Merge pull request #33 from ansible-lockdown/updates_and_fixes

Updates and fixes

README.md

@@ -57,6 +57,12 @@ Role Variables
 | `rhel8stig_password_complexity.maxrepeat` | `3` | Maximum number of allowed same consecutive characters in a new password. |
 | `rhel8stig_password_complexity.maxclassrepeat` | `4` | Maximum number of allowed same consecutive characters in the same **class** in the new password. |
 | `rhel8stig_password_complexity.minlen` | `15` | Minimum number of characters in a new password. |
+| `rhel8stig_sssd_conf` | [see defaults/main.yml](./defaults/main.yml)  | Default location for sssd.conf |
+| `rhel8stig_sssd_domain` | testing.test | Domain to be used in sssd |
+| `rhel8stig_sssd.certmap` | certmap/{{ rhel8stig_sssd_domain }}/rule_name | certmap rule for sssd |
+| `rhel8stig_sssd.matchrule` | =.*EDIPI@mil | match rule in relationship to domain e.g. CN etc |
+| `rhel8stig_sssd.maprule` | (userCertificate;binary={cert!bin}) | map cert auth requirements into sssd rule |
+| `rhel8stig_sssd.domains` | testing.test | comma seperated list of domains using sssd |
 | `rhel8stig_shell_session_timeout` | `file: /etc/profile` `timeout: 600` | Dictionary of session timeout setting and file (TMOUT setting can be set in multiple files) |
 | `rhel8stig_interactive_uid_start` | `1000` | Interactive user start point (UID_MIN) from /etc/login.defs |
 | `rhel8stig_ntp_server_name: server.name` | `server.name` | The NTP Server Name |

defaults/main.yml

@@ -518,6 +518,15 @@ rhel8stig_password_complexity:
     minlen: 15
     dictcheck: 1
 
+# rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290
+rhel8stig_sssd_conf: /etc/sssd/sssd.conf
+rhel8stig_sssd_domain: testing.test
+rhel8stig_sssd:
+    certmap: "certmap/{{ rhel8stig_sssd_domain }}/rule_name"
+    matchrule: "=.*EDIPI@mil"
+    maprule: (userCertificate;binary={cert!bin})
+    domains: "{{ rhel8stig_sssd_domain }}"
+
 # RHEL-08-020070
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. (60 seconds * 10 = 600)

handlers/main.yml

@@ -17,7 +17,7 @@
       name: sssd
       state: restarted
   when:
-      - rhel8stig_sssd_conf.stdout | length > 0
+      - "'sssd' in ansible_facts.packages" 
 
 - name: restart snmpd
   service:
@@ -112,7 +112,10 @@
 
 - name: dconf update
   command: dconf update
-  when: rhel8stig_has_dconf_command
+  when: 
+  - "'dconf' in ansible_facts.packages"
+  - rhel8stig_always_configure_dconf
+
 
 - name: prereport score
   debug:

tasks/fix-cat1.yml

@@ -263,7 +263,7 @@
       - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok"
         replace:
             path: "{{ item }}"
-            regexp: 'nullok '
+            regexp: ' nullok'
             replace: ''
         with_items:
             - /etc/pam.d/system-auth

tasks/fix-cat2.yml

@@ -76,7 +76,9 @@
   notify: dconf update
   when:
       - rhel_08_010050
-      - rhel8stig_dconf_available
+      - "'dconf' in ansible_facts.packages"
+      - rhel8stig_always_configure_dconf
+
   tags:
       - RHEL-08-010050
 
@@ -437,8 +439,9 @@
 - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package"
   lineinfile:
       path: /etc/crypto-policies/back-ends/gnutls.config
-      regexp: '^\+VERS-ALL:'
-      line: "+VERS-ALL:{{ rhel8stig_gnutls_encryption }}"
+      regexp: '^(.*\+VERS-ALL:)'
+      line: '\1{{ rhel8stig_gnutls_encryption }}'
+      backrefs: true
       create: yes
       owner: root
       group: root
@@ -680,7 +683,7 @@
 
 - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication."
   lineinfile:
-      path: '{{ rhel8stig_sssd_conf.stdout }}'
+      path: '{{ rhel8stig_sssd_conf }}'
       regexp: '^certificate_verification = {{ item }}'
       state: absent
   with_items:
@@ -689,7 +692,8 @@
       - no_verification
   notify: restart sssd
   when:
-      - rhel8stig_sssd_conf.stdout | length > 0
+      - "'sssd' in ansible_facts.packages" 
+      - rhel8stig_sssd_conf_present.stat.exists
       - rhel_08_010400
   tags:
       - RHEL-08-010400
@@ -1890,7 +1894,7 @@
         lineinfile:
             path: "/etc/security/faillock.conf"
             regexp: '^fail_interval =|^\# fail_interval ='
-            line: "fail_interval = {{ rhel8stig_pam_faillock.interval }} }}"
+            line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}"
         with_items:
             - system-auth
             - password-auth
@@ -2377,7 +2381,9 @@
         notify: dconf update
   when:
       - rhel_08_020030
-      - rhel8stig_dconf_available
+      - "'dconf' in ansible_facts.packages"
+      - rhel8stig_always_configure_dconf
+
   tags:
       - RHEL-08-020030
       - gui
@@ -2512,7 +2518,9 @@
         when: rhel_08_020060_idle_delay_param.stdout | length > 0
   when:
       - rhel_08_020060
-      - rhel8stig_dconf_available
+      - "'dconf' in ansible_facts.packages"
+      - rhel8stig_always_configure_dconf
+
   tags:
       - RHEL-08-020060
       - gui
@@ -2550,26 +2558,28 @@
       - /org/gnome/desktop/lockdown/disable-lock-screen
   when:
       - rhel_08_020080
-      # - rhel8stig_dconf_available
+      - "'dconf' in ansible_facts.packages"
+      - rhel8stig_always_configure_dconf
   tags:
       - RHEL-08-020080
 
 - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
   lineinfile:
-      path: "{{ rhel8stig_sssd_conf.stdout }}"
+      path: "{{ rhel8stig_sssd_conf }}"
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
       owner: root
       group: root
       mode: 0640
   with_items:
-      - { regexp: '^\[certmap/testing.test/rule_name]', line: '[certmap/testing.test/rule_name]' }
-      - { regexp: '^matchrule =', line: 'matchrule =<SAN>.*EDIPI@mil' }
-      - { regexp: '^maprule =', line: 'maprule = (userCertificate;binary={cert!bin})' }
-      - { regexp: 'dmains =', line: 'dmains = testing.test' }
+      - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
+      - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
+      - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' }
+      - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' }
   notify: restart sssd
   when:
-      - rhel8stig_sssd_conf.stdout | length > 0
+      - "'sssd' in ansible_facts.packages" 
+      - rhel8stig_sssd_conf_present.stat.exists
       - rhel_08_020090
   tags:
       - RHEL-08-020090
@@ -2878,13 +2888,13 @@
 
       - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf"
         lineinfile:
-            path: "{{ rhel8stig_sssd_conf.stdout }}"
+            path: "{{ rhel8stig_sssd_conf }}"
             regexp: "{{ item.regexp }}"
             line: "{{ item.line }}"
             insertafter: "{{ item.insertafter }}"
             owner: root
             group: root
-            mode: 0644
+            mode: 0640
         notify: restart sssd
         with_items:
             - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
@@ -2936,7 +2946,8 @@
         notify: restart sssd
         when: rhel_08_020250_system_auth_sss.stdout | length > 0
   when:
-      - rhel8stig_sssd_conf.stdout | length > 0
+      - "'sssd' in ansible_facts.packages" 
+      - rhel8stig_sssd_conf_present.stat.exists
       - rhel_08_020250
   tags:
       - RHEL-08-020250
@@ -2985,18 +2996,19 @@
 
 - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day."
   lineinfile:
-      path: "{{ rhel8stig_sssd_conf.stdout }}"
+      path: "{{ rhel8stig_sssd_conf }}"
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
       insertafter: "{{ item.insertafter }}"
       owner: root
       group: root
-      mode: 0644
+      mode: 0640
   with_items:
       - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
       - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
   when:
-      - rhel8stig_sssd_conf.stdout | length > 0
+      - "'sssd' in ansible_facts.packages" 
+      - rhel8stig_sssd_conf_present.stat.exists
       - rhel_08_020290
   tags:
       - RHEL-08-020290
@@ -5369,11 +5381,11 @@
   tags:
       - RHEL-08-040330
 
-- name: "MEDIUM | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8."
+- name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements."
   lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '(?i)^#?X11Forwarding'
-      line: 'X11Forwarding yes'
+      line: 'X11Forwarding no'
       create: yes
       owner: root
       group: root

tasks/main.yml

@@ -34,6 +34,12 @@
   tags:
       - always
 
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - always
+
 # - name: Install OpenSCAP and run a report
 #   import_tasks: audit_oscap_scan_before.yml
 #   when: rhel8stig_oscap_scan

tasks/prelim.yml

@@ -1,20 +1,11 @@
 ---
 - name: "PRELIM | dconf"
   block:
-      - name: "PRELIM | Check for dconf availability"
-        command: rpm -q dconf
-        args:
-            warn: no
-        changed_when: no
-        check_mode: no
-        failed_when: rhel8stig_dconf_audit.rc >= 2
-        register: rhel8stig_dconf_audit
-
       - name: "PRELIM | Install dconf"
         dnf:
             name: dconf
         when:
-            - rhel8stig_dconf_audit.rc == 1
+            - "'dconf' not in ansible_facts.packages"
             - rhel8stig_gui
 
       - name: dconf directory structure
@@ -58,6 +49,7 @@
   dnf:
       name: grub2-tools
   when:
+      - "'grub2-tools' not in ansible_facts.packages"
       - rhel_08_010020 or
         rhel_08_010140 or
         rhel_08_010150
@@ -110,6 +102,7 @@
   dnf:
       name: cronie
   when:
+      - "'cronie' not in ansible_facts.packages"
       - rhel_08_010360
   tags:
       - cat2
@@ -233,6 +226,7 @@
         changed_when: not rhel8stig_aide_db_status.stat.exists
         notify: "{{ rhel8stig_aide_handler }}"
   when:
+      - "'aide' not in ansible_facts.packages"
       - rhel_08_010360 or
         rhel_08_010380 or
         rhel_08_040310
@@ -247,11 +241,10 @@
 
 - name: "PRELIM | RHEL-08-010170 | RHEL-08-010450 | Install SELinux related dependencies"
   dnf:
-      name:
-          - libselinux-utils
-          # - policycoreutils-python-utils
-          # - selinux-policy-targeted
+      name: libselinux-utils
+      state: present
   when:
+      - "'libselinux-utils' not in ansible_facts.packages"
       - rhel_08_010170 or
         rhel_08_010450
 
@@ -260,6 +253,9 @@
       - name: "PRELIM | Install SSH"
         dnf:
             name: openssh-server
+            state: present
+        when:
+           - "'openssh-server' not in ansible_facts.packages"
 
       - name: PRELIM | Start SSH
         service:
@@ -309,27 +305,33 @@
       - RHEL-08-010770
       - complexity-high
 
-- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location"
+- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location"
   block:
       - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location"
-        shell: find / -name sssd.conf
-        args:
-            warn: no
-        changed_when: false
-        failed_when: false
-        register: rhel8stig_sssd_conf
+        stat: 
+            path: "{{ rhel8stig_sssd_conf }}"
+        register: rhel8stig_sssd_conf_present
         when:
+            - "'sssd' in ansible_facts.packages"
             - rhel_08_010400 or
               rhel_08_020090 or
               rhel_08_020250 or
               rhel_08_020290
 
+      - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | sssd install status | Warning if not found"
+        debug:
+            msg: "Warning!! The package sssd is found not be be installed, some items will skip"
+        changed_when: true
+        when:
+            -  "'sssd' not in ansible_facts.packages"
+
       - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found"
         debug:
-            msg: "Warning!! sssd config file has not been found, some items will skip"
+            msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip"
         changed_when: true
         when:
-            - rhel8stig_sssd_conf.stdout | length == 0
+            - "'sssd' in ansible_facts.packages"
+            -  not rhel8stig_sssd_conf_present.stat.exists
 
 - name: "PRELIM | Gather interactive user ID min"
   block:
@@ -361,3 +363,9 @@
         rhel_08_040283 or
         rhel_08_040284 or
         rhel_08_040285
+
+- name: Gather the package facts
+  package_facts:
+    manager: auto
+  tags:
+  - always