diff --git a/.ansible-lint b/.ansible-lint index 057c65e0..b717f678 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' - 'key-order[task]' - '204' - '305' diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 41368ff4..2ad77429 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 
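Review bot: Dropping the `detect_secrets.filters.common.is_baseline_file` filter means the baseline's own `hashed_secret` entries are no longer automatically skipped, so the next non-empty scan may report `.config/.secrets.baseline` itself as a finding unless the hook always runs with `--baseline` (which re-adds this filter) or the path is added to the `should_exclude_file` pattern list. This looks like a regeneration artifact of a newer detect-secrets rather than a deliberate change; if so, a one-line mention in the commit message would save the next reader the question.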
@@ -113,78 +109,12 @@ { "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ - ".config/.gitleaks-report.json" + ".config/.gitleaks-report.json", + "tasks/parse_etc_passwd.yml", + "templates/pam_pkcs11.conf.j2" ] } ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 600, - "is_secret": false - } - ], - "tasks/fix-cat2.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/fix-cat2.yml", - "hashed_secret": "8458c0f07cce6d8c92d030b23562f791e57e30d6", - "is_verified": false, - "line_number": 4277, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "8eab8633ccf31cc656649638e6d6b45bd7235ffe", - "is_verified": false, - "line_number": 66, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 101, - "is_secret": false - } - ], - "tasks/parse_etc_passwd.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_passwd.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ], - "tasks/prelim.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/prelim.yml", - "hashed_secret": "43c1e0cadc7daa65d95fbf97f335a9896c8e58c6", - "is_verified": false, - "line_number": 124, - "is_secret": false - } - ], - "templates/pam_pkcs11.conf.j2": [ - { - "type": "Secret Keyword", - "filename": "templates/pam_pkcs11.conf.j2", - "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "is_verified": false, - "line_number": 173, - "is_secret": false - } - ] - }, - "generated_at": "2023-09-15T08:39:31Z" + "results": {}, + "generated_at": "2023-09-25T15:48:01Z" } 
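Review bot: Excluding `tasks/parse_etc_passwd.yml` and `templates/pam_pkcs11.conf.j2` wholesale via `should_exclude_file` turns off secret scanning for those files permanently, not just for the two current false positives; any real credential later pasted into them will pass pre-commit unnoticed. The diff already uses the narrower mechanism elsewhere (`# pragma: allowlist secret` on `defaults/main.yml` and `tasks/fix-cat2.yml`), so the same inline allowlist on the two offending lines would keep coverage. Note also that the dropped `tasks/parse_etc_passwd.yml` entry was the only one never triaged (`is_secret` was unset), so this exclusion removes it without anyone having reviewed it.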
diff --git a/.gitattributes b/.gitattributes index 9a24540b..b2daffb9 100644 --- a/.gitattributes +++ b/.gitattributes @@ -3,4 +3,4 @@ *.yml linguist-detectable=true *.ps1 linguist-detectable=true *.j2 linguist-detectable=true -*.md linguist-documentation \ No newline at end of file +*.md linguist-documentation diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc0..9fbe7aa8 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
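Review bot: The checkout still uses `ref: ${{ github.event.pull_request.head.sha }}` and the job then goes on to run Terraform and a playbook; if this workflow is triggered by `pull_request_target` (the first-PR greeting suggests it runs on contributor PRs; the trigger is outside the hunk), that is the classic pattern that lets a fork's code run with repository secrets and cloud credentials. Confirm the trigger is plain `pull_request`, or that the job requires an environment approval before secrets are exposed. Separately, `actions/checkout@v4` is a floating tag; for a pipeline holding infrastructure credentials, pinning to a full commit SHA (`uses: actions/checkout@<sha> # v4`) is the usual hardening.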
@@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..67ee9d90 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC 
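Review bot: `run: sleep ${{ vars.BUILD_SLEEPTIME }}` expands a repository variable directly into the shell script, so an unset or odd value becomes a shell-level failure or command injection on the runner (`vars.*` are maintainer-controlled, so the exposure is lower than PR input, but it is the pattern GitHub's own hardening guidance says to avoid). Pass it through the environment instead: `env: BUILD_SLEEPTIME: ${{ vars.BUILD_SLEEPTIME }}` and `run: sleep "${BUILD_SLEEPTIME:-60}"`, which also keeps the 60-second default the step name still advertises. In the same hunk, `arillso/action.playbook@master` remains on a mutable branch while the checkout actions were just bumped; pin it to a commit SHA as well.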
@@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..f9352800 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: 
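Review bot: Same concern as the devel pipeline: `sleep ${{ vars.BUILD_SLEEPTIME }}` injects the variable into the `run` script unquoted and without a fallback, and `arillso/action.playbook@master` is still an unpinned mutable ref in the job that provisions and configures cloud hosts. Route the value through `env:` and quote it (`sleep "${BUILD_SLEEPTIME:-60}"`), and pin the action to a commit SHA. The step name `Sleep for 60 seconds` is now misleading and should read something like `Sleep for BUILD_SLEEPTIME seconds`.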
@@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..873f2757 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -62,6 +62,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint diff --git a/.yamllint b/.yamllint index ec469292..65faae6c 100644 --- a/.yamllint +++ b/.yamllint @@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/Changelog.md b/Changelog.md index 73a22b0f..9dd2c8df 100644 --- a/Changelog.md +++ b/Changelog.md 
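Review bot: `ansible-actions/ansible-galaxy-action@main` receives `secrets.GALAXY_API_KEY`, so anyone who can push to that repository's `main` branch can exfiltrate the token that publishes this role; the previous `@master` had the same weakness, so the swap does not fix it. Pin to a full commit SHA with the tag in a trailing comment, e.g. `uses: ansible-actions/ansible-galaxy-action@<sha> # v1.x`, and let Dependabot move it. Also note the dropped `git_branch: main` input: confirm the new action publishes from the tag being pushed (the step name references `github.ref_name`) rather than the default branch.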
@@ -1,8 +1,23 @@ # Changes to RHEL8STIG -## Stig V1R11 - 26th July 2023 +## 3.0.3 - Stig V1R11 - 26th July 2023 +q +- updates to collections since galaxy updated +- updates to audit -### 3.0.1 +- #229 thanks to @JacobBuskirk + +## 3.0.2 - Stig V1R11 - 26th July 2023 + +- workflow and pipeline updates +- links updates in documentation +- #222 thanks to @BJSmithIEEE +- #226 thanks to @jmalpede +- lint config updates +- lint updates +- precommit added and configured + +### 3.0.1 - Stig V1R11 - 26th July 2023 Issues: diff --git a/README.md b/README.md index 7593de99..8d27ce4a 100644 --- a/README.md +++ b/README.md 
@@ -12,22 +12,23 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20Commits) - ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel8-stig?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel8-stig?label=Release%20Tag&&color=success) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-STIG) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL8-STIG) + +[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/main_pipeline_validation.yml) + +[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/devel_pipeline_validation.yml) +![Devel 
Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL8-STIG/devel?color=dark%20green&label=Devel%20Branch%20Commits) -![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/rhel8-stig?label=Open%20Issues) -![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/rhel8-stig?label=Closed%20Issues&&color=success) -![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/rhel8-stig?label=Pull%20Requests) +![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL8-STIG?label=Open%20Issues) +![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL8-STIG?label=Closed%20Issues&&color=success) +![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL8-STIG?label=Pull%20Requests) + +![License](https://img.shields.io/github/license/ansible-lockdown/RHEL8-STIG?label=License) -![License](https://img.shields.io/github/license/ansible-lockdown/rhel8-stig?label=License) --- @@ -189,3 +190,9 @@ This repo originated from work done by [Sam Doran](https://github.com/samdoran/a ```sh pre-commit run ``` + +## Credits and Thanks + +Massive thanks to the fantastic community and all its members. +This includes a huge thanks and credit to the original authors and maintainers. +Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell diff --git a/ansible.cfg b/ansible.cfg index dbe143da..8b4596ec 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -18,6 +18,7 @@ record_host_keys=False [ssh_connection] transfer_method=scp +ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no [accelerate] diff --git a/collections/requirements.yml b/collections/requirements.yml index 23596ec0..8ebc6180 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml 
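Review bot: `ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` disables SSH host-key verification for every host this role is run against from a checkout containing this `ansible.cfg`, not just CI; together with the existing `record_host_keys=False` it lets an on-path attacker impersonate the target and harvest the credentials used to push STIG changes to it. Keep this out of the repo-level config: set it in the CI job (e.g. `ANSIBLE_SSH_ARGS` in the workflow, or `-o StrictHostKeyChecking=accept-new` with a per-run known_hosts seeded from the Terraform output) and leave default verification in place for operators. If it must stay, a comment stating it is for ephemeral test instances only would at least warn the next user.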
@@ -2,7 +2,13 @@ collections: - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git diff --git a/defaults/main.yml b/defaults/main.yml index 8b68badf..e3c36861 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -484,6 +484,9 @@ rhel8stig_smartcard: false # Configure your smartcard driver rhel8stig_smartcarddriver: cackey +# Set the file that sysctl should write to +rhel8stig_sysctl_file: /etc/sysctl.d/99_stig_sysctl.conf + # Whether or not system uses remote automounted home directories via autofs rhel8stig_autofs_remote_home_dirs: false @@ -597,7 +600,7 @@ rhel8stig_tftp_required: false # RHEL-08-010140 and RHEL-08-020280 # Password protect the boot loader -rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword +rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword # pragma: allowlist secret rhel8stig_boot_superuser: bootloader_admin # AIDE settings @@ -842,10 +845,6 @@ rhel8stig_path_to_sshkey: "/root/.ssh/" # To conform to STIG standards these directories need to be 755 or less permissive rhel8stig_lib_dir_perms: 0755 -# RHEL-08-010510 -# rhel8stig_sshd_compression to meet STIG requirements needs to be set to "no" or "delayed" -rhel8stig_sshd_compression: "no" - # now in prelim # rhel8stig_interactive_uid_start: '1000' 
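Review bot: Switching the three collections to `type: git` sources without a `version:` makes `ansible-galaxy collection install -r` clone the default-branch HEAD of each repository at install time, so builds are no longer reproducible and a compromised or merely broken upstream commit flows straight into every hardening run. Pin each entry, e.g. `version: 8.x.y` (a release tag) or a commit SHA, and keep Galaxy as the source unless there is a reason to bypass it, since git sources skip Galaxy's published-artifact checks. If the intent was only to work around a Galaxy outage (the changelog says "updates to collections since galaxy updated"), a comment saying so would help.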
@@ -891,7 +890,7 @@ rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ct # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 -rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" +rhel8stig_gnutls_encryption: "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" # RHEL-08-020070 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less diff --git a/handlers/main.yml b/handlers/main.yml index e7f323d7..3e6ff61d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -5,16 +5,6 @@ when: - not system_is_container -- name: update sysctl - ansible.builtin.template: - src: 99-sysctl.conf.j2 - dest: /etc/sysctl.d/99-sysctl.conf - owner: root - group: root - mode: 0644 - notify: sysctl system - when: "'procps-ng' in ansible_facts.packages" - - name: sysctl system ansible.builtin.shell: sysctl --system when: "'procps-ng' in ansible_facts.packages" diff --git a/meta/main.yml b/meta/main.yml index f260b661..a9a9978b 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,6 +1,6 @@ --- galaxy_info: - author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell" + author: "MindPoint Group" description: "Apply the DISA RHEL 8 STIG" company: "MindPoint Group" license: MIT diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 4ef8469f..c8222b8e 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -7,7 +7,7 @@ owner: root group: root checksum: "{{ audit_bin_version.checksum }}" - mode: 0555 + mode: '0555' when: - get_audit_binary_method == 'download' 
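Review bot: Removing the `update sysctl` handler leaves `/etc/sysctl.d/99-sysctl.conf` files written by earlier versions of this role in place on already-hardened hosts, while new runs write `/etc/sysctl.d/99_stig_sysctl.conf`; the values do not conflict today, but the stale file is now unmanaged and will not follow future changes to a control's value. Consider a one-time cleanup task, but guard it: on stock RHEL 8 `/etc/sysctl.d/99-sysctl.conf` is normally a systemd-shipped symlink to `../sysctl.conf`, so only remove it when `stat` reports a regular file (`when: old_sysctl.stat.isreg`). The `99-sysctl.conf.j2` template the handler rendered is presumably dead now as well; its deletion is not in this diff.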
@@ -15,8 +15,8 @@ ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 owner: root group: root + mode: '0555' when: - get_audit_binary_method == 'copy' diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4acccb0e..035503f3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -836,7 +836,7 @@ regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)' line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>' backrefs: true - notify: change_requires_reboot + notify: change_requires_reboot when: - rhel_08_010290 tags: @@ -861,7 +861,7 @@ regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>' backrefs: true - notify: change_requires_reboot + notify: change_requires_reboot when: - rhel_08_010291 tags: @@ -1202,10 +1202,13 @@ - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." block: - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.kexec_load_disabled + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" - name: "MEDIUM | RHEL-08-010372 | AUDIT | RHEL 8 must prevent the loading of a new kernel for later execution. | Find conflicting instances" ansible.builtin.shell: grep -rs "kernel.kexec_load_disabled = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 
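Review bot: Every new `ansible.posix.sysctl` task passes `reload: "{{ rhel8stig_sysctl_reload }}"`, but this diff only adds `rhel8stig_sysctl_file` to `defaults/main.yml`; unless `rhel8stig_sysctl_reload` already exists in defaults or prelim (not visible here), the role fails with an undefined-variable error on the first sysctl control. Add `rhel8stig_sysctl_reload: true` next to the new file variable and document the two together. As far as I recall the module's `reload` only re-applies the role's own file, so the remaining `sysctl system` handler (`sysctl --system`) is still what re-applies the tree after conflicting files are edited; worth a comment where the variable is defined.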
@@ -1247,11 +1250,14 @@ loop: "{{ rhel_08_010373_conflicting_settings.stdout_lines }}" when: rhel_08_010373_conflicting_settings.stdout | length > 0 - - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set sysctl" + ansible.posix.sysctl: + name: fs.protected_symlinks + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010373 tags: @@ -1280,10 +1286,13 @@ when: rhel_08_010374_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: fs.protected_hardlinks + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010374 tags: 
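Review bot: The task name for RHEL-08-010373 was updated to `| Set sysctl`, but the sibling tasks in this diff (010372, 010374, 010430, 040209 onwards) keep the now-false suffix `| Use template to create file` even though they call `ansible.posix.sysctl` directly. Task names are what operators grep in run logs and audit output, so rename them consistently, e.g. `| Set sysctl` everywhere; this is naming only, no behaviour change.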
@@ -1566,10 +1575,13 @@ when: rhel_08_010430_conflicting_settings.stdout | length > 0 - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.randomize_va_space + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010430 tags: @@ -2224,10 +2236,13 @@ when: rhel_08_010671_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.core_pattern + value: "|/bin/false" + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010671 tags: @@ -3245,7 +3260,7 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" - ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" + ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -rI | sort -u | tail -n 1 | cut -f1 -d:" changed_when: false failed_when: false register: rhel_08_020030_lock_enabled 
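Review bot: `grep lock-enabled /etc/dconf/db/* -rI | sort -u | tail -n 1 | cut -f1 -d:` now returns at most one file, the lexically last match, whereas the old pipeline returned every file that sets `lock-enabled`; if more than one dconf fragment sets it (a `locks` file and a `local.d` file, say), the others are silently dropped and whatever consumes `rhel_08_020030_lock_enabled` afterwards (outside the hunk) will miss them. If the intent is to cope with the register now holding several lines, iterate `stdout_lines` in the consumer rather than discarding matches here. The 010430 task in the same hunk also still carries the stale `| Use template to create file` suffix.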
@@ -3340,7 +3355,7 @@ if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) tmux ;; esac + case "$name" in (sshd|login) exec tmux ;; esac fi create: true when: @@ -4274,7 +4289,7 @@ - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" ansible.builtin.include_tasks: parse_etc_passwd.yml vars: - rhel8stig_passwd_tasks: "RHEL-08-020320" + rhel8stig_passwd_tasks: "RHEL-08-020320" # pragma: allowlist secret when: rhel_08_020320_accounts_removed is changed # noqa no-handler when: - rhel_08_020320 @@ -6615,10 +6630,13 @@ when: rhel_08_040209_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040209 tags: @@ -6647,10 +6665,13 @@ when: rhel_08_040210_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040210 
@@ -6681,10 +6702,13 @@ when: rhel_08_040220_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040220 tags: @@ -6713,10 +6737,13 @@ when: rhel_08_040230_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040230 tags: @@ -6745,10 +6772,13 @@ when: rhel_08_040239_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040239 tags: 
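Review bot: RHEL-08-040230 sets `net.ipv4.icmp_echo_ignore_broadcasts` to `0`, which is the opposite of the control: the task title says the host must not respond to ICMP echoes sent to a broadcast address, and that requires `icmp_echo_ignore_broadcasts = 1` (0 means answer them, i.e. the smurf-amplification behaviour the STIG forbids). Change it to `value: 1`. The conflicting-instances grep just above this task (outside the hunk) should then be looking for `= 0` as the bad value, so confirm the two agree.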
@@ -6777,10 +6807,13 @@ when: rhel_08_040240_conflicting_settings.stdout |length > 0 - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040240 - rhel8stig_ipv6_required @@ -6810,10 +6843,13 @@ when: rhel_08_040249_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040249 tags: @@ -6842,10 +6878,13 @@ when: rhel_08_040250_conflicting_findings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_source_route + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040250 - rhel8stig_ipv6_required 
@@ -6875,10 +6914,13 @@ when: rhel_08_040259_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.forwarding + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040259 - not rhel8stig_system_is_router @@ -6908,10 +6950,13 @@ when: rhel_08_040260_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040260 - not rhel8stig_system_is_router @@ -6941,10 +6986,13 @@ when: rhel_08_040261_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_ra + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040261 - rhel8stig_ipv6_required 
@@ -6975,10 +7023,13 @@ when: rhel_08_040262_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.default.accept_ra + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040262 - rhel8stig_ipv6_required @@ -7009,10 +7060,13 @@ when: rhel_08_040270_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.default.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040270 tags: @@ -7041,10 +7095,13 @@ when: rhel_08_040279_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.send_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040279 tags: 
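Review bot: RHEL-08-040279 is the "ignore IPv4 ICMP redirect messages" control, i.e. `net.ipv4.conf.all.accept_redirects = 0`, but the task sets `net.ipv4.conf.all.send_redirects`, which RHEL-08-040220 earlier in this diff already manages. As written the `accept_redirects` sysctl on `all` is never set, so hosts still honour ICMP redirects after this role runs and the STIG check fails. Change the name to `net.ipv4.conf.all.accept_redirects` and verify the matching conflicting-settings grep above it (outside the hunk) searches for the same key.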
@@ -7073,10 +7130,13 @@ when: rhel_08_040280_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv6.conf.all.accept_redirects + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040280 - rhel8stig_ipv6_required @@ -7106,10 +7166,13 @@ when: rhel_08_040281_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.unprivileged_bpf_disabled + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040281 tags: @@ -7138,10 +7201,13 @@ when: rhel_08_040282_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.yama.ptrace_scope + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040282 tags: 
@@ -7170,10 +7236,13 @@ when: rhel_08_040283_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.kptr_restrict + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040283 tags: @@ -7202,10 +7271,13 @@ when: rhel_08_040284_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: user.max_user_namespaces + value: 0 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040284 tags: @@ -7234,10 +7306,13 @@ when: rhel_08_040285_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.ipv4.conf.all.rp_filter + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040285 tags: 
@@ -7266,10 +7341,13 @@ when: rhel_08_040286_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: net.core.bpf_jit_harden + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040286 tags: @@ -7323,6 +7401,7 @@ state: link when: - rhel_08_040321 + - not rhel8stig_gui tags: - RHEL-08-040321 - CAT2 @@ -7407,8 +7486,7 @@ when: - rhel8stig_current_kex is defined - rhel8stig_current_kex.stdout | length > 0 - - notify: change_requires_reboot + notify: change_requires_reboot when: - rhel_08_040342 - rhel8stig_ssh_required diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 39c12a56..66c817ca 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -49,10 +49,13 @@ when: rhel_08_010375_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.dmesg_restrict + value: 1 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010375 tags: 
@@ -81,10 +84,13 @@ when: rhel_08_010376_conflicting_settings.stdout | length > 0 - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users." - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - changed_when: true - notify: update sysctl + ansible.posix.sysctl: + name: kernel.perf_event_paranoid + value: 2 + state: present + reload: "{{ rhel8stig_sysctl_reload }}" + sysctl_set: true + sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_010376 tags: diff --git a/tasks/main.yml b/tasks/main.yml index 36cb7639..c516e703 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -63,7 +63,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }}" vars: - sudo_password_rule: RHEL-08-010380 + sudo_password_rule: RHEL-08-010380 # pragma: allowlist secret when: - rhel_08_010380 - ansible_env.SUDO_USER is defined @@ -98,8 +98,8 @@ - name: Check rhel8stig_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set" + that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set" # pragma: allowlist secret when: - not system_is_ec2 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index f0a7664e..fa9614b6 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -1,24 +1,16 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - -- name: Post Audit | ensure audit files readable by users - ansible.builtin.file: - path: "{{ item }}" - mode: 0644 - state: file - loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" - - name: Post Audit | Capture audit data if json format block: + + - name: "Post Audit | Run post_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit @@ -34,6 +26,15 @@ - name: Post Audit | Capture audit data if documentation format block: + + - name: "Post Audit | Run post_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }} -f documentation" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "Post Audit | capture data {{ post_audit_outfile }}" ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit 
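Review bot: The run_audit.sh tasks moved into both blocks interpolate `{{ audit_conf_dir }}`, `{{ audit_vars_path }}`, `{{ post_audit_outfile }}` and `{{ group_names }}` into an `ansible.builtin.shell` string unquoted, and `group_names` is a list, so it renders as a Python-style `['a', 'b']` token whose quotes and brackets the shell itself consumes; a group name containing spaces or metacharacters changes the command. Pass the scalar paths through `| quote` and hand over the groups in whatever form run_audit.sh expects for `-g` (for example `-g {{ group_names | join(',') | quote }}`), or switch to `ansible.builtin.command` with an `argv` list. The same pattern is repeated in the two blocks of pre_remediation_audit.yml later in this patch. The two copies of the task differ only in the trailing `-f documentation`; if run_audit.sh also accepts a json format flag, a single task driven by `audit_format` would remove the duplication.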
@@ -44,3 +45,12 @@ post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" + +- name: Post Audit | ensure audit files readable by users + ansible.builtin.file: + path: "{{ item }}" + mode: '0644' + state: file + loop: + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index fc9ed887..290170d6 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: @@ -15,19 +16,11 @@ - name: Pre Audit Setup | If using git for content set up block: - - name: Pre Audit Setup | Install git (rh8 python3) + - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - when: ansible_distribution_major_version == '8' - - - name: Pre Audit Setup | Install git (rh7 python2) - ansible.builtin.package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' + when: "'git' not in ansible_facts.packages" - name: Pre Audit Setup | retrieve audit content files from git ansible.builtin.git: @@ -68,9 +61,8 @@ - name: Pre Audit Setup | If audit ensure goss is available ansible.builtin.assert: + that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists when: - run_audit 
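Review bot: The new guard `when: "'git' not in ansible_facts.packages"` in pre_remediation_audit.yml only evaluates if `ansible_facts.packages` has been populated by `ansible.builtin.package_facts` earlier in the play; if nothing gathers it first, the condition fails with an undefined-attribute error instead of falling through to the install. I cannot see the preceding tasks from this hunk, so either confirm package_facts runs before this block or make the guard self-sufficient, e.g. `when: ansible_facts.packages is not defined or 'git' not in ansible_facts.packages`. Since `ansible.builtin.package` with `state: present` is idempotent anyway, the guard is only an optimisation and dropping it is also acceptable.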
@@ -78,22 +70,22 @@ ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 + mode: '0600' when: - run_audit tags: - goss_template -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - name: Pre Audit | Capture audit data if json format block: + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "capture data {{ pre_audit_outfile }}" ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit @@ -109,6 +101,15 @@ - name: Pre Audit | Capture audit data if documentation format block: + + - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }} -f documentation" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 20435f73..4a04d26d 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -121,7 +121,7 @@ - name: "PRELIM | RHEL-08-010740 | RHEL-08-010750 | RHEL-08-020320 | Parse /etc/passwd" ansible.builtin.import_tasks: parse_etc_passwd.yml vars: - rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320" + rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320" # pragma: allowlist secret when: - rhel_08_010141 or rhel_08_010149 or @@ -386,7 +386,7 @@ rhel8stig_legacy_boot: false when: - rhel8_efi_boot.stat.exists - - ansible_distribution == 'Oracle Linux' + - ansible_distribution == 'OracleLinux' - name: "PRELIM | set if not UEFI boot" ansible.builtin.set_fact: diff --git a/templates/01-banner-message.j2 b/templates/01-banner-message.j2 index 23974c01..1a1a581b 100644 --- a/templates/01-banner-message.j2 +++ b/templates/01-banner-message.j2 @@ -1,4 +1,4 @@ -[org/gnome/login-screen] +[org/gnome/login-screen] banner-message-enable=true banner-message-text='{{ rhel8stig_logon_banner }}' diff --git a/templates/99-sysctl.conf.j2 b/templates/99-sysctl.conf.j2 deleted file mode 100644 index 3958c9f2..00000000 --- a/templates/99-sysctl.conf.j2 +++ /dev/null 
@@ -1,153 +0,0 @@
-# sysctl settings are defined through files in
-# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
-#
-# Vendors settings live in /usr/lib/sysctl.d/.
-# To override a whole file, create a new file with the same in
-# /etc/sysctl.d/ and put new settings there. To override
-# only specific settings, add a file with a lexically later
-# name in /etc/sysctl.d/ and put new settings there.
-#
-# For more information, see sysctl.conf(5) and sysctl.d(5).
-
-# sysctl file Added via stig ansible remediation
-# Each line is added if set
-
-{% if rhel_08_010372 %}
-# RHEL-08-010372
-kernel.kexec_load_disabled = 1
-{% endif %}
-
-{% if rhel_08_010373 %}
-# RHEL-08-010373
-fs.protected_symlinks = 1
-{% endif %}
-
-{% if rhel_08_010374 %}
-# RHEL-08-010374
-fs.protected_hardlinks = 1
-{% endif %}
-
-{% if rhel_08_010375 %}
-# RHEL-08-010375
-kernel.dmesg_restrict = 1
-{% endif %}
-
-{% if rhel_08_010376 %}
-# RHEL-08-010376
-kernel.perf_event_paranoid = 2
-{% endif %}
-
-{% if rhel_08_010430 %}
-# RHEL-08-010430
-kernel.randomize_va_space = 2
-{% endif %}
-
-{% if rhel_08_010671 %}
-# RHEL-08-010671
-kernel.core_pattern = |/bin/false
-{% endif %}
-
-{% if rhel_08_040209 %}
-# RHEL-08-040209
-net.ipv4.conf.default.accept_redirects = 0
-{% endif %}
-
-{% if rhel_08_040210 and rhel8stig_ipv6_required %}
-# RHEL-08-040210
-net.ipv6.conf.default.accept_redirects = 0
-{% endif %}
-
-{% if rhel_08_040220 %}
-# RHEL-08-040220
-net.ipv4.conf.all.send_redirects = 0
-{% endif %}
-
-{% if rhel_08_040230 %}
-# RHEL-08-040230
-net.ipv4.icmp_echo_ignore_broadcasts = 1
-{% endif %}
-
-{% if rhel_08_040239 %}
-# RHEL-08-040239
-net.ipv4.conf.all.accept_source_route = 0
-{% endif %}
-
-{% if rhel_08_040240 %}
-# RHEL-08-040240
-net.ipv6.conf.all.accept_source_route = 0
-{% endif %}
-
-{% if rhel_08_040249 %}
-# RHEL-08-040249
-net.ipv4.conf.default.accept_source_route = 0
-{% endif %}
-
-{% if rhel_08_040250 and rhel8stig_ipv6_required %}
-# RHEL-08-040250
-net.ipv6.conf.default.accept_source_route = 0
-{% endif %}
-
-{% if rhel_08_040259 and not rhel8stig_system_is_router %}
-# RHEL-08-040259
-net.ipv4.conf.all.forwarding = 0
-{% endif %}
-
-{% if rhel_08_040260 and not rhel8stig_system_is_router %}
-# RHEL-08-040260
-net.ipv6.conf.all.forwarding = 0
-{% endif %}
-
-{% if rhel_08_040261 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %}
-# RHEL-08-040261
-net.ipv6.conf.all.accept_ra = 0
-{% endif %}
-
-{% if rhel_08_040262 and rhel8stig_ipv6_required and not rhel8stig_system_is_router %}
-# RHEL-08-040262
-net.ipv6.conf.default.accept_ra = 0
-{% endif %}
-
-{% if rhel_08_040270 %}
-# RHEL-08-040270
-net.ipv4.conf.default.send_redirects = 0
-{% endif %}
-
-{% if rhel_08_040279 %}
-# RHEL-08-040279
-net.ipv4.conf.all.accept_redirects = 0
-{% endif %}
-
-{% if rhel_08_040280 and rhel8stig_ipv6_required %}
-# RHEL-08-040280
-net.ipv6.conf.all.accept_redirects = 0
-{% endif %}
-
-{% if rhel_08_040281 %}
-# RHEL-08-040281
-kernel.unprivileged_bpf_disabled = 1
-{% endif %}
-
-{% if rhel_08_040282 %}
-# RHEL-08-040282
-kernel.yama.ptrace_scope = 1
-{% endif %}
-
-{% if rhel_08_040283 %}
-# RHEL-08-040283
-kernel.kptr_restrict = 1
-{% endif %}
-
-{% if rhel_08_040284 %}
-# RHEL-08-040284
-user.max_user_namespaces = 0
-{% endif %}
-
-{% if rhel_08_040285 %}
-# RHEL-08-040285
-net.ipv4.conf.all.rp_filter = 1
-{% endif %}
-
-{% if rhel_08_040286 %}
-# RHEL-08-040286
-net.core.bpf_jit_harden = 2
-{% endif %}
diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2
index 92ebb20a..fc93abe9 100644
--- a/templates/aide.conf.j2
+++ b/templates/aide.conf.j2
@@ -319,4 +319,4 @@ DATAONLY = FIPSR # Ditto /var/log/sa/ same reason...
-!/var/log/httpd/
\ No newline at end of file
+!/var/log/httpd/
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index e81f9658..69484221 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -14,7 +14,7 @@ rpm_gpg_key: {{ rpm_gpg_key }} rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} -# Some tests may need to scan every filesystem or have an impact on a system +# Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long run_heavy_tests: {{ audit_run_heavy_tests }} timeout_ms: {{ audit_cmd_timeout }} diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 index febf193e..32c441b5 100644 --- a/templates/pam_pkcs11.conf.j2 +++ b/templates/pam_pkcs11.conf.j2 @@ -9,7 +9,7 @@ pam_pkcs11 { nullok = true; # Enable debugging support. - debug = false; + debug = false; # If the smart card is inserted, only use it card_only = true; @@ -32,7 +32,7 @@ pam_pkcs11 { screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module {{ rhel08stig_smartcarddriver }} { - {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} + {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} module = /usr/lib64/libcackey.so; description = "{{ rhel08stig_smartcarddriver }}"; slot_num = 0; @@ -54,7 +54,7 @@ pam_pkcs11 { # you can mange the certs in this database with the certutil command in # the package nss-tools nss_dir = /etc/pki/nssdb; - + # Sets the Certificate Policy, (see above) cert_policy = ca, signature; } 
@@ -96,10 +96,10 @@ pam_pkcs11 { # When no absolute path or module info is provided, use this # value as module search path # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH + # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; - # + # # Generic certificate contents mapper mapper generic { debug = true; @@ -194,7 +194,7 @@ pam_pkcs11 { module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or - # leave empty "" or "none" to use no map + # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; diff --git a/templates/resolv.conf.j2 b/templates/resolv.conf.j2 index 483018cd..8f214a7b 100644 --- a/templates/resolv.conf.j2 +++ b/templates/resolv.conf.j2 @@ -11,4 +11,4 @@ nameserver {{ server }} {% endif %} {% if rhel8_stig_resolv_options is iterable %} options {{ rhel8_stig_resolv_options | join(' ') }} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/test_plugins/rhel8_stig_ansible_backport.py b/test_plugins/rhel8_stig_ansible_backport.py index 87b412b9..343b5bdc 100644 --- a/test_plugins/rhel8_stig_ansible_backport.py +++ b/test_plugins/rhel8_stig_ansible_backport.py @@ -19,4 +19,4 @@ def tests(self): return { # set theory 'contains': contains, - } \ No newline at end of file + } diff --git a/test_plugins/rhel8_stig_jinja_compat.py b/test_plugins/rhel8_stig_jinja_compat.py index 10bc9409..979aded8 100644 --- a/test_plugins/rhel8_stig_jinja_compat.py +++ b/test_plugins/rhel8_stig_jinja_compat.py @@ -38,4 +38,4 @@ def tests(self): 'lessthan': operator.lt, '<=': operator.le, 'le': operator.le, - } \ No newline at end of file + } diff --git a/vars/main.yml b/vars/main.yml index f01c9ff9..92b42958 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -10,7 +10,7 @@ rhel8stig_service_started: "{{ rhel8stig_system_is_chroot | ternary(omit, 'start # !!!!!!!!possibly delete # rhel8stig_systemd_daemon_reload: "{{ not rhel8stig_system_is_chroot }}" -rhel8stig_sysctl_reload: "{{ not rhel8stig_system_is_container }}" +rhel8stig_sysctl_reload: "{{ not system_is_container }}" # these variables are for enabling tasks to run that will be further controled # by check_mode to prevent the remediation task from making changes as
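Review bot: `rhel8stig_sysctl_reload` is now derived from `system_is_container`, but every sysctl task converted in this patch passes `sysctl_set: true` unconditionally, and as I read the module that flag triggers a live `sysctl -w` when the running value differs, independently of `reload`; in a container with a read-only `/proc/sys` that write fails even though reload was disabled for exactly that case. If the intent is "write the file, leave the running kernel alone in containers", tie both knobs to the same variable, e.g. `sysctl_set: "{{ rhel8stig_sysctl_reload }}"`, or guard the tasks on `not system_is_container`. I cannot see from this hunk where `system_is_container` is set, so confirm it is defined by the time the first sysctl task evaluates this expression.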