diff --git a/defaults/main.yml b/defaults/main.yml index 905dbd6a..27239908 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -163,7 +163,6 @@ rhel_08_010422: true rhel_08_010423: true rhel_08_010430: true rhel_08_010450: true -rhel_08_010472: true rhel_08_010480: true rhel_08_010490: true rhel_08_010500: true diff --git a/site.yml b/site.yml index f3207c8b..379549f7 100644 --- a/site.yml +++ b/site.yml @@ -1,11 +1,7 @@ --- - hosts: all become: true - vars: - is_container: false roles: + - role: "{{ playbook_dir }}" - rhel8cis_system_is_container: "{{ is_container | default(false) }}" - rhel8cis_skip_for_travis: false - rhel8cis_oscap_scan: yes diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index f7d24436..b15a8aad 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -20,9 +20,9 @@ package: name: dracut-fips state: present - notify: - - rebuild initramfs - - change_requires_reboot + notify: + - rebuild initramfs + - change_requires_reboot when: "'dracut-fips' not in ansible_facts.packages" - name: "RHEL-08-010020 | HIGH | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 737f0d96..ea8ba4bd 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
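Review bot: Dropping `rhel_08_010472: true` from defaults/main.yml leaves any task still gated on `when: rhel_08_010472` with an undefined variable, which fails the play instead of skipping the control; the diff does not show a matching change under tasks/, so confirm that control's task and tag were removed as well. If the control was retired on purpose, a one-line comment at that spot in the toggle list naming the replacement or the reason would spare the next reader a search.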
@@ -1,5 +1,31 @@ --- +- name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool." + block: + - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee" + debug: + msg: + - "ALERT! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" + - "McAfee is the suggested by STIG" + when: + - "'mcafeetp' or 'mfetpd' not in ansible_facts.packages" + + - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present" + debug: + msg: "Congratulations! You have McAfee installed" + when: + - "'mcafeetp' or 'mfetpd' in ansible_facts.packages" + when: + - rhel_08_040286 + - rhel8stig_av_sftw == 'mcafee' + tags: + - RHEL-08-010001 + - CAT2 + - CCI-001233 + - SRG-OS-000191-GPOS-00080 + - SV-245540r754730_rule + - V-245540 + - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." package: name: "*" 
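Review bot: Both `when` conditions inside the new RHEL-08-010001 block are always true: in `'mcafeetp' or 'mfetpd' not in ansible_facts.packages` the `not in` binds to `'mfetpd'` only, and the non-empty string `'mcafeetp'` is a truthy operand of `or`, so the "no McAfee" alert and the "McAfee installed" message both run on every host regardless of what is installed. Test each package explicitly, `- "'mcafeetp' not in ansible_facts.packages and 'mfetpd' not in ansible_facts.packages"` for the alert and `- "'mcafeetp' in ansible_facts.packages or 'mfetpd' in ansible_facts.packages"` for the present case. The outer `when` also gates this task on `rhel_08_040286` while its tags say RHEL-08-010001; the same toggle/tag mismatch appears in the RHEL-08-010141/010149 task (`rhel_08_010141 or rhel_08_010141`, the second should be `rhel_08_010149`) and in the RHEL-08-020039 tmux task (`rhel_08_020032` should be `rhel_08_020039`), so a control can be switched off in defaults and still run, or switched on and never run.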
@@ -79,6 +105,28 @@ - V-230225 - V-230227 +- name: "MEDIUM | RHEL-08-010049 | PATCH | RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon" + lineinfile: + path: /etc/dconf/db/local.d/01-banner-message + regexp: 'banner-message-enabled=' + line: banner-message-enable=true + create: true + mode: '0644' + owner: root + group: root + insertafter: '[org/gnome/login-screen]' + notify: dconf update + when: + - rhel_08_010049 + tags: + - RHEL-08-010049 + - CAT2 + - CCI-000048 + - SRG-OS-000023-GPOS-00006 + - SV-244519r743806_rule + - V-244519 + - banner + - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." copy: dest: /etc/dconf/db/local.d/01-banner-message @@ -106,7 +154,6 @@ - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." lineinfile: path: /etc/rsyslog.conf - # regexp: "{{ item.regexp }}" line: "auth.*;authpriv.*;daemon.* /var/log/secure" create: yes mode: '0644' 
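Review bot: The RHEL-08-010049 lineinfile's `regexp` and `line` name different keys — `regexp: 'banner-message-enabled='` can never match the `banner-message-enable=true` line the task writes, so an existing `banner-message-enable=false` is left in place and a conflicting `=true` line is inserted beside it rather than replacing it; use `regexp: '^banner-message-enable='`. The `insertafter: '[org/gnome/login-screen]'` value is a regular expression, where `[...]` is a character class matching one of the listed characters, so the anchor matches almost any line; escape it as `insertafter: '^\[org/gnome/login-screen\]'`. The RHEL-08-010050 task that follows copies a full file to the same `/etc/dconf/db/local.d/01-banner-message` path, which as far as the hunk shows overwrites this edit on the next task; confirm the copied content already carries the enable key, or fold this key into that copy.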
@@ -239,6 +286,52 @@ - V-230233 - pamd +- name: "MEDIUM | RHEL-08-010131 | PATCH | The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds." + pamd: + name: system-auth + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" + state: args_present + when: + - rhel_08_010131 + tags: + - RHEL-08-010131 + - CAT2 + - CCI-000196 + - SRG-OS-000073-GPOS-00041 + - SV-244520r743809_rule + - V-244520 + - pamd + +- name: | + "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." + "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." + lineinfile: + dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + notify: confirm grub2 user cfg + with_items: + - { regexp: '^set superusers', line: 'set superusers="{{ rhel8stig_boot_superuser }}"', insertafter: '### BEGIN /etc/grub.d/01_users ###' } + - { regexp: '^export superusers', line: 'export superusers', insertafter: '^set superusers' } + - { regexp: '^password_pbkdf2', line: 'password_pbkdf2 {{ rhel8stig_boot_superuser }} ${GRUB2_PASSWORD}', insertafter: '^export superusers' } + when: + - rhel_08_010141 or + rhel_08_010141 + tags: + - RHEL-08-010141 + - RHEL-08-010149 + - CAT2 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-244521r743812_rule + - SV-244522r743815_rule + - V-244521 + - V-244522 + - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." lineinfile: path: /usr/lib/systemd/system/rescue.service 
@@ -259,6 +352,45 @@ - V-230236 - systemd +- name: "MEDIUM | RHEL-08-010152 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency mode." + lineinfile: + path: /usr/lib/systemd/system/emergency.service + regexp: '^ExecStart=' + line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel_08_010152 + tags: + - RHEL-08-010152 + - CAT2 + - CCI-000213 + - SRG-OS-000080-GPOS-00048 + - SV-244523r743818_rule + - V-244523 + - systemd + +- name: "MEDIUM | RHEL-08-010159 | PATCH | The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." + pamd: + name: system-auth + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: sha512 + state: args_present + when: + - rhel_08_010159 + tags: + - RHEL-08-010159 + - CAT2 + - CCI-000803 + - SRG-OS-000120-GPOS-00061 + - SV-244524r743821_rule + - V-244524 + - pamd + - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." pamd: name: password-auth" @@ -416,6 +548,24 @@ - V-230244 - ssh +- name: "MEDIUM | RHEL-08-010201 | PATCH | The RHEL 8 SSH daemon must be configured with a timeout interval" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?ClientAliveInterval.*' + line: ClientAliveCountMax 0 + notify: restart sshd + when: + - rhel_08_010201 + - rhel8stig_ssh_required + tags: + - RHEL-08-010201 + - CAT2 + - CCI-001133 + - SRG-OS-000163-GPOS-00072 + - SV-244525r743824_rule + - V-244525 + - ssh + - name: | "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." 
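Review bot: RHEL-08-010152 writes `mode: 0644` as a bare scalar, which the YAML loader reads as the integer 420; Ansible's file-mode handling tolerates the leading-zero form, but linters flag it as risky and every other task in this file quotes the mode, so `mode: '0644'` keeps the file consistent. The task also uses `create: yes` while the surrounding new tasks use `true`/`false`; `create: true` avoids the YAML 1.1-only boolean spelling.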
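Review bot: In RHEL-08-010201 the `regexp` and `line` address different sshd directives — `regexp: '(?i)^#?ClientAliveInterval.*'` matches the interval line, but `line: ClientAliveCountMax 0` is what gets written, so the task replaces the host's ClientAliveInterval with a count setting, leaves any existing ClientAliveCountMax line untouched, and never sets the timeout interval the task name describes. The line should carry the interval directive with the value the STIG fix text prescribes, e.g. `line: ClientAliveInterval 600`, and if a count setting is wanted it needs its own lineinfile with a matching regexp.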
@@ -444,71 +594,256 @@ - V-230247 - permissions -- name: | - "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." - "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." - "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." - file: - path: /var/log - owner: root - group: root - mode: "{{ rhel8stig_var_log_perm }}" +- name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file." + block: + - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set preauth" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd + + - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd + + - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. 
| Set account faillock" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd when: - - rhel_08_010240 or - rhel_08_010250 or - rhel_08_010260 + - rhel_08_020025 tags: + - RHEL-08-020025 - CAT2 - - RHEL-08-010240 - - RHEL-08-010250 - - RHEL-08-010260 - - CCI-001314 - - SRG-OS-000206-GPOS-00084 - - SV-230248r627750_rule - - SV-230249r627750_rule - - SV-230250r627750_rule - - V-230248 - - V-230249 - - V-230250 - - permissions + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-244533r743848_rule + - V-244533 + - pamd -- name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms." - "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections." +- name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file." block: - - name: | - "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" - "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Get current FIPS mode state" - command: fips-mode-setup --check - changed_when: false - failed_when: false - register: rhel_08_010290_pre_fips_check + - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. 
| Set preauth" + lineinfile: + path: /etc/pam.d/password-auth + regexp: '^auth required pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" + insertafter: '^auth' + notify: restart sssd - - name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS" - "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Enable FIPS" - command: fips-mode-setup --enable - register: rhel_08_010290_fips_enable - notify: change_requires_reboot - when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' + - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set authfail" + lineinfile: + path: /etc/pam.d/password-auth + regexp: '^auth required pam_faillock.so authfail' + line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' + insertafter: '^auth' + notify: restart sssd - - name: | - "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" - "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. 
| Add ssh ciphers" + - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set account faillock" lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: '^CRYPTO_POLICY=' - line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' - notify: change_requires_reboot + path: /etc/pam.d/password-auth + regexp: '^account required pam_faillock.so' + line: 'account required pam_faillock.so' + insertafter: '^account' + notify: restart sssd when: - - rhel_08_010290 or - rhel_08_010291 + - rhel_08_020026 tags: + - RHEL-08-020026 - CAT2 - - RHEL-08-010290 - - RHEL-08-010291 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 + - CCI-000044 + - SRG-OS-000021-GPOS-00005 + - SV-244534r743851_rule + - V-244534 + - pamd + +- name: "MEDIUM | RHEL-08-020031 | PATCH | RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated." + copy: + dest: /etc/dconf/db/local.d/00-screensaver_rhel_08_020031 + content: | + [org/gnome/desktop/screensaver] + lock-delay=uint32 5 + mode: '0644' + notify: dconf update + when: + - rhel_08_020031 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020031 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-244535r743854_rule + - V-244535 + - dconf + +- name: "MEDIUM | RHEL-08-020032 | PATCH | RHEL 8 must disable the user list at logon for graphical user interfaces." + copy: + dest: /etc/dconf/db/local.d/02-login-screen_rhel_08_020032 + content: | + [org/gnome/login-screen] + disable-user-list=true + mode: '0644' + when: + - rhel_08_020032 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020032 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244536r743857_rule + - V-244536 + - dconf + +- name: "MEDIUM | RHEL-08-020039 | PATCH | RHEL 8 must have the tmux package installed." 
+ package: + name: tmux + state: present + when: + - rhel_08_020032 + - "'tmux' not in ansible_facts.packages" + tags: + - RHEL-08-020039 + - CAT2 + - CCI-000056 + - SRG-OS-000028-GPOS-00009 + - SV-244537r743860_rule + - V-244537 + - tmux + +- name: | + "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." + "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." + "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." + file: + path: /var/log + owner: root + group: root + mode: "{{ rhel8stig_var_log_perm }}" + when: + - rhel_08_010240 or + rhel_08_010250 or + rhel_08_010260 + tags: + - CAT2 + - RHEL-08-010240 + - RHEL-08-010250 + - RHEL-08-010260 + - CCI-001314 + - SRG-OS-000206-GPOS-00084 + - SV-230248r627750_rule + - SV-230249r627750_rule + - SV-230250r627750_rule + - V-230248 + - V-230249 + - V-230250 + - permissions + +- name: "MEDIUM | RHEL-08-020081 | PATCH | RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface." + copy: + dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081 + content: | + /org/gnome/desktop/session/idle-delay + mode: '0644' + notify: dconf update + when: + - rhel_08_020081 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020081 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-244538r743863_rule + - V-244538 + +- name: "MEDIUM | RHEL-08-020082 | PATCH | RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." 
+ copy: + dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082 + content: | + /org/gnome/desktop/screensaver/lock-enabled + mode: '0644' + notify: dconf update + when: + - rhel_08_020082 + - rhel8stig_always_configure_dconf + - rhel8stig_gui + tags: + - RHEL-08-020082 + - CAT2 + - CCI-000057 + - SRG-OS-000029-GPOS-00010 + - SV-244539r743866_rule + - V-244539 + - dconf + +- name: "MEDIUM | RHEL-08-010287 | PATCH | The RHEL 8 SSH daemon must be configured to use system-wide crypto policies." + lineinfile: + path: /etc/sysconfig/sshd + regexp: '^CRYPTO_POLICY=' + line: '# CRYPTO_POLICY=' + notify: change_requires_reboot + when: + - rhel_08_010287 + tags: + - RHEL-08-010287 + - CAT2 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 + - SV-244526r743827_rule + - V-244526 + - ssh + +- name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms." + "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections." + block: + - name: | + "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state" + "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Get current FIPS mode state" + command: fips-mode-setup --check + changed_when: false + failed_when: false + register: rhel_08_010290_pre_fips_check + + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. 
| Enable FIPS" + "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Enable FIPS" + command: fips-mode-setup --enable + register: rhel_08_010290_fips_enable + notify: change_requires_reboot + when: '"disabled" in rhel_08_010290_pre_fips_check.stdout' + + - name: | + "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" + "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers" + lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '^CRYPTO_POLICY=' + line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' + notify: change_requires_reboot + when: + - rhel_08_010290 or + rhel_08_010291 + tags: + - CAT2 + - RHEL-08-010290 + - RHEL-08-010291 + - CCI-001453 + - SRG-OS-000250-GPOS-00093 - SV-230251r743937_rule - SV-230252r743940_rule - V-230251 @@ -838,16 +1173,7 @@ - V-230272 - sudoers -# !!!!!New version does not have GUI packages included in fix text. I removed it for now but I might add it back later - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." - # block: - # - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install GUI related packages" - # package: - # name: esc - # state: present - # when: rhel8stig_gui - - # - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages" package: name: openssl-pkcs11 state: present 
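Review bot: The RHEL-08-020032 copy task writes `/etc/dconf/db/local.d/02-login-screen_rhel_08_020032` without `notify: dconf update`, whereas its siblings 020031, 020081 and 020082 all notify that handler, so the disable-user-list key is not compiled into the dconf database until some other task happens to trigger it; add `notify: dconf update` after `mode: '0644'`. In the 020025 and 020026 faillock blocks the regexps `'^auth required pam_faillock.so preauth'` and `'^account required pam_faillock.so'` only match single-space field separation; the stock system-auth/password-auth files align fields with runs of spaces, so an existing entry may go unmatched and a second line is inserted — `'^auth\s+required\s+pam_faillock\.so\s+preauth'` is the safer form. Those two files are usually regenerated by authselect on RHEL 8, so direct lineinfile edits can be lost on the next profile change; confirm that is acceptable for this role or note it in the task name.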
@@ -1203,6 +1529,22 @@ - V-230291 - ssh +- name: "MEDIUM | RHEL-08-010522 | PATCH | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements." + lineinfile: + path: /etc/ssh/sshd_config + regexp: '(?i)^#?GSSAPIAuthentication' + line: "GSSAPIAuthentication no" + when: + - rhel_08_010522 + tags: + - RHEL-08-010522 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244528r743833_rule + - V-244528 + - ssh + - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." debug: msg: "WARNING!!!! /tmp is not mounted on a separate partition" @@ -1224,6 +1566,30 @@ - mount - tmp +- name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." + block: + - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" + debug: + msg: "Warning! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" + register: var_tmp_mount_absent + changed_when: var_tmp_mount_absent.skipped is defined + when: "'/var/tmp' not in mount_names" + + - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Mount is present" + debug: + msg: "Congratulations: /var/tmp does exist." + when: "'/var/tmp' in mount_names" + when: + - rhel_08_010544 + tags: + - RHEL-08-010544 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244529r743836_rule + - V-244529 + - mounts + - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." lineinfile: path: /etc/ssh/sshd_config 
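Review bot: RHEL-08-010522 edits /etc/ssh/sshd_config without a handler, so `GSSAPIAuthentication no` takes effect only when something else restarts sshd; the RHEL-08-010201 task in this file pairs the same kind of edit with `notify: restart sshd`, and this one should too. It also lacks the `- rhel8stig_ssh_required` guard that 010201 carries, and lineinfile without `create` fails on a host where sshd_config is absent, so the task should be gated the same way.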
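Review bot: In the RHEL-08-010544 "Alert on missing mount" task, `changed_when: var_tmp_mount_absent.skipped is defined` can never hold: `skipped` is only set on a skipped task, and `changed_when` is not evaluated for skipped tasks, so the alert is always reported unchanged even when it fires. If the intent is to surface the alert as a change, `changed_when: true` on the debug task does that; otherwise drop both `register` and `changed_when`. The message also misspells "separate" as `sperate`.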
@@ -1321,6 +1687,29 @@ - mounts - boot +- name: "MEDIUM | RHEL-08-010572 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory." + mount: + path: /boot/efi + state: mounted + src: "{{ boot_efi_mount.device }}" + fstype: "{{ boot_efi_mount.fstype }}" + opts: "{{ boot_efi_mount.options }},nosuid" + when: + - rhel_08_010572 + - ansible_mounts | selectattr('mount', 'match', '^/boot/efi$') | list | length != 0 + - "'nosuid' not in boot_efi_mount.options" + vars: + boot_efi_mount: "{{ ansible_mounts | json_query('[?mount == `/boot/efi`] | [0]') }}" + tags: + - RHEL-08-010572 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244530r743839_rule + - V-244530 + - mounts + - efi + - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." block: - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" @@ -1805,7 +2194,6 @@ with_items: # Written as lineinfile replaces last found so reverse logic to keep order of servers - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search } - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' } - # - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }}|{{ rhel8stig_dns_servers.0 }})', line: '{{ rhel8stig_dns_servers.2 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' } when: - not rhel8_stig_use_resolv_template - rhel_08_010680_networkmanager_check.stdout == '0' 
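Review bot: The RHEL-08-010572 task's `json_query` filter needs the jmespath library on the controller, which none of the other new tasks require; unless the role already declares that dependency, a controller without it fails here with a filter error rather than a clear requirement message. The same element can be picked with core filters, e.g. `boot_efi_mount: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | first | default({}) }}"`. Note also that `opts: "{{ boot_efi_mount.options }},nosuid"` persists the options as currently mounted rather than as declared in fstab, so expanded defaults end up written into the fstab entry; confirm that is the intended persistent line.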
@@ -1984,16 +2372,52 @@ - V-230321 - permissions -- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." - file: - path: "{{ item.dir }}" - group: "{{ item.gid }}" - state: directory - with_items: "{{ rhel8stig_passwd }}" - loop_control: - label: "{{ rhel8stig_passwd_label }}" - when: - - rhel_08_010740 +- name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive." + block: + - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files" + shell: "find {{ item }} -perm -750 ! -perm 750" + changed_when: false + failed_when: false + register: rhel_08_010731_files + with_items: + - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + + - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Bring files into compliance" + file: + path: "{{ item }}" + mode: "{{ rhel8stig_local_int_home_file_perms }}" + with_items: + - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" + when: rhel8stig_disruption_high + + - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files" + debug: + msg: + - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750." 
+ - "Please review the files to bring into STIG compliance" + - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" + when: not rhel8stig_disruption_high + when: + - rhel_08_010731 + tags: + - RHEL-08-010731 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244531r743842_rule + - V-244531 + - permissions + +- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." + file: + path: "{{ item.dir }}" + group: "{{ item.gid }}" + state: directory + with_items: "{{ rhel8stig_passwd }}" + loop_control: + label: "{{ rhel8stig_passwd_label }}" + when: + - rhel_08_010740 - (item.uid >= rhel8stig_interactive_uid_start|int) tags: - skip_ansible_lint @@ -2005,6 +2429,25 @@ - V-230322 - permissions +- name: "MEDIUM | RHEL-08-010741 | PATCH | RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." + file: + path: "{{ item.dir }}" + group: "{{ item.gid }}" + state: directory + recurse: true + with_items: "{{ rhel8stig_passwd }}" + when: + - rhel_08_010741 + - (item.uid >= rhel8stig_interactive_uid_start|int) + tags: + - RHEL-08-010741 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244532r743845_rule + - V-244532 + - permissions + - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." file: path: "{{ item.dir }}" 
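Review bot: The RHEL-08-010731 audit task interpolates each home directory unquoted into `shell: "find {{ item }} -perm -750 ! -perm 750"`, so a path from /etc/passwd containing spaces or shell metacharacters breaks the command or is interpreted by the shell; use `{{ item | quote }}`, or since no shell feature is used, `command: find "{{ item }}" -perm -750 ! -perm 750`. The permission test is also narrower than the control: `-perm -750 ! -perm 750` reports only files that have every bit of 0750 set plus at least one more, so a file with mode 0705 or 0767 (world-readable but missing a group bit) is never listed; `find {{ item | quote }} -perm /027` reports exactly the files with any bit outside 0750. The alert text misspells "permissions" and "restrictive" (`permissiosn less restrictiv`).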
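Review bot: RHEL-08-010741 forces every file under each interactive user's home to the owner's primary group (`group: "{{ item.gid }}"` with `recurse: true`), which is stricter than the control's wording in the task name, which permits any group the owner belongs to, and silently re-groups files deliberately shared through a secondary group. Consider gating it on `rhel8stig_disruption_high` the way 010731 gates its fix step, or auditing first and only re-grouping files whose group is not one the owner is a member of. As with 010740 above it, `state: directory` on a home that does not exist creates it, here root-owned, which is a side effect worth a comment.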
@@ -2217,43 +2660,7 @@ - V-230332 - pamd -# !!!!!!Remove commented items. Leaveing incase they are referrenced later - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." - # block: - # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. 
| Set deny in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^deny =|^\# deny =' 
@@ -2314,43 +2721,7 @@ - V-230334 - pamd -# !!!!!!!!!!!Remve commented items. Leaving for reference if used later - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." - # block: - # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set fail_interval in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^fail_interval =|^\# fail_interval =' 
@@ -2411,43 +2782,7 @@ - V-230336 - pamd -# !!!!!!!!!! Remove commented items. Leaving in as referrence if used later - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - # block: - # - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020015 | PATCH |RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set unlock_time in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^unlock_time =|^\# unlock_time =' 
@@ -2508,43 +2843,7 @@ - V-230338 - pamd -# !!!!!!! Remove comments, leaving just as referrence if needed later - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist." - # block: - # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist. | Set dir in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^dir =|^\# dir =' 
@@ -2605,43 +2904,7 @@ - V-230340 - pamd -# !!!!! Remove comments, leaving in as referrence if needed later - name: "MEDIUM | RHEL-08-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." - # block: - # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. 
| Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020019 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set silent in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^silent|^\# silent' 
@@ -2702,43 +2965,7 @@ - V-230342 - pamd -# !!!!!! Remove comments, leaving in to referrence if needed later - name: "MEDIUM | RHEL-08-020021| PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." - # block: - # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. 
| Set audit in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^audit|^\# audit' 
@@ -2799,43 +3026,7 @@ - V-230344 - pamd -# !!!! - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - # block: - # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so preauth' - # line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^auth required pam_faillock.so authfail' - # line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - # insertafter: '^auth' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. 
| Set account faillock" - # lineinfile: - # path: "/etc/pam.d/{{ item }}" - # regexp: '^account required pam_faillock.so' - # line: 'account required pam_faillock.so' - # insertafter: '^account' - # notify: restart sssd - # with_items: - # - system-auth - # - password-auth - - # - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set audit in faillock.conf" lineinfile: path: "/etc/security/faillock.conf" regexp: '^even_deny_root|^\# even_deny_root' @@ -3053,7 +3244,7 @@ - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." block: - - name: ""MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Install tmux if needed" + - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Install tmux if needed" package: name: tmux state: present @@ -4307,6 +4498,22 @@ - dnf - auditd +- name: "MEDIUM | RHEL-08-030181 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." + service: + name: auditd + state: started + enabled: true + when: + - rhel_08_030181 + tags: + - RHEL-08-030181 + - CAT2 + - CCI-000169 + - SRG-OS-000062-GPOS-00031 + - SV-244542r743875_rule + - V-244542 + - auditd + - name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record." lineinfile: path: /etc/audit/rules.d/audit.rules 
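Review bot: The new RHEL-08-030181 task is gated on `- rhel_08_030181`, so the matching default (`rhel_08_030181: true`) must be declared in the role defaults; an undefined name in `when` aborts the play with a conditional-check error rather than skipping the task. The task also uses the `service:` module while the other service-enabling tasks this commit adds (RHEL-08-040101, RHEL-08-040136) use `systemd:`; picking one module for the new tasks keeps the file consistent. The surrounding hunk is otherwise unaffected.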
@@ -5574,6 +5781,22 @@ - V-230483 - auditd +- name: "MEDIUM | RHEL-08-030731 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization." + lineinfile: + path: /etc/audit/auditd.conf + regexp: '^space_left_action =' + line: 'space_left_action = EMAIL' + when: + - rhel_08_030731 + tags: + - RHEL-08-030731 + - CAT2 + - CCI-001855 + - SRG-OS-000343-GPOS-00134 + - SV-244543r743878_rule + - V-244543 + - auditd + - name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." lineinfile: path: /etc/chrony.conf 
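Review bot: The RHEL-08-030731 task changes /etc/audit/auditd.conf but has no `notify`, so `space_left_action = EMAIL` only takes effect the next time auditd is restarted; if the role has an auditd restart handler it should be notified here (`notify: restart auditd` or whatever the handler is named). The EMAIL action also depends on a recipient in `action_mail_acct` and a working local MTA, which I cannot confirm the role configures; without them the warning is silently lost, which defeats the control. A short comment above the task stating that dependency would help operators.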
@@ -5827,6 +6050,32 @@ - firewall - "{{ rhel8stig_firewall_service }}" +- name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8" + block: + - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Install firewalld if needed" + package: + name: firewalld + state: present + when: "'firewalld' not in ansible_facts.packages" + + - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Enable the service" + systemd: + name: firewalld + state: started + enabled: true + when: + - rhel_08_040101 + - rhel8stig_firewall_service == "firewalld" + tags: + - RHEL-08-040101 + - CAT2 + - CCI-002314 + - SRG-OS-000297-GPOS-00115 + - SV-244544r743881_rule + - V-244544 + - firewalld + - firewall + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems." block: - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone" 
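Review bot: The RHEL-08-040101 block is skipped entirely when `rhel8stig_firewall_service` is anything other than `"firewalld"`, so on hosts configured for another firewall service the "firewall must be active" control is silently unremediated; either extend the block to start `{{ rhel8stig_firewall_service }}` or add a comment noting the control is only applied for firewalld. The `when: "'firewalld' not in ansible_facts.packages"` on the install step is redundant with `state: present` (the package module is already idempotent) and can be dropped. Note the new task is placed ahead of RHEL-08-040090, so firewalld is started with its default zone before the deny-all zone is configured — likely acceptable, but worth a comment.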
@@ -6152,34 +6401,10 @@ - V-230522 - mounts -# !!!!! Remove comments, leaving for reference later - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be installed." package: name: fapolicyd state: present - # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy mounts" - # shell: mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf "%s\n", $3 }' >> /etc/fapolicyd/fapolicyd.mounts - # changed_when: false - # failed_when: false - - # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Start/enable fapolicy" - # service: - # name: fapolicyd - # state: started - # enabled: yes - - # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " - # lineinfile: - # path: /etc/fapolicyd/fapolicyd.rules - # line: "{{ item }}" - # with_items: - # - "{{ rhel8stig_fapolicy_white_list }}" - - # - name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" - # lineinfile: - # path: /etc/fapolicyd/fapolicyd.conf - # regexp: '^permissive =' - # line: 'permissive = 0' when: - rhel_08_040135 - "'fapolicyd' not in ansible_facts.packages" 
@@ -6192,6 +6417,47 @@ - V-230523 - fapolicyd +- name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled." + systemd: + name: fapolicyd + state: started + enabled: true + when: + - rhel_08_040136 + tags: + - RHEL-08-040136 + - CAT2 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-244545r743884_rule + - V-244545 + - fapolicy + +- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." + block: + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist " + lineinfile: + path: /etc/fapolicyd/fapolicyd.rules + line: "{{ item }}" + with_items: + - "{{ rhel8stig_fapolicy_white_list }}" + + - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" + lineinfile: + path: /etc/fapolicyd/fapolicyd.conf + regexp: '^permissive =' + line: 'permissive = 0' + when: + - rhel_08_040137 + tags: + - RHEL-08-040137 + - CAT2 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-244546r743887_rule + - V-244546 + - fapolicy + - name: | "MEDIUM | RHEL-08-040139 | PATCH | RHEL 8 must have the USBGuard installed." "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection." @@ -6209,8 +6475,8 @@ shell: usbguard generate-policy > /etc/usbguard/rules.conf when: - rhel_08_040140 - - "'usbguard' in ansible_facts.packages" or - rhel_08_040139 + - rhel_08_040139 or + "'usbguard' in ansible_facts.packages" - name: "MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard. | Start/Enable service" service: 
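Review bot: In the RHEL-08-040137 whitelist task, `lineinfile` appends each `rhel8stig_fapolicy_white_list` entry to the end of /etc/fapolicyd/fapolicyd.rules with no `regexp` or `insertbefore`; fapolicyd evaluates rules first-match and the stock rule set ends with a deny-all rule, so entries appended after it never take effect, and repeated runs are only idempotent because `lineinfile` deduplicates exact lines. Anchoring the allow entries before the final deny (for example `insertbefore: '^deny '`) keeps them live; on RHEL 8 minor releases that assemble the rules from /etc/fapolicyd/rules.d/ the monolithic file may also be regenerated, which should be verified for the targeted release. Neither this task nor the `permissive = 0` change notifies a fapolicyd restart, and RHEL-08-040136 starts the daemon immediately before, so the new policy is not loaded in the same run; notify the restart handler here if the role has one.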
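Review bot: The rewritten conditional in the USBGuard hunk, `- rhel_08_040139 or` followed by `"'usbguard' in ansible_facts.packages"`, folds into the Jinja expression `rhel_08_040139 or "'usbguard' in ansible_facts.packages"`, where the double-quoted part is a non-empty string literal and therefore always truthy; as far as I can tell the package-presence check is never evaluated and the task runs unconditionally. The same pattern appears in the RHEL-08-040141 hunk (@@ -6219) and the openssh-server hunk (@@ -6289). The intended expression is a single plain scalar without the inner double quotes, e.g. `- rhel_08_040139 or 'usbguard' in ansible_facts.packages`. The enclosing task starts outside this hunk.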
@@ -6219,8 +6485,8 @@ enabled: yes when: - rhel_08_040141 - - "'usbguard' in ansible_facts.packages" or - rhel_08_040139 + - rhel_08_040139 or + "'usbguard' in ansible_facts.packages" when: - rhel_08_040139 or rhel_08_040140 or @@ -6240,21 +6506,7 @@ - V-244548 - usbguard -# !!!!!!Remove comments. Leaving for future reference. - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces." - # block: - # - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Install nftables" - # package: - # name: nftables - # state: present - - # - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Start/Enable nftables" - # systemd: - # name: nftables - # state: started - # enabled: yes - - # - name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces. | Configure FirewallBackend" lineinfile: path: /etc/firewalld/firewalld.conf regexp: '^FirewallBackend=' @@ -6289,8 +6541,8 @@ state: started enabled: yes when: - - "'openssh-server' in ansible_facts.packages" or - rhel_08_040159 + - rhel_08_040159 or + "'openssh-server' in ansible_facts.packages" when: - rhel_08_040159 or rhel_08_040160 
@@ -6323,24 +6575,6 @@ - V-230527 - sshd -# !!!!!! Possibly remove, leaving for reference if needed -# - name: "MEDIUM | RHEL-08-040162 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections by the client." -# lineinfile: -# path: /etc/ssh/ssh_config -# regexp: '(?i)^#?RekeyLimit' -# line: 'RekeyLimit 1G 1h' -# notify: restart sshd -# when: -# - rhel_08_040162 -# tags: -# - RHEL-08-040162 -# - CAT2 -# - CCI-000068 -# - SRG-OS-000033-GPOS-00014 -# - SV-230528r627750_rule -# - V-230528 -# - sshd - - name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8." systemd: name: debug-shell.service 
@@ -6359,7 +6593,31 @@ - V-230532 - debug-shell -# !!!!!!!! Remove comments, leaving there for reference. +- name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted." + block: + - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects value 0 active" + sysctl: + name: net.ipv4.conf.default.accept_redirect + state: present + value: '0' + notify: change_requires_reboot + + - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects default value to 0 config" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.default.accept_redirect=' + line: 'net.ipv4.conf.default.accept_redirect=0' + when: + - rhel_08_040209 + tags: + - RHEL-08-040209 + - CAT2 + - CI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244550r743899_rule + - V-244550 + - ipv4 + - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted." block: - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects in sysctl" 
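Review bot: The RHEL-08-040209 task uses the sysctl key `net.ipv4.conf.default.accept_redirect`, but the kernel parameter is `accept_redirects` (plural, as the IPv6 sibling task in the same hunk uses), so the `sysctl` module will fail on a missing /proc/sys entry and the `lineinfile` step would persist a key the kernel ignores. Change all three occurrences: `name: net.ipv4.conf.default.accept_redirects`, `regexp: '^net.ipv4.conf.default.accept_redirects='`, `line: 'net.ipv4.conf.default.accept_redirects=0'`. The tag `- CI-000366` is also a typo for `- CCI-000366`, which breaks tag-based selection consistent with the other tasks.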
@@ -6368,18 +6626,12 @@ state: present value: '0' notify: change_requires_reboot - # with_items: - # - net.ipv4.conf.default.accept_redirects - # - net.ipv6.conf.default.accept_redirects - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accpet_redirects default value to 0" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv6.conf.default.accept_redirects=' line: 'net.ipv6.conf.default.accept_redirects=0' - # with_items: - # - { regexp: '^net.ipv4.conf.default.accept_redirects=', line: 'net.ipv4.conf.default.accept_redirects=0' } - # - { regexp: '^net.ipv6.conf.default.accept_redirects=', line: 'net.ipv6.conf.default.accept_redirects=0' } when: - rhel_08_040210 - rhel8stig_ipv6_required @@ -6442,7 +6694,31 @@ - V-230537 - icmp -# !!!!!!Remove Comments, leaving for later reference. +- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets." + block: + - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Set accept_source_route in sysctl" + sysctl: + name: net.ipv4.conf.all.accept_source_route + state: present + value: '0' + notify: change_requires_reboot + + - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Set accept_source_route default value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.all.accept_source_routes=' + line: 'net.ipv4.conf.all.accept_source_route=0' + when: + - rhel_08_040239 + tags: + - RHEL-08-040239 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244551r743902_rule + - V-244551 + - ip4 + - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets." block: - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Set conf.all accept_source_route in sysctl" 
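Review bot: In the RHEL-08-040239 task the `lineinfile` regexp `'^net.ipv4.conf.all.accept_source_routes='` (plural) does not match the `line` it writes, `net.ipv4.conf.all.accept_source_route=0`, so an existing `accept_source_route=1` entry in /etc/sysctl.conf is left in place and a new line is appended instead of replacing it. Change the regexp to `regexp: '^net.ipv4.conf.all.accept_source_route='`. The tag `- ip4` also differs from the `- ipv4` tag used by the neighbouring IPv4 tasks, so `--tags ipv4` would miss this one.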
@@ -6451,18 +6727,12 @@ state: present value: '0' notify: change_requires_reboot - # with_items: - # - net.ipv4.conf.all.accept_source_route - # - net.ipv6.conf.all.accept_source_route - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Set conf.all accept_source_route default value to 0" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv6.conf.all.accept_source_route' line: 'net.ipv6.conf.all.accept_source_route=0' - # with_items: - # - { regexp: '^net.ipv4.conf.all.accept_source_route', line: 'net.ipv4.conf.all.accept_source_route=0' } - # - { regexp: '^net.ipv6.conf.all.accept_source_route', line: 'net.ipv6.conf.all.accept_source_route=0' } when: - rhel_08_040240 - rhel8stig_ipv6_required @@ -6475,6 +6745,31 @@ - V-230538 - icmp +- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default." + block: + - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route in sysctl" + sysctl: + name: net.ipv4.conf.default.accept_source_route + state: present + value: '0' + notify: change_requires_reboot + + - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.default.accept_source_route=' + line: 'net.ipv4.conf.default.accept_source_route=0' + when: + - rhel_08_040249 + tags: + - RHEL-08-040249 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244552r743905_rule + - V-244552 + - ipv4 + - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default." block: - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Set conf.default accept_source_route in sysctl" 
@@ -6483,18 +6778,12 @@ state: present value: '0' notify: change_requires_reboot - # with_items: - # - net.ipv4.conf.default.accept_source_route - # - net.ipv6.conf.default.accept_source_route - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Set conf.default accept_source_route value to 0" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv6.conf.default.accept_source_route' line: 'net.ipv6.conf.default.accept_source_route=0' - # with_items: - # - { regexp: '^net.ipv4.conf.default.accept_source_route', line: 'net.ipv4.conf.default.accept_source_route=0' } - # - { regexp: '^net.ipv6.conf.default.accept_source_route', line: 'net.ipv6.conf.default.accept_source_route=0' } when: - rhel_08_040250 - rhel8stig_ipv6_required 
@@ -6627,7 +6916,30 @@ - V-230543 - icmp -# !!!!!!!! Remove comments, leaving for reference. +- name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages." + block: + - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Set accept_redirects in sysctl" + sysctl: + name: net.ipv4.conf.all.accept_redirects + state: present + value: '0' + + - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Set accept_redirects value to 0" + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.ipv4.conf.all.accept_redirects=' + line: 'net.ipv4.conf.all.accept_redirects=0' + when: + - rhel_08_040279 + tags: + - RHEL-08-040279 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244553r743908_rule + - V-244553 + - ipv4 + - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages." block: - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects in sysctl" @@ -6636,18 +6948,12 @@ state: present value: '0' notify: change_requires_reboot - # with_items: - # - net.ipv4.conf.all.accept_redirects - # - net.ipv6.conf.all.accept_redirects - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Set all.accept_redirects default value" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv6.conf.all.accept_redirects' line: 'net.ipv6.conf.all.accept_redirects=0' - # with_items: - # - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects=0' } - # - { regexp: '^net.ipv6.conf.all.accept_redirects', line: 'net.ipv6.conf.all.accept_redirects=0' } when: - rhel_08_040280 - rhel8stig_ipv6_required 
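Review bot: The RHEL-08-040279 sysctl step omits the `notify: change_requires_reboot` that every other new sysctl task in this commit carries (RHEL-08-040209, -040239, -040249); if the reboot flag is intentional for the siblings it should be here too, otherwise a comment explaining the difference would avoid the question. Adding `notify: change_requires_reboot` after `value: '0'` matches the established pattern.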
@@ -6751,6 +7057,22 @@ - V-230549 - sysctl +- name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler." + lineinfile: + path: /etc/sysctl.conf + regexp: '^net.core.bpf_jit_harden=' + line: 'net.core.bpf_jit_harden=2' + notify: sysctl system + when: + - rhel_08_040286 + tags: + - RHEL-08-040286 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-244554r743911_rule + - V-244554 + - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction" command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'" when: 
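Review bot: The RHEL-08-040286 task only edits /etc/sysctl.conf and relies on a handler named `sysctl system` to apply `net.core.bpf_jit_harden=2`, whereas the other sysctl controls this commit adds set the running value with the `sysctl` module; I cannot confirm the handler exists in the role, and if it does not the play fails at handler resolution. Using the `sysctl` module here (`sysctl:` with `name: net.core.bpf_jit_harden`, `value: '2'`, `state: present`) would apply and persist the setting consistently with the siblings. The task is also missing a component tag such as `- sysctl`, which the preceding task in the hunk carries.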
@@ -7071,671 +7393,3 @@ - SV-237643r646899_rule - V-237643 - sudo -# ----------------NEW------------ -- name: "MEDIUM | RHEL-08-010049 | PATCH | RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon" - lineinfile: - path: /etc/dconf/db/local.d/01-banner-message - regexp: 'banner-message-enabled=' - line: banner-message-enable=true - create: true - mode: '0644' - owner: root - group: root - insertafter: '[org/gnome/login-screen]' - notify: dconf update - when: - - rhel_08_010049 - tags: - - RHEL-08-010049 - - CAT2 - - CCI-000048 - - SRG-OS-000023-GPOS-00006 - - SV-244519r743806_rule - - V-244519 - - banner - -- name: "MEDIUM | RHEL-08-010131 | PATCH | The RHEL 8 system-auth file must be configured to use a sufficient number of hashing rounds." - pamd: - name: system-auth - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: "rounds={{ rhel8stig_hashing_rounds }}" - state: args_present - when: - - rhel_08_010131 - tags: - - RHEL-08-010131 - - CAT2 - - CCI-000196 - - SRG-OS-000073-GPOS-00041 - - SV-244520r743809_rule - - V-244520 - - pamd - -- name: | - "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." - "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." 
- lineinfile: - dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - notify: confirm grub2 user cfg - with_items: - - { regexp: '^set superusers', line: 'set superusers="{{ rhel8stig_boot_superuser }}"', insertafter: '### BEGIN /etc/grub.d/01_users ###' } - - { regexp: '^export superusers', line: 'export superusers', insertafter: '^set superusers' } - - { regexp: '^password_pbkdf2', line: 'password_pbkdf2 {{ rhel8stig_boot_superuser }} ${GRUB2_PASSWORD}', insertafter: '^export superusers' } - when: - - rhel_08_010141 or - rhel_08_010141 - tags: - - RHEL-08-010141 - - RHEL-08-010149 - - CAT2 - - CCI-000213 - - SRG-OS-000080-GPOS-00048 - - SV-244521r743812_rule - - SV-244522r743815_rule - - V-244521 - - V-244522 - -- name: "MEDIUM | RHEL-08-010152 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency mode." - lineinfile: - path: /usr/lib/systemd/system/emergency.service - regexp: '^ExecStart=' - line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - create: yes - owner: root - group: root - mode: 0644 - when: - - rhel_08_010152 - tags: - - RHEL-08-010152 - - CAT2 - - CCI-000213 - - SRG-OS-000080-GPOS-00048 - - SV-244523r743818_rule - - V-244523 - - systemd - -- name: "MEDIUM | RHEL-08-010159 | PATCH | The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." 
- pamd: - name: system-auth - type: password - control: sufficient - module_path: pam_unix.so - module_arguments: sha512 - state: args_present - when: - - rhel_08_010159 - tags: - - RHEL-08-010159 - - CAT2 - - CCI-000803 - - SRG-OS-000120-GPOS-00061 - - SV-244524r743821_rule - - V-244524 - - pamd - -- name: "MEDIUM | RHEL-08-010201 | PATCH | The RHEL 8 SSH daemon must be configured with a timeout interval" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?ClientAliveInterval.*' - line: ClientAliveCountMax 0 - notify: restart sshd - when: - - rhel_08_010201 - - rhel8stig_ssh_required - tags: - - RHEL-08-010201 - - CAT2 - - CCI-001133 - - SRG-OS-000163-GPOS-00072 - - SV-244525r743824_rule - - V-244525 - - ssh - -- name: "MEDIUM | RHEL-08-010287 | PATCH | The RHEL 8 SSH daemon must be configured to use system-wide crypto policies." - lineinfile: - path: /etc/sysconfig/sshd - regexp: '^CRYPTO_POLICY=' - line: '# CRYPTO_POLICY=' - notify: change_requires_reboot - when: - - rhel_08_010287 - tags: - - RHEL-08-010287 - - CAT2 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 - - SV-244526r743827_rule - - V-244526 - - ssh - -- name: "MEDIUM | RHEL-08-010522 | PATCH | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements." - lineinfile: - path: /etc/ssh/sshd_config - regexp: '(?i)^#?GSSAPIAuthentication' - line: "GSSAPIAuthentication no" - when: - - rhel_08_010522 - tags: - - RHEL-08-010522 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244528r743833_rule - - V-244528 - - ssh - -- name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." - block: - - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" - debug: - msg: "Warning! /var/tmp does not exist, /var/tmp needs to use a sperate file system. 
This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is defined - when: "'/var/tmp' not in mount_names" - - - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Mount is present" - debug: - msg: "Congratulations: /var/tmp does exist." - when: "'/var/tmp' in mount_names" - when: - - rhel_08_010544 - tags: - - RHEL-08-010544 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244529r743836_rule - - V-244529 - - mounts - -- name: "MEDIUM | RHEL-08-010572 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory." - mount: - path: /boot/efi - state: mounted - src: "{{ boot_efi_mount.device }}" - fstype: "{{ boot_efi_mount.fstype }}" - opts: "{{ boot_efi_mount.options }},nosuid" - when: - - rhel_08_010572 - - ansible_mounts | selectattr('mount', 'match', '^/boot/efi$') | list | length != 0 - - "'nosuid' not in boot_efi_mount.options" - vars: - boot_efi_mount: "{{ ansible_mounts | json_query('[?mount == `/boot/efi`] | [0]') }}" - tags: - - RHEL-08-010572 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244530r743839_rule - - V-244530 - - mounts - - efi - -- name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive." - block: - - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files" - shell: "find {{ item }} -perm -750 ! -perm 750" - changed_when: false - failed_when: false - register: rhel_08_010731_files - with_items: - - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - - - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. 
| Bring files into compliance" - file: - path: "{{ item }}" - mode: "{{ rhel8stig_local_int_home_file_perms }}" - with_items: - - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }}" - when: rhel8stig_disruption_high - - - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files" - debug: - msg: - - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750." - - "Please review the files to bring into STIG compliance" - - "{{ rhel_08_010731_files.results | map(attribute='stdout_lines') | flatten }} - when: not rhel8stig_disruption_high - when: - - rhel_08_010572 - tags: - - RHEL-08-010731 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244531r743842_rule - - V-244531 - - permissions - -- name: "MEDIUM | RHEL-08-010741 | PATCH | RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." - file: - path: "{{ item.dir }}" - group: "{{ item.gid }}" - state: directory - recurse: true - with_items: "{{ rhel8stig_passwd }}" - when: - - rhel_08_010572 - - (item.uid >= rhel8stig_interactive_uid_start|int) - tags: - - RHEL-08-010741 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244532r743845_rule - - V-244532 - - permissions - -- name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file." - block: - - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. 
| Set preauth" - lineinfile: - path: /etc/pam.d/system-auth - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - - - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail" - lineinfile: - path: /etc/pam.d/system-auth - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - - - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set account faillock" - lineinfile: - path: /etc/pam.d/system-auth - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - when: - - rhel_08_020025 - tags: - - RHEL-08-020025 - - CAT2 - - CCI-000044 - - SRG-OS-000021-GPOS-00005 - - SV-244533r743848_rule - - V-244533 - - pamd - -- name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file." - block: - - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. 
| Set preauth" - lineinfile: - path: /etc/pam.d/password-auth - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" - insertafter: '^auth' - notify: restart sssd - - - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set authfail" - lineinfile: - path: /etc/pam.d/password-auth - regexp: '^auth required pam_faillock.so authfail' - line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' - insertafter: '^auth' - notify: restart sssd - - - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set account faillock" - lineinfile: - path: /etc/pam.d/password-auth - regexp: '^account required pam_faillock.so' - line: 'account required pam_faillock.so' - insertafter: '^account' - notify: restart sssd - when: - - rhel_08_020026 - tags: - - RHEL-08-020026 - - CAT2 - - CCI-000044 - - SRG-OS-000021-GPOS-00005 - - SV-244534r743851_rule - - V-244534 - - pamd - -- name: "MEDIUM | RHEL-08-020031 | PATCH | RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated." 
- copy: - dest: /etc/dconf/db/local.d/00-screensaver_rhel_08_020031 - content: | - [org/gnome/desktop/screensaver] - lock-delay=uint32 5 - mode: '0644' - notify: dconf update - when: - - rhel_08_020026 - - rhel8stig_always_configure_dconf - - rhel8stig_gui - tags: - - RHEL-08-020031 - - CAT2 - - CCI-000057 - - SRG-OS-000029-GPOS-00010 - - SV-244535r743854_rule - - V-244535 - - dconf - -- name: "MEDIUM | RHEL-08-020032 | PATCH | RHEL 8 must disable the user list at logon for graphical user interfaces." - copy: - dest: /etc/dconf/db/local.d/02-login-screen_rhel_08_020032 - content: | - [org/gnome/login-screen] - disable-user-list=true - when: - - rhel_08_020032 - - rhel8stig_always_configure_dconf - - rhel8stig_gui - tags: - - RHEL-08-020032 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244536r743857_rule - - V-244536 - - dconf - -- name: "MEDIUM | RHEL-08-020039 | PATCH | RHEL 8 must have the tmux package installed." - package: - name: tmux - state: present - when: - - rhel_08_020032 - - "'tmux' not in ansible_facts.packages" - tags: - - RHEL-08-020039 - - CAT2 - - CCI-000056 - - SRG-OS-000028-GPOS-00009 - - SV-244537r743860_rule - - V-244537 - - tmux - -- name: "MEDIUM | RHEL-08-020081 | PATCH | RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface." - copy: - dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081 - content: | - /org/gnome/desktop/session/idle-delay - mode: '0644' - notify: dconf update - when: - - rhel_08_020081 - - rhel8stig_always_configure_dconf - - rhel8stig_gui - tags: - - RHEL-08-020081 - - CAT2 - - CCI-000057 - - SRG-OS-000029-GPOS-00010 - - SV-244538r743863_rule - - V-244538 - -- name: "MEDIUM | RHEL-08-020082 | PATCH | RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." 
- copy: - dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082 - content: | - /org/gnome/desktop/screensaver/lock-enabled - mode: '0644' - notify: dconf update - when: - when: - - rhel_08_020082 - - rhel8stig_always_configure_dconf - - rhel8stig_gui - tags: - - RHEL-08-020082 - - CAT2 - - CCI-000057 - - SRG-OS-000029-GPOS-00010 - - SV-244539r743866_rule - - V-244539 - - dconf - -- name: "MEDIUM | RHEL-08-030181 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events." - service: - name: auditd - state: started - enabled: true - when: - - rhel_08_030181 - tags: - - RHEL-08-030181 - - CAT2 - - CCI-000169 - - SRG-OS-000062-GPOS-00031 - - SV-244542r743875_rule - - V-244542 - - auditd - -- name: "MEDIUM | RHEL-08-030731 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization." 
- lineinfile: - path: /etc/audit/auditd.conf - regexp: '^space_left_action =' - line: 'space_left_action = EMAIL' - when: - - rhel_08_030731 - tags: - - RHEL-08-030731 - - CAT2 - - CCI-001855 - - SRG-OS-000343-GPOS-00134 - - SV-244543r743878_rule - - V-244543 - - auditd - -- name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8" - block: - - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Install firewalld if needed" - package: - name: firewalld - state: present - when: "'firewalld' not in ansible_facts.packages" - - - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Enable the service" - systemd: - name: firewalld - state: started - enabled: true - when: - - rhel_08_040101 - - rhel8stig_firewall_service == "firewalld" - tags: - - RHEL-08-040101 - - CAT2 - - CCI-002314 - - SRG-OS-000297-GPOS-00115 - - SV-244544r743881_rule - - V-244544 - - firewalld - - firewall - -- name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled." - systemd: - name: fapolicyd - state: started - enabled: true - when: - - rhel_08_040136 - tags: - - RHEL-08-040136 - - CAT2 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-244545r743884_rule - - V-244545 - - fapolicy - -- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." - block: - - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
| Set fapolicy whitelist " - lineinfile: - path: /etc/fapolicyd/fapolicyd.rules - line: "{{ item }}" - with_items: - - "{{ rhel8stig_fapolicy_white_list }}" - - - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0" - lineinfile: - path: /etc/fapolicyd/fapolicyd.conf - regexp: '^permissive =' - line: 'permissive = 0' - when: - - rhel_08_040137 - tags: - - RHEL-08-040137 - - CAT2 - - CCI-001764 - - SRG-OS-000368-GPOS-00154 - - SV-244546r743887_rule - - V-244546 - - fapolicy - -- name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted." - block: - - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects value 0 active" - sysctl: - name: net.ipv4.conf.default.accept_redirect - state: present - value: '0' - notify: change_requires_reboot - - - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Set accept_redirects default value to 0 config" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.default.accept_redirect=' - line: 'net.ipv4.conf.default.accept_redirect=0' - when: - - rhel_08_040209 - - CAT2 - - CI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244550r743899_rule - - V-244550 - - ipv4 - -- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets." - block: - - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. 
| Set accept_source_route in sysctl" - sysctl: - name: net.ipv4.conf.all.accept_source_route - state: present - value: '0' - notify: change_requires_reboot - - - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Set accept_source_route default value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.all.accept_source_routes=' - line: 'net.ipv4.conf.all.accept_source_route=0' - when: - - rhel_08_040239 - tags: - - RHEL-08-040239 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244551r743902_rule - - V-244551 - - ip4 - -- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default." - block: - - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route in sysctl" - sysctl: - name: net.ipv4.conf.default.accept_source_route - state: present - value: '0' - notify: change_requires_reboot - - - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Set accept_source_route value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.default.accept_source_route=' - line: 'net.ipv4.conf.default.accept_source_route=0' - when: - - rhel_08_040249 - tags: - - RHEL-08-040249 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244552r743905_rule - - V-244552 - - ipv4 - -- name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages." - block: - - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Set accept_redirects in sysctl" - sysctl: - name: net.ipv4.conf.all.accept_redirects - state: present - value: '0' - - - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. 
| Set accept_redirects value to 0" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv4.conf.all.accept_redirects=' - line: 'net.ipv4.conf.all.accept_redirects=0' - when: - - rhel_08_040279 - tags: - - RHEL-08-040279 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244553r743908_rule - - V-244553 - - ipv4 - -- name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler." - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.core.bpf_jit_harden=' - line: 'net.core.bpf_jit_harden=2' - notify: sysctl system - when: - - rhel_08_040286 - tags: - - RHEL-08-040286 - - CAT2 - - CCI-000366 - - SRG-OS-000480-GPOS-00227 - - SV-244554r743911_rule - - V-244554 - -- name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool." - block: - - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee" - debug: - msg: - - "ALERT! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" - - "McAfee is the suggested by STIG" - when: - - "'mcafeetp' not in ansible_facts.packages or - "'mfetpd' not in ansible_facts.packages - - - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present" - debug: - msg: "Congratulations! You have McAfee installed" - when: - - "'mcafeetp' in ansible_facts.packages or - "'mfetpd' in ansible_facts.packages - when: - - rhel_08_040286 - - rhel8stig_av_sftw == 'mcafee' - tags: - - RHEL-08-010001 - - CAT2 - - CCI-001233 - - SRG-OS-000191-GPOS-00080 - - SV-245540r754730_rule - - V-245540 \ No newline at end of file diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 2c4a8e67..ed53bb28 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
@@ -129,7 +129,7 @@ "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service. LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" block: - - name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service + - name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" package: name: rng-tools state: present diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c907f621..68819373 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -448,7 +448,7 @@ shell: "semanage fcontext -m -t faillog_t -s system_u {{ rhel8stig_pam_faillock.dir }}" register: modify_secontext when: faillock_secontext.stdout != '1' - + - name: "PRELIM | RHEL-08-020017 | Set {{ rhel8stig_pam_faillock.dir }} selinux context" shell: "restorecon -irv {{ rhel8stig_pam_faillock.dir }}" when: modify_secontext.changed diff --git a/testing.yml b/testing.yml deleted file mode 100644 index f3207c8b..00000000 --- a/testing.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- hosts: all - become: true - vars: - is_container: false - - roles: - - role: "{{ playbook_dir }}" - rhel8cis_system_is_container: "{{ is_container | default(false) }}" - rhel8cis_skip_for_travis: false - rhel8cis_oscap_scan: yes