diff --git a/defaults/main.yml b/defaults/main.yml
index 6a30c7b5..09c32227 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,9 +1,4 @@
 ---
-# If you would like a report at the end accordin to OpenSCAP as to the report results
-# then you should set rhel8stig_oscap_scan to true/yes.
-# NOTE: This requires the python_xmltojson package on the control host.
-rhel8stig_oscap_scan: no
-rhel8stig_report_dir: /tmp
 rhel8stig_cat1_patch: true
 rhel8stig_cat2_patch: true
@@ -108,9 +103,8 @@ rhel_08_010360: true
 rhel_08_010372: true
 rhel_08_010373: true
 rhel_08_010374: true
-# !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO (380/381)
-rhel_08_010380: false
-rhel_08_010381: false
+rhel_08_010380: true
+rhel_08_010381: true
 rhel_08_010390: true
 rhel_08_010400: true
 rhel_08_010410: true
@@ -155,7 +149,7 @@ rhel_08_010720: true
 rhel_08_010730: true
 rhel_08_010740: true
 rhel_08_010750: true
-rhel_01_010760: true
+rhel_08_010760: true
 rhel_08_010770: true
 rhel_08_010780: true
 rhel_08_010790: true
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 0ce1cbe2..681aa534 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -44,12 +44,15 @@
 "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message""
 "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message""
 copy:
- dest: /etc/issue
+ dest: "{{ item }}"
 content: "{{ rhel8stig_logon_banner }}"
 owner: root
 group: root
 mode: '0644'
 notify: restart sshd
+ with_items:
+ - /etc/issue
+ - /etc/issue.net
 when:
 # - not system_is_ec2
 - rhel_08_010040 or
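Review bot: Flipping rhel_08_010380 and rhel_08_010381 to true also deletes the only comment that explained their side effect, so the lockout risk it described is now undocumented in defaults/main.yml. The removed note said these two controls affect whether the vagrant user can still authenticate through sudo; if that is also the account Ansible escalates with, a run can remove its own ability to become root mid-play. Defaulting them to true is the right baseline, but keep a short, non-shouting comment above the pair, e.g. `# 010380/010381 tighten sudo authentication; confirm the account Ansible escalates with can still authenticate before enabling.`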
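Review bot: The new with_items loop writes both /etc/issue and /etc/issue.net whenever the task's when condition passes, but that condition is no longer per-control: the `or` on the hunk's last line (the condition continues past the hunk) suggests it covers both 010040 and 010060, so enabling only one of them still writes both files. If per-control toggling matters, make the item selection follow the control, e.g. a per-item condition on `item`, or keep one task per file. Also, /etc/issue.net is only presented at ssh login if sshd_config carries a matching `Banner` directive; if the role sets that elsewhere, the existing `notify: restart sshd` covers it, otherwise the file is written but never shown.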
@@ -247,8 +250,8 @@
 - kerberos
 - name: |
- "HIGH | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services."
- "HIGH | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
+ "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services."
+ "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
 selinux:
 state: enforcing
 policy: targeted
@@ -296,7 +299,7 @@
 file:
 path: "{{ item }}"
 mode: '1777'
- with_items:
+ with_items:
 - "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
 when:
 - rhel_08_010190
@@ -651,7 +654,7 @@
 name: esc
 state: present
 when: rhel8stig_gui
-
+
 - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages"
 dnf:
 name: openssl-pkcs11
@@ -1575,15 +1578,15 @@
 tags:
 - RHEL-08-010750
-- name: "MEDIUM | REHL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
+- name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
 lineinfile:
 path: /etc/login.defs
 regexp: '.*?CREATE_HOME.*'
 line: CREATE_HOME yes
 when:
- - rhel_01_010760
+ - rhel_08_010760
 tags:
- - REHL-08-010760
+ - RHEL-08-010760
 - login
 - home
@@ -1597,7 +1600,7 @@
 - rhel_08_010770
 - rhel8stig_disruption_high
 - rhel_08_stig_interactive_homedir_inifiles is defined
- tags:
+ tags:
 - RHEL-08-010770
 - complexity-high
@@ -1671,7 +1674,7 @@
 - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
 debug:
- msg:
+ msg:
 - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
 - "To do this please run sudo chage -l account_name for the accounts you need to check"
 - "The results will display the Account Expires information"
@@ -2218,7 +2221,7 @@
 lineinfile:
 path: "/etc/pam.d/{{ item }}"
 regexp: '^auth required pam_faillock.so preauth'
- line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+ line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
 insertafter: '^auth'
 notify: restart sssd
 with_items:
@@ -2881,7 +2884,7 @@
 path: /etc/security/pwquality.conf
 create: yes
 regexp: '^#?\s*dictcheck'
- line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
+ line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
 when:
 - rhel_08_020300
 tags:
@@ -3373,7 +3376,7 @@
 with_items:
 - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
 - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
 notify: restart auditd
 when:
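Review bot: The rewritten pam_faillock preauth line in the @@ -2218 hunk changes `fail_interval=` to `sfail_interval=`, which is not a pam_faillock option, so the value of rhel8stig_pam_faillock.interval stops being applied and the module falls back to its own default window (or logs the unknown option), quietly weakening the lockout policy this task exists to enforce. The diff shows that as the only change on the line, so it reads as an accidental keystroke rather than an intended rename. Restore `}}fail_interval={{ rhel8stig_pam_faillock.interval }}`. A follow-up assert that greps /etc/pam.d/{{ item }} for `fail_interval=` after the edit would catch this class of regression.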
@@ -3406,7 +3409,7 @@
 - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
 - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
- - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
+ - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
 notify: restart auditd
 when:
 - rhel_08_030240
@@ -3623,7 +3626,7 @@
 tags:
 - RHEL-08-030340
 - auditd
-
+
 - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
 lineinfile:
 path: /etc/audit/rules.d/audit.rules
@@ -4319,7 +4322,7 @@
 - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
 debug:
- msg:
+ msg:
 - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
 - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}"
 changed_when: true
@@ -4487,7 +4490,7 @@
 - rhel_08_040090
 tags:
 - RHEL-08-040090
- - firewall
+ - firewall
 - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
 block:
@@ -5177,7 +5180,7 @@
 tags:
 - RHEL-08-040330
-- name: "HIGH | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8."
+- name: "MEDIUM | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8."
 lineinfile:
 path: /etc/ssh/sshd_config
 regexp: '^.*X11Forwarding'