Merge pull request #200 from ansible-lockdown/devel

Release to main for bug fixes and improvements

.ansible-lint

@@ -1,4 +1,5 @@
 ---
+
 parseable: true
 quiet: true
 skip_list:
@@ -7,6 +8,7 @@ skip_list:
     - 'var-spacing'
     - 'fqcn-builtins'
     - 'experimental'
+    - 'name[play]'
     - 'name[casing]'
     - 'name[template]'
     - 'fqcn[action]'

.github/workflows/linux_benchmark_testing.yml

@@ -5,7 +5,7 @@ name: linux_benchmark_pipeline
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
 # events but only for the devel branch
-on:
+on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened, synchronize]
     branches:

.yamllint

@@ -1,32 +1,33 @@
 ---
-ignore: |
-  tests/
-  molecule/
-  .github/
-  .gitlab-ci.yml
-  *molecule.yml
-
 extends: default
 
+ignore: |
+    tests/
+    molecule/
+    .github/
+    .gitlab-ci.yml
+    *molecule.yml
+
 rules:
-  indentation:
-    # Requiring 4 space indentation
-    spaces: 4
-    # Requiring consistent indentation within a file, either indented or not
-    indent-sequences: consistent
-    level: error
-  braces:
-    max-spaces-inside: 1
-    level: error
-  brackets:
-    max-spaces-inside: 1
-    level: error
-  line-length: disable
-  key-duplicates: enable
-  new-line-at-end-of-file: enable
-  new-lines:
-    type: unix
-  trailing-spaces: enable
-  truthy:
-    allowed-values: ['true', 'false']
-    check-keys: false
+    indentation:
+        # Requiring 4 space indentation
+        spaces: 4
+        # Requiring consistent indentation within a file, either indented or not
+        indent-sequences: consistent
+    braces:
+        max-spaces-inside: 1
+        level: error
+    brackets:
+        max-spaces-inside: 1
+        level: error
+    empty-lines:
+        max: 1
+    line-length: disable
+    key-duplicates: enable
+    new-line-at-end-of-file: enable
+    new-lines:
+        type: unix
+    trailing-spaces: enable
+    truthy:
+        allowed-values: ['true', 'false']
+        check-keys: false

Changelog.md

@@ -1,6 +1,27 @@
 # Changes to RHEL8STIG
 
-## Relase 2.8.3
+## Release 2.8.6
+
+- [#194](https://github.com/ansible-lockdown/RHEL8-STIG/issues/194) thanks to @JacobBuskirk
+- [#196](https://github.com/ansible-lockdown/RHEL8-STIG/issues/196) thanks to @jmalpede
+
+- [#195](https://github.com/ansible-lockdown/RHEL8-STIG/pull/195) thanks to PoundsOfFlesh
+- [#197](https://github.com/ansible-lockdown/RHEL8-STIG/pull/197) thanks to PoundsOfFlesh
+
+## Release 2.8.5
+
+- updated to /var/log mount check
+- added commnets for /mnt and removeable media on Azure systems
+
+## Release 2.8.4
+
+- ansible version updated to 2.10.1 minimum
+- updated to ansible user check for passwd rule 010380
+  - thanks to discord community member PoundsOfFlesh
+- update readme layout and latest audit example
+- changed disruptive back to false to allow users to control the settings
+
+## Release 2.8.3
 
 - improvements to openssh configs and seperated tasks
 

README.md

@@ -1,17 +1,52 @@
 # RHEL 8 DISA STIG
 
-![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/CommunityToDevel?label=Devel%20Build%20Status&style=plastic)
-![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic)
-![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-STIG?style=plastic)
-
-Configure a RHEL/Rocky 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`.
+## Configure a RHEL8 based system to be complaint with Disa STIG
 
 This role is based on RHEL 8 DISA STIG: [Version 1, Rel 9 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R9_STIG.zip).
 
-## Join us
+---
+
+![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social)
+![Stars](https://img.shields.io/github/stars/ansible-lockdown/rhel8-stig?label=Repo%20Stars&style=social)
+![Forks](https://img.shields.io/github/forks/ansible-lockdown/rhel8-stig?style=social)
+![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
+[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
+
+![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible)
+![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
+
+![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20commits)
+
+![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) 
+![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status)
+![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel8-stig?label=Release%20Date)
+![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel8-stig?label=Release%20Tag&&color=success)
+
+![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/rhel8-stig?label=Open%20Issues)
+![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/rhel8-stig?label=Closed%20Issues&&color=success)
+![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/rhel8-stig?label=Pull%20Requests)
+
+![License](https://img.shields.io/github/license/ansible-lockdown/rhel8-stig?label=License)
+
+---
+
+## Looking for support?
+
+[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH8_stig)
+
+[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH8_stig)
+
+### Community
 
 On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
 
+---
+
+Configure a RHEL/Rocky 8 system to be DISA STIG compliant.
+Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default.
+Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `true`.
+
 ## Updating
 
 Coming from a previous release.
@@ -21,41 +56,27 @@ This contains rewrites and ID reference changes as per STIG documentation.
 
 ## Auditing
 
-This can be turned on or off within the defaults/main.yml file with the variable rhel8stig_run_audit. The value is false by default, please refer to the wiki for more details.
+This can be turned on or off within the defaults/main.yml file with the variable rhel7cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role.
 
 This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings.
 
-A new form of auditing has been develeoped, by using a small (12MB) go binary called [goss](https://github.com/aelsabbahy/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling.
+A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling.
 This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process.
 
-Refer to [RHEL8-STIG-Audit](https://github.com/ansible-lockdown/RHEL8-STIG-Audit).
+## Documentation
+
+- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/)
+- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH8_stig)
+- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_RH8_stig)
+- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH8_stig)
+- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH8_stig)
 
 ## Requirements
 
-- RHEL/Rocky/AlmaLinux 8 - Other versions are not supported.
+- RHEL/Rocky/AlmaLinux/OL 8 - Other versions are not supported.
 - Other OSs can be checked by changing the skip_os_check to true for testing purposes.
 - Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system.
 
-### General
-
-- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
-
-  - [Main Ansible documentation page](https://docs.ansible.com)
-  - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
-  - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
-  - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
-- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
-- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables).
-
-## Documentation
-
-- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL8-STIG/)
-- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
-- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
-- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
-- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
-- [Wiki](https://github.com/ansible-lockdown/RHEL8-STIG/wiki)
-
 ## Dependencies
 
 The following packages must be installed on the controlling host/host where ansible is executed:
@@ -69,7 +90,7 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat
 
 ## Role Variables
 
-This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.
+This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.
 
 ### Tags
 
@@ -91,18 +112,14 @@ This is based on a vagrant image with selections enabled. e.g. No Gui or firewal
 Note: More tests are run during audit as we check config and running state.
 
 ```sh
-ok: [rhel8test] => {
-    "msg": [
-        "The pre remediation results are: Count: 308, Failed: 156, Duration: 44.108s.",
-        "The post remediation results are: Count: 308, Failed: 14, Duration: 37.647s.",
-        "Full breakdown can be found in /var/tmp",
-        ""
-    ]
-}
-  ]
-}
+ok: [rocky8_efi] => 
+  msg:
+  - 'The pre remediation results are: Count: 804, Failed: 416, Duration: 6.488s.'
+  - 'The post remediation results are: Count: 804, Failed: 28, Duration: 68.687s.'
+  - Full breakdown can be found in /opt
+
 PLAY RECAP ****************************************************************************************************************
-rhel8test         : ok=369  changed=192  unreachable=0  failed=0  skipped=125  rescued=0  ignored=0  
+rocky8_efi                 : ok=482  changed=269  unreachable=0    failed=0    skipped=207  rescued=0    ignored=0   
 ```
 
 ## Branches

collections/requirements.yml

@@ -1,8 +1,8 @@
 ---
 
 collections:
-- name: community.general
+    - name: community.general
 
-- name: community.crypto
+    - name: community.crypto
 
-- name: ansible.posix
+    - name: ansible.posix

defaults/main.yml

@@ -26,11 +26,11 @@ rhel8stig_audit_complex: true
 # We've defined disruption-high to indicate items that are likely to cause
 # disruption in a normal workflow.  These items can be remediated automatically
 # but are disabled by default to avoid disruption.
-rhel8stig_disruption_high: true
+rhel8stig_disruption_high: false
 
 # Show "changed" for disruptive items not remediated per disruption-high
 # setting to make them stand out.
-rhel8stig_audit_disruptive: true
+rhel8stig_audit_disruptive: false
 
 rhel8stig_skip_for_travis: false
 
@@ -190,9 +190,12 @@ rhel_08_010571: true
 rhel_08_010572: true
 rhel_08_010580: true
 rhel_08_010590: true
+## Note Azure is currently default mounting /mnt for cloud-init this will cause issues with these controls
+## refer to https://github.com/Azure/WALinuxAgent/issues/1971
 rhel_08_010600: true
 rhel_08_010610: true
 rhel_08_010620: true
+##
 rhel_08_010630: true
 rhel_08_010640: true
 rhel_08_010650: true
@@ -477,13 +480,13 @@ rhel8stig_smartcard: false
 # Configure your smartcard driver
 rhel8stig_smartcarddriver: cackey
 
-#Whether or not system uses remote automounted home directories via autofs
+# Whether or not system uses remote automounted home directories via autofs
 rhel8stig_autofs_remote_home_dirs: false
 
-#The local mount point used by autofs to mount remote home directory to.  This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true
+# The local mount point used by autofs to mount remote home directory to.  This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true
 rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/"
 
-#The default shell command to gather local interactive user directories
+# The default shell command to gather local interactive user directories
 ## NOTE: You will need to adjust the UID range in parenthesis below.
 ## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below.
 local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'"
@@ -533,7 +536,6 @@ rhel8stig_ssh_priv_key_perm: 0600
 rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
 rhel8stig_change_user_path: false
 
-
 # RHEL-08-010700
 # rhel8stig_ww_dir_owner is the owenr of all world-writable directories
 # To conform to STIG standards this needs to be set to root, sys, bin, or an application group
@@ -794,7 +796,6 @@ rhel8stig_auditd_failure_flag: "{{ rhel8stig_availability_override | ternary(1,
 # REHL-08-010020
 rhel8stig_boot_part: "{{ rhel_08_boot_part.stdout }}"
 
-
 # RHEL-08-010740/RHEL-08-010750
 rhel8stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
 
@@ -878,7 +879,7 @@ rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ct
 # RHEL-08-010295
 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions
 # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
-rhel8stig_gnutls_encryption: "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0"
+rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0"
 
 # RHEL-08-020070
 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less
@@ -889,7 +890,6 @@ rhel8stig_tmux_lock_after_time: 900
 # Value must be greater than 0 to conform to STIG standards
 rhel8stig_sudo_timestamp_timeout: 1
 
-
 #### Goss Configuration Settings ####
 # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
 audit_run_script_environment: