From 7e1bc757fb7c883feb98e0fc58f252e1c276c08d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 16:48:30 +0100 Subject: [PATCH 01/16] fixed spacing Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index c47855b2..5fd0c7dd 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -2,7 +2,7 @@ - name: "HIGH | RHEL-08-010000 | AUDIT | The RHEL 8 must be a vendor-supported release." ansible.builtin.debug: - msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} + msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=') when: - rhel_08_010000 From 0e23594f890e9a369bdac1fc220ec9c78d4a5599 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 16:48:58 +0100 Subject: [PATCH 02/16] Added OS specific vars Signed-off-by: Mark Bolwell --- tasks/main.yml | 5 +++++ vars/AlmaLinux.yml | 9 +++++++++ vars/RedHat.yml | 13 +++++++++++++ vars/Rocky.yml | 9 +++++++++ 4 files changed, 36 insertions(+) create mode 100644 vars/AlmaLinux.yml create mode 100644 vars/RedHat.yml create mode 100644 vars/Rocky.yml diff --git a/tasks/main.yml b/tasks/main.yml index 34fb84d2..a7ab4fec 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -90,6 +90,11 @@ - container_discovery - always +- name: Include OS specific variables + ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + tags: + - always + - name: Check rhel8stig_bootloader_password_hash variable has been changed ansible.builtin.assert: that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml new file mode 100644 index 00000000..1d3aa592 --- /dev/null 
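Review bot: The new `ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"` task has no fallback, and because it is tagged `always` it aborts every run on a distribution that has no matching file under vars/; this series adds AlmaLinux, RedHat, Rocky and OracleLinux files, but `rhel8stig_min_supported_os_ver` in defaults/main.yml still lists CentOS as supported and no vars/CentOS.yml is added. Either add the missing vars file or load the file through a `first_found` lookup with an explicit default so an unknown distribution fails with a clear message rather than a missing-file error. A short comment above the task naming the variables the per-distribution files must define (`gpg_keys`, `gpg_package`, `rpm_gpg_key`) would also help whoever adds the next distribution.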
+++ b/vars/AlmaLinux.yml @@ -0,0 +1,9 @@ +--- + +gpg_keys: + - name: 'AlmaLinux' + packager: "packager@almalinux.org" + fingerprint: "5E9B 8F56 17B5 066C E920 57C3 488F CF7C 3ABB 34F8" + +gpg_package: almalinux-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux diff --git a/vars/RedHat.yml b/vars/RedHat.yml new file mode 100644 index 00000000..7cb76337 --- /dev/null +++ b/vars/RedHat.yml @@ -0,0 +1,13 @@ +--- + +gpg_keys: + - name: 'release key 2' + packager: 'security@redhat.com' + fingerprint: '567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51' + + - name: 'auxiliary key' + packager: 'security@redhat.com' + fingerprint: '6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792' + +gpg_package: redhat-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution | lower }}-release diff --git a/vars/Rocky.yml b/vars/Rocky.yml new file mode 100644 index 00000000..0af890b7 --- /dev/null +++ b/vars/Rocky.yml @@ -0,0 +1,9 @@ +--- + +gpg_keys: + - name: 'Release Engineering' + packager: "infrastructure@rockylinux.org" + fingerprint: "7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60" + +gpg_package: rocky-gpg-keys +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial From ab72c9a58481e28f487dea6f46b5b51c6512ccdd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 16:49:13 +0100 Subject: [PATCH 03/16] fixed title naming Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 835f8ef7..816515a1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
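Review bot: The fingerprints in `gpg_keys` are the trust anchor for the RHEL-08-010019 check, yet nothing in vars/RedHat.yml records where they were transcribed from; add a comment above the list naming the vendor's published product-signing-key page and the date it was checked, so a reviewer can re-verify the values without trusting this file. `rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution | lower }}-release` also templates a value inside a file that tasks/main.yml only loads when `ansible_distribution` is `RedHat`, so the indirection can never yield anything but one path; write it plainly as `rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`, as the sibling vars files do for their keys.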
@@ -284,7 +284,7 @@ when: - rhel8stig_ssh_required -- name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." +- name: "PRELIM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." shell: find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*' with_items: "{{ rhel_08_stig_interactive_homedir_results }}" register: rhel_08_010770_ini_file_list From 1ccc0dc07f790f7425b82956c8b88f7a69d03264 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:40:42 +0100 Subject: [PATCH 04/16] Os specific vars Signed-off-by: Mark Bolwell --- vars/OracleLinux.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 vars/OracleLinux.yml diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml new file mode 100644 index 00000000..90639e13 --- /dev/null +++ b/vars/OracleLinux.yml @@ -0,0 +1,9 @@ +--- + +gpg_keys: + - name: 'Oracle OSS group' + packager: "build@oss.oracle.com" + fingerprint: "76FD 3DB1 3AB6 7410 B89D B10E 8256 2EA9 AD98 6DA3" + +gpg_package: oraclelinux-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle From 711f39e307581626efc6bc60a9f85e1809a0821c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:40:53 +0100 Subject: [PATCH 05/16] updated Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e6ff9daf..e1176058 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -1,9 +1,16 @@ ## metadata for Audit benchmark -benchmark_version: '1.9' +benchmark_version: '1.10' rhel8stig_os_distribution: {{ ansible_distribution | lower }} +gpg_keys: +{% for info in gpg_keys %} + - name: {{ info.name }} + fingerprint: {{ info.fingerprint }} +{% endfor %} +gpg_package: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ gpg_package }} + rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} @@ -67,6 +74,7 @@ RHEL_08_040360: {{ rhel_08_040360 }} # Cat 2 rules RHEL_08_010001: {{ rhel_08_010001 }} RHEL_08_010010: {{ rhel_08_010010 }} +RHEL_08_010019: {{ rhel_08_010019 }} RHEL_08_010030: {{ rhel_08_010030 }} RHEL_08_010040: {{ rhel_08_010040 }} # Variable options below RHEL_08_010049: {{ rhel_08_010049 }} # Variable options below @@ -113,6 +121,7 @@ RHEL_08_010340: {{ rhel_08_010340 }} RHEL_08_010341: {{ rhel_08_010341 }} RHEL_08_010350: {{ rhel_08_010350 }} RHEL_08_010351: {{ rhel_08_010351 }} +RHEL_08_010358: {{ rhel_08_010358 }} RHEL_08_010359: {{ rhel_08_010359 }} RHEL_08_010360: {{ rhel_08_010360 }} RHEL_08_010372: {{ rhel_08_010372 }} From 06bebfffb0fac05375445cdb64da73bfefa82cdf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:41:00 +0100 Subject: [PATCH 06/16] updated Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e8f9012c..3b48ccf1 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 9 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R9_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 10 released on April 24, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R10_STIG.zip). --- From 32df84df9af2982a989ffdb9cfa8f8ddd5756946 Mon Sep 17 00:00:00 2001 
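Review bot: The generated `- name: {{ info.name }}` and `fingerprint: {{ info.fingerprint }}` entries render as unquoted YAML scalars, so a key name containing `: ` or ` #`, or one starting with a YAML indicator, would corrupt the goss vars file the template produces; quote the templated values, `- name: "{{ info.name }}"` and `fingerprint: "{{ info.fingerprint }}"`. While editing this header, note that the adjacent pre-existing `{% if ansible_distribution_version >= '8.2' %}` is a lexical string comparison and will misclassify a two-digit minor release such as 8.10 as pre-8.2; `{% if ansible_distribution_version is version('8.2', '>=') %}` compares versions properly.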
From: Mark Bolwell Date: Tue, 2 May 2023 17:44:15 +0100 Subject: [PATCH 07/16] updated Signed-off-by: Mark Bolwell --- Changelog.md | 31 +++++++++++++++++++++++++++++++ defaults/main.yml | 6 ++++-- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index e3d7abdb..67a65e77 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,37 @@ # Changes to RHEL8STIG +## 2.9.0 Stig V1R10 27th April 2023 + +- Added new controls + - RHEL-08-10019 + - RHEL-08-10358 +- updated control IDs + - RHEL-08-10360 + - RHEL-08-10540 + - RHEL-08-10541 + - RHEL-08-10544 + - RHEL-08-10800 + - RHEL-08-20040 + - RHEL-08-20100 + - RHEL-08-20101 + - RHEL-08-20102 + - RHEL-08-20103 + - RHEL-08-20220 + - RHEL-08-20221 + - RHEL-08-20270 + - RHEL-08-30070 + - RHEL-08-40150 + +## Release 2.8.6 + +- [#194](https://github.com/ansible-lockdown/RHEL8-STIG/issues/194) thanks to @JacobBuskirk +- [#196](https://github.com/ansible-lockdown/RHEL8-STIG/issues/196) thanks to @jmalpede + +- [#195](https://github.com/ansible-lockdown/RHEL8-STIG/pull/195) thanks to PoundsOfFlesh +- [#197](https://github.com/ansible-lockdown/RHEL8-STIG/pull/197) thanks to PoundsOfFlesh + ## Release 2.8.5 + - updated to /var/log mount check - added commnets for /mnt and removeable media on Azure systems diff --git a/defaults/main.yml b/defaults/main.yml index 18e95201..73f94b26 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r9' +benchmark_version: 'v1r10' ## Benchmark name used by audting control role # The audit variable found at the base @@ -108,6 +108,7 @@ rhel_08_040360: true # CAT 2 rules rhel_08_010001: true rhel_08_010010: true +rhel_08_010019: true rhel_08_010030: true rhel_08_010040: true rhel_08_010049: true @@ -154,6 +155,7 @@ rhel_08_010340: true rhel_08_010341: true rhel_08_010350: true rhel_08_010351: true +rhel_08_010358: true rhel_08_010359: true rhel_08_010360: true rhel_08_010372: true 
@@ -614,7 +616,7 @@ rhel8stig_aide_cron: special_time: daily # Disable the notification check rule to disable mailing notifications notify_by_mail: true - notify_cmd: ' | /var/spool/mail -s "$(hostname) - Daily aide integrity check run" root@localhost' + notify_cmd: ' | /bin/mail -s "$(hostname) - Daily aide integrity check run" root@localhost' rhel8stig_cron_special_disable: "{{ rhel8stig_workaround_for_disa_benchmark or From 530ca02af0dd79ac69c62700a5d975fa574ac476 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:44:27 +0100 Subject: [PATCH 08/16] new controls and rule updates Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 161 +++++++++++++++++++++++++++++++-------------- 1 file changed, 112 insertions(+), 49 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index c0ad277e..0817bd69 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
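Review bot: The repaired `notify_cmd` hard-codes the recipient `root@localhost` inside the command string, while the control it supports (RHEL-08-010358, "designated personnel") implies a site-specific address; expose it as its own default, e.g. `rhel8stig_aide_notify_recipient: root@localhost` and `notify_cmd: ' | /bin/mail -s "$(hostname) - Daily aide integrity check run" {{ rhel8stig_aide_notify_recipient }}'`. `/bin/mail` is only present once mailx is installed, which this series does under the separately switchable `rhel_08_010358`; if that control is disabled but the aide cron entry is still written, the pipe fails and the daily integrity report is silently lost, so either document the dependency here or make the cron task ensure the package. The `rhel8stig_aide_cron` mapping continues outside the hunk.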
@@ -43,6 +43,40 @@
 - SV-230222r627750_rule
 - V-230222
 
+- name: "MEDIUM | RHEL-08-010019 | PATCH | RHEL 8 must ensure cryptographic verification of vendor software packages."
+ block:
+ - name: "MEDIUM | RHEL-08-010019 | PATCH | RHEL 8 must ensure cryptographic verification of vendor software packages. | package installed"
+ ansible.builtin.package:
+ name: "{{ gpg_package }}"
+ state: present
+ when: "gpg_package not in ansible_facts.packages"
+
+ - name: "MEDIUM | RHEL-08-010019 | AUDIT | RHEL 8 must ensure cryptographic verification of vendor software packages. | Confirm keys"
+ ansible.builtin.shell: "gpg -q --keyid-format short --with-fingerprint {{ rpm_gpg_key }} | grep -B1 '{{ item.name }}' | grep '{{ item.fingerprint }}'"
+ changed_when: false
+ failed_when: rhel_08_010019_gpg_info.rc not in [ 0, 1]
+ register: rhel_08_010019_gpg_info
+ loop: "{{ gpg_keys }}"
+ loop_control:
+ label: item.name
+
+ - name: "MEDIUM | RHEL-08-010019 | AUDIT | RHEL 8 must ensure cryptographic verification of vendor software packages. | warn"
+ ansible.builtin.debug:
+ msg:
+ - "WARNING!! Please investigate the vendor gpgkeys match expected values"
+ loop: "{{ rhel_08_010019_gpg_info.results }}"
+ when: item.rc != 0
+ when:
+ - not system_is_ec2
+ - rhel_08_010019
+ tags:
+ - RHEL-08-010019
+ - CAT2
+ - CCI-001749
+ - SRG-OS-000366-GPOS-00153
+ - SV-256973r902752_rule
+ - V-256973
+
 - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."
 block:
 - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout"
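Review bot: `label: item.name` under `loop_control` is a literal string rather than a template, so every iteration of the Confirm-keys task is labelled with the text "item.name"; it should read `label: "{{ item.name }}"`. The check itself only parses the key file on disk with gpg and never confirms that the vendor key is actually imported into the RPM database (`rpm -q --queryformat '%{SUMMARY}\n' gpg-pubkey`) or that gpgcheck is enabled for the repositories, so a host whose file is intact but whose imported key was replaced still passes, and the release package is installed from whatever repository is configured before any key is verified; a second audit step over the gpg-pubkey packages would close that gap. Because the pipeline's status is the last grep's, a missing gpg binary or an unreadable key file is reported as a fingerprint mismatch rather than an error; run the command under `args: executable: /bin/bash` with `set -o pipefail` prefixed so those cases fail loudly. The `not system_is_ec2` exclusion is not explained anywhere in the hunk and deserves a comment saying why cloud images are exempt from a key-verification check.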
@@ -1098,6 +1132,22 @@ - V-251709 - permissions +- name: "MEDIUM | RHEL-08-010358 | PATCH | RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel. | pkg install" + ansible.builtin.package: + name: mailx + state: present + when: + - "'mailx' not in ansible_facts.packages" + - rhel_08_010358 + tags: + - RHEL-08-010358 + - CAT2 + - CCI-001744 + - SRG-OS-000363-GPOS-00150 + - SV-251710r880730_rule + - V-256974 + - mailx + - name: "MEDIUM | RHEL-08-010359 | PATCH | The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions. | pkg install" ansible.builtin.package: name: aide @@ -1144,7 +1194,9 @@ - CAT2 - CCI-001744 - SRG-OS-000363-GPOS-00150 - - SV-230263r880708_rule + - SRG-OS-000446-GPOS-00200 + - SRG-OS-000447-GPOS-00201 + - SV-230263r902716_rule - V-230263 - aide - cron 
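Review bot: The tag `SV-251710r880730_rule` on the new RHEL-08-010358 task does not belong with `V-256974`; every other task in this file pairs an SV- id and a V- id that share the same number (the new 010019 task uses `SV-256973r902752_rule` with `V-256973`, and the hunk below pairs `SV-230263r902716_rule` with `V-230263`), so SV-251710 looks copied from a neighbouring task. Replace it with the V1R10 rule id for V-256974, `SV-256974r…_rule` with the revision taken from the benchmark XCCDF, otherwise tag-based runs and cross-references to the STIG rule id will point at the wrong control. Consider also a short comment noting that this task only installs mailx and that the notification itself is configured through the aide cron variables, since the title promises "sending email notifications".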
@@ -1692,26 +1744,21 @@ - tmp - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." - block: - - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" - ansible.builtin.debug: - msg: "WARNING!! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is defined - when: "'/var/tmp' not in mount_names" - - - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Mount is present" - ansible.builtin.debug: - msg: "Congratulations: /var/tmp does exist." - when: "'/var/tmp' in mount_names" + ansible.builtin.debug: + msg: + - "WARNING!! /var/tmp is not mounted on a seperate partition" + changed_when: + - rhel8stig_audit_complex when: - rhel_08_010544 + - rhel8stig_complex + - ansible_mounts | selectattr('mount', 'match', '^/var/tmp$') | list | length == 0 tags: - RHEL-08-010544 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-244529r743836_rule + - SV-244529r902737_rule - V-244529 - mounts @@ -2686,7 +2733,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230328r627750_rule + - SSV-230328r902723_rule - V-23032 - complexity-high - mounts @@ -3278,7 +3325,7 @@ - CAT2 - CCI-000056 - SRG-OS-000028-GPOS-00009 - - SV-230348r880720_rule + - SV-230348r902725_rule - V-230348 - tmux @@ -3491,8 +3538,8 @@ - name: "MEDIUM | RHEL-08-020100 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the password-auth file." ansible.builtin.lineinfile: path: /etc/pam.d/password-auth - regexp: '^password\s+required\s+pam_pwquality.so' - line: 'password required pam_pwquality.so' + regexp: '^password\s+(required|requisite)\s+pam_pwquality.so' + line: 'password requisite pam_pwquality.so' insertafter: '^password' owner: root group: root 
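Review bot: The rewritten RHEL-08-010544 task now only emits a warning, yet its title still says `PATCH`; the other warn-only tasks in this commit (010019) are titled `AUDIT`, so rename it for consistency, and fix `seperate` in the message. The task gates on `rhel8stig_complex` in `when:` but reports change via `rhel8stig_audit_complex` in `changed_when:`; if these are meant to be one switch, align the names, and if they are two distinct variables a one-line comment explaining the split would prevent the next reader from assuming a typo. The removed `var_tmp_mount_absent` register was visible to later tasks; this hunk cannot show whether anything still references it, so that is worth a grep.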
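Review bot: The updated tag in the 2733 hunk reads `SSV-230328r902723_rule`, a typo for `SV-230328r902723_rule`; tag filters and rule-id cross-references for this control will silently miss it until the leading `S` is removed. The unchanged `V-23032` on the next line is also truncated relative to the SV id and to every other V- tag in the file (`V-230328` is the matching form), so it is worth correcting in the same edit.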
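Review bot: In the RHEL-08-020100 hunk, lineinfile replaces the whole matching line with `password requisite pam_pwquality.so`, so the widened `(required|requisite)` regexp now rewrites the distribution's own requisite line and discards whatever arguments it carried (on RHEL 8 the authselect-generated line typically includes options such as `local_users_only`); the old required-only regexp never matched that line, so this argument stripping is a new side effect of the change. The file already uses `community.general.pamd` for the retry tasks, so the control can be changed with that module while preserving arguments, keeping lineinfile only for the case where no pwquality rule exists at all. The same applies to the 020101 system-auth hunk that follows.
```yaml
    - name: "MEDIUM | RHEL-08-020100 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the password-auth file. | set control"
      community.general.pamd:
        name: password-auth
        type: password
        control: required
        module_path: pam_pwquality.so
        new_control: requisite
        state: updated
    # … unchanged: lineinfile insert for a missing rule, when, tags …
```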
@@ -3504,15 +3551,15 @@ - CAT2 - CCI-000366 - SRG-OS-000069-GPOS-00037 - - SV-230356r809379_rule + - SV-230356r902728_rule - V-230356 - pamd - name: "MEDIUM | RHEL-08-020101 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the system-auth file." ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - regexp: '^password\s+required\s+pam_pwquality.so' - line: 'password required pam_pwquality.so' + regexp: '^password\s+(required|requisite)\s+pam_pwquality.so' + line: 'password requisite pam_pwquality.so' insertafter: '^password' owner: root group: root @@ -3524,14 +3571,14 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-251713r810407_rule + - SV-251713r902740_rule - V-251713 - pamd - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less." block: - name: "MEDIUM | RHEL-08-020102 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Get pam_pwquality state" - ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwquality.so" + ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*requisite.*pam_pwquality.so" changed_when: false failed_when: false register: rhel_08_020102_pwquality_status 
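Review bot: The RHEL-08-020102 state check now greps only for `password.*requisite.*pam_pwquality.so`, while the lineinfile regexp that the same commit adds for this control accepts `(required|requisite)`; a host whose line still reads `password required pam_pwquality.so …`, which is exactly what earlier versions of this role wrote according to the removed lines, is therefore reported as having no pwquality entry. Match the two with `grep -E "password.*(required|requisite).*pam_pwquality.so" /etc/pam.d/system-auth` (dropping the needless `cat |`). The `when` that consumes `rhel_08_020102_pwquality_status` is outside the hunk, so the downstream effect is inferred from the pattern alone.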
@@ -3539,7 +3586,8 @@ - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + regexp: '^password\s+(required|requisite)\s+pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + line: 'password requisite pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' insertafter: '^password' owner: root group: root @@ -3550,7 +3598,7 @@ community.general.pamd: name: system-auth type: password - control: required + control: requisite module_path: pam_pwquality.so module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}' state: args_present @@ -3563,14 +3611,14 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-251714r810410_rule + - SV-251714r902743_rule - V-251714 - pamd - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less." block: - name: "MEDIUM | RHEL-08-020103 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Get pam_pwquality state" - ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwquality.so" + ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*requisite.*pam_pwquality.so" changed_when: false failed_when: false register: rhel_08_020103_pwquality_status 
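Review bot: The new regexp `^password\s+(required|requisite)\s+pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}` only matches a line that already carries the exact desired retry value, so a pwquality line with a different retry, or with other arguments before `retry=`, is left in place and a second `password requisite pam_pwquality.so retry=N` line is inserted after the first `^password` rule. Match the module rather than one argument value, `regexp: '^password\s+(required|requisite)\s+pam_pwquality\.so'`, and let the pamd `args_present` step that this hunk switches to `control: requisite` own the retry value. The `when` guarding this task is outside the hunk; the same pattern recurs in the 020103 password-auth task below.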
@@ -3578,7 +3626,8 @@ - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" ansible.builtin.lineinfile: path: /etc/pam.d/password-auth - line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + regexp: '^password\s+(required|requisite)\s+pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + line: 'password requisite pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' insertafter: '^password' owner: root group: root @@ -3589,7 +3638,7 @@ community.general.pamd: name: password-auth type: password - control: required + control: requisite module_path: pam_pwquality.so module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}' state: args_present @@ -3602,7 +3651,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-251715r810412_rule + - SV-251715r902746_rule - V-251715 - pamd @@ -3858,7 +3907,7 @@ - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory status" - ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwhistory.so" + ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*requisite.*pam_pwhistory.so" changed_when: false failed_when: false register: rhel_08_020220_pwhistory_status 
@@ -3866,7 +3915,8 @@ - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pw_history" ansible.builtin.lineinfile: path: /etc/pam.d/password-auth - line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" + regexp: 'password\s+(required|requisite)\s+pam_pwhistory.so use_authtok remember=' + line: "password requisite pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' owner: root group: root @@ -3877,7 +3927,7 @@ community.general.pamd: name: password-auth type: password - control: required + control: requisite module_path: pam_pwhistory.so module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}' state: args_present @@ -3889,14 +3939,14 @@ - CAT2 - CCI-000200 - SRG-OS-000077-GPOS-00045 - - SV-230368r810414_rule + - SV-230368r902759_rule - V-230368 - pamd - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-08-020221 | AUDIT | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory state " - ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwhistory.so" + ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*requisite.*pam_pwhistory.so" changed_when: false failed_when: false register: rhel_08_020221_pwhistory_status 
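Review bot: The pwhistory regexp `password\s+(required|requisite)\s+pam_pwhistory.so use_authtok remember=` lacks the `^` anchor that every pwquality regexp in this commit has, and it only matches when `use_authtok` is immediately followed by `remember=`, so a line such as `password required pam_pwhistory.so remember=5 use_authtok` is not recognised and a duplicate pwhistory rule is inserted. Use `regexp: '^password\s+(required|requisite)\s+pam_pwhistory\.so'` and leave the argument values to the pamd `args_present` task below. The same regexp appears in the 020221 system-auth hunk and should be fixed in step.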
@@ -3904,7 +3954,8 @@ - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pwhistory" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth - line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" + regexp: 'password\s+(required|requisite)\s+pam_pwhistory.so use_authtok remember=' + line: "password requisite pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' owner: root group: root @@ -3915,7 +3966,7 @@ community.general.pamd: name: system-auth type: password - control: required + control: requisite module_path: pam_pwhistory.so module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}' state: args_present @@ -3927,7 +3978,7 @@ - CAT2 - CCI-000200 - SRG-OS-000077-GPOS-00045 - - SV-251717r858745_rule + - SV-251717r902749_rule - V-251717 - pamd 
@@ -4092,15 +4143,15 @@ - V-230373 - useradd -- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." +- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 must automatically expire temporary accounts within 72 hours." block: - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." + - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 must automatically expire temporary accounts within 72 hours." ansible.builtin.shell: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" changed_when: false failed_when: false register: rhel_08_020270_system_users - - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." + - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 must automatically expire temporary accounts within 72 hours." ansible.builtin.debug: msg: - "WARNING!! Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" @@ -4112,7 +4163,7 @@ - CAT2 - CCI-001682 - SRG-OS-000123-GPOS-00064 - - SV-230374r627750_rule + - SV-230374r903129_rule - V-230374 - user 
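Review bot: Only the task titles were updated for RHEL-08-020270; the awk body still lists accounts with UID at or below `rhel8stig_interactive_uid_start` and the message still talks about emergency accounts and "the crisis", which no longer matches the V1R10 wording in the new title (temporary accounts must expire within 72 hours). Low-UID system accounts are not the population that rule is about; as far as the hunk shows, the audit should enumerate interactive accounts, e.g. `awk -F: '$3 >= {{ rhel8stig_interactive_uid_start }} {print $1}' /etc/passwd`, and report each one's expiry date from `chage -l` so the operator can see which temporary accounts lack one. The message typos (`where` for `were`, `plese`, `resovled`) are pre-existing but should go with the rewording; the rest of the block is outside the hunk.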
@@ -4458,10 +4509,22 @@ - auditd - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access." - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: '^log_group =' - line: "log_group = root" + block: + - name: "MEDIUM | RHEL-08-030070 | AUDIT | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | logfile location" + ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | awk '{print $NF}' + register: rhel08_030070_auditlog_location + changed_when: false + + - name: "MEDIUM | RHEL-08-030070 | AUDIT | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | check file exists" + ansible.builtin.stat: + path: "{{ rhel08_030070_auditlog_location.stdout }}" + register: rhel08_030070_auditlog + + - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | logfile location" + ansible.builtin.file: + path: "{{ rhel08_030070_auditlog_location.stdout }}" + state: "{{ (rhel08_030070_auditlog.stat.exists) | ternary('file', 'touch') }}" + mode: '0600' when: - rhel_08_030070 tags: @@ -4469,7 +4532,7 @@ - CAT2 - CCI-000162 - SRG-OS-000057-GPOS-00027 - - SV-230396r627750_rule + - SV-230396r902733_rule - V-230396 - permissions - log @@ -5592,7 +5655,7 @@ - V-230480 - auditd -- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." +- name: "MEDIUM | RHEL-08-030710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited." ansible.builtin.lineinfile: path: /etc/rsyslog.conf create: true 
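Review bot: `grep -iw log_file /etc/audit/auditd.conf | awk '{print $NF}'` also matches a commented `#log_file = …` line (`-w` treats `#` as a word boundary) and any other line that merely mentions log_file, so `stdout` can contain several paths joined by newlines, which the stat and file tasks then pass on as a single path; anchor it to the active setting with `grep -iE '^\s*log_file\s*=' /etc/audit/auditd.conf | awk '{print $NF}'`. With `log_file` unset the grep returns 1 and, having no `failed_when`, the task aborts the play; either accept that explicitly with a comment or fall back to `/var/log/audit/audit.log`, the auditd default, via `failed_when: false` and a `default()` on the path. The `touch` branch creates an empty audit log when none exists, which is reasonable, but note that rotated logs in the same directory are not covered; if the intent is all audit logs, glob them rather than the single configured file.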
@@ -6456,7 +6519,7 @@ - CAT2 - CCI-002385 - SRG-OS-000420-GPOS-00186 - - SV-230525r744029_rule + - SV-230525r902735_rule - V-230525 - firewall - nftables From 83ce12d3716f1362bc3dce8b7010d63e03bfd77a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 17:44:34 +0100 Subject: [PATCH 09/16] rule updates Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 974616f3..4dadae25 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -177,7 +177,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230292r627750_rule + - SV-230292r902718_rule - V-230292 - complexity-high - mounts @@ -198,7 +198,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230293r627750_rule + - SV-230293r902720_rule - V-230293 - complexity_high - mounts From b86d7c5937d0acbb920fa20e5473901cb81097ec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 May 2023 08:59:27 +0100 Subject: [PATCH 10/16] tidy spacing Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 5fd0c7dd..59c223f4 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -2,7 +2,7 @@ - name: "HIGH | RHEL-08-010000 | AUDIT | The RHEL 8 must be a vendor-supported release." ansible.builtin.debug: - msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} + msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=') when: - rhel_08_010000 From 3fdd0009c5b8496c022d70bf884fc0b57ed53ed0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 May 2023 08:59:40 +0100 Subject: [PATCH 11/16] Added OracleLinux 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index 6ac940ce..2e444387 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -573,6 +573,7 @@ rhel8stig_min_supported_os_ver: CentOS: "8.7" Rocky: "8.7" AlmaLinux: "8.7" + OracleLinux: "8.7" # RHEL-08-040260 # If system is not router, run tasks that disable router functions. From c5009e5659afd801ecf1c387073d90b11b58a04a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 May 2023 08:59:52 +0100 Subject: [PATCH 12/16] Updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 67a65e77..a49d2bcd 100644 --- a/Changelog.md +++ b/Changelog.md @@ -22,6 +22,8 @@ - RHEL-08-30070 - RHEL-08-40150 +- OracleLinux tested and added + ## Release 2.8.6 - [#194](https://github.com/ansible-lockdown/RHEL8-STIG/issues/194) thanks to @JacobBuskirk From cc4e3007cdb0388cac5572f314577ff511223159 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 May 2023 09:01:16 +0100 Subject: [PATCH 13/16] lint Signed-off-by: Mark Bolwell --- vars/AlmaLinux.yml | 6 +++--- vars/OracleLinux.yml | 6 +++--- vars/RedHat.yml | 12 ++++++------ vars/Rocky.yml | 6 +++--- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 1d3aa592..676316f6 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,9 +1,9 @@ --- gpg_keys: - - name: 'AlmaLinux' - packager: "packager@almalinux.org" - fingerprint: "5E9B 8F56 17B5 066C E920 57C3 488F CF7C 3ABB 34F8" + - name: 'AlmaLinux' + packager: "packager@almalinux.org" + fingerprint: "5E9B 8F56 17B5 066C E920 57C3 488F CF7C 3ABB 34F8" gpg_package: almalinux-release rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml index 90639e13..9c205dfd 100644 --- a/vars/OracleLinux.yml +++ b/vars/OracleLinux.yml 
@@ -1,9 +1,9 @@ --- gpg_keys: - - name: 'Oracle OSS group' - packager: "build@oss.oracle.com" - fingerprint: "76FD 3DB1 3AB6 7410 B89D B10E 8256 2EA9 AD98 6DA3" + - name: 'Oracle OSS group' + packager: "build@oss.oracle.com" + fingerprint: "76FD 3DB1 3AB6 7410 B89D B10E 8256 2EA9 AD98 6DA3" gpg_package: oraclelinux-release rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 7cb76337..e5c0c7bc 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,13 +1,13 @@ --- gpg_keys: - - name: 'release key 2' - packager: 'security@redhat.com' - fingerprint: '567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51' + - name: 'release key 2' + packager: 'security@redhat.com' + fingerprint: '567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51' - - name: 'auxiliary key' - packager: 'security@redhat.com' - fingerprint: '6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792' + - name: 'auxiliary key' + packager: 'security@redhat.com' + fingerprint: '6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792' gpg_package: redhat-release rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution | lower }}-release diff --git a/vars/Rocky.yml b/vars/Rocky.yml index 0af890b7..0e8502c7 100644 --- a/vars/Rocky.yml +++ b/vars/Rocky.yml @@ -1,9 +1,9 @@ --- gpg_keys: - - name: 'Release Engineering' - packager: "infrastructure@rockylinux.org" - fingerprint: "7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60" + - name: 'Release Engineering' + packager: "infrastructure@rockylinux.org" + fingerprint: "7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60" gpg_package: rocky-gpg-keys rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial From cadd4c3ccf68b593196b6aaf05932a73b3c69491 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 4 May 2023 12:09:37 +0100 Subject: [PATCH 14/16] updated checkout version Signed-off-by: Mark Bolwell --- .github/workflows/update_galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 5d41affe..21a888ef 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -14,7 +14,7 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: hspaans/ansible-galaxy-action@master with: api_key: ${{ secrets.GALAXY_API_KEY }} From a06adc4ab77243a698d4a75a96bd950c5a9515ab Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 4 May 2023 12:29:13 +0100 Subject: [PATCH 15/16] fixed var naming Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e1176058..93f210e6 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -9,7 +9,7 @@ gpg_keys: - name: {{ info.name }} fingerprint: {{ info.fingerprint }} {% endfor %} -gpg_package: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ gpg_package }} +rpm_gpg_key: {{ rpm_gpg_key }} rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} From 48580c0466dc202d75dceeac860622901d51f27b Mon Sep 17 00:00:00 2001 From: Phenix66 <34311559+Phenix66@users.noreply.github.com> Date: Mon, 8 May 2023 11:55:53 -0400 Subject: [PATCH 16/16] Update main.yml Fixed typo in user password assertion Signed-off-by: Phenix66 <34311559+Phenix66@users.noreply.github.com> --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index a7ab4fec..7a6b91f6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
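Review bot: The pin bump stops at checkout; the next line still runs `hspaans/ansible-galaxy-action@master`, a mutable branch reference, and hands it `secrets.GALAXY_API_KEY`, so whoever can push to that repository can publish to Galaxy with this role's key on any workflow run. Pin it to a full commit SHA with the version in a trailing comment, `- uses: hspaans/ansible-galaxy-action@<commit-sha>  # vX.Y`, and consider SHA-pinning `actions/checkout` the same way rather than the floating `v3` tag.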
@@ -39,7 +39,7 @@ ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }}" vars: sudo_password_rule: RHEL-08-010380 when: