diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
index 1a6e6e0..9887dca 100644
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@@ -109,20 +109,11 @@
 {
 "path": "detect_secrets.filters.regex.should_exclude_file",
 "pattern": [
- ".config/.gitleaks-report.json"
+ ".config/.gitleaks-report.json",
+ "tasks/parse_etc_passwd.yml"
 ]
 }
 ],
- "results": {
- "tasks/parse_etc_passwd.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/parse_etc_passwd.yml",
- "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
- "is_verified": false,
- "line_number": 19
- }
- ]
- },
- "generated_at": "2023-09-18T09:16:50Z"
+ "results": {},
+ "generated_at": "2023-09-20T12:31:28Z"
 }
diff --git a/.gitattributes b/.gitattributes
index 9a24540..b2daffb 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -3,4 +3,4 @@
 *.yml linguist-detectable=true
 *.ps1 linguist-detectable=true
 *.j2 linguist-detectable=true
-*.md linguist-documentation
\ No newline at end of file
+*.md linguist-documentation
diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars
index 24daeca..e773d1b 100644
--- a/.github/workflows/github_vars.tfvars
+++ b/.github/workflows/github_vars.tfvars
@@ -1,7 +1,7 @@
 // github_actions variables
 // Resourced in github_networks.tf
 // Declared in variables.tf
-//
+//

 namespace = "github_actions"
 environment = "lockdown_github_repo_workflow"
diff --git a/README.md b/README.md
index 617b92f..d458a29 100644
--- a/README.md
+++ b/README.md
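Review bot: Adding `tasks/parse_etc_passwd.yml` to the `should_exclude_file` pattern list silences detect-secrets for that entire file, so a real credential committed to it later would go unreported too; what was dropped from `results` was a single Secret Keyword hit at line 19. If that hit is a false positive, the narrower fix is an inline `# pragma: allowlist secret` on the flagged line, or running `detect-secrets audit` and keeping the baseline entry marked `is_secret: false`, so the file stays in scope for future scans. The `pattern` entries are also regular expressions, so the unescaped dots match any character; harmless today, but anchor them with `^` and `$` (escaping the dots) if the list keeps growing.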
@@ -14,20 +14,20 @@
 ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61237?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
+![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
+![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU20-STIG)
+![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/UBUNTU20-STIG)
-![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/ubuntu20-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status)
-![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/ubuntu20-stig/devel?color=dark%20green&label=Devel%20Branch%20Commits)
+[![Main Pipeline Status](https://github.com/ansible-lockdown/UBUNTU20-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/UBUNTU20-STIG/actions/workflows/main_pipeline_validation.yml)
-![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
-![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/ubuntu20-stig/linux_benchmark_testing.yml?label=Build%20Status)
-![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/ubuntu20-stig?label=Release%20Date)
-![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/ubuntu20-stig?label=Release%20Tag&&color=success)
+[![Devel Pipeline Status](https://github.com/ansible-lockdown/UBUNTU20-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/UBUNTU20-STIG/actions/workflows/devel_pipeline_validation.yml)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/UBUNTU20-STIG/devel?color=dark%20green&label=Devel%20Branch%20Commits)
-![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/ubuntu20-stig?label=Open%20Issues)
-![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/ubuntu20-stig?label=Closed%20Issues&&color=success)
-![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/ubuntu20-stig?label=Pull%20Requests)
+![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/UBUNTU20-STIG?label=Open%20Issues)
+![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/UBUNTU20-STIG?label=Closed%20Issues&&color=success)
+![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/UBUNTU20-STIG?label=Pull%20Requests)
-![License](https://img.shields.io/github/license/ansible-lockdown/ubuntu20-stig?label=License)
+![License](https://img.shields.io/github/license/ansible-lockdown/UBUNTU20-STIG?label=License)
 ---
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index ecbdd9b..8793837 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -78,7 +78,8 @@
 - "'password' in ubtu_20_010009_bootloader_hash_check.stdout"

 - name: "HIGH | UBTU-20-010009 | AUDIT | The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010009'
 when:
@@ -125,7 +126,8 @@
 when: not ubtu20_auto_remove_sudoers

 - name: "HIGH | UBTU-20-010012 | AUDIT | The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group. | Set Warn Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010012'
 when: not ubtu20_auto_remove_sudoers
@@ -244,7 +246,8 @@
 - "A subscription to the Ubuntu Pro plan is required to obtain the FIPS Kernel cryptographic modules and enable FIPS"

 - name: "HIGH | UBTU-20-010442 | AUDIT | The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010442'
 when:
@@ -319,7 +322,8 @@
 - not ubtu20stig_disruption_high

 - name: "HIGH | UBTU-20-010462 | PATCH | The Ubuntu operating system must not have accounts configured with blank or null passwords. | Set warning count"
- import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-18-010522'
 when:
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 9b1eb47..7cef326 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -35,7 +35,8 @@
 - ubtu20_temp_account not in ubtu20stig_passwd | map(attribute='id') | list

 - name: "MEDIUM | UBTU-20-010000 | AUDIT | The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010000'
 when:
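Review bot: In the `@@ -319` hunk the task is UBTU-20-010462, but the unchanged line just below the edit sets `warn_control_id: 'UBTU-18-010522'`, a control id from the Ubuntu 18 benchmark, so the warning this task records is attributed to the wrong STIG finding. The commit rewrites the `import_tasks` line directly above it, so this is the moment to correct it to `warn_control_id: 'UBTU-20-010462'`. The rest of the task, including its `when:` conditions, lies outside the hunk.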
@@ -150,7 +151,8 @@
 when: ubtu_20_010010_duplicate_uid_users.stdout | length > 0

 - name: "MEDIUM | UBTU-20-010010 | AUDIT | The Ubuntu operating system must uniquely identify interactive users. | Set warning count"
- import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010010'
 when: ubtu_20_010010_duplicate_uid_users.stdout | length > 0
@@ -727,7 +729,8 @@
 - ubtu20stig_aide_sha1_current_daily.stdout | length > 0

 - name: "MEDIUM | UBTU-20-010074 | AUDIT | The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. | Warn Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010074'
 when:
@@ -771,7 +774,8 @@
 - ubtu20stig_aide_sha1_current_monthly.stdout | length > 0

 - name: "MEDIUM | UBTU-20-010074 | AUDIT | The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. | Warn Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010074'
 when:
@@ -813,7 +817,8 @@
 - ubtu20stig_aide_sha1_current_daily.stdout | length > 0

 - name: "MEDIUM | UBTU-20-010074 | AUDIT | The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. | Warn Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010074'
 when:
@@ -2020,7 +2025,8 @@
 msg: "Warning!! Please make sure your UFW allow/deny settings conform to PPSM CAL vulnerability assessments"

 - name: The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010407'
 when:
@@ -2165,7 +2171,8 @@
 when: ubtu_20_010414_crypttab_status.stdout | length == 0

 - name: "MEDIUM | UBTU-20-010414 | AUDIT | Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010414'
 when: ubtu_20_010414_crypttab_status.stdout | length == 0
@@ -2178,7 +2185,8 @@
 when: ubtu_20_010414_crypttab_status.stdout | length > 0

 - name: "MEDIUM | UBTU-20-010414 | AUDIT | Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010414'
 when: ubtu_20_010414_crypttab_status.stdout | length > 0
@@ -2666,7 +2674,8 @@
 - "All configurations will be based on the actual system setup and organization and normally are on a per role basis."

 - name: "MEDIUM | UBTU-20-010439 | PATCH | The Ubuntu operating system must be configured to use AppArmor. | Warn Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010439'
 when:
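Review bot: The `- name:` context line at the top of the `@@ -2020` hunk is missing its opening quote and the `MEDIUM | UBTU-20-010407 | AUDIT |` prefix that every other warning task in this diff carries, so it presumably parses as a plain scalar ending in a stray `"` and the control id is visible only in `warn_control_id`. Since the commit touches the `import_tasks` line directly under it, it is worth fixing at the same time: `- name: "MEDIUM | UBTU-20-010407 | AUDIT | The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | Set warning count"`. The task's `when:` conditions continue past the end of the hunk.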
@@ -2693,7 +2702,8 @@
 - 'For example: "chage -d 0 [UserName]" or "passwd -e [UserName]"'

 - name: "MEDIUM | UBTU-20-010440 | AUDIT | The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010440'
 when:
@@ -2717,7 +2727,8 @@
 - "Please use at least one DoD certificate authority to the '/usr/local/share/ca-certificates' directory in the PEM format."

 - name: "MEDIUM | UBTU-20-010443 | AUDIT | The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010443'
 when:
@@ -2754,7 +2765,8 @@
 - name: |
 "MEDIUM | UBTU-20-010444 | AUDIT | Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. | Set warning count"
 "MEDIUM | UBTU-20-010445 | AUDIT | Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010444 | UBTU-20-010445'
 when: ubtu_20_010444_crypttab_status.stdout | length == 0
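Review bot: The `- name: |` block scalar in the `@@ -2754` hunk turns the task name into a two-line literal that keeps the embedded double quotes and a trailing newline, which presumably renders as a multi-line task header in play output and `--list-tasks`, unlike every other task in this diff that uses a single quoted string; the `@@ -2771` hunk repeats the pattern. A single-line name such as `- name: "MEDIUM | UBTU-20-010444 | UBTU-20-010445 | AUDIT | Ubuntu operating system must implement cryptographic mechanisms to protect all information at rest. | Set warning count"` keeps both ids visible and matches the `warn_control_id: 'UBTU-20-010444 | UBTU-20-010445'` convention already used just below.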
@@ -2771,7 +2783,8 @@
 - name: |
 "MEDIUM | UBTU-20-010444 | AUDIT | Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. | Set warning count"
 "MEDIUM | UBTU-20-010445 | AUDIT | Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010444 | UBTU-20-010445'
 when: ubtu_20_010444_crypttab_status.stdout | length > 0
@@ -2844,7 +2857,8 @@
 - "'nx' not in ubtu_20_010447_cpuinfo_settings.stdout or '[ 0.000000] NX (Execute Disable) protection: active' not in ubtu_20_010447_nx_dmesg.stdout"

 - name: "MEDIUM | UBTU-20-010447 | AUDIT | The Ubuntu operating system must implement nonexecutable data to protect its memory from unauthorized code execution. | Warning Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010447'
 when:
@@ -2959,7 +2973,8 @@
 - "a manual check and verify it conforms to site policies."

 - name: "MEDIUM | UBTU-20-010450 | AUDIT | The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions. | Warning Out."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010450'
 when:
diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml
index 28b5238..ba56f6c 100644
--- a/tasks/fix-cat3.yml
+++ b/tasks/fix-cat3.yml
@@ -307,7 +307,8 @@
 - "Disk Space: {{ ubtu_20_010215_audit_log_partition.stdout }}"

 - name: "LOW | UBTU-20-010215 | AUDIT | The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | Set warning count"
- import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010215'
 when:
@@ -390,7 +391,8 @@
 - ubtu20stig_auditd_action_mail_acct != "root"

 - name: "LOW | UBTU-20-010217 | PATCH | The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010217'
 when:
@@ -448,7 +450,8 @@
 - "{{ ubtu_20_010300_cron_weekly.stdout_lines }}"

 - name: "LOW | UBTU-20-010300 | AUDIT | The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems. | Warn Count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010300'
 when:
@@ -519,7 +522,8 @@
 - ubtu20_emergency_account not in ubtu20stig_passwd | map(attribute='id') | list

 - name: "MEDIUM | UBTU-20-010410 | AUDIT | The Ubuntu operating system must automatically remove or disable emergency accounts after 72 hours. | Set warning count"
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010410'
 when:
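Review bot: The task in the `@@ -519` hunk is labelled `MEDIUM | UBTU-20-010410` but sits in tasks/fix-cat3.yml, which tasks/main.yml imports only when `ubtu20stig_cat3_patch` is true and tags `cat3`; the UBTU-20-010415 task in the next hunk carries the same label. Either the severity in the name or the file placement is wrong: if the control is CAT II in the STIG it should move to fix-cat2.yml so the `ubtu20stig_cat2_patch` gate and `cat2`/`medium` tags apply, otherwise the name should read `LOW | UBTU-20-010410`. The benchmark category cannot be confirmed from the diff, so this is worth checking before merging, since the placement decides which switch enables this warning.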
@@ -569,7 +573,8 @@
 - ubtu_20_mcafeetp_daemon_status.stdout | length == 0

 - name: "MEDIUM | UBTU-20-010415 | AUDIT | The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP). | Set warning count."
- ansible.builtin.import_tasks: warning_facts.yml
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
 vars:
 warn_control_id: 'UBTU-20-010415'
 when:
diff --git a/tasks/main.yml b/tasks/main.yml
index a8da99d..c089d00 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,7 +15,8 @@
 - always

 - name: Include prelim tasks
- ansible.builtin.import_tasks: prelim.yml
+ ansible.builtin.import_tasks:
+ file: prelim.yml
 tags:
 - prelim_tasks

@@ -26,21 +27,24 @@
 - always

 - name: Include CAT I patches
- ansible.builtin.import_tasks: fix-cat1.yml
+ ansible.builtin.import_tasks:
+ file: fix-cat1.yml
 when: ubtu20stig_cat1_patch
 tags:
 - cat1
 - high

 - name: Include CAT II patches
- ansible.builtin.import_tasks: fix-cat2.yml
+ ansible.builtin.import_tasks:
+ file: fix-cat2.yml
 when: ubtu20stig_cat2_patch
 tags:
 - cat2
 - medium

 - name: Include CAT III patches
- ansible.builtin.import_tasks: fix-cat3.yml
+ ansible.builtin.import_tasks:
+ file: fix-cat3.yml
 when: ubtu20stig_cat3_patch
 tags:
 - cat3
diff --git a/templates/audit/99_stig_auditd.rules.j2 b/templates/audit/99_stig_auditd.rules.j2
index ca48e4b..f4f0244 100644
--- a/templates/audit/99_stig_auditd.rules.j2
+++ b/templates/audit/99_stig_auditd.rules.j2
@@ -113,13 +113,13 @@
 -a always,exit -F arch=b64 -S finit_module -F auid>={{ ubtu20stig_int_gid }} -F auid!=4294967295 -k module_chng
 {% endif %}
 {% if ubtu_20_010181 %}
--a always,exit -F arch=b32 -S delete_module -F auid>={{ ubtu20stig_int_gid }} -F auid!=4294967295 -k module_chng
+-a always,exit -F arch=b32 -S delete_module -F auid>={{ ubtu20stig_int_gid }} -F auid!=4294967295 -k module_chng
 -a always,exit -F arch=b64 -S delete_module -F auid>={{ ubtu20stig_int_gid }} -F auid!=4294967295 -k module_chng
 {% endif %}
 {% if ubtu_20_010211 %}
--a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
--a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
--a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
 -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
 {% endif %}
 {% if ubtu_20_010244 %}
@@ -146,4 +146,4 @@
 {% endif %}
 {% if ubtu_20_010298 %}
 -w /bin/fdisk -p x -k fdisk
-{% endif %}
+{% endif %}
diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2
index 69ed0dd..f576c99 100644
--- a/templates/pam_pkcs11.conf.j2
+++ b/templates/pam_pkcs11.conf.j2
@@ -9,7 +9,7 @@ pam_pkcs11 {
 nullok = true;
 # Enable debugging support.
- debug = true;
+ debug = true;
 # Do not prompt the user for the passwords but take them from the
 # PAM_ items instead.
@@ -62,7 +62,7 @@ pam_pkcs11 {
 # constant slot numbering.
 #
 # slot_description = "xxxx"
- # The slot is specified by the slot description, for example,
+ # The slot is specified by the slot description, for example,
 # slot_description = "Sun Crypto Softtoken". The default value is
 # "none" which means to use the first slot with an available token.
 #
@@ -76,29 +76,29 @@ pam_pkcs11 { # Where are CA certificates stored? # You can setup this value to: # 1- A directory with openssl hash-links to all certificates - # 2- A CA file in PEM (.pem) or ASN1 (.cer) format, + # 2- A CA file in PEM (.pem) or ASN1 (.cer) format, # containing all allowed CA certs # The default value is /etc/pam_pkcs11/cacerts. ca_dir = /etc/pam_pkcs11/cacerts; - + # Path to the directory where the local (offline) CRLs are stored. # Same convention as above is applied: you can choose either # hash-link directory or CRL file # The default value is /etc/pam_pkcs11/crls. crl_dir = /etc/pam_pkcs11/crls; - - # Some pcks#11 libraries can handle multithreading. So - # set it to true to properly call C_Initialize() + + # Some pcks#11 libraries can handle multithreading. So + # set it to true to properly call C_Initialize() support_threads = false; - # Sets the Certificate verification policy. + # Sets the Certificate verification policy. # "none" Performs no verification # "ca" Does CA check # "crl_online" Downloads the CRL form the location given by the # CRL distribution point extension of the certificate # "crl_offline" Uses the locally stored CRLs - # "crl_auto" Is a combination of online and offline; it first - # tries to download the CRL from a possibly given CRL + # "crl_auto" Is a combination of online and offline; it first + # tries to download the CRL from a possibly given CRL # distribution point and if this fails, uses the local # CRLs # "signature" Does also a signature check to ensure that private @@ -167,10 +167,10 @@ pam_pkcs11 { # When no absolute path or module info is provided, use this # value as module search path # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH + # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = @libdir@/pam_pkcs11; - # + # # Generic certificate contents mapper mapper generic { debug = true; 
@@ -289,7 +289,7 @@ pam_pkcs11 { module = internal; # module = @libdir@/pam_pkcs11/mail_mapper.so; # Declare mapfile or - # leave empty "" or "none" to use no map + # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; @@ -341,4 +341,4 @@ pam_pkcs11 { # mapfile = "none"; } -} \ No newline at end of file +} diff --git a/tests/inventory b/tests/inventory index 878877b..2fbb50c 100644 --- a/tests/inventory +++ b/tests/inventory @@ -1,2 +1 @@ localhost - diff --git a/tests/test.yml b/tests/test.yml index 781cfcc..9a2a70d 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -5,4 +5,3 @@ remote_user: root roles: - . -