update fix cat2

Signed-off-by: Mark Bolwell <[email protected]>
ansible-lockdown · Nov 4, 2021 · fb52efe · fb52efe
2 parents 1612735 + 1e8f9a3
commit fb52efe
Show file tree

Hide file tree

Showing 8 changed files with 1,117 additions and 747 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -477,13 +477,78 @@ rhel8stig_smartcard: false
 # Configure your smartcard driver
 rhel8stig_smartcarddriver: cackey
 
+# IPv6 required
+rhel8stig_ipv6_required: true
+
+# RHEL-08-010001
+# rhel8stig_av_sftw is the AV software package. When set to mcafee it enables the check for these packages
+# When set to anything other than mcafee it will skip this control assuming localized threat prevention management
+rhel8stig_av_sftw: mcafee
+
+# RHEL-08-010210
+# rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to.
+# To conform to STIG standards this needs to be 0640 or more restrictive
+rhel8stig_var_log_messages_perm: 0640
+
+# RHEL-08-010240
+# rhel8stig_var_log_perm is the permissions the /var/log file is set to.
+# To conform to STIG standards this needs to be 0755 or more restrictive
+rhel8stig_var_log_perm: 0755
+
+# RHEL-08-010300
+# rhel8stig_sys_commands_perm is the permissions the system comments will have
+# To conform to STIG standards this needs to be set to 0755 or more restrictive
+rhel8stig_sys_commands_perm: 0755
+
+# RHEL-08-010330
+# rhel8stig_lib_file_perm is the permissions teh library files will be set to
+# To conform to STIG standards this needs to be set to 0755 or more restrictive
+rhel8stig_lib_file_perm: 0755
+
+# RHEL-08-010480
+# rhel8stig_ssh_pub_key_perm are the permissions set to the SSH public host keys
+# To conform to STIG standards this needs to be set to 0644 or less permissive
+rhel8stig_ssh_pub_key_perm: 0644
+
+# RHEL-08-010490
+# rhel8stig_ssh_priv_key_perm are the permssions set to the SSH private host keys
+# To conform to STIG standards this needs to be set to 0600 or less permissive
+rhel8stig_ssh_priv_key_perm: 0600
+
 # RHEL-08-010690
 # Set standard user paths here
 # Also set whether we should automatically remediate paths in user ini files.
 # rhel_08_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
 rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
 rhel8stig_change_user_path: false
 
+
+# RHEL-08-010700
+# rhel8stig_ww_dir_owner is the owenr of all world-writable directories
+# To conform to STIG standards this needs to be set to root, sys, bin, or an application group
+rhel8stig_ww_dir_owner: root
+
+# RHEL-08-010710
+# rhel8stig_ww_dir_grpowner is the owenr of all world-writable directories
+# To conform to STIG standards this needs to be set to root, sys, bin, or an application group
+rhel8stig_ww_dir_grpowner: root
+
+# RHEL-08-010730
+# rhel8stig_local_int_home_perms is the permissions set to local interactive user home directories
+# To conform to STIG standards this needs to be set to 0750 more less permissive
+rhel8stig_local_int_home_perms: 0750
+
+# RHEL-08-010731
+# rhel8stig_local_int_home_file_perms is the permissions set to files in the local interactive
+# user home directories. These are only set when rhel8stig_disruption_high is set to true
+# All files users home directories that are less restrictive than 0750 will be set to this value
+rhel8stig_local_int_home_file_perms: 750
+
+# RHEL-08-010770
+# rhel8stig_local_int_perm is the permissions set to the local initialization files
+# To connform to STIG standards this needs to be set to 0740 or less permissive
+rhel8stig_local_int_perm: 0740
+
 # RHEL-08-020250
 # This is a check for a "supported release"
 # These are the minimum supported releases.
@@ -752,13 +817,13 @@ rhel8stig_path_to_sshkey: "/root/.ssh/"
 rhel8stig_sshd_compression: "no"
 
 # now in prelim
-rhel8stig_interactive_uid_start: 1000
+# rhel8stig_interactive_uid_start: '1000'
 
 # RHEL-08-030740
 # rhel8stig_ntp_server_name is the name of the NTP server
 rhel8stig_ntp_server_name: server.name
 
-# RHEL-08-040130
+# RHEL-08-040137
 # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all
 rhel8stig_fapolicy_white_list:
     - deny all all

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -33,16 +33,17 @@
 
 - name: confirm grub2 user cfg
   stat:
-      path: /boot/grub2/user.cfg
+      path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg"
+  changed_when: rhel8stig_grub2_user_cfg.stat.exists
   register: rhel8stig_grub2_user_cfg
   notify: make grub2 config
 
 - name: make grub2 config
   command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_grub_cfg_path }}
   when:
-      - rhel7stig_grub2_user_cfg.stat.exists
-      - not rhel7stig_skip_for_travis
-      - not rhel7stig_system_is_container
+      - rhel8stig_grub2_user_cfg.stat.exists
+      - not rhel8stig_skip_for_travis
+      - not rhel8stig_system_is_container
 
 - name: copy grub2 config to BIOS/UEFI to satisfy benchmark
   listen: make grub2 config

diff --git a/site.yml b/site.yml
@@ -1,11 +1,7 @@
 ---
 - hosts: all
   become: true
-  vars:
-      is_container: false
 
   roles:
+
       - role: "{{ playbook_dir }}"
-        rhel8cis_system_is_container: "{{ is_container | default(false) }}"
-        rhel8cis_skip_for_travis: false
-        rhel8cis_oscap_scan: yes