Merge pull request #34 from ansible-lockdown/devel
Devel to main
Signed-off-by: George Nalen <[email protected]>
georgenalen authored Jul 12, 2021
2 parents cf84c5c + ed4dc79 commit fe50d2a
Showing 16 changed files with 600 additions and 219 deletions.
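--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,11 @@
+parseable: true
+quiet: true
+skip_list:
+- '204'
+- '305'
+- '303'
+- '403'
+- '306'
+- '602'
+use_default_rules: true
+verbosity: 0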
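Review bot: The skip_list turns off rule 306 (pipefail on piped shell tasks) and 403 (package installs with state=latest) for the whole repository, which suppresses exactly the findings a hardening role most wants to see — a `shell: a | b` task whose first command fails still reports success once 306 is waived globally. Prefer tagging the individual offending tasks with `skip_ansible_lint` (as this commit already does in the OpenSCAP scan tasks) and keep the global list for purely cosmetic rules such as 204. The bare numeric codes are opaque to the next reader; a comment per entry, e.g. `- '306'  # risky-shell-pipe — TODO: justify or fix per task`, would record why each rule is waived and make it easier to retire the waiver later.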
1 change: 1 addition & 0 deletions .gitignore
@@ -1,6 +1,7 @@
.env
*.log
*.retry
.cache
.vagrant
tests/*redhat-subscription
tests/Dockerfile
24 changes: 24 additions & 0 deletions .yamllint
@@ -0,0 +1,24 @@
---
ignore: |
tests/
molecule/
.github/
.gitlab-ci.yml
*molecule.yml

extends: default

rules:
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
truthy: disable
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
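Review bot: `truthy: disable` switches off the one yamllint check that catches the `yes`/`no`/`on`/`off` ambiguity, and this same commit keeps values such as `remote_src: yes`, `create: yes` and `rhel8cis_oscap_scan: yes` that the rule would have flagged. Ansible's YAML 1.1 loader reads those as booleans today, but a YAML 1.2 loader reads `yes` as the string "yes", so the role's own files are precisely the case the check exists for. Rather than disabling it outright, consider `truthy: {allowed-values: ['true', 'false'], check-keys: false}` (if your yamllint version supports `check-keys`) and converting the existing `yes`/`no` values to `true`/`false` in a follow-up. Note also that the rendered page has lost the nesting, so I am assuming `truthy` sits under `rules:` alongside `indentation`.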
15 changes: 11 additions & 4 deletions README.md
Expand Up @@ -12,7 +12,6 @@ Requirements

RHEL 8 or CentOS 8 - Other versions are not supported.


Dependencies
------------

Expand All @@ -25,10 +24,12 @@ The following packages must be installed on the controlling host/host where ansi

Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.


Role Variables
--------------

- some found below
- please refer to defaults/main.yml for a full breakdown

| Name | Default Value | Description |
|-------------------|---------------------|----------------------|
| `rhel8stig_oscap_scan` | `no` | Install and run an OpenSCAP report before and after the application of this role |
Expand Down Expand Up @@ -56,6 +57,12 @@ Role Variables
| `rhel8stig_password_complexity.maxrepeat` | `3` | Maximum number of allowed same consecutive characters in a new password. |
| `rhel8stig_password_complexity.maxclassrepeat` | `4` | Maximum number of allowed same consecutive characters in the same **class** in the new password. |
| `rhel8stig_password_complexity.minlen` | `15` | Minimum number of characters in a new password. |
| `rhel8stig_sssd_conf` | [see defaults/main.yml](./defaults/main.yml) | Default location for sssd.conf |
| `rhel8stig_sssd_domain` | testing.test | Domain to be used in sssd |
| `rhel8stig_sssd.certmap` | certmap/{{ rhel8stig_sssd_domain }}/rule_name | certmap rule for sssd |
| `rhel8stig_sssd.matchrule` | =.*EDIPI@mil | match rule in relationship to domain e.g. CN etc |
| `rhel8stig_sssd.maprule` | (userCertificate;binary={cert!bin}) | map cert auth requirements into sssd rule |
| `rhel8stig_sssd.domains` | testing.test | comma seperated list of domains using sssd |
| `rhel8stig_shell_session_timeout` | `file: /etc/profile` `timeout: 600` | Dictionary of session timeout setting and file (TMOUT setting can be set in multiple files) |
| `rhel8stig_interactive_uid_start` | `1000` | Interactive user start point (UID_MIN) from /etc/login.defs |
| `rhel8stig_ntp_server_name: server.name` | `server.name` | The NTP Server Name |
Expand All @@ -64,9 +71,10 @@ Role Variables
| `rhel8stig_sshd_compression` | `no` | The Compression parameter in /etc/ssh/sshd_config needs to be set to no or delayed |
| `rhel8stig_path_to_sshkey` | `/root/.ssh/` | Custom path to the ssh key |
| `rhel8stig_hashing_rounds` | `5000` | The rounds parameter goes into pamd configs and needs to be set to now lower than 5000 |
| `rhel8stig_dns_servers` | `9.9.9.9 and 149.112.112.112` | To conform to STIG standards you need two DNS servers, parameter is in list form |
| `rhel8stig_dns_servers` | `8.8.8.8 and 8.8.4.4` | To conform to STIG standards you need two DNS servers, parameter is in list form |
| `rhel8stig_nfs_mounts` | `vars` | NFS file system mounts pull automatcially with prelim task |
| `rhel8stig_nfs_mounts_query` | `[?starts_with(fstype, 'nfs')].mount` | The query for mounts |
| `rhel8stig_skip_reboot` | `false` | Whether or not to skip the reboot |


Example Playbook
Expand All @@ -78,4 +86,3 @@ Example Playbook
when:
- ansible_os_family == 'RedHat'
- ansible_distribution_major_version | version_compare('8', '=')

34 changes: 28 additions & 6 deletions defaults/main.yml
Expand Up @@ -38,6 +38,9 @@ rhel8stig_system_is_container: false
# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
system_is_ec2: false

# Whether to skip the reboot
rhel8stig_skip_reboot: false

# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
# in order for the variables below to take effect.
Expand Down Expand Up @@ -515,6 +518,15 @@ rhel8stig_password_complexity:
minlen: 15
dictcheck: 1

# rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290
rhel8stig_sssd_conf: /etc/sssd/sssd.conf
rhel8stig_sssd_domain: testing.test
rhel8stig_sssd:
certmap: "certmap/{{ rhel8stig_sssd_domain }}/rule_name"
matchrule: "=.*EDIPI@mil"
maprule: (userCertificate;binary={cert!bin})
domains: "{{ rhel8stig_sssd_domain }}"

# RHEL-08-020070
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600)
Expand Down Expand Up @@ -567,7 +579,7 @@ rhel8stig_audisp_disk_full_action: single
# rhel8stig_audisp_network_failure_action optoins are syslog, halt, and single
rhel8stig_audisp_network_failure_action: single

# RHEL-08-030060
# RHEL-08-030060
# rhel8stig_auditd_disk_full_action options are SYSLOG, HALT, and SINGLE to fit STIG standards
rhel8stig_auditd_disk_full_action: HALT

Expand Down Expand Up @@ -625,7 +637,7 @@ rhel8stig_auditd_failure_flag: "{{ rhel8stig_availability_override | ternary(1,
# REHL-08-010020
rhel8stig_boot_part: "{{ rhel_08_boot_part.stdout }}"

#
#
rhel8stig_machine_uses_uefi: "{{ rhel_08_sys_firmware_efi.stat.exists }}"
rhel8stig_grub_cfg_path: "{{ rhel8stig_machine_uses_uefi | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
rhel8stig_grub_cfg_path_invalid: "{{ (not rhel8stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
Expand All @@ -638,15 +650,25 @@ rhel8stig_nfs_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel
rhel8stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount"

# RHEL-08-010680
rhel8stig_dns_servers:
# This can be managed using a template ensure settings are correct
rhel8_stig_use_resolv_template: false
rhel8_stig_resolv_domain: example.com
rhel8_stig_resolv_search:
# - 'example.com'
# - 'blah'
rhel8_stig_resolv_options:
# - 'rotate 2'
# - 'timeout:1'

rhel8stig_dns_servers: # The order needs to be set as expected. If you have 3 you will need to amend playbook (not ideal)
- 8.8.8.8
- 8.8.4.4

rhel8stig_int_gid: 1000

# RHEL-08-010130
# The rounds parameter goes into the password sufficient pam_unix.so element of the password-auth and system-auth files. The value shoudl be set no lower than 5000
rhel8stig_hashing_rounds: 5000
rhel8stig_hashing_rounds: 5000

# RHEL-08-010100
rhel8stig_path_to_sshkey: "/root/.ssh/"
Expand All @@ -673,7 +695,7 @@ rhel8stig_custom_firewall_zone: "new_fw_zone"

# RHEL-08-040090
# rhel8stig_white_list_services is the services that you want to allow through initially for teh new firewall zone
# http and ssh need to be enabled for the role to run.
# http and ssh need to be enabled for the role to run.
rhel8stig_white_list_services:
- http
- https
Expand All @@ -698,4 +720,4 @@ rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1

# RHEL-08-020070
# This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less
rhel8stig_tmux_lock_after_time: 900
rhel8stig_tmux_lock_after_time: 900
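Review bot: `rhel8_stig_resolv_search:` and `rhel8_stig_resolv_options:` are left as bare keys with their entries commented out, which YAML loads as null rather than an empty list, so any template loop over them (`{% for s in rhel8_stig_resolv_search %}`) should raise on NoneType; write `rhel8_stig_resolv_search: []` and `rhel8_stig_resolv_options: []`, and note that these two `rhel8_stig_*` names break the `rhel8stig_*` prefix used by every other variable in the file. The new `rhel8stig_dns_servers` default points a STIG-hardened host at Google's public resolvers, and the inline comment admits a third server requires editing the playbook; a deliberately empty default, with the task failing with a clear message until the operator supplies their enterprise resolvers, is safer than a value that gets applied unnoticed. Likewise `rhel8stig_sssd_domain: testing.test` and the `=.*EDIPI@mil` match rule are placeholders that, if the consuming task writes them into sssd.conf unconditionally, configure certificate mapping for a domain that does not exist. A comment stating that these must be overridden — or a guard that skips the sssd task while they are still at their defaults — would prevent an unintended lockout.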
13 changes: 11 additions & 2 deletions handlers/main.yml
Expand Up @@ -16,6 +16,8 @@
service:
name: sssd
state: restarted
when:
- "'sssd' in ansible_facts.packages"

- name: restart snmpd
service:
Expand Down Expand Up @@ -48,6 +50,9 @@
src: "{{ rhel8stig_grub_cfg_path | dirname }}/{{ item }}"
dest: "{{ rhel8stig_grub_cfg_path_invalid | dirname }}/{{ item }}"
remote_src: yes
owner: root
group: root
mode: 0755
with_items:
- grub.cfg
- user.cfg
Expand Down Expand Up @@ -107,7 +112,10 @@

- name: dconf update
command: dconf update
when: rhel8stig_has_dconf_command
when:
- "'dconf' in ansible_facts.packages"
- rhel8stig_always_configure_dconf


- name: prereport score
debug:
Expand All @@ -122,4 +130,5 @@
- name: reboot system
shell: sleep 3; reboot
async: 15
poll: 0
poll: 0
when: not rhel8stig_skip_reboot
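Review bot: The grub copy handler now writes grub.cfg and user.cfg with `mode: 0755`, but user.cfg carries the `GRUB2_PASSWORD=` PBKDF2 hash that the cat1 task in this same commit deliberately restricts to `mode: 0640`; the handler undoes that on the copied location and makes the hash world-readable (and executable, which a config file never needs). Use `mode: 0600` for both files — grub reads them as root at boot, so nothing else needs access — and keep it consistent with the task; on a vfat-backed /boot/efi the mode is ignored anyway, so the tighter value costs nothing. The `- name:` line of this copy handler starts above the hunk. The `dconf update` guard now relies on `ansible_facts.packages`, which is only populated after `package_facts` has run; if the handler fires in a run that skipped that prelim task the condition should error out rather than skip, so `'dconf' in (ansible_facts.packages | default({}))` would be safer, and the same applies to the new `sssd` guard at the top of the file.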
8 changes: 3 additions & 5 deletions meta/main.yml
@@ -1,20 +1,18 @@
---
galaxy_info:
author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen"
author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell"
description: "Apply the DISA RHEL 8 STIG"
company: "MindPoint Group"
license: MIT
min_ansible_version: 2.8.0

role_name: rhel8_stig
min_ansible_version: 2.9.0
platforms:
- name: EL
versions:
- 8

galaxy_tags:
- system
- security
- stig
- hardening

dependencies: []
2 changes: 1 addition & 1 deletion site.yml
Expand Up @@ -8,4 +8,4 @@
- role: "{{ playbook_dir }}"
rhel8cis_system_is_container: "{{ is_container | default(false) }}"
rhel8cis_skip_for_travis: false
rhel8cis_oscap_scan: yes
rhel8cis_oscap_scan: yes
2 changes: 2 additions & 0 deletions tasks/audit_oscap_scan_after.yml
Expand Up @@ -11,6 +11,8 @@
ignore_errors: true
changed_when: false
failed_when: false
tags:
- skip_ansible_lint

- name: Get the second scan result from the XML
slurp:
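Review bot: The `skip_ansible_lint` tag added here silences every lint rule for the scan task, not just the one that fired, and it sits on a task that already carries `ignore_errors: true` and `failed_when: false`, so a failed OpenSCAP run now produces neither a lint warning nor a play failure. If the aim is only to quiet the command/shell rule, a `# noqa 305` comment on the offending line keeps the other checks active; the task's `- name:` line and module call are above the hunk so I cannot see which rule triggered. The identical change appears in tasks/audit_oscap_scan_before.yml and the same comment applies there. Because `failed_when: false` makes "scan did not run" a reachable state, the following `slurp` of the result XML should tolerate the file being absent rather than failing the play at that later point.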
2 changes: 2 additions & 0 deletions tasks/audit_oscap_scan_before.yml
Expand Up @@ -39,6 +39,8 @@
ignore_errors: true
changed_when: false
failed_when: false
tags:
- skip_ansible_lint

- name: Get the scan result from the XML
slurp:
26 changes: 17 additions & 9 deletions tasks/fix-cat1.yml
Expand Up @@ -129,12 +129,14 @@
"HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance."
"HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes."
block:
# the createuser.cfg task is a workaround for the the ansible bug https://github.com/ansible/ansible/pull/59823
# the createuser.cfg task is a workaround for the the ansible bug https://github.com/ansible/ansible/pull/59823
- name: |
"HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Create user.cfg"
"HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Create user.cfg"
shell: test -f {{ file_q }} && echo exists || {{ create_cmd }}
check_mode: ansible_check_mode is not defined
args:
warn: no
check_mode: "{{ ansible_check_mode is not defined }}"
register: rhel8stig_create_grub_user_cfg
changed_when:
- rhel8stig_create_grub_user_cfg.stdout == "created"
Expand All @@ -153,6 +155,9 @@
create: yes
regexp: ^GRUB2_PASSWORD=
line: GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}
owner: root
group: root
mode: 0640
notify: confirm grub2 user cfg
- name: |
Expand Down Expand Up @@ -258,7 +263,7 @@
- name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok"
replace:
path: "{{ item }}"
regexp: 'nullok '
regexp: ' nullok'
replace: ''
with_items:
- /etc/pam.d/system-auth
Expand All @@ -267,7 +272,7 @@
- name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Set PermitEmptyPasswords to no"
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^.*PermitEmptyPasswords'
regexp: '(?i)^#?PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
notify: restart sshd
when:
Expand Down Expand Up @@ -342,17 +347,20 @@
line: "{{ item.line }}"
insertafter: "{{ item.insertafter }}"
create: yes
owner: root
group: root
mode: 0644
with_items:
- { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' }
- { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' }
when: rhel_08_040171_logout_settings_status.stdout == ""
when: rhel_08_040171_logout_settings_status.stdout | length == 0

- name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists"
replace:
path: "{{ rhel_08_040171_logout_settings_status.stdout }}"
regexp: '^[L|l]ogout=.*'
replace: "logout=''"
when: rhel_08_040171_logout_settings_status.stdout != ""
when: rhel_08_040171_logout_settings_status.stdout | length > 0
when:
- rhel_08_040171
tags:
Expand Down Expand Up @@ -387,19 +395,19 @@
changed_when: false
failed_when: false
register: rhel_08_040200_nonroot_uid

- name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0"
command: "passwd -l {{ item }}"
with_items:
- "{{ rhel_08_040200_nonroot_uid.stdout_lines }}"
when: rhel_08_040200_nonroot_uid.stdout != ""
when: rhel_08_040200_nonroot_uid.stdout | length > 0

- name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked"
debug:
msg:
- "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user"
- " {{ rhel_08_040200_nonroot_uid.stdout_lines }}"
when: rhel_08_040200_nonroot_uid.stdout != ""
when: rhel_08_040200_nonroot_uid.stdout | length > 0
when:
- rhel_08_040200
- rhel8stig_disruption_high
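Review bot: `check_mode: "{{ ansible_check_mode is not defined }}"` on the Create user.cfg task is always false, because `ansible_check_mode` is a magic variable that Ansible always defines; the effect is that the `{{ create_cmd }}` shell runs for real even under `--check`, which may be the intent for this workaround but is not what the expression says, and the enclosing RHEL-08-010140/010150 block starts above the hunk. Write it as `check_mode: false` with a comment such as `# intentionally runs in check mode: user.cfg must exist for the lineinfile below to be checked`, or use `"{{ ansible_check_mode }}"` directly if the task should honour check mode. `args: warn: no` is accepted on the 2.9 minimum this commit sets, but the `warn` argument was removed from command/shell in later ansible-core releases, so it will eventually turn into an error rather than a silenced warning. Separately, `passwd -l` on the non-root UID-0 accounts only locks the password hash; an account with an authorized SSH key can still log in, so `usermod -L --expiredate 1` (lock and expire) is the stronger control for RHEL-08-040200.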
