!!!!! 020015 no longer uses attempts, interval, fail_for_root, and dir. It only uses unlock_time +# !!!!!!!!! 020017 no longer uses attempts, interval, unlock_time, and fail_for_root. It only uses dir # RHEL-08-020010 # RHEL-08-020011 # RHEL-08-020012 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index daf4034c..3cd0e8ef 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
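Review bot: These four `# !!!!!!!!!` notes say 020011/020013/020015/020017 now consume only `attempts`, `interval`, `unlock_time` and `dir` respectively, which leaves `rhel8stig_pam_faillock.fail_for_root` with no consumer in anything visible in this diff — the `even_deny_root` option it drove was written only by the pam.d lines the fix-cat2.yml hunks remove. Unless another task writes `even_deny_root` into /etc/security/faillock.conf, root is silently excluded from lockout after this change; that should be confirmed, or the variable removed so it does not suggest an enforcement that no longer happens. The WIP markers themselves should become a normal comment before merge, e.g. `# RHEL-08-020011/13/15/17 each set one key in /etc/security/faillock.conf (deny, fail_interval, unlock_time, dir)`.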
@@ -2240,46 +2240,47 @@ - V-230332 - pamd +# !!!!!!Remove commented items. Leaveing incase they are referrenced later - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." - block: - - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set deny in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^deny =|^\# deny =' - line: "deny = {{ rhel8stig_pam_faillock.attempts }}" + # block: + # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so preauth' + # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so authfail' + # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^account required pam_faillock.so' + # line: 'account required pam_faillock.so' + # insertafter: '^account' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set deny in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^deny =|^\# deny =' + line: "deny = {{ rhel8stig_pam_faillock.attempts }}" when: - rhel_08_020011 tags: @@ -2287,7 +2288,7 @@ - CAT2 - CCI-000044 - SRG-OS-000021-GPOS-00005 - - SV-230333r627750_rule + - SV-230333r743966_rule - V-230333 - pamd 
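Review bot: RHEL-08-020011 now writes only `deny = N` to /etc/security/faillock.conf, and the preauth/authfail/account `pam_faillock.so` lines for system-auth and password-auth are commented out with no replacement in this hunk; faillock.conf is only consulted when pam_faillock is actually in those PAM stacks (and not overridden by inline module arguments), so on a host where faillock was never enabled the lockout is now inert. Make sure the task that enables the module (I believe V1R3 carries separate pam_faillock.so controls for system-auth and password-auth; on RHEL 8 `authselect enable-feature with-faillock` is the supported route) is part of the same release, and say so in a comment here instead of the `# !!!!!!Remove commented items` marker. The removed preauth line was also the only visible place `even_deny_root` was written, so root lockout needs its own faillock.conf task or it is lost. The task's tags continue in the next hunk.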
@@ -2336,49 +2337,47 @@ - V-230334 - pamd +# !!!!!!!!!!!Remve commented items. Leaving for reference if used later - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." - block: - - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set fail_interval in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^fail_interval =|^\# fail_interval =' - line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" - with_items: - - system-auth - - password-auth + # block: + # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so preauth' + # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so authfail' + # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^account required pam_faillock.so' + # line: 'account required pam_faillock.so' + # insertafter: '^account' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set fail_interval in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^fail_interval =|^\# fail_interval =' + line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" when: - rhel_08_020013 tags: @@ -2386,7 +2385,7 @@ - CAT2 - CCI-000044 - SRG-OS-000021-GPOS-00005 - - SV-230335r627750_rule + - SV-230335r743969_rule - V-230335 - pamd 
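Review bot: The faillock.conf regex `'^fail_interval =|^\# fail_interval ='` only matches the exact `key = value` spacing, so a pre-existing `fail_interval=900` or `#fail_interval = 900` is left in place and a second directive is appended, and which of the two pam_faillock honours is not something I would rely on; a whitespace-tolerant pattern such as `regexp: '^\s*#?\s*fail_interval\s*='` handles both forms. The same applies to the deny, unlock_time, dir, silent and audit tasks around this one. Dropping the vestigial `with_items: system-auth/password-auth` loop from a lineinfile on faillock.conf is a correct cleanup; the `# !!!!!!!!!!!Remve commented items` marker and the commented-out block should go before merge.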
@@ -2435,57 +2434,55 @@ - V-230336 - pamd +# !!!!!!!!!! Remove commented items. Leaving in as referrence if used later - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - block: - - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^unlock_time =|^\# unlock_time =' - line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}" - with_items: - - system-auth - - password-auth + # block: + # - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so preauth' + # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so authfail' + # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^account required pam_faillock.so' + # line: 'account required pam_faillock.so' + # insertafter: '^account' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^unlock_time =|^\# unlock_time =' + line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}" when: - rhel_08_020015 tags: - RHEL-08-020015 - CAT2 - CCI-000044 - - RG-OS-000021-GPOS-00005 - - SV-230337r627750_rule + - SRG-OS-000021-GPOS-00005 + - SV-230337r743972_rule - V-230337 - pamd 
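Review bot: RHEL-08-020015 ("until the locked account is released by an administrator") now writes `unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}`, and the control is only met when that resolves to `0` (pam_faillock treats 0 as never auto-unlock); any positive default in defaults/main.yml, which I cannot see from here, makes the task title misleading while the host quietly auto-unlocks. Either hard-code `line: "unlock_time = 0"` here, or document in defaults that 0 is the STIG value and anything else is a recorded deviation. The tag correction from `RG-OS-000021-GPOS-00005` to `SRG-OS-000021-GPOS-00005` is welcome; the `# !!!!!!!!!! Remove commented items` marker and the commented block should go before merge.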
@@ -2534,49 +2531,47 @@ - V-230338 - pamd +# !!!!!!! Remove comments, leaving just as referrence if needed later - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist." - block: - - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. 
| Set dir in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^dir =|^\# dir =' - line: "dir = {{ rhel8stig_pam_faillock.dir }}" - with_items: - - system-auth - - password-auth + # block: + # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set preauth" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so preauth' + # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so authfail' + # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^account required pam_faillock.so' + # line: 'account required pam_faillock.so' + # insertafter: '^account' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^dir =|^\# dir =' + line: "dir = {{ rhel8stig_pam_faillock.dir }}" when: - rhel_08_020017 tags: 
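Review bot: RHEL-08-020017 now only writes `dir = {{ rhel8stig_pam_faillock.dir }}` to faillock.conf; the point of the control is that lockouts survive a reboot, which pam_faillock's default /var/run/faillock (tmpfs) does not, so the variable's default — not visible in this diff — must be a persistent path (the STIG fix text uses /var/log/faillock), and nothing here creates that directory or gives it an SELinux label. Add a `file` task that creates the directory as root-owned 0755 and, on an SELinux host, labels it faillog_t (a persistent fcontext rule is better still), otherwise pam_faillock may be unable to record failures and the lockout is inert. The `# !!!!!!! Remove comments` marker and the commented-out block should go before merge.
```yaml
- name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Create persistent faillock directory"
  file:
    path: "{{ rhel8stig_pam_faillock.dir }}"
    state: directory
    owner: root
    group: root
    mode: '0755'
    setype: faillog_t
  when:
    - rhel_08_020017
# … unchanged: existing lineinfile task writing dir = … to /etc/security/faillock.conf …
```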
@@ -2584,7 +2579,7 @@ - CAT2 - CCI-000044 - SRG-OS-000021-GPOS-00005 - - SV-230339r627750_rule + - SV-230339r743975_rule - V-230339 - pamd 
@@ -2633,49 +2628,47 @@ - V-230340 - pamd +# !!!!! Remove comments, leaving in as referrence if needed later - name: "MEDIUM | RHEL-08-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." - block: - - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. 
| Set silent in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^silent|^\# silent' - line: "silent" - with_items: - - system-auth - - password-auth + # block: + # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set preauth" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so preauth' + # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so authfail' + # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^account required pam_faillock.so' + # line: 'account required pam_faillock.so' + # insertafter: '^account' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. 
| Set silent in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^silent|^\# silent' + line: "silent" when: - rhel_08_020019 tags: @@ -2683,7 +2676,7 @@ - CAT2 - CCI-000044 - SRG-OS-000021-GPOS-00005 - - SV-230341r627750_rule + - SV-230341r743978_rule - V-230341 - pamd 
@@ -2732,49 +2725,47 @@ - V-230342 - pamd +# !!!!!! Remove comments, leaving in to referrence if needed later - name: "MEDIUM | RHEL-08-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." - block: - - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. 
| Set audit in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^audit|^\# audit' - line: "audit" - with_items: - - system-auth - - password-auth + # block: + # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so preauth' + # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so authfail' + # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^account required pam_faillock.so' + # line: 'account required pam_faillock.so' + # insertafter: '^account' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. 
| Set audit in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^audit|^\# audit' + line: "audit" when: - rhel_08_020021 tags: @@ -2782,7 +2773,7 @@ - CAT2 - CCI-000044 - SRG-OS-000021-GPOS-00005 - - SV-230343r627750_rule + - SV-230343r743981_rule - V-230343 - pamd 
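Review bot: The faillock.conf-only task that remains for RHEL-08-020021 silently depends on pam_faillock.so already being wired into system-auth/password-auth, which the removed pam.d `lineinfile` steps used to guarantee; on a host whose authselect profile does not enable faillock, `audit` in /etc/security/faillock.conf is never read and the control is unmet without any task failing. A comment above the `lineinfile`, such as `# faillock.conf is only honoured when pam_faillock.so is active in the PAM stack (e.g. authselect with-faillock); this task does not enable it`, would make the dependency visible, and the same applies to the RHEL-08-020023 hunk below (`even_deny_root`) and presumably to the RHEL-08-020019 hunk above (`silent`). The `# !!!!!! Remove comments` marker and the commented-out block look like a personal TODO rather than documentation and are better tracked in an issue than shipped in the task file.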
@@ -2831,49 +2822,47 @@ - V-230344 - pamd +# !!!! - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - block: - - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - lineinfile: - path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - with_items: - - system-auth - - password-auth - - - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf" - lineinfile: - path: "/etc/security/faillock.conf" - regexp: '^even_deny_root|^\# even_deny_root' - line: "even_deny_root" - with_items: - - system-auth - - password-auth + # block: + # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so preauth' + # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set authfail" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^auth required pam_faillock.so authfail' + # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + # insertafter: '^auth' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" + # lineinfile: + # path: "/etc/pam.d/{{ item }}" + # regexp: '^account required pam_faillock.so' + # line: 'account required pam_faillock.so' + # insertafter: '^account' + # notify: restart sssd + # with_items: + # - system-auth + # - password-auth + + # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf" + lineinfile: + path: "/etc/security/faillock.conf" + regexp: '^even_deny_root|^\# even_deny_root' + line: "even_deny_root" when: - rhel_08_020023 tags: @@ -2881,7 +2870,7 @@ - CAT2 - CCI-000044 - SRG-OS-000021-GPOS-00005 - - SV-230345r627750_rule + - SV-230345r743984_rule - V-230345 - pamd @@ -2934,6 +2923,7 @@ package: name: tmux state: present + when: "'tmux' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux" lineinfile: @@ -2950,8 +2940,8 @@ - RHEL-08-020040 - CAT2 - CCI-000056 - - RG-OS-000028-GPOS-00009 - - SV-230348r627750_rule + - SRG-OS-000028-GPOS-00009 + - SV-230348r743987_rule - V-230348 - tmux 
@@ -3085,13 +3075,21 @@ - gui - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." - lineinfile: - path: /etc/tmux.conf - regexp: '^set -g lock-after-time' - line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" - owner: root - group: root - mode: 0644 + block: + - name: ""MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Install tmux if needed" + package: + name: tmux + state: present + when: "'tmux' not in ansible_facts.packages" + + - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Set tmux settings" + lineinfile: + path: /etc/tmux.conf + regexp: '^set -g lock-after-time' + line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" + owner: root + group: root + mode: 0644 when: - rhel_08_020070 tags: @@ -3107,19 +3105,10 @@ lineinfile: path: /etc/dconf/db/local.d/locks/session create: yes - line: "{{ item }}" + line: /org/gnome/desktop/screensaver/lock-delay owner: root group: root mode: 0640 - with_items: - - /org/gnome/desktop/session/idle-delay - - /org/gnome/desktop/screensaver/lock-enabled - - /org/gnome/desktop/screensaver/lock-delay - - /org/gnome/settings-daemon/plugins/media-keys/logout - - /org/gnome/login-screen/disable-user-list - - /org/gnome/login-screen/banner-message-text - - /org/gnome/login-screen/banner-message-enable - - /org/gnome/desktop/lockdown/disable-lock-screen when: - rhel_08_020080 - "'dconf' in ansible_facts.packages" @@ -3129,7 +3118,7 @@ - CAT2 - CCI-000057 - SRG-OS-000029-GPOS-00010 - - SV-230354r627750_rule + - SV-230354r743990_rule - V-230354 - gui @@ -3894,7 +3883,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230387r627750_rule + - SV-230387r743996_rule - V-230387 - cron 
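Review bot: The new `Install tmux if needed` task name in the RHEL-08-020070 block starts with two double quotes (`- name: ""MEDIUM | ...`), which closes an empty string and leaves the rest of the line as a stray scalar, so the whole file stops parsing; it should read `- name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Install tmux if needed"`. In the RHEL-08-020080 hunk the dconf lock file now pins only `/org/gnome/desktop/screensaver/lock-delay`; the other keys this task used to lock (idle-delay, lock-enabled, the login-screen banner keys, disable-lock-screen) are no longer enforced here, which is fine only if they were moved to their own controls, and a one-line pointer naming where would spare the next reader the search.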
@@ -3962,7 +3951,7 @@ - CAT2 - CCI-000140 - SRG-OS-000047-GPOS-00023 - - SV-230391r627750_rule + - SV-230391r743998_rule - V-230391 - auditd @@ -3979,6 +3968,7 @@ tags: - RHEL-08-030060 - CAT2 + - CCI-000140 - SRG-OS-000047-GPOS-00023 - SV-230392r627750_rule - V-230392 @@ -4316,14 +4306,14 @@ - V-230410 - auditd -- name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." +- name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed." block: - - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Install audit" + - name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed. | Install audit" package: name: audit state: present - - name: "MEDIUM | RHEL-08-030180 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Enable and start service" + - name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed. | Enable and start service" service: name: auditd enabled: yes @@ -4335,7 +4325,7 @@ - CAT2 - CCI-000169 - SRG-OS-000062-GPOS-00031 - - SV-230411r646881_rule + - SV-230411r744000_rule - V-230411 - dnf - auditd @@ -4564,14 +4554,12 @@ tags: - CAT2 - RHEL-08-030300 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230423r627750_rule - - V-230423 - RHEL-08-030302 - CCI-000169 - SRG-OS-000062-GPOS-00031 + - SV-230423r627750_rule - SV-230425r627750_rule + - V-230423 - V-230425 - auditd @@ -4731,7 +4719,7 @@ - CAT2 - CCI-000169 - SRG-OS-000062-GPOS-00031 - - SV-230434r627750_rule + - SV-230434r744002_rule - V-230434 - auditd 
@@ -5401,7 +5389,7 @@ - CAT2 - CCI-001493 - SRG-OS-000256-GPOS-00097 - - SV-230473r627750_rule + - SV-230473r744008_rule - V-230473 - permissions @@ -5506,7 +5494,7 @@ - name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed." package: - name: gnutls + name: rsyslog-gnutls state: present when: - rhel_08_030680 @@ -5514,9 +5502,9 @@ tags: - RHEL-08-030680 - CAT2 - - CCI-00036 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230478r627750_rule + - SV-230478r744011_rule - V-230478 - gnutls @@ -5593,14 +5581,15 @@ - V-230482 - auditd -- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." +# !!!!!!! Remove With items, leaving for reference for later control +- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." lineinfile: path: /etc/audit/auditd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^space_left =', line: 'space_left = 25%' } - - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' } + regexp: '^space_left =' + line: 'space_left = 25%' + # with_items: + # - { regexp: '^space_left =', line: 'space_left = 25%' } + # - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' } when: - rhel_08_030730 tags: @@ -5608,7 +5597,7 @@ - CAT2 - CCI-001855 - SRG-OS-000343-GPOS-00134 - - SV-230483r627750_rule + - SV-230483r744014_rule - V-230483 - auditd 
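Review bot: After the RHEL-08-030730 hunk the task writes only `space_left = 25%`; the `space_left_action = EMAIL` line that made the threshold actually produce a notification is now a comment, so whatever `space_left_action` the host already has in /etc/audit/auditd.conf decides what happens when audit storage reaches the limit. If that setting is deliberately deferred to another control, a pointer comment above the task (`# space_left_action is set by <control id>`) would make that explicit; otherwise the second `lineinfile` should stay.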
@@ -5663,22 +5652,23 @@ - dnf - sendmail -- name: "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." - package: - name: gssproxy - state: absent - when: - - rhel_08_040370 - - "'gssproxy' in ansible_facts.packages" - tags: - - RHEL-08-040370 - - CAT2 - - CCI-000381 - - SRG-OS-000480-GPOS-00227 - - SV-230559r646887_rule - - V-230559 - - dnf - - gssproxy +# !!!!! Not in order possibly comes up later +# - name: "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." +# package: +# name: gssproxy +# state: absent +# when: +# - rhel_08_040370 +# - "'gssproxy' in ansible_facts.packages" +# tags: +# - RHEL-08-040370 +# - CAT2 +# - CCI-000381 +# - SRG-OS-000480-GPOS-00227 +# - SV-230559r646887_rule +# - V-230559 +# - dnf +# - gssproxy - name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use." lineinfile: @@ -5855,7 +5845,7 @@ block: - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld" package: - name: firewalld + name: firewalld.noarch state: present when: rhel8stig_firewall_service == "firewalld" @@ -5877,7 +5867,7 @@ - CAT2 - CCI-002314 - SRG-OS-000297-GPOS-00115 - - SV-230505r627750_rule + - SV-230505r744020_rule - V-230505 - firewall - "{{ rhel8stig_firewall_service }}" @@ -6010,19 +6000,15 @@ tags: - CAT2 - RHEL-08-040120 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-230508r627750_rule - - V-230508 - RHEL-08-040121 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-230509r627750_rule - - V-230509 - RHEL-08-040122 - CCI-001764 - SRG-OS-000368-GPOS-00154 + - SV-230508r627750_rule + - SV-230509r627750_rule - SV-230510r627750_rule + - V-230508 + - V-230509 - V-230510 - mounts 
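Review bot: Commenting out the RHEL-08-040370 gssproxy task drops the control's enforcement while the `rhel_08_040370` toggle and its tags presumably still exist in defaults, so a user who enables it gets neither an action nor a message; if the control is meant to reappear under another ID, the comment should say so (`# RHEL-08-040370 (gssproxy) moved to <control id>, see <tracking issue>` with real values), otherwise the dead block is better removed. In the RHEL-08-040100 hunk, `name: firewalld.noarch` bakes dnf's name.arch syntax into the generic `package` module and no longer matches the bare `firewalld` key that `ansible_facts.packages` reports elsewhere in this file; unless the arch suffix is needed for a specific reason, `name: firewalld` is the safer spelling.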
@@ -6061,19 +6047,15 @@ tags: - CAT2 - RHEL-08-040123 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-230511r627750_rule - - V-230511 - RHEL-08-040124 + - RHEL-08-04125 - CCI-001764 - SRG-OS-000368-GPOS-00154 + - SV-230511r627750_rule - SV-230512r627750_rule - - V-230512 - - RHEL-08-04125 - - CCI-00176 - - SRG-OS-000368-GPOS-00154 - SV-230513r627750_rule + - V-230511 + - V-230512 - V-230513 - mounts @@ -6111,19 +6093,15 @@ tags: - CAT2 - RHEL-08-040126 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-230514r627750_rule - - V-230514 - RHEL-08-040127 - - V-230514 - - SRG-OS-000368-GPOS-00154 - - SV-230515r627750_rule - - V-230515 - RHEL-08-040128 - CCI-001764 - SRG-OS-000368-GPOS-00154 + - SV-230514r627750_rule + - SV-230515r627750_rule - SV-230516r627750_rule + - V-230514 + - V-230515 - V-230516 - mounts @@ -6161,19 +6139,15 @@ tags: - CAT2 - RHEL-08-040129 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-230517r627750_rule - - V-230517 - RHEL-08-040130 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-230518r627750_rule - - V-230518 - RHEL-08-040131 - CCI-001764 - SRG-OS-000368-GPOS-00154 + - SV-230517r627750_rule + - SV-230518r627750_rule - SV-230519r627750_rule + - V-230517 + - V-230518 - V-230519 - mounts 
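Review bot: The tag `RHEL-08-04125` in the RHEL-08-040123/124/125 hunk is moved rather than corrected: the surrounding tags are `RHEL-08-040123` and `RHEL-08-040124`, so the new side is almost certainly missing a `0` and a run with `--tags RHEL-08-040125` would not select this task. Change the added line to `- RHEL-08-040125`.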
@@ -6211,107 +6185,125 @@ tags: - CAT2 - RHEL-08-040132 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-230520r627750_rule - - V-230520 - RHEL-08-040133 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-230521r627750_rule - - V-230521 - RHEL-08-040134 - CCI-001764 - SRG-OS-000368-GPOS-00154 + - SV-230520r627750_rule + - SV-230521r627750_rule - SV-230522r627750_rule + - V-230520 + - V-230521 - V-230522 - mounts -- name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." - block: - - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Install fapolicy" - package: - name: fapolicyd - state: present - - - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" - shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts - changed_when: false - failed_when: false - - - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy" - service: - name: fapolicyd - state: started - enabled: yes - - - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy whitelist " - lineinfile: - path: /etc/fapolicyd/fapolicyd.rules - line: "{{ item }}" - with_items: - - "{{ rhel8stig_fapolicy_white_list }}" - - - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" - lineinfile: - path: /etc/fapolicyd/fapolicyd.conf - regexp: '^permissive =' - line: 'permissive = 0' +# !!!!! Remove comments, leaving for reference later +- name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be installed." + package: + name: fapolicyd + state: present + # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" + # shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts + # changed_when: false + # failed_when: false + + # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy" + # service: + # name: fapolicyd + # state: started + # enabled: yes + + # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " + # lineinfile: + # path: /etc/fapolicyd/fapolicyd.rules + # line: "{{ item }}" + # with_items: + # - "{{ rhel8stig_fapolicy_white_list }}" + + # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy permissive 0" + # lineinfile: + # path: /etc/fapolicyd/fapolicyd.conf + # regexp: '^permissive =' + # line: 'permissive = 0' when: - rhel_08_040135 + - "'fapolicyd' not in ansible_facts.packages" tags: - RHEL-08-040135 - CAT2 - CCI-001764 - SRG-OS-000368-GPOS-00154 - - SV-230523r627750_rule + - SV-230523r744023_rule - V-230523 - fapolicyd -- name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." +- name: | + "MEDIUM | RHEL-08-040139 | PATCH | RHEL 8 must have the USBGuard installed." + "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." + "MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard." block: - - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Install usbguard" + - name: "MEDIUM | RHEL-08-040139 | PATCH | RHEL 8 must have the USBGuard installed. | Install usbguard" package: name: usbguard state: present + when: + - rhel_08_040139 + - "'usbguard' not in ansible_facts.packages" - - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | generate policy" + - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | generate policy" shell: usbguard generate-policy > /etc/usbguard/rules.conf + when: + - rhel_08_040140 + - "'usbguard' in ansible_facts.packages" or + rhel_08_040139 - - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | Start/Enable service" + - name: "MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard. 
| Start/Enable service" service: name: usbguard state: started enabled: yes + when: + - rhel_08_040141 + - "'usbguard' in ansible_facts.packages" or + rhel_08_040139 when: - - rhel_08_040140 + - rhel_08_040139 or + rhel_08_040140 or + rhel_08_040141 tags: + - RHEL-08-040139 - RHEL-08-040140 + - RHEL-08-040141 - CAT2 - CCI-001958 - SRG-OS-000378-GPOS-00163 - - SV-230524r627750_rule + - SV-244547r743890_rule + - SV-230524r744026_rule + - SV-244548r743893_rule + - V-244547 - V-230524 + - V-244548 - usbguard +# !!!!!!Remove comments. Leaving for future reference. - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." - block: - - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" - package: - name: nftables - state: present + # block: + # - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" + # package: + # name: nftables + # state: present - - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables" - systemd: - name: nftables - state: started - enabled: yes + # - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. 
| Start/Enable nftables" + # systemd: + # name: nftables + # state: started + # enabled: yes - - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" - lineinfile: - path: /etc/firewalld/firewalld.conf - regexp: '^FirewallBackend=' - line: 'FirewallBackend=nftables' + # - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" + lineinfile: + path: /etc/firewalld/firewalld.conf + regexp: '^FirewallBackend=' + line: 'FirewallBackend=nftables' when: - rhel_08_040150 tags: 
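Review bot: The new `when` lists on the usbguard generate-policy and Start/Enable tasks are not valid YAML: `- "'usbguard' in ansible_facts.packages" or` puts plain text after a closed double-quoted scalar, which the YAML loader rejects, so fix-cat2.yml fails to load before any task runs. Fold each expression into one quoted string, `- "'usbguard' in ansible_facts.packages or rhel_08_040139"`, and likewise `- "'openssh-server' in ansible_facts.packages or rhel_08_040159"` in the RHEL-08-040159/040160 hunk that follows; the task-level `when` with bare `rhel_08_040139 or` continuation lines is fine, since an unquoted scalar may continue onto the next line. For RHEL-08-040150 the nftables install and service enablement are now only comments, so `FirewallBackend=nftables` is written even on hosts where the nftables package and service may be absent; if that moved to another control, a pointer comment on the task would confirm it.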
@@ -6319,31 +6311,43 @@ - CAT2 - CCI-002385 - SRG-OS-000420-GPOS-00186 - - SV-230525r627750_rule + - SV-230525r744029_rule - V-230525 - firewall - nftables -- name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." +- name: | + "MEDIUM | RHEL-08-040159 | PATCH | All RHEL 8 networked systems must have SSH installed." + "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission." block: - - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Install openssh-server" + - name: "MEDIUM | RHEL-08-040159 | PATCH | All RHEL 8 networked systems must have SSH installed. | Install openssh-server" package: name: openssh-server state: present + when: + - "'openssh-server' not in ansible_facts.packages" + - rhel_08_040159 - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server" service: name: sshd state: started enabled: yes + when: + - "'openssh-server' in ansible_facts.packages" or + rhel_08_040159 when: - - rhel_08_040160 + - rhel_08_040159 or + rhel_08_040160 tags: - - rhel_08_040160 + - RHEL-08-040159 + - RHEL-08-040160 - CAT2 - CCI-002418 - SRG-OS-000423-GPOS-00187 - - SV-230526r627750_rule + - SV-244549r743896_rule + - SV-230526r744032_rule + - V-244549 - V-230526 - ssh 
From 93b8348010272b5087bcc87043c561768c7f4989 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 27 Sep 2021 16:56:11 -0400 Subject: [PATCH 10/21] Updated first 322 cat2 Signed-off-by: George Nalen --- defaults/main.yml | 11 +- tasks/fix-cat1.yml | 10 - tasks/fix-cat2.yml | 775 +++++++++++++++++++++++++++++++++++++-------- tasks/prelim.yml | 4 + 4 files changed, 660 insertions(+), 140 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3af3179f..2f0fe949 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -478,6 +478,9 @@ rhel8stig_smartcard: false # Configure your smartcard driver rhel8stig_smartcarddriver: cackey +# IPv6 required +rhel8stig_ipv6_required: true + # RHEL-08-010210 # rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to. # To conform to STIG standards this needs to be 0640 or more restrictive @@ -531,6 +534,12 @@ rhel8stig_ww_dir_grpowner: root # To conform to STIG standards this needs to be set to 0750 more less permissive rhel8stig_local_int_home_perms: 0750 +# RHEL-08-010731 +# rhel8stig_local_int_home_file_perms is the permissions set to files in the local interactive +# user home directories. These are only set when rhel8stig_disruption_high is set to true +# All files users home directories that are less restrictive than 0750 will be set to this value +rhel8stig_local_int_home_file_perms: 750 + # RHEL-08-010770 # rhel8stig_local_int_perm is the permissions set to the local initialization files # To connform to STIG standards this needs to be set to 0740 or less permissive @@ -814,7 +823,7 @@ rhel8stig_interactive_uid_start: 1000 # rhel8stig_ntp_server_name is the name of the NTP server rhel8stig_ntp_server_name: server.name -# RHEL-08-040130 +# RHEL-08-040137 # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all rhel8stig_fapolicy_white_list: - deny all all 
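Review bot: `rhel8stig_local_int_home_file_perms: 750` in the defaults hunk is a decimal integer, unlike the neighbouring `rhel8stig_local_int_home_perms: 0750`, and its own comment says files should end up at 0750; if the consuming task passes it to `mode:` unquoted, Ansible will apply decimal 750 (octal 1356) rather than rwxr-x---. Write it as `rhel8stig_local_int_home_file_perms: 0750` to match the sibling variable, or as the string `"0750"`.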
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index f0010a80..f7d24436 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -152,16 +152,6 @@ group: root mode: 0640 notify: confirm grub2 user cfg - - # - name: | - # "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set UEFI superusers" - # "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set UEFI superusers" - # lineinfile: - # dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" - # regexp: '^set superusers' - # line: 'set superusers="{{ rhel8stig_boot_superuser }}"' - # insertafter: '### BEGIN /etc/grub.d/01_users ###' - # notify: confirm grub2 user cfg when: - not system_is_ec2 - rhel_08_010140 or diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3cd0e8ef..3bc78227 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -79,14 +79,11 @@ - V-230225 - V-230227 - -# !!!!!!!REMOVE Banner-message-enable part. That moves to 010049 - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." copy: dest: /etc/dconf/db/local.d/01-banner-message content: | [org/gnome/login-screen] - # banner-message-enable=true banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}' mode: '0644' owner: root @@ -223,7 +220,6 @@ - V-230232 - disruption_high -# !!!!!!!!!remove with items. Leaveing that there for 010131 referrence. - name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds." pamd: name: password-auth 
@@ -232,9 +228,6 @@ module_path: pam_unix.so module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" state: args_present - # with_items: - # - password-auth - # - system-auth when: - rhel_08_010130 tags: @@ -266,7 +259,6 @@ - V-230236 - systemd -# !!!!!!!!!!Remove with_items. Left there for reference in 010159 - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." pamd: name: password-auth" @@ -275,9 +267,6 @@ module_path: pam_unix.so module_arguments: sha512 state: args_present - # with_items: - # - password-auth - # - system-auth when: - rhel_08_010160 tags: @@ -409,16 +398,12 @@ - V-230243 - permissions -# !!!!! Remove with_items. Keeping as reference for 010201 - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveCountMax.*' line: ClientAliveCountMax 0 notify: restart sshd - # with_items: - # - { regexp: '(?i)^#?ClientAliveInterval.*', line: 'ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}'} - # - { regexp: '(?i)^#?ClientAliveCountMax.*', line: 'ClientAliveCountMax 0' } when: - rhel_08_010200 - rhel8stig_ssh_required @@ -487,7 +472,6 @@ - V-230250 - permissions -# !!!!!!!!Remove with_items. Leaving for reference if needed - name: | "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms." "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections." 
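Review bot: The context line `name: password-auth"` under RHEL-08-010160 carries a trailing double quote; if that is in the file rather than an artifact of how this page was rendered, `pamd` receives the service name `password-auth"`, cannot find /etc/pam.d/password-auth", and the task fails, leaving password-auth without the `sha512` argument the control requires. The commit edits this task but leaves the quote; it should read `name: password-auth`.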
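Review bot: Removing `ClientAliveInterval` from RHEL-08-010200 is only safe if RHEL-08-010201 now sets it, and as added later in this patch that task pairs `regexp: '(?i)^#?ClientAliveInterval.*'` with `line: ClientAliveCountMax 0`, so the interval is never written and any existing `ClientAliveInterval` line is replaced by a second `ClientAliveCountMax 0`; after this split neither control enforces the idle timeout. The 010201 task should carry the entry this hunk deletes, `line: "ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}"`.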
@@ -516,9 +500,6 @@ regexp: '^CRYPTO_POLICY=' line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' notify: change_requires_reboot - # with_items: - # - { path: /etc/crypto-policies/back-ends/openssh.config, regexp: '^Ciphers', line: "Ciphers {{ rhel8stig_ssh_cipher_settings }}" } - # - { path: /etc/crypto-policies/back-ends/opensshserver.config, regexp: '^CRYPTO_POLICY=', line: "CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'" } when: - rhel_08_010290 or rhel_08_010291 @@ -1205,15 +1186,11 @@ - V-230290 - ssh -# !!!!!!!!!!Remove wtih_items. leaveing as a referecne for when I create 010522 - name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements." lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?KerberosAuthentication' line: "KerberosAuthentication no" - # with_items: - # - { regexp: '(?i)^#?KerberosAuthentication', line: "KerberosAuthentication no" } - # - { regexp: '(?i)^#?GSSAPIAuthentication', line: "GSSAPIAuthentication no" } notify: restart sshd when: - rhel_08_010521 @@ -5581,15 +5558,11 @@ - V-230482 - auditd -# !!!!!!! Remove With items, leaving for reference for later control - name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." lineinfile: path: /etc/audit/auditd.conf regexp: '^space_left =' line: 'space_left = 25%' - # with_items: - # - { regexp: '^space_left =', line: 'space_left = 25%' } - # - { regexp: '^space_left_action =', line: 'space_left_action = EMAIL' } when: - rhel_08_030730 tags: 
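Review bot: The new side still writes `CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'` to /etc/sysconfig/sshd for RHEL-08-010290/010291, while the RHEL-08-010287 task added later in this patch uses the same `regexp: '^CRYPTO_POLICY='` to rewrite that line as `# CRYPTO_POLICY=` so sshd follows the system-wide crypto policy; if both controls are enabled the later task wins within a run and the two undo each other across runs. If 010287 is the intended mechanism under V1R3, skip this override when `rhel_08_010287` is true (`- not rhel_08_010287` in the `when`), and add a comment on whichever task takes precedence so the conflict is visible to operators rather than resolved by task order. Both tasks' enclosing blocks extend outside this hunk.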
@@ -5652,24 +5625,6 @@ - dnf - sendmail -# !!!!! Not in order possibly comes up later -# - name: "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." -# package: -# name: gssproxy -# state: absent -# when: -# - rhel_08_040370 -# - "'gssproxy' in ansible_facts.packages" -# tags: -# - RHEL-08-040370 -# - CAT2 -# - CCI-000381 -# - SRG-OS-000480-GPOS-00227 -# - SV-230559r646887_rule -# - V-230559 -# - dnf -# - gssproxy - - name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use." lineinfile: path: /etc/modprobe.d/blacklist.conf @@ -6368,22 +6323,23 @@ - V-230527 - sshd -- name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." - lineinfile: - path: /etc/ssh/ssh_config - regexp: '(?i)^#?RekeyLimit' - line: 'RekeyLimit 1G 1h' - notify: restart sshd - when: - - rhel_08_040162 - tags: - - RHEL-08-040162 - - CAT2 - - CCI-000068 - - SRG-OS-000033-GPOS-00014 - - SV-230528r627750_rule - - V-230528 - - sshd +# !!!!!! Possibly remove, leaving for reference if needed +# - name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." +# lineinfile: +# path: /etc/ssh/ssh_config +# regexp: '(?i)^#?RekeyLimit' +# line: 'RekeyLimit 1G 1h' +# notify: restart sshd +# when: +# - rhel_08_040162 +# tags: +# - RHEL-08-040162 +# - CAT2 +# - CCI-000068 +# - SRG-OS-000033-GPOS-00014 +# - SV-230528r627750_rule +# - V-230528 +# - sshd - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." systemd: 
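Review bot: Commenting out RHEL-08-040162 behind a `# !!!!!! Possibly remove, leaving for reference if needed` marker silently drops the client `RekeyLimit 1G 1h` hardening for everyone running the role, while the `rhel_08_040162` toggle and the `RHEL-08-040162` tag presumably still exist elsewhere and now select nothing. Either delete the block outright if V1R3 retired the control (and retire the variable with it) or keep it active; if the decision is pending, a `# TODO(V1R3): RHEL-08-040162 status unresolved` comment naming the reason is clearer than a row of exclamation marks.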
@@ -6403,34 +6359,36 @@ - V-230532 - debug-shell -- name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted." +# !!!!!!!! Remove comments, leaving there for reference. +- name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted." block: - - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" + - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" sysctl: - name: "{{ item }}" + name: net.ipv6.conf.default.accept_redirects state: present value: '0' notify: change_requires_reboot - with_items: - - net.ipv4.conf.default.accept_redirects - - net.ipv6.conf.default.accept_redirects + # with_items: + # - net.ipv4.conf.default.accept_redirects + # - net.ipv6.conf.default.accept_redirects - - name: "MEDIUM | RHEL-08-040210 | PATCH | The RHEL 8 must prevent Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects default value to 0" + - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
| Set accpet_redirects default value to 0" lineinfile: path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } - - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } + regexp: '^net.ipv6.conf.default.accept_redirects=' + line: 'net.ipv6.conf.default.accept_redirects=0' + # with_items: + # - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } + # - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } when: - rhel_08_040210 + - rhel8stig_ipv6_required tags: - RHEL-08-040210 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230535r627750_rule + - SV-230535r744035_rule - V-230535 - icmp @@ -6455,7 +6413,7 @@ - CAT2 - CCI-00036 - SRG-OS-000480-GPOS-00227 - - SV-230536r627750_rule + - SV-230536r744037_rule - V-230536 - icmp 
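Review bot: On the new side RHEL-08-040210 manages only `net.ipv6.conf.default.accept_redirects`; the IPv4 `net.ipv4.conf.default.accept_redirects=0` setting survives only in the commented-out `with_items`, and no task visible in this patch applies it, so unless another control covers IPv4 this is a hardening regression (the 040240, 040250 and 040280 hunks below follow the same pattern). The `# !!!!!!!! Remove comments, leaving there for reference.` marker and the commented lists should not ship; if a separate IPv4 control is planned, name it in a `# TODO: IPv4 handled by RHEL-08-0402xx` comment instead. Gating the whole block on `rhel8stig_ipv6_required` also means a `false` value skips the IPv6 setting entirely rather than enforcing anything, which deserves a note on the variable.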
@@ -6480,93 +6438,104 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230537r627750_rule + - SV-230537r744039_rule - V-230537 - icmp -- name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets." +# !!!!!!Remove Comments, leaving for later reference. +- name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets." block: - - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route in sysctl" + - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Set conf.all accept_source_route in sysctl" sysctl: - name: "{{ item }}" + name: net.ipv6.conf.all.accept_source_route state: present value: '0' notify: change_requires_reboot - with_items: - - net.ipv4.conf.all.accept_source_route - - net.ipv6.conf.all.accept_source_route + # with_items: + # - net.ipv4.conf.all.accept_source_route + # - net.ipv6.conf.all.accept_source_route - - name: "MEDIUM | RHEL-08-040240 | PATCH | The RHEL 8 must not forward source-routed packets. | Set conf.all accept_source_route default value to 0" + - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. 
| Set conf.all accept_source_route default value to 0" lineinfile: path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } - - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } + regexp: '^net.ipv6.conf.all.accept_source_route' + line: 'net.ipv6.conf.all.accept_source_route=0' + # with_items: + # - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } + # - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } when: - rhel_08_040240 + - rhel8stig_ipv6_required tags: - RHEL-08-040240 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230538r627750_rule + - SV-230538r744042_rule - V-230538 - icmp -- name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default." +- name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default." block: - - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. | Set conf.default accept_source_route in sysctl" + - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Set conf.default accept_source_route in sysctl" sysctl: - name: "{{ item }}" + name: net.ipv6.conf.default.accept_source_route state: present value: '0' notify: change_requires_reboot - with_items: - - net.ipv4.conf.default.accept_source_route - - net.ipv6.conf.default.accept_source_route + # with_items: + # - net.ipv4.conf.default.accept_source_route + # - net.ipv6.conf.default.accept_source_route - - name: "MEDIUM | RHEL-08-040250 | PATCH | The RHEL 8 must not forward source-routed packets by default. 
| Set conf.default accept_source_route value to 0" + - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Set conf.default accept_source_route value to 0" lineinfile: path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } - - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } + regexp: '^net.ipv6.conf.default.accept_source_route' + line: 'net.ipv6.conf.default.accept_source_route=0' + # with_items: + # - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } + # - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } when: - rhel_08_040250 + - rhel8stig_ipv6_required tags: - RHEL-08-040250 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230539r627750_rule + - SV-230539r744045_rule - V-230539 - icmp - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router." block: - - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set ip_forward in sysctl" + - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set IPv4 ip_forward in sysctl" sysctl: - name: "{{ item }}" + name: net.ipv4.ip_forward state: present value: '0' notify: change_requires_reboot - with_items: - - net.ipv4.ip_forward - - net.ipv6.conf.all.forwarding - - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. 
| Set ip_forward value to 0" + - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set IPv6 ip_forward in sysctl" + sysctl: + name: net.ipv6.conf.all.forwarding + state: present + value: '0' + notify: change_requires_reboot + when: rhel8stig_ipv6_required + + - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set IPv4 ip_forward value to 0" lineinfile: path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.ip_forward', line: 'net.ipv4.ip_forward=0' } - - { regexp: '^net.ipv6.conf.all.forwarding', line: 'net.ipv6.conf.all.forwarding=0' } + regexp: '^net.ipv4.ip_forward' + line: 'net.ipv4.ip_forward=0' + - name: "MEDIUM | RHEL-08-040260 | PATCH | The RHEL 8 must not be performing packet forwarding unless the system is a router. | Set IPv6 ip_forward value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv6.conf.all.forwarding' + line: 'net.ipv6.conf.all.forwarding=0' + when: rhel8stig_ipv6_required when: - rhel_08_040260 - not rhel8stig_system_is_router @@ -6595,6 +6564,7 @@ line: 'net.ipv6.conf.all.accept_ra=0' when: - rhel_08_040261 + - rhel8stig_ipv6_required - not rhel8stig_system_is_router tags: - RHEL-08-040261 @@ -6621,6 +6591,7 @@ line: 'net.ipv6.conf.default.accept_ra=0' when: - rhel_08_040262 + - rhel8stig_ipv6_required - not rhel8stig_system_is_router tags: - RHEL-08-040262 
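Review bot: Gating the IPv6 sysctls on `rhel8stig_ipv6_required` means that when an operator sets it to `false` the `net.ipv6.conf.all.forwarding`, `accept_ra`, `accept_source_route` and `accept_redirects` settings are skipped, not enforced; nothing in this patch disables the IPv6 stack when the flag is false, so a host that still has IPv6 enabled is left at kernel defaults, which for `accept_redirects` and `accept_ra` are permissive. These sysctls are harmless on a host that does not use IPv6, so apply them unconditionally, or document on `rhel8stig_ipv6_required` that `false` must be paired with disabling IPv6 (`ipv6.disable=1` or `net.ipv6.conf.all.disable_ipv6=1`) and assert that in prelim. The RHEL-08-040260 task's `tags` lie outside this hunk.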
@@ -6652,38 +6623,40 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230543r627750_rule + - SV-230543r744047_rule - V-230543 - icmp -- name: "MEDIUM | RHEL-08-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages." +# !!!!!!!! Remove comments, leaving for reference. +- name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages." block: - - name: "MEDIUM | RHEL-08-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" + - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" sysctl: - name: "{{ item }}" + name: net.ipv6.conf.all.accept_redirects state: present value: '0' notify: change_requires_reboot - with_items: - - net.ipv4.conf.all.accept_redirects - - net.ipv6.conf.all.accept_redirects + # with_items: + # - net.ipv4.conf.all.accept_redirects + # - net.ipv6.conf.all.accept_redirects - - name: "MEDIUM | RHEL-08-040280 | PATCH | The RHEL 8 must ignore Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" + - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. 
| Set all.accept_redirects default value" lineinfile: path: /etc/sysctl.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } - - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } + regexp: '^net.ipv6.conf.all.accept_redirects' + line: 'net.ipv6.conf.all.accept_redirects=0' + # with_items: + # - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } + # - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } when: - rhel_08_040280 + - rhel8stig_ipv6_required tags: - RHEL-08-040280 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230544r627750_rule + - SV-230544r744050_rule - V-230544 - icmp @@ -6895,6 +6868,23 @@ - V-230557 - tftp +- name: "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8." + package: + name: gssproxy + state: absent + when: + - rhel_08_040370 + - "'gssproxy' in ansible_facts.packages" + tags: + - RHEL-08-040370 + - CAT2 + - CCI-000381 + - SRG-OS-000480-GPOS-00227 + - SV-230559r646887_rule + - V-230559 + - dnf + - gssproxy + - name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8." package: name: iprutils 
@@ -6984,7 +6974,7 @@ - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo." block: - - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation" + - name: "MEDIUM | RHEL-08-010383 | AUDIT | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation" shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d ':' -f1 | sort --uniq changed_when: false failed_when: false @@ -7047,7 +7037,7 @@ - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command." block: - - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Get files with timeout set" + - name: "MEDIUM | RHEL-08-010384 | AUDIT | RHEL 8 must require re-authentication when using the sudo command. | Get files with timeout set" shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false 
@@ -7081,3 +7071,530 @@ - SV-237643r646899_rule - V-237643 - sudo +# ----------------NEW------------ +- name: "MEDIUM | RHEL-08-010049 | PATCH | RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon" + lineinfile: + path: /etc/dconf/db/local.d/01-banner-message + regexp: 'banner-message-enabled=' + line: banner-message-enable=true + create: true + mode: '0644' + owner: root + group: root + insertafter: '[org/gnome/login-screen]' + notify: dconf update + when: + - rhel_08_010049 + tags: + - RHEL-08-010049 + - CAT2 + - CCI-000048 + - SRG-OS-000023-GPOS-00006 + - SV-244519r743806_rule + - V-244519 + - banner + +- name: "MEDIUM | RHEL-08-010131 | PATCH | The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds." + pamd: + name: system-auth + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" + state: args_present + when: + - rhel_08_010131 + tags: + - RHEL-08-010131 + - CAT2 + - CCI-000196 + - SRG-OS-000073-GPOS-00041 + - SV-244520r743809_rule + - V-244520 + - pamd + +- name: | + "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." + "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." 
+ lineinfile: + dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + notify: confirm grub2 user cfg + with_items: + - { regexp: '^set superusers', line: 'set superusers="{{ rhel8stig_boot_superuser }}"', insertafter: '### BEGIN /etc/grub.d/01_users ###' } + - { regexp: '^export superusers', line: 'export superusers', insertafter: '^set superusers' } + - { regexp: '^password_pbkdf2', line: 'password_pbkdf2 {{ rhel8stig_boot_superuser }} ${GRUB2_PASSWORD}', insertafter: '^export superusers' } + when: + - rhel_08_010141 or + rhel_08_010141 + tags: + - RHEL-08-010141 + - RHEL-08-010149 + - CAT2 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-244521r743812_rule + - SV-244522r743815_rule + - V-244521 + - V-244522 + +- name: "MEDIUM | RHEL-08-010152 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency mode." + lineinfile: + path: /usr/lib/systemd/system/emergency.service + regexp: '^ExecStart=' + line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel_08_010152 + tags: + - RHEL-08-010152 + - CAT2 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-244523r743818_rule + - V-244523 + - systemd + +- name: "MEDIUM | RHEL-08-010159 | PATCH | The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." 
+ pamd: + name: system-auth + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: sha512 + state: args_present + when: + - rhel_08_010159 + tags: + - RHEL-08-010159 + - CAT2 + - CCI-000803 + - SRG-OS-000120-GPOS-00061 + - SV-244524r743821_rule + - V-244524 + - pamd + +- name: "MEDIUM | RHEL-08-010201 | PATCH | The RHEL 8 SSH daemon must be configured with a timeout interval" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?ClientAliveInterval.*' + line: ClientAliveCountMax 0 + notify: restart sshd + when: + - rhel_08_010201 + - rhel8stig_ssh_required + tags: + - RHEL-08-010201 + - CAT2 + - CCI-001133 + - SRG-OS-000163-GPOS-00072 + - SV-244525r743824_rule + - V-244525 + - ssh + +- name: "MEDIUM | RHEL-08-010287 | PATCH | The RHEL 8 SSH daemon must be configured to use system-wide crypto policies." + lineinfile: + path: /etc/sysconfig/sshd + regexp: '^CRYPTO_POLICY=' + line: '# CRYPTO_POLICY=' + notify: change_requires_reboot + when: + - rhel_08_010287 + tags: + - RHEL-08-010287 + - CAT2 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-244526r743827_rule + - V-244526 + - ssh + +- name: "MEDIUM | RHEL-08-010522 | PATCH | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?GSSAPIAuthentication' + line: "GSSAPIAuthentication no" + when: + - rhel_08_010522 + tags: + - RHEL-08-010522 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244528r743833_rule + - V-244528 + - ssh + +- name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." + block: + - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" + debug: + msg: "Warning! /var/tmp does not exist, /var/tmp needs to use a sperate file system. 
This is a manual task" + register: var_tmp_mount_absent + changed_when: var_tmp_mount_absent.skipped is defined + when: "'/var/tmp' not in mount_names" + + - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Mount is present" + debug: + msg: "Congratulations: /var/tmp does exist." + when: "'/var/tmp' in mount_names" + when: + - rhel_08_010544 + tags: + - RHEL-08-010544 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244529r743836_rule + - V-244529 + - mounts + +- name: "MEDIUM | RHEL-08-010572 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory." + mount: + path: /boot/efi + state: mounted + src: "{{ boot_efi_mount.device }}" + fstype: "{{ boot_efi_mount.fstype }}" + opts: "{{ boot_efi_mount.options }},nosuid" + when: + - rhel_08_010572 + - ansible_mounts | selectattr('mount', 'match', '^/boot/efi$') | list | length != 0 + - "'nosuid' not in boot_efi_mount.options" + vars: + boot_efi_mount: "{{ ansible_mounts | json_query('[?mount == `/boot/efi`] | [0]') }}" + tags: + - RHEL-08-010572 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244530r743839_rule + - V-244530 + - mounts + - efi + +- name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive." + block: + - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files" + shell: "find {{ item }} -perm -750 ! -perm 750" + changed_when: false + failed_when: false + register: rhel_08_010731_files + with_items: + - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + + - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. 
| Bring files into compliance" + file: + path: "{{ item }}" + mode: "{{ rhel8stig_local_int_home_file_perms }}" + with_items: + - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" + when: rhel8stig_disruption_high + + - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files" + debug: + msg: + - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750." + - "Please review the files to bring into STIG compliance" + - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }} + when: not rhel8stig_disruption_high + when: + - rhel_08_010572 + tags: + - RHEL-08-010731 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244531r743842_rule + - V-244531 + - permissions + +- name: "MEDIUM | RHEL-08-010741 | PATCH | RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." + file: + path: "{{ item.dir }}" + group: "{{ item.gid }}" + state: directory + recurse: true + with_items: "{{ rhel8stig_passwd }}" + when: + - rhel_08_010572 + - (item.uid >= rhel8stig_interactive_uid_start|int) + tags: + - RHEL-08-010741 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244532r743845_rule + - V-244532 + - permissions + +- name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file." + block: + - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. 
| Set preauth" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + + - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + + - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set account faillock" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd + when: + - rhel_08_020025 + tags: + - RHEL-08-020025 + - CAT2 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-244533r743848_rule + - V-244533 + - pamd + +- name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file." + block: + - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. 
| Set preauth" + lineinfile: + path: /etc/pam.d/password-auth + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + + - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set authfail" + lineinfile: + path: /etc/pam.d/password-auth + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + + - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set account faillock" + lineinfile: + path: /etc/pam.d/password-auth + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd + when: + - rhel_08_020026 + tags: + - RHEL-08-020026 + - CAT2 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-244534r743851_rule + - V-244534 + - pamd + +- name: "MEDIUM | RHEL-08-020031 | PATCH | RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated." 
+ copy: + dest: /etc/dconf/db/local.d/00-screensaver_rhel_08_020031 + content: | + [org/gnome/desktop/screensaver] + lock-delay=uint32 5 + mode: '0644' + notify: dconf update + when: + - rhel_08_020026 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020031 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-244535r743854_rule + - V-244535 + - dconf + +- name: "MEDIUM | RHEL-08-020032 | PATCH | RHEL 8 must disable the user list at logon for graphical user interfaces." + copy: + dest: /etc/dconf/db/local.d/02-login-screen_rhel_08_020032 + content: | + [org/gnome/login-screen] + disable-user-list=true + when: + - rhel_08_020032 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020032 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244536r743857_rule + - V-244536 + - dconf + +- name: "MEDIUM | RHEL-08-020039 | PATCH | RHEL 8 must have the tmux package installed." + package: + name: tmux + state: present + when: + - rhel_08_020032 + - "'tmux' not in ansible_facts.packages" + tags: + - RHEL-08-020039 + - CAT2 + - CCI-000056 + - SRG-OS-000028-GPOS-00009 + - SV-244537r743860_rule + - V-244537 + - tmux + +- name: "MEDIUM | RHEL-08-020081 | PATCH | RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface." + copy: + dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081 + content: | + /org/gnome/desktop/session/idle-delay + mode: '0644' + notify: dconf update + when: + - rhel_08_020081 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020081 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-244538r743863_rule + - V-244538 + +- name: "MEDIUM | RHEL-08-020082 | PATCH | RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." 
+ copy: + dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082 + content: | + /org/gnome/desktop/screensaver/lock-enabled + mode: '0644' + notify: dconf update + when: + when: + - rhel_08_020082 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020082 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-244539r743866_rule + - V-244539 + - dconf + +- name: "MEDIUM | RHEL-08-030181 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." + service: + name: auditd + state: started + enabled: true + when: + - rhel_08_030181 + tags: + - RHEL-08-030181 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-244542r743875_rule + - V-244542 + - auditd + +- name: "MEDIUM | RHEL-08-030731 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization." 
+ lineinfile: + path: /etc/audit/auditd.conf + regexp: '^space_left_action =' + line: 'space_left_action = EMAIL' + when: + - rhel_08_030731 + tags: + - RHEL-08-030731 + - CAT2 + - CCI-001855 + - SRG-OS-000343-GPOS-00134 + - SV-244543r743878_rule + - V-244543 + - auditd + +- name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8" + block: + - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Install firewalld if needed" + package: + name: firewalld + state: present + when: "'firewalld' not in ansible_facts.packages" + + - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Enable the service" + systemd: + name: firewalld + state: started + enabled: true + when: + - rhel_08_040101 + - rhel8stig_firewall_service == "firewalld" + tags: + - RHEL-08-040101 + - CAT2 + - CCI-002314 + - SRG-OS-000297-GPOS-00115 + - SV-244544r743881_rule + - V-244544 + - firewalld + - firewall + +- name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled." + systemd: + name: fapolicyd + state: started + enabled: true + when: + - rhel_08_040136 + tags: + - RHEL-08-040136 + - CAT2 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-244545r743884_rule + - V-244545 + - fapolicy + +- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." + block: + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy whitelist " + lineinfile: + path: /etc/fapolicyd/fapolicyd.rules + line: "{{ item }}" + with_items: + - "{{ rhel8stig_fapolicy_white_list }}" + + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" + lineinfile: + path: /etc/fapolicyd/fapolicyd.conf + regexp: '^permissive =' + line: 'permissive = 0' + when: + - rhel_08_040137 + tags: + - RHEL-08-040137 + - CAT2 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-244546r743887_rule + - V-244546 + - fapolicy \ No newline at end of file diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bc36c967..c907f621 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -454,3 +454,7 @@ when: modify_secontext.changed when: - rhel_08_020017 + +- name: "PRELIM | Section 1.1 | Create list of mount points" + set_fact: + mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" From 3ef65a4feea4f1129b3d0e83c2784fb579cbcea2 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 28 Sep 2021 14:39:53 -0400 Subject: [PATCH 11/21] finish initial adding of updates Signed-off-by: George Nalen --- defaults/main.yml | 5 ++ tasks/fix-cat2.yml | 143 ++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 147 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2f0fe949..905dbd6a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
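Review bot: The new `mount_names` fact carries no `tags:`, so a tag-filtered run (for example `--tags RHEL-08-010544`) skips this prelim task and the consumer's `when: "'/var/tmp' not in mount_names"` in a later commit of this series fails on an undefined variable; `tags: - always` on this task avoids that, unless the enclosing part of prelim.yml is already wrapped in an always-tagged block (its surrounding structure is outside the hunk). The name `PRELIM | Section 1.1 | Create list of mount points` uses CIS-style section numbering that does not match this role's STIG control naming; `PRELIM | RHEL-08-010544 | Create list of mount points` names the control that uses the fact.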
@@ -481,6 +481,11 @@ rhel8stig_smartcarddriver: cackey # IPv6 required rhel8stig_ipv6_required: true +# RHEL-08-010001 +# rhel8stig_av_sftw is the AV software package. When set to mcafee it enables the check for these packages +# When set to anything other than mcafee it will skip this control assuming localized threat prevention management +rhel8stig_av_sftw: mcafee + # RHEL-08-010210 # rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to. # To conform to STIG standards this needs to be 0640 or more restrictive diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3bc78227..737f0d96 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -7597,4 +7597,145 @@ - SRG-OS-000368-GPOS-00154 - SV-244546r743887_rule - V-244546 - - fapolicy \ No newline at end of file + - fapolicy + +- name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted." + block: + - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects value 0 active" + sysctl: + name: net.ipv4.conf.default.accept_redirect + state: present + value: '0' + notify: change_requires_reboot + + - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects default value to 0 config" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.default.accept_redirect=' + line: 'net.ipv4.conf.default.accept_redirect=0' + when: + - rhel_08_040209 + - CAT2 + - CI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244550r743899_rule + - V-244550 + - ipv4 + +- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets." + block: + - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Set accept_source_route in sysctl" + sysctl: + name: net.ipv4.conf.all.accept_source_route + state: present + value: '0' + notify: change_requires_reboot + + - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Set accept_source_route default value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.all.accept_source_routes=' + line: 'net.ipv4.conf.all.accept_source_route=0' + when: + - rhel_08_040239 + tags: + - RHEL-08-040239 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244551r743902_rule + - V-244551 + - ip4 + +- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default." 
+ block: + - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route in sysctl" + sysctl: + name: net.ipv4.conf.default.accept_source_route + state: present + value: '0' + notify: change_requires_reboot + + - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.default.accept_source_route=' + line: 'net.ipv4.conf.default.accept_source_route=0' + when: + - rhel_08_040249 + tags: + - RHEL-08-040249 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244552r743905_rule + - V-244552 + - ipv4 + +- name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages." + block: + - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Set accept_redirects in sysctl" + sysctl: + name: net.ipv4.conf.all.accept_redirects + state: present + value: '0' + + - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Set accept_redirects value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.all.accept_redirects=' + line: 'net.ipv4.conf.all.accept_redirects=0' + when: + - rhel_08_040279 + tags: + - RHEL-08-040279 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244553r743908_rule + - V-244553 + - ipv4 + +- name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler." 
+ lineinfile: + path: /etc/sysctl.conf + regexp: '^net.core.bpf_jit_harden=' + line: 'net.core.bpf_jit_harden=2' + notify: sysctl system + when: + - rhel_08_040286 + tags: + - RHEL-08-040286 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244554r743911_rule + - V-244554 + +- name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool." + block: + - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee" + debug: + msg: + - "ALERT! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" + - "McAfee is the suggested by STIG" + when: + - "'mcafeetp' not in ansible_facts.packages or + "'mfetpd' not in ansible_facts.packages + + - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present" + debug: + msg: "Congratulations! You have McAfee installed" + when: + - "'mcafeetp' in ansible_facts.packages or + "'mfetpd' in ansible_facts.packages + when: + - rhel_08_040286 + - rhel8stig_av_sftw == 'mcafee' + tags: + - RHEL-08-010001 + - CAT2 + - CCI-001233 + - SRG-OS-000191-GPOS-00080 + - SV-245540r754730_rule + - V-245540 \ No newline at end of file From df0b7c8a4e01b8de3bff93bef10080f5cb1e4d70 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 30 Sep 2021 09:30:34 -0400 Subject: [PATCH 12/21] Fixed linting issues and layout adjustments Signed-off-by: George Nalen --- defaults/main.yml | 1 - site.yml | 6 +- tasks/fix-cat1.yml | 6 +- tasks/fix-cat2.yml | 1824 ++++++++++++++++++-------------------------- tasks/fix-cat3.yml | 2 +- tasks/prelim.yml | 2 +- testing.yml | 11 - 7 files changed, 745 insertions(+), 1107 deletions(-) delete mode 100644 testing.yml diff --git a/defaults/main.yml b/defaults/main.yml index 905dbd6a..27239908 100644 
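Review bot: RHEL-08-040209 has no `tags:` key, so its tag list (`CAT2`, `CI-000366`, `SV-244550r743899_rule`, …) sits under `when:` and is evaluated as conditionals on undefined variables; insert `tags:` after `- rhel_08_040209` and correct the typo to `CCI-000366`. The sysctl key in that task is also misspelled: the kernel parameter is `net.ipv4.conf.default.accept_redirects`, so the `sysctl` name and the `/etc/sysctl.conf` regexp and line all need the plural. In RHEL-08-040239 the regexp `^net.ipv4.conf.all.accept_source_routes=` never matches the line the task writes (`net.ipv4.conf.all.accept_source_route=0`), so every run appends another line — drop the `s` from the regexp, and its `ip4` tag differs from the `ipv4` tag the sibling tasks use. The RHEL-08-040279 sysctl task is the only one of the four without `notify: change_requires_reboot`, and the RHEL-08-010001 `when` strings are split across two lines with unbalanced quotes, which will not parse.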
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -163,7 +163,6 @@ rhel_08_010422: true rhel_08_010423: true rhel_08_010430: true rhel_08_010450: true -rhel_08_010472: true rhel_08_010480: true rhel_08_010490: true rhel_08_010500: true diff --git a/site.yml b/site.yml index f3207c8b..379549f7 100644 --- a/site.yml +++ b/site.yml @@ -1,11 +1,7 @@ --- - hosts: all become: true - vars: - is_container: false roles: + - role: "{{ playbook_dir }}" - rhel8cis_system_is_container: "{{ is_container | default(false) }}" - rhel8cis_skip_for_travis: false - rhel8cis_oscap_scan: yes diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index f7d24436..b15a8aad 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -20,9 +20,9 @@ package: name: dracut-fips state: present - notify: - - rebuild initramfs - - change_requires_reboot + notify: + - rebuild initramfs + - change_requires_reboot when: "'dracut-fips' not in ansible_facts.packages" - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 737f0d96..ea8ba4bd 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -1,5 +1,31 @@ --- +- name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool." + block: + - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee" + debug: + msg: + - "ALERT! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" + - "McAfee is the suggested by STIG" + when: + - "'mcafeetp' or 'mfetpd' not in ansible_facts.packages" + + - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present" + debug: + msg: "Congratulations! You have McAfee installed" + when: + - "'mcafeetp' or 'mfetpd' in ansible_facts.packages" + when: + - rhel_08_040286 + - rhel8stig_av_sftw == 'mcafee' + tags: + - RHEL-08-010001 + - CAT2 + - CCI-001233 + - SRG-OS-000191-GPOS-00080 + - SV-245540r754730_rule + - V-245540 + - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." package: name: "*" 
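Review bot: The conditions `'mcafeetp' or 'mfetpd' not in ansible_facts.packages` and `'mcafeetp' or 'mfetpd' in ansible_facts.packages` parse as `'mcafeetp' or (…)`, and a non-empty string literal is always true, so both debug tasks fire on every host regardless of what is installed. Spell the membership test out per package: `- "'mcafeetp' not in ansible_facts.packages or 'mfetpd' not in ansible_facts.packages"` for the alert, and the complementary `and` form for the "present" case so the two tasks are mutually exclusive. The block-level `when` also gates this control on `rhel_08_040286` (the BPF JIT toggle) instead of `rhel_08_010001`, which is the variable added to defaults for it.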
@@ -79,6 +105,28 @@ - V-230225 - V-230227 +- name: "MEDIUM | RHEL-08-010049 | PATCH | RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon" + lineinfile: + path: /etc/dconf/db/local.d/01-banner-message + regexp: 'banner-message-enabled=' + line: banner-message-enable=true + create: true + mode: '0644' + owner: root + group: root + insertafter: '[org/gnome/login-screen]' + notify: dconf update + when: + - rhel_08_010049 + tags: + - RHEL-08-010049 + - CAT2 + - CCI-000048 + - SRG-OS-000023-GPOS-00006 + - SV-244519r743806_rule + - V-244519 + - banner + - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." copy: dest: /etc/dconf/db/local.d/01-banner-message @@ -106,7 +154,6 @@ - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." lineinfile: path: /etc/rsyslog.conf - # regexp: "{{ item.regexp }}" line: "auth.*;authpriv.*;daemon.* /var/log/secure" create: yes mode: '0644' 
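Review bot: In RHEL-08-010049 the regexp `banner-message-enabled=` cannot match the line the task writes, `banner-message-enable=true`, so every run appends another copy; make them agree, e.g. `regexp: '^banner-message-enable='`. `insertafter: '[org/gnome/login-screen]'` is a regex in which the brackets form a character class matching any single one of those characters, i.e. almost any line in the file; escape it as `insertafter: '^\[org/gnome/login-screen\]'`. The next task (RHEL-08-010050, in the context below) copies a whole file to the same `01-banner-message` path, so unless its content already carries this key the copy overwrites what lineinfile added — confirm the intended order or fold the key into that content.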
@@ -239,6 +286,52 @@ - V-230233 - pamd +- name: "MEDIUM | RHEL-08-010131 | PATCH | The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds." + pamd: + name: system-auth + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" + state: args_present + when: + - rhel_08_010131 + tags: + - RHEL-08-010131 + - CAT2 + - CCI-000196 + - SRG-OS-000073-GPOS-00041 + - SV-244520r743809_rule + - V-244520 + - pamd + +- name: | + "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." + "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." + lineinfile: + dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + notify: confirm grub2 user cfg + with_items: + - { regexp: '^set superusers', line: 'set superusers="{{ rhel8stig_boot_superuser }}"', insertafter: '### BEGIN /etc/grub.d/01_users ###' } + - { regexp: '^export superusers', line: 'export superusers', insertafter: '^set superusers' } + - { regexp: '^password_pbkdf2', line: 'password_pbkdf2 {{ rhel8stig_boot_superuser }} ${GRUB2_PASSWORD}', insertafter: '^export superusers' } + when: + - rhel_08_010141 or + rhel_08_010141 + tags: + - RHEL-08-010141 + - RHEL-08-010149 + - CAT2 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-244521r743812_rule + - SV-244522r743815_rule + - V-244521 + - V-244522 + - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." lineinfile: path: /usr/lib/systemd/system/rescue.service 
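Review bot: The `when` for the grub superuser task reads `rhel_08_010141 or rhel_08_010141`, repeating the same variable; the second operand should be `rhel_08_010149` so the BIOS control's toggle actually gates it, matching the two tags listed below — as written, disabling `rhel_08_010149` alone has no effect. The task edits the generated `grub.cfg` directly, which grub2-mkconfig rewrites; if the `confirm grub2 user cfg` handler does not re-apply these lines, the setting may not survive a kernel update — a comment above the task stating where the durable copy lives would help the next maintainer.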
@@ -259,6 +352,45 @@ - V-230236 - systemd +- name: "MEDIUM | RHEL-08-010152 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency mode." + lineinfile: + path: /usr/lib/systemd/system/emergency.service + regexp: '^ExecStart=' + line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel_08_010152 + tags: + - RHEL-08-010152 + - CAT2 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-244523r743818_rule + - V-244523 + - systemd + +- name: "MEDIUM | RHEL-08-010159 | PATCH | The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." + pamd: + name: system-auth + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: sha512 + state: args_present + when: + - rhel_08_010159 + tags: + - RHEL-08-010159 + - CAT2 + - CCI-000803 + - SRG-OS-000120-GPOS-00061 + - SV-244524r743821_rule + - V-244524 + - pamd + - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." pamd: name: password-auth" @@ -416,6 +548,24 @@ - V-230244 - ssh +- name: "MEDIUM | RHEL-08-010201 | PATCH | The RHEL 8 SSH daemon must be configured with a timeout interval" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?ClientAliveInterval.*' + line: ClientAliveCountMax 0 + notify: restart sshd + when: + - rhel_08_010201 + - rhel8stig_ssh_required + tags: + - RHEL-08-010201 + - CAT2 + - CCI-001133 + - SRG-OS-000163-GPOS-00072 + - SV-244525r743824_rule + - V-244525 + - ssh + - name: | "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." 
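Review bot: RHEL-08-010152 writes `mode: 0644` as a bare scalar while the rest of this file quotes modes (`mode: '0644'`); Ansible accepts the leading-zero form, but yamllint flags it and a future edit that drops the zero would silently turn it into decimal 644. Quote it as `mode: '0644'`, and use `create: true` rather than `create: yes` to match the `true`/`false` style used in the rest of this commit.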
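Review bot: RHEL-08-010201's regexp `(?i)^#?ClientAliveInterval.*` matches the interval directive, but the line written is `ClientAliveCountMax 0`, so the task replaces ClientAliveInterval with a duplicate CountMax setting and the timeout interval this rule is about is never configured. The line should set the interval — `line: ClientAliveInterval 600` per the benchmark fix text, confirm the value — while the CountMax setting stays with RHEL-08-010200 in the context above.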
@@ -444,71 +594,256 @@ - V-230247 - permissions -- name: | - "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." - "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." - file: - path: /var/log - owner: root - group: root - mode: "{{ rhel8stig_var_log_perm }}" +- name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file." + block: + - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set preauth" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + + - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + + - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. 
| Set account faillock" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd when: - - rhel_08_010240 or - rhel_08_010250 or - rhel_08_010260 + - rhel_08_020025 tags: + - RHEL-08-020025 - CAT2 - - RHEL-08-010240 - - RHEL-08-010250 - - RHEL-08-010260 - - CCI-001314 - - SRG-OS-000206-GPOS-00084 - - SV-230248r627750_rule - - SV-230249r627750_rule - - SV-230250r627750_rule - - V-230248 - - V-230249 - - V-230250 - - permissions + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-244533r743848_rule + - V-244533 + - pamd -- name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms." - "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections." +- name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file." block: - - name: | - "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" - "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Get current FIPS mode state" - command: fips-mode-setup --check - changed_when: false - failed_when: false - register: rhel_08_010290_pre_fips_check + - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. 
| Set preauth" + lineinfile: + path: /etc/pam.d/password-auth + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd - - name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" - "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Enable FIPS" - command: fips-mode-setup --enable - register: rhel_08_010290_fips_enable - notify: change_requires_reboot - when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' + - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set authfail" + lineinfile: + path: /etc/pam.d/password-auth + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd - - name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" - "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. 
| Add ssh ciphers" + - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set account faillock" lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: '^CRYPTO_POLICY=' - line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' - notify: change_requires_reboot + path: /etc/pam.d/password-auth + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd when: - - rhel_08_010290 or - rhel_08_010291 + - rhel_08_020026 tags: + - RHEL-08-020026 - CAT2 - - RHEL-08-010290 - - RHEL-08-010291 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-244534r743851_rule + - V-244534 + - pamd + +- name: "MEDIUM | RHEL-08-020031 | PATCH | RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated." + copy: + dest: /etc/dconf/db/local.d/00-screensaver_rhel_08_020031 + content: | + [org/gnome/desktop/screensaver] + lock-delay=uint32 5 + mode: '0644' + notify: dconf update + when: + - rhel_08_020031 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020031 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-244535r743854_rule + - V-244535 + - dconf + +- name: "MEDIUM | RHEL-08-020032 | PATCH | RHEL 8 must disable the user list at logon for graphical user interfaces." + copy: + dest: /etc/dconf/db/local.d/02-login-screen_rhel_08_020032 + content: | + [org/gnome/login-screen] + disable-user-list=true + mode: '0644' + when: + - rhel_08_020032 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020032 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244536r743857_rule + - V-244536 + - dconf + +- name: "MEDIUM | RHEL-08-020039 | PATCH | RHEL 8 must have the tmux package installed." 
+ package: + name: tmux + state: present + when: + - rhel_08_020032 + - "'tmux' not in ansible_facts.packages" + tags: + - RHEL-08-020039 + - CAT2 + - CCI-000056 + - SRG-OS-000028-GPOS-00009 + - SV-244537r743860_rule + - V-244537 + - tmux + +- name: | + "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." + "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." + file: + path: /var/log + owner: root + group: root + mode: "{{ rhel8stig_var_log_perm }}" + when: + - rhel_08_010240 or + rhel_08_010250 or + rhel_08_010260 + tags: + - CAT2 + - RHEL-08-010240 + - RHEL-08-010250 + - RHEL-08-010260 + - CCI-001314 + - SRG-OS-000206-GPOS-00084 + - SV-230248r627750_rule + - SV-230249r627750_rule + - SV-230250r627750_rule + - V-230248 + - V-230249 + - V-230250 + - permissions + +- name: "MEDIUM | RHEL-08-020081 | PATCH | RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface." + copy: + dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081 + content: | + /org/gnome/desktop/session/idle-delay + mode: '0644' + notify: dconf update + when: + - rhel_08_020081 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020081 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-244538r743863_rule + - V-244538 + +- name: "MEDIUM | RHEL-08-020082 | PATCH | RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." 
+ copy: + dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082 + content: | + /org/gnome/desktop/screensaver/lock-enabled + mode: '0644' + notify: dconf update + when: + - rhel_08_020082 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020082 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-244539r743866_rule + - V-244539 + - dconf + +- name: "MEDIUM | RHEL-08-010287 | PATCH | The RHEL 8 SSH daemon must be configured to use system-wide crypto policies." + lineinfile: + path: /etc/sysconfig/sshd + regexp: '^CRYPTO_POLICY=' + line: '# CRYPTO_POLICY=' + notify: change_requires_reboot + when: + - rhel_08_010287 + tags: + - RHEL-08-010287 + - CAT2 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-244526r743827_rule + - V-244526 + - ssh + +- name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms." + "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections." + block: + - name: | + "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" + "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Get current FIPS mode state" + command: fips-mode-setup --check + changed_when: false + failed_when: false + register: rhel_08_010290_pre_fips_check + + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. 
| Enable FIPS" + "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Enable FIPS" + command: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: change_requires_reboot + when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' + + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" + "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers" + lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '^CRYPTO_POLICY=' + line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' + notify: change_requires_reboot + when: + - rhel_08_010290 or + rhel_08_010291 + tags: + - CAT2 + - RHEL-08-010290 + - RHEL-08-010291 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 - SV-230251r743937_rule - SV-230252r743940_rule - V-230251 @@ -838,16 +1173,7 @@ - V-230272 - sudoers -# !!!!!New version does not have GUI packages included in fix text. I removed it for now but I might add it back later - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." - # block: - # - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" - # package: - # name: esc - # state: present - # when: rhel8stig_gui - - # - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" package: name: openssl-pkcs11 state: present 
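Review bot: RHEL-08-020039 (tmux) is gated on `- rhel_08_020032` rather than `- rhel_08_020039`, so the user-list toggle decides whether tmux is installed; the fix is `- rhel_08_020039`. RHEL-08-010287's regexp `^CRYPTO_POLICY=` does not match the commented line it writes (`# CRYPTO_POLICY=`), so each run appends another comment line; use `regexp: '^#?\s*CRYPTO_POLICY='`. In the pam_faillock tasks `insertafter: '^auth'` inserts after the last matching line, which places `preauth` after `sufficient pam_unix.so`, so a correct password can succeed before the lockout check runs — `firstmatch: true` with an explicit anchor, or the `pamd` module already used for system-auth in this file, gives deterministic ordering; confirm against the resulting file. The RHEL-08-020025 task names read `8 must configure` where the sibling 020026 names say `RHEL 8 must configure`.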
@@ -1203,6 +1529,22 @@ - V-230291 - ssh +- name: "MEDIUM | RHEL-08-010522 | PATCH | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?GSSAPIAuthentication' + line: "GSSAPIAuthentication no" + when: + - rhel_08_010522 + tags: + - RHEL-08-010522 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244528r743833_rule + - V-244528 + - ssh + - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." debug: msg: "WARNING!!!! /tmp is not mounted on a separate partition" @@ -1224,6 +1566,30 @@ - mount - tmp +- name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." + block: + - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" + debug: + msg: "Warning! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" + register: var_tmp_mount_absent + changed_when: var_tmp_mount_absent.skipped is defined + when: "'/var/tmp' not in mount_names" + + - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Mount is present" + debug: + msg: "Congratulations: /var/tmp does exist." + when: "'/var/tmp' in mount_names" + when: + - rhel_08_010544 + tags: + - RHEL-08-010544 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244529r743836_rule + - V-244529 + - mounts + - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." lineinfile: path: /etc/ssh/sshd_config 
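Review bot: RHEL-08-010522 edits sshd_config but has no `notify: restart sshd` and no `rhel8stig_ssh_required` condition, unlike the RHEL-08-010201 sshd task in this same commit, so `GSSAPIAuthentication no` is written but not applied until something else restarts sshd. Add `notify: restart sshd` after `line:` and `- rhel8stig_ssh_required` under `when:` to match the other sshd tasks.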
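Review bot: `changed_when: var_tmp_mount_absent.skipped is defined` on the alert task is only evaluated when the task actually runs, and `skipped` is not set on a result that ran, so the alert is never reported as changed and a report keyed on changed tasks will not surface the finding; if the intent is to flag it, `changed_when: true` does that. The message also has a typo (`sperate`) and says `/var/tmp does not exist` when the check is for a separate mount — `/var/tmp is not a separate mount point` matches the `mount_names` test. `mount_names` comes from the prelim `set_fact` added earlier in this series; a comment on the block noting that dependency would help anyone running with `--tags`.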
@@ -1321,6 +1687,29 @@ - mounts - boot +- name: "MEDIUM | RHEL-08-010572 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory." + mount: + path: /boot/efi + state: mounted + src: "{{ boot_efi_mount.device }}" + fstype: "{{ boot_efi_mount.fstype }}" + opts: "{{ boot_efi_mount.options }},nosuid" + when: + - rhel_08_010572 + - ansible_mounts | selectattr('mount', 'match', '^/boot/efi$') | list | length != 0 + - "'nosuid' not in boot_efi_mount.options" + vars: + boot_efi_mount: "{{ ansible_mounts | json_query('[?mount == `/boot/efi`] | [0]') }}" + tags: + - RHEL-08-010572 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244530r743839_rule + - V-244530 + - mounts + - efi + - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." block: - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" @@ -1805,7 +2194,6 @@ with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search } - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' } - # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' } when: - not rhel8_stig_use_resolv_template - rhel_08_010680_networkmanager_check.stdout == '0' 
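Review bot: The RHEL-08-010572 task looks up the /boot/efi mount twice in two different ways — a `selectattr('mount', 'match', '^/boot/efi$')` test in `when` and a `json_query` in `vars` — and `json_query` needs the jmespath library on the controller, which nothing else in this hunk requires. Computing the entry once with the same idiom as the condition, `boot_efi_mount: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | first | default({}) }}"`, removes the extra dependency and keeps the two lookups from drifting apart.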
@@ -1984,16 +2372,52 @@ - V-230321 - permissions -- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." - file: - path: "{{ item.dir }}" - group: "{{ item.gid }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010740 +- name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive." + block: + - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files" + shell: "find {{ item }} -perm -750 ! -perm 750" + changed_when: false + failed_when: false + register: rhel_08_010731_files + with_items: + - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + + - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Bring files into compliance" + file: + path: "{{ item }}" + mode: "{{ rhel8stig_local_int_home_file_perms }}" + with_items: + - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" + when: rhel8stig_disruption_high + + - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files" + debug: + msg: + - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750." 
+ - "Please review the files to bring into STIG compliance" + - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" + when: not rhel8stig_disruption_high + when: + - rhel_08_010731 + tags: + - RHEL-08-010731 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244531r743842_rule + - V-244531 + - permissions + +- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." + file: + path: "{{ item.dir }}" + group: "{{ item.gid }}" + state: directory + with_items: "{{ rhel8stig_passwd }}" + loop_control: + label: "{{ rhel8stig_passwd_label }}" + when: + - rhel_08_010740 - (item.uid >= rhel8stig_interactive_uid_start|int) tags: - skip_ansible_lint @@ -2005,6 +2429,25 @@ - V-230322 - permissions +- name: "MEDIUM | RHEL-08-010741 | PATCH | RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." + file: + path: "{{ item.dir }}" + group: "{{ item.gid }}" + state: directory + recurse: true + with_items: "{{ rhel8stig_passwd }}" + when: + - rhel_08_010741 + - (item.uid >= rhel8stig_interactive_uid_start|int) + tags: + - RHEL-08-010741 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244532r743845_rule + - V-244532 + - permissions + - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." file: path: "{{ item.dir }}" 
@@ -2217,43 +2660,7 @@ - V-230332 - pamd -# !!!!!!Remove commented items. Leaveing incase they are referrenced later - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." - # block: - # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set deny in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^deny =|^\# deny =' 
@@ -2314,43 +2721,7 @@ - V-230334 - pamd -# !!!!!!!!!!!Remve commented items. Leaving for reference if used later - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." - # block: - # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set fail_interval in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^fail_interval =|^\# fail_interval =' 
@@ -2411,43 +2782,7 @@ - V-230336 - pamd -# !!!!!!!!!! Remove commented items. Leaving in as referrence if used later - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - # block: - # - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^unlock_time =|^\# unlock_time =' 
@@ -2508,43 +2843,7 @@ - V-230338 - pamd -# !!!!!!! Remove comments, leaving just as referrence if needed later - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist." - # block: - # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^dir =|^\# dir =' 
@@ -2605,43 +2904,7 @@ - V-230340 - pamd -# !!!!! Remove comments, leaving in as referrence if needed later - name: "MEDIUM | RHEL-08-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." - # block: - # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. 
| Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^silent|^\# silent' 
@@ -2702,43 +2965,7 @@ - V-230342 - pamd -# !!!!!! Remove comments, leaving in to referrence if needed later - name: "MEDIUM | RHEL-08-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." - # block: - # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. 
| Set audit in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^audit|^\# audit' 
@@ -2799,43 +3026,7 @@ - V-230344 - pamd -# !!!! - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - # block: - # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^even_deny_root|^\# even_deny_root' @@ -3053,7 +3244,7 @@ - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." block: - - name: ""MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Install tmux if needed" + - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Install tmux if needed" package: name: tmux state: present @@ -4307,6 +4498,22 @@ - dnf - auditd +- name: "MEDIUM | RHEL-08-030181 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." + service: + name: auditd + state: started + enabled: true + when: + - rhel_08_030181 + tags: + - RHEL-08-030181 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-244542r743875_rule + - V-244542 + - auditd + - name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." lineinfile: path: /etc/audit/rules.d/audit.rules 
@@ -5574,6 +5781,22 @@ - V-230483 - auditd +- name: "MEDIUM | RHEL-08-030731 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^space_left_action =' + line: 'space_left_action = EMAIL' + when: + - rhel_08_030731 + tags: + - RHEL-08-030731 + - CAT2 + - CCI-001855 + - SRG-OS-000343-GPOS-00134 + - SV-244543r743878_rule + - V-244543 + - auditd + - name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." lineinfile: path: /etc/chrony.conf 
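Review bot: The RHEL-08-030731 task writes `space_left_action = EMAIL` to /etc/audit/auditd.conf without notifying any handler, so the running auditd keeps its previous action until it is restarted or reloaded, and the play reports the control as applied. The EMAIL action also depends on `action_mail_acct` being set in the same file and on a working local mail path; neither is checked here, so a comment such as `# EMAIL relies on action_mail_acct (RHEL-08-030020) and a local MTA; auditd must be restarted to pick this up` above the task would spare the next operator a silent no-op.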
@@ -5827,6 +6050,32 @@ - firewall - "{{ rhel8stig_firewall_service }}" +- name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8" + block: + - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Install firewalld if needed" + package: + name: firewalld + state: present + when: "'firewalld' not in ansible_facts.packages" + + - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Enable the service" + systemd: + name: firewalld + state: started + enabled: true + when: + - rhel_08_040101 + - rhel8stig_firewall_service == "firewalld" + tags: + - RHEL-08-040101 + - CAT2 + - CCI-002314 + - SRG-OS-000297-GPOS-00115 + - SV-244544r743881_rule + - V-244544 + - firewalld + - firewall + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems." block: - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone" 
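Review bot: The RHEL-08-040101 block is skipped entirely when `rhel8stig_firewall_service` is anything other than `firewalld`, so on a host where the operator selected a different firewall the control is neither enforced nor flagged, even though the STIG only requires *a* firewall to be active. A debug/alert task for the non-firewalld branch, or a `systemd` task keyed on `"{{ rhel8stig_firewall_service }}"` as the existing tags already do, would close that gap. Placing the task after RHEL-08-040090 rather than before it would also keep the file in rule-ID order.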
@@ -6152,34 +6401,10 @@ - V-230522 - mounts -# !!!!! Remove comments, leaving for reference later - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be installed." package: name: fapolicyd state: present - # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" - # shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts - # changed_when: false - # failed_when: false - - # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy" - # service: - # name: fapolicyd - # state: started - # enabled: yes - - # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " - # lineinfile: - # path: /etc/fapolicyd/fapolicyd.rules - # line: "{{ item }}" - # with_items: - # - "{{ rhel8stig_fapolicy_white_list }}" - - # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" - # lineinfile: - # path: /etc/fapolicyd/fapolicyd.conf - # regexp: '^permissive =' - # line: 'permissive = 0' when: - rhel_08_040135 - "'fapolicyd' not in ansible_facts.packages" 
@@ -6192,6 +6417,47 @@ - V-230523 - fapolicyd +- name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled." + systemd: + name: fapolicyd + state: started + enabled: true + when: + - rhel_08_040136 + tags: + - RHEL-08-040136 + - CAT2 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-244545r743884_rule + - V-244545 + - fapolicy + +- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." + block: + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " + lineinfile: + path: /etc/fapolicyd/fapolicyd.rules + line: "{{ item }}" + with_items: + - "{{ rhel8stig_fapolicy_white_list }}" + + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" + lineinfile: + path: /etc/fapolicyd/fapolicyd.conf + regexp: '^permissive =' + line: 'permissive = 0' + when: + - rhel_08_040137 + tags: + - RHEL-08-040137 + - CAT2 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-244546r743887_rule + - V-244546 + - fapolicy + - name: | "MEDIUM | RHEL-08-040139 | PATCH | RHEL 8 must have the USBGuard installed." "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." @@ -6209,8 +6475,8 @@ shell: usbguard generate-policy > /etc/usbguard/rules.conf when: - rhel_08_040140 - - "'usbguard' in ansible_facts.packages" or - rhel_08_040139 + - rhel_08_040139 or + "'usbguard' in ansible_facts.packages" - name: "MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard. | Start/Enable service" service: 
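Review bot: RHEL-08-040137 appends the whitelist entries with a bare `lineinfile: line:` and then sets `permissive = 0`, but fapolicyd applies the first matching rule and, if the shipped rule file still ends in its catch-all deny, lines appended after it are never reached; the task also changes fapolicyd.rules and fapolicyd.conf without restarting the service that 040136 has just started, so the running daemon keeps its old policy. Use `insertbefore:` anchored on the final deny rule (or the rules.d drop-in mechanism, if the target release has it) and add a `notify` to a fapolicyd restart handler — none is visible in this hunk. The tag `fapolicy` also differs from the existing `fapolicyd` tag two lines above the hunk, so `--tags fapolicyd` will not select the new tasks.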
@@ -6219,8 +6485,8 @@ enabled: yes when: - rhel_08_040141 - - "'usbguard' in ansible_facts.packages" or - rhel_08_040139 + - rhel_08_040139 or + "'usbguard' in ansible_facts.packages" when: - rhel_08_040139 or rhel_08_040140 or @@ -6240,21 +6506,7 @@ - V-244548 - usbguard -# !!!!!!Remove comments. Leaving for future reference. - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." - # block: - # - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" - # package: - # name: nftables - # state: present - - # - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables" - # systemd: - # name: nftables - # state: started - # enabled: yes - - # - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" lineinfile: path: /etc/firewalld/firewalld.conf regexp: '^FirewallBackend=' @@ -6289,8 +6541,8 @@ state: started enabled: yes when: - - "'openssh-server' in ansible_facts.packages" or - rhel_08_040159 + - rhel_08_040159 or + "'openssh-server' in ansible_facts.packages" when: - rhel_08_040159 or rhel_08_040160 
@@ -6323,24 +6575,6 @@ - V-230527 - sshd -# !!!!!! Possibly remove, leaving for reference if needed -# - name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." -# lineinfile: -# path: /etc/ssh/ssh_config -# regexp: '(?i)^#?RekeyLimit' -# line: 'RekeyLimit 1G 1h' -# notify: restart sshd -# when: -# - rhel_08_040162 -# tags: -# - RHEL-08-040162 -# - CAT2 -# - CCI-000068 -# - SRG-OS-000033-GPOS-00014 -# - SV-230528r627750_rule -# - V-230528 -# - sshd - - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." systemd: name: debug-shell.service 
@@ -6359,7 +6593,31 @@ - V-230532 - debug-shell -# !!!!!!!! Remove comments, leaving there for reference. +- name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted." + block: + - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects value 0 active" + sysctl: + name: net.ipv4.conf.default.accept_redirect + state: present + value: '0' + notify: change_requires_reboot + + - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects default value to 0 config" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.default.accept_redirect=' + line: 'net.ipv4.conf.default.accept_redirect=0' + when: + - rhel_08_040209 + tags: + - RHEL-08-040209 + - CAT2 + - CI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244550r743899_rule + - V-244550 + - ipv4 + - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted." block: - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" 
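Review bot: RHEL-08-040209 sets the sysctl `net.ipv4.conf.default.accept_redirect`, which is not a kernel key — the key is `net.ipv4.conf.default.accept_redirects` — so the sysctl module fails on every host and the IPv4 redirect control is never applied; the lineinfile regexp and line carry the same misspelling, and the tag `CI-000366` should be `CCI-000366` as in every sibling task. The three lines become `name: net.ipv4.conf.default.accept_redirects`, `regexp: '^net.ipv4.conf.default.accept_redirects='` and `line: 'net.ipv4.conf.default.accept_redirects=0'`.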
@@ -6368,18 +6626,12 @@ state: present value: '0' notify: change_requires_reboot - # with_items: - # - net.ipv4.conf.default.accept_redirects - # - net.ipv6.conf.default.accept_redirects - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects default value to 0" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv6.conf.default.accept_redirects=' line: 'net.ipv6.conf.default.accept_redirects=0' - # with_items: - # - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } - # - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } when: - rhel_08_040210 - rhel8stig_ipv6_required @@ -6442,7 +6694,31 @@ - V-230537 - icmp -# !!!!!!Remove Comments, leaving for later reference. +- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets." + block: + - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Set accept_source_route in sysctl" + sysctl: + name: net.ipv4.conf.all.accept_source_route + state: present + value: '0' + notify: change_requires_reboot + + - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Set accept_source_route default value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.all.accept_source_routes=' + line: 'net.ipv4.conf.all.accept_source_route=0' + when: + - rhel_08_040239 + tags: + - RHEL-08-040239 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244551r743902_rule + - V-244551 + - ip4 + - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets." block: - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Set conf.all accept_source_route in sysctl" 
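Review bot: In RHEL-08-040239 the lineinfile `regexp: '^net.ipv4.conf.all.accept_source_routes='` (plural) does not match the `line: 'net.ipv4.conf.all.accept_source_route=0'` it is meant to replace, so an existing `net.ipv4.conf.all.accept_source_route=1` in /etc/sysctl.conf is left in place and the `=0` line is appended after it. Change the regexp to `regexp: '^net.ipv4.conf.all.accept_source_route='`. The tag `ip4` is also out of step with the `ipv4` tag used by the 040209 and 040249 tasks in this series.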
@@ -6451,18 +6727,12 @@ state: present value: '0' notify: change_requires_reboot - # with_items: - # - net.ipv4.conf.all.accept_source_route - # - net.ipv6.conf.all.accept_source_route - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Set conf.all accept_source_route default value to 0" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv6.conf.all.accept_source_route' line: 'net.ipv6.conf.all.accept_source_route=0' - # with_items: - # - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } - # - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } when: - rhel_08_040240 - rhel8stig_ipv6_required @@ -6475,6 +6745,31 @@ - V-230538 - icmp +- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default." + block: + - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route in sysctl" + sysctl: + name: net.ipv4.conf.default.accept_source_route + state: present + value: '0' + notify: change_requires_reboot + + - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.default.accept_source_route=' + line: 'net.ipv4.conf.default.accept_source_route=0' + when: + - rhel_08_040249 + tags: + - RHEL-08-040249 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244552r743905_rule + - V-244552 + - ipv4 + - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default." block: - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Set conf.default accept_source_route in sysctl" 
@@ -6483,18 +6778,12 @@ state: present value: '0' notify: change_requires_reboot - # with_items: - # - net.ipv4.conf.default.accept_source_route - # - net.ipv6.conf.default.accept_source_route - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Set conf.default accept_source_route value to 0" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv6.conf.default.accept_source_route' line: 'net.ipv6.conf.default.accept_source_route=0' - # with_items: - # - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } - # - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } when: - rhel_08_040250 - rhel8stig_ipv6_required 
@@ -6627,7 +6916,30 @@ - V-230543 - icmp -# !!!!!!!! Remove comments, leaving for reference. +- name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages." + block: + - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Set accept_redirects in sysctl" + sysctl: + name: net.ipv4.conf.all.accept_redirects + state: present + value: '0' + + - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Set accept_redirects value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.all.accept_redirects=' + line: 'net.ipv4.conf.all.accept_redirects=0' + when: + - rhel_08_040279 + tags: + - RHEL-08-040279 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244553r743908_rule + - V-244553 + - ipv4 + - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages." block: - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" @@ -6636,18 +6948,12 @@ state: present value: '0' notify: change_requires_reboot - # with_items: - # - net.ipv4.conf.all.accept_redirects - # - net.ipv6.conf.all.accept_redirects - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv6.conf.all.accept_redirects' line: 'net.ipv6.conf.all.accept_redirects=0' - # with_items: - # - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } - # - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } when: - rhel_08_040280 - rhel8stig_ipv6_required 
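Review bot: The sysctl task inside the new RHEL-08-040279 block has no `notify: change_requires_reboot`, unlike the other sysctl tasks added in this series (RHEL-08-040209, -040239, -040249) and the IPv6 counterpart RHEL-08-040280 immediately below it, so this is the one redirect/source-route control whose change is not flagged to the reboot handler. Add `notify: change_requires_reboot` after `value: '0'` in the `Set accept_redirects in sysctl` task to keep the block consistent with its siblings.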
@@ -6751,6 +7057,22 @@ - V-230549 - sysctl +- name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler." + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.core.bpf_jit_harden=' + line: 'net.core.bpf_jit_harden=2' + notify: sysctl system + when: + - rhel_08_040286 + tags: + - RHEL-08-040286 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244554r743911_rule + - V-244554 + - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction" command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" when: 
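Review bot: The new RHEL-08-040286 task only edits /etc/sysctl.conf with `lineinfile` and depends on a `notify: sysctl system` handler, whereas the other sysctl-based controls in this series use the `sysctl` module with `state: present`, which sets the running value and persists it in one step, and notify `change_requires_reboot`. If the `sysctl system` handler is not defined in the role (it is not visible in this patch), the running kernel keeps its old `bpf_jit_harden` value until reboot while the task reports success. Consider replacing the `lineinfile` with `sysctl: {name: net.core.bpf_jit_harden, state: present, value: '2'}` and the same `notify` the sibling tasks use.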
@@ -7071,671 +7393,3 @@ - SV-237643r646899_rule - V-237643 - sudo -# ----------------NEW------------ -- name: "MEDIUM | RHEL-08-010049 | PATCH | RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon" - lineinfile: - path: /etc/dconf/db/local.d/01-banner-message - regexp: 'banner-message-enabled=' - line: banner-message-enable=true - create: true - mode: '0644' - owner: root - group: root - insertafter: '[org/gnome/login-screen]' - notify: dconf update - when: - - rhel_08_010049 - tags: - - RHEL-08-010049 - - CAT2 - - CCI-000048 - - SRG-OS-000023-GPOS-00006 - - SV-244519r743806_rule - - V-244519 - - banner - -- name: "MEDIUM | RHEL-08-010131 | PATCH | The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds." - pamd: - name: system-auth - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" - state: args_present - when: - - rhel_08_010131 - tags: - - RHEL-08-010131 - - CAT2 - - CCI-000196 - - SRG-OS-000073-GPOS-00041 - - SV-244520r743809_rule - - V-244520 - - pamd - -- name: | - "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." - "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." 
- lineinfile: - dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - notify: confirm grub2 user cfg - with_items: - - { regexp: '^set superusers', line: 'set superusers="{{ rhel8stig_boot_superuser }}"', insertafter: '### BEGIN /etc/grub.d/01_users ###' } - - { regexp: '^export superusers', line: 'export superusers', insertafter: '^set superusers' } - - { regexp: '^password_pbkdf2', line: 'password_pbkdf2 {{ rhel8stig_boot_superuser }} ${GRUB2_PASSWORD}', insertafter: '^export superusers' } - when: - - rhel_08_010141 or - rhel_08_010141 - tags: - - RHEL-08-010141 - - RHEL-08-010149 - - CAT2 - - CCI-000213 - - SRG-OS-000080-GPOS-00048 - - SV-244521r743812_rule - - SV-244522r743815_rule - - V-244521 - - V-244522 - -- name: "MEDIUM | RHEL-08-010152 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency mode." - lineinfile: - path: /usr/lib/systemd/system/emergency.service - regexp: '^ExecStart=' - line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - create: yes - owner: root - group: root - mode: 0644 - when: - - rhel_08_010152 - tags: - - RHEL-08-010152 - - CAT2 - - CCI-000213 - - SRG-OS-000080-GPOS-00048 - - SV-244523r743818_rule - - V-244523 - - systemd - -- name: "MEDIUM | RHEL-08-010159 | PATCH | The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." 
- pamd: - name: system-auth - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: sha512 - state: args_present - when: - - rhel_08_010159 - tags: - - RHEL-08-010159 - - CAT2 - - CCI-000803 - - SRG-OS-000120-GPOS-00061 - - SV-244524r743821_rule - - V-244524 - - pamd - -- name: "MEDIUM | RHEL-08-010201 | PATCH | The RHEL 8 SSH daemon must be configured with a timeout interval" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?ClientAliveInterval.*' - line: ClientAliveCountMax 0 - notify: restart sshd - when: - - rhel_08_010201 - - rhel8stig_ssh_required - tags: - - RHEL-08-010201 - - CAT2 - - CCI-001133 - - SRG-OS-000163-GPOS-00072 - - SV-244525r743824_rule - - V-244525 - - ssh - -- name: "MEDIUM | RHEL-08-010287 | PATCH | The RHEL 8 SSH daemon must be configured to use system-wide crypto policies." - lineinfile: - path: /etc/sysconfig/sshd - regexp: '^CRYPTO_POLICY=' - line: '# CRYPTO_POLICY=' - notify: change_requires_reboot - when: - - rhel_08_010287 - tags: - - RHEL-08-010287 - - CAT2 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 - - SV-244526r743827_rule - - V-244526 - - ssh - -- name: "MEDIUM | RHEL-08-010522 | PATCH | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?GSSAPIAuthentication' - line: "GSSAPIAuthentication no" - when: - - rhel_08_010522 - tags: - - RHEL-08-010522 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244528r743833_rule - - V-244528 - - ssh - -- name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." - block: - - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" - debug: - msg: "Warning! /var/tmp does not exist, /var/tmp needs to use a sperate file system. 
This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is defined - when: "'/var/tmp' not in mount_names" - - - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Mount is present" - debug: - msg: "Congratulations: /var/tmp does exist." - when: "'/var/tmp' in mount_names" - when: - - rhel_08_010544 - tags: - - RHEL-08-010544 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244529r743836_rule - - V-244529 - - mounts - -- name: "MEDIUM | RHEL-08-010572 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory." - mount: - path: /boot/efi - state: mounted - src: "{{ boot_efi_mount.device }}" - fstype: "{{ boot_efi_mount.fstype }}" - opts: "{{ boot_efi_mount.options }},nosuid" - when: - - rhel_08_010572 - - ansible_mounts | selectattr('mount', 'match', '^/boot/efi$') | list | length != 0 - - "'nosuid' not in boot_efi_mount.options" - vars: - boot_efi_mount: "{{ ansible_mounts | json_query('[?mount == `/boot/efi`] | [0]') }}" - tags: - - RHEL-08-010572 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244530r743839_rule - - V-244530 - - mounts - - efi - -- name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files" - shell: "find {{ item }} -perm -750 ! -perm 750" - changed_when: false - failed_when: false - register: rhel_08_010731_files - with_items: - - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - - - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. 
| Bring files into compliance" - file: - path: "{{ item }}" - mode: "{{ rhel8stig_local_int_home_file_perms }}" - with_items: - - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" - when: rhel8stig_disruption_high - - - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files" - debug: - msg: - - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750." - - "Please review the files to bring into STIG compliance" - - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }} - when: not rhel8stig_disruption_high - when: - - rhel_08_010572 - tags: - - RHEL-08-010731 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244531r743842_rule - - V-244531 - - permissions - -- name: "MEDIUM | RHEL-08-010741 | PATCH | RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." - file: - path: "{{ item.dir }}" - group: "{{ item.gid }}" - state: directory - recurse: true - with_items: "{{ rhel8stig_passwd }}" - when: - - rhel_08_010572 - - (item.uid >= rhel8stig_interactive_uid_start|int) - tags: - - RHEL-08-010741 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244532r743845_rule - - V-244532 - - permissions - -- name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file." - block: - - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. 
| Set preauth" - lineinfile: - path: /etc/pam.d/system-auth - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - - - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail" - lineinfile: - path: /etc/pam.d/system-auth - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - - - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set account faillock" - lineinfile: - path: /etc/pam.d/system-auth - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - when: - - rhel_08_020025 - tags: - - RHEL-08-020025 - - CAT2 - - CCI-000044 - - SRG-OS-000021-GPOS-00005 - - SV-244533r743848_rule - - V-244533 - - pamd - -- name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file." - block: - - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. 
| Set preauth" - lineinfile: - path: /etc/pam.d/password-auth - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - - - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set authfail" - lineinfile: - path: /etc/pam.d/password-auth - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - - - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set account faillock" - lineinfile: - path: /etc/pam.d/password-auth - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - when: - - rhel_08_020026 - tags: - - RHEL-08-020026 - - CAT2 - - CCI-000044 - - SRG-OS-000021-GPOS-00005 - - SV-244534r743851_rule - - V-244534 - - pamd - -- name: "MEDIUM | RHEL-08-020031 | PATCH | RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated." 
- copy: - dest: /etc/dconf/db/local.d/00-screensaver_rhel_08_020031 - content: | - [org/gnome/desktop/screensaver] - lock-delay=uint32 5 - mode: '0644' - notify: dconf update - when: - - rhel_08_020026 - - rhel8stig_always_configure_dconf - - rhel8stig_gui - tags: - - RHEL-08-020031 - - CAT2 - - CCI-000057 - - SRG-OS-000029-GPOS-00010 - - SV-244535r743854_rule - - V-244535 - - dconf - -- name: "MEDIUM | RHEL-08-020032 | PATCH | RHEL 8 must disable the user list at logon for graphical user interfaces." - copy: - dest: /etc/dconf/db/local.d/02-login-screen_rhel_08_020032 - content: | - [org/gnome/login-screen] - disable-user-list=true - when: - - rhel_08_020032 - - rhel8stig_always_configure_dconf - - rhel8stig_gui - tags: - - RHEL-08-020032 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244536r743857_rule - - V-244536 - - dconf - -- name: "MEDIUM | RHEL-08-020039 | PATCH | RHEL 8 must have the tmux package installed." - package: - name: tmux - state: present - when: - - rhel_08_020032 - - "'tmux' not in ansible_facts.packages" - tags: - - RHEL-08-020039 - - CAT2 - - CCI-000056 - - SRG-OS-000028-GPOS-00009 - - SV-244537r743860_rule - - V-244537 - - tmux - -- name: "MEDIUM | RHEL-08-020081 | PATCH | RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface." - copy: - dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081 - content: | - /org/gnome/desktop/session/idle-delay - mode: '0644' - notify: dconf update - when: - - rhel_08_020081 - - rhel8stig_always_configure_dconf - - rhel8stig_gui - tags: - - RHEL-08-020081 - - CAT2 - - CCI-000057 - - SRG-OS-000029-GPOS-00010 - - SV-244538r743863_rule - - V-244538 - -- name: "MEDIUM | RHEL-08-020082 | PATCH | RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." 
- copy: - dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082 - content: | - /org/gnome/desktop/screensaver/lock-enabled - mode: '0644' - notify: dconf update - when: - when: - - rhel_08_020082 - - rhel8stig_always_configure_dconf - - rhel8stig_gui - tags: - - RHEL-08-020082 - - CAT2 - - CCI-000057 - - SRG-OS-000029-GPOS-00010 - - SV-244539r743866_rule - - V-244539 - - dconf - -- name: "MEDIUM | RHEL-08-030181 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." - service: - name: auditd - state: started - enabled: true - when: - - rhel_08_030181 - tags: - - RHEL-08-030181 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-244542r743875_rule - - V-244542 - - auditd - -- name: "MEDIUM | RHEL-08-030731 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization." 
- lineinfile: - path: /etc/audit/auditd.conf - regexp: '^space_left_action =' - line: 'space_left_action = EMAIL' - when: - - rhel_08_030731 - tags: - - RHEL-08-030731 - - CAT2 - - CCI-001855 - - SRG-OS-000343-GPOS-00134 - - SV-244543r743878_rule - - V-244543 - - auditd - -- name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8" - block: - - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Install firewalld if needed" - package: - name: firewalld - state: present - when: "'firewalld' not in ansible_facts.packages" - - - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Enable the service" - systemd: - name: firewalld - state: started - enabled: true - when: - - rhel_08_040101 - - rhel8stig_firewall_service == "firewalld" - tags: - - RHEL-08-040101 - - CAT2 - - CCI-002314 - - SRG-OS-000297-GPOS-00115 - - SV-244544r743881_rule - - V-244544 - - firewalld - - firewall - -- name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled." - systemd: - name: fapolicyd - state: started - enabled: true - when: - - rhel_08_040136 - tags: - - RHEL-08-040136 - - CAT2 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-244545r743884_rule - - V-244545 - - fapolicy - -- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." - block: - - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy whitelist " - lineinfile: - path: /etc/fapolicyd/fapolicyd.rules - line: "{{ item }}" - with_items: - - "{{ rhel8stig_fapolicy_white_list }}" - - - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" - lineinfile: - path: /etc/fapolicyd/fapolicyd.conf - regexp: '^permissive =' - line: 'permissive = 0' - when: - - rhel_08_040137 - tags: - - RHEL-08-040137 - - CAT2 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-244546r743887_rule - - V-244546 - - fapolicy - -- name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted." - block: - - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects value 0 active" - sysctl: - name: net.ipv4.conf.default.accept_redirect - state: present - value: '0' - notify: change_requires_reboot - - - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects default value to 0 config" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.default.accept_redirect=' - line: 'net.ipv4.conf.default.accept_redirect=0' - when: - - rhel_08_040209 - - CAT2 - - CI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244550r743899_rule - - V-244550 - - ipv4 - -- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets." - block: - - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. 
| Set accept_source_route in sysctl" - sysctl: - name: net.ipv4.conf.all.accept_source_route - state: present - value: '0' - notify: change_requires_reboot - - - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Set accept_source_route default value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.all.accept_source_routes=' - line: 'net.ipv4.conf.all.accept_source_route=0' - when: - - rhel_08_040239 - tags: - - RHEL-08-040239 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244551r743902_rule - - V-244551 - - ip4 - -- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default." - block: - - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route in sysctl" - sysctl: - name: net.ipv4.conf.default.accept_source_route - state: present - value: '0' - notify: change_requires_reboot - - - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.default.accept_source_route=' - line: 'net.ipv4.conf.default.accept_source_route=0' - when: - - rhel_08_040249 - tags: - - RHEL-08-040249 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244552r743905_rule - - V-244552 - - ipv4 - -- name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages." - block: - - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Set accept_redirects in sysctl" - sysctl: - name: net.ipv4.conf.all.accept_redirects - state: present - value: '0' - - - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. 
| Set accept_redirects value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.all.accept_redirects=' - line: 'net.ipv4.conf.all.accept_redirects=0' - when: - - rhel_08_040279 - tags: - - RHEL-08-040279 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244553r743908_rule - - V-244553 - - ipv4 - -- name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler." - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.core.bpf_jit_harden=' - line: 'net.core.bpf_jit_harden=2' - notify: sysctl system - when: - - rhel_08_040286 - tags: - - RHEL-08-040286 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244554r743911_rule - - V-244554 - -- name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool." - block: - - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee" - debug: - msg: - - "ALERT! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" - - "McAfee is the suggested by STIG" - when: - - "'mcafeetp' not in ansible_facts.packages or - "'mfetpd' not in ansible_facts.packages - - - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present" - debug: - msg: "Congratulations! You have McAfee installed" - when: - - "'mcafeetp' in ansible_facts.packages or - "'mfetpd' in ansible_facts.packages - when: - - rhel_08_040286 - - rhel8stig_av_sftw == 'mcafee' - tags: - - RHEL-08-010001 - - CAT2 - - CCI-001233 - - SRG-OS-000191-GPOS-00080 - - SV-245540r754730_rule - - V-245540 \ No newline at end of file diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 2c4a8e67..ed53bb28 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
@@ -129,7 +129,7 @@ "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service. LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" block: - - name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service + - name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" package: name: rng-tools state: present diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c907f621..68819373 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -448,7 +448,7 @@ shell: "semanage fcontext -m -t faillog_t -s system_u {{ rhel8stig_pam_faillock.dir }}" register: modify_secontext when: faillock_secontext.stdout != '1' - + - name: "PRELIM | RHEL-08-020017 | Set {{ rhel8stig_pam_faillock.dir }} selinux context" shell: "restorecon -irv {{ rhel8stig_pam_faillock.dir }}" when: modify_secontext.changed diff --git a/testing.yml b/testing.yml deleted file mode 100644 index f3207c8b..00000000 --- a/testing.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- hosts: all - become: true - vars: - is_container: false - - roles: - - role: "{{ playbook_dir }}" - rhel8cis_system_is_container: "{{ is_container | default(false) }}" - rhel8cis_skip_for_travis: false - rhel8cis_oscap_scan: yes From 817bce10f4cf2c8f705e63773eca0a690978b98e Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 15 Oct 2021 14:25:05 -0400 Subject: [PATCH 13/21] changes after testing Signed-off-by: George Nalen --- defaults/main.yml | 6 +-- tasks/fix-cat1.yml | 97 ++++++++++++++++++++++------------------------ tasks/fix-cat2.yml | 13 ++++--- tasks/prelim.yml | 3 +- 4 files changed, 58 insertions(+), 61 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 27239908..c7ed34db 100644 --- a/defaults/main.yml 
+++ b/defaults/main.yml @@ -697,10 +697,6 @@ rhel8stig_pam_pwhistory: remember: 5 retries: 3 -# !!!!!!!!! 020011 no longer uses dir, fail_for_root, interval, and unlock time. It only uses attempts, adjust these vars as needed -# !!!!!!!!! 020013 no longer uses attempts, unlock_time, fail_for_root, and dir. It only uses interval -# !!!!!!!!! 020015 no longer uses attempts, interval, fail_for_root, and dir. It only uses unlock_time -# !!!!!!!!! 020017 no longer uses attempts, interval, unlock_time, and fail_for_root. It only uses dir # RHEL-08-020010 # RHEL-08-020011 # RHEL-08-020012 @@ -821,7 +817,7 @@ rhel8stig_path_to_sshkey: "/root/.ssh/" rhel8stig_sshd_compression: "no" # now in prelim -rhel8stig_interactive_uid_start: 1000 +# rhel8stig_interactive_uid_start: '1000' # RHEL-08-030740 # rhel8stig_ntp_server_name is the name of the NTP server diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index b15a8aad..4246a6ff 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -1,6 +1,6 @@ --- -- name: "RHEL-08-010000 | HIGH | AUDIT | The RHEL 8 must be a vendor-supported release." +- name: "HIGH | RHEL-08-010000 | AUDIT | The RHEL 8 must be a vendor-supported release." debug: msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=') 
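Review bot: Commenting out `rhel8stig_interactive_uid_start: 1000` in the `@@ -821,7 +817,7 @@` hunk removes the only default for a variable the role compares against numeric uids, and the replacement comment shows the value as the quoted string `'1000'`; if prelim.yml now sets it as a string, Jinja2 comparisons such as `item.uid >= rhel8stig_interactive_uid_start` that lack an `| int` filter will raise a TypeError rather than select the interactive users. prelim.yml is not part of this hunk, so this is inferred from the comment. Either keep the integer default here so the fact set in prelim merely overrides it, or confirm that every comparison casts with `| int`.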
@@ -14,9 +14,9 @@ - SV-230221r743913_rule - V-230221 -- name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." +- name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" + - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" package: name: dracut-fips state: present 
@@ -25,7 +25,7 @@ - change_requires_reboot when: "'dracut-fips' not in ansible_facts.packages" - - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" + - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" command: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 @@ -34,7 +34,7 @@ - ansible_proc_cmdline.fips is not defined or (ansible_proc_cmdline.fips is defined and ansible_proc_cmdline.fips != '1') - - name: "RHEL-08-010020 | HIGH | PATCH | Disable prelinking." + - name: "HIGH | RHEL-08-010020 | PATCH | Disable prelinking." lineinfile: dest: /etc/sysconfig/prelink regexp: ^#?PRELINKING 
@@ -42,14 +42,14 @@ when: "'prelink' in ansible_facts.packages" notify: undo existing prelinking - - name: "RHEL-08-010020 | HIGH | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" + - name: "HIGH | RHEL-08-010020 | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub check_mode: no failed_when: no changed_when: rhel_08_010020_default_grub_missing_audit.rc > 0 register: rhel_08_010020_default_grub_missing_audit - - name: "RHEL-08-010020 | HIGH | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" + - name: "HIGH | RHEL-08-010020 | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline check_mode: no changed_when: no @@ -57,7 +57,7 @@ when: rhel_08_010020_default_grub_missing_audit is changed register: rhel_08_010020_grub_cmdline_linux_audit - - name: "RHEL-08-010020 | HIGH | PATCH | Copy over a sane /etc/default/grub" + - name: "HIGH | RHEL-08-010020 | PATCH | Copy over a sane /etc/default/grub" template: src: etc_default_grub.j2 dest: /etc/default/grub @@ -68,7 +68,7 @@ grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" when: rhel_08_010020_default_grub_missing_audit is changed - - name: "RHEL-08-010020 | HIGH | PATCH | fips=1 must be in /etc/default/grub" + - name: "HIGH | RHEL-08-010020 | PATCH | fips=1 must be in /etc/default/grub" replace: path: /etc/default/grub regexp: "{{ rhel8stig_regexp_quoted_params }}" @@ -85,7 +85,7 @@ - confirm grub2 user cfg - change_requires_reboot - - name: "RHEL-08-010020 | HIGH | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." + - name: "HIGH | RHEL-08-010020 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." replace: path: /etc/default/grub regexp: "{{ rhel8stig_regexp_quoted_params }}" 
@@ -105,7 +105,7 @@ notify: confirm grub2 user cfg register: result - - name: "RHEL-08-010020 | HIGH | AUDIT | Verify kernel parameters in /etc/default/grub" + - name: "HIGH | RHEL-08-010020 | AUDIT | Verify kernel parameters in /etc/default/grub" command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub check_mode: no with_items: 
@@ -137,12 +137,12 @@ - V-230223 - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." - "RHEL-08-010150 | HIGH |PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." + "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." + "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." block: - name: | - "RHEL-08-010140 | HIGH | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" - "RHEL-08-010150 | HIGH | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" + "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" + "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" lineinfile: path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg" create: yes 
@@ -169,25 +169,25 @@ - grub - bootloader -- name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." +- name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." block: - - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Dnf Default" + - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Dnf Default" lineinfile: path: /etc/dnf/dnf.conf regexp: '^gpgcheck=' line: gpgcheck=1 - - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Gather Repos" + - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos" find: paths: /etc/yum.repos.d pattern: '*.repo' register: rhel_08_010370_repos_files_list_full - - name: "RHEL-08-010370 | HIGH | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Flatten result" + - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Flatten result" set_fact: rhel_08_010370_repos_files_list: "{{ rhel_08_010370_repos_files_list_full.files | map(attribute='path') | flatten }}" - - name: "RHEL-08-010370 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Set gpgcheck" + - name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Set gpgcheck" lineinfile: path: "{{ item }}" regexp: '^gpgcheck' @@ -205,7 +205,7 @@ - V-230264 - yum -- name: "RHEL-08-010371 | HIGH | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." +- name: "HIGH | RHEL-08-010371 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." lineinfile: path: /etc/dnf/dnf.conf regexp: '^localpkg_gpgcheck=' @@ -221,7 +221,7 @@ - V-230265 - dnf -- name: "RHEL-08-010460 | HIGH | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system." +- name: "HIGH | RHEL-08-010460 | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system." file: path: /etc/ssh/shosts.equiv state: absent 
@@ -236,16 +236,16 @@ - V-230283 - shosts -- name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system." +- name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system." block: - - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files" + - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files" find: path: '/' recurse: yes patterns: '*.shosts' register: rhel_08_010470_shost_files - - name: "RHEL-08-010470 | HIGH | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files" + - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files" file: path: "{{ item.path }}" state: absent @@ -262,7 +262,7 @@ - V-230284 - shosts -- name: "RHEL-08-010820 | HIGH | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed." +- name: "HIGH | RHEL-08-010820 | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed." lineinfile: path: /etc/gdm/custom.conf regexp: (?i)automaticloginenable @@ -279,7 +279,7 @@ - SV-230329r627750_rule - V-230329 -- name: "RHEL-08-020330 | HIGH | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." +- name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitEmptyPasswords' 
@@ -297,14 +297,11 @@ - V-230380 - disruption_high -- name: "RHEL-08-020331 | HIGH | PATCH | RHEL 8 must not allow blank or null passwords in the system-auth file." +- name: "HIGH | RHEL-08-020331 | PATCH | RHEL 8 must not allow blank or null passwords in the system-auth file." replace: - path: etc/pam.d/system-auth + path: /etc/pam.d/system-auth regexp: ' nullok' replace: '' - with_items: - - /etc/pam.d/system-auth - - /etc/pam.d/password-auth when: - rhel_08_020331 tags: @@ -315,9 +312,9 @@ - SV-244540r743869_rule - V-244540 -- name: "RHEL-08-020332 | HIGH | RHEL 8 must not allow blank or null passwords in the password-auth file." +- name: "HIGH | RHEL-08-020332 | PATCH | RHEL 8 must not allow blank or null passwords in the password-auth file." replace: - path: etc/pam.d/password-auth + path: /etc/pam.d/password-auth regexp: ' nullok' replace: '' when: @@ -330,7 +327,7 @@ - SV-244541r743872_rule - V-244541 -- name: "RHEL-08-040000 | HIGH | PATCH | RHEL 8 must not have the telnet-server package installed." +- name: "HIGH | RHEL-08-040000 | PATCH | RHEL 8 must not have the telnet-server package installed." package: name: telnet-server state: absent @@ -345,7 +342,7 @@ - SV-230487r627750_rule - V-230487 -- name: "RHEL-08-040010 | HIGH | PATCH | RHEL 8 must not have the rsh-server package installed." +- name: "HIGH | RHEL-08-040010 | PATCH | RHEL 8 must not have the rsh-server package installed." package: name: rsh-server state: absent 
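Review bot: The `replace` against `/etc/pam.d/system-auth` (and `/etc/pam.d/password-auth` in the 020332 hunk that follows) edits the file in place, but on RHEL 8 those paths are typically authselect-managed symlinks, so the stripped ` nullok` may be silently restored the next time a profile is selected or `authselect apply-changes` runs; please confirm how the role expects this to persist. A comment on both tasks would save the next reader the same question, e.g. `# NOTE: authselect-managed file; the edit is lost if the profile is re-applied`. The `tags` list of the 020331 task continues outside the hunk.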
@@ -360,15 +357,15 @@ - SV-230492r627750_rule - V-230492 -- name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8." +- name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8." block: - - name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Mask ctrl-alt-del.target" + - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Mask ctrl-alt-del.target" systemd: name: ctrl-alt-del.target masked: yes notify: systemctl daemon-reload - - name: "RHEL-08-040170 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Create symlink to /dev/null" + - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Create symlink to /dev/null" file: src: /dev/null dest: /etc/systemd/system/ctrl-alt-del.target 
@@ -384,15 +381,15 @@ - SV-230529r627750_rule - V-230529 -- name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." +- name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." block: - - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" + - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" command: grep -s logout /etc/dconf/db/local.d/* changed_when: false failed_when: false register: rhel_08_040171_logout_settings_status - - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Add if missing" + - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Add if missing" lineinfile: path: /etc/dconf/db/local.d/00-disable-CAD regexp: "{{ item.regexp }}" @@ -407,7 +404,7 @@ - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' } when: rhel_08_040171_logout_settings_status.stdout | length == 0 - - name: "RHEL-08-040171 | HIGH | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" + - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" replace: path: "{{ rhel_08_040171_logout_settings_status.stdout }}" regexp: '^[L|l]ogout=.*' 
@@ -424,7 +421,7 @@ - SV-230530r646883_rule - V-230530 -- name: "RHEL-08-040172 | HIGH | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled." +- name: "HIGH | RHEL-08-040172 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled." lineinfile: path: /etc/systemd/system.conf regexp: '^CtrlAltDelBurstAction=|^#CtrlAltDelBurstAction=' @@ -440,7 +437,7 @@ - SV-230531r627750_rule - V-230531 -- name: "RHEL-08-040190 | HIGH | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." +- name: "HIGH | RHEL-08-040190 | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." package: name: tftp-server state: absent 
@@ -457,21 +454,21 @@ - V-230533 - tftp -- name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system." +- name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system." block: - - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0" + - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0" shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false failed_when: false register: rhel_08_040200_nonroot_uid - - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0" + - name: "HIGH | HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0" command: "passwd -l {{ item }}" with_items: - "{{ rhel_08_040200_nonroot_uid.stdout_lines }}" when: rhel_08_040200_nonroot_uid.stdout | length > 0 - - name: "RHEL-08-040200 | HIGH | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked" + - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked" debug: msg: - "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user" 
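Review bot: The renamed `Lock non-root account with UID of 0` sub-task reads `HIGH | HIGH | RHEL-08-040200 | PATCH | …`, duplicating the severity prefix that every sibling task in this block carries once; it should be `- name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0"`. Anything that filters or reports on task names by that prefix will otherwise treat this step differently from the rest. The enclosing block continues past the end of the hunk.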
@@ -489,7 +486,7 @@ - V-230534 - disruption_high -- name: "RHEL-08-040360 | HIGH | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." +- name: "HIGH | RHEL-08-040360 | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." package: name: vsftpd state: absent diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ea8ba4bd..10d3cdd5 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -393,7 +393,7 @@ - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." pamd: - name: password-auth" + name: password-auth type: password control: sufficient module_path: pam_unix.so @@ -2380,7 +2380,7 @@ failed_when: false register: rhel_08_010731_files with_items: - - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start|int) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Bring files into compliance" file: @@ -2436,9 +2436,12 @@ state: directory recurse: true with_items: "{{ rhel8stig_passwd }}" + loop_control: + label: "{{ rhel8stig_passwd_label }}" when: - rhel_08_010741 - (item.uid >= rhel8stig_interactive_uid_start|int) + - item.uid != 65534 tags: - RHEL-08-010741 - CAT2 
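Review bot: The new `loop_control.label` references `rhel8stig_passwd_label`, which no hunk in this series defines; if it is not set elsewhere (prelim, vars), every iteration of this task fails on an undefined variable rather than merely printing a shorter label. If the goal is only to shorten the loop output, a field the loop already uses would do, e.g. `label: "{{ item.dir }}"`, which the neighbouring `map(attribute='dir')` shows exists on these items. The task definition starts outside the hunk.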
@@ -6597,7 +6600,7 @@ block: - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects value 0 active" sysctl: - name: net.ipv4.conf.default.accept_redirect + name: net.ipv4.conf.default.accept_redirects state: present value: '0' notify: change_requires_reboot @@ -6605,8 +6608,8 @@ - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects default value to 0 config" lineinfile: path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.default.accept_redirect=' - line: 'net.ipv4.conf.default.accept_redirect=0' + regexp: '^net.ipv4.conf.default.accept_redirects=' + line: 'net.ipv4.conf.default.accept_redirects=0' when: - rhel_08_040209 tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 68819373..d1396b54 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -114,7 +114,8 @@ vars: rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320" when: - - rhel_08_010740 or + - rhel_08_010731 or + rhel_08_010740 or rhel_08_010750 or rhel_08_020320 tags: From 1e8f9a3503e73db3d8db189337d79243aea7c327 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 18 Oct 2021 16:35:34 -0400 Subject: [PATCH 14/21] Issue #57, #58, #59 fixes and handler items from PR #51 Signed-off-by: George Nalen --- handlers/main.yml | 9 +++++---- tasks/fix-cat2.yml | 9 ++++++--- templates/aide.conf.j2 | 3 +-- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index ddeddfbd..cc5a0e13 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
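Review bot: The prelim.yml `when` now also fires on `rhel_08_010731`, but `rhel8stig_passwd_tasks` two lines above still reads `"RHEL-08-010740 RHEL-08-010750 RHEL-08-020320"`, so whatever consumes that list (presumably task naming or reporting) will not reflect the new control; update it to `rhel8stig_passwd_tasks: "RHEL-08-010731 RHEL-08-010740 RHEL-08-010750 RHEL-08-020320"`. The task definition starts outside the hunk.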
@@ -33,16 +33,17 @@ - name: confirm grub2 user cfg stat: - path: /boot/grub2/user.cfg + path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg" + changed_when: rhel8stig_grub2_user_cfg.stat.exists register: rhel8stig_grub2_user_cfg notify: make grub2 config - name: make grub2 config command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_grub_cfg_path }} when: - - rhel7stig_grub2_user_cfg.stat.exists - - not rhel7stig_skip_for_travis - - not rhel7stig_system_is_container + - rhel8stig_grub2_user_cfg.stat.exists + - not rhel8stig_skip_for_travis + - not rhel8stig_system_is_container - name: copy grub2 config to BIOS/UEFI to satisfy benchmark listen: make grub2 config diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 10d3cdd5..6e54c953 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1194,11 +1194,12 @@ path: '{{ rhel8stig_sssd_conf }}' regexp: '^certificate_verification = {{ item.regexp }}' state: "{{ item.state }}" + line: "{{ item.line | default(omit) }}" with_items: - { regexp: 'no_ocsp, no_verification', state: absent } - { regexp: 'no_ocsp', state: absent } - { regexp: 'no_verification', state: absent } - - { regexp: 'ocsp_dgst=sha1', state: present } + - { regexp: 'ocsp_dgst=sha1', state: present, line: 'certificate_verification = ocsp_dgst=sha1' } notify: restart sssd when: - rhel8stig_sssd_conf_present.stat.exists @@ -1269,6 +1270,9 @@ - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active" shell: grubby --update-kernel=ALL --args="page_poison=1" + when: + - (ansible_proc_cmdline.page_poison is defined and ansible_proc_cmdline.page_poison != '1') or + (ansible_proc_cmdline.page_poison is not defined) - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist" lineinfile: 
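Review bot: The added `changed_when: rhel8stig_grub2_user_cfg.stat.exists` on a `stat` handler is not self-explanatory — a stat never changes anything, and the line exists so the chained `notify: make grub2 config` is triggered, since handlers only notify on a changed result — so it deserves a comment, e.g. `# stat is read-only; report "changed" when user.cfg exists so "make grub2 config" is notified`. The `when` on the next handler also references `rhel8stig_skip_for_travis` and `rhel8stig_system_is_container`, which this series does not define; presumably they come from prelim or defaults, but worth confirming now that the typo'd `rhel7stig_*` names are gone.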
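Review bot: The `present` item now writes `certificate_verification = ocsp_dgst=sha1` through `lineinfile` without an `insertafter`, so when the key is missing it is appended at the end of sssd.conf and lands in whichever INI section happens to be last, rather than under `[sssd]` where sssd reads `certificate_verification`; consider adding `insertafter: '^\[sssd\]'` to the task (confirm the section the role expects). The `line: "{{ item.line | default(omit) }}"` shape is fine for the `absent` items. The task definition starts outside the hunk.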
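Review bot: The new `when` on the page_poison step spells the test as `(defined and != '1') or (not defined)`, which is the long form of `when: ansible_proc_cmdline.page_poison | default('') != '1'`; the one-liner says the same thing and is easier to keep in sync with the `lineinfile` step that follows it. That said, the same long form is already used for the `fips` check in fix-cat1.yml, so if consistency with that file is preferred, leave it as is. The enclosing block starts outside the hunk.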
@@ -5618,8 +5622,7 @@ - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512 - - /usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512 + - /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 when: - rhel_08_030650 diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2 index 8b808301..92ebb20a 100644 --- a/templates/aide.conf.j2 +++ b/templates/aide.conf.j2 @@ -314,8 +314,7 @@ DATAONLY = FIPSR /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/audisp-remote p+i+n+u+g+s+b+acl+xattrs+sha512 -/usr/sbin/audisp-syslog p+i+n+u+g+s+b+acl+xattrs+sha512 +/usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 From dd16a78d7429f18bce8e5584ac88720a0859f256 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Nov 2021 09:59:03 +0000 Subject: [PATCH 15/21] added ec2 fix Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 882a8390..8ddf024e 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -836,7 +836,7 @@ - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." replace: path: "{{ item }}" - regexp: '^([^#].*)NOPASSWD(.*)' + regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' with_items: - "{{ rhel8stig_sudoers_files.stdout_lines }}" From b090157317196ace3a81b36be921437f743ec63e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Nov 2021 10:11:42 +0000 Subject: [PATCH 16/21] removed duplicate key 
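Review bot: The templated character class `[^#|{% if system_is_ec2 %}ec2-user{% endif %}]` in the RHEL-08-010380 `replace` does not exclude the `ec2-user` entry — inside `[...]` the text is a set of single characters, so on EC2 hosts the regexp skips every sudoers line that starts with `#`, `|`, `e`, `c`, `2`, `-`, `u`, `s` or `r`, and a line such as `root ALL=(ALL) NOPASSWD: ALL` (constructed example) is left with NOPASSWD intact. A negative lookahead expresses the intent and keeps the `\1PASSWD\2` group numbering: `regexp: '^(?!#{% if system_is_ec2 %}|ec2-user{% endif %})(.*)NOPASSWD(.*)'`. `system_is_ec2` must also be defined on every host for the template to render, so `{% if system_is_ec2 | default(false) %}` is safer if it can be unset, and the deliberate exemption of ec2-user from this control should be stated in a comment on the task.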
Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1d7df025..af88a7c6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -163,7 +163,6 @@ rhel_08_010422: true rhel_08_010423: true rhel_08_010430: true rhel_08_010450: true -rhel_08_010472: true rhel_08_010480: true rhel_08_010490: true rhel_08_010500: true From f323cfd3e5c34b952c88ea65e4b9d7afdc79969e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Nov 2021 10:11:58 +0000 Subject: [PATCH 17/21] fixed missing quote Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 2c4a8e67..ed53bb28 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -129,7 +129,7 @@ "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service. LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" block: - - name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service + - name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" package: name: rng-tools state: present From 3608bd18d5c66b68dc25689f072501d75b2d0f47 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Nov 2021 10:14:15 +0000 Subject: [PATCH 18/21] added missing '/' Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index f0010a80..8ad06899 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -309,7 +309,7 @@ - name: "RHEL-08-020331 | HIGH | PATCH | RHEL 8 must not allow blank or null passwords in the system-auth file." replace: - path: etc/pam.d/system-auth + path: /etc/pam.d/system-auth regexp: ' nullok' replace: '' with_items: From 904c24abc472d12c2b32834e19fc87b6696a088c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Nov 2021 10:16:00 +0000 Subject: [PATCH 19/21] added '/' Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 8ad06899..6344df09 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -327,7 +327,7 @@ - name: "RHEL-08-020332 | HIGH | RHEL 8 must not allow blank or null passwords in the password-auth file." replace: - path: etc/pam.d/password-auth + path: /etc/pam.d/password-auth regexp: ' nullok' replace: '' when: From eb6c000a042e8ee153b44544236861dae6311a4d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Nov 2021 10:26:16 +0000 Subject: [PATCH 20/21] removed 040162 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8ddf024e..a18537c9 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6374,23 +6374,6 @@ - V-230527 - sshd -- name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." - lineinfile: - path: /etc/ssh/ssh_config - regexp: '(?i)^#?RekeyLimit' - line: 'RekeyLimit 1G 1h' - notify: restart sshd - when: - - rhel_08_040162 - tags: - - RHEL-08-040162 - - CAT2 - - CCI-000068 - - SRG-OS-000033-GPOS-00014 - - SV-230528r627750_rule - - V-230528 - - sshd - - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." systemd: name: debug-shell.service From 1612735fd7af4d504de61b5b47e3bf1eb6c6d03e Mon Sep 17 00:00:00 2001 
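Review bot: This hunk, and the 020332 hunk in patch 19 right after it, re-applies the `etc/pam.d/` → `/etc/pam.d/` path fix against a version of fix-cat1.yml that still carries the old `RHEL-08-020331 | HIGH | PATCH` task name and the `with_items` list, i.e. a base that predates the rename and `with_items` removal hunk earlier in this series. One of the two lines of history will not apply cleanly, so the series looks like it needs a rebase before merge rather than any change to the code itself.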
From: Mark Bolwell Date: Tue, 2 Nov 2021 11:29:33 +0000 Subject: [PATCH 21/21] #56 fixed nftables masked option Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index a18537c9..285594e4 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -6316,6 +6316,7 @@ name: nftables state: started enabled: yes + masked: no - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" lineinfile: