diff --git a/README.md b/README.md
index feddcc62..4286e932 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,12 @@ Role Variables
 | `rhel8stig_password_complexity.maxrepeat` | `3` | Maximum number of allowed same consecutive characters in a new password. |
 | `rhel8stig_password_complexity.maxclassrepeat` | `4` | Maximum number of allowed same consecutive characters in the same **class** in the new password. |
 | `rhel8stig_password_complexity.minlen` | `15` | Minimum number of characters in a new password. |
+| `rhel8stig_sssd_conf` | [see defaults/main.yml](./defaults/main.yml) | Default location for sssd.conf |
+| `rhel8stig_sssd_domain` | testing.test | Domain to be used in sssd |
+| `rhel8stig_sssd.certmap` | certmap/{{ rhel8stig_sssd_domain }}/rule_name | certmap rule for sssd |
+| `rhel8stig_sssd.matchrule` | =.*EDIPI@mil | match rule in relationship to domain e.g. CN etc |
+| `rhel8stig_sssd.maprule` | (userCertificate;binary={cert!bin}) | map cert auth requirements into sssd rule |
+| `rhel8stig_sssd.domains` | testing.test | comma seperated list of domains using sssd |
 | `rhel8stig_shell_session_timeout` | `file: /etc/profile` `timeout: 600` | Dictionary of session timeout setting and file (TMOUT setting can be set in multiple files) |
 | `rhel8stig_interactive_uid_start` | `1000` | Interactive user start point (UID_MIN) from /etc/login.defs |
 | `rhel8stig_ntp_server_name: server.name` | `server.name` | The NTP Server Name |
diff --git a/defaults/main.yml b/defaults/main.yml
index 13816818..98ab2b5a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -518,6 +518,15 @@ rhel8stig_password_complexity: minlen: 15 dictcheck: 1 +# rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290 +rhel8stig_sssd_conf: /etc/sssd/sssd.conf +rhel8stig_sssd_domain: testing.test +rhel8stig_sssd: + certmap: "certmap/{{ rhel8stig_sssd_domain }}/rule_name" + matchrule: "=.*EDIPI@mil" + maprule: (userCertificate;binary={cert!bin}) + domains: "{{ rhel8stig_sssd_domain }}" + # RHEL-08-020070 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) diff --git a/handlers/main.yml b/handlers/main.yml index 29e79fbb..d6f21c68 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -17,7 +17,7 @@ name: sssd state: restarted when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" - name: restart snmpd service: @@ -112,7 +112,10 @@ - name: dconf update command: dconf update - when: rhel8stig_has_dconf_command + when: + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + - name: prereport score debug: diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a1d0352a..afd65723 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -263,7 +263,7 @@ - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok" replace: path: "{{ item }}" - regexp: 'nullok ' + regexp: ' nullok' replace: '' with_items: - /etc/pam.d/system-auth diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ef9dcaaa..59595d09 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -76,7 +76,9 @@ notify: dconf update when: - rhel_08_010050 - - rhel8stig_dconf_available + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + tags: - RHEL-08-010050 
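Review bot: The new `rhel8stig_sssd_domain`, `rhel8stig_sssd.matchrule` and `rhel8stig_sssd.maprule` defaults are placeholder PKI values, and nothing in the hunk marks them as such, so a consumer who leaves them untouched gets a `[certmap/testing.test/rule_name]` rule written into a production sssd.conf. A comment above `rhel8stig_sssd_conf` such as `# Placeholder PKI values: override rhel8stig_sssd_domain and the rhel8stig_sssd.* rules for your environment` makes the intent explicit; an `assert` in the prelim tasks that the domain is not `testing.test` is the stricter option. Separately, `maprule: (userCertificate;binary={cert!bin})` is the only unquoted scalar of the four; quoting it like its siblings keeps the block consistent and protects it if the value is later edited to start with a YAML indicator.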
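Review bot: `rhel8stig_always_configure_dconf` is referenced in the new `when` of the `dconf update` handler but is not defined in the defaults/main.yml hunk of this diff, so unless it is declared in a part of defaults/main.yml (and documented in README.md) outside this view, the handler fails with an undefined-variable error the first time a dconf task notifies it. The same new condition appears in the tasks/fix-cat2.yml hunks at -76, -2377, -2512 and -2550. Either add `rhel8stig_always_configure_dconf: false` (or the intended default) to defaults/main.yml with a README row, or guard each use with `rhel8stig_always_configure_dconf | default(false)`.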
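Review bot: The new `regexp: ' nullok'` has no trailing boundary, so it also strips the leading part of any longer option that begins with ` nullok` (a `nullok_secure` token, for example, would be left as `_secure`). `regexp: '\snullok\b'` keeps the new leading-whitespace behaviour and stops at the word boundary. RHEL 8's pam_unix does not document such an option, so this is defensive rather than a reproduced failure, but the cost is nil and the files edited here are the PAM stack for every login. The task's `with_items` list continues past the hunk.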
@@ -437,8 +439,9 @@ - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" lineinfile: path: /etc/crypto-policies/back-ends/gnutls.config - regexp: '^\+VERS-ALL:' - line: "+VERS-ALL:{{ rhel8stig_gnutls_encryption }}" + regexp: '^(.*\+VERS-ALL:)' + line: '\1{{ rhel8stig_gnutls_encryption }}' + backrefs: true create: yes owner: root group: root @@ -680,7 +683,7 @@ - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." lineinfile: - path: '{{ rhel8stig_sssd_conf.stdout }}' + path: '{{ rhel8stig_sssd_conf }}' regexp: '^certificate_verification = {{ item }}' state: absent with_items: @@ -689,7 +692,8 @@ - no_verification notify: restart sssd when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists - rhel_08_010400 tags: - RHEL-08-010400 @@ -1890,7 +1894,7 @@ lineinfile: path: "/etc/security/faillock.conf" regexp: '^fail_interval =|^\# fail_interval =' - line: "fail_interval = {{ rhel8stig_pam_faillock.interval }} }}" + line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" with_items: - system-auth - password-auth @@ -2377,7 +2381,9 @@ notify: dconf update when: - rhel_08_020030 - - rhel8stig_dconf_available + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + tags: - RHEL-08-020030 - gui @@ -2512,7 +2518,9 @@ when: rhel_08_020060_idle_delay_param.stdout | length > 0 when: - rhel_08_020060 - - rhel8stig_dconf_available + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + tags: - RHEL-08-020060 - gui 
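Review bot: With `backrefs: true`, lineinfile makes no change when `^(.*\+VERS-ALL:)` does not match, so the `create: yes` two lines below becomes dead and a host whose gnutls.config lacks a `+VERS-ALL:` token (an empty or regenerated file, for instance) now passes the task silently instead of having the policy line inserted as before. If only an existing line should ever be edited, drop `create: yes` and add a comment saying a missing token is deliberately left alone; otherwise a preceding check that the token exists, with an insert of the full `+VERS-ALL:{{ rhel8stig_gnutls_encryption }}` line when it does not, restores the old coverage. Either way this file is managed by `update-crypto-policies` (on RHEL 8 typically a symlink into /usr/share/crypto-policies, as I recall), so the edit may be reverted on the next policy update — a comment to that effect would help the next maintainer. The task's remaining keys continue past the hunk.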
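Review bot: `rhel8stig_sssd_conf_present.stat.exists` is evaluated before `rhel_08_010400` in the new `when` list, but the prelim `stat` task that registers it (tasks/prelim.yml hunk -309) itself runs only when one of the four sssd controls is enabled; when sssd is installed and all four are disabled the register holds only a skip result without a `stat` key, and this condition raises an undefined-attribute error instead of skipping. Moving `- rhel_08_010400` ahead of the stat check, or writing `- rhel8stig_sssd_conf_present.stat.exists | default(false)`, avoids it. The same ordering appears in the hunks at -2550, -2936 and -2985, and the final warning task of the prelim -309 hunk reads the same attribute with no control-flag guard at all.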
@@ -2550,26 +2558,28 @@ - /org/gnome/desktop/lockdown/disable-lock-screen when: - rhel_08_020080 - # - rhel8stig_dconf_available + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf tags: - RHEL-08-020080 - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." lineinfile: - path: "{{ rhel8stig_sssd_conf.stdout }}" + path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" owner: root group: root mode: 0640 with_items: - - { regexp: '^\[certmap/testing.test/rule_name]', line: '[certmap/testing.test/rule_name]' } - - { regexp: '^matchrule =', line: 'matchrule =.*EDIPI@mil' } - - { regexp: '^maprule =', line: 'maprule = (userCertificate;binary={cert!bin})' } - - { regexp: 'dmains =', line: 'dmains = testing.test' } + - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } + - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } + - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' } + - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' } notify: restart sssd when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020090 tags: - RHEL-08-020090 
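Review bot: The rewritten `with_items` regexps for `matchrule`, `maprule` and `domains` now embed the full expected value, so an existing line with a different value no longer matches and lineinfile appends a second entry rather than correcting it; the values also enter the regex unescaped (`.*`, `(` and `)` in the defaults are live metacharacters, and a user-supplied maprule can break the pattern). Anchoring on the key alone (`'^matchrule '`, `'^maprule ='`) or filtering with `{{ value | regex_escape }}` fixes the first two, but `domains =` cannot be handled safely by line matching at all: anchored or not it can hit the `[sssd]` section's own `domains =` line, replacing the global domain list or, when the values coincide, reporting ok while the certmap rule never receives its entry. sssd.conf is INI-style, so the `ini_file` module with `section: "{{ rhel8stig_sssd.certmap }}"` and one `option`/`value` per key writes each setting into the right section and replaces rather than duplicates. The stat-ordering point raised on the -689 hunk applies to this task's `when` as well.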
@@ -2878,13 +2888,13 @@ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf" lineinfile: - path: "{{ rhel8stig_sssd_conf.stdout }}" + path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0644 + mode: 0640 notify: restart sssd with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } @@ -2936,7 +2946,8 @@ notify: restart sssd when: rhel_08_020250_system_auth_sss.stdout | length > 0 when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020250 tags: - RHEL-08-020250 @@ -2985,18 +2996,19 @@ - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." lineinfile: - path: "{{ rhel8stig_sssd_conf.stdout }}" + path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0644 + mode: 0640 with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020290 tags: - RHEL-08-020290 
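Review bot: The `mode` change from `0644` to `0640` narrows the file but still leaves sssd.conf group-readable, and sssd's own start-up permission check (in the 2.x series shipped with RHEL 8, as I read it) rejects a config that is not root-owned 0600, so the `restart sssd` handler notified two lines below may then fail to bring the service back — worth verifying on a test host before relying on it. The packaged default is `0600 root:root`; `mode: "0600"` (quoted, so the leading zero survives any YAML 1.2 parser) would match it here and in the -2985 hunk, and the unchanged `mode: 0640` on the RHEL-08-020090 task in the -2550 hunk should agree. Both tasks' `with_items` and `when` continue beyond the hunk.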
@@ -5369,11 +5381,11 @@ tags: - RHEL-08-040330 -- name: "MEDIUM | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8." +- name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?X11Forwarding' - line: 'X11Forwarding yes' + line: 'X11Forwarding no' create: yes owner: root group: root diff --git a/tasks/main.yml b/tasks/main.yml index dadcac28..9086f6cf 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -34,6 +34,12 @@ tags: - always +- name: Gather the package facts + package_facts: + manager: auto + tags: + - always + # - name: Install OpenSCAP and run a report # import_tasks: audit_oscap_scan_before.yml # when: rhel8stig_oscap_scan diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 7c821037..154e6988 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,20 +1,11 @@ --- - name: "PRELIM | dconf" block: - - name: "PRELIM | Check for dconf availability" - command: rpm -q dconf - args: - warn: no - changed_when: no - check_mode: no - failed_when: rhel8stig_dconf_audit.rc >= 2 - register: rhel8stig_dconf_audit - - name: "PRELIM | Install dconf" dnf: name: dconf when: - - rhel8stig_dconf_audit.rc == 1 + - "'dconf' not in ansible_facts.packages" - rhel8stig_gui - name: dconf directory structure @@ -58,6 +49,7 @@ dnf: name: grub2-tools when: + - "'grub2-tools' not in ansible_facts.packages" - rhel_08_010020 or rhel_08_010140 or rhel_08_010150 @@ -110,6 +102,7 @@ dnf: name: cronie when: + - "'cronie' not in ansible_facts.packages" - rhel_08_010360 tags: - cat2 @@ -233,6 +226,7 @@ changed_when: not rhel8stig_aide_db_status.stat.exists notify: "{{ rhel8stig_aide_handler }}" when: + - "'aide' not in ansible_facts.packages" - rhel_08_010360 or rhel_08_010380 or rhel_08_040310 
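Review bot: The flipped `line: 'X11Forwarding no'` is appended at end of file when `(?i)^#?X11Forwarding` finds no match, and an sshd_config that ends with a `Match` block would then scope the directive to that block only, leaving the global default in force. `insertbefore: '^\s*Match\b'` together with `firstmatch: true` keeps an inserted line in the global section. The regexp also misses a commented form with a space after the hash (`# X11Forwarding`), which `'(?i)^#?\s*X11Forwarding'` would cover; the task's remaining keys run past the hunk.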
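Review bot: Adding `'aide' not in ansible_facts.packages` to this task changes more than an install guard: its `changed_when: not rhel8stig_aide_db_status.stat.exists` and `notify: "{{ rhel8stig_aide_handler }}"` (both context lines here) tie the handler to the database being absent, and with the new condition a host that already has aide installed but no database skips the task and never notifies the handler. If the handler initialises the database, that is a regression for the common case of a pre-installed aide; the guard belongs on a separate install task, or the condition should read `not rhel8stig_aide_db_status.stat.exists or 'aide' not in ansible_facts.packages`. The task's head is above the hunk, so this is inferred from the visible keys.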
@@ -247,11 +241,10 @@ - name: "PRELIM | RHEL-08-010170 | RHEL-08-010450 | Install SELinux related dependencies" dnf: - name: - - libselinux-utils - # - policycoreutils-python-utils - # - selinux-policy-targeted + name: libselinux-utils + state: present when: + - "'libselinux-utils' not in ansible_facts.packages" - rhel_08_010170 or rhel_08_010450 @@ -260,6 +253,9 @@ - name: "PRELIM | Install SSH" dnf: name: openssh-server + state: present + when: + - "'openssh-server' not in ansible_facts.packages" - name: PRELIM | Start SSH service: 
@@ -309,27 +305,33 @@ - RHEL-08-010770 - complexity-high -- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" +- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" block: - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" - shell: find / -name sssd.conf - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_sssd_conf + stat: + path: "{{ rhel8stig_sssd_conf }}" + register: rhel8stig_sssd_conf_present when: + - "'sssd' in ansible_facts.packages" - rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290 + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | sssd install status | Warning if not found" + debug: + msg: "Warning!! The package sssd is found not be be installed, some items will skip" + changed_when: true + when: + - "'sssd' not in ansible_facts.packages" + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" debug: - msg: "Warning!! sssd config file has not been found, some items will skip" + msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" changed_when: true when: - - rhel8stig_sssd_conf.stdout | length == 0 + - "'sssd' in ansible_facts.packages" + - not rhel8stig_sssd_conf_present.stat.exists - name: "PRELIM | Gather interactive user ID min" block: @@ -361,3 +363,9 @@ rhel_08_040283 or rhel_08_040284 or rhel_08_040285 + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - always
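Review bot: `'sssd' in ansible_facts.packages` is the installed test here and in every sssd task, but on RHEL 8 the daemon and `/etc/sssd` ship in `sssd-common`, and `sssd` is a meta-package that a provider-only install (`sssd-ad`, `sssd-ipa`, an IdM or `realm join` enrolment) may not pull in — such a host would fail the package check and silently skip four STIG controls while running sssd. Checking `'sssd-common' in ansible_facts.packages` (or the running service after `service_facts`) is the more robust test, worth confirming against an enrolled host. The first warning message also has a typo, `found not be be installed` → `found not to be installed`. The block's closing and any tags are beyond the hunk.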
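Review bot: This second `Gather the package facts` task repeats the one added to tasks/main.yml in the -34 hunk with an identical name and no comment saying why, so it reads as a copy-paste error although it is load-bearing: the prelim installs (dconf, aide, libselinux-utils, openssh-server) change the installed set that the later `'… in ansible_facts.packages` conditions in fix-cat2.yml and the handlers read. A name that states the difference and a comment make that survive the next cleanup, e.g. `- name: "PRELIM | Re-gather package facts after prelim installs"` with `# Refresh ansible_facts.packages so later conditions see packages installed above`. This is inferred from the surrounding hunks; if the main.yml gather runs after prelim.yml is imported, one of the two is redundant instead.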