Merge pull request #60 from ansible-lockdown/stig_v1r3_incl_metadata

Stig v1r3 incl metadata
Signed-off-by: George Nalen <[email protected]>

README.md

@@ -7,7 +7,7 @@ RHEL 8 DISA STIG
 
 Configure a RHEL 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`.
 
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel 2 released on  April 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R2_STIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 1, Rel 3 released on  July 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R3_STIG.zip).
 
 Updating
 --------

defaults/main.yml

@@ -86,6 +86,8 @@ rhel_08_010460: true
 rhel_08_010470: true
 rhel_08_010820: true
 rhel_08_020330: true
+rhel_08_020331: true
+rhel_08_020332: true
 rhel_08_040000: true
 rhel_08_040010: true
 rhel_08_040060: true
@@ -97,9 +99,11 @@ rhel_08_040200: true
 rhel_08_040360: true
 
 # CAT 2 rules
+rhel_08_010001: true
 rhel_08_010010: true
 rhel_08_010030: true
 rhel_08_010040: true
+rhel_08_010049: true
 rhel_08_010050: true
 rhel_08_010060: true
 rhel_08_010070: true
@@ -108,7 +112,12 @@ rhel_08_010100: true
 rhel_08_010110: true
 rhel_08_010120: true
 rhel_08_010130: true
+rhel_08_010131: true
+rhel_08_010141: true
+rhel_08_010149: true
 rhel_08_010151: true
+rhel_08_010152: true
+rhel_08_010159: true
 rhel_08_010160: true
 rhel_08_010161: true
 rhel_08_010162: true
@@ -117,12 +126,14 @@ rhel_08_010170: true
 rhel_08_010180: true
 rhel_08_010190: true
 rhel_08_010200: true
+rhel_08_010201: true
 rhel_08_010210: true
 rhel_08_010220: true
 rhel_08_010230: true
 rhel_08_010240: true
 rhel_08_010250: true
 rhel_08_010260: true
+rhel_08_010287: true
 rhel_08_010290: true
 rhel_08_010291: true
 rhel_08_010293: true
@@ -158,12 +169,15 @@ rhel_08_010500: true
 rhel_08_010510: true
 rhel_08_010520: true
 rhel_08_010521: true
+rhel_08_010522: true
 rhel_08_010543: true
+rhel_08_010544: true
 rhel_08_010550: true
 rhel_08_010560: true
 rhel_08_010561: true
 rhel_08_010570: true
 rhel_08_010571: true
+rhel_08_010572: true
 rhel_08_010580: true
 rhel_08_010590: true
 rhel_08_010600: true
@@ -185,7 +199,9 @@ rhel_08_010700: true
 rhel_08_010710: true
 rhel_08_010720: true
 rhel_08_010730: true
+rhel_08_010731: true
 rhel_08_010740: true
+rhel_08_010741: true
 rhel_08_010750: true
 rhel_08_010760: true
 rhel_08_010770: true
@@ -208,13 +224,20 @@ rhel_08_020020: true
 rhel_08_020021: true
 rhel_08_020022: true
 rhel_08_020023: true
+rhel_08_020025: true
+rhel_08_020026: true
 rhel_08_020030: true
+rhel_08_020031: true
+rhel_08_020032: true
+rhel_08_020039: true
 rhel_08_020040: true
 rhel_08_020041: true
 rhel_08_020050: true
 rhel_08_020060: true
 rhel_08_020070: true
 rhel_08_020080: true
+rhel_08_020081: true
+rhel_08_020082: true
 rhel_08_020090: true
 rhel_08_020100: true
 rhel_08_020110: true
@@ -269,6 +292,7 @@ rhel_08_030170: true
 rhel_08_030171: true
 rhel_08_030172: true
 rhel_08_030180: true
+rhel_08_030181: true
 rhel_08_030190: true
 rhel_08_030200: true
 rhel_08_030210: true
@@ -338,6 +362,7 @@ rhel_08_030700: true
 rhel_08_030710: true
 rhel_08_030720: true
 rhel_08_030730: true
+rhel_08_030731: true
 rhel_08_030740: true
 rhel_08_040001: true
 rhel_08_040002: true
@@ -348,6 +373,7 @@ rhel_08_040070: true
 rhel_08_040080: true
 rhel_08_040090: true
 rhel_08_040100: true
+rhel_08_040101: true
 rhel_08_040110: true
 rhel_08_040111: true
 rhel_08_040120: true
@@ -366,27 +392,36 @@ rhel_08_040132: true
 rhel_08_040133: true
 rhel_08_040134: true
 rhel_08_040135: true
+rhel_08_040136: true
+rhel_08_040137: true
+rhel_08_040139: true
 rhel_08_040140: true
+rhel_08_040141: true
 rhel_08_040150: true
+rhel_08_040159: true
 rhel_08_040160: true
 rhel_08_040161: true
-rhel_08_040162: true
 rhel_08_040180: true
+rhel_08_040209: true
 rhel_08_040210: true
 rhel_08_040220: true
 rhel_08_040230: true
+rhel_08_040239: true
 rhel_08_040240: true
+rhel_08_040249: true
 rhel_08_040250: true
 rhel_08_040260: true
 rhel_08_040261: true
 rhel_08_040262: true
 rhel_08_040270: true
+rhel_08_040279: true
 rhel_08_040280: true
 rhel_08_040281: true
 rhel_08_040282: true
 rhel_08_040283: true
 rhel_08_040284: true
 rhel_08_040285: true
+rhel_08_040286: true
 rhel_08_040290: true
 rhel_08_040320: true
 rhel_08_040330: true
@@ -404,6 +439,7 @@ rhel_08_010375: true
 rhel_08_010376: true
 rhel_08_010440: true
 rhel_08_010471: true
+rhel_08_010472: true
 rhel_08_010540: true
 rhel_08_010541: true
 rhel_08_010542: true
@@ -441,13 +477,78 @@ rhel8stig_smartcard: false
 # Configure your smartcard driver
 rhel8stig_smartcarddriver: cackey
 
+# IPv6 required
+rhel8stig_ipv6_required: true
+
+# RHEL-08-010001
+# rhel8stig_av_sftw is the AV software package. When set to mcafee it enables the check for these packages
+# When set to anything other than mcafee it will skip this control assuming localized threat prevention management
+rhel8stig_av_sftw: mcafee
+
+# RHEL-08-010210
+# rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to.
+# To conform to STIG standards this needs to be 0640 or more restrictive
+rhel8stig_var_log_messages_perm: 0640
+
+# RHEL-08-010240
+# rhel8stig_var_log_perm is the permissions the /var/log file is set to.
+# To conform to STIG standards this needs to be 0755 or more restrictive
+rhel8stig_var_log_perm: 0755
+
+# RHEL-08-010300
+# rhel8stig_sys_commands_perm is the permissions the system comments will have
+# To conform to STIG standards this needs to be set to 0755 or more restrictive
+rhel8stig_sys_commands_perm: 0755
+
+# RHEL-08-010330
+# rhel8stig_lib_file_perm is the permissions teh library files will be set to
+# To conform to STIG standards this needs to be set to 0755 or more restrictive
+rhel8stig_lib_file_perm: 0755
+
+# RHEL-08-010480
+# rhel8stig_ssh_pub_key_perm are the permissions set to the SSH public host keys
+# To conform to STIG standards this needs to be set to 0644 or less permissive
+rhel8stig_ssh_pub_key_perm: 0644
+
+# RHEL-08-010490
+# rhel8stig_ssh_priv_key_perm are the permssions set to the SSH private host keys
+# To conform to STIG standards this needs to be set to 0600 or less permissive
+rhel8stig_ssh_priv_key_perm: 0600
+
 # RHEL-08-010690
 # Set standard user paths here
 # Also set whether we should automatically remediate paths in user ini files.
 # rhel_08_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
 rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
 rhel8stig_change_user_path: false
 
+
+# RHEL-08-010700
+# rhel8stig_ww_dir_owner is the owenr of all world-writable directories
+# To conform to STIG standards this needs to be set to root, sys, bin, or an application group
+rhel8stig_ww_dir_owner: root
+
+# RHEL-08-010710
+# rhel8stig_ww_dir_grpowner is the owenr of all world-writable directories
+# To conform to STIG standards this needs to be set to root, sys, bin, or an application group
+rhel8stig_ww_dir_grpowner: root
+
+# RHEL-08-010730
+# rhel8stig_local_int_home_perms is the permissions set to local interactive user home directories
+# To conform to STIG standards this needs to be set to 0750 more less permissive
+rhel8stig_local_int_home_perms: 0750
+
+# RHEL-08-010731
+# rhel8stig_local_int_home_file_perms is the permissions set to files in the local interactive
+# user home directories. These are only set when rhel8stig_disruption_high is set to true
+# All files users home directories that are less restrictive than 0750 will be set to this value
+rhel8stig_local_int_home_file_perms: 750
+
+# RHEL-08-010770
+# rhel8stig_local_int_perm is the permissions set to the local initialization files
+# To connform to STIG standards this needs to be set to 0740 or less permissive
+rhel8stig_local_int_perm: 0740
+
 # RHEL-08-020250
 # This is a check for a "supported release"
 # These are the minimum supported releases.
@@ -716,13 +817,13 @@ rhel8stig_path_to_sshkey: "/root/.ssh/"
 rhel8stig_sshd_compression: "no"
 
 # now in prelim
-rhel8stig_interactive_uid_start: 1000
+# rhel8stig_interactive_uid_start: '1000'
 
 # RHEL-08-030740
 # rhel8stig_ntp_server_name is the name of the NTP server
 rhel8stig_ntp_server_name: server.name
 
-# RHEL-08-040130
+# RHEL-08-040137
 # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all
 rhel8stig_fapolicy_white_list:
     - deny all all

handlers/main.yml

@@ -33,16 +33,17 @@
 
 - name: confirm grub2 user cfg
   stat:
-      path: /boot/grub2/user.cfg
+      path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg"
+  changed_when: rhel8stig_grub2_user_cfg.stat.exists
   register: rhel8stig_grub2_user_cfg
   notify: make grub2 config
 
 - name: make grub2 config
   command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_grub_cfg_path }}
   when:
-      - rhel7stig_grub2_user_cfg.stat.exists
-      - not rhel7stig_skip_for_travis
-      - not rhel7stig_system_is_container
+      - rhel8stig_grub2_user_cfg.stat.exists
+      - not rhel8stig_skip_for_travis
+      - not rhel8stig_system_is_container
 
 - name: copy grub2 config to BIOS/UEFI to satisfy benchmark
   listen: make grub2 config

site.yml

@@ -1,11 +1,7 @@
 ---
 - hosts: all
   become: true
-  vars:
-      is_container: false
 
   roles:
+
       - role: "{{ playbook_dir }}"
-        rhel8cis_system_is_container: "{{ is_container | default(false) }}"
-        rhel8cis_skip_for_travis: false
-        rhel8cis_oscap_scan: yes