diff --git a/.ansible-lint b/.ansible-lint index f2a7e7cc..7ca23137 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -7,5 +7,6 @@ skip_list: - '403' - '306' - '602' + - '208' use_default_rules: true verbosity: 0 diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars new file mode 100644 index 00000000..6017787b --- /dev/null +++ b/.github/workflows/OS.tfvars @@ -0,0 +1,9 @@ +#Ami Rocky 85 +ami_id = "ami-043ceee68871e0bb5" +ami_os = "rocky8" +ami_username = "rocky" +ami_user_home = "/home/rocky" +instance_tags = { + Name = "RHEL8-STIG" + Environment = "lockdown_github_repo_workflow" +} diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml deleted file mode 100644 index ea378d8e..00000000 --- a/.github/workflows/communitytodevel.yml +++ /dev/null 
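Review bot: The AMI in OS.tfvars is pinned by bare ID (`ami_id = "ami-043ceee68871e0bb5"`) with no owner account, region or image name recorded, so nobody reviewing this file can confirm it is the Rocky 8 image the comment claims or refresh it when the publisher rotates images; the comment `#Ami Rocky 85` also disagrees in precision with `ami_os = "rocky8"`. Either record the provenance next to it, e.g. `# Rocky Linux 8.5 x86_64, owner <account-id>, region <region>, name "<image name>"`, or resolve the image through a `data "aws_ami"` lookup with an explicit `owners` filter so the ID is derived from a trusted publisher rather than trusted on its own. Since this AMI is what the STIG role is tested against, a swapped image would silently change what the CI proves.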
@@ -1,38 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: CommunityToDevel - -# Controls when the action will run. Triggers the workflow on push or pull request -# events but only for the devel branch -on: - pull_request: - branches: [ devel ] - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - # Refactr pipeline for devel pull request/merge - - name: Refactr - Run Pipeline (to devel) - # You may pin to the exact commit or the version. - # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53 - uses: refactr/action-run-pipeline@v0.1.2 - with: - # API token - api_token: '${{ secrets.REFACTR_KEY }}' - # Project ID - project_id: 5f47f0c4a13c7b18373e5556 - # Job ID - job_id: 5f933cbcf9c74e86b1609c00 - # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-066df92ac6f03efca", "githubBranch": "${{ github.head_ref }}", "username": "ec2-user" }' - # Refactr API base URL - api_url: # optional diff --git a/.github/workflows/develtomaster.yml b/.github/workflows/develtomaster.yml deleted file mode 100644 index 1573b2f8..00000000 --- a/.github/workflows/develtomaster.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: DevelToMain - -# Controls when the action will run. Triggers the workflow on push or pull request -# events but only for the devel branch -on: - pull_request: - branches: [ main ] - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - # Refactr pipeline for devel pull request/merge - - name: Refactr - Run Pipeline (to master) - # You may pin to the exact commit or the version. - # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53 - uses: refactr/action-run-pipeline@v0.1.2 - with: - # API token - api_token: '${{ secrets.REFACTR_KEY }}' - # Project ID - project_id: 5f47f0c4a13c7b18373e5556 - # Job ID - job_id: 5f90ad90f9c74e6d1e606e33 - # Variables - variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-066df92ac6f03efca", "username": "ec2-user" }' - # Refactr API base URL - api_url: # optional diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf new file mode 100644 index 00000000..d5a0db02 --- /dev/null +++ b/.github/workflows/github_networks.tf @@ -0,0 +1,11 @@ +resource "aws_vpc" "Main" { + cidr_block = var.main_vpc_cidr + tags = var.instance_tags +} + +resource "aws_internet_gateway" "IGW" { + vpc_id = aws_vpc.Main.id + tags = { + Name = "${var.namespace}-IGW" + } +} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars new file mode 100644 index 00000000..38be3edc --- /dev/null +++ b/.github/workflows/github_vars.tfvars 
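Review bot: `aws_vpc.Main` and `aws_internet_gateway.IGW` are created but nothing in this diff uses them: the security group in main.tf (as visible further down) is attached to `data.aws_vpc.default`, and no subnet, route table or route referencing `aws_vpc.Main` is added, so the test instance lands in the account's default VPC and the new VPC/IGW are orphaned resources that still get created and destroyed on every PR. Either wire the instance into this VPC (`vpc_id = aws_vpc.Main.id` on the security group, plus a subnet and default route through `aws_internet_gateway.IGW`) or drop this file until that is done. Tagging the VPC with `var.instance_tags` also gives it `Name = "RHEL8-STIG"`, the same name as the instance; `Name = "${var.namespace}-VPC"` would match the IGW's naming.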
@@ -0,0 +1,12 @@
+// github_actions variables
+// Resourced in github_networks.tf
+// Declared in variables.tf
+//
+
+namespace = "github_actions"
+
+// Matching pair name found in AWS for keypairs PEM key
+ami_key_pair_name = "github_actions"
+main_vpc_cidr = "172.22.0.0/24"
+public_subnets = "172.22.0.128/26"
+private_subnets = "172.22.0.192/26"
\ No newline at end of file
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
new file mode 100644
index 00000000..3c4cf3f5
--- /dev/null
+++ b/.github/workflows/linux_benchmark_testing.yml
@@ -0,0 +1,120 @@ +# This is a basic workflow to help you get started with Actions + +name: linux_benchmark_pipeline + +# Controls when the action will run. +# Triggers the workflow on push or pull request +# events but only for the devel branch +on: + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + +# A workflow run is made up of one or more jobs +# that can run sequentially or in parallel +jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@v1.1.0 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well. + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + env: + ENABLE_DEBUG: false + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, + # so your job can access it + - uses: actions/checkout@v2 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + +### Build out the server + - name: Terraform_Init + working-directory: .github/workflows + run: terraform init + + - name: Terraform_Validate + working-directory: .github/workflows + run: terraform validate + + - name: Terraform_Apply + working-directory: .github/workflows + env: + 
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: cat hosts.yml + +# Centos 7 images take a while to come up insert sleep or playbook fails + + - name: Check if test os is rhel7 + working-directory: .github/workflows + id: test_os + run: >- + echo "::set-output name=RHEL7::$( + grep -c RHEL7 OS.tfvars + )" + + - name: if RHEL7 - Sleep for 60 seconds + if: steps.test_os.outputs.RHEL7 >= 1 + run: sleep 60s + shell: bash + +# Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} +# verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + +# Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + working-directory: .github/workflows + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf new file mode 100644 index 00000000..9ad9240b --- /dev/null +++ b/.github/workflows/main.tf 
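Review bot: This workflow runs on `pull_request_target`, checks out `github.event.pull_request.head.sha`, and then runs `terraform init`/`apply` from the checked-out `.github/workflows` directory and the checked-out `site.yml` with `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `SSH_PRV_KEY` available, so a pull request from a fork can edit `main.tf` or any task file and have it executed with the repository's cloud and SSH credentials. Switch the trigger to `pull_request:` (fork PRs then get no secrets), or keep `pull_request_target` only behind an explicit gate such as a maintainer-applied label or a protected `environment:` with required reviewers, and never run code from `head.sha` before that gate. `arillso/action.playbook@master` receives the private key and is pulled from a mutable branch; pin it to a full commit SHA. The Add_ssh_key step writes `echo $PRIVATE_KEY > .ssh/github_actions.pem` unquoted, which word-splits a multi-line PEM, and the file is never used since the playbook action takes `private_key` directly, so the step can be removed.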
@@ -0,0 +1,83 @@ +provider "aws" { + profile = "" + region = var.aws_region +} + +// Create a security group with access to port 22 and port 80 open to serve HTTP traffic + +data "aws_vpc" "default" { + default = true +} + +resource "random_id" "server" { + keepers = { + # Generate a new id each time we switch to a new AMI id + ami_id = "${var.ami_id}" + } + + byte_length = 8 +} + +resource "aws_security_group" "github_actions" { + name = "${var.namespace}-${random_id.server.hex}" + vpc_id = data.aws_vpc.default.id + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + tags = { + Name = "${var.namespace}-SG" + } +} + +// instance setup + +resource "aws_instance" "testing_vm" { + ami = var.ami_id + associate_public_ip_address = true + key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs + instance_type = var.instance_type + tags = var.instance_tags + vpc_security_group_ids = [aws_security_group.github_actions.id] + root_block_device { + delete_on_termination = true + } +} + +// generate inventory file +resource "local_file" "inventory" { + filename = "./hosts.yml" + directory_permission = "0755" + file_permission = "0644" + content = < 1 when: + - not system_is_container - rhel_08_010020 tags: - RHEL-08-010020 
@@ -136,6 +137,43 @@ - SV-230223r792855_rule - V-230223 +- name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords." + block: + - name: "HIGH | RHEL-08-010121 | AUDIT | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" + shell: "awk -F: '!$2 {print $1}' /etc/shadow" + changed_when: false + failed_when: false + check_mode: false + register: rhel_08_010121_no_pw_users + + - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" + debug: + msg: + - "Alert! You have users that are not using passwords. Please either set a password, lock, or remove the accounts below:" + - "{{ rhel_08_010121_no_pw_users.stdout_lines }}" + when: + - rhel_08_010121_no_pw_users.stdout | length > 0 + - not rhel8stig_disruption_high + + - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Lock accounts with no passwords, disruptive" + user: + name: "{{ item }}" + password_lock: yes + with_items: + - "{{ rhel_08_010121_no_pw_users.stdout_lines }}" + when: + - rhel_08_010121_no_pw_users.stdout | length > 0 + - rhel8stig_disruption_high + when: + - rhel_08_010121 + tags: + - RHEL-08-010121 + - CAT1 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251706r809342_rule + - V-251706 + - name: | "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance." "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes." 
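Review bot: The audit task for RHEL-08-010121 sets `failed_when: false` on the `awk ... /etc/shadow` read, so an unreadable /etc/shadow or missing awk yields empty stdout and the CAT1 control reports no finding and locks nothing; a read failure on a blank-password check should fail loudly. Drop `failed_when: false` from that task (or use `failed_when: rhel_08_010121_no_pw_users.rc != 0`) so the play stops instead of passing silently. Two smaller points in the same block: the warn-only task is named `PATCH` but only prints a message, so `AUDIT` fits the file's naming, and `password_lock: yes` should be `password_lock: true` per the role's lint configuration.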
@@ -153,6 +191,7 @@ mode: 0640 notify: confirm grub2 user cfg when: + - not system_is_container - not system_is_ec2 - rhel_08_010140 or rhel_08_010150 @@ -288,6 +327,7 @@ when: - rhel_08_020330 - rhel8stig_disruption_high + - rhel8stig_ssh_required tags: - RHEL-08-020330 - CAT1 @@ -373,6 +413,7 @@ notify: systemctl daemon-reload when: - rhel_08_040170 + - not system_is_container tags: - RHEL-08-040170 - CAT1 @@ -402,6 +443,8 @@ with_items: - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' } - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' } + loop_control: + label: "{{ item.line }}" when: rhel_08_040171_logout_settings_status.stdout | length == 0 - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" @@ -412,7 +455,7 @@ when: rhel_08_040171_logout_settings_status.stdout | length > 0 when: - rhel_08_040171 - - "'gnome-desktop' in ansible_facts.packages" + - "'gnome-desktop' in ansible_facts.packages or 'gnome-desktop3' in ansible_facts.packages" tags: - RHEL-08-040171 - CAT1 @@ -429,6 +472,7 @@ notify: systemctl daemon-reload when: - rhel_08_040172 + - not system_is_container tags: - RHEL-08-040172 - CAT1 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 32f9142a..98a952a5 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -5,16 +5,18 @@ - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee" debug: msg: - - "ALERT! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" + - "WARNING!! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" - "McAfee is the suggested by STIG" when: - - "'mcafeetp' or 'mfetpd' not in ansible_facts.packages" + - "'mcafeetp' not in ansible_facts.packages or + 'mfetpd' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present" debug: msg: "Congratulations! You have McAfee installed" when: - - "'mcafeetp' or 'mfetpd' in ansible_facts.packages" + - "'mcafeetp' in ansible_facts.packages or + 'mfetpd' in ansible_facts.packages" when: - rhel_08_040286 - rhel8stig_av_sftw == 'mcafee' 
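Review bot: The rewritten conditions for RHEL-08-010001 still contradict each other when exactly one of the two packages is installed: `'mcafeetp' not in ... or 'mfetpd' not in ...` prints the "no McAfee" alert while `'mcafeetp' in ... or 'mfetpd' in ...` prints the "installed" message in the same run. If either package counts as the tool being present, the alert condition should be `"'mcafeetp' not in ansible_facts.packages and 'mfetpd' not in ansible_facts.packages"`. Separately, the block's outer `when:` keys on `rhel_08_040286` although the task, tags and message are all RHEL-08-010001, which looks like a copy-paste from another control; please confirm the intended toggle variable.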
@@ -52,17 +54,18 @@ - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning" debug: msg: - - 'WARNING!! Below is partition layout. Please run the "sudo more /etc/crypttab" command to confirm' - - "every persistent disk partition has an entry. If partitions other than psuedo file systems (such as /var or /sys) this is a finding" + - 'WARNING!! Below is the partition layout. Please run the "sudo more /etc/crypttab" command to confirm every persistent disk partition has an entry.' + - "If partitions other than psuedo file systems (such as /var or /sys) this is a finding" - "{{ rhel_08_010030_partition_layout.stdout_lines }}" - when: rhel_08_010030 + when: + - rhel_08_010030 tags: - RHEL-08-010030 - CAT2 - CCI-001199 - SRG-OS-000185-GPOS-00079 - - SV-230224r627750_rule + - SV-230224r809268_rule - V-230224 - name: | @@ -76,6 +79,8 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' line: 'Banner /etc/issue' + when: + - rhel8stig_ssh_required - name: | "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" @@ -167,6 +172,7 @@ - SRG-OS-000032-GPOS-00013 - SV-230228r627750_rule - V-230228 + - rsyslog # This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm. - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." 
@@ -180,9 +186,9 @@ - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" debug: msg: - - "WARNING!!!!The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" + - "WARNING!! The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" - - "{{ rhel_08_010090_certs_list.stdout_lines }}" + - "{{ rhel_08_010090_certs_list.stdout_lines | default('None-found') }}" when: - rhel_08_010090 tags: @@ -190,7 +196,7 @@ - CAT2 - CCI-000185 - SRG-OS-000066-GPOS-00034 - - SV-230229r627750_rule + - SV-230229r809270_rule - V-230229 - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." @@ -206,6 +212,7 @@ path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" when: - rhel_08_010100 + - rhel8stig_ssh_required tags: - RHEL-08-010100 - CAT2 @@ -250,7 +257,7 @@ - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" debug: msg: - - "ALERT!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" + - "WARNING!! The following accounts do not have FIPS 140-2 hasing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" when: - not rhel8stig_disruption_high 
@@ -267,14 +274,11 @@ - V-230232 - disruption_high -- name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 password-auth file must be configured to use a sufficient number of hashing rounds." - pamd: - name: password-auth - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" - state: args_present +- name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds." + lineinfile: + path: /etc/login.defs + regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s + line: SHA_CRYPT_MIN_ROUNDS {{ rhel8stig_hashing_rounds }} when: - rhel_08_010130 tags: @@ -282,29 +286,10 @@ - CAT2 - CCI-000196 - SRG-OS-000073-GPOS-00041 - - SV-230233r743919_rule + - SV-230233r809273_rule - V-230233 - pamd -- name: "MEDIUM | RHEL-08-010131 | PATCH | The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds." - pamd: - name: system-auth - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" - state: args_present - when: - - rhel_08_010131 - tags: - - RHEL-08-010131 - - CAT2 - - CCI-000196 - - SRG-OS-000073-GPOS-00041 - - SV-244520r743809_rule - - V-244520 - - pamd - - name: | "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." 
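Review bot: The new RHEL-08-010130 task anchors with `regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s`, and the leading `.*` matches any line that merely contains the token, so a comment that mentions the setting would be rewritten into the directive; `regexp: '^#?\s*SHA_CRYPT_MIN_ROUNDS\s'` keeps the intent of replacing the shipped commented default without that side effect. The task is still tagged `pamd` although it no longer touches PAM, so `--tags pamd` runs will include it and `--tags login_defs` runs will not; rename the tag. A comment such as `# SHA_CRYPT_MIN_ROUNDS is only honoured when ENCRYPT_METHOD is SHA256/SHA512 (see login.defs(5)); ENCRYPT_METHOD is set by RHEL-08-010110` would tell the next maintainer why this control depends on the other one, presumably set elsewhere in the role.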
@@ -318,9 +303,11 @@ - { regexp: '^set superusers', line: 'set superusers="{{ rhel8stig_boot_superuser }}"', insertafter: '### BEGIN /etc/grub.d/01_users ###' } - { regexp: '^export superusers', line: 'export superusers', insertafter: '^set superusers' } - { regexp: '^password_pbkdf2', line: 'password_pbkdf2 {{ rhel8stig_boot_superuser }} ${GRUB2_PASSWORD}', insertafter: '^export superusers' } + loop_control: + label: "{{ item.line }}" when: - rhel_08_010141 or - rhel_08_010141 + rhel_08_010149 tags: - RHEL-08-010141 - RHEL-08-010149 @@ -331,6 +318,7 @@ - SV-244522r792984_rule - V-244521 - V-244522 + - grub - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." lineinfile: @@ -387,11 +375,11 @@ - CAT2 - CCI-000803 - SRG-OS-000120-GPOS-00061 - - SV-244524r743821_rule + - SV-244524r809331_rule - V-244524 - pamd -- name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." +- name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." pamd: name: password-auth type: password @@ -406,7 +394,7 @@ - CAT2 - CCI-000803 - SRG-OS-000120-GPOS-00061 - - SV-230237r743931_rule + - SV-230237r809276_rule - V-230237 - pamd @@ -462,7 +450,7 @@ notify: change_requires_reboot when: - rhel_08_010170 or rhel_08_010450 - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_disruption_high tags: - CAT2 @@ -553,6 +541,7 @@ - rhel_08_010210 or rhel_08_010220 or rhel_08_010230 + - not system_is_container tags: - CAT2 - RHEL-08-010210 @@ -686,7 +675,7 @@ name: tmux state: present when: - - rhel_08_020032 + - rhel_08_020039 - "'tmux' not in ansible_facts.packages" tags: - RHEL-08-020039 
@@ -772,12 +761,13 @@ notify: change_requires_reboot when: - rhel_08_010287 + - rhel8stig_ssh_required tags: - RHEL-08-010287 - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-244526r743827_rule + - SV-244526r809334_rule - V-244526 - ssh @@ -790,7 +780,7 @@ "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Get current FIPS mode state" command: fips-mode-setup --check changed_when: false - failed_when: false + failed_when: rhel_08_010290_pre_fips_check.stdout is not defined register: rhel_08_010290_pre_fips_check - name: | @@ -829,7 +819,7 @@ - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" command: fips-mode-setup --check changed_when: false - failed_when: false + failed_when: rhel_08_010293_pre_fips_check.stdout is not defined register: rhel_08_010293_pre_fips_check - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" 
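Review bot: `failed_when: rhel_08_010290_pre_fips_check.stdout is not defined` (and the identical change for 010293) is evaluated against the registered result of the task itself, and as far as I can tell the `command` module always returns a `stdout` key even on a non-zero exit, so the condition is never true and the task behaves exactly like the `failed_when: false` it replaces. If the intent is to tolerate a non-zero exit from `fips-mode-setup --check` in the "disabled" state, key on the return code, e.g. `failed_when: rhel_08_010290_pre_fips_check.rc not in [0, 2]  # 2 = FIPS disabled`, and confirm the exit codes against the installed crypto-policies version, or keep `failed_when: false` with a comment saying the failure is deliberately ignored.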
@@ -849,11 +839,25 @@ - fips - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." - lineinfile: - path: /etc/crypto-policies/back-ends/opensslcnf.config - regexp: '^MinProtocol =' - line: "MinProtocol = TLSv1.2" - notify: change_requires_reboot + block: + - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." + lineinfile: + path: /etc/crypto-policies/back-ends/opensslcnf.config + regexp: '^MinProtocol =' + line: "MinProtocol = TLSv1.2" + notify: change_requires_reboot + when: ansible_facts.packages['crypto-policies'][0].version | int < 20210617 + + - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." + lineinfile: + path: /etc/crypto-policies/back-ends/opensslcnf.config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: change_requires_reboot + with_items: + - { regexp: '^TLS.MinProtocol = ', line: "TLS.MinProtocol = TLSv1.2" } + - { regexp: '^DTLS.MinProtocol =', line: "DTLS.MinProtocol = DTLSv1.2" } + when: ansible_facts.packages['crypto-policies'][0].version | int >= 20210617 when: - rhel_08_010294 tags: @@ -861,7 +865,7 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-230255r627750_rule + - SV-230255r809382_rule - V-230255 - openssl 
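Review bot: `ansible_facts.packages['crypto-policies'][0].version | int < 20210617` raises an undefined-variable error when the package is absent, and if the version string is not purely numeric `| int` silently yields 0 and always selects the legacy `MinProtocol` branch; guard the lookup and make the fallback explicit, e.g. `when: "'crypto-policies' in ansible_facts.packages and ansible_facts.packages['crypto-policies'][0].version | int(-1) < 20210617"` (mirrored with `>=` on the second task). The two sub-tasks also carry the identical name, so play output cannot tell which branch ran; suffix them `| Set MinProtocol (crypto-policies < 20210617)` and `| Set TLS/DTLS MinProtocol (crypto-policies >= 20210617)`. A short comment above the block recording where the 20210617 cut-over comes from would keep the constant reviewable.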
@@ -980,6 +984,141 @@ - V-230262 - permissions +- name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive." + block: + - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Get directories" + shell: find /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type d + changed_when: false + failed_when: false + check_mode: false + register: rhel_08_010331_directories + + - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Alert on permissions" + debug: + msg: + - "Alert! There are library directories that have permessions set to more permissive than 755" + - "To conform to STIG standards, please review these directories and set to 755 or less permissive" + - "{{ rhel_08_010331_directories.stdout_lines }}" + when: + - not rhel8stig_disruption_high + - rhel_08_010331_directories.stdout | length > 0 + + - name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive. | Set permissions" + file: + path: "{{ item }}" + state: directory + mode: "{{ rhel8stig_lib_dir_perms }}" + with_items: + - "{{ rhel_08_010331_directories.stdout_lines }}" + when: + - rhel8stig_disruption_high + - rhel_08_010331_directories.stdout | length > 0 + when: + - rhel_08_010331 + tags: + - RHEL-08-010331 + - CAT2 + - CCI-001499 + - SV-251707r809345_rule + - V-251707 + - permissions + +- name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root." + block: + - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. | Get directories" + shell: find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d + changed_when: false + failed_when: false + check_mode: false + register: rhel_08_010341_directories + + - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. 
| Alert on permissions" + debug: + msg: + - "Alert! There are library directories that are not owned by root" + - "To conform to STIG standards, please review these directories and change owner to root" + - "{{ rhel_08_010341_directories.stdout_lines }}" + when: + - rhel_08_010341_directories.stdout | length > 0 + - not rhel8stig_disruption_high + + - name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root. | Set permissions" + file: + path: "{{ item }}" + state: directory + owner: root + with_items: + - "{{ rhel_08_010341_directories.stdout_lines }}" + when: + - rhel_08_010341_directories.stdout | length > 0 + - rhel8stig_disruption_high + when: + - rhel_08_010341 + tags: + - RHEL-08-010341 + - CAT2 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-251708r810012_rule + - V-251708 + - permissions + +- name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account." + block: + - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Get directories" + shell: find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d + changed_when: false + failed_when: false + check_mode: false + register: rhel_08_010351_directories + + - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Alert on permissions" + debug: + msg: + - "Alert! There are library directories that are not group owned by root." + - "To conform to STIG standards, please review these directories and change group owner to root" + - "{{ rhel_08_010351_directories.stdout_lines }}" + when: + - rhel_08_010351_directories.stdout | length > 0 + - not rhel8stig_disruption_high + + - name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account. 
| Set permissions" + file: + path: "{{ item }}" + state: directory + group: root + with_items: + - "{{ rhel_08_010351_directories.stdout_lines }}" + when: + - rhel_08_010351_directories.stdout | length > 0 + - rhel8stig_disruption_high + when: + - rhel_08_010351 + tags: + - RHEL-08-010351 + - CAT2 + - CCI-001499 + - SRG-OS-000259-GPOS-00100 + - SV-251709r810014_rule + - V-251709 + - permissions + +- name: "MEDIUM | RHEL-08-010359 | PATCH | The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions." + package: + name: aide + state: present + when: + - rhel_08_010359 + - "'aide' not in ansible_facts.packages" + tags: + - RHEL-08-010359 + - CAT2 + - CCI-002696 + - SRG-OS-000445-GPOS-00199 + - SV-251710r809354_rule + - V-251710 + - aide + - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." cron: name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' @@ -1004,6 +1143,7 @@ when: - rhel_08_010360 - rhel8stig_disruption_high + - "'crontabs' in ansible_facts.packages" tags: - RHEL-08-010360 - CAT2 @@ -1012,10 +1152,12 @@ - SV-230263r627750_rule - V-230263 - aide + - cron - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010372 
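Review bot: The RHEL-08-010351 audit uses `find ... ! -group root -type d` and the fix forces `group: root`, but the control text in the task name allows group ownership by root *or a system account*, so directories legitimately group-owned by a system account are reported as findings and re-owned in disruptive mode. Narrow the find to non-system groups, e.g. `find /lib /lib64 /usr/lib /usr/lib64 -type d ! -group root ! -gid -1000` (confirm the boundary against the site's SYS_GID_MAX), and apply the same reasoning to the remediation loop. All three `find` tasks run under `shell:` with no shell features, so `command:` is sufficient and removes a lint skip, and `failed_when: false` on each makes a find error look like a clean result. The new messages use `Alert!` while this same commit standardises the rest of the file on `WARNING!!`.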
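Review bot: Adding `changed_when: true` to a `debug` task makes RHEL-08-010372 (and the sibling sysctl controls changed the same way) report changed on every run, so the role can never show an idempotent second pass and the handler fires unconditionally. If the goal is only to guarantee the `update sysctl` handler runs, a comment saying so is needed, e.g. `# changed_when: true forces the 'update sysctl' handler; this task is never idempotent by design`, or better, have the task call the `sysctl` module for its own key so changed status is real.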
@@ -1030,7 +1172,8 @@ - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010373 @@ -1045,7 +1188,8 @@ - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010374 @@ -1058,6 +1202,23 @@ - V-230268 - sysctl +- name: "MEDIUM | RHEL-08-010379 | PATCH | RHEL 8 must specify the default 'include' directory for the /etc/sudoers file." + lineinfile: + path: /etc/sudoers + regex: '^#includedir' + line: '#includedir /etc/sudoers.d' + validate: '/usr/sbin/visudo -cf %s' + when: + - rhel_08_010379 + tags: + - RHEL-08-010379 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251711r810015_rule + - V-251711 + - sudoers + - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." replace: path: "{{ item }}" @@ -1075,7 +1236,7 @@ - SRG-OS-000373-GPOS-00156 - SV-230271r627750_rule - V-230271 - - sudoers + - sudo - name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." replace: @@ -1094,7 +1255,7 @@ - SRG-OS-000373-GPOS-00156 - SV-230272r627750_rule - V-230272 - - sudoers + - sudo - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." package: 
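Review bot: The RHEL-08-010379 task matches `regex: '^#includedir'`, which also matches an existing `#includedir /some/other/dir` line and rewrites it to `/etc/sudoers.d`, silently dropping an include path an administrator may depend on rather than adding the required one alongside it. Anchor on the exact directive, `regexp: '^#includedir\s+/etc/sudoers\.d\s*$'` with `insertafter: EOF`, so a differing include is left alone and the STIG-required line is appended. The `validate: '/usr/sbin/visudo -cf %s'` guard is the right call and should stay; a one-line comment noting that `#includedir` is a sudo directive, not a comment, would spare the next reader a double take.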
@@ -1132,7 +1293,7 @@ - CAT2 - CCI-001948 - SRG-OS-000375-GPOS-00160 - - SV-230274r743945_rule + - SV-230274r809281_rule - V-230274 - multifactor @@ -1142,6 +1303,7 @@ state: present when: - rhel_08_010410 + - not system_is_container tags: - RHEL-08-010410 - CAT2 @@ -1169,7 +1331,7 @@ - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" debug: msg: - - "ALERT!! You do not have execute disable active. Please change the setting in your BIOS settings" + - "WARNING!! You do not have execute disable active. Please change the setting in your BIOS settings" when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' when: - rhel_08_010420 @@ -1217,7 +1379,7 @@ - CAT2 - CCI-001084 - SRG-OS-000134-GPOS-00068 - - SV-230277r792884_rule + - SV-230277r792884_rule - V-230277 - grub @@ -1303,7 +1465,8 @@ - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010430 @@ -1335,6 +1498,8 @@ mode: "{{ rhel8stig_ssh_pub_key_perm }}" with_items: - "{{ rhel_08_010480_public_files.files }}" + loop_control: + label: "{{ item.path }}" notify: restart sshd when: - rhel_08_010480 @@ -1367,6 +1532,8 @@ mode: "{{ rhel8stig_ssh_priv_key_perm }}" with_items: - "{{ rhel_08_010490_private_host_key_files.files }}" + loop_control: + label: "{{ item.path }}" notify: restart sshd when: - rhel_08_010490 @@ -1442,6 +1609,7 @@ notify: restart sshd when: - rhel_08_010521 + - rhel8stig_ssh_required tags: - RHEL-08-010521 - CAT2 
@@ -1458,6 +1626,7 @@ line: "GSSAPIAuthentication no" when: - rhel_08_010522 + - rhel8stig_ssh_required tags: - RHEL-08-010522 - CAT2 @@ -1469,12 +1638,11 @@ - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." debug: - msg: "WARNING!!!! /tmp is not mounted on a separate partition" + msg: "WARNING!! /tmp is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex when: - rhel_08_010543 - - not rhel8stig_system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: @@ -1485,14 +1653,14 @@ - SV-230295r627750_rule - V-230295 - complexity-high - - mount + - mounts - tmp - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." block: - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" debug: - msg: "Warning! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" + msg: "WARNING!! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is defined when: "'/var/tmp' not in mount_names" @@ -1530,23 +1698,6 @@ - V-230296 - ssh -- name: "MEDIUM | RHEL-08-010560 | PATCH | The auditd service must be running in RHEL 8." - service: - name: auditd - state: started - enabled: yes - when: - - rhel_08_010560 - - not rhel8stig_system_is_container - tags: - - RHEL-08-010560 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-230297r627750_rule - - V-230297 - - auditd - - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." service: name: rsyslog.service @@ -1627,7 +1778,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-244530r743839_rule + - SV-244530r809336_rule - V-244530 - mounts - efi 
@@ -1670,6 +1821,8 @@ opts: "{{ item.opts }},nodev" with_items: - "{{ rhel8stig_010580_mounts | default([]) }}" + loop_control: + label: "{{ item.mpoint }}" when: - item.device != "/" - "'odev' not in item.opts" @@ -1721,7 +1874,6 @@ - rhel_08_010600 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" @@ -1736,12 +1888,11 @@ - rhel_08_010600 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nodev' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) vars: removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010600 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not (rhel8stig_system_is_chroot and system_is_container) tags: - RHEL-08-010600 - CAT2 @@ -1765,7 +1916,6 @@ - rhel_08_010600 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" @@ -1780,12 +1930,11 @@ - rhel_08_010610 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'noexec' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) vars: removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010610 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not rhel8stig_system_is_chroot tags: - RHEL-08-010610 - CAT2 
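Review bot: The chroot/container guard is now inconsistent across the removable-media tasks: RHEL-08-010600 keeps `not (rhel8stig_system_is_chroot and system_is_container)` while RHEL-08-010610 here and RHEL-08-010620 in the next hunk reduce it to `not rhel8stig_system_is_chroot`, which skips the noexec/nosuid hardening in any chroot even when it is not a container. Pick one form for all three. Separately, the unchanged context lines for the /media and /mnt tasks test `"'noexec' not in home_mount.options"` although the task-level vars define `removable_mount`/`removable_mount2`; if `home_mount` is not set elsewhere this looks like a copy-paste slip that evaluates the wrong mount's options, and the commit does not touch it. The file also now mixes `rhel8stig_system_is_container` and `system_is_container` (010600 here, 010410 and 010680 elsewhere in the diff); confirm both variables are defined or settle on one name.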
@@ -1809,7 +1958,6 @@ - rhel_08_010620 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) vars: removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" @@ -1824,12 +1972,11 @@ - rhel_08_010620 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nosuid' not in home_mount.options" - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) vars: removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" when: - rhel_08_010620 - - not (rhel8stig_system_is_chroot and rhel8stig_system_is_container) + - not rhel8stig_system_is_chroot tags: - RHEL-08-010620 - CAT2 @@ -1926,6 +2073,8 @@ register: rhel_08_010660_world_writable_files with_items: - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening" set_fact: @@ -1969,6 +2118,7 @@ state: stopped when: - rhel_08_010670 + - "'kexec-tools' in ansible_facts.packages" - not rhel8stig_kdump_needed tags: - RHEL-08-010670 @@ -1981,7 +2131,8 @@ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_010671 @@ -2002,6 +2153,7 @@ notify: systemctl daemon-reload when: - rhel_08_010672 + - ansible_service_mgr == 'systemd' tags: - RHEL-08-010672 - CAT2 @@ -2036,6 +2188,7 @@ line: "Storage=none" when: - rhel_08_010674 + - "'systemd' in ansible_facts.packages" tags: - RHEL-08-010674 - CAT2 
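Review bot: Two different guards are introduced for systemd-dependent tasks: RHEL-08-010672 uses `ansible_service_mgr == 'systemd'` while RHEL-08-010674 (and 010675 in the next hunk) use `"'systemd' in ansible_facts.packages"`. The latter only works when `package_facts` has already run, otherwise the condition itself errors; `ansible_service_mgr == 'systemd'` comes from default fact gathering and would be the consistent choice for all three. The `kexec-tools` check added to RHEL-08-010670 genuinely needs package facts, so the dependency on `package_facts` should be stated somewhere the reader of this file can see it.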
@@ -2052,6 +2205,7 @@ line: "ProcessSizeMax=0" when: - rhel_08_010675 + - "'systemd' in ansible_facts.packages" tags: - RHEL-08-010675 - CAT2 @@ -2125,7 +2279,7 @@ when: - rhel_08_010680 - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - not system_is_container - not system_is_ec2 tags: - RHEL-08-010680 @@ -2184,7 +2338,9 @@ owner: "{{ rhel8stig_ww_dir_owner }}" with_items: - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}" - when: rhel_08_010700_world_writable_directories.stdout | length > 0 + when: + - rhel_08_010700_world_writable_directories.stdout is defined + - rhel_08_010700_world_writable_directories.stdout | length > 0 when: - rhel_08_010700 tags: @@ -2210,7 +2366,9 @@ group: "{{ rhel8stig_ww_dir_grpowner }}" with_items: - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}" - when: rhel_08_010710_world_writable_directories.stdout | length > 0 + when: + - rhel_08_010710_world_writable_directories.stdout is defined + - rhel_08_010710_world_writable_directories.stdout | length > 0 when: - rhel_08_010710 tags: @@ -2239,9 +2397,11 @@ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list" debug: msg: - - "WARNING!!!!The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" + - "WARNING!! The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" - "{{ rhel_08_010720_user_list.stdout_lines }}" - when: rhel_08_010720_user_list.stdout | length > 0 + when: + - rhel_08_010720_user_list.stdout is defined + - rhel_08_010720_user_list.stdout | length > 0 when: - rhel_08_010720 tags: 
@@ -2425,7 +2585,7 @@ - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files" debug: msg: - - "ALERT!!! There are files with no user assigned. Please review files listed below and assign owner" + - "WARNING!! There are files with no user assigned. Please review files listed below and assign owner" - "{{ rhel_08_010780_nouser_files.stdout_lines }}" when: rhel_08_010780_nouser_files.stdout | length > 0 when: @@ -2450,7 +2610,7 @@ - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" debug: msg: - - "ALERT!!!! There are files with no group assigned. Please review files listed below and assign group" + - "WARNING!! There are files with no group assigned. Please review files listed below and assign group" - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" when: rhel_08_010790_nogroup_files.stdout | length > 0 when: @@ -2466,12 +2626,11 @@ - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." debug: - msg: "WARNING!!!! /home is not mounted on a separate partition" + msg: "WARNING!! /home is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex when: - rhel_08_010800 - - not rhel8stig_system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length == 0 tags: @@ -2482,7 +2641,7 @@ - SV-230328r627750_rule - V-23032 - complexity-high - - mount + - mounts - home - name: "MEDIUM | RHEL-08-010830 | PATCH | RHEL 8 must not allow users to override SSH environment variables." @@ -2493,6 +2652,7 @@ notify: restart sshd when: - rhel_08_010830 + - rhel8stig_ssh_required - rhel8stig_disruption_high tags: - RHEL-08-010830 
@@ -2508,7 +2668,7 @@ - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less." debug: msg: - - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less." + - "WARNING!! Please check temporary accounts for expiration dates to be 72 hours or less." - "To do this please run sudo chage -l account_name for the accounts you need to check" - "The results will display the Account Expires information" - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name' @@ -2650,7 +2810,7 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so preauth' + regexp: '^auth\s+required pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}" insertafter: '^auth' notify: restart sssd @@ -2661,7 +2821,7 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^auth required pam_faillock.so authfail' + regexp: '^auth\s+required pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} nlock_time={{ rhel8stig_pam_faillock.unlock_time }}' insertafter: '^auth' notify: restart sssd 
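Review bot: The `line:` values written by the RHEL-08-020014 preauth and authfail tasks contain `nlock_time={{ rhel8stig_pam_faillock.unlock_time }}`, which does not look like a pam_faillock option; the module option is `unlock_time`, so if this is a typo the configured unlock period is silently ignored and pam_faillock's built-in default applies instead. These are context lines the commit leaves unchanged while tightening `regexp` to `\s+`, so the same text is re-written on every matched host. Suggested fix on both tasks: `unlock_time={{ rhel8stig_pam_faillock.unlock_time }}`.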
@@ -2672,7 +2832,7 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" lineinfile: path: "/etc/pam.d/{{ item }}" - regexp: '^account required pam_faillock.so' + regexp: '^account\s+required pam_faillock.so' line: 'account required pam_faillock.so' insertafter: '^account' notify: restart sssd @@ -2680,9 +2840,9 @@ - system-auth - password-auth when: - - rhel_08_020013 + - rhel_08_020014 tags: - - RHEL-08-020013 + - RHEL-08-020014 - CAT2 - CCI-000044 - SRG-OS-000021-GPOS-00005 @@ -2973,9 +3133,9 @@ "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. MEDIUM | RHEL-08-020028 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory." shell: "ls -Zd {{ rhel8stig_pam_faillock.dir }}| grep -c faillog_t" - register: faillock_secontext changed_when: false failed_when: false + register: faillock_secontext - name: | "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. @@ -2992,6 +3152,7 @@ when: - rhel_08_020027 or rhel_08_020028 + - not system_is_container tags: - RHEL-08-020027 - RHEL-08-020028 @@ -3002,6 +3163,7 @@ - SV-250316r793010_rule - V-250315 - V-250316 + - selinux - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: 
@@ -3074,11 +3236,17 @@ - V-230348 - tmux -- name: " MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization." - lineinfile: - path: /etc/bashrc - regexp: '^\[ -n "$PS1" -a -z "$TMUX" \]' - line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux' +- name: "MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization. | Set tmux.sh if file exists" + blockinfile: + path: /etc/profile.d/tmux.sh + marker: "# " + block: | + if [ "$PS1" ]; then + parent=$(ps -o ppid= -p $$) + name=$(ps -o comm= -p $parent) + case "$name" in (sshd|login) exec tmux ;; esac + fi + create: true when: - rhel_08_020041 tags: @@ -3086,7 +3254,7 @@ - CAT2 - CCI-000056 - SRG-OS-000028-GPOS-00009 - - SV-230349r627750_rul + - SV-230349r810020_rule - V-230349 - tmux 
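Review bot: `marker: "# "` in the RHEL-08-020041 blockinfile task has no `{mark}` placeholder, so the begin and end markers are the identical line `# ` and blockinfile cannot tell them apart; on a second run it is likely to duplicate or mangle the block rather than replace it, breaking idempotency. Use `marker: "# {mark} ANSIBLE MANAGED BLOCK"` or any marker string that contains `{mark}`. Since `create: true` will create /etc/profile.d/tmux.sh, it is also worth pinning `owner: root`, `group: root` and `mode: 0644` so a file sourced by every login shell is not left with umask-dependent permissions.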
@@ -3278,29 +3446,141 @@ - V-230355 - authentication -- name: "MEDIUM | RHEL-08-020100 | PATCH RHEL 8 must ensure a password complexity module is enabled." +- name: "MEDIUM | RHEL-08-020100 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the password-auth file." lineinfile: - path: "{{ item.path }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" + path: /etc/pam.d/password-auth + regexp: '^password required pam_pwquality.so' + line: 'password required pam_pwquality.so' insertafter: '^password' owner: root group: root mode: 0640 - with_items: - - { path: /etc/pam.d/system-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } - - { path: /etc/pam.d/password-auth, regexp: '^password required pam_pwquality.so', line: 'password required pam_pwquality.so retry=3' } when: - rhel_08_020100 tags: - RHEL-08-020100 - CAT2 - - CCI-000192 + - CCI-000366 - SRG-OS-000069-GPOS-00037 - - SV-230356r627750_rule + - SV-230356r809379_rule - V-230356 - pamd +- name: "MEDIUM | RHEL-08-020101 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the system-auth file." + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^password required pam_pwquality.so' + line: 'password required pam_pwquality.so' + insertafter: '^password' + owner: root + group: root + mode: 0640 + when: + - rhel_08_020101 + tags: + - RHEL-08-020101 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251713r810407_rule + - V-251713 + - pamd + +- name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less." + block: + - name: "MEDIUM | RHEL-08-020102 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. 
| Get pam_pwquality state" + shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwquality.so" + changed_when: false + failed_when: false + register: rhel_08_020102_pwquality_status + + - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" + lineinfile: + path: /etc/pam.d/system-auth + line: 'ppassword required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + insertafter: '^password' + owner: root + group: root + mode: 0640 + when: rhel_08_020102_pwquality_status.stdout | length == 0 + + - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" + pamd: + name: system-auth + type: password + control: required + module_path: pam_pwquality.so + module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}' + state: args_present + when: rhel_08_020102_pwquality_status.stdout | length > 0 + when: + - rhel_08_020102 + - ansible_distribution_version <= "8.4" + tags: + - RHEL-08-020102 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251714r810410_rule + - V-251714 + - pamd + +- name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less." + block: + - name: "MEDIUM | RHEL-08-020103 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. 
| Get pam_pwquality state" + shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwquality.so" + changed_when: false + failed_when: false + register: rhel_08_020103_pwquality_status + + - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" + lineinfile: + path: /etc/pam.d/password-auth + line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' + insertafter: '^password' + owner: root + group: root + mode: 0640 + when: rhel_08_020103_pwquality_status.stdout | length == 0 + + - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Replace if already exists" + pamd: + name: password-auth + type: password + control: required + module_path: pam_pwquality.so + module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}' + state: args_present + when: rhel_08_020103_pwquality_status.stdout | length > 0 + when: + - rhel_08_020103 + - ansible_distribution_version <= "8.4" + tags: + - RHEL-08-020103 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251715r810412_rule + - V-251715 + - pamd + +- name: "MEDIUM | RHEL-08-020104 | PATCH | RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less." 
+ lineinfile: + path: /etc/security/pwquality.conf + regexp: '^retry =|^#.*retry =' + line: retry = {{ rhel8stig_pam_pwquality_retry }} + when: + - rhel_08_020104 + - ansible_distribution_version >= "8.4" + tags: + - RHEL-08-020104 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251716r809372_rule + - V-251716 + - pamd + - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used." lineinfile: path: /etc/security/pwquality.conf @@ -3364,12 +3644,12 @@ - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." lineinfile: path: /etc/security/pwquality.conf + regexp: '^#?\s*maxclassrepeat' + line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" create: yes owner: root group: root mode: 0644 - regexp: '^#?\s*maxclassrepeat' - line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" when: - rhel_08_020140 tags: @@ -3377,7 +3657,7 @@ - CAT2 - CCI-000195 - SRG-OS-000072-GPOS-00040 - - SV-230360r627750_rule + - SV-230360r809289_rule - V-230360 - pwquality 
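Review bot: The RHEL-08-020102 "Set if no pw required pam_pwquality" task writes `line: 'ppassword required pam_pwquality.so retry=...'`; `ppassword` is not a PAM module type, so the entry is never honoured in system-auth and the control is silently not applied — it should read `line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}'` as the 020103 counterpart does. The version guards are string comparisons: `ansible_distribution_version <= "8.4"` is true for `"8.10"` (lexical order), and `<= "8.4"` in 020102/020103 together with `>= "8.4"` in 020104 runs both branches on 8.4; prefer `ansible_distribution_version is version('8.4', '<')` and `is version('8.4', '>=')`. In 020104, `line: retry = {{ ... }}` is an unquoted scalar; quoting it as `line: "retry = {{ rhel8stig_pam_pwquality_retry }}"` avoids surprises from the Jinja braces. Note also that lineinfile's `insertafter: '^password'` inserts after the last matching line unless `firstmatch` is set, i.e. after `pam_unix.so`, where a `sufficient` pam_unix success may short-circuit pwquality — pre-existing, but worth confirming on a rendered file.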
@@ -3533,47 +3813,33 @@ - disruption-high - password -- name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations." +- name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations." block: - - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory rule exists" - pamd: - name: "{{ item }}" - state: before - type: password - control: sufficient - module_path: pam_unix.so - new_type: password - new_control: required - new_module_path: pam_pwhistory.so - with_items: - - "system-auth" - - "password-auth" + - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory status" + shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwhistory.so" + changed_when: false + failed_when: false + register: rhel_08_020220_pwhistory_status - # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent - - name: "MEDIUM | RHEL-08-020220 | AUDIT | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Check for existing password history reuse settings" - command: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel8stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" - check_mode: no - changed_when: no - failed_when: rhel_08_020220_pw_hist_settings.rc > 1 - register: rhel_08_020220_pw_hist_settings - with_items: - - "system-auth" - - "password-auth" + - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. 
| Set if no pw required pw_history" + lineinfile: + path: /etc/pam.d/password-auth + line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" + insertafter: '^password' + owner: root + group: root + mode: 0640 + when: rhel_08_020220_pwhistory_status.stdout | length == 0 - # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - - name: "MEDIUM | RHEL-08-020220 | PATCH | RHEL 8 passwords must be prohibited from reuse for a minimum of five generations. | Ensure pam_pwhistory module arguments are set" + - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" pamd: - name: "{{ item.item }}" - state: updated + name: password-auth type: password control: required module_path: pam_pwhistory.so - module_arguments: - - use_authtok - - remember={{ rhel8stig_pam_pwhistory.remember | default(5) }} - - retry={{ rhel8stig_pam_pwhistory.retries | default(3) }} - with_items: "{{ rhel_08_020220_pw_hist_settings.results }}" - when: item.rc == 1 + module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}' + state: args_present + when: rhel_08_020220_pwhistory_status.stdout | length > 0 when: - rhel_08_020220 tags: 
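Review bot: The RHEL-08-020220 audit step greps only `password.*required.*pam_pwhistory.so`, but the removed code also recognised `requisite`, which is the control authselect profiles use for pam_pwhistory on RHEL 8; on such a host the grep finds nothing and the lineinfile step appends a second pwhistory line. Matching both controls, e.g. `grep -E "password.*(required|requisite).*pam_pwhistory.so"`, avoids the duplicate; the same applies to the RHEL-08-020221 block in the next hunk. The replacement also drops the `state: before ... pam_unix.so` ordering the old pamd task enforced: `insertafter: '^password'` places the new line after the last `password` entry unless `firstmatch` is set, i.e. after `pam_unix.so`, where a `sufficient` pam_unix success may short-circuit pwhistory — worth confirming on a rendered system-auth/password-auth.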
@@ -3581,18 +3847,56 @@ - CAT2 - CCI-000200 - SRG-OS-000077-GPOS-00045 - - SV-230368r627750_rule + - SV-230368r810414_rule - V-230368 - pamd -- name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." - lineinfile: - path: /etc/security/pwquality.conf - create: yes - owner: root - group: root - mode: 0644 - regexp: '^#?\s*minlen' +- name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations." + block: + - name: "MEDIUM | RHEL-08-020221 | AUDIT | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory state " + shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwhistory.so" + changed_when: false + failed_when: false + register: rhel_08_020221_pwhistory_status + + - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pwhistory" + lineinfile: + path: /etc/pam.d/system-auth + line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" + insertafter: '^password' + owner: root + group: root + mode: 0640 + when: rhel_08_020221_pwhistory_status.stdout | length == 0 + + - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. 
| Set if pw required pwhistory exists" + pamd: + name: system-auth + type: password + control: required + module_path: pam_pwhistory.so + module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}' + state: args_present + when: rhel_08_020221_pwhistory_status.stdout | length > 0 + when: + - rhel_08_020221 + tags: + - RHEL-08-020221 + - CAT2 + - CCI-000200 + - SRG-OS-000077-GPOS-00045 + - SV-251717r810415_rule + - V-251717 + - pamd + +- name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." + lineinfile: + path: /etc/security/pwquality.conf + create: yes + owner: root + group: root + mode: 0644 + regexp: '^#?\s*minlen' line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}" when: - rhel_08_020230 @@ -3635,7 +3939,7 @@ - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" debug: msg: - - "ALERT!!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" + - "WARNING!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" when: - rhel_08_020240 @@ -3757,7 +4061,7 @@ - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." debug: msg: - - "WARNING!!!Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" + - "WARNING!! Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" - "{{ rhel_08_020270_system_users.stdout_lines }}" when: - rhel_08_020270 
@@ -3981,16 +4285,10 @@ - umask - name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software." - lineinfile: - path: /etc/audit/rules.d/audit.rules - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv' } - - { regexp: '^-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv' } - - { regexp: '^-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv' } - - { regexp: '^-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv', line: '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv' } - notify: restart auditd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd when: - rhel_08_030000 tags: @@ -4017,6 +4315,7 @@ - SV-230387r743996_rule - V-230387 - cron + - rsyslog - name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event." lineinfile: 
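Review bot: The RHEL-08-030000 message says the `update auditd` handler writes to `/etc/audit.d/99_auditd.rules`, but auditd loads persistent rules from `/etc/audit/rules.d/`, which is also the directory the removed lineinfile used; if the handler actually targets `/etc/audit/rules.d/99_auditd.rules` the message should name that path (the same string appears in the RHEL-08-030190 and 030200 hunks further down). More importantly, the four execpriv rules now live only in the handler's template, so `when: rhel_08_030000` here no longer controls whether they are written; confirm the template honours the per-control variables, otherwise disabling a control in defaults leaves its rules in place, and none are written at all when the handler never fires (e.g. check mode). A comment such as `# the rules themselves are rendered by the 'update auditd' handler; this task only triggers it` would make the indirection clear to the next reader.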
@@ -4070,22 +4369,6 @@ - V-230390 - auditd -- name: "MEDIUM | RHEL-08-030050 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted when the audit storage volume is full." - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^max_log_file_action =' - line: "max_log_file_action = {{ rhel8stig_auditd_max_log_file_action }}" - when: - - rhel_08_030050 - tags: - - RHEL-08-030050 - - CAT2 - - CCI-000140 - - SRG-OS-000047-GPOS-00023 - - SV-230391r743998_rule - - V-230391 - - auditd - - name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full." lineinfile: path: /etc/audit/auditd.conf @@ -4158,6 +4441,7 @@ - V-230396 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access." block: @@ -4183,6 +4467,7 @@ - V-230397 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access." lineinfile: @@ -4200,6 +4485,7 @@ - V-230398 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access." block: @@ -4228,6 +4514,7 @@ - V-230399 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access." block: @@ -4259,6 +4546,7 @@ - V-230400 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access." block: @@ -4285,6 +4573,7 @@ - V-230401 - permissions - log + - auditd - name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change." lineinfile: 
@@ -4478,11 +4767,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- regexp: '^-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
- line: '-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change'
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030190
 tags:
@@ -4495,15 +4783,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030200
 tags:
@@ -4511,99 +4794,15 @@
 - CAT2
 - CCI-000169
 - SRG-OS-000062-GPOS-00031
- - SV-230413r627750_rule
+ - SV-230413r810463_rule
 - V-230413
 - auditd
-- name: "MEDIUM | RHEL-08-030210 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the removexattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S removexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030210
- tags:
- - RHEL-08-030210
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230414r627750_rule
- - V-230414
- - auditd
-
-- name: "MEDIUM | RHEL-08-030220 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lsetxattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030220
- tags:
- - RHEL-08-030220
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230415r627750_rule
- - V-230415
- - auditd
-
-- name: "MEDIUM | RHEL-08-030230 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fsetxattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S fsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030230
- tags:
- - RHEL-08-030230
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230416r627750_rule
- - V-230416
- - auditd
-
-- name: "MEDIUM | RHEL-08-030240 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the fremovexattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030240
- tags:
- - RHEL-08-030240
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230417r627750_rule
- - V-230417
- - auditd
-
 - name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030250
 tags:
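Review bot: Deleting the 030210–030240 tasks (removexattr, lsetxattr, fsetxattr, fremovexattr) also deletes their `RHEL-08-0302x0` / `V-2304xx` tags and `rhel_08_0302x0` toggles, so runs that select controls by tag or disable one of those syscall rules in defaults silently lose that ability; the hunks at `@@ -4952,91` (030362–030365), `@@ -5048,33` (030380) and `@@ -5135,123` (030430–030470) do the same. The bump to `SV-230413r810463_rule` suggests the STIG consolidated the xattr rules under 030200, and that belongs in the surviving task rather than only in the diff, e.g. `# SV-230413r810463: 030210-030240 xattr rules are consolidated here and rendered by the update auditd handler`, together with a statement of which variable now governs the consolidated rules in the handler's template, since the remaining `when: - rhel_08_030200` only gates the debug message. The removed toggles should be documented as retired in defaults or the changelog so existing inventories do not keep setting dead variables.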
@@ -4616,10 +4815,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030260
 tags:
@@ -4631,32 +4830,11 @@
 - V-230419
 - auditd
-- name: "MEDIUM | RHEL-08-030270 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the setxattr system call."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S setxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
- notify: restart auditd
- when:
- - rhel_08_030270
- tags:
- - RHEL-08-030270
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230420r627750_rule
- - V-230420
- - auditd
-
 - name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030280
 tags:
@@ -4669,10 +4847,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030290
 tags:
@@ -4684,37 +4862,27 @@
 - V-230422
 - auditd
-- name: |
- "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
- "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
- - -a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
- - -a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
- notify: restart auditd
+- name: "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
- - rhel_08_030300 or
- rhel_08_030302
+ - rhel_08_030300
 tags:
- - CAT2
 - RHEL-08-030300
- - RHEL-08-030302
+ - CAT2
 - CCI-000169
 - SRG-OS-000062-GPOS-00031
 - SV-230423r627750_rule
- - SV-230425r627750_rule
 - V-230423
- - V-230425
 - auditd
 - name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030301
 tags:
@@ -4726,11 +4894,27 @@
 - V-230424
 - auditd
+- name: "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
+ when:
+ - rhel_08_030302
+ tags:
+ - RHEL-08-030302
+ - CAT2
+ - CCI-000169
+ - SRG-OS-000062-GPOS-00031
+ - SV-230425r627750_rule
+ - V-230425
+ - auditd
+
 - name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030310
 tags:
@@ -4743,10 +4927,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030311
 tags:
@@ -4759,10 +4943,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030312
 tags:
@@ -4775,10 +4959,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030313
 tags:
@@ -4791,10 +4975,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030314
 tags:
@@ -4807,10 +4991,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030315 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030315
 tags:
@@ -4823,10 +5007,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030316
 tags:
@@ -4839,10 +5023,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030317
 tags:
@@ -4855,10 +5039,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030320
 tags:
@@ -4871,10 +5055,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030330
 tags:
@@ -4887,10 +5071,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030340
 tags:
@@ -4903,10 +5087,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030350
 tags:
@@ -4919,13 +5103,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
- - -a always,exit -F arch=b64 -S init_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030360
 tags:
@@ -4933,18 +5114,15 @@
 - CAT2
 - CCI-000169
 - SRG-OS-000062-GPOS-00031
- - SV-230438r627750_rule
+ - SV-230438r810464_rule
 - V-230438
 - auditd
 - name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- - -a always,exit -F arch=b64 -S rename -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030361
 tags:
@@ -4952,91 +5130,15 @@
 - CAT2
 - CCI-000169
 - SRG-OS-000062-GPOS-00031
- - SV-230439r627750_rule
+ - SV-230439r810465_rule
 - V-230439
 - auditd
-- name: "MEDIUM | RHEL-08-030362 | PATCH | Successful/unsuccessful uses of the renameat command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- - -a always,exit -F arch=b64 -S renameat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- notify: restart auditd
- when:
- - rhel_08_030362
- tags:
- - RHEL-08-030362
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230440r627750_rule
- - V-230440
- - auditd
-
-- name: "MEDIUM | RHEL-08-030363 | PATCH | Successful/unsuccessful uses of the rmdir command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- - -a always,exit -F arch=b64 -S rmdir -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- notify: restart auditd
- when:
- - rhel_08_030363
- tags:
- - RHEL-08-030363
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230441r627750_rule
- - V-230441
- - auditd
-
-- name: "MEDIUM | RHEL-08-030364 | PATCH | Successful/unsuccessful uses of the unlink command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- - -a always,exit -F arch=b64 -S unlink -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- notify: restart auditd
- when:
- - rhel_08_030364
- tags:
- - RHEL-08-030364
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230442r627750_rule
- - V-230442
- - auditd
-
-- name: "MEDIUM | RHEL-08-030365 | PATCH | Successful/unsuccessful uses of the unlinkat command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- - -a always,exit -F arch=b64 -S unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
- notify: restart auditd
- when:
- - rhel_08_030365
- tags:
- - RHEL-08-030365
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230443r627750_rule
- - V-230443
- - auditd
-
 - name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030370
 tags:
@@ -5048,33 +5150,11 @@
 - V-230444
 - auditd
-- name: "MEDIUM | RHEL-08-030380 | PATCH | Successful/unsuccessful uses of the finit_module command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
- - -a always,exit -F arch=b64 -S finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
- notify: restart auditd
- when:
- - rhel_08_030380
- tags:
- - RHEL-08-030380
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230445r627750_rule
- - V-230445
- - auditd
-
 - name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
- - -a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030390
 tags:
@@ -5087,10 +5167,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030400
 tags:
@@ -5103,10 +5183,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030410
 tags:
@@ -5119,15 +5199,10 @@
 - auditd
 - name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030420
 tags:
@@ -5135,123 +5210,15 @@
 - CAT2
 - CCI-000169
 - SRG-OS-000062-GPOS-00031
- - SV-230449r627750_rule
+ - SV-230449r810455_rule
 - V-230449
 - auditd
-- name: "MEDIUM | RHEL-08-030430 | PATCH | Successful/unsuccessful uses of the openat system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030430
- tags:
- - RHEL-08-030430
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230450r627750_rule
- - V-230450
- - auditd
-
-- name: "MEDIUM | RHEL-08-030440 | PATCH | Successful/unsuccessful uses of the open system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030440
- tags:
- - RHEL-08-030440
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230451r627750_rule
- - V-230451
- - auditd
-
-- name: "MEDIUM | RHEL-08-030450 | PATCH | Successful/unsuccessful uses of the open_by_handle_at system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030450
- tags:
- - RHEL-08-030450
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230452r627750_rule
- - V-230452
- - auditd
-
-- name: "MEDIUM | RHEL-08-030460 | PATCH | Successful/unsuccessful uses of the ftruncate command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030460
- tags:
- - RHEL-08-030460
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230453r627750_rule
- - V-230453
- - auditd
-
-- name: "MEDIUM | RHEL-08-030470 | PATCH | Successful/unsuccessful uses of the creat system call in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
- notify: restart auditd
- when:
- - rhel_08_030470
- tags:
- - RHEL-08-030470
- - CAT2
- - CCI-000169
- - SRG-OS-000062-GPOS-00031
- - SV-230454r627750_rule
- - V-230454
- - auditd
-
 - name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S chown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030480
 tags:
@@ -5259,18 +5226,15 @@
 - CAT2
 - CCI-000169
 - SRG-OS-000062-GPOS-00031
- - SV-230455r627750_rule
+ - SV-230455r810459_rule
 - V-230455
 - auditd
 - name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."
- lineinfile:
- path: /etc/audit/rules.d/audit.rules
- line: "{{ item }}"
- with_items:
- - -a always,exit -F arch=b32 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b64 -S chmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- notify: restart auditd
+ debug:
+ msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
+ changed_when: true
+ notify: update auditd
 when:
 - rhel_08_030490
 tags:
@@ -5278,110 +5242,15 @@ - CAT2 - CCI-000169 - SRG-OS-000062-GPOS-00031 - - SV-230456r627750_rule + - SV-230456r810462_rule - V-230456 - auditd -- name: "MEDIUM | RHEL-08-030500 | PATCH | Successful/unsuccessful uses of the lchown system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - notify: restart auditd - when: - - rhel_08_030500 - tags: - - RHEL-08-030500 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230457r627750_rule - - V-230457 - - auditd - -- name: "MEDIUM | RHEL-08-030510 | PATCH | Successful/unsuccessful uses of the fchownat system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fchownat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - notify: restart auditd - when: - - rhel_08_030510 - tags: - - RHEL-08-030510 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230458r627750_rule - - V-230458 - - auditd - -- name: "MEDIUM | RHEL-08-030520 | PATCH | Successful/unsuccessful uses of the fchown system call in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - notify: restart auditd - when: - - rhel_08_030520 - tags: - - RHEL-08-030520 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230459r627750_rule - - V-230459 - - auditd - -- name: "MEDIUM | RHEL-08-030530 | PATCH | Successful/unsuccessful uses of the fchmodat system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - notify: restart auditd - when: - - rhel_08_030530 - tags: - - RHEL-08-030530 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230460r627750_rule - - V-230460 - - auditd - -- name: "MEDIUM | RHEL-08-030540 | PATCH | Successful/unsuccessful uses of the fchmod system call in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "{{ item }}" - with_items: - - -a always,exit -F arch=b32 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - - -a always,exit -F arch=b64 -S fchmod -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - notify: restart auditd - when: - - rhel_08_030540 - tags: - - RHEL-08-030540 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-230461r627750_rule - - V-230461 - - auditd - - name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record." 
- lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd - notify: restart auditd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd when: - rhel_08_030550 tags: @@ -5394,10 +5263,10 @@ - auditd - name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod - notify: restart auditd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd when: - rhel_08_030560 tags: @@ -5410,10 +5279,10 @@ - auditd - name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod - notify: restart auditd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd when: - rhel_08_030570 tags: 
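Review bot: The tasks for RHEL-08-030500 through RHEL-08-030540 (lchown, fchownat, fchown, fchmodat, fchmod) are deleted outright rather than replaced with the debug-and-notify stub used for 030480/030490, so the `rhel_08_030500`–`rhel_08_030540` switches and the `V-230457`–`V-230461` tags no longer select anything. If the `update auditd` handler now emits these rules unconditionally (the handler is outside this diff), a user who set one of those variables to false still gets the rule, and a tag-limited run for those IDs reports no task at all. Keeping one stub per control in the 030480 form (`debug:` / `changed_when: true` / `notify: update auditd`, with the original `when` and `tags`) preserves the per-control opt-out and the tag surface. The enclosing task list continues beyond this hunk.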
@@ -5426,10 +5295,10 @@ - auditd - name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules - notify: restart auditd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd when: - rhel_08_030580 tags: @@ -5442,10 +5311,10 @@ - auditd - name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: "-w {{ rhel8stig_pam_faillock.dir }} -p wa -k logins" - notify: restart auditd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd when: - rhel_08_030590 tags: @@ -5458,10 +5327,10 @@ - auditd - name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record." - lineinfile: - path: /etc/audit/rules.d/audit.rules - line: -w /var/log/lastlog -p wa -k logins - notify: restart auditd + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd when: - rhel_08_030600 tags: @@ -5490,6 +5359,7 @@ - SV-230471r627750_rule - V-230471 - permissions + - auditd - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive." block: @@ -5515,6 +5385,7 @@ - SV-230472r627750_rule - V-230472 - permissions + - auditd - name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root." file: 
@@ -5539,6 +5410,7 @@ - SV-230473r744008_rule - V-230473 - permissions + - auditd - name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root." file: @@ -5563,6 +5435,7 @@ - SV-230474r627750_rule - V-230474 - permissions + - auditd - name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools." lineinfile: @@ -5608,7 +5481,7 @@ - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size" debug: msg: - - "ALERT!!!Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition" + - "WARNING!! Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition" - "Path: {{ rhel_08_030660_audit_log_path.stdout }}" - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}" when: @@ -5618,7 +5491,7 @@ - CAT2 - CCI-001849 - SRG-OS-000341-GPOS-00132 - - SV-230476r627750_rule + - SV-230476r809313_rule - V-230476 - auditd @@ -5653,6 +5526,7 @@ - SV-230478r744011_rule - V-230478 - gnutls + - rsyslog - name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited." lineinfile: @@ -5669,6 +5543,7 @@ - SV-230479r627750_rule - V-230479 - auditd + - rsyslog - name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full." lineinfile: @@ -5709,6 +5584,7 @@ - SV-230481r627750_rule - V-230481 - auditd + - rsyslog - name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs." lineinfile: 
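Review bot: The reworded WARNING line for RHEL-08-030660 still carries the typo `partiion` from the old ALERT text, so the edit fixes the prefix but not the word an operator will search the run output for. Suggest `- "WARNING!! Below is the path and size of the partition for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"`.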
@@ -5726,6 +5602,7 @@ - SV-230482r627750_rule - V-230482 - auditd + - rsyslog - name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity." lineinfile: @@ -5767,6 +5644,7 @@ notify: restart {{ rhel8stig_time_service }} when: - rhel_08_030740 + - "'chrony' in ansible_facts.packages" tags: - RHEL-08-030740 - CAT2 @@ -5774,7 +5652,7 @@ - SRG-OS-000355-GPOS-00143 - SV-230484r627750_rule - V-230484 - - chronyd + - chrony - name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed." shell: dnf remove abrt* @@ -5823,6 +5701,7 @@ notify: change_requires_reboot with_items: - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } + - { regexp: '^install uvcvideo', line: 'install uvcvideo /bin/true', insertafter: '##Disable WebCam' } - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } when: - rhel_08_040020 @@ -5831,7 +5710,7 @@ - CAT2 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230493r627750_rule + - SV-230493r809316_rule - V-230493 - camera @@ -5866,7 +5745,7 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_firewall_service == "firewalld" - rhel8stig_start_firewall_service tags: @@ -5901,7 +5780,7 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - not system_is_container - rhel8stig_firewall_service == "iptables" - rhel8stig_start_firewall_service tags: @@ -5921,7 +5800,8 @@ when: - rhel_08_040030 - not rhel8stig_system_is_chroot - - not rhel8stig_system_is_container + - rhel8stig_firewall_service != "not_required" + - rhel8stig_disruptive tags: - RHEL-08-040030 
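Review bot: The new `'chrony' in ansible_facts.packages` guard on RHEL-08-030740 turns a missing chrony into a silent skip, and it reads a package list that reflects the last `package_facts` run rather than the live state, so chrony installed by an earlier task in the same play is not seen (where package facts are gathered is outside this diff). An opt-out is reasonable, but the control is then neither enforced nor reported. Consider refreshing `package_facts` before the check, or pairing the guard with a `debug` that states the control was skipped because the package is absent, so the gap is visible in the run output. The same pattern is added for usbguard in hunk -348 of tasks/fix-cat3.yml.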
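Review bot: The third RHEL-08-040030 task drops its container condition entirely — `not rhel8stig_system_is_container` is replaced by `rhel8stig_firewall_service != "not_required"` and `rhel8stig_disruptive` — while the two sibling 040030 tasks in hunks -5866 and -5901 keep the guard under its new name `not system_is_container`. If the drop is unintended, add `- not system_is_container` alongside the two new conditions so all three tasks skip in containers consistently; if the task is meant to run in containers, a short comment saying so would save the next reader the comparison. The task's body lies above the visible lines of this hunk.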
@@ -5959,17 +5839,17 @@ - name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage." lineinfile: - path: "{{ item.path }}" + path: /etc/modprobe.d/blacklist.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" create: yes owner: root group: root mode: 0640 - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" with_items: - - { path: /etc/modprobe.d/usb-storage.conf, regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } - - { path: /etc/modprobe.d/blacklist.conf, regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} + - { regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } + - { regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} when: - rhel_08_040080 tags: @@ -5977,7 +5857,7 @@ - CAT2 - CCI-000778 - SRG-OS-000114-GPOS-00059 - - SV-230503r627750_rule + - SV-230503r809319_rule - V-230503 - usb_devices @@ -6002,6 +5882,7 @@ enabled: yes when: - rhel_08_040100 + - rhel8stig_firewall_service != "not_required" tags: - RHEL-08-040100 - CAT2 @@ -6051,7 +5932,8 @@ zone: "{{ rhel8stig_custom_firewall_zone }}" permanent: true state: enabled - service: "{{ item }}" + service: "{{ (item == (item | regex_search('^[a-z]+$'))) | bool | ternary(item, omit) }}" + port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | bool | ternary(item, omit) }}" with_items: - "{{ rhel8stig_white_list_services }}" @@ -6068,12 +5950,13 @@ register: rhel_08_040090_default_zone_set when: - rhel_08_040090 + - rhel8stig_firewall_service != "not_required" tags: - RHEL-08-040090 - CAT2 - CCI-002314 - SRG-OS-000297-GPOS-00115 - - SV-230504r627750_rule + - SV-230504r809321_rule - V-230504 - firewall 
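Review bot: The service/port split for the firewalld whitelist treats an entry as a service only when it matches `^[a-z]+$`, so firewalld service names containing digits or hyphens (`dhcpv6-client`, `nfs3` and `rpc-bind` are shipped defaults) match neither pattern, both parameters become `omit`, and the task either errors or silently adds nothing for that entry. The port branch has the same gap for ranges such as `8000-8010/tcp`. Widening the patterns with the `match` test, e.g. `service: "{{ (item is match('^[a-z][a-z0-9-]*$')) | ternary(item, omit) }}"` and `port: "{{ (item is match('^[0-9]+(-[0-9]+)?/(tcp|udp|sctp|dccp)$')) | ternary(item, omit) }}"`, also removes the `item == regex_search(...)` round-trip. The firewalld task starts above the visible lines of this hunk.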
@@ -6123,6 +6006,7 @@ notify: change_requires_reboot when: - rhel_08_040111 + - not system_is_container tags: - RHEL-08-040111 - CAT2 @@ -6397,14 +6281,21 @@ - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." block: + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Check for rules.d/ directory" + stat: + path: /etc/fapolicyd/rules.d/ + register: rhel_08_040137_rules_dir + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " lineinfile: - path: /etc/fapolicyd/fapolicyd.rules + path: "{{ '/etc/fapolicyd/rules.d/99-stig.rules' if rhel_08_040137_rules_dir.stat.exists else '/etc/fapolicyd/fapolicyd.rules' }}" line: "{{ item }}" + create: yes with_items: - "allow exe={{ ansible_python.executable }} : ftype=text/x-python" - "{{ rhel8stig_fapolicy_white_list }}" notify: + - generate fapolicyd rules - restart fapolicyd - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" @@ -6421,7 +6312,7 @@ - CAT2 - CCI-001764 - SRG-OS-000368-GPOS-00154 - - SV-244546r743887_rule + - SV-244546r809339_rule - V-244546 - fapolicy @@ -6458,6 +6349,7 @@ - rhel_08_040139 or rhel_08_040140 or rhel_08_040141 + - not system_is_container tags: - RHEL-08-040139 - RHEL-08-040140 @@ -6480,6 +6372,7 @@ line: 'FirewallBackend=nftables' when: - rhel_08_040150 + - rhel8stig_firewall_service != "not_required" tags: - RHEL-08-040150 - CAT2 
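Review bot: Writing the fapolicyd allow rules to `/etc/fapolicyd/rules.d/99-stig.rules` sorts them after every file the package ships in that directory, and fapolicyd evaluates rules in order with first match winning; the stock rule set includes a deny-execute file in the 90 range, so an allow rule in a 99 file for `{{ ansible_python.executable }}` or the whitelist is never reached for executions already denied earlier. A lower prefix chosen to sort before the deny rule present on the target (a constructed example: `/etc/fapolicyd/rules.d/80-stig.rules`) keeps the whitelist effective; the exact number should be confirmed against the installed rules.d listing. Separately, `create: yes` should be `create: true` to match the boolean convention used elsewhere in this diff. The block continues below this hunk.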
@@ -6513,6 +6406,7 @@ when: - rhel_08_040159 or rhel_08_040160 + - rhel8stig_ssh_required tags: - RHEL-08-040159 - RHEL-08-040160 @@ -6533,6 +6427,7 @@ notify: restart sshd when: - rhel_08_040161 + - rhel8stig_ssh_required tags: - RHEL-08-040161 - CAT2 @@ -6540,7 +6435,7 @@ - RG-OS-000033-GPOS-00014 - SV-230527r627750_rule - V-230527 - - sshd + - ssh - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." systemd: @@ -6550,6 +6445,7 @@ masked: yes daemon_reload: yes when: + - ansible_service_mgr == 'systemd' - rhel_08_040180 tags: - RHEL-08-040180 @@ -6562,7 +6458,8 @@ - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040209 @@ -6577,7 +6474,8 @@ - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040210 @@ -6593,7 +6491,8 @@ - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040220 
@@ -6608,7 +6507,8 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040230 @@ -6623,7 +6523,8 @@ - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040239 @@ -6638,7 +6539,8 @@ - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040240 @@ -6654,7 +6556,8 @@ - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040249 
@@ -6669,7 +6572,8 @@ - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040250 @@ -6685,8 +6589,9 @@ - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sys + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true + notify: update sysctl when: - rhel_08_040259 - not rhel8stig_system_is_router @@ -6701,8 +6606,9 @@ - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sys + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true + notify: update sysctl when: - rhel_08_040260 - not rhel8stig_system_is_router @@ -6717,7 +6623,8 @@ - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040261 
@@ -6734,7 +6641,8 @@ - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040262 @@ -6751,7 +6659,8 @@ - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040270 @@ -6766,7 +6675,8 @@ - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040279 @@ -6781,7 +6691,8 @@ - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040280 
@@ -6797,7 +6708,8 @@ - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040281 @@ -6812,7 +6724,8 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040282 @@ -6827,7 +6740,8 @@ - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040283 @@ -6842,7 +6756,8 @@ - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040284 
@@ -6857,7 +6772,8 @@ - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040285 @@ -6872,7 +6788,8 @@ - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + changed_when: true notify: update sysctl when: - rhel_08_040286 
@@ -6900,21 +6817,42 @@ - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved." package: - name: xorg-x11-server-common + name: + - xorg-x11-server-Xorg + - xorg-x11-server-common + - xorg-x11-server-utils + - xorg-x11-server-Xwayland state: absent + notify: change_requires_reboot when: - rhel_08_040320 - not rhel8stig_gui - - "'xorg-x11-server-common' in ansible_facts.packages" + - "'xorg-x11-server-Xorg' in ansible_facts.packages or 'xorg-x11-server-common' in ansible_facts.packages or 'xorg-x11-server-utils' in ansible_facts.packages or 'xorg-x11-server-Xwayland' in ansible_facts.packages" tags: - RHEL-08-040320 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230553r646886_rule + - SV-230553r809324_rule - V-230553 - gui +- name: "MEDIUM | RHEL-08-040321 | PATCH | The graphical display manager must not be the default target on RHEL 8 unless approved." + file: + src: /usr/lib/systemd/system/multi-user.target + dest: /etc/systemd/system/default.target + state: link + when: + - rhel_08_040321 + tags: + - RHEL-08-040321 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-251718r809378_rule + - V-251718 + - systemctl + - name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode." block: - name: "MEDIUM | RHEL-08-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode" @@ -6931,6 +6869,7 @@ when: - rhel_08_040330 - not rhel8stig_net_promisc_mode_required + - not system_is_container tags: - RHEL-08-040330 - CAT2 @@ -6969,6 +6908,7 @@ line: 'X11UseLocalhost yes' when: - rhel_08_040341 + - rhel8stig_ssh_required tags: - RHEL-08-040341 - CAT2 @@ -7164,7 +7104,7 @@ - CAT2 - CCI-002227 - SRG-OS-000480-GPOS-00227 - - SV-237642r646896_rule + - SV-237642r809326_rule - V-237642 - sudo 
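Review bot: The new RHEL-08-040321 task links `default.target` to `multi-user.target` unconditionally, whereas the adjacent 040320 task it accompanies is gated on `not rhel8stig_gui`; on a host where the GUI is approved this forces a text-mode default and the next reboot lands in multi-user. Add `- not rhel8stig_gui` under the task's `when:` and include the `gui` tag alongside `systemctl`, so the control is selected and skipped together with 040320. The link only takes effect at the next boot, which is worth signalling with `notify: change_requires_reboot` as the neighbouring task does.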
@@ -7201,6 +7141,21 @@ - CAT2 - CCI-002038 - SRG-OS-000373-GPOS-00156 - - SV-237643r792980_rule + - SV-237643r809328_rule - V-237643 - sudo + +- name: "MEDIUM | RHEL-08-010385 | PATCH | The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation." + lineinfile: + path: /etc/pam.d/sudo + regex: 'pam_succeed_if' + state: absent + when: + - rhel_08_010385 + tags: + - RHEL-08-010385 + - CAT2 + - CCI-002038 + - SRG-OS-000373-GPOS-00156 + - SV-251712r810017_rule + - V-251712 diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 4ca813f8..5447ddcf 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -17,11 +17,12 @@ - name: "LOW | RHEL-08-010292 | PATCH | RHEL 8 must ensure the SSH server uses strong entropy." lineinfile: path: /etc/sysconfig/sshd - regexp: '^SSH_USE_STRONG_RNG=|^.*SSH_USE_STRONG_RNG=' + regexp: '^(#)?SSH_USE_STRONG_RNG=' line: SSH_USE_STRONG_RNG=32 notify: restart sshd when: - rhel_08_010292 + - rhel8stig_ssh_required tags: - RHEL-08-010292 - CAT3 @@ -29,11 +30,11 @@ - SRG-OS-000480-GPOS-00227 - SV-230253r627750_rule - V-230253 - - sshd + - ssh - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_010375 @@ -48,7 +49,7 @@ - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: update sysctl when: - rhel_08_010376 
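Review bot: The new RHEL-08-010385 task removes `pam_succeed_if` lines from `/etc/pam.d/sudo` but its tag list omits the `sudo` tag carried by the two sudo tasks directly above it, so a `--tags sudo` run silently leaves this control out. Add `- sudo` at the end of the tags block. The `regex:` key is the alias form of `regexp:`; using `regexp:` would match the spelling used by every other lineinfile task in this diff.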
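Review bot: The two sysctl stubs in tasks/fix-cat3.yml (RHEL-08-010375 and 010376) get the message re-indented but not the `changed_when: true` that every matching stub in tasks/fix-cat2.yml receives in this diff, and a `debug` task never reports changed on its own, so their `notify: update sysctl` can never fire from these tasks. Add `changed_when: true` beneath `msg:` in both, as done for the fix-cat2 stubs, unless the intent is to rely solely on the separate `trigger update sysctl` task in tasks/main.yml, in which case a comment saying so would stop the next reader from re-raising this.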
@@ -81,6 +82,8 @@ line: 'clean_requirements_on_remove=True' with_items: - "{{ rhel_08_010440_package_confs.files }}" + loop_control: + label: "{{ item.path }}" when: - rhel_08_010440 tags: @@ -114,6 +117,7 @@ when: - rhel_08_010471 or rhel_08_010472 + - not system_is_container tags: - RHEL-08-010471 - RHEL-08-010472 @@ -127,12 +131,11 @@ - name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." debug: - msg: "WARNING: /var is not mounted on a separate partition" + msg: "WARNING!! /var is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex when: - rhel_08_010540 - - not rhel8stig_system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/var$') | list | length == 0 tags: @@ -143,7 +146,7 @@ - SV-230292r627750_rule - V-230292 - complexity-high - - mount + - mounts - var - name: "LOW | RHEL-08-010541 | AUDIT | RHEL 8 must use a separate file system for /var/log." @@ -154,7 +157,6 @@ - rhel8stig_audit_complex when: - rhel_08_010541 - - not rhel8stig_system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/var/log$') | list | length == 0 tags: @@ -165,8 +167,7 @@ - SV-230293r627750_rule - V-230293 - complexity_high - - mount - - auditd + - mounts - name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." debug: @@ -176,7 +177,6 @@ - rhel8stig_audit_complex when: - rhel_08_010542 - - not rhel8stig_system_is_container - rhel8stig_complex - ansible_mounts | selectattr('mount', 'match', '^/var/log/audit$') | list | length == 0 tags: @@ -187,7 +187,7 @@ - SV-230294r627750_rule - V-230294 - complexity_high - - mount + - mounts - auditd - name: "LOW | RHEL-08-020024 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." 
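Review bot: The `not rhel8stig_system_is_container` condition is removed from the three mount audits (RHEL-08-010540, 010541 and 010542 in hunks -127, -154 and -176) without the `not system_is_container` replacement that hunk -114 adds to 010471/010472. Inside a container these audits will now evaluate `ansible_mounts` and raise the /var, /var/log and /var/log/audit warnings unless the container vars file loaded in tasks/main.yml sets `rhel_08_010540` through `rhel_08_010542` to false, which this diff does not show. If that file is the intended mechanism, a one-line comment above the first of the three tasks naming it would make the dependency explicit.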
@@ -336,6 +336,7 @@ - SV-230469r792906_rule - V-230469 - grub + - auditd - name: "LOW | RHEL-08-030603 | PATCH | RHEL 8 must enable Linux audit logging for the USBGuard daemon" lineinfile: @@ -348,6 +349,7 @@ mode: 0600 when: - rhel_08_030603 + - "'usbguard' in ansible_facts.packages" tags: - RHEL-08-030603 - CAT3 diff --git a/tasks/main.yml b/tasks/main.yml index c79bb9a4..695a1aee 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,4 +1,5 @@ --- + - name: Gather distribution info setup: gather_subset: distribution,!all,!min 
@@ -9,16 +10,42 @@ - name: Check OS version and family assert: - that: ansible_os_family == 'RedHat' and ansible_distribution_major_version is version_compare('8', '==') - msg: "This role can only be run against RHEL/CENTOS 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') + fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + when: + - not skip_os_check tags: - always - name: Check ansible version assert: that: ansible_version.full is version_compare(rhel8stig_min_ansible_version, '>=') - msg: You must use Ansible {{ rhel8stig_min_ansible_version }} or greater + fail_msg: "You must use Ansible {{ rhel8stig_min_ansible_version }} or greater" + success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ rhel8stig_min_ansible_version }}" + tags: + - always + +- name: Setup rules if container + block: + - name: Discover and set container variable if required + set_fact: + system_is_container: true + + - name: Load variable for container + include_vars: + file: "{{ container_vars_file }}" + + - name: output if discovered is a container + debug: + msg: system has been discovered as a container + when: + - system_is_container + when: + - ansible_connection == 'docker' or + ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: + - container_discovery - always - name: Check rhel8stig_bootloader_password_hash variable has been changed 
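Review bot: `system_is_container` is assigned only inside the block that runs when container detection succeeds, yet this commit adds `not system_is_container` conditions across the task files; unless a default of `false` exists in the role's defaults (outside this diff), each of those conditions raises an undefined-variable error on ordinary hosts. The block's own `when:` also dereferences `ansible_virtualization_type`, which is not part of the distribution-only subset the `setup` task at the top of this file gathers, so it is absent whenever the play's own fact gathering is disabled; `ansible_virtualization_type | default('') in [...]` avoids the failure. The `when: system_is_container` on the inner debug task is always true at that point and can be dropped.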
@@ -28,8 +55,11 @@ when: - not system_is_ec2 + - not system_is_container - rhel_08_010140 or rhel_08_010150 + tags: + - grub - name: Check if using resolv.conf template settings are changed assert: @@ -84,10 +114,12 @@ - CAT3 - low -- name: trigger update sysctl +- name: trigger update sysctl command: /bin/true - notify: update sysctl + changed_when: rhel8stig_trigger_update_sysctl.rc == 0 check_mode: false + register: rhel8stig_trigger_update_sysctl + notify: update sysctl tags: - CAT1 - CAT2 @@ -129,3 +161,5 @@ msg: "{{ audit_results.split('\n') }}" when: - run_audit + tags: + - run_audit diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 17ef3f87..fec86d78 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,6 +2,8 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + changed_when: rhel8stig_run_post_remediation.rc == 0 + register: rhel8stig_run_post_remediation vars: warn: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 78728628..a4d40082 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,11 +1,11 @@ --- -- name: Pre Audit | Setup the audit +- name: "Pre Audit | Setup the audit" include_tasks: LE_audit_setup.yml when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit - name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" file: 
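Review bot: `changed_when: rhel8stig_run_post_remediation.rc == 0` on the post-remediation audit task reports "changed" on every successful run: a non-zero rc already fails the task, so the condition is equivalent to always-changed and a clean audit is indistinguishable from remediation in the play recap. As far as the visible command shows, the run only writes its report to `{{ post_audit_outfile }}`, so `changed_when: false` (or a comment stating why a report write should count as a change) gives operators a changed count they can use as a drift signal. The same pattern is added to the pre-remediation run in tasks/pre_remediation_audit.yml via `rhel8stig_run_pre_remediation`.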
@@ -13,106 +13,112 @@ state: directory mode: '0755' -- name: Pre Audit | If using git for content set up +- name: "Pre Audit | If using git for content set up" block: - - name: Pre Audit | Install git (rh8 python3) - package: - name: git - state: present - when: ansible_distribution_major_version == 8 - - - name: Pre Audit | Install git (rh7 python2) - package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == 7 - - - name: Pre Audit | retrieve audit content files from git - git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + - name: Pre Audit | Install git (rh8 python3) + package: + name: git + state: present + when: + - ansible_distribution_major_version == "8" + - "'git' not in ansible_facts.packages" + + - name: "Pre Audit | Install git (rh7 python2)" + package: + name: git + state: present + vars: + ansible_python_interpreter: "{{ python2_bin }}" + when: + - ansible_distribution_major_version == "7" + - "'git' not in ansible_facts.packages" + +- name: "Pre Audit | retrieve audit content files from git" + git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - - audit_content == 'git' + - audit_content == 'git' -- name: Pre Audit | copy to audit content files to server +- name: "Pre Audit | copy to audit content files to server" copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" mode: 0644 when: - - audit_content == 'copy' + - audit_content == 'copy' -- name: Pre Audit | get audit content from url +- name: "Pre Audit | get audit content from url" get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" when: - - audit_content == 'get_url' + - audit_content == 'get_url' -- name: Pre Audit | Check Goss is available +- name: "Pre Audit | Check Goss is available" block: - - name: Pre Audit | Check for goss file - stat: - path: "{{ audit_bin }}" - 
register: goss_available - - - name: Pre Audit | If audit ensure goss is available - assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists + - name: Pre Audit | Check for goss file + stat: + path: "{{ audit_bin }}" + register: goss_available + + - name: "Pre Audit | If audit ensure goss is available" + assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + when: + - not goss_available.stat.exists when: - - run_audit + - run_audit - name: "Pre Audit | Check whether machine is UEFI-based" stat: path: /sys/firmware/efi register: rhel8_efi_boot tags: - - goss_template + - goss_template -- name: Pre Audit | Copy ansible default vars values to test audit +- name: "Pre Audit | Copy ansible default vars values to test audit" template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 when: - - run_audit + - run_audit tags: - - goss_template + - goss_template - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + changed_when: rhel8stig_run_pre_remediation.rc == 0 + register: rhel8stig_run_pre_remediation vars: warn: false -- name: Pre Audit | Capture audit data if json format +- name: "Pre Audit | Capture audit data if json format" block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "cat {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false - - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" - vars: - summary: 'summary."summary-line"' + - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + command: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false + + - name: "Pre Audit | Capture pre-audit result" + set_fact: + pre_audit_summary: "{{ pre_audit.stdout | 
from_json |json_query(summary) }}" + vars: + summary: 'summary."summary-line"' when: - - audit_format == "json" + - audit_format == "json" -- name: Pre Audit | Capture audit data if documentation format +- name: "Pre Audit | Capture audit data if documentation format" block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false - - - name: Pre Audit | Capture pre-audit result - set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + command: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false + + - name: "Pre Audit | Capture pre-audit result" + set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - - audit_format == "documentation" + - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 828ade65..ac98aaba 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -44,11 +44,13 @@ - cat2 - medium - RHEL-08-010380 + - sudo - name: "PRELIM | RHEL-08-010020 | RHEL-08-010140 | RHEL-08-010150| Install grub2-tools." dnf: name: grub2-tools when: + - not system_is_container - "'grub2-tools' not in ansible_facts.packages" - rhel_08_010020 or rhel_08_010140 or @@ -101,6 +103,7 @@ dnf: name: cronie when: + - not system_is_container - "'cronie' not in ansible_facts.packages" - rhel_08_010360 tags: @@ -150,6 +153,7 @@ dnf: name: rsyslog when: + - not system_is_container - rhel_08_010070 or rhel_08_030010 - "'rsyslog' not in ansible_facts.packages" @@ -177,6 +181,7 @@ dnf: name: audispd-plugins when: + - not system_is_container - rhel_08_030620 or rhel_08_030630 or rhel_08_030640 or @@ -230,6 +235,7 @@ changed_when: not rhel8stig_aide_db_status.stat.exists notify: "{{ rhel8stig_aide_handler }}" when: + - not system_is_container - rhel_08_010360 or rhel_08_010380 or rhel_08_040310 
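Review bot: Moving the `git:` retrieval out of the `Pre Audit | If using git for content set up` block leaves that block with no `when:` at all — the context `when:` just below it now belongs to the new top-level git task — so git is installed (whenever it is missing) on every target even when `audit_content` is `copy` or `get_url`, adding a package a hardened host may have no reason to carry. Give the block back its own condition after the rh7 task: `when:` / `  - audit_content == 'git'`. `version: "{{ audit_git_version }}"` only yields reproducible audit content if that default is a tag or commit rather than a branch, which is worth stating in a comment where the default is defined. Minor: `- name: Pre Audit | Install git (rh8 python3)` and `- name: Pre Audit | Check for goss file` are the two task names this hunk leaves unquoted while quoting every other one.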
@@ -247,6 +253,7 @@ name: libselinux-utils state: present when: + - not system_is_container - "'libselinux-utils' not in ansible_facts.packages" - rhel_08_010170 or rhel_08_010450 @@ -275,7 +282,8 @@ command: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 when: not rhel8stig_ssh_host_rsa_key_stat.stat.exists notify: clean up ssh host key - when: rhel8stig_ssh_required + when: + - rhel8stig_ssh_required - name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." shell: find "{{ item }}" -maxdepth 1 -type f | awk -F"/" '$NF ~ /^\..*$/ {print $NF}' | grep -v history @@ -314,11 +322,6 @@ stat: path: "{{ rhel8stig_sssd_conf }}" register: rhel8stig_sssd_conf_present - when: - - rhel_08_010400 or - rhel_08_020090 or - rhel_08_020250 or - rhel_08_020290 - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" debug: @@ -326,6 +329,11 @@ changed_when: true when: - not rhel8stig_sssd_conf_present.stat.exists + when: + - rhel_08_010400 or + rhel_08_020090 or + rhel_08_020250 or + rhel_08_020290 - name: "PRELIM | Gather interactive user ID min" block: @@ -404,8 +412,11 @@ mode: 0755 owner: root group: root + recurse: yes + setype: faillog_t register: faillock_dir when: + - not system_is_container - rhel_08_020017 - rhel_08_020027 - rhel_08_020028 diff --git a/templates/99-sysctl.conf.j2 b/templates/99-sysctl.conf.j2 index 17bb66cd..4adf6704 100644 --- a/templates/99-sysctl.conf.j2 +++ b/templates/99-sysctl.conf.j2 @@ -52,7 +52,7 @@ kernel.core_pattern = |/bin/false net.ipv4.conf.default.accept_redirects = 0 {% endif %} -{% if rhel_08_040210 %} +{% if rhel_08_040210 and rhel8stig_ipv6_required %} # RHEL-08-040210 net.ipv6.conf.default.accept_redirects = 0 {% endif %} 
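Review bot: The `when:` block added to the sssd.conf warning task appears at the same level as the task's existing `when: - not rhel8stig_sssd_conf_present.stat.exists`; if that is the case, Ansible's YAML loader keeps only the last duplicate key (after a warning), the not-exists guard is lost, and the warning fires on every host where one of the four rules is enabled. Merge them into one list: `when:` / `  - not rhel8stig_sssd_conf_present.stat.exists` / `  - rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290`. The `stat` task two hunks up lost its condition in the same move, which is harmless but means the file is now checked unconditionally.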
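Review bot: `recurse: yes` on the faillock directory task applies the task's `mode: 0755` to every existing tally file under the directory as well as to the directory itself, so the per-user records pam_faillock creates (typically private to root) would gain world-read and execute bits. If the intent is only to relabel to `faillog_t`, keep `mode` on a directory-only task and apply `setype` with `recurse`, or use `sefcontext` plus a `restorecon` step, so file modes are left alone. Also write the boolean as `recurse: true` rather than `yes`, matching `check_mode: false` and `system_is_container: true` elsewhere in this diff. The task header starts above this hunk.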
@@ -82,27 +82,27 @@ net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 {% endif %} -{% if rhel_08_040250 %} +{% if rhel_08_040250 and rhel8stig_ipv6_required %} # RHEL-08-040250 net.ipv6.conf.default.accept_source_route = 0 {% endif %} -{% if rhel_08_040259 %} +{% if rhel_08_040259 and not rhel8stig_system_is_router %} # RHEL-08-040259 net.ipv4.ip_forward = 0 {% endif %} -{% if rhel_08_040260 %} +{% if rhel_08_040260 and not rhel8stig_system_is_router %} # RHEL-08-040260 net.ipv6.conf.all.forwarding = 0 {% endif %} -{% if rhel_08_040261 %} +{% if rhel_08_040261 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} # RHEL-08-040261 net.ipv6.conf.all.accept_ra = 0 {% endif %} -{% if rhel_08_040262 %} +{% if rhel_08_040262 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %} # RHEL-08-040262 net.ipv6.conf.default.accept_ra = 0 {% endif %} @@ -117,7 +117,7 @@ net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 {% endif %} -{% if rhel_08_040280 %} +{% if rhel_08_040280 and rhel8stig_ipv6_required %} # RHEL-08-040280 net.ipv6.conf.all.accept_redirects = 0 {% endif %} diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ce2d32ae..56622e40 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -42,6 +42,7 @@ rhel8stig_bootloader_path: {{ rhel8stig_bootloader_path }} # Cat 1 rules RHEL_08_010000: {{ rhel_08_010000 }} RHEL_08_010020: {{ rhel_08_010020 }} +RHEL_08_010121: {{ rhel_08_010121 }} RHEL_08_010140: {{ rhel_08_010140 }} RHEL_08_010150: {{ rhel_08_010150 }} RHEL_08_010370: {{ rhel_08_010370 }} @@ -54,6 +55,7 @@ RHEL_08_020331: {{ rhel_08_020331 }} RHEL_08_020332: {{ rhel_08_020332 }} RHEL_08_040000: {{ rhel_08_040000 }} RHEL_08_040010: {{ rhel_08_040010 }} +RHEL_08_040060: {{ rhel_08_040060 }} RHEL_08_040170: {{ rhel_08_040170 }} RHEL_08_040171: {{ rhel_08_040171 }} RHEL_08_040172: {{ rhel_08_040172 }} 
@@ -76,7 +78,6 @@ RHEL_08_010100: {{ rhel_08_010100 }}
 RHEL_08_010110: {{ rhel_08_010110 }}
 RHEL_08_010120: {{ rhel_08_010120 }}
 RHEL_08_010130: {{ rhel_08_010130 }}
-RHEL_08_010131: {{ rhel_08_010131 }}
 RHEL_08_010141: {{ rhel_08_010141 }}
 RHEL_08_010149: {{ rhel_08_010149 }}
 RHEL_08_010151: {{ rhel_08_010151 }}
@@ -107,17 +108,23 @@ RHEL_08_010300: {{ rhel_08_010300 }}
 RHEL_08_010310: {{ rhel_08_010310 }}
 RHEL_08_010320: {{ rhel_08_010320 }}
 RHEL_08_010330: {{ rhel_08_010330 }}
+RHEL_08_010331: {{ rhel_08_010331 }}
 RHEL_08_010340: {{ rhel_08_010340 }}
+RHEL_08_010341: {{ rhel_08_010341 }}
 RHEL_08_010350: {{ rhel_08_010350 }}
+RHEL_08_010351: {{ rhel_08_010351 }}
+RHEL_08_010359: {{ rhel_08_010359 }}
 RHEL_08_010360: {{ rhel_08_010360 }}
 RHEL_08_010372: {{ rhel_08_010372 }}
 RHEL_08_010373: {{ rhel_08_010373 }}
 RHEL_08_010374: {{ rhel_08_010374 }}
+RHEL_08_010379: {{ rhel_08_010379 }}
 RHEL_08_010380: {{ rhel_08_010380 }}
 RHEL_08_010381: {{ rhel_08_010380 }}
 RHEL_08_010382: {{ rhel_08_010382 }}
 RHEL_08_010383: {{ rhel_08_010383 }}
 RHEL_08_010384: {{ rhel_08_010384 }}
+RHEL_08_010385: {{ rhel_08_010385 }}
 RHEL_08_010390: {{ rhel_08_010390 }}
 RHEL_08_010400: {{ rhel_08_010400 }}
 RHEL_08_010410: {{ rhel_08_010410 }}
@@ -138,7 +145,6 @@ RHEL_08_010522: {{ rhel_08_010522 }}
 RHEL_08_010543: {{ rhel_08_010543 }}
 RHEL_08_010544: {{ rhel_08_010544 }}
 RHEL_08_010550: {{ rhel_08_010550 }}
-RHEL_08_010560: {{ rhel_08_010560 }}
 RHEL_08_010561: {{ rhel_08_010561 }}
 RHEL_08_010570: {{ rhel_08_010570 }}
 RHEL_08_010571: {{ rhel_08_010571 }}
@@ -174,7 +180,6 @@ RHEL_08_010780: {{ rhel_08_010780 }}
 RHEL_08_010790: {{ rhel_08_010790 }}
 RHEL_08_010800: {{ rhel_08_010800 }}
 RHEL_08_010830: {{ rhel_08_010830 }}
-
 RHEL_08_020000: {{ rhel_08_020000 }}
 RHEL_08_020010: {{ rhel_08_020010 }}
 RHEL_08_020011: {{ rhel_08_020011 }}
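Review bot: `RHEL_08_010381: {{ rhel_08_010380 }}` in the `@@ -107,17 +108,23 @@` hunk is the same copy-paste mismatch this commit fixes for 030670/030680 in `@@ -323,8 +312,8 @@`, and that hunk in turn leaves `RHEL_08_030690: {{ rhel_08_030090 }}` untouched; in both cases the goss audit decides whether to test a control from a different rule's toggle, so a disabled control can be reported as audited or an enabled one skipped. Change them to `RHEL_08_010381: {{ rhel_08_010381 }}` and `RHEL_08_030690: {{ rhel_08_030690 }}`, assuming those variables exist in the role defaults.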
@@ -208,6 +213,10 @@ RHEL_08_020081: {{ rhel_08_020081 }} RHEL_08_020082: {{ rhel_08_020082 }} RHEL_08_020090: {{ rhel_08_020090 }} # TODO RHEL_08_020100: {{ rhel_08_020100 }} +RHEL_08_020101: {{ rhel_08_020101 }} +RHEL_08_020102: {{ rhel_08_020102 }} +RHEL_08_020103: {{ rhel_08_020103 }} +RHEL_08_020104: {{ rhel_08_020104 }} RHEL_08_020110: {{ rhel_08_020110 }} RHEL_08_020120: {{ rhel_08_020120 }} RHEL_08_020130: {{ rhel_08_020130 }} @@ -220,6 +229,7 @@ RHEL_08_020190: {{ rhel_08_020190 }} RHEL_08_020200: {{ rhel_08_020200 }} RHEL_08_020210: {{ rhel_08_020210 }} RHEL_08_020220: {{ rhel_08_020220 }} +RHEL_08_020221: {{ rhel_08_020221 }} RHEL_08_020230: {{ rhel_08_020230 }} RHEL_08_020231: {{ rhel_08_020231 }} RHEL_08_020240: {{ rhel_08_020240 }} @@ -240,7 +250,6 @@ RHEL_08_030010: {{ rhel_08_030010 }} RHEL_08_030020: {{ rhel_08_030020 }} RHEL_08_030030: {{ rhel_08_030030 }} RHEL_08_030040: {{ rhel_08_030040 }} -RHEL_08_030050: {{ rhel_08_030050 }} RHEL_08_030060: {{ rhel_08_030060 }} RHEL_08_030061: {{ rhel_08_030061 }} RHEL_08_030062: {{ rhel_08_030062 }} @@ -263,13 +272,8 @@ RHEL_08_030180: {{ rhel_08_030180 }} RHEL_08_030181: {{ rhel_08_030181 }} RHEL_08_030190: {{ rhel_08_030190 }} RHEL_08_030200: {{ rhel_08_030200 }} -RHEL_08_030210: {{ rhel_08_030210 }} -RHEL_08_030220: {{ rhel_08_030220 }} -RHEL_08_030230: {{ rhel_08_030230 }} -RHEL_08_030240: {{ rhel_08_030240 }} RHEL_08_030250: {{ rhel_08_030250 }} RHEL_08_030260: {{ rhel_08_030260 }} -RHEL_08_030270: {{ rhel_08_030270 }} RHEL_08_030280: {{ rhel_08_030280 }} RHEL_08_030290: {{ rhel_08_030290 }} RHEL_08_030300: {{ rhel_08_030300 }} 
@@ -289,28 +293,13 @@ RHEL_08_030340: {{ rhel_08_030340 }}
 RHEL_08_030350: {{ rhel_08_030350 }}
 RHEL_08_030360: {{ rhel_08_030360 }}
 RHEL_08_030361: {{ rhel_08_030361 }}
-RHEL_08_030362: {{ rhel_08_030362 }}
-RHEL_08_030363: {{ rhel_08_030363 }}
-RHEL_08_030364: {{ rhel_08_030364 }}
-RHEL_08_030365: {{ rhel_08_030365 }}
 RHEL_08_030370: {{ rhel_08_030370 }}
-RHEL_08_030380: {{ rhel_08_030380 }}
 RHEL_08_030390: {{ rhel_08_030390 }}
 RHEL_08_030400: {{ rhel_08_030400 }}
 RHEL_08_030410: {{ rhel_08_030410 }}
 RHEL_08_030420: {{ rhel_08_030420 }}
-RHEL_08_030430: {{ rhel_08_030430 }}
-RHEL_08_030440: {{ rhel_08_030440 }}
-RHEL_08_030450: {{ rhel_08_030450 }}
-RHEL_08_030460: {{ rhel_08_030460 }}
-RHEL_08_030470: {{ rhel_08_030470 }}
 RHEL_08_030480: {{ rhel_08_030480 }}
 RHEL_08_030490: {{ rhel_08_030490 }}
-RHEL_08_030500: {{ rhel_08_030500 }}
-RHEL_08_030510: {{ rhel_08_030510 }}
-RHEL_08_030520: {{ rhel_08_030520 }}
-RHEL_08_030530: {{ rhel_08_030530 }}
-RHEL_08_030540: {{ rhel_08_030540 }}
 RHEL_08_030550: {{ rhel_08_030550 }}
 RHEL_08_030560: {{ rhel_08_030560 }}
 RHEL_08_030570: {{ rhel_08_030570 }}
@@ -323,8 +312,8 @@ RHEL_08_030630: {{ rhel_08_030630 }}
 RHEL_08_030640: {{ rhel_08_030640 }}
 RHEL_08_030650: {{ rhel_08_030650 }}
 RHEL_08_030660: {{ rhel_08_030660 }}
-RHEL_08_030670: {{ rhel_08_030370 }}
-RHEL_08_030680: {{ rhel_08_030380 }}
+RHEL_08_030670: {{ rhel_08_030670 }}
+RHEL_08_030680: {{ rhel_08_030680 }}
 RHEL_08_030690: {{ rhel_08_030090 }}
 RHEL_08_030700: {{ rhel_08_030700 }}
 RHEL_08_030710: {{ rhel_08_030710 }}
@@ -392,6 +381,7 @@ RHEL_08_040285: {{ rhel_08_040285 }}
 RHEL_08_040286: {{ rhel_08_040286 }}
 RHEL_08_040290: {{ rhel_08_040290 }}
 RHEL_08_040320: {{ rhel_08_040320 }}
+RHEL_08_040321: {{ rhel_08_040321 }}
 RHEL_08_040330: {{ rhel_08_040330 }}
 RHEL_08_040340: {{ rhel_08_040340 }}
 RHEL_08_040341: {{ rhel_08_040341 }}
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
new file mode 100644
index 00000000..3d9da0ea
--- /dev/null
+++ b/templates/audit/99_auditd.rules.j2
@@ -0,0 +1,127 @@
+# This template will set all of the auditd configurations via a handler in the role in one task instead of individually
+{% if rhel_08_030000 %}
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
+{% endif %}
+{% if rhel_08_030190 %}
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-priv_change
+{% endif %}
+{% if rhel_08_030200 %}
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
+{% endif %}
+{% if rhel_08_030250 %}
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-chage
+{% endif %}
+{% if rhel_08_030260 %}
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030280 %}
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+{% endif %}
+{% if rhel_08_030290 %}
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-passwd
+{% endif %}
+{% if rhel_08_030300 %}
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+{% endif %}
+{% if rhel_08_030301 %}
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+{% endif %}
+{% if rhel_08_030302 %}
+-a always,exit -F arch=b32 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+-a always,exit -F arch=b64 -S mount -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-mount
+{% endif %}
+{% if rhel_08_030310 %}
+-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030311 %}
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030312 %}
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030313 %}
+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030314 %}
+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030315 %}
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030316 %}
+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030317 %}
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-unix-update
+{% endif %}
+{% if rhel_08_030320 %}
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-ssh
+{% endif %}
+{% if rhel_08_030330 %}
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030340 %}
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-pam_timestamp_check
+{% endif %}
+{% if rhel_08_030350 %}
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+{% endif %}
+{% if rhel_08_030360 %}
+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+{% endif %}
+{% if rhel_08_030361 %}
+-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k delete
+{% endif %}
+{% if rhel_08_030370 %}
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-gpasswd
+{% endif %}
+{% if rhel_08_030390 %}
+-a always,exit -F arch=b32 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+-a always,exit -F arch=b64 -S delete_module -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k module_chng
+{% endif %}
+{% if rhel_08_030400 %}
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-crontab
+{% endif %}
+{% if rhel_08_030410 %}
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+{% endif %}
+{% if rhel_08_030420 %}
+-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_access
+{% endif %}
+{% if rhel_08_030480 %}
+-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030490 %}
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030550 %}
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k priv_cmd
+{% endif %}
+{% if rhel_08_030560 %}
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k privileged-usermod
+{% endif %}
+{% if rhel_08_030570 %}
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
+{% endif %}
+{% if rhel_08_030580 %}
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
+{% endif %}
+{% if rhel_08_030590 %}
+-w {{ rhel8stig_pam_faillock.dir }} -p wa -k logins
+{% endif %}
+{% if rhel_08_030600 %}
+-w /var/log/lastlog -p wa -k logins
+{% endif %}
diff --git a/vars/is_container.yml b/vars/is_container.yml
new file mode 100644
index 00000000..37e1ef6d
--- /dev/null
+++ b/vars/is_container.yml
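Review bot: The RHEL-08-030580 kmod rule hard-codes `-F auid>=1000` while every other rule in this template uses `{{ rhel8stig_interactive_uid_start }}`, so on a system where the interactive UID floor is configured differently the kmod rule covers a different user population from the rest of the ruleset. Use `-F auid>={{ rhel8stig_interactive_uid_start }}` there as well. The header comment explains that the rules are applied by a handler in one task; it would also help to note that `rhel8stig_pam_faillock.dir` must be defined whenever `rhel_08_030590` is enabled, since the `-w` line templates it without a default and an undefined value aborts the render.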
@@ -0,0 +1,200 @@
+---
+# Container vars file
+
+rhel8stig_ssh_required: false
+
+# tmux
+rhel_08_020039: false
+rhel_08_020040: false
+rhel_08_020041: false
+rhel_08_020070: false
+
+# auditd
+rhel_08_010560: false
+rhel_08_030000: false
+rhel_08_030020: false
+rhel_08_030040: false
+# rhel_08_030050: false
+rhel_08_030060: false
+rhel_08_030061: false
+rhel_08_030062: false
+rhel_08_030070: false
+rhel_08_030080: false
+rhel_08_030090: false
+rhel_08_030100: false
+rhel_08_030110: false
+rhel_08_030120: false
+rhel_08_030121: false
+rhel_08_030122: false
+rhel_08_030130: false
+rhel_08_030140: false
+rhel_08_030150: false
+rhel_08_030160: false
+rhel_08_030170: false
+rhel_08_030171: false
+rhel_08_030172: false
+rhel_08_030180: false
+rhel_08_030181: false
+rhel_08_030190: false
+rhel_08_030200: false
+rhel_08_030210: false
+rhel_08_030220: false
+rhel_08_030230: false
+rhel_08_030240: false
+rhel_08_030250: false
+rhel_08_030260: false
+# rhel_08_030270: false
+rhel_08_030280: false
+rhel_08_030290: false
+rhel_08_030300: false
+rhel_08_030301: false
+rhel_08_030302: false
+rhel_08_030310: false
+rhel_08_030311: false
+rhel_08_030312: false
+rhel_08_030313: false
+rhel_08_030314: false
+rhel_08_030315: false
+rhel_08_030316: false
+rhel_08_030317: false
+rhel_08_030320: false
+rhel_08_030330: false
+rhel_08_030340: false
+rhel_08_030350: false
+rhel_08_030360: false
+rhel_08_030361: false
+rhel_08_030370: false
+rhel_08_030390: false
+rhel_08_030400: false
+rhel_08_030410: false
+rhel_08_030420: false
+rhel_08_030480: false
+rhel_08_030490: false
+rhel_08_030550: false
+rhel_08_030560: false
+rhel_08_030570: false
+rhel_08_030580: false
+rhel_08_030590: false
+rhel_08_030600: false
+rhel_08_030610: false
+rhel_08_030620: false
+rhel_08_030630: false
+rhel_08_030640: false
+rhel_08_030660: false
+# rhel_08_030690: false # Also rsyslog
+rhel_08_030700: false
+# rhel_08_030710: false # Also rsyslog
+# rhel_08_030720: false # Also rsyslog
+rhel_08_030730: false
+rhel_08_030731: false
+# rhel_08_010542: false # Also Rsyslog
+rhel_08_030063: false
+# rhel_08_030602: false # Also grub
+
+
+# rsyslog
+rhel_08_010070: false
+rhel_08_010561: false
+rhel_08_030010: false
+rhel_08_030670: false
+rhel_08_030680: false
+rhel_08_030690: false
+rhel_08_030710: false
+rhel_08_030720: false
+
+## mounts
+# /tmp
+rhel_08_010543: false
+rhel_08_040123: false
+rhel_08_040124: false
+rhel_08_040125: false
+# /var/log
+rhel_08_040126: false
+rhel_08_040127: false
+rhel_08_040128: false
+rhel_08_010541: false
+# /var/tmp
+rhel_08_010544: false
+rhel_08_040132: false
+rhel_08_040133: false
+rhel_08_040134: false
+# /var/log/audit
+rhel_08_040129: false
+rhel_08_040130: false
+rhel_08_040131: false
+rhel_08_010542: false
+# /home
+rhel_08_010570: false
+rhel_08_010590: false
+rhel_08_010800: false
+# /boot
+rhel_08_010571: false
+# /boot/efi
+rhel_08_010572: false
+#
+rhel_08_010580: false
+# /media
+rhel_08_010610: false
+# /mnt
+rhel_08_010620: false
+# NFS
+rhel_08_010630: false
+rhel_08_010640: false
+rhel_08_010650: false
+# /dev/shm
+rhel_08_040120: false
+rhel_08_040121: false
+rhel_08_040122: false
+# /var
+rhel_08_010540: false
+
+# firewall
+rhel8stig_firewall_service: not_required
+
+# fapolicy
+rhel_08_040135: false
+rhel_08_040136: false
+rhel_08_040137: false
+
+# grub
+rhel_08_010141: false
+rhel_08_010149: false
+rhel_08_010421: false
+rhel_08_010422: false
+rhel_08_010423: false
+rhel_08_030601: false
+rhel_08_030602: false
+rhel_08_040004: false
+
+# modprobe
+rhel_08_040021: false
+rhel_08_040022: false
+rhel_08_040023: false
+rhel_08_040024: false
+rhel_08_040025: false
+rhel_08_040026: false
+
+# chrony
+rhel_08_030740: false
+rhel_08_030741: false
+rhel_08_030742: false
+
+# fips
+rhel_08_010290: false
+rhel_08_010291: false
+rhel_08_010293: false
+
+# aide
+rhel_08_010359: false
+rhel_08_010360: false
+rhel_08_030650: false
+rhel_08_040300: false
+rhel_08_040310: false
+
+# sudo
+rhel_08_010379: false
+rhel_08_010380: false
+rhel_08_010381: false
+rhel_08_010382: false
+rhel_08_010383: false
+rhel_08_010384: false
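Review bot: The file's only explanation is `# Container vars file`, yet it is loaded by the `Setup rules if container` block in tasks/main.yml and turns off the auditd, rsyslog, mount, grub, modprobe, chrony, fips, aide and sudo control families; a header stating that these controls are presumably expected to be enforced by the container host or runtime rather than inside the image would stop a reader of a compliance report from counting them as gaps. Something like `# Loaded by tasks/main.yml when the target is detected as a container; these controls are delegated to the container host and are not applied inside the image` would do. `rhel8stig_firewall_service: not_required` is a bare string among booleans — a comment naming the values the firewall tasks accept would confirm that sentinel is a supported one.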