diff --git a/LICENSE b/LICENSE
index 4adeb7b..7e51eb7 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
-# MIT License
+MIT License
 
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/galaxy.yml b/galaxy.yml
index fbe31a8..d8f8900 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -33,7 +33,6 @@ license:
 # requirements as 'namespace' and 'name'
 tags:
 - ansible-lockdown
-- mindpointgroup
 - stig
 - disa
 - devsecops
@@ -41,6 +40,8 @@ tags:
 - rhel7-stig
 - rhel8
 - rhel8-stig
+- rhel9
+- rhel9-stig
 - ubuntu18
 - ubuntu18-stig
 - ubuntu20
diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml
index 2db8718..2b96bf3 100644
--- a/tasks/Cat2/RHEL-09-21xxxx.yml
+++ b/tasks/Cat2/RHEL-09-21xxxx.yml
@@ -47,7 +47,7 @@
 content: "{{ rhel9stig_logon_banner }}"
 dest: "{{ item }}"
 group: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 owner: root
 notify: Sshd_restart
 loop:
@@ -158,7 +158,7 @@
 owner: root
 src: "{{ item.file }}.j2"
 loop:
- - { file: 'boot/grub2/user.cfg', mode: '0644' }
+ - { file: 'boot/grub2/user.cfg', mode: 'u-x,go-wx' }
 
 - name: "MEDIUM | RHEL-09-212010 | AUDIT | RHEL 9 must require a boot loader superuser password.| warning"
 when: not rhel9stig_set_bootloader_password
diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml
index e67df39..4da54f5 100644
--- a/tasks/Cat2/RHEL-09-23xxxx.yml
+++ b/tasks/Cat2/RHEL-09-23xxxx.yml
@@ -871,7 +871,7 @@
 - name: "MEDIUM | RHEL-09-232010 | PATCH | RHEL 9 system commands must have mode 755 or less permissive."
 when: rhel9stig_system_command_permissions.stdout | length > 0
 ansible.builtin.file:
- mode: '0755'
+ mode: 'u+x,go-w'
 path: "{{ item }}"
 loop:
 - "{{ rhel9stig_system_command_permissions.stdout_lines }}"
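Review bot: `mode: 'u-x,go-wx'` on the `content:` template in the @@ -47 hunk (and on the `boot/grub2/user.cfg` item in @@ -158) is a relative mode, so when the destination does not exist yet the result depends on the starting bits Ansible gives the new file — in the copy/template path that is, as far as I recall, 0666 masked by the managed node's umask, from which the symbolic expression only subtracts. With a 022 umask that still yields 0644, but a 027 or 077 umask leaves 0640/0600, and where the old value was the absolute `'0755'` the new `'u+x,go-w'` can produce at most 0744; the same applies to every create-or-template task in this commit (chrony.conf and resolv.conf in RHEL-09-25xxxx, tmux.sh, tmux.conf and tmout.sh in RHEL-09-4xxxxx, the dconf lineinfile/ini_file tasks in RHEL-09-27xxxx, the sssd ini_file in RHEL-09-61xxxx, and the `state: touch` in prelim.yml). resolv.conf and the /etc/profile.d scripts must stay readable by unprivileged users, so a restrictive umask on the management session would silently break name resolution or skip the tmux/TMOUT enforcement for ordinary logins. If "ceiling, not exact mode" is the intent, say so once where the convention starts, e.g. `# symbolic modes only remove bits; an existing stricter mode, or a restrictive umask on newly created files, is kept`, and keep absolute modes on the tasks that create files which must be world-readable.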
@@ -898,7 +898,7 @@
 - name: "MEDIUM | RHEL-09-232015 | PATCH | RHEL 9 library directories must have mode 755 or less permissive."
 when: rhel9stig_library_directory_perms.stdout | length > 0
 ansible.builtin.file:
- mode: '0755'
+ mode: 'u+x,go-w'
 path: "{{ item }}"
 loop:
 - "{{ rhel9stig_library_directory_perms.stdout_lines }}"
@@ -925,7 +925,7 @@
 - name: "MEDIUM | RHEL-09-232020 | PATCH | RHEL 9 library files must have mode 755 or less permissive."
 when: rhel9stig_library_directory_perms.stdout | length > 0
 ansible.builtin.file:
- mode: '0755'
+ mode: 'u+x,go-w'
 path: "{{ item }}"
 loop: "{{ rhel9stig_library_directory_perms.stdout_lines }}"
 
@@ -942,7 +942,7 @@
 - V-257885
 - NIST800-53R4_SI-11
 ansible.builtin.file:
- mode: u=rwx,g-w,o-w
+ mode: 'u+x,go-w'
 modification_time: preserve
 path: /var/log
 state: directory
@@ -960,7 +960,7 @@
 - V-257886
 - NIST800-53R4_SI-11
 ansible.builtin.file:
- mode: u=rw,g-wx,o-rwx
+ mode: 'u-x,g-wx,o-rwx'
 modification_time: preserve
 path: /var/log/messages
 state: file
@@ -977,7 +977,7 @@
 - V-257887
 - NIST800-53R4_AU-9
 ansible.builtin.file:
- mode: u=rwx,g-w,o-w
+ mode: 'u+x,go-w'
 modification_time: preserve
 owner: root
 path: "{{ item }}"
@@ -1002,7 +1002,7 @@
 - V-257888
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rwx,go-rwx
+ mode: 'u+x,go-rwx'
 modification_time: preserve
 owner: root
 path: "/etc/{{ item }}"
@@ -1039,7 +1039,7 @@
 - name: "MEDIUM | RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | update permissions"
 ansible.builtin.file:
 path: "{{ item.path }}"
- mode: g-wx,o-rwx
+ mode: 'g-wx,o-rwx'
 follow: false
 loop: "{{ user_dot_files.files }}"
 loop_control:
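Review bot: In the RHEL-09-232020 hunk (library files) both the `when:` and the `loop:` read `rhel9stig_library_directory_perms`, the register the preceding RHEL-09-232015 task (library directories) already loops over, so whether the new `mode: 'u+x,go-w'` ever reaches a library file depends on what that register holds: if the audit step lists only directories the file task is a no-op, and if it lists both the directory task has already applied the identical mode. The registering task is outside these hunks, so this is inferred from the names. If a separate files register exists, point the `when:` and `loop:` of RHEL-09-232020 at it; if sharing is intended, a one-line `# NOTE: shares the directory register; files and directories receive the same mode` above the task would stop the next reader from chasing it.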
@@ -1067,11 +1067,10 @@
 - name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | amend if needed"
 when:
 - item.stat.path is defined
- - item.stat.mode > '0750'
 ansible.builtin.file:
 path: "{{ item.stat.path }}"
 state: directory
- mode: u=rwx,g-w,o-rwx
+ mode: 'u+x,g-w,o-rwx'
 loop: "{{ rhel9stig_home_dir_perms.results }}"
 loop_control:
 label: "{{ item }}"
@@ -1117,7 +1116,7 @@
 - V-257891
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rw,go-wx
+ mode: 'u-x,go-wx'
 path: /etc/group
 
 - name: "MEDIUM | RHEL-09-232060 | PATCH | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access."
@@ -1132,7 +1131,7 @@
 - V-257892
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rw,go-wx
+ mode: 'u-x,go-wx'
 path: /etc/group-
 
 - name: "MEDIUM | RHEL-09-232065 | PATCH | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access."
@@ -1147,7 +1146,7 @@
 - V-257893
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: '0000'
+ mode: 'ugo-rwx'
 path: /etc/gshadow
 
 - name: "MEDIUM | RHEL-09-232070 | PATCH | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access."
@@ -1162,7 +1161,7 @@
 - V-257894
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: '0000'
+ mode: 'ugo-rwx'
 path: /etc/gshadow-
 
 - name: "MEDIUM | RHEL-09-232075 | PATCH | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access."
@@ -1177,7 +1176,7 @@
 - V-257895
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rw,go-wx
+ mode: 'u-x,go-wx'
 path: /etc/passwd
 
 - name: "MEDIUM | RHEL-09-232080 | PATCH | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access."
@@ -1192,7 +1191,7 @@
 - V-257896
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: u=rw,go-wx
+ mode: 'u-x,go-wx'
 path: /etc/passwd-
 
 - name: "MEDIUM | RHEL-09-232085 | PATCH | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access."
@@ -1207,7 +1206,7 @@
 - V-257897
 - NIST800-53R4_CM-6
 ansible.builtin.file:
- mode: '0000'
+ mode: 'ugo-rwx'
 path: /etc/shadow-
 
 - name: "MEDIUM | RHEL-09-232090 | PATCH | RHEL 9 /etc/group file must be owned by root."
@@ -1996,7 +1995,7 @@
 - NIST800-53R4_CM-6
 ansible.builtin.file:
 path: /etc/crontab
- mode: '0600'
+ mode: 'u-x,go-rwx'
 
 - name: "MEDIUM | RHEL-09-232270 | PATCH | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access."
 when:
@@ -2011,4 +2010,4 @@
 - NIST800-53R4_CM-6
 ansible.builtin.file:
 path: /etc/shadow
- mode: '0000'
+ mode: 'ugo-rwx'
diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml
index df5d11d..f4cc416 100644
--- a/tasks/Cat2/RHEL-09-25xxxx.yml
+++ b/tasks/Cat2/RHEL-09-25xxxx.yml
@@ -297,7 +297,7 @@
 ansible.builtin.template:
 dest: /etc/chrony.conf
 src: etc/chrony.conf.j2
- mode: '0644'
+ mode: 'u-x,go-wx'
 
 # Required before 252035 to set DNS value in NetworkManager
 - name: "MEDIUM | RHEL-09-252040 | PATCH | RHEL 9 must configure a DNS processing mode set be Network Manager."
@@ -339,7 +339,7 @@
 rhel9stig_network_manager_dns.stdout == 'unmanaged'
 ansible.builtin.template:
 dest: /etc/resolv.conf
- mode: '0644'
+ mode: 'u-x,go-wx'
 src: etc/resolv.conf.j2
 
 - name: "MEDIUM | RHEL-09-252035 | PATCH | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured."
@@ -1242,7 +1242,7 @@
 - NIST800-53R4_CM-6
 - ssh
 ansible.builtin.file:
- mode: go-rwx
+ mode: 'u-x,go-rwx'
 path: "{{ rhel9stig_sshd_config_file }}"
 
 - name: "MEDIUM | RHEL-09-255120 | PATCH | RHEL 9 SSH private host key files must have mode 0640 or less permissive."
@@ -1264,9 +1264,8 @@
 register: rhel9stig_private_ssh_keys
 
 - name: "MEDIUM | RHEL-09-255120 | PATCH | RHEL 9 SSH private host key files must have mode 0640 or less permissive."
- when: item.mode > '0640'
 ansible.builtin.file:
- mode: u-x,g-wx,o-rwx
+ mode: 'u-x,g-wx,o-rwx'
 path: "{{ item.path }}"
 loop: "{{ rhel9stig_private_ssh_keys.files }}"
 
@@ -1289,9 +1288,8 @@
 register: rhel9stig_pub_ssh_keys
 
 - name: "MEDIUM | RHEL-09-255125 | PATCH | RHEL 9 SSH public host key files must have mode 0644 or less permissive."
- when: item.mode > '0644'
 ansible.builtin.file:
- mode: u-x,g-wx,o-wx
+ mode: 'u-x,go-wx'
 path: "{{ item.path }}"
 loop: "{{ rhel9stig_pub_ssh_keys.files }}"
 
diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml
index 5db9328..929e6a4 100644
--- a/tasks/Cat2/RHEL-09-27xxxx.yml
+++ b/tasks/Cat2/RHEL-09-27xxxx.yml
@@ -48,7 +48,7 @@
 path: "/etc/dconf/db/{{ item }}.d/locks/session"
 line: /org/gnome/login-screen/banner-message-enable
 create: true
- mode: '0644'
+ mode: 'u-x,go-wx'
 modification_time: preserve
 state: present
 loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
@@ -72,7 +72,7 @@
 notify: Update_dconf
 community.general.ini_file:
 create: true
- mode: '0644'
+ mode: 'u-x,go-wx'
 option: automount-open
 path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
 section: 'org/gnome/desktop/media-handling'
diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml
index 1f27ec8..17950f5 100644
--- a/tasks/Cat2/RHEL-09-4xxxxx.yml
+++ b/tasks/Cat2/RHEL-09-4xxxxx.yml
@@ -583,7 +583,7 @@
 - name: "MEDIUM | RHEL-09-411115 | AUDIT | Local RHEL 9 initialization files must not execute world-writable programs."
 when: rhel9stig_user_exec_ww_files is defined
 ansible.builtin.file:
- mode: go-w
+ mode: 'go-wx'
 path: "{{ item }}"
 loop: "{{ rhel9stig_user_exec_ww_files.stdout_lines }}"
 
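Review bot: In the RHEL-09-411115 hunk the new `mode: 'go-wx'` strips group and other execute from every path in `rhel9stig_user_exec_ww_files`, but the control is about those programs being world-writable, which the previous `go-w` already removed; taking execute away as well changes the program for every other user of the host and goes beyond what the finding asks for. If the stricter mode is deliberate, name the reason in a comment above the task, e.g. `# go-x as well: a program that was world-writable is not trusted for any other user`; otherwise `mode: 'go-w'` is the narrower fix. The task is also labelled AUDIT in its name while it modifies files, which is worth aligning with the PATCH naming used elsewhere in the file.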
@@ -622,7 +622,7 @@
 dest: /etc/profile.d/tmux.sh
 group: root
 owner: root
- mode: '0755'
+ mode: 'u+x,go-w'
 src: etc/profile.d/tmux.sh.j2
 
 - name: "MEDIUM | RHEL-09-412020 | PATCH | RHEL 9 must have the tmux package installed."
@@ -641,7 +641,7 @@
 regexp: "{{ item }}"
 line: "{{ item }}"
 create: true
- mode: '0644'
+ mode: 'u-x,go-wx'
 state: present
 loop:
 - 'set -g lock-command vlock'
@@ -664,7 +664,7 @@
 dest: /etc/tmux.conf
 group: root
 owner: root
- mode: '0644'
+ mode: 'u-x,go-wx'
 src: etc/tmux.conf.j2
 
 - name: "MEDIUM | RHEL-09-412035 | PATCH | RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity."
@@ -685,7 +685,7 @@
 dest: /etc/profile.d/tmout.sh
 group: root
 owner: root
- mode: '0755'
+ mode: 'u+x,go-w'
 src: etc/profile.d/tmout.sh.j2
 
 - name: "MEDIUM | RHEL-09-412045 | PATCH | RHEL 9 must log username information when unsuccessful logon attempts occur."
diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml
index 95defdc..54cd3ea 100644
--- a/tasks/Cat2/RHEL-09-61xxxx.yml
+++ b/tasks/Cat2/RHEL-09-61xxxx.yml
@@ -890,7 +890,7 @@
 group: root
 option: certificate_verification
 owner: root
- mode: '0600'
+ mode: 'u-x,go-rwx'
 path: /etc/sssd/conf.d/certificate_verification.conf
 section: 'sssd'
 value: 'ocsp_dgst=sha512'
diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml
index f665a0d..d62ffa3 100644
--- a/tasks/Cat2/RHEL-09-65xxxx.yml
+++ b/tasks/Cat2/RHEL-09-65xxxx.yml
@@ -870,7 +870,7 @@
 - auditd
 ansible.builtin.file:
 path: "{{ discovered_auditd_logfile.stdout }}"
- mode: go-rwx
+ mode: 'go-rwx'
 
 - name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records."
 when:
@@ -941,12 +941,12 @@
 block:
 - name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
 ansible.builtin.file:
- mode: '0640'
+ mode: 'u-x,g-w,o-rwx'
 path: /etc/audit/auditd.conf
 
 - name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
 ansible.builtin.file:
- mode: '0640'
+ mode: 'u-x,g-w,o-rwx'
 path: "{{ item }}"
 with_fileglob:
 - "etc/audit/rules.d/*.rules"
@@ -965,7 +965,7 @@
 - auditd
 ansible.builtin.file:
 path: /etc/audit/auditd.conf
- mode: u-x,g-wx,o-rwx
+ mode: 'u-x,g-wx,o-rwx'
 
 - name: "MEDIUM | RHEL-09-653125 | PATCH | RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure."
 when:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 6c476ca..c274dcf 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -184,7 +184,7 @@
 path: "{{ rhel9stig_sshd_config_file }}"
 owner: root
 group: root
- mode: "0600"
+ mode: 'u-x,go-rwx'
 state: touch
 when:
 - rhel9stig_sshd_config_file != '/etc/ssh/sshd_config'
diff --git a/templates/etc/aide.conf.j2 b/templates/etc/aide.conf.j2
index 755cfca..7e3b6e8 100644
--- a/templates/etc/aide.conf.j2
+++ b/templates/etc/aide.conf.j2
@@ -1,4 +1,4 @@
-## Aide Configuration provide by Ansible-lockdown sponsored by MindPoint Group
+## Aide Configuration provide by Ansible-lockdown sponsored by Mindpoint Group - A Tyto Athene Company
 
 @@define DBDIR /var/lib/aide
 @@define LOGDIR /var/log/aide
diff --git a/templates/etc/audit/rules.d/audit.rules.j2 b/templates/etc/audit/rules.d/audit.rules.j2
index 32df06c..d7ded76 100644
--- a/templates/etc/audit/rules.d/audit.rules.j2
+++ b/templates/etc/audit/rules.d/audit.rules.j2
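Review bot: The second RHEL-09-653110 task in the @@ -941 hunk applies the new `mode: 'u-x,g-w,o-rwx'` to `path: "{{ item }}"` from `with_fileglob: - "etc/audit/rules.d/*.rules"`, and `with_fileglob` is a lookup that globs on the control node (relative to the role's files/ directory), not on the managed host — so the items are either controller paths that do not exist on the target, which makes the file task fail, or, if the role ships no such files, an empty list, in which case the rules files on the host are never restricted. The commit only touches the mode value here, so the defect is pre-existing, but the new mode makes the task look covered. Run a `find` on the managed node and loop over its results instead, as sketched below (the register name `rhel9stig_audit_rules_files` is new). Separately, the task in the @@ -965 hunk sets `/etc/audit/auditd.conf` to the stricter `'u-x,g-wx,o-rwx'` a few lines later, so the first task's `'u-x,g-w,o-rwx'` on the same path is redundant and the two could share one value.
```yaml
# … unchanged: first RHEL-09-653110 task on /etc/audit/auditd.conf …
- name: "MEDIUM | RHEL-09-653110 | AUDIT | Find audit rules files on the managed host"
  ansible.builtin.find:
    paths: /etc/audit/rules.d
    patterns: '*.rules'
  register: rhel9stig_audit_rules_files

- name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
  ansible.builtin.file:
    mode: 'u-x,g-w,o-rwx'
    path: "{{ item.path }}"
  loop: "{{ rhel9stig_audit_rules_files.files }}"
  loop_control:
    label: "{{ item.path }}"
```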
@@ -1,5 +1,5 @@
 ## Auditd Configured by ansible-lockdown RHEL9-STIG
-# Sponsored by MindPoint Group
+# Sponsored by Mindpoint Group - A Tyto Athene Company
 {% if rhel_09_654010 %}
 # RHEL9-STIG rule 654010
 -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2
index f916479..173d3dd 100644
--- a/templates/etc/chrony.conf.j2
+++ b/templates/etc/chrony.conf.j2
@@ -1,5 +1,5 @@
 # Managed and updated via Ansible
-# Part of https://github.com/ansible-lockdown by MindPointGroup
+# Part of https://github.com/ansible-lockdown by Mindpoint Group - A Tyto Athene Company
 # Use public servers from the pool.ntp.org project.
 # Please consider joining the pool (https://www.pool.ntp.org/join.html).
 {% for server in rhel9stig_time_synchronization_servers -%}
diff --git a/templates/etc/profile.d/tmout.sh.j2 b/templates/etc/profile.d/tmout.sh.j2
index 8f2a67b..db348bd 100644
--- a/templates/etc/profile.d/tmout.sh.j2
+++ b/templates/etc/profile.d/tmout.sh.j2
@@ -1,6 +1,6 @@
 # Timeout profile script created by DISA STIG for RHEL9
 ## Supplied by ansible-lockdown
-## Sponsored by MindPointGroup.com
+## Sponsored by Mindpoint Group - A Tyto Athene Company
 #!/bin/bash
 
 {% if rhel_09_412035 %}
diff --git a/templates/etc/profile.d/tmux.sh.j2 b/templates/etc/profile.d/tmux.sh.j2
index 7e9a2e8..6af2843 100644
--- a/templates/etc/profile.d/tmux.sh.j2
+++ b/templates/etc/profile.d/tmux.sh.j2
@@ -1,6 +1,6 @@
 # Tmux profile script created by DISA STIG for RHEL9
 ## Supplied by ansible-lockdown
-## Sponsored by MindPointGroup.com
+## Sponsored by Mindpoint Group - A Tyto Athene Company
 #!/bin/bash
 
 {% if rhel_09_412015 %}
diff --git a/templates/etc/resolv.conf.j2 b/templates/etc/resolv.conf.j2
index 2ed0377..fbf2da2 100644
--- a/templates/etc/resolv.conf.j2
+++ b/templates/etc/resolv.conf.j2
@@ -1,6 +1,6 @@
 # Configured as Part of Ansible-Locksdown
 # https://github.com/ansible-lockdown
-# Sponsored by MindPointGroup.com
+# Sponsored by Mindpoint Group - A Tyto Athene Company
 {% if rhel9stig_resolv_domains is defined %}
 # Domains
 {% for domains in rhel9stig_resolv_domains %}
diff --git a/templates/etc/tmux.conf.j2 b/templates/etc/tmux.conf.j2
index 009a7eb..9e7e8bd 100644
--- a/templates/etc/tmux.conf.j2
+++ b/templates/etc/tmux.conf.j2
@@ -1,6 +1,6 @@
 # Tmux configuration created by DISA STIG for RHEL9
 ## Supplied by ansible-lockdown
-## Sponsored by MindPointGroup.com
+## Sponsored by Mindpoint Group - A Tyto Athene Company
 {% if rhel_09_412020 %}
 # Initiate a session lock
 set -g lock-command vlock