From 17aed7d6a6f71cbcdf5475f420ee770620ddaefa Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 24 Mar 2023 08:19:59 +0000
Subject: [PATCH 01/20] updated check for ansible user password

Signed-off-by: Mark Bolwell
---
tasks/main.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index 685d2557..d616c996 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -26,20 +26,20 @@
tags:
- always
-- name: "Check password set for {{ ansible_user }}"
+- name: "Check password set for connecting user"
block:
- - name: Capture current password state of "{{ ansible_user }}"
- shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
+ - name: Capture current password state of connecting user"
+ shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
changed_when: false
failed_when: false
check_mode: false
register: ansible_user_password_set
- - name: "Assert that password set for {{ ansible_user }} and account not locked"
+ - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked"
assert:
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
- fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
- success_msg: "You a password set for the {{ ansible_user }}"
+ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
+ success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}"
vars:
sudo_password_rule: RHEL-08-010380
when:

From 9eb2ecbd2fe5df44583233c353698ad949bdde3a Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 24 Mar 2023 09:29:33 +0000
Subject: [PATCH 02/20] updated layout and details
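Review bot: `ansible_env.SUDO_USER` only exists when the play became root through sudo, so a run that connects directly as root, uses another become method, or has fact gathering off fails this task with an undefined variable before the check even runs; `{{ ansible_env.SUDO_USER | default(ansible_user) }}` in the shell line and in both assert messages keeps the previous behaviour as the fallback. The grep is also unanchored, so `grep bob /etc/shadow` matches `bobby` or any hash containing that substring and the assert can then test the wrong row — anchor it: `shell: "grep '^{{ ansible_env.SUDO_USER | default(ansible_user) }}:' /etc/shadow | awk -F: '{print $2}'"`. The assert treats only `!!` as locked, but a hash starting with `!` (passwd -l / usermod -L) or `*` also blocks sudo's password prompt, so adding `and ansible_user_password_set.stdout is not match('^[!*]')` would make the "account not locked" claim in the task name true. The task name `Capture current password state of connecting user"` has a stray trailing quote, and the block's `when:` list continues outside the hunk.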
Signed-off-by: Mark Bolwell --- README.md | 101 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 59 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index cb447591..e8f9012c 100644 --- a/README.md +++ b/README.md 
@@ -1,17 +1,52 @@ # RHEL 8 DISA STIG -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic) -![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-STIG?style=plastic) - -Configure a RHEL/Rocky 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`. +## Configure a RHEL8 based system to be complaint with Disa STIG This role is based on RHEL 8 DISA STIG: [Version 1, Rel 9 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R9_STIG.zip). -## Join us +--- + +![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) +![Stars](https://img.shields.io/github/stars/ansible-lockdown/rhel8-stig?label=Repo%20Stars&style=social) +![Forks](https://img.shields.io/github/forks/ansible-lockdown/rhel8-stig?style=social) +![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) +[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) + +![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible) +![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) + +![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) +![Devel 
Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20commits) + +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) +![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel8-stig?label=Release%20Date) +![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel8-stig?label=Release%20Tag&&color=success) + +![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/rhel8-stig?label=Open%20Issues) +![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/rhel8-stig?label=Closed%20Issues&&color=success) +![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/rhel8-stig?label=Pull%20Requests) + +![License](https://img.shields.io/github/license/ansible-lockdown/rhel8-stig?label=License) + +--- + +## Looking for support? + +[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH8_stig) + +[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH8_stig) + +### Community On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +--- + +Configure a RHEL/Rocky 8 system to be DISA STIG compliant. +Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. +Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `true`. + ## Updating Coming from a previous release. 
@@ -21,41 +56,27 @@ This contains rewrites and ID reference changes as per STIG documentation. ## Auditing -This can be turned on or off within the defaults/main.yml file with the variable rhel8stig_run_audit. The value is false by default, please refer to the wiki for more details. +This can be turned on or off within the defaults/main.yml file with the variable rhel7cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. -A new form of auditing has been develeoped, by using a small (12MB) go binary called [goss](https://github.com/aelsabbahy/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. +A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. -Refer to [RHEL8-STIG-Audit](https://github.com/ansible-lockdown/RHEL8-STIG-Audit). 
+## Documentation + +- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/) +- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH8_stig) +- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_RH8_stig) +- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH8_stig) +- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH8_stig) ## Requirements -- RHEL/Rocky/AlmaLinux 8 - Other versions are not supported. +- RHEL/Rocky/AlmaLinux/OL 8 - Other versions are not supported. - Other OSs can be checked by changing the skip_os_check to true for testing purposes. - Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system. -### General - -- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - - - [Main Ansible documentation page](https://docs.ansible.com) - - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) -- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. 
Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables). - -## Documentation - -- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL8-STIG/) -- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) -- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) -- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) -- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) -- [Wiki](https://github.com/ansible-lockdown/RHEL8-STIG/wiki) - ## Dependencies The following packages must be installed on the controlling host/host where ansible is executed: @@ -69,7 +90,7 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/RHEL8-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. ### Tags 
@@ -91,18 +112,14 @@ This is based on a vagrant image with selections enabled. e.g. No Gui or firewal Note: More tests are run during audit as we check config and running state. ```sh -ok: [rhel8test] => { - "msg": [ - "The pre remediation results are: Count: 308, Failed: 156, Duration: 44.108s.", - "The post remediation results are: Count: 308, Failed: 14, Duration: 37.647s.", - "Full breakdown can be found in /var/tmp", - "" - ] -} - ] -} +ok: [rocky8_efi] => + msg: + - 'The pre remediation results are: Count: 804, Failed: 416, Duration: 6.488s.' + - 'The post remediation results are: Count: 804, Failed: 28, Duration: 68.687s.' + - Full breakdown can be found in /opt + PLAY RECAP **************************************************************************************************************** -rhel8test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 rescued=0 ignored=0 +rocky8_efi : ok=482 changed=269 unreachable=0 failed=0 skipped=207 rescued=0 ignored=0 ``` ## Branches From e9da00d71a2846578a4099b3c0707bfbe17d161d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 24 Mar 2023 09:30:03 +0000 Subject: [PATCH 03/20] changed default disruption to false Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 980ee84f..715615ce 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -26,11 +26,11 @@ rhel8stig_audit_complex: true # We've defined disruption-high to indicate items that are likely to cause # disruption in a normal workflow. These items can be remediated automatically # but are disabled by default to avoid disruption. -rhel8stig_disruption_high: true +rhel8stig_disruption_high: false # Show "changed" for disruptive items not remediated per disruption-high # setting to make them stand out. -rhel8stig_audit_disruptive: true +rhel8stig_audit_disruptive: false rhel8stig_skip_for_travis: false 
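Review bot: Flipping `rhel8stig_disruption_high` to `false` changes what the role does for CAT I findings that gate on it — RHEL-08-010121, for one, then only prints a debug warning for accounts with an empty password field instead of locking them — and nothing in the defaults tells the operator that a "successful" run can leave HIGH findings open. The comment above the setting says these items are "likely to cause disruption" but not what is skipped, so I would extend it: `# NOTE: when false, disruptive CAT I controls (e.g. RHEL-08-010121 blank passwords) only warn; review the run output before treating the host as compliant.` Setting `rhel8stig_audit_disruptive: false` at the same time removes the "changed" marker that the comment says exists to make skipped disruptive items stand out, so those skips are now silent in the recap; I would leave that one `true` unless the noise is the actual complaint.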
From 5d82afaa2057864b5e723998119f12e53964f0b7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 24 Mar 2023 09:30:11 +0000 Subject: [PATCH 04/20] updated Signed-off-by: Mark Bolwell --- Changelog.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index baa51bd2..08767226 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,12 @@ # Changes to RHEL8STIG -## Relase 2.8.3 +## Release 2.8.4 + +- updated to ansible user check for passwd rule 010380 +- update readme layout and latest audit example +- changed disruptive back to false to allow users to control the settings + +## Release 2.8.3 - improvements to openssh configs and seperated tasks From 1ff0df3ef939fe9ba5a36f9bb401aa4e45e4cc06 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 24 Mar 2023 09:31:49 +0000 Subject: [PATCH 05/20] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 08767226..3f2d3508 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,7 @@ ## Release 2.8.4 - updated to ansible user check for passwd rule 010380 + - thanks to discord community member PoundsOfFlesh - update readme layout and latest audit example - changed disruptive back to false to allow users to control the settings From cd8281db15d90fa8f2d0ac3b9ff268047afc5225 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 Mar 2023 10:06:17 +0100 Subject: [PATCH 06/20] Ansible version update Signed-off-by: Mark Bolwell --- meta/main.yml | 2 +- vars/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index a9cf5b99..f260b661 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,7 +6,7 @@ galaxy_info: license: MIT role_name: rhel8_stig namespace: mindpointgroup - min_ansible_version: '2.9.0' + min_ansible_version: '2.10.1' platforms: - name: EL versions: diff --git a/vars/main.yml b/vars/main.yml index 04f6eac4..3d2ab14d 100644 
--- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,5 @@ --- -rhel8stig_min_ansible_version: 2.9.0 +rhel8stig_min_ansible_version: 2.10.1 rhel8stig_dconf_available: "{{ rhel8stig_gui or rhel8stig_dconf_audit.rc == 0 or rhel8stig_always_configure_dconf }}" From 67d74cf5625b91cafc2b0ed34d683a9c9a3dab53 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 Mar 2023 10:06:32 +0100 Subject: [PATCH 07/20] removed unnecssary conditional Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c6af2480..bf42c7b8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -69,7 +69,6 @@ gather_subset: chroot,!all,!min filter: ansible_is_chroot when: - - ansible_version.string is version_compare('2.7', '>=') - ansible_is_chroot is not defined tags: - always From c961d352252be2d228c5945272a644d551bfbab4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 29 Mar 2023 10:07:10 +0100 Subject: [PATCH 08/20] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 3f2d3508..9cdc4f21 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,7 @@ ## Release 2.8.4 +- ansible version updated to 2.10.1 minimum - updated to ansible user check for passwd rule 010380 - thanks to discord community member PoundsOfFlesh - update readme layout and latest audit example From 63d78f517cdd5ba2c6c2b01739f8cab8834b0127 Mon Sep 17 00:00:00 2001 From: Jacob Buskirk Date: Sun, 9 Apr 2023 16:30:13 -0400 Subject: [PATCH 09/20] Fix RHEL-08-020011 Conditional Signed-off-by: Jacob Buskirk --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 9e8a7c32..3a8dd0d3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -2799,7 +2799,7 @@ line: "deny = {{ rhel8stig_pam_faillock.attempts }}" when: - rhel_08_020011 - - ansible_distribution_version|int >= 8.2 + - ansible_distribution_version is version('8.2', '>=') tags: - RHEL-08-020011 - CAT2 From 5e9353315a7ec6de0ce7072fb7991e8cba28ac41 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Tue, 11 Apr 2023 14:33:45 -0400 Subject: [PATCH 10/20] Module Name Update, Module Command To Shell, Fixed " Issue, Yamllint Check, Ansilbe-lint Check Signed-off-by: Stephen Williams --- .ansible-lint | 2 + .github/workflows/linux_benchmark_testing.yml | 2 +- .yamllint | 57 +- collections/requirements.yml | 6 +- defaults/main.yml | 9 +- handlers/main.yml | 52 +- tasks/LE_audit_setup.yml | 4 +- tasks/audit_homedirinifiles.yml | 2 +- tasks/fix-cat1.yml | 80 +- tasks/fix-cat2.yml | 1077 ++++++++--------- tasks/fix-cat3.yml | 82 +- tasks/main.yml | 55 +- tasks/parse_etc_passwd.yml | 4 +- tasks/post_remediation_audit.yml | 16 +- tasks/pre_remediation_audit.yml | 32 +- tasks/prelim.yml | 12 +- vars/is_container.yml | 1 - 17 files changed, 745 insertions(+), 748 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 42cbe296..964eb052 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,4 +1,5 @@ --- + parseable: true quiet: true skip_list: @@ -7,6 +8,7 @@ skip_list: - 'var-spacing' - 'fqcn-builtins' - 'experimental' + - 'name[play]' - 'name[casing]' - 'name[template]' - 'fqcn[action]' diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 26ee32de..6ceb2cbb 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -5,7 +5,7 @@ name: linux_benchmark_pipeline # Controls when the action will run. # Triggers the workflow on push or pull request # events but only for the devel branch -on: +on: # yamllint disable-line rule:truthy pull_request_target: types: [opened, reopened, synchronize] branches: 
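Review bot: The only new text on the `on:` line is a yamllint suppression, but the trigger under it, `pull_request_target`, runs this workflow in the base repository's context — with its secrets and a write-capable `GITHUB_TOKEN` — for pull requests opened from forks. That is safe only if no later step checks out the PR head ref and then executes role code, linters or test playbooks from it; the rest of the workflow is outside this hunk, so I cannot confirm either way. If the job does run contributor changes, switch to `pull_request`, or keep `pull_request_target` and gate the checkout-and-run job behind an explicit approval label. A comment recording why the privileged trigger is needed would help the next reviewer: `# pull_request_target runs with base-repo secrets: never check out and execute untrusted PR code in this job`.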
diff --git a/.yamllint b/.yamllint index a3c37e1c..ec469292 100644 --- a/.yamllint +++ b/.yamllint @@ -1,32 +1,33 @@ --- -ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml - extends: default +ignore: | + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml + rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - level: error - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - line-length: disable - key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: false + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + empty-lines: + max: 1 + line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false diff --git a/collections/requirements.yml b/collections/requirements.yml index 4a418efa..23596ec0 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,8 +1,8 @@ --- collections: -- name: community.general + - name: community.general -- name: community.crypto + - name: community.crypto -- name: ansible.posix + - name: ansible.posix diff --git a/defaults/main.yml b/defaults/main.yml index 715615ce..c8803033 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -477,13 +477,13 @@ rhel8stig_smartcard: false # Configure your smartcard driver rhel8stig_smartcarddriver: cackey -#Whether or not system uses remote automounted home directories via autofs +# Whether or not system uses remote automounted home directories via autofs rhel8stig_autofs_remote_home_dirs: false -#The local mount point used by autofs to mount remote home directory to. This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true +# The local mount point used by autofs to mount remote home directory to. This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/" -#The default shell command to gather local interactive user directories +# The default shell command to gather local interactive user directories ## NOTE: You will need to adjust the UID range in parenthesis below. ## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below. local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'" @@ -533,7 +533,6 @@ rhel8stig_ssh_priv_key_perm: 0600 rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" rhel8stig_change_user_path: false - # RHEL-08-010700 # rhel8stig_ww_dir_owner is the owenr of all world-writable directories # To conform to STIG standards this needs to be set to root, sys, bin, or an application group @@ -794,7 +793,6 @@ rhel8stig_auditd_failure_flag: "{{ rhel8stig_availability_override | ternary(1, # REHL-08-010020 rhel8stig_boot_part: "{{ rhel_08_boot_part.stdout }}" - # RHEL-08-010740/RHEL-08-010750 rhel8stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" 
@@ -889,7 +887,6 @@ rhel8stig_tmux_lock_after_time: 900 # Value must be greater than 0 to conform to STIG standards rhel8stig_sudo_timestamp_timeout: 1 - #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_run_script_environment: diff --git a/handlers/main.yml b/handlers/main.yml index 2599f6c7..03ff8870 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,12 +1,12 @@ --- - name: systemctl daemon-reload - systemd: + ansible.builtin.systemd: daemon_reload: true when: - not system_is_container - name: update sysctl - template: + ansible.builtin.template: src: 99-sysctl.conf.j2 dest: /etc/sysctl.d/99-sysctl.conf owner: root @@ -16,11 +16,11 @@ when: "'procps-ng' in ansible_facts.packages" - name: sysctl system - command: sysctl --system + ansible.builtin.shell: sysctl --system when: "'procps-ng' in ansible_facts.packages" - name: restart sshd - service: + ansible.builtin.service: name: sshd state: restarted when: 
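Review bot: `sysctl system` changes from `command:` to `ansible.builtin.shell:` even though `sysctl --system` uses no pipes, redirects or globs, so the conversion only inserts a `/bin/sh -c` hop and, for the handlers later in this file that carry templated arguments, makes those values subject to shell word-splitting and metacharacter expansion; `ansible.builtin.command: sysctl --system` is the like-for-like FQCN form. ansible-lint's `command-instead-of-shell` rule will flag every one of these unless it is added to `.ansible-lint`'s `skip_list`, which would hide the warning rather than address it. The `restart sshd` handler's `when:` list continues outside the hunk.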
@@ -28,42 +28,42 @@ - "'openssh-server' in ansible_facts.packages" - name: restart sssd - service: + ansible.builtin.service: name: sssd state: restarted when: - "'sssd' in ansible_facts.packages" - name: restart snmpd - service: + ansible.builtin.service: name: snmpd state: restarted when: - not rhel8stig_system_is_chroot - name: restart rsyslog - service: + ansible.builtin.service: name: rsyslog state: restarted - name: generate fapolicyd rules - command: fagenrules --load + ansible.builtin.shell: fagenrules --load when: rhel_08_040137_rules_dir.stat.exists - name: restart fapolicyd - service: + ansible.builtin.service: name: fapolicyd state: restarted - name: confirm grub2 user cfg - stat: + ansible.builtin.stat: path: "/etc/grub.d/01_users" changed_when: rhel8stig_grub2_user_cfg.stat.exists register: rhel8stig_grub2_user_cfg notify: make grub2 config - name: make grub2 config - command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_bootloader_path }}/grub.cfg + ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_bootloader_path }}/grub.cfg when: - rhel8stig_grub2_user_cfg.stat.exists - not rhel8stig_skip_for_travis @@ -71,7 +71,7 @@ - name: copy grub2 config to BIOS/UEFI to satisfy benchmark listen: make grub2 config - copy: + ansible.builtin.copy: src: "{{ rhel8stig_bootloader_path }}/grub.cfg" dest: "{{ rhel8stig_bootloader_path }}/grub.cfg" remote_src: true @@ -85,7 +85,7 @@ - not system_is_container - name: "restart {{ rhel8stig_time_service }}" - service: + ansible.builtin.service: name: "{{ rhel8stig_time_service }}" state: restarted when: @@ -94,7 +94,7 @@ - not system_is_container - name: update auditd - template: + ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules owner: root @@ -103,7 +103,7 @@ notify: restart auditd - name: restart auditd - command: /usr/sbin/service auditd restart + ansible.builtin.shell: /usr/sbin/service auditd restart args: warn: false when: 
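Review bot: `make grub2 config` now runs `/usr/sbin/grub2-mkconfig --output={{ rhel8stig_bootloader_path }}/grub.cfg` through `ansible.builtin.shell`, so the templated bootloader path is re-parsed by `/bin/sh` — a value containing whitespace or metacharacters would split or inject where `command:` passed it as a single argv element; `fagenrules --load` and `/usr/sbin/service auditd restart` in the same hunk need no shell either. `ansible.builtin.command:` is the conversion that preserves the original semantics for all three. In `restart auditd` the kept `args: warn: false` refers to a parameter that was removed from command/shell in ansible-core 2.14, so on those versions the handler errors out instead of restarting auditd after rule changes; if the role is expected to run there, drop the `args:` block. Several `when:` lists in these hunks continue outside the visible lines.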
@@ -112,17 +112,17 @@ - not system_is_container - name: rebuild initramfs - command: dracut -f + ansible.builtin.shell: dracut -f - name: undo existing prelinking - command: prelink -ua + ansible.builtin.shell: prelink -ua - name: update running audit failure mode - command: auditctl -f {{ rhel8stig_auditd_failure_flag }} + ansible.builtin.shell: auditctl -f {{ rhel8stig_auditd_failure_flag }} failed_when: false - name: clean up ssh host key - file: + ansible.builtin.file: path: "{{ item }}" state: absent with_items: @@ -130,33 +130,33 @@ - /etc/ssh/ssh_host_rsa_key.pub - name: init aide and wait - command: /usr/sbin/aide --init -B 'database_out=file:{{ rhel8stig_aide_temp_db_file }}' + ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:{{ rhel8stig_aide_temp_db_file }}' notify: move aide db - name: init aide - shell: nohup /usr/sbin/aide --init -B 'database_out=file:{{ rhel8stig_aide_temp_db_file }}' > /dev/null & + ansible.builtin.shell: nohup /usr/sbin/aide --init -B 'database_out=file:{{ rhel8stig_aide_temp_db_file }}' > /dev/null & notify: move aide db - name: move aide db - command: "mv {{ rhel8stig_aide_temp_db_file }} {{ rhel8stig_aide_db_file }}" + ansible.builtin.shell: "mv {{ rhel8stig_aide_temp_db_file }} {{ rhel8stig_aide_db_file }}" when: not rhel8stig_aide_db_status.stat.exists or rhel8stig_overwrite_aide_db - name: dconf update - command: dconf update + ansible.builtin.shell: dconf update when: - "'dconf' in ansible_facts.packages" - rhel8stig_always_configure_dconf - name: prereport score - debug: + ansible.builtin.debug: msg: "Pre-run OpenSCAP score is {{ rhel8stig_prescanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan - name: postreport score - debug: + ansible.builtin.debug: msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan - name: change_requires_reboot - set_fact: + ansible.builtin.set_fact: change_requires_reboot: true 
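Review bot: `update running audit failure mode` combines `ansible.builtin.shell: auditctl -f {{ rhel8stig_auditd_failure_flag }}` with `failed_when: false`, so if the flag renders to a value auditctl rejects the handler silently leaves the previous failure mode in force, and because it is now a shell command a malformed value is also shell-interpreted; `ansible.builtin.command:` removes the second problem, and a `register:` with a `changed_when: result.rc == 0` would at least make the first visible in the recap. `move aide db` (`mv {{ rhel8stig_aide_temp_db_file }} {{ rhel8stig_aide_db_file }}`), `dracut -f`, `prelink -ua` and `dconf update` likewise use no shell syntax and should stay `command:`. The only handler here that genuinely needs a shell is `init aide`, whose `nohup … > /dev/null &` depends on it.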
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 61a4cdf1..b4ac4d25 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,7 +1,7 @@ --- - name: Download audit binary - get_url: + ansible.builtin.get_url: url: "{{ goss_url }}" dest: "{{ audit_bin }}" owner: root @@ -12,7 +12,7 @@ - get_goss_file == 'download' - name: copy audit binary - copy: + ansible.builtin.copy: src: dest: "{{ audit_bin }}" mode: 0555 diff --git a/tasks/audit_homedirinifiles.yml b/tasks/audit_homedirinifiles.yml index 9e365e21..cafc0457 100644 --- a/tasks/audit_homedirinifiles.yml +++ b/tasks/audit_homedirinifiles.yml @@ -1,6 +1,6 @@ --- - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs." - debug: + ansible.builtin.debug: msg: "You will need to audit {{ ini_item }} for reference to {{ item }}, which has been found with world-writable permissions. Those permissions will be changed in the next task to 0755." failed_when: false changed_when: false diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 5520f960..e265d327 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -1,7 +1,7 @@ --- - name: "HIGH | RHEL-08-010000 | AUDIT | The RHEL 8 must be a vendor-supported release." - debug: + ansible.builtin.debug: msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }} changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=') when: 
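Review bot: `Download audit binary` fetches `goss_url` and installs the result as a root-owned executable with no integrity check, so a compromised or redirected download source becomes code execution as root on every host the role audits. `ansible.builtin.get_url` accepts a `checksum:` argument (`checksum: "sha256:<expected digest>"`, or a URL to a digest file) that fails the task on mismatch; pin the expected digest next to wherever `goss_url` is defined and pass it here. In the following `copy audit binary` hunk `src:` is empty, which as written cannot succeed — presumably the local path is meant to be supplied elsewhere, but the hunk does not show where.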
@@ -17,7 +17,7 @@ - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" - package: + ansible.builtin.package: name: - dracut-fips - crypto-policies-scripts @@ -28,7 +28,7 @@ when: "'dracut-fips' not in ansible_facts.packages" - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Enables FIPS mode on kernel" - command: fips-mode-setup --enable + ansible.builtin.shell: fips-mode-setup --enable register: rhel_08_010020_kernel_fips_enable changed_when: rhel_08_010020_kernel_fips_enable.rc == 0 notify: change_requires_reboot @@ -37,7 +37,7 @@ (ansible_proc_cmdline.fips is defined and ansible_proc_cmdline.fips != '1') - name: "HIGH | RHEL-08-010020 | PATCH | Disable prelinking." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no 
@@ -45,14 +45,14 @@ notify: undo existing prelinking - name: "HIGH | RHEL-08-010020 | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub check_mode: false failed_when: false changed_when: rhel_08_010020_default_grub_missing_audit.rc > 0 register: rhel_08_010020_default_grub_missing_audit - name: "HIGH | RHEL-08-010020 | AUDIT | parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" - command: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline + ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline check_mode: false changed_when: false failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1 @@ -60,7 +60,7 @@ register: rhel_08_010020_grub_cmdline_linux_audit - name: "HIGH | RHEL-08-010020 | PATCH | Copy over a sane /etc/default/grub" - template: + ansible.builtin.template: src: etc_default_grub.j2 dest: /etc/default/grub owner: root @@ -71,7 +71,7 @@ when: rhel_08_010020_default_grub_missing_audit is changed - name: "HIGH | RHEL-08-010020 | PATCH | fips=1 must be in /etc/default/grub" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: "{{ rhel8stig_regexp_quoted_params }}" replace: "{{ rhel8stig_replace_quoted_params }}" @@ -88,7 +88,7 @@ - change_requires_reboot - name: "HIGH | RHEL-08-010020 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: "{{ rhel8stig_regexp_quoted_params }}" replace: "{{ rhel8stig_replace_quoted_params }}" 
@@ -108,7 +108,7 @@ register: result - name: "HIGH | RHEL-08-010020 | AUDIT | Verify kernel parameters in /etc/default/grub" - command: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub check_mode: false with_items: - fips=1 @@ -120,7 +120,7 @@ - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - rhel8stig_boot_part not in ['/', ''] or - 'boot=' not in item + "'boot=' not in item" changed_when: - ansible_check_mode - rhel_08_010020_audit is failed @@ -142,14 +142,14 @@ - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords." block: - name: "HIGH | RHEL-08-010121 | AUDIT | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Get users with no pw set" - shell: "awk -F: '!$2 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '!$2 {print $1}' /etc/shadow" changed_when: false failed_when: false check_mode: false register: rhel_08_010121_no_pw_users - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Warn on accounts with no passwords" - debug: + ansible.builtin.debug: msg: - "Alert! You have users that are not using passwords. Please either set a password, lock, or remove the accounts below:" - "{{ rhel_08_010121_no_pw_users.stdout_lines }}" @@ -158,7 +158,7 @@ - not rhel8stig_disruption_high - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords. | Lock accounts with no passwords, disruptive" - user: + ansible.builtin.user: name: "{{ item }}" password_lock: true with_items: 
@@ -183,7 +183,7 @@ - name: | "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password" "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel8stig_bootloader_path }}/user.cfg" create: true regexp: ^GRUB2_PASSWORD= 
@@ -213,23 +213,23 @@ - name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." block: - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Dnf Default" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dnf/dnf.conf regexp: '^gpgcheck=' line: gpgcheck=1 - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Gather Repos" - find: + ansible.builtin.find: paths: /etc/yum.repos.d pattern: '*.repo' register: rhel_08_010370_repos_files_list_full - name: "HIGH | RHEL-08-010370 | AUDIT | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
| Flatten result" - set_fact: + ansible.builtin.set_fact: rhel_08_010370_repos_files_list: "{{ rhel_08_010370_repos_files_list_full.files | map(attribute='path') | flatten }}" - name: "HIGH | RHEL-08-010370 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Set gpgcheck" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^gpgcheck' line: gpgcheck=1 @@ -247,7 +247,7 @@ - yum - name: "HIGH | RHEL-08-010371 | PATCH | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization." - lineinfile: + ansible.builtin.lineinfile: path: /etc/dnf/dnf.conf regexp: '^localpkg_gpgcheck=' line: localpkg_gpgcheck=True @@ -263,7 +263,7 @@ - dnf - name: "HIGH | RHEL-08-010460 | PATCH | There must be no shosts.equiv files on the RHEL 8 operating system." - file: + ansible.builtin.file: path: /etc/ssh/shosts.equiv state: absent when: @@ -280,14 +280,14 @@ - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system." block: - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Find .shosts files" - find: + ansible.builtin.find: path: '/' recurse: true patterns: '*.shosts' register: rhel_08_010470_shost_files - name: "HIGH | RHEL-08-010470 | PATCH | There must be no .shosts files on the RHEL 8 operating system. | Remove .shosts files" - file: + ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: 
@@ -304,7 +304,7 @@ - shosts - name: "HIGH | RHEL-08-010820 | PATCH | Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/gdm/custom.conf regexp: (?i)automaticloginenable line: AutomaticLoginEnable=false @@ -321,7 +321,7 @@ - V-230329 - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitEmptyPasswords' line: 'PermitEmptyPasswords no' @@ -340,7 +340,7 @@ - disruption_high - name: "HIGH | RHEL-08-020331 | PATCH | RHEL 8 must not allow blank or null passwords in the system-auth file." - replace: + ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: ' nullok' replace: '' @@ -355,7 +355,7 @@ - V-244540 - name: "HIGH | RHEL-08-020332 | PATCH | RHEL 8 must not allow blank or null passwords in the password-auth file." - replace: + ansible.builtin.replace: path: /etc/pam.d/password-auth regexp: ' nullok' replace: '' @@ -370,7 +370,7 @@ - V-244541 - name: "HIGH | RHEL-08-040000 | PATCH | RHEL 8 must not have the telnet-server package installed." - package: + ansible.builtin.package: name: telnet-server state: absent when: @@ -385,7 +385,7 @@ - V-230487 - name: "HIGH | RHEL-08-040010 | PATCH | RHEL 8 must not have the rsh-server package installed." - package: + ansible.builtin.package: name: rsh-server state: absent when: 
@@ -402,13 +402,13 @@ - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8." block: - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Mask ctrl-alt-del.target" - systemd: + ansible.builtin.systemd: name: ctrl-alt-del.target masked: true notify: systemctl daemon-reload - name: "HIGH | RHEL-08-040170 | PATCH | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8. | Create symlink to /dev/null" - file: + ansible.builtin.file: src: /dev/null dest: /etc/systemd/system/ctrl-alt-del.target state: link @@ -427,13 +427,13 @@ - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." block: - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" - command: grep -s logout /etc/dconf/db/local.d/* + ansible.builtin.shell: grep -s logout /etc/dconf/db/local.d/* changed_when: false failed_when: false register: rhel_08_040171_logout_settings_status - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Add if missing" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-disable-CAD regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -450,7 +450,7 @@ when: rhel_08_040171_logout_settings_status.stdout | length == 0 - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Edit if exists" - replace: + ansible.builtin.replace: path: "{{ rhel_08_040171_logout_settings_status.stdout }}" regexp: '^[L|l]ogout=.*' replace: "logout=''" 
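Review bot: At @@ -450 `path:` is set to `rhel_08_040171_logout_settings_status.stdout`, which is grep's output from the audit at @@ -427 — with several files under /etc/dconf/db/local.d/ that is `file:logout=...` lines, with one file just the matching line, and never a bare path — so the "Edit if exists" branch points `ansible.builtin.replace` at a file that does not exist. The move of the audit to `ansible.builtin.shell` is what makes the `*` glob expand at all, so this branch only becomes reachable with this commit. Listing matching files instead, `ansible.builtin.shell: grep -ls logout /etc/dconf/db/local.d/*`, gives the replace task a real path (loop over `stdout_lines` if more than one file can match).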
@@ -467,7 +467,7 @@ - V-230530 - name: "HIGH | RHEL-08-040172 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled." - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/system.conf regexp: '^CtrlAltDelBurstAction=|^#CtrlAltDelBurstAction=' line: CtrlAltDelBurstAction=none @@ -484,7 +484,7 @@ - V-230531 - name: "HIGH | RHEL-08-040190 | PATCH | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support." - package: + ansible.builtin.package: name: tftp-server state: absent when: @@ -503,19 +503,19 @@ - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system." block: - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Get list of non-root accounts with UID of 0" - shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" + ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false failed_when: false register: rhel_08_040200_nonroot_uid - name: "HIGH | HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Lock non-root account with UID of 0" - command: "passwd -l {{ item }}" + ansible.builtin.shell: "passwd -l {{ item }}" with_items: - "{{ rhel_08_040200_nonroot_uid.stdout_lines }}" when: rhel_08_040200_nonroot_uid.stdout | length > 0 - name: "HIGH | RHEL-08-040200 | PATCH | The root account must be the only account having unrestricted access to the RHEL 8 system. | Display accounts that were locked" - debug: + ansible.builtin.debug: msg: - "WARNING!! The following accounts were locked since they had UID of 0 and were not the root user" - " {{ rhel_08_040200_nonroot_uid.stdout_lines }}" 
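Review bot: `passwd -l {{ item }}` at @@ -503 now runs under `ansible.builtin.shell`, so each account name read from `rhel_08_040200_nonroot_uid.stdout_lines` is interpolated unquoted into a /bin/sh command line; `ansible.builtin.command: "passwd -l {{ item }}"` keeps the previous no-shell behaviour, and `ansible.builtin.user` with `name: "{{ item }}"` and `password_lock: true`, which this file already uses for RHEL-08-010121, is the idiomatic and idempotent form. The task name on that line also reads `HIGH | HIGH | RHEL-08-040200`, a duplicated prefix worth dropping while the line is being touched.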
@@ -533,7 +533,7 @@ - disruption_high - name: "HIGH | RHEL-08-040360 | PATCH | A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8." - package: + ansible.builtin.package: name: vsftpd state: absent when: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 3a8dd0d3..63a9b43d 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -3,7 +3,7 @@ - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool." block: - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee" - debug: + ansible.builtin.debug: msg: - "WARNING!! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool" - "McAfee is the suggested by STIG" @@ -12,7 +12,7 @@ 'mfetpd' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present" - debug: + ansible.builtin.debug: msg: "Congratulations! You have McAfee installed" when: - "'mcafeetp' in ansible_facts.packages or @@ -29,7 +29,7 @@ - V-245540 - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." - package: + ansible.builtin.package: name: "*" state: latest when: 
@@ -46,13 +46,13 @@ - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection." block: - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout" - command: lsblk + ansible.builtin.shell: lsblk changed_when: false failed_when: false register: rhel_08_010030_partition_layout - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning" - debug: + ansible.builtin.debug: msg: - 'WARNING!! Below is the partition layout. Please run the "sudo more /etc/crypttab" command to confirm every persistent disk partition has an entry.' - "If partitions other than pseudo file systems (such as /var or /sys) this is a finding" @@ -74,7 +74,7 @@ - name: | "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path"" "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path"" - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' line: 'Banner /etc/issue' 
@@ -84,7 +84,7 @@ - name: | "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" - copy: # noqa: template-instead-of-copy + ansible.builtin.copy: # noqa: template-instead-of-copy dest: "{{ item }}" content: "{{ rhel8stig_logon_banner }}" owner: root @@ -110,7 +110,7 @@ - V-230227 - name: "MEDIUM | RHEL-08-010049 | PATCH | RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/01-banner-message regexp: 'banner-message-enabled=' line: banner-message-enable=true @@ -132,7 +132,7 @@ - banner - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." - copy: # noqa: template-instead-of-copy + ansible.builtin.copy: # noqa: template-instead-of-copy dest: /etc/dconf/db/local.d/01-banner-message content: | [org/gnome/login-screen] @@ -157,7 +157,7 @@ - V-230226 - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - lineinfile: + ansible.builtin.lineinfile: path: /etc/rsyslog.conf line: "auth.*;authpriv.*;daemon.* /var/log/secure" create: true 
@@ -178,13 +178,13 @@ - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor." block: - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs" - command: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem + ansible.builtin.shell: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem changed_when: false failed_when: false register: rhel_08_010090_certs_list - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs" - debug: + ansible.builtin.debug: msg: - "WARNING!! The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD" - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem" @@ -203,7 +203,7 @@ - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key." block: - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder" - file: + ansible.builtin.file: path: "{{ rhel8stig_path_to_sshkey }}" state: directory mode: '0700' 
@@ -223,7 +223,7 @@ - V-230230 - name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^ENCRYPT_METHOD.*' line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" @@ -241,13 +241,13 @@ - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords." block: - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing" - command: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' + ansible.builtin.shell: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:' changed_when: false failed_when: false register: rhel_08_010120_non_fips_hashed_accounts - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" - command: "passwd -l {{ item }}" + ansible.builtin.shell: "passwd -l {{ item }}" args: warn: false with_items: @@ -256,7 +256,7 @@ - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0 - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts" - debug: + ansible.builtin.debug: msg: - "WARNING!! The following accounts do not have FIPS 140-2 hashing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG" - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" 
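Review bot: The pipeline at @@ -241 now runs under `ansible.builtin.shell`, so `$6` inside the double-quoted grep pattern is expanded by the shell as the (empty) sixth positional parameter and the filter becomes `grep -v ":$"`, which discards every /etc/shadow line ending in `:` — normally all of them — so the audit reports no non-FIPS-hashed accounts and the lock step never runs. Escape the dollars for the shell: `ansible.builtin.shell: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":\$6\$" | cut -f1 -d:'`. The `args: warn: false` on the `passwd -l` task is, as far as I can tell, no longer accepted by command/shell on recent ansible-core and would fail the task, so confirm the targeted core version; `passwd -l {{ item }}` here also has the same shell-interpolation concern as the RHEL-08-040200 hunk (@@ -503) earlier in this patch, where `ansible.builtin.user` with `password_lock: true` would be preferable.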
@@ -276,7 +276,7 @@ - disruption_high - name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s line: SHA_CRYPT_MIN_ROUNDS {{ rhel8stig_hashing_rounds }} @@ -294,7 +294,7 @@ - name: | "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." - template: + ansible.builtin.template: src: 01_users.j2 dest: /etc/grub.d/01_users owner: root @@ -317,7 +317,7 @@ - grub - name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes." - lineinfile: + ansible.builtin.lineinfile: path: /usr/lib/systemd/system/rescue.service regexp: '^ExecStart=' line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" @@ -337,7 +337,7 @@ - systemd - name: "MEDIUM | RHEL-08-010152 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency mode." - lineinfile: + ansible.builtin.lineinfile: path: /usr/lib/systemd/system/emergency.service regexp: '^ExecStart=' line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" @@ -357,7 +357,7 @@ - systemd - name: "MEDIUM | RHEL-08-010159 | PATCH | The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." - pamd: + community.general.pamd: name: system-auth type: password control: sufficient 
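Review bot: `community.general.pamd` at @@ -357 (and @@ -376, plus `ansible.posix.selinux` at @@ -439) turns a built-in module reference into a collection dependency; unless the role already declares `community.general` and `ansible.posix` in its meta collections list or a requirements file, these tasks fail to resolve on a controller with only ansible-core installed. Neither file is part of this patch, so confirm the dependency is recorded, and consider listing the required collections in the README.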
@@ -376,7 +376,7 @@ - pamd - name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication." - pamd: + community.general.pamd: name: password-auth type: password control: sufficient @@ -397,14 +397,14 @@ - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication." block: - name: "MEDIUM | RHEL-08-010161 | AUDIT | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files" - find: + ansible.builtin.find: path: / patterns: '*.keytab' recurse: true register: rhel8stig_010161_keytab_files - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files" - file: + ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: @@ -422,7 +422,7 @@ - kerberos - name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8." - package: + ansible.builtin.package: name: krb5-workstation state: absent when: @@ -439,7 +439,7 @@ - name: "| MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services. MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy." - selinux: + ansible.posix.selinux: state: enforcing policy: targeted check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}" 
@@ -466,13 +466,13 @@ - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources." block: - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories" - shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" + ansible.builtin.shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'" changed_when: false failed_when: false register: rhel_08_010190_world_writable_files - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files" - file: + ansible.builtin.file: path: "{{ item }}" mode: '1777' with_items: @@ -489,7 +489,7 @@ - permissions - name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveCountMax.*' line: ClientAliveCountMax 1 @@ -507,7 +507,7 @@ - ssh - name: "MEDIUM | RHEL-08-010201 | PATCH | The RHEL 8 SSH daemon must be configured with a timeout interval" - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveInterval.*' line: "ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}" 
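Review bot: The audit at @@ -466 pipes `find ... -print` into `sed 's/.* //'`, which deletes everything up to the last space, so a world-writable directory whose path contains a space is reported as its last word only and the following `ansible.builtin.file` task applies `mode: '1777'` to that wrong relative path (or fails). Since `-print` already yields one path per line, the sed suffix can be dropped: `ansible.builtin.shell: "find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null"`. This is pre-existing context rather than part of the FQCN change, but it sits on the line being rewritten.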
@@ -528,7 +528,7 @@ "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive." "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root." "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root." - file: + ansible.builtin.file: path: /var/log/messages owner: root group: root @@ -556,7 +556,7 @@ - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file." block: - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -564,7 +564,7 @@ notify: restart sssd - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -572,7 +572,7 @@ notify: restart sssd - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' 
@@ -593,7 +593,7 @@ - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file." block: - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -601,7 +601,7 @@ notify: restart sssd - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -609,7 +609,7 @@ notify: restart sssd - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -628,7 +628,7 @@ - pamd - name: "MEDIUM | RHEL-08-020031 | PATCH | RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver_rhel_08_020031 content: | [org/gnome/desktop/screensaver] 
@@ -649,7 +649,7 @@ - dconf - name: "MEDIUM | RHEL-08-020032 | PATCH | RHEL 8 must disable the user list at logon for graphical user interfaces." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/02-login-screen_rhel_08_020032 content: | [org/gnome/login-screen] @@ -669,7 +669,7 @@ - dconf - name: "MEDIUM | RHEL-08-020039 | PATCH | RHEL 8 must have the tmux package installed." - package: + ansible.builtin.package: name: tmux state: present when: @@ -688,7 +688,7 @@ "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive." "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root." "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root." - file: + ansible.builtin.file: path: /var/log owner: root group: root @@ -713,7 +713,7 @@ - permissions - name: "MEDIUM | RHEL-08-020081 | PATCH | RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081 content: | /org/gnome/desktop/session/idle-delay @@ -732,7 +732,7 @@ - V-244538 - name: "MEDIUM | RHEL-08-020082 | PATCH | RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082 content: | /org/gnome/desktop/screensaver/lock-enabled @@ -752,7 +752,7 @@ - dconf - name: "MEDIUM | RHEL-08-010287 | PATCH | The RHEL 8 SSH daemon must be configured to use system-wide crypto policies." - lineinfile: + ansible.builtin.lineinfile: path: /etc/sysconfig/sshd regexp: '^CRYPTO_POLICY=' line: '# CRYPTO_POLICY=' 
@@ -771,17 +771,17 @@ - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add MACs" block: - - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" - ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i MACs | sed s'/-o//g' - changed_when: false - register: rhel8stig_current_macs - - - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" - ansible.builtin.lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)' - line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>' - backrefs: true + - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs" + ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i MACs | sed s'/-o//g' + changed_when: false + register: rhel8stig_current_macs + + - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. 
| get MACs" + ansible.builtin.lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)' + line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>' + backrefs: true notify: change_requires_reboot when: - rhel_08_010290 
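Review bot: The re-indented AUDIT task that registers `rhel8stig_current_macs` has no `check_mode: false`, unlike the other shell probes in this file, so in check mode the shell step is skipped and the following lineinfile's `{{ rhel8stig_current_macs.stdout }}` would fail on an undefined attribute; add `check_mode: false` beside `changed_when: false`. The captured stdout is also interpolated into the regexp unescaped, and when the grep pipeline finds no MACs entry stdout is empty and the pattern degenerates to `(^CRYPTO_POLICY=.*)-o(.*$)`, so `regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout | regex_escape }}(.*$)'` plus an explicit empty-stdout guard (or a deliberate append path) would be safer. The PATCH task also reuses the AUDIT task's `| get MACs` suffix; `| set MACs` would distinguish the two in play output. The same three points apply to the ciphers hunk at @@ -796 with `rhel8stig_current_ciphers`.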
@@ -796,17 +796,17 @@ - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | Add Ciphers" block: - - name: "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" - ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i Ciphers | sed s'/-o//g' - changed_when: false - register: rhel8stig_current_ciphers - - - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" - ansible.builtin.lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' - line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>' - backrefs: true + - name: "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" + ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i Ciphers | sed s'/-o//g' + changed_when: false + register: rhel8stig_current_ciphers + + - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers" + ansible.builtin.lineinfile: + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)' + line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>' + backrefs: true notify: change_requires_reboot when: - rhel_08_010291 
@@ -822,13 +822,13 @@ - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package." block: - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state" - command: fips-mode-setup --check + ansible.builtin.shell: fips-mode-setup --check changed_when: false failed_when: rhel_08_010293_pre_fips_check.stdout is not defined register: rhel_08_010293_pre_fips_check - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" - command: fips-mode-setup --enable + ansible.builtin.shell: fips-mode-setup --enable register: rhel_08_010290_fips_enable notify: change_requires_reboot when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' @@ -846,7 +846,7 @@ - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." block: - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." - lineinfile: + ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensslcnf.config regexp: '^MinProtocol =' line: "MinProtocol = TLSv1.2" @@ -854,7 +854,7 @@ when: ansible_facts.packages['crypto-policies'][0].version | int < 20210617 - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package." - lineinfile: + ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensslcnf.config regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
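Review bot: Both fips-mode-setup tasks in the @@ -822 hunk move from `command` to `ansible.builtin.shell`, which is a behavioural change rather than a plain FQCN rename: neither command line uses pipes, redirection or globbing, so routing it through a shell gains nothing and ansible-lint's command-instead-of-shell rule will flag it. The direct equivalents are `ansible.builtin.command: fips-mode-setup --check` and `ansible.builtin.command: fips-mode-setup --enable`. The @@ -846 and @@ -854 hunks on this line are straight renames.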
@@ -875,7 +875,7 @@ - openssl - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" - lineinfile: + ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/gnutls.config regexp: '^(.*)\+VERS-ALL:' line: '\1{{ rhel8stig_gnutls_encryption }}' @@ -901,7 +901,7 @@ "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive" "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root or a system account. | Get commands no group-owned by root" - shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" + ansible.builtin.shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" args: warn: false changed_when: false @@ -912,7 +912,7 @@ "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions" "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions" "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root or a system account. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" owner: root group: root 
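Review bot: The `args:` / `warn: false` pair kept under the renamed `ansible.builtin.shell` task in the @@ -901 hunk is an argument ansible-core deprecated in 2.13 and removed in 2.14, so on a current core the task fails with an unsupported-parameter error instead of merely suppressing a warning. Since this commit is moving the role onto FQCNs, dropping those two lines here is the consistent fix; the `find` pipeline itself needs no shell-specific handling for it. The same `warn: false` survives in the hunks at @@ -948, @@ -1395, @@ -1435, @@ -1475 and @@ -1833.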
@@ -948,7 +948,7 @@ "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root" - shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" + ansible.builtin.shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" args: warn: false changed_when: false @@ -959,7 +959,7 @@ "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less" "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root" "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root" - file: + ansible.builtin.file: path: "{{ item }}" owner: "{{ rhel_08_010340 | ternary('root',omit) }}" group: "{{ rhel_08_010350 | ternary('root',omit) }}" 
@@ -988,14 +988,14 @@ - name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive." block: - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Get directories" - shell: find /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type d + ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type d changed_when: false failed_when: false check_mode: false register: rhel_08_010331_directories - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Alert on permissions" - debug: + ansible.builtin.debug: msg: - "Alert! There are library directories that have permessions set to more permissive than 755" - "To conform to STIG standards, please review these directories and set to 755 or less permissive" @@ -1005,7 +1005,7 @@ - rhel_08_010331_directories.stdout | length > 0 - name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" state: directory mode: "{{ rhel8stig_lib_dir_perms }}" @@ -1027,14 +1027,14 @@ - name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root." block: - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. | Get directories" - shell: find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d + ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d changed_when: false failed_when: false check_mode: false register: rhel_08_010341_directories - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. | Alert on permissions" - debug: + ansible.builtin.debug: msg: - "Alert! There are library directories that are not owned by root" - "To conform to STIG standards, please review these directories and change owner to root" 
@@ -1044,7 +1044,7 @@ - not rhel8stig_disruption_high - name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: root @@ -1067,14 +1067,14 @@ - name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account." block: - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Get directories" - shell: find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d + ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d changed_when: false failed_when: false check_mode: false register: rhel_08_010351_directories - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Alert on permissions" - debug: + ansible.builtin.debug: msg: - "Alert! There are library directories that are not group owned by root." - "To conform to STIG standards, please review these directories and change group owner to root" @@ -1084,7 +1084,7 @@ - not rhel8stig_disruption_high - name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" state: directory group: root @@ -1105,7 +1105,7 @@ - permissions - name: "MEDIUM | RHEL-08-010359 | PATCH | The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions. | pkg install" - package: + ansible.builtin.package: name: aide state: present when: 
@@ -1121,7 +1121,7 @@ - aide - name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency." - cron: + ansible.builtin.cron: name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}' user: "{{ rhel8stig_aide_cron.user }}" cron_file: "{{ rhel8stig_aide_cron.cron_file }}" @@ -1158,19 +1158,19 @@ - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution." block: - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl - name: "MEDIUM | RHEL-08-010372 | AUDIT | RHEL 8 must prevent the loading of a new kernel for later execution. | Find conflicting instances" - shell: grep -rs "kernel.kexec_load_disabled = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.kexec_load_disabled = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010372_conflicting_settings - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^kernel.kexec_load_disabled = 0' state: absent 
@@ -1190,13 +1190,13 @@ - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks." block: - name: "MEDIUM | RHEL-08-010373 | AUDIT | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Find conflicting instances" - shell: grep -rs "fs.protected_symlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "fs.protected_symlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010373_conflicting_settings - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^fs.protected_symlinks = 0' state: absent @@ -1204,7 +1204,7 @@ when: rhel_08_010373_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -1222,13 +1222,13 @@ - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." block: - name: "MEDIUM | RHEL-08-010374 | AUDIT | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Find conflicting instances" - shell: grep -rs "fs.protected_hardlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "fs.protected_hardlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010374_conflicting_settings - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^fs.protected_hardlinks = 0' state: absent @@ -1236,7 +1236,7 @@ when: rhel_08_010374_conflicting_settings.stdout | length > 0 - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl @@ -1252,7 +1252,7 @@ - sysctl - name: "MEDIUM | RHEL-08-010379 | PATCH | RHEL 8 must specify the default 'include' directory for the /etc/sudoers file." - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regex: '^#includedir' line: '#includedir /etc/sudoers.d' 
@@ -1269,7 +1269,7 @@ - sudoers - name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation." - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' @@ -1288,7 +1288,7 @@ - sudo - name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation." - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' @@ -1307,7 +1307,7 @@ - sudo - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed." - package: + ansible.builtin.package: name: openssl-pkcs11 state: present when: @@ -1323,7 +1323,7 @@ - multifactor - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." - lineinfile: + ansible.builtin.lineinfile: path: '{{ rhel8stig_sssd_conf }}' regexp: '^certificate_verification = {{ item.regexp }}' state: "{{ item.state }}" @@ -1347,7 +1347,7 @@ - multifactor - name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials." - package: + ansible.builtin.package: name: opensc state: present when: 
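Review bot: The NOPASSWD regexp in the RHEL-08-010380 task (@@ -1269) does not match what its shape suggests: `[^#|{% if system_is_ec2 %}ec2-user{% endif %}]` is a character class, so on EC2 hosts it renders to `[^#|ec2-user]`, where `2-u` is a range and the class rejects any sudoers line whose first character is `#`, `|`, or anything from `2` to `u` (digits 2–9, all upper-case letters, `@`, `_`, lower-case a–u); entries such as `root ALL=(ALL) NOPASSWD: ALL` then keep NOPASSWD and the control is not remediated. On non-EC2 hosts it renders to `[^#|]` and behaves as intended. A negative lookahead expresses the intent (skip comments and, on EC2, the ec2-user entry) while preserving the two groups the `replace` value relies on: `regexp: "^((?!#){% if system_is_ec2 %}(?!ec2-user){% endif %}.*)NOPASSWD(.*)"`. The task's `with_items`/`when` lie outside the hunk.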
@@ -1366,19 +1366,19 @@ - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution." block: - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state" - shell: dmesg |grep "NX (" + ansible.builtin.shell: dmesg |grep "NX (" changed_when: false failed_when: false register: rhel_08_010420_nx_bit_state - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set" - debug: + ansible.builtin.debug: msg: - "Good News! You are setup with execute disable active." when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout' - name: "MEDIUM | RHEL-08-010420 | AUDIT | RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set" - debug: + ansible.builtin.debug: msg: - "WARNING!! You do not have execute disable active. Please change the setting in your BIOS settings" when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout' @@ -1395,7 +1395,7 @@ - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks." block: - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' args: warn: false changed_when: false 
@@ -1403,20 +1403,20 @@ register: rhel8stig_010421_grub_cmdline_linux - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active" - shell: grubby --update-kernel=ALL --args="page_poison=1" + ansible.builtin.shell: grubby --update-kernel=ALL --args="page_poison=1" when: - (ansible_proc_cmdline.page_poison is defined and ansible_proc_cmdline.page_poison != '1') or (ansible_proc_cmdline.page_poison is not defined) - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"' when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout' - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'page_poison=([^\s|"])+' replace: "page_poison=1" @@ -1435,7 +1435,7 @@ - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls." block: - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' args: warn: false changed_when: false 
@@ -1443,20 +1443,20 @@ register: rhel8stig_010422_grub_cmdline_linux - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active" - shell: grubby --update-kernel=ALL --args="vsyscall=none" + ansible.builtin.shell: grubby --update-kernel=ALL --args="vsyscall=none" when: - (ansible_proc_cmdline.vsyscall is defined and ansible_proc_cmdline.vsyscall != 'none') or (ansible_proc_cmdline.vsyscall is not defined) - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"' when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout' - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'vsyscall=([^\s|"])+' replace: "vsyscall=none" @@ -1475,7 +1475,7 @@ - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks." block: - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' args: warn: false changed_when: false 
@@ -1483,20 +1483,20 @@ register: rhel8stig_010423_grub_cmdline_linux - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active" - shell: grubby --update-kernel=ALL --args="slub_debug=P" + ansible.builtin.shell: grubby --update-kernel=ALL --args="slub_debug=P" when: - (ansible_proc_cmdline.slub_debug is defined and ansible_proc_cmdline.slub_debug != 'P') or (ansible_proc_cmdline.slub_debug is not defined) - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"' when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout' - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'slub_debug=([^\s|"])+' replace: "slub_debug=P" 
@@ -1515,13 +1515,13 @@ - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution." block: - name: " MEDIUM | RHEL-08-010430 | AUDIT | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Find conflicting instances" - shell: grep -rs "kernel.randomize_va_space = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.randomize_va_space = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_010430_conflicting_settings - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Remove conflicting instances" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: "kernel.randomize_va_space = [^2]" state: absent @@ -1529,7 +1529,7 @@ when: rhel_08_010430_conflicting_settings.stdout | length > 0 - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl 
@@ -1547,7 +1547,7 @@ - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive." block: - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files" - find: + ansible.builtin.find: paths: /etc/ssh recurse: true file_type: file @@ -1558,7 +1558,7 @@ register: rhel_08_010480_public_files - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions" - file: + ansible.builtin.file: path: "{{ item.path }}" mode: "{{ rhel8stig_ssh_pub_key_perm }}" with_items: @@ -1581,7 +1581,7 @@ - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive." block: - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Find files" - find: + ansible.builtin.find: paths: /etc/ssh recurse: true file_type: file @@ -1592,7 +1592,7 @@ register: rhel_08_010490_private_host_key_files - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions" - file: + ansible.builtin.file: path: "{{ item.path }}" mode: "{{ rhel8stig_ssh_priv_key_perm }}" with_items: @@ -1613,7 +1613,7 @@ - ssh - name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?StrictModes' line: 'StrictModes yes' @@ -1631,7 +1631,7 @@ - ssh - name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?IgnoreUserKnownHosts' line: 'IgnoreUserKnownHosts yes' 
@@ -1649,7 +1649,7 @@ - ssh - name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?KerberosAuthentication' line: "KerberosAuthentication no" @@ -1667,7 +1667,7 @@ - ssh - name: "MEDIUM | RHEL-08-010522 | PATCH | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?GSSAPIAuthentication' line: "GSSAPIAuthentication no" @@ -1684,7 +1684,7 @@ - ssh - name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory." - debug: + ansible.builtin.debug: msg: "WARNING!! /tmp is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex @@ -1706,14 +1706,14 @@ - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp." block: - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Alert on missing mount" - debug: + ansible.builtin.debug: msg: "WARNING!! /var/tmp does not exist, /var/tmp needs to use a sperate file system. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is defined when: "'/var/tmp' not in mount_names" - name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp. | Mount is present" - debug: + ansible.builtin.debug: msg: "Congratulations: /var/tmp does exist." when: "'/var/tmp' in mount_names" when: 
@@ -1728,7 +1728,7 @@ - mounts - name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitRootLogin' line: 'PermitRootLogin no' @@ -1746,7 +1746,7 @@ - ssh - name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8." - service: + ansible.builtin.service: name: rsyslog.service state: started enabled: true @@ -1762,7 +1762,7 @@ - rsyslog - name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories." - mount: + ansible.posix.mount: path: /home state: mounted src: "{{ home_mount.device }}" @@ -1785,7 +1785,7 @@ - home - name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory." - mount: + ansible.posix.mount: path: /boot state: mounted src: "{{ boot_mount.device }}" @@ -1808,7 +1808,7 @@ - boot - name: "MEDIUM | RHEL-08-010572 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory." - mount: + ansible.posix.mount: path: /boot/efi state: mounted src: "{{ boot_efi_mount.device }}" @@ -1833,7 +1833,7 @@ - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions." block: - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" - shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' + ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' args: warn: false changed_when: false 
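Review bot: Renaming `mount:` to `ansible.posix.mount:` in the @@ -1762 hunk makes the task depend on the ansible.posix collection, which is not part of ansible-core; unless the role's meta/main.yml `collections` list or a requirements.yml (neither visible here) declares it, module resolution fails on a minimal install. The same rename appears in the hunks at @@ -1785, @@ -1808, @@ -1860, @@ -1886, @@ -1911, @@ -1925, @@ -1953, @@ -1967, @@ -1995 and @@ -2009.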
@@ -1841,7 +1841,7 @@ register: rhel8stig_010580_mounts_nodev - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results" - set_fact: + ansible.builtin.set_fact: rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}" @@ -1860,7 +1860,7 @@ when: rhel8stig_010580_mounts_nodev.stdout | length > 0 - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value" - mount: + ansible.posix.mount: path: "{{ item.mpoint }}" state: mounted src: "{{ item.device }}" @@ -1886,7 +1886,7 @@ - mounts - name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories." - mount: + ansible.posix.mount: path: /home state: mounted src: "{{ home_mount.device }}" @@ -1911,7 +1911,7 @@ - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media" - mount: + ansible.posix.mount: path: /media state: mounted src: "{{ removable_mount.device }}" @@ -1925,7 +1925,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /mnt" - mount: + ansible.posix.mount: path: /mnt state: mounted src: "{{ removable_mount2.device }}" 
@@ -1953,7 +1953,7 @@ - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /media" - mount: + ansible.posix.mount: path: /media state: mounted src: "{{ removable_mount.device }}" @@ -1967,7 +1967,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt" - mount: + ansible.posix.mount: path: /mnt state: mounted src: "{{ removable_mount2.device }}" @@ -1995,7 +1995,7 @@ - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media" - mount: + ansible.posix.mount: path: /media state: mounted src: "{{ removable_mount.device }}" @@ -2009,7 +2009,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt" - mount: + ansible.posix.mount: path: /mnt state: mounted src: "{{ removable_mount2.device }}" 
@@ -2035,7 +2035,7 @@ - media - name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)." - mount: + ansible.posix.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -2060,7 +2060,7 @@ - nfs - name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)." - mount: + ansible.posix.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -2085,7 +2085,7 @@ - nfs - name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)" - mount: + ansible.posix.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -2112,7 +2112,7 @@ - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs." block: - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions" - shell: find {{ item.mount }} -xdev -type f -perm -002 + ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm -002 args: warn: false changed_when: false 
@@ -2124,11 +2124,11 @@ label: "{{ item.mount }}" - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening" - set_fact: + ansible.builtin.set_fact: rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}" - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories" - include_tasks: audit_homedirinifiles.yml + ansible.builtin.include_tasks: audit_homedirinifiles.yml loop: - "{{ rhel_08_stig_interactive_homedir_inifiles }}" loop_control: @@ -2137,7 +2137,7 @@ - rhel_08_010660_change_perms != [] - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" mode: '0755' state: file @@ -2159,7 +2159,7 @@ - permissions - name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed." - service: + ansible.builtin.service: name: kdump enabled: false state: stopped @@ -2179,13 +2179,13 @@ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." block: - name: "MEDIUM | RHEL-08-010671 | AUDIT | RHEL 8 must disable the kernel.core_pattern." - shell: grep -rs 'kernel.core_pattern\s+=\s*[? 0 - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" changed_when: true notify: update sysctl @@ -2209,7 +2209,7 @@ - sysctl - name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps." - systemd: + ansible.builtin.systemd: name: systemd-coredump.socket masked: true daemon_reload: true 
@@ -2227,7 +2227,7 @@ - systemd - name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/limits.conf regexp: '^\*.*hard.*core' line: "* hard core 0" @@ -2245,7 +2245,7 @@ - limits - name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps." - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^(S|s)torage=|#(S|s)torage=' line: "Storage=none" @@ -2262,7 +2262,7 @@ - systemd - name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces." - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax=' line: "ProcessSizeMax=0" 
@@ -2282,33 +2282,33 @@ - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured." block: - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf" - shell: grep "dns" /etc/nsswitch.conf | grep -v "#" + ansible.builtin.shell: grep "dns" /etc/nsswitch.conf | grep -v "#" changed_when: false failed_when: false check_mode: false register: rhel_08_010680_nsswitch_check - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf" - command: grep -c "# Generated by NetworkManager" /etc/resolv.conf + ansible.builtin.shell: grep -c "# Generated by NetworkManager" /etc/resolv.conf changed_when: false failed_when: false check_mode: false register: rhel_08_010680_networkmanager_check - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf" - shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l + ansible.builtin.shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l changed_when: false failed_when: false check_mode: false register: rhel_08_010680_nameserver_count - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. 
| Change resolv.conf if dns is not present in nsswitch.conf" - shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf + ansible.builtin.shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf when: - "'dns' not in rhel_08_010680_nsswitch_check.stdout" - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/resolv.conf regexp: "{{ item.regexp }}" line: "nameserver {{ item.line }}" @@ -2322,7 +2322,7 @@ - rhel_08_010680_nameserver_count.stdout | int >= 2 - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf using a template when not NetworkManager controlled" - template: + ansible.builtin.template: src: resolv.conf.j2 dest: /etc/resolv.conf owner: root @@ -2333,7 +2333,7 @@ - rhel8_stig_use_resolv_template - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp." - debug: + ansible.builtin.debug: msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations." changed_when: true when: 
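Review bot: The RHEL-08-010680 "Determine if networkmanager is setting /etc/resolv.conf" task is moved from `command` to `ansible.builtin.shell`, while every other line in this hunk is a pure FQCN rename; nothing in that task needs a shell (no pipe, redirect or glob), so the like-for-like change is `ansible.builtin.command: grep -c "# Generated by NetworkManager" /etc/resolv.conf`, which keeps the arguments out of an interpreter and avoids ansible-lint's command-instead-of-shell finding. The same command-to-shell switch is made in the RHEL-08-010700 and RHEL-08-010710 "Get directories" tasks, where the `find` argument list is templated from `ansible_mounts`; unless the switch was deliberate, those should stay `ansible.builtin.command` too. Separately, the `echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf` task in this hunk has no `creates`/`changed_when`/`failed_when` guard, so once the immutable attribute is set a later run's truncate is refused and the task fails. The enclosing block for RHEL-08-010680 continues past this hunk.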
@@ -2356,20 +2356,20 @@ - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." block: - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files" - shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath + ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath with_items: "{{ rhel_08_stig_interactive_homedir_results }}" register: rhel_08_010690_ini_path_grep_list changed_when: false failed_when: false - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - debug: + ansible.builtin.debug: msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory. with_items: - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}" - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory." - lineinfile: + ansible.builtin.lineinfile: path: "{{ item }}" regexp: "^PATH=" line: "{{ rhel_08_010690_user_path }}" 
@@ -2390,13 +2390,13 @@ - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group." block: - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999 + ansible.builtin.shell: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999 changed_when: false failed_when: false register: rhel_08_010700_world_writable_directories - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" owner: "{{ rhel8stig_ww_dir_owner }}" with_items: @@ -2418,13 +2418,13 @@ - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group." block: - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories" - command: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999 + ansible.builtin.shell: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999 changed_when: false failed_when: false register: rhel_08_010710_world_writable_directories - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions" - file: + ansible.builtin.file: path: "{{ item }}" group: "{{ rhel8stig_ww_dir_grpowner }}" with_items: 
@@ -2446,19 +2446,19 @@ - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file." block: - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory" - shell: pwck -r | grep user | cut -f2 -d"'" + ansible.builtin.shell: pwck -r | grep user | cut -f2 -d"'" changed_when: false failed_when: false register: rhel_08_010720_users_no_home_dir - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory" - shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}' + ansible.builtin.shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}' changed_when: false failed_when: false register: rhel_08_010720_user_list - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list" - debug: + ansible.builtin.debug: msg: - "WARNING!! The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards" - "{{ rhel_08_010720_user_list.stdout_lines }}" 
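Review bot: The "Get interactive users with no home directory" task for RHEL-08-010720 runs `grep vboxadd /etc/passwd | awk ...`, so `rhel_08_010720_user_list` can only ever contain the VirtualBox guest account, and the warning that follows lists that instead of the users that `pwck -r` reported into `rhel_08_010720_users_no_home_dir`. This looks like a leftover from testing rather than something the FQCN rename introduced, but it is worth fixing while the task is touched; presumably the intent was to select the pwck-reported users whose UID is above `rhel8stig_interactive_uid_start` from /etc/passwd rather than a fixed account name. The enclosing block continues past this hunk.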
@@ -2477,13 +2477,13 @@ - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." block: - name: "MEDIUM | RHEL-08-010730 | AUDIT | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) + ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) changed_when: false failed_when: false register: rhel_08_010730_home_directories - name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive." - file: + ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_home_perms }}" with_items: @@ -2503,7 +2503,7 @@ - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive." block: - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Find out of compliance files" - shell: "find {{ item }} -perm -750 ! -perm 750" + ansible.builtin.shell: "find {{ item }} -perm -750 ! -perm 750" changed_when: false failed_when: false register: rhel_08_010731_files @@ -2511,7 +2511,7 @@ - "{{ rhel8stig_passwd | selectattr('uid', '>=', rhel8stig_interactive_uid_start | int) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Bring files into compliance" - file: + ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_home_file_perms }}" with_items: 
@@ -2519,7 +2519,7 @@ when: rhel8stig_disruption_high - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files" - debug: + ansible.builtin.debug: msg: - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750." - "Please review the files to bring into STIG compliance" @@ -2537,7 +2537,7 @@ - permissions - name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group." - file: + ansible.builtin.file: path: "{{ item.dir }}" group: "{{ item.gid }}" state: directory @@ -2559,7 +2559,7 @@ - permissions - name: "MEDIUM | RHEL-08-010741 | PATCH | RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member." - file: + ansible.builtin.file: path: "{{ item.dir }}" group: "{{ item.gid }}" state: directory @@ -2581,7 +2581,7 @@ - permissions - name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist." - file: + ansible.builtin.file: path: "{{ item.dir }}" state: directory with_items: "{{ rhel8stig_passwd }}" @@ -2601,7 +2601,7 @@ - permissions - name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '.*?CREATE_HOME.*' line: CREATE_HOME yes @@ -2618,7 +2618,7 @@ - home - name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive." - file: + ansible.builtin.file: path: "{{ item }}" mode: "{{ rhel8stig_local_int_perm }}" with_items: "{{ rhel_08_stig_interactive_homedir_inifiles }}" 
@@ -2638,7 +2638,7 @@ - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner." block: - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files" - shell: find / -nouser + ansible.builtin.shell: find / -nouser args: warn: false changed_when: false @@ -2646,7 +2646,7 @@ register: rhel_08_010780_nouser_files - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files" - debug: + ansible.builtin.debug: msg: - "WARNING!! There are files with no user assigned. Please review files listed below and assign owner" - "{{ rhel_08_010780_nouser_files.stdout_lines }}" @@ -2665,13 +2665,13 @@ - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner." block: - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files" - shell: find / -nogroup + ansible.builtin.shell: find / -nogroup changed_when: false failed_when: false register: rhel_08_010790_nogroup_files - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files" - debug: + ansible.builtin.debug: msg: - "WARNING!! There are files with no group assigned. Please review files listed below and assign group" - "{{ rhel_08_010790_nogroup_files.stdout_lines }}" @@ -2688,7 +2688,7 @@ - permissions - name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)." - debug: + ansible.builtin.debug: msg: "WARNING!! /home is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex 
@@ -2708,7 +2708,7 @@ - home - name: "MEDIUM | RHEL-08-010830 | PATCH | RHEL 8 must not allow users to override SSH environment variables." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitUserEnvironment' line: 'PermitUserEnvironment no' @@ -2729,7 +2729,7 @@ - disruption_high - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less." - debug: + ansible.builtin.debug: msg: - "WARNING!! Please check temporary accounts for expiration dates to be 72 hours or less." - "To do this please run sudo chage -l account_name for the accounts you need to check" @@ -2749,7 +2749,7 @@ - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." block: - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -2760,7 +2760,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' 
@@ -2771,7 +2771,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -2793,7 +2793,7 @@ - pamd - name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^deny =|^\# deny =' line: "deny = {{ rhel8stig_pam_faillock.attempts }}" @@ -2812,7 +2812,7 @@ - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." block: - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -2823,7 +2823,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' 
@@ -2834,7 +2834,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -2856,7 +2856,7 @@ - pamd - name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^fail_interval =|^\# fail_interval =' line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" @@ -2875,7 +2875,7 @@ - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period." block: - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" 
@@ -2886,7 +2886,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -2897,7 +2897,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+requireds+pam_faillock.so' line: 'account required pam_faillock.so' @@ -2919,7 +2919,7 @@ - pamd - name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^unlock_time =|^\# unlock_time =' line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}" @@ -2938,7 +2938,7 @@ - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist." block: - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" 
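Review bot: The "Set account faillock" task for RHEL-08-020014 uses `regexp: '^account\s+requireds+pam_faillock.so'`, which is missing the backslash before `s+` and so never matches `account required pam_faillock.so` (it would need the literal text `requireds` directly followed by `pam_faillock.so`); `ansible.builtin.lineinfile` then appends a fresh `account required pam_faillock.so` line to each PAM file on every run, so the task is not idempotent and the PAM stack accumulates duplicate entries. Unless this is an artifact of how the patch was rendered, it should read `regexp: '^account\s+required\s+pam_faillock.so'`, matching the sibling tasks in the RHEL-08-020010 and RHEL-08-020012 hunks. The enclosing block continues past this hunk.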
@@ -2949,7 +2949,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth required pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -2960,7 +2960,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account required pam_faillock.so' line: 'account required pam_faillock.so' @@ -2982,7 +2982,7 @@ - pamd - name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^dir =|^\# dir =' line: "dir = {{ rhel8stig_pam_faillock.dir }}" @@ -3001,7 +3001,7 @@ - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." block: - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" 
@@ -3012,7 +3012,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -3023,7 +3023,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -3045,7 +3045,7 @@ - pamd - name: "MEDIUM | RHEL-08-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^silent|^\# silent' line: "silent" @@ -3064,7 +3064,7 @@ - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." block: - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" 
@@ -3075,7 +3075,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -3086,7 +3086,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' @@ -3108,7 +3108,7 @@ - pamd - name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^audit|^\# audit' line: "audit" 
@@ -3127,7 +3127,7 @@ - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." block: - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so preauth' line: "auth required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}" @@ -3138,7 +3138,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^auth\s+required\s+pam_faillock.so authfail' line: 'auth required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}' @@ -3149,7 +3149,7 @@ - password-auth - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock" - lineinfile: + ansible.builtin.lineinfile: path: "/etc/pam.d/{{ item }}" regexp: '^account\s+required\s+pam_faillock.so' line: 'account required pam_faillock.so' 
@@ -3171,7 +3171,7 @@ - pamd - name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period." - lineinfile: + ansible.builtin.lineinfile: path: "/etc/security/faillock.conf" regexp: '^even_deny_root|^\# even_deny_root' line: "even_deny_root" @@ -3194,7 +3194,7 @@ - name: | "MEDIUM | RHEL-08-020027 | PATCH | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory MEDIUM | RHEL-08-020028 | PATCH | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory." - sefcontext: + community.general.sefcontext: target: "{{ rhel8stig_pam_faillock.dir }}(/.*)?" ftype: a setype: faillog_t @@ -3205,7 +3205,7 @@ - name: | "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. MEDIUM | RHEL-08-020028 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory." - shell: "restorecon -irvF {{ rhel8stig_pam_faillock.dir }}" + ansible.builtin.shell: "restorecon -irvF {{ rhel8stig_pam_faillock.dir }}" when: add_faillock_secontext.changed when: - rhel_08_020027 or 
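Review bot: Moving to `community.general.sefcontext` here (and `community.general.pamd` in the hunks at -3566, -3605, -3893, -3931, -4052, -4063 and -4077) makes the role depend on a separately installed collection, and nothing in this series shows a matching collection entry in a requirements file; if that is absent the play now fails at parse time on any controller without `community.general`. In the same hunk, `restorecon -irvF {{ rhel8stig_pam_faillock.dir }}` is kept on `ansible.builtin.shell` although it uses no pipe, glob or redirect; `ansible.builtin.command: "restorecon -irvF {{ rhel8stig_pam_faillock.dir }}"` runs the same binary without handing the templated directory to /bin/sh. The enclosing block for both tasks starts and ends outside the hunk.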
@@ -3226,13 +3226,13 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" - command: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" + ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:" changed_when: false failed_when: false register: rhel_08_020030_lock_enabled - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel_08_020030_lock_enabled.stdout }}" regexp: '^lock-enabled' line: lock-enabled=true @@ -3240,7 +3240,7 @@ notify: dconf update - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-screensaver create: true regexp: '^lock-enabled' 
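Review bot: Replacing `command` with `ansible.builtin.shell` on the `grep lock-enabled /etc/dconf/db/* -r | cut -f1 -d:` task is a behaviour change rather than an FQCN rename: under `command` the `*` and the `| cut -f1 -d:` were passed to grep as literal arguments, so the task presumably never produced a file name (any error was hidden by `failed_when: false`) and the "Set if exists" `lineinfile` below it was effectively never applicable. With a real shell the pipeline works and `rhel_08_020030_lock_enabled.stdout` can now be populated, including with several newline-separated paths when more than one dconf db file matches, which `path:` cannot accept as one value. This deserves a sentence in the commit message, and the consumer should iterate `rhel_08_020030_lock_enabled.stdout_lines` (or select one entry) instead of using `.stdout` directly; the `when:` guarding the follow-up tasks is outside the hunk.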
@@ -3269,13 +3269,13 @@ - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions." block: - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux" - package: + ansible.builtin.package: name: tmux state: present when: "'tmux' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux" - lineinfile: + ansible.builtin.lineinfile: path: /etc/tmux.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -3298,7 +3298,7 @@ - tmux - name: "MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization. | Set tmux.sh if file exists" - blockinfile: + ansible.builtin.blockinfile: path: /etc/profile.d/tmux.sh marker: "# " block: | @@ -3322,7 +3322,7 @@ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." block: - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' args: warn: false changed_when: false 
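Review bot: The `grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:` task at -3322 keeps `args:` / `warn: false` beneath the renamed `ansible.builtin.shell`; as far as I recall the `warn` option was removed from the command and shell modules in ansible-core 2.14, so on a current core this task fails with an unsupported-parameter error, which an FQCN migration aimed at newer Ansible will surface immediately. The same two lines sit under the `idle-delay` task in the hunk at -3388 on the next chunk line. Deleting `args:` and `warn: false` in both places is sufficient, since the option only silenced an advisory message and did not affect the command. The `block:` holding this task ends outside the hunk.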
@@ -3330,13 +3330,13 @@ register: rhel_08_020050_removal_action - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" + ansible.builtin.shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" changed_when: false failed_when: false register: rhel_08_020050_removal_action_file - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/distro.d/20-authselect create: true owner: root @@ -3349,7 +3349,7 @@ notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel_08_020050_removal_action.stdout }}" regexp: ^removal-action= line: removal-action='lock-screen' 
@@ -3357,14 +3357,14 @@ notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" - lineinfile: + ansible.builtin.lineinfile: path: '/etc/dconf/db/distro.d/locks/{{ rhel_08_020050_removal_action_file.stdout }}' line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action when: rhel_08_020050_removal_action_file.stdout | length > 0 notify: dconf update - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/distro.d/locks/20-authselect create: true line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action @@ -3388,7 +3388,7 @@ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." block: - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" - shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' args: warn: false changed_when: false @@ -3396,7 +3396,7 @@ register: rhel_08_020060_idle_delay_param - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-screensaver create: true owner: root 
@@ -3411,7 +3411,7 @@ when: rhel_08_020060_idle_delay_param.stdout | length == 0 - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel_08_020060_idle_delay_param.stdout }}" regexp: '^idle-delay=' line: idle-delay=uint32 900 @@ -3436,13 +3436,13 @@ - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity." block: - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Install tmux if needed" - package: + ansible.builtin.package: name: tmux state: present when: "'tmux' not in ansible_facts.packages" - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Set tmux settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/tmux.conf regexp: '^set -g lock-after-time' line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" @@ -3461,7 +3461,7 @@ - tmux - name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings." - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/session create: true line: /org/gnome/desktop/screensaver/lock-delay @@ -3482,7 +3482,7 @@ - gui - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -3508,7 +3508,7 @@ - authentication - name: "MEDIUM | RHEL-08-020100 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the password-auth file." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^password\s+required\s+pam_pwquality.so' line: 'password required pam_pwquality.so' @@ -3528,7 +3528,7 @@ - pamd - name: "MEDIUM | RHEL-08-020101 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the system-auth file." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^password\s+required\s+pam_pwquality.so' line: 'password required pam_pwquality.so' @@ -3550,13 +3550,13 @@ - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less." block: - name: "MEDIUM | RHEL-08-020102 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Get pam_pwquality state" - shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwquality.so" + ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwquality.so" changed_when: false failed_when: false register: rhel_08_020102_pwquality_status - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' insertafter: '^password' 
@@ -3566,7 +3566,7 @@ when: rhel_08_020102_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" - pamd: + community.general.pamd: name: system-auth type: password control: required @@ -3589,13 +3589,13 @@ - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less." block: - name: "MEDIUM | RHEL-08-020103 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Get pam_pwquality state" - shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwquality.so" + ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwquality.so" changed_when: false failed_when: false register: rhel_08_020103_pwquality_status - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Set if no pw required pam_pwquality" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth line: 'password required pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}' insertafter: '^password' @@ -3605,7 +3605,7 @@ when: rhel_08_020103_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Replace if already exists" - pamd: + community.general.pamd: name: password-auth type: password control: required 
@@ -3626,7 +3626,7 @@ - pamd - name: "MEDIUM | RHEL-08-020104 | PATCH | RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^retry =|^#.*retry =' line: retry = {{ rhel8stig_pam_pwquality_retry }} @@ -3643,10 +3643,10 @@ - pamd - name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*ucredit' - line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" + line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" owner: root group: root mode: 0644 @@ -3663,7 +3663,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*lcredit' line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}" @@ -3683,7 +3683,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*dcredit' line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}" @@ -3703,7 +3703,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*maxclassrepeat' line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}" 
@@ -3723,7 +3723,7 @@ - pwquality - name: "MEDIUM | RHEL-08-20150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*maxrepeat' line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}" @@ -3743,7 +3743,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*minclass' line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}" @@ -3763,7 +3763,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*difok' line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}" 
@@ -3785,13 +3785,13 @@ - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow." block: - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Get list of users" - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow" changed_when: false failed_when: false register: rhel_08_020180_users - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction" - command: chage -m 1 {{ item }} + ansible.builtin.shell: chage -m 1 {{ item }} with_items: "{{ rhel_08_020180_users.stdout_lines }}" when: - rhel_08_020180 @@ -3805,7 +3805,7 @@ - password - name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: ^#?PASS_MIN_DAYS line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}" @@ -3825,7 +3825,7 @@ - login - name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs create: true owner: root 
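Review bot: `command: chage -m 1 {{ item }}` becomes `ansible.builtin.shell: chage -m 1 {{ item }}`, which swaps the module rather than spelling the original one with its FQCN (`ansible.builtin.command`); the command now goes through /bin/sh, so `{{ item }}` — a user name read back from /etc/shadow by the first task — and that task's quoted awk program are subject to shell word splitting and metacharacter handling that `command` does not perform. None of the affected commands uses a pipe, redirect or glob, so the drop-in fix is `ansible.builtin.command: chage -m 1 {{ item }}` and likewise `ansible.builtin.command:` for the awk line. The same swap appears in the hunks at -3847 (three `chage`/`awk` tasks), -3992 (`awk`), -4099 (`useradd -D -f 35`), -4114 (`awk` with `rhel8stig_interactive_uid_start` templated into it) and -4221, where `grep '^{{ item }}:' /etc/passwd` takes `item` from the role variable `rhel8stig_unnecessary_accounts` that callers set, the case where shell interpretation of the value matters most. The `block:` containing these tasks continues beyond the hunk.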
@@ -3847,18 +3847,18 @@ - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime." block: - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users" - command: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow" check_mode: false changed_when: rhel_08_020210_users.stdout | length > 0 register: rhel_08_020210_users - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user." - command: chage -d '-1 day' {{ item }} + ansible.builtin.shell: chage -d '-1 day' {{ item }} check_mode: "{{ rhel8stig_disruptive_check_mode }}" with_items: "{{ rhel_08_020210_users.stdout_lines }}" - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime" - command: chage -M 60 {{ item }} + ansible.builtin.shell: chage -M 60 {{ item }} check_mode: "{{ rhel8stig_disruptive_check_mode }}" with_items: "{{ rhel_08_020210_users.stdout_lines }}" when: 
@@ -3877,13 +3877,13 @@ - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory status" - shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwhistory.so" + ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*required.*pam_pwhistory.so" changed_when: false failed_when: false register: rhel_08_020220_pwhistory_status - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pw_history" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' @@ -3893,7 +3893,7 @@ when: rhel_08_020220_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" - pamd: + community.general.pamd: name: password-auth type: password control: required 
@@ -3915,13 +3915,13 @@ - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations." block: - name: "MEDIUM | RHEL-08-020221 | AUDIT | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory state " - shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwhistory.so" + ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*required.*pam_pwhistory.so" changed_when: false failed_when: false register: rhel_08_020221_pwhistory_status - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pwhistory" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: "password required pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}" insertafter: '^password' @@ -3931,7 +3931,7 @@ when: rhel_08_020221_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" - pamd: + community.general.pamd: name: system-auth type: password control: required @@ -3951,7 +3951,7 @@ - pamd - name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*minlen' line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}" @@ -3971,7 +3971,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN' line: "PASS_MIN_LEN 15" 
@@ -3992,13 +3992,13 @@ - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users." block: - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users" - command: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd + ansible.builtin.shell: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd changed_when: false failed_when: false register: rhel_08_020240_duplicate_uid_users - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users" - debug: + ansible.builtin.debug: msg: - "WARNING!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user" - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}" 
@@ -4016,19 +4016,19 @@ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts." block: - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth" - shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth + ansible.builtin.shell: grep 'auth sufficient pam_sss.so' /etc/pam.d/smartcard-auth changed_when: false failed_when: false register: rhel_08_020250_sc_auth_sss - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth" - shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth + ansible.builtin.shell: grep 'auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth changed_when: false failed_when: false register: rhel_08_020250_system_auth_sss - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf" - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -4042,7 +4042,7 @@ - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' } - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/smartcard-auth line: auth sufficient pam_sss.so try_cert_auth owner: root 
@@ -4052,7 +4052,7 @@ when: rhel_08_020250_sc_auth_sss.stdout | length == 0 - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth" - pamd: + community.general.pamd: name: /etc/pam.d/smartcard-auth state: updated type: auth @@ -4063,7 +4063,7 @@ when: rhel_08_020250_sc_auth_sss.stdout | length > 0 - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth" - pamd: + community.general.pamd: name: /etc/pam.d/system-auth state: after type: auth @@ -4077,7 +4077,7 @@ when: rhel_08_020250_system_auth_sss.stdout | length == 0 - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth" - pamd: + community.general.pamd: name: /etc/pam.d/system-auth state: updated type: auth @@ -4099,7 +4099,7 @@ - pamd - name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity." - command: useradd -D -f 35 + ansible.builtin.shell: useradd -D -f 35 when: - rhel_08_020260 tags: 
@@ -4114,13 +4114,13 @@ - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." block: - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - command: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" + ansible.builtin.shell: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd" changed_when: false failed_when: false register: rhel_08_020270_system_users - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours." - debug: + ansible.builtin.debug: msg: - "WARNING!! Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours" - "{{ rhel_08_020270_system_users.stdout_lines }}" @@ -4136,7 +4136,7 @@ - user - name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*ocredit' line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}" @@ -4156,7 +4156,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." - lineinfile: + ansible.builtin.lineinfile: path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -4180,7 +4180,7 @@ - sssd - name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: '^#?\s*dictcheck' line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}" 
@@ -4200,7 +4200,7 @@ - pwquality - name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt." - lineinfile: + ansible.builtin.lineinfile: dest: /etc/login.defs regexp: ^#?FAIL_DELAY line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" @@ -4221,7 +4221,7 @@ - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts." block: - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts" - command: "grep '^{{ item }}:' /etc/passwd" + ansible.builtin.shell: "grep '^{{ item }}:' /etc/passwd" check_mode: false failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1 changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0 @@ -4229,7 +4229,7 @@ with_items: "{{ rhel8stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts" - user: + ansible.builtin.user: name: "{{ item }}" state: absent remove: "{{ rhel8stig_remove_unnecessary_user_files }}" @@ -4253,7 +4253,7 @@ - accounts - name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon." - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^(#PrintLastLog yes?|^#?.rintLastLog no)' line: 'PrintLastLog yes' @@ -4272,7 +4272,7 @@ - ssh - name: "MEDIUM | RHEL-08-020351 | PATCH | RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files." - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: ^#?UMASK.* line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}" 
@@ -4294,7 +4294,7 @@
- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts."
block:
- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files"
- find:
+ ansible.builtin.find:
paths: /home
patterns: '^\.'
contains: 'umask'
@@ -4304,7 +4304,7 @@
register: rhel8stig_020352_files
- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})"
state: absent
@@ -4323,7 +4323,7 @@
- umask
- name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells."
- replace:
+ ansible.builtin.replace:
path: "{{ item }}"
regexp: 'umask\s\d\d\d'
replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}"
@@ -4343,7 +4343,7 @@
- umask
- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4359,7 +4359,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
regexp: '^cron.*'
line: 'cron.* /var/log/cron'
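Review bot: `changed_when: true` on the RHEL-08-030000 debug task makes it report changed and fire `update auditd` on every run, so the control is never idempotent and the handler rewrites the rules file each time; the same pattern is repeated in every debug/notify task from RHEL-08-030190 on the following lines through RHEL-08-030600. It would be cleaner to notify from whichever task actually renders the rules file and keep these as plain informational `ansible.builtin.debug` messages without `changed_when`, or to register that render result and use `changed_when: <registered_render_result> is changed` (placeholder name). The message text also names `/etc/audit.d/99_auditd.rules`, whereas the audit rule tasks in this file write under `/etc/audit/rules.d/`; if the handler's real target is `/etc/audit/rules.d/99_auditd.rules` the message should say so.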
@@ -4376,7 +4376,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^action_mail_acct ='
line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}"
@@ -4396,7 +4396,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/aliases
regexp: '^postmaster:'
line: 'postmaster: root'
@@ -4412,7 +4412,7 @@
- aliases
- name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^disk_error_action ='
line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}"
@@ -4428,7 +4428,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^disk_full_action ='
line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}"
@@ -4444,7 +4444,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^local_events ='
line: "local_events = yes"
@@ -4460,7 +4460,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^name_format ='
line: "name_format = hostname"
@@ -4477,7 +4477,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^log_group ='
line: "log_group = root"
@@ -4497,13 +4497,13 @@
- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access."
block:
- name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file"
- shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
+ ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
changed_when: false
failed_when: false
register: rhel8stig_030080_audit_log_file
- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner"
- file:
+ ansible.builtin.file:
path: "{{ rhel8stig_030080_audit_log_file.stdout }}"
owner: root
when: rhel8stig_030080_audit_log_file.stdout | length > 0
@@ -4521,7 +4521,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^log_group'
line: "log_group = root"
@@ -4541,13 +4541,13 @@
- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."
block:
- name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory"
- shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+ ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
changed_when: false
failed_when: false
register: rhel_08_030100_audit_log_dir
- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner"
- file:
+ ansible.builtin.file:
path: "{{ rhel_08_030100_audit_log_dir.stdout }}"
owner: root
state: directory
@@ -4570,7 +4570,7 @@
- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."
block:
- name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory"
- shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+ ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
args:
warn: false
changed_when: false
@@ -4578,7 +4578,7 @@
register: rhel_08_030110_audit_log_dir
- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group"
- file:
+ ansible.builtin.file:
path: "{{ rhel_08_030110_audit_log_dir.stdout }}"
group: root
state: directory
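Review bot: The `ansible.builtin.shell` task for RHEL-08-030110 still carries `args: warn: false`; the `warn` parameter of command/shell was deprecated and then removed in ansible-core 2.14, where it fails as an unsupported parameter instead of being ignored. The RHEL-08-030100 and RHEL-08-030120 tasks on this and the next line do not use it, so dropping the `args:` and `warn: false` lines restores both consistency and compatibility. Separately, all three "Get audit log directory" steps run with `failed_when: false` and feed their `stdout` straight into `ansible.builtin.file` with `state: directory`; RHEL-08-030080 guards its equivalent with `when: ... | length > 0`, and no such guard is visible inside these hunks (the tasks continue outside them), so an empty result would hit the file module with an empty path.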
@@ -4602,13 +4602,13 @@
- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access."
block:
- name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. | Get audit log directory"
- shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
+ ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
changed_when: false
failed_when: false
register: rhel_08_030120_audit_log_dir
- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
- file:
+ ansible.builtin.file:
path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
mode: 0700
state: directory
@@ -4627,7 +4627,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-e '
line: "-e 2"
@@ -4643,7 +4643,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^--loginuid-'
line: "--loginuid-immutable"
@@ -4659,7 +4659,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/shadow'
line: '-w /etc/shadow -p wa -k identity'
@@ -4676,7 +4676,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/security/opasswd'
line: -w /etc/security/opasswd -p wa -k identity
@@ -4693,7 +4693,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/passwd'
line: -w /etc/passwd -p wa -k identity
@@ -4710,7 +4710,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/gshadow'
line: -w /etc/gshadow -p wa -k identity
@@ -4727,7 +4727,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/group'
line: -w /etc/group -p wa -k identity
@@ -4744,7 +4744,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/sudoers '
line: -w /etc/sudoers -p wa -k identity
@@ -4761,7 +4761,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-w /etc/sudoers.d/'
line: -w /etc/sudoers.d/ -p wa -k identity
@@ -4780,12 +4780,12 @@
- name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed."
block:
- name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed. | Install audit"
- package:
+ ansible.builtin.package:
name: audit
state: present
- name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed. | Enable and start service"
- service:
+ ansible.builtin.service:
name: auditd
enabled: true
state: started
@@ -4802,7 +4802,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030181 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."
- service:
+ ansible.builtin.service:
name: auditd
state: started
enabled: true
@@ -4818,7 +4818,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4834,7 +4834,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4850,7 +4850,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4866,7 +4866,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4882,7 +4882,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4898,7 +4898,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4914,7 +4914,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4930,7 +4930,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4946,7 +4946,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4962,7 +4962,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4978,7 +4978,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -4994,7 +4994,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5010,7 +5010,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5026,7 +5026,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5042,7 +5042,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030315 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5058,7 +5058,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5074,7 +5074,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5090,7 +5090,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5106,7 +5106,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5122,7 +5122,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5138,7 +5138,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5154,7 +5154,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5170,7 +5170,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5186,7 +5186,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5202,7 +5202,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5218,7 +5218,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5234,7 +5234,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5250,7 +5250,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5266,7 +5266,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5282,7 +5282,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5298,7 +5298,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5314,7 +5314,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5330,7 +5330,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5346,7 +5346,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5362,7 +5362,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5378,7 +5378,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
@@ -5394,7 +5394,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
- file:
+ ansible.builtin.file:
path: "{{ item }}"
mode: 0640
with_items:
@@ -5415,13 +5415,13 @@
- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive."
block:
- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms"
- shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
+ ansible.builtin.shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
changed_when: false
failed_when: false
register: rhel_08_030620_tools
- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
- file:
+ ansible.builtin.file:
path: "{{ item }}"
mode: 0755
with_items:
@@ -5439,7 +5439,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root."
- file:
+ ansible.builtin.file:
path: "{{ item }}"
owner: root
with_items:
@@ -5464,7 +5464,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root."
- file:
+ ansible.builtin.file:
path: "{{ item }}"
owner: root
with_items:
@@ -5489,7 +5489,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/aide.conf
line: "{{ item }}"
owner: root
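Review bot: The RHEL-08-030620 "Find toosl with less than 755 perms" step does not filter anything: `stat -c "%a %n" ... | cut -f2 -d" "` discards the mode column and lists every tool, and the follow-up then sets `mode: 0755` on each of them, which loosens any tool that is already stricter than 0755 (0750, 0700). To enforce "0755 or less permissive" without widening, remove write for group and other instead of forcing a fixed mode, e.g. `mode: "go-w"`, or keep the `%a` value in the audit step and only pass through the offenders. The typo `toosl` in the task name is worth fixing while here; the `with_items:` list continues outside the hunk.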
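Review bot: RHEL-08-030640 is the group-ownership control, but the task body sets `owner: root`, identical to RHEL-08-030630 in the hunk above it, so the group owner of the audit tools is never enforced. The line should be `group: root` (leaving `owner: root` in place as well is harmless). The `with_items:` list continues outside the hunk.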
@@ -5518,19 +5518,19 @@
- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."
block:
- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition"
- shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
+ ansible.builtin.shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
changed_when: false
failed_when: false
register: rhel_08_030660_audit_log_path
- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition"
- shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
+ ansible.builtin.shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
changed_when: false
failed_when: false
register: rhel_08_030660_audit_log_partition
- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size"
- debug:
+ ansible.builtin.debug:
msg:
- "WARNING!! Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"
- "Path: {{ rhel_08_030660_audit_log_path.stdout }}"
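Review bot: The `df -h {{ rhel_08_030660_audit_log_path.stdout }}` step interpolates the previous task's stdout unquoted into a shell line; with `failed_when: false` on that task, a missing or unreadable `log_file` setting yields empty stdout, so `df -h` silently reports every filesystem and the warning prints a blank path. Guarding it the way RHEL-08-030080 does, `when: rhel_08_030660_audit_log_path.stdout | length > 0`, and quoting the argument, `ansible.builtin.shell: "df -h '{{ rhel_08_030660_audit_log_path.stdout }}'"`, keeps the audit output meaningful and the value out of shell word splitting. The `msg` list continues outside the hunk.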
@@ -5547,7 +5547,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030670 | PATCH | RHEL 8 must have the packages required for offloading audit logs installed."
- package:
+ ansible.builtin.package:
name: rsyslog
state: present
when:
@@ -5563,7 +5563,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed."
- package:
+ ansible.builtin.package:
name: rsyslog-gnutls
state: present
when:
@@ -5580,7 +5580,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
regexp: '^.*\@\@'
line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}"
@@ -5597,7 +5597,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^overflow_action ='
line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}'
@@ -5614,7 +5614,7 @@
- auditd
- name: "MEDIUM | RHEL-08-03710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
create: true
owner: root
@@ -5638,7 +5638,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
regexp: '^\$ActionSendStreamDriverAuthMode'
line: "$ActionSendStreamDriverAuthMode x509/name"
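Review bot: The task name `RHEL-08-03710` in the hunk at 5614 is one digit short; every other control in this file carries a six-digit suffix and this encrypt-off-loaded-records task sits between 030700 and 030720, so it is presumably `RHEL-08-030710`. Since operators grep and tag by these ids, the name should be corrected, and if the `when:` or `tags:` entries outside the hunk carry the same truncated id they should be corrected with it.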
@@ -5656,7 +5656,7 @@
- rsyslog
- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^space_left ='
line: 'space_left = 25%'
@@ -5672,7 +5672,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030731 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/audit/auditd.conf
regexp: '^space_left_action ='
line: 'space_left_action = EMAIL'
@@ -5688,7 +5688,7 @@
- auditd
- name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/chrony.conf
regexp: '^server'
line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16'
@@ -5706,9 +5706,9 @@
- chrony
- name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed."
- package:
- name: "abrt*"
- state: absent
+ ansible.builtin.package:
+ name: "abrt*"
+ state: absent
when:
- rhel_08_040001
tags:
@@ -5722,7 +5722,7 @@
- abrt
- name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed."
- package:
+ ansible.builtin.package:
name: sendmail
state: absent
when:
@@ -5739,7 +5739,7 @@
- sendmail
- name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
create: true
regexp: "{{ item.regexp }}"
@@ -5769,7 +5769,7 @@
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
block:
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using firewalld"
- shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
+ ansible.builtin.shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
register: rhel8stig_ppsm_clsa_check_firewalld
changed_when: false
failed_when: false
@@ -5781,7 +5781,7 @@
- firewall
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
- debug:
+ ansible.builtin.debug:
msg:
- "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
- "{{ rhel8stig_ppsm_clsa_check_firewalld.stdout_lines }}"
@@ -5805,7 +5805,7 @@
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block"
block:
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using iptables"
- shell: iptables-save | grep -i accept | grep -i input
+ ansible.builtin.shell: iptables-save | grep -i accept | grep -i input
register: rhel8stig_ppsm_clsa_check_iptables
changed_when: false
failed_when: false
@@ -5816,7 +5816,7 @@
- firewall
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
- debug:
+ ansible.builtin.debug:
msg:
- "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}."
- "{{ rhel8stig_ppsm_clsa_check_iptables.stdout_lines }}"
@@ -5838,7 +5838,7 @@
- firewall
- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use"
- debug:
+ ansible.builtin.debug:
msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
changed_when: true
when:
@@ -5865,13 +5865,13 @@
- name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required."
block:
- name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error"
- shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
+ ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
changed_when: false
failed_when: false
register: rhel_08_040070_autofs_status
- name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists"
- service:
+ ansible.builtin.service:
name: autofs
state: stopped
enabled: false
@@ -5888,7 +5888,7 @@
- autofs
- name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
@@ -5914,19 +5914,19 @@
- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
block:
- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld"
- package:
+ ansible.builtin.package:
name: firewalld.noarch
state: present
when: rhel8stig_firewall_service == "firewalld"
- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
- package:
+ ansible.builtin.package:
name: iptables-services
state: present
when: rhel8stig_firewall_service == "iptables"
- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
- service:
+ ansible.builtin.service:
name: "{{ rhel8stig_firewall_service }}"
state: started
enabled: true
@@ -5946,13 +5946,13 @@
- name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8"
block:
- name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Install firewalld if needed"
- package:
+ ansible.builtin.package:
name: firewalld
state: present
when: "'firewalld' not in ansible_facts.packages"
- name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Enable the service"
- systemd:
+ ansible.builtin.systemd:
name: firewalld
state: started
enabled: true
@@ -5972,13 +5972,13 @@
- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
block:
- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
- firewalld:
+ ansible.posix.firewalld:
zone: "{{ rhel8stig_custom_firewall_zone }}"
permanent: true
state: present
- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh"
- firewalld:
+ ansible.posix.firewalld:
zone: "{{ rhel8stig_custom_firewall_zone }}"
permanent: true
state: enabled
@@ -5988,7 +5988,7 @@
- "{{ rhel8stig_white_list_services }}"
- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.10+"
- firewalld:
+ ansible.posix.firewalld:
zone: "{{ rhel8stig_custom_firewall_zone }}"
permanent: true
state: enabled
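Review bot: `ansible.posix.firewalld:` (and `ansible.posix.mount:` further down in this file) moves these tasks out of ansible-core into the ansible.posix collection, which has to be installed on the controller; nothing in this diff shows a `meta/runtime.yml` or `collections/requirements.yml` change, so unless another patch in the series adds it, the role will fail with an unresolved module on a bare ansible-core install. Declare the dependency where the role lists its collections, e.g. `collections:` / `  - name: ansible.posix`, and pin a minimum version that supports every option these firewalld/mount tasks use. The rest of the hunk is a pure FQCN rename.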
@@ -5998,25 +5998,25 @@
- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9"
block:
- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | current setting"
- shell: "firewall-cmd --list-all --zone={{ rhel8stig_custom_firewall_zone }} | grep 'target: DROP'"
+ ansible.builtin.shell: "firewall-cmd --list-all --zone={{ rhel8stig_custom_firewall_zone }} | grep 'target: DROP'"
changed_when: false
failed_when: false
register: rhel8stig_target_drop_set
- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9"
- shell: firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP
+ ansible.builtin.shell: firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP
when:
- rhel8stig_target_drop_set.rc != 0
when: ansible_version.full is version_compare('2.10 | int', '<')
- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
- command: firewall-cmd --reload
+ ansible.builtin.shell: firewall-cmd --reload
changed_when: rhel_08_040090_zone_reload.rc == 0
failed_when: rhel_08_040090_zone_reload.rc >= 2
register: rhel_08_040090_zone_reload
- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone as default"
- command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
+ ansible.builtin.shell: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
changed_when: rhel_08_040090_default_zone_set.rc == 0
failed_when: rhel_08_040090_default_zone_set.rc >= 2
register: rhel_08_040090_default_zone_set
@@ -6035,7 +6035,7 @@
- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
block:
- name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
- command: rpm -q NetworkManager
+ ansible.builtin.shell: rpm -q NetworkManager
args:
warn: false
check_mode: false
@@ -6044,7 +6044,7 @@
failed_when: false
- name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
- command: nmcli radio wifi
+ ansible.builtin.shell: nmcli radio wifi
args:
warn: false
register: rhel_08_wifi_enabled
@@ -6053,7 +6053,7 @@
when: rhel_08_nmcli_available.rc == 0
- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
- command: nmcli radio wifi off
+ ansible.builtin.shell: nmcli radio wifi off
when: rhel_08_wifi_enabled is changed
when:
- rhel_08_040110
@@ -6069,7 +6069,7 @@
- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled."
block:
- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth"
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/modprobe.d/bluetooth.conf
regexp: '^install bluetooth '
line: "install bluetooth /bin/true"
@@ -6080,7 +6080,7 @@
notify: change_requires_reboot
- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth kernel module"
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
create: true
regexp: "{{ item.regexp }}"
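Review bot: Swapping `command:` for `ansible.builtin.shell:` on `firewall-cmd --reload` and `firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}` loosens these calls for no gain: neither uses a pipe or redirection, and `shell` hands the interpolated zone name to /bin/sh, so metacharacters in `rhel8stig_custom_firewall_zone` are interpreted rather than passed as one argv element (the `--set-target=DROP` task above already had that exposure; only the `| grep 'target: DROP'` pipeline genuinely needs a shell). Keep the FQCN but use `ansible.builtin.command: firewall-cmd --reload` and `ansible.builtin.command: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"`, which is also what ansible-lint's command-instead-of-shell rule will flag. Visible in the unchanged context, `version_compare('2.10 | int', '<')` compares against the literal string `2.10 | int` rather than the version 2.10 — presumably `version_compare('2.10', '<')` was intended and is worth a follow-up.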
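Review bot: `ansible.builtin.shell: rpm -q NetworkManager` (and `nmcli radio wifi` / `nmcli radio wifi off` in the two hunks that follow) keeps the `args:` / `warn: false` option; if the role now targets ansible-core 2.14 or later, as the move to FQCNs suggests, `warn` is no longer an accepted parameter of command/shell and the task will fail at runtime, and the lint warning it silenced no longer exists, so the `args:` block can simply be dropped. None of the three invocations needs a shell, so `ansible.builtin.command:` is the safer choice for each. The `rpm -q` probe could also be replaced by the package facts this file already relies on (`when: "'NetworkManager' in ansible_facts.packages"`), which removes a process spawn and the `rc` plumbing around `rhel_08_nmcli_available`.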
@@ -6113,7 +6113,7 @@
"MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option."
"MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option."
"MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option."
- shell: mount | grep /dev/shm
+ ansible.builtin.shell: mount | grep /dev/shm
args:
warn: false
changed_when: false
@@ -6124,7 +6124,7 @@
"MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
"MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
"MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
- mount:
+ ansible.posix.mount:
path: /dev/shm
state: mounted
src: tmpfs
@@ -6159,7 +6159,7 @@
"MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option."
"MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option."
"MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option."
- shell: mount | grep /tmp
+ ansible.builtin.shell: mount | grep /tmp
changed_when: false
failed_when: false
register: rhel8stig_040123_dev_status
@@ -6168,7 +6168,7 @@
"MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
"MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
"MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
- mount:
+ ansible.posix.mount:
path: /tmp
state: mounted
src: "{{ tmp_mount.device }}"
@@ -6206,7 +6206,7 @@
"MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
"MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
"MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
- shell: mount | grep /var/log
+ ansible.builtin.shell: mount | grep /var/log
changed_when: false
failed_when: false
register: rhel8stig_040126_var_log_status
@@ -6215,7 +6215,7 @@
"MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
"MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
"MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
- mount:
+ ansible.posix.mount:
path: /var/log
state: mounted
src: "{{ var_log_mount.device }}"
@@ -6252,7 +6252,7 @@
"MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option."
"MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option."
"MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option."
- shell: mount | grep /var/log/audit
+ ansible.builtin.shell: mount | grep /var/log/audit
changed_when: false
failed_when: false
register: rhel8stig_040129_var_log_audit_status
@@ -6261,7 +6261,7 @@
"MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
"MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
"MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
- mount:
+ ansible.posix.mount:
path: /var/log/audit
state: mounted
src: "{{ audit_mount.device }}"
@@ -6298,7 +6298,7 @@
"MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option"
"MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option."
"MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option."
- shell: mount | grep /var/tmp
+ ansible.builtin.shell: mount | grep /var/tmp
changed_when: false
failed_when: false
register: rhel8stig_040132_var_tmp_status
@@ -6307,7 +6307,7 @@
"MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
"MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
"MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
- mount:
+ ansible.posix.mount:
path: /var/tmp
state: mounted
src: "{{ var_tmp_mount.device }}"
@@ -6336,7 +6336,7 @@
- mounts
- name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be installed."
- package:
+ ansible.builtin.package:
name: fapolicyd
state: present
when:
@@ -6352,7 +6352,7 @@
- fapolicy
- name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled."
- systemd:
+ ansible.builtin.systemd:
name: fapolicyd
state: started
enabled: true
@@ -6370,12 +6370,12 @@
- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
block:
- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Check for rules.d/ directory"
- stat:
+ ansible.builtin.stat:
path: /etc/fapolicyd/rules.d/
register: rhel_08_040137_rules_dir
- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist on newer than 8.4"
- lineinfile:
+ ansible.builtin.lineinfile:
path: '/etc/fapolicyd/rules.d/99-stig.rules'
line: "{{ item }}"
create: true
@@ -6390,7 +6390,7 @@
- rhel_08_040137_rules_dir.stat.isdir
- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist on older than 8.4"
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/fapolicyd/fapolicyd.rules
line: "{{ item }}"
create: true
@@ -6403,7 +6403,7 @@
when: ansible_distribution_version is version('8.3', '<=')
- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0"
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/fapolicyd/fapolicyd.conf
regexp: '^permissive ='
line: 'permissive = 0'
@@ -6427,7 +6427,7 @@
"MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard."
block:
- name: "MEDIUM | RHEL-08-040139 | PATCH | RHEL 8 must have the USBGuard installed. | Install usbguard"
- package:
+ ansible.builtin.package:
name: usbguard
state: present
when:
@@ -6435,14 +6435,14 @@
- "'usbguard' not in ansible_facts.packages"
- name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | generate policy"
- shell: usbguard generate-policy > /etc/usbguard/rules.conf
+ ansible.builtin.shell: usbguard generate-policy > /etc/usbguard/rules.conf
when:
- rhel_08_040140
- rhel_08_040139 or "'usbguard' in ansible_facts.packages"
- name: "MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard. | Start/Enable service"
- service:
+ ansible.builtin.service:
name: usbguard
state: started
enabled: true
@@ -6471,7 +6471,7 @@
- usbguard
- name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend='
line: 'FirewallBackend=nftables'
@@ -6493,7 +6493,7 @@
"MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."
block:
- name: "MEDIUM | RHEL-08-040159 | PATCH | All RHEL 8 networked systems must have SSH installed. | Install openssh-server"
- package:
+ ansible.builtin.package:
name: openssh-server
state: present
when:
@@ -6501,7 +6501,7 @@
- rhel_08_040159
- name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server"
- service:
+ ansible.builtin.service:
name: sshd
state: started
enabled: true
@@ -6525,7 +6525,7 @@
- ssh
- name: "MEDIUM | RHEL-08-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server."
- lineinfile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^#?RekeyLimit'
line: 'RekeyLimit 1G 1h'
@@ -6543,7 +6543,7 @@
- ssh
- name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8."
- systemd:
+ ansible.builtin.systemd:
name: debug-shell.service
state: stopped
enabled: false
@@ -6564,13 +6564,13 @@
- name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted."
block:
- name: "MEDIUM | RHEL-08-040209 | AUDIT | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Find conflicting instances"
- shell: grep -rs "net.ipv4.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv4.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040209_conflicting_settings
- name: "MEDIUM | RHEL-08-040209 | AUDIT | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Remove conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv4.conf.default.accept_redirects = [^0]
state: absent
@@ -6578,7 +6578,7 @@
when: rhel_08_040209_conflicting_settings.stdout | length > 0
- name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file"
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
changed_when: true
notify: update sysctl
@@ -6596,13 +6596,13 @@
- name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted."
block:
- name: "MEDIUM | RHEL-08-040210 | AUDIT | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Find conflicting instances"
- shell: grep -rs "net.ipv6.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv6.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040210_conflicting_settings
- name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Remove conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv6.conf.default.accept_redirects = [^0]
state: absent
@@ -6610,7 +6610,7 @@
when: rhel_08_040210_conflicting_settings.stdout | length > 0
- name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file"
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
changed_when: true
notify: update sysctl
@@ -6630,13 +6630,13 @@
- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects."
block:
- name: "MEDIUM | RHEL-08-040220 | AUDIT | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Find conflicting instances"
- shell: grep -rs "net.ipv4.conf.all.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv4.conf.all.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040220_conflicting_settings
- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv4.conf.all.send_redirects = [^0]
state: absent
@@ -6644,7 +6644,7 @@
when: rhel_08_040220_conflicting_settings.stdout | length > 0
- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file"
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
changed_when: true
notify: update sysctl
@@ -6662,13 +6662,13 @@
- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
block:
- name: "MEDIUM | RHEL-08-040230 | AUDIT | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Find conflicting instances"
- shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040230_conflicting_settings
- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv4.icmp_echo_ignore_broadcasts = [^1]
state: absent
@@ -6676,7 +6676,7 @@
when: rhel_08_040230_conflicting_settings.stdout | length > 0
- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file"
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
changed_when: true
notify: update sysctl
@@ -6694,13 +6694,13 @@
- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets."
block:
- name: "MEDIUM | RHEL-08-040239 | AUDIT | RHEL 8 must not forward IPv4 source-routed packets. | Find conflicting instances"
- shell: grep -rs "net.ipv4.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv4.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040239_conflicting_settings
- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv4.conf.all.accept_source_route = [^0]
state: absent
@@ -6708,7 +6708,7 @@
when: rhel_08_040239_conflicting_settings.stdout | length > 0
- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file"
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
changed_when: true
notify: update sysctl
@@ -6726,13 +6726,13 @@
- name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets."
block:
- name: "MEDIUM | RHEL-08-040240 | AUDIT | RHEL 8 must not forward IPv6 source-routed packets. | Find conflicting instances"
- shell: grep -rs "net.ipv6.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv6.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040240_conflicting_settings
- name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Remove conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv6.conf.all.accept_source_route = [^0]
state: absent
@@ -6740,7 +6740,7 @@
when: rhel_08_040240_conflicting_settings.stdout |length > 0
- name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Use template to create file"
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
changed_when: true
notify: update sysctl
@@ -6759,13 +6759,13 @@
- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default."
block:
- name: "MEDIUM | RHEL-08-040249 | AUDIT | RHEL 8 must not forward IPv4 source-routed packets by default. | Find conflicting instances"
- shell: grep -rs "net.ipv4.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv4.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040249_conflicting_settings
- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv4.conf.default.accept_source_route = [^0]
state: absent
@@ -6773,7 +6773,7 @@
when: rhel_08_040249_conflicting_settings.stdout | length > 0
- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file"
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
changed_when: true
notify: update sysctl
@@ -6791,13 +6791,13 @@
- name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default."
block:
- name: "MEDIUM | RHEL-08-040250 | AUDIT | RHEL 8 must not forward IPv6 source-routed packets by default. | Find conflicting instances"
- shell: grep -rs "net.ipv6.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv6.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040250_conflicting_findings
- name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Remove conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv6.conf.default.accept_source_route = [^0]
state: absent
@@ -6805,7 +6805,7 @@
when: rhel_08_040250_conflicting_findings.stdout | length > 0
- name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Use template to create file"
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
changed_when: true
notify: update sysctl
@@ -6824,21 +6824,21 @@
- name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router."
block:
- name: "MEDIUM | RHEL-08-040259 | AUDIT | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Find conflicting instances"
- shell: grep -rs "net.ipv4.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv4.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040259_conflicting_settings
- name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv4.conf.all.forwarding = [^0]
state: absent
loop: "{{ rhel_08_040259_conflicting_settings.stdout_lines }}"
when: rhel_08_040259_conflicting_settings.stdout | length > 0
- 
+ 
- name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file"
- debug:
+ ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
changed_when: true
notify: update sysctl
@@ -6857,13 +6857,13 @@
 - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router."
 block:
 - name: "MEDIUM | RHEL-08-040260 | AUDIT | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Find conflicting instances"
- shell: grep -rs "net.ipv6.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv6.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040260_conflicting_settings
 - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: net.ipv6.conf.all.forwarding = [^0]
 state: absent
@@ -6871,7 +6871,7 @@
 when: rhel_08_040260_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -6890,13 +6890,13 @@
 - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces."
 block:
 - name: "MEDIUM | RHEL-08-040261 | AUDIT | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Find conflicting instances"
- shell: grep -rs "net.ipv6.conf.all.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv6.conf.all.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040261_conflicting_settings
 - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: net.ipv6.conf.all.accept_ra = [^0]
 state: absent
@@ -6904,7 +6904,7 @@
 when: rhel_08_040261_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -6924,13 +6924,13 @@
 - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default."
 block:
 - name: "MEDIUM | RHEL-08-040262 | AUDIT | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Find conflicting instances"
- shell: grep -rs "net.ipv6.conf.default.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv6.conf.default.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
- failed_when: False
+ failed_when: false
 register: rhel_08_040262_conflicting_settings
 - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: net.ipv6.conf.default.accept_ra = [^0]
 state: absent
@@ -6938,7 +6938,7 @@
 when: rhel_08_040262_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -6958,13 +6958,13 @@
 - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default."
 block:
 - name: "MEDIUM | RHEL-08-040270 | AUDIT | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Find conflicting instances"
- shell: grep -rs "net.ipv4.conf.default.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv4.conf.default.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040270_conflicting_settings
 - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: net.ipv4.conf.default.send_redirects = [^0]
 state: absent
@@ -6972,7 +6972,7 @@
 when: rhel_08_040270_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -6990,13 +6990,13 @@
 - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages."
 block:
 - name: "MEDIUM | RHEL-08-040279 | AUDIT | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Find conflicting instances"
- shell: grep -rs "net.ipv4.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv4.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040279_conflicting_settings
 - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: net.ipv4.conf.all.accept_redirects = [^0]
 state: absent
@@ -7004,7 +7004,7 @@
 when: rhel_08_040279_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -7022,13 +7022,13 @@
 - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages."
 block:
 - name: "MEDIUM | RHEL-08-040280 | AUDIT | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Find conflicting instances"
- shell: grep -rs "net.ipv6.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv6.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040280_conflicting_settings
 - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: net.ipv6.conf.all.accept_redirects = [^0]
 state: absent
@@ -7036,7 +7036,7 @@
 when: rhel_08_040280_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -7055,13 +7055,13 @@
 - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes."
 block:
 - name: "MEDIUM | RHEL-08-040281 | AUDIT | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Find conflicting instances"
- shell: grep -rs "kernel.unprivileged_bpf_disabled = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "kernel.unprivileged_bpf_disabled = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040281_conflicting_settings
 - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: kernel.unprivileged_bpf_disabled = [^1]
 state: absent
@@ -7069,7 +7069,7 @@
 when: rhel_08_040281_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -7087,13 +7087,13 @@
 - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes."
 block:
 - name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances"
- shell: grep -rs "kernel.yama.ptrace_scope = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040282_conflicting_settings
 - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: kernel.yama.ptrace_scope = [^1]
 state: absent
@@ -7101,7 +7101,7 @@
 when: rhel_08_040282_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -7119,13 +7119,13 @@
 - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access."
 block:
 - name: "MEDIUM | RHEL-08-040283 | AUDIT | RHEL 8 must restrict exposed kernel pointer addresses access. | Find conflicting instances"
- shell: grep -rs "kernel.kptr_restrict = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "kernel.kptr_restrict = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040283_conflicting_settings
 - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: kernel.kptr_restrict = [^1]
 state: absent
@@ -7133,7 +7133,7 @@
 when: rhel_08_040283_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -7151,13 +7151,13 @@
 - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces."
 block:
 - name: "MEDIUM | RHEL-08-040284 | AUDIT | RHEL 8 must disable the use of user namespaces. | Find conflicting instances"
- shell: grep -rs "user.max_user_namespaces = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "user.max_user_namespaces = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040284_conflicting_settings
 - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: user.max_user_namespaces = [^0]
 state: absent
@@ -7165,7 +7165,7 @@
 when: rhel_08_040284_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -7183,13 +7183,13 @@
 - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces."
 block:
 - name: "MEDIUM | RHEL-08-040285 | AUDIT | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Find conflicting instances"
- shell: grep -rs "net.ipv4.conf.all.rp_filter = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.ipv4.conf.all.rp_filter = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040285_conflicting_settings
 - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: net.ipv4.conf.all.rp_filter = [^1]
 state: absent
@@ -7197,7 +7197,7 @@
 when: rhel_08_040285_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -7215,13 +7215,13 @@
 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler."
 block:
 - name: "MEDIUM | RHEL-08-040286 | AUDIT | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Find conflicting instances"
- shell: grep -rs "net.core.bpf_jit_harden = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "net.core.bpf_jit_harden = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_040286_conflicting_settings
 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Replace conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: net.core.bpf_jit_harden = [^2]
 state: absent
@@ -7229,7 +7229,7 @@
 when: rhel_08_040286_conflicting_settings.stdout | length > 0
 - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file"
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -7244,7 +7244,7 @@
 - V-244554
 - name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction"
- command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'"
+ ansible.builtin.shell: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'"
 when:
 - "'postfix' in ansible_facts.packages"
 - rhel_08_040290
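Review bot: In the RHEL-08-040290 hunk the module changes from `command` to `ansible.builtin.shell`, which is not the fully-qualified name of the original module: `command` executes the argv directly while `shell` hands the string to /bin/sh, so this rename silently widens the execution semantics of an otherwise mechanical FQCN commit. The faithful replacement is `ansible.builtin.command: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'"`. Separately, `postconf -e` rewrites main.cf unconditionally and the task has no `changed_when`, so it reports changed on every run; reading the current value first (e.g. `postconf -h smtpd_client_restrictions`) and guarding the edit would make it idempotent. The task's `when`/`tags` continue outside the hunk.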
@@ -7258,7 +7258,7 @@
 - mail
 - name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved."
- package:
+ ansible.builtin.package:
 name:
 - xorg-x11-server-Xorg
 - xorg-x11-server-common
@@ -7280,7 +7280,7 @@
 - gui
 - name: "MEDIUM | RHEL-08-040321 | PATCH | The graphical display manager must not be the default target on RHEL 8 unless approved."
- file:
+ ansible.builtin.file:
 src: /usr/lib/systemd/system/multi-user.target
 dest: /etc/systemd/system/default.target
 state: link
@@ -7298,7 +7298,7 @@
 - name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode."
 block:
 - name: "MEDIUM | RHEL-08-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode"
- shell: "ip link | grep -i promisc | cut -d ':' -f 2"
+ ansible.builtin.shell: "ip link | grep -i promisc | cut -d ':' -f 2"
 check_mode: false
 failed_when: false
 changed_when: rhel_08_040670_promisc_check.stdout != ''
@@ -7306,7 +7306,7 @@
 register: rhel_08_040670_promisc_check
 - name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode"
- shell: "ip link set dev {{ item }} promisc off"
+ ansible.builtin.shell: "ip link set dev {{ item }} promisc off"
 with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}"
 when:
 - rhel_08_040330
@@ -7322,7 +7322,7 @@
 - network
 - name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
 regexp: '(?i)^#?X11Forwarding'
 line: 'X11Forwarding no'
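Review bot: In the two RHEL-08-040330 hunks the registered variable is `rhel_08_040670_promisc_check` while the control, its task names and its `when` are all 040330; the mismatched id reads like a copy-paste from another control and defeats grepping by STIG id, so `register: rhel_08_040330_promisc_check` (and the same rename in `changed_when` and `with_items`) is worth doing while the lines are being touched. The remediation line `ansible.builtin.shell: "ip link set dev {{ item }} promisc off"` uses no shell features and interpolates a name parsed out of `ip link` output, so `ansible.builtin.command` is the safer drop-in there. Note also that `cut -d ':' -f 2` yields names with a leading space and, for interfaces printed as `name@parent`, the `@parent` suffix, which `ip link set dev` would presumably reject; confirm whether such interfaces are in scope. The block's `when`/`tags` continue outside the hunk.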
@@ -7340,7 +7340,7 @@
 - ssh
 - name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
 regexp: '(?i)^#?X11UseLocalhost'
 line: 'X11UseLocalhost yes'
@@ -7355,20 +7355,19 @@
 - SV-230556r858723_rule
 - ssh
-
 - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs"
 block:
- - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs"
- ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g'
- changed_when: false
- register: rhel8stig_current_kex
-
- - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs"
- ansible.builtin.lineinfile:
- path: /etc/crypto-policies/back-ends/opensshserver.config
- regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)'
- line: '\g<1>-o{{ rhel8stig_ssh_kex }}\g<2>'
- backrefs: true
+ - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs"
+ ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g'
+ changed_when: false
+ register: rhel8stig_current_kex
+
+ - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs"
+ ansible.builtin.lineinfile:
+ path: /etc/crypto-policies/back-ends/opensshserver.config
+ regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)'
+ line: '\g<1>-o{{ rhel8stig_ssh_kex }}\g<2>'
+ backrefs: true
 notify: change_requires_reboot
 when:
 - rhel_08_040342
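Review bot: The re-indented PATCH task keeps an unbalanced quote in its name: `- name: MEDIUM | RHEL-08-040342 | PATCH | ... | get KEXs"` has no opening `"`, so YAML reads it as a plain scalar that ends in a literal `"`, and the `get KEXs` suffix duplicates the AUDIT task's name although this task rewrites the policy file. Suggest `- name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Set KEXs"`. Also, `rhel8stig_current_kex.stdout` is spliced unescaped into `regexp`; if the grep finds nothing, the pattern degrades to `(^CRYPTO_POLICY=.*)-o(.*$)`, the greedy first group lands on the last `-o` in the line, and `backrefs` would insert the new KEX option in front of that option's text, corrupting the policy line. A guard such as `when: rhel8stig_current_kex.stdout | length > 0` on the lineinfile task, or passing the value through `regex_escape`, avoids that. The block's `when` list continues outside the hunk.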
@@ -7382,7 +7381,7 @@
 - fips
 - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/xinetd.d/tftp
 regexp: "(?i)^.*server_args.*="
 line: "\tserver_args\t\t= -s /var/lib/tftpboot"
@@ -7406,7 +7405,7 @@
 - tftp
 - name: "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8."
- package:
+ ansible.builtin.package:
 name: gssproxy
 state: absent
 when:
@@ -7423,7 +7422,7 @@
 - gssproxy
 - name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8."
- package:
+ ansible.builtin.package:
 name: iprutils
 state: absent
 when:
@@ -7439,7 +7438,7 @@
 - iprutils
 - name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8."
- package:
+ ansible.builtin.package:
 name: tuned
 state: absent
 when:
@@ -7455,7 +7454,7 @@
 - tuned
 - name: "MEDIUM | RHEL-08-040400 | AUDIT | RHEL 8 must prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures."
- debug:
+ ansible.builtin.debug:
 msg:
 - "Warning! This task is a manual task"
 - "Please do the following to conform to STIG standards"
@@ -7473,7 +7472,7 @@
 - selinux
 - name: "MEDIUM | RHEL-08-010163 | PATCH | The krb5-server package must not be installed on RHEL 8."
- package:
+ ansible.builtin.package:
 name: krb5-server
 state: absent
 when:
@@ -7491,13 +7490,13 @@
 - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel."
 block:
 - name: "MEDIUM | RHEL-08-010382 | AUDIT | RHEL 8 must restrict privilege elevation to authorized personnel. | Get ALL settings"
- shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
+ ansible.builtin.shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
 changed_when: false
 failed_when: false
 register: rhel_08_010382_sudoers_all
 - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. | Remove format 1"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'ALL ALL=(ALL) ALL'
 state: absent
@@ -7507,7 +7506,7 @@
 when: rhel_08_010382_sudoers_all.stdout | length > 0
 - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. | Remove format 2"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'ALL ALL=(ALL:ALL) ALL'
 state: absent
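Review bot: The two `regexp` values in the RHEL-08-010382 hunks are Python regular expressions, so the parentheses in `'ALL ALL=(ALL) ALL'` and `'ALL ALL=(ALL:ALL) ALL'` are capturing groups rather than literal characters: the patterns match `ALL ALL=ALL ALL`, which does not occur in sudoers syntax, and the `ALL ALL=(ALL) ALL` grants the audit task found are left in place while lineinfile reports ok. Escape and anchor them: `regexp: '^ALL\s+ALL=\(ALL\)\s+ALL'` and `regexp: '^ALL\s+ALL=\(ALL:ALL\)\s+ALL'`. Because these tasks edit sudoers files in place, adding `validate: '/usr/sbin/visudo -cf %s'` as the RHEL-08-010383 task does would stop a malformed result from being written. Both tasks' `loop`/`when` continue outside the hunks.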
@@ -7530,13 +7529,13 @@
 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo."
 block:
 - name: "MEDIUM | RHEL-08-010383 | AUDIT | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation"
- shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d ':' -f1 | sort --uniq
+ ansible.builtin.shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d ':' -f1 | sort --uniq
 changed_when: false
 failed_when: false
 register: rhel_08_010383_priv_escalation
 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for no findings"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/sudoers
 line: "{{ item }}"
 validate: '/usr/sbin/visudo -cf %s'
@@ -7547,7 +7546,7 @@
 when: rhel_08_010383_priv_escalation.stdout | length == 0
 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for targetpw with findings"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'Defaults !targetpw'
 line: 'Defaults !targetpw'
@@ -7558,7 +7557,7 @@
 - rhel_08_010383_priv_escalation.stdout | length > 0
 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for rootpw with findings"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'Defaults !rootpw'
 line: 'Defaults !rootpw'
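Review bot: In the RHEL-08-010383 audit line, `egrep` is deprecated in GNU grep (newer releases print an obsolescence warning to stderr, which `failed_when: false` hides), and `grep -v '#'` drops every line containing a `#` anywhere, so a valid `Defaults !targetpw  # reason` entry is not counted as a finding and the "no findings" task then appends a redundant `Defaults` line to /etc/sudoers. `grep -Eis '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '^[^:]*:[[:space:]]*#'` keeps the intent while only excluding comment lines. The `validate: '/usr/sbin/visudo -cf %s'` on the first lineinfile is the right safeguard; whether the "with findings" tasks that edit `{{ item }}` carry the same validation is not visible in these hunks and is worth confirming. The task bodies continue outside the hunks.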
@@ -7569,7 +7568,7 @@
 - rhel_08_010383_priv_escalation.stdout | length > 0
 - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for runaspw with findings"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'Defaults !runaspw'
 line: 'Defaults !runaspw'
@@ -7593,13 +7592,13 @@
 - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command."
 block:
 - name: "MEDIUM | RHEL-08-010384 | AUDIT | RHEL 8 must require re-authentication when using the sudo command. | Get files with timeout set"
- shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
+ ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
 changed_when: false
 failed_when: false
 register: rhel_08_010384_timeout_files
 - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Set value if no results"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/sudoers
 regexp: 'Defaults timestamp_timeout='
 line: "Defaults timestamp_timeout={{ rhel8stig_sudo_timestamp_timeout }}"
@@ -7607,7 +7606,7 @@
 when: rhel_08_010384_timeout_files.stdout | length == 0
 - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Set value if has results"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: 'Defaults timestamp_timeout='
 line: "Defaults timestamp_timeout={{ rhel8stig_sudo_timestamp_timeout }}"
@@ -7628,7 +7627,7 @@
 - sudo
 - name: "MEDIUM | RHEL-08-010385 | PATCH | The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/pam.d/sudo
 regex: 'pam_succeed_if'
 state: absent
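Review bot: The RHEL-08-010385 task uses the `regex:` spelling while every other lineinfile task in these hunks uses `regexp:`; both are accepted by the module, but in a commit whose purpose is naming consistency it is worth changing to `regexp: 'pam_succeed_if'`. In the RHEL-08-010384 audit, `grep -is 'timestamp_timeout'` also counts commented-out entries such as `#Defaults timestamp_timeout=...` as findings, so the "has results" branch runs instead of the "no results" one; the unanchored `regexp: 'Defaults timestamp_timeout='` then rewrites that commented line into an active setting, which presumably is the intended outcome but deserves a comment on the task. The tasks' `loop`/`when`/`tags` continue outside the hunks.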
diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml
index 871333e8..0b41d7de 100644
--- a/tasks/fix-cat3.yml
+++ b/tasks/fix-cat3.yml
@@ -1,7 +1,7 @@
 ---
 - name: "LOW | RHEL-08-010171 | PATCH | RHEL 8 must have policycoreutils package installed."
- package:
+ ansible.builtin.package:
 name: policycoreutils
 when:
 - rhel_08_010171
@@ -15,7 +15,7 @@
 - policycoreutils
 - name: "LOW | RHEL-08-010292 | PATCH | RHEL 8 must ensure the SSH server uses strong entropy."
- lineinfile:
+ ansible.builtin.lineinfile:
 path: /etc/sysconfig/sshd
 regexp: '^(#)?SSH_USE_STRONG_RNG='
 line: SSH_USE_STRONG_RNG=32
@@ -35,13 +35,13 @@
 - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer."
 block:
 - name: "LOW | RHEL-08-010375 | AUIDT | RHEL 8 must restrict access to the kernel message buffer. | Find conflicting instances"
- shell: grep -rs "kernel.dmesg_restrict = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "kernel.dmesg_restrict = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_010375_conflicting_settings
 - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer. | Remove conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: '^kernel.dmesg_restrict = 0'
 state: absent
@@ -49,7 +49,7 @@
 when: rhel_08_010375_conflicting_settings.stdout | length > 0
 - name: "LOW | RHEL-08-010375 | PATCH | RHEL 8 must restrict access to the kernel message buffer."
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
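Review bot: The RHEL-08-010375 audit task name carries a typo, `AUIDT`, where every sibling task uses `AUDIT`; since the task names double as the log identifiers people grep for, the context line should read `- name: "LOW | RHEL-08-010375 | AUDIT | RHEL 8 must restrict access to the kernel message buffer. | Find conflicting instances"`. The block's `when`/`tags` continue outside the hunk.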
@@ -67,13 +67,13 @@
 - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users."
 block:
 - name: "LOW | RHEL-08-010376 | AUDIT | RHEL 8 must prevent kernel profiling by unprivileged users. | Find conflicting instances"
- shell: grep -rs "kernel.perf_event_paranoid = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+ ansible.builtin.shell: grep -rs "kernel.perf_event_paranoid = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
 changed_when: false
 failed_when: false
 register: rhel_08_010376_conflicting_settings
 - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users. | Remove conflicting instances"
- lineinfile:
+ ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: '^kernel.perf_event_paranoid = [^2]'
 state: absent
@@ -81,7 +81,7 @@
 when: rhel_08_010376_conflicting_settings.stdout | length > 0
 - name: "LOW | RHEL-08-010376 | PATCH | RHEL 8 must prevent kernel profiling by unprivileged users."
- debug:
+ ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
 changed_when: true
 notify: update sysctl
@@ -99,7 +99,7 @@
 - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8."
 block:
 - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Find .conf files"
- find:
+ ansible.builtin.find:
 paths: /etc
 recurse: true
 file_type: any
@@ -110,7 +110,7 @@ register: rhel_08_010440_package_confs - name: "LOW | RHEL-08-010440 | PATCH | YUM must remove all software components after updated versions have been installed on RHEL 8. | Set settings" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item.path }}" regexp: '^.*clean_requirements_on_remove' line: 'clean_requirements_on_remove=True' @@ -133,7 +133,7 @@ LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" block: - name: "LOW | RHEL-08-010472 | PATCH | RHEL 8 must have the packages required to use the hardware random number generator entropy gatherer service" - package: + ansible.builtin.package: name: rng-tools state: present when: @@ -141,7 +141,7 @@ - "'rng-tools' not in ansible_facts.packages" - name: "LOW | RHEL-08-010471 | PATCH | RHEL 8 must enable the hardware random number generator entropy gatherer service." - systemd: + ansible.builtin.systemd: name: rngd.service state: started enabled: true @@ -164,7 +164,7 @@ - V-244527 - name: "LOW | RHEL-08-010540 | AUDIT | The RHEL 8 must use a separate file system for /var." - debug: + ansible.builtin.debug: msg: "WARNING!! /var is not mounted on a separate partition" changed_when: - rhel8stig_audit_complex @@ -184,7 +184,7 @@ - var - name: "LOW | RHEL-08-010541 | AUDIT | RHEL 8 must use a separate file system for /var/log." - debug: + ansible.builtin.debug: msg: - "WARNING!! /var/log is not mounted on a separate partition" changed_when: @@ -204,7 +204,7 @@ - mounts - name: "LOW | RHEL-08-010542 | AUDIT | The RHEL 8 must use a separate file system for the system audit data path." - debug: + ansible.builtin.debug: msg: - "WARNING!! /var/log/audit is not mounted on a seperate partition" changed_when: 
@@ -225,7 +225,7 @@ - auditd - name: "LOW | RHEL-08-020024 | PATCH | RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types." - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/limits.conf regexp: '^\* hard maxlogins' line: '* hard maxlogins {{ rhel8stig_maxlogins }}' @@ -245,7 +245,7 @@ - V-230346 - name: "LOW | RHEL-08-020042 | PATCH | RHEL 8 must prevent users from disabling session control mechanisms." - lineinfile: + ansible.builtin.lineinfile: path: /etc/shells regexp: 'tmux' state: absent @@ -261,7 +261,7 @@ - tmux - name: "LOW | RHEL-08-020340 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon logon." - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/postlogin regexp: 'session.*required.*pam_lastlog\.so.*showfailed' line: "session required pam_lastlog.so showfailed" @@ -277,7 +277,7 @@ - V-230381 - name: "LOW | RHEL-08-030063 | PATCH | RHEL 8 must resolve audit information before writing to disk." - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: '^log_format =' line: "log_format = ENRICHED" 
@@ -296,27 +296,27 @@ - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon." block: - name: "LOW | RHEL-08-030601 | AUDIT | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false register: rhel8stig_030601_grub_cmdline_linux - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit to 1 as active" - shell: grubby --update-kernel=ALL --args="audit=1" + ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" args: warn: false when: (ansible_proc_cmdline.audit is defined and ansible_proc_cmdline.audit != '1') or (ansible_proc_cmdline.audit is not defined) - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if doesnt exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030601_grub_cmdline_linux.stdout }} audit=1"' when: '"audit=" not in rhel8stig_030601_grub_cmdline_linux.stdout' - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit=1 for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'audit=([^\s|"])+' replace: "audit=1" 
@@ -335,27 +335,27 @@ - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon." block: - name: "LOW | RHEL-08-030602 | AUDIT | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false register: rhel8stig_030602_grub_cmdline_linux - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" - shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" args: warn: false when: (ansible_proc_cmdline.audit_backlog_limit is defined and ansible_proc_cmdline.audit_backlog_limit != '8192') or (ansible_proc_cmdline.audit_backlog_limit is not defined) - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Set audit audit_backlog_limit for kernel updates if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_030602_grub_cmdline_linux.stdout }} audit_backlog_limit=8192"' when: '"audit_backlog_limit=" not in rhel8stig_030602_grub_cmdline_linux.stdout' - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. 
| Set audit audit_backlog_limit for kernel updates if exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'audit_backlog_limit=([^\s|"])+' replace: "audit_backlog_limit=8192" @@ -373,7 +373,7 @@ - auditd - name: "LOW | RHEL-08-030603 | PATCH | RHEL 8 must enable Linux audit logging for the USBGuard daemon" - lineinfile: + ansible.builtin.lineinfile: path: /etc/usbguard/usbguard-daemon.conf regexp: '^AuditBackend=' line: "AuditBackend=LinuxAudit" @@ -393,7 +393,7 @@ - usb - name: "LOW | RHEL-08-030741 | PATCH | RHEL 8 must disable the chrony daemon from acting as a server." - lineinfile: + ansible.builtin.lineinfile: path: /etc/chrony.conf regexp: '^port|#port' line: "port 0" @@ -410,7 +410,7 @@ - chrony - name: "LOW | RHEL-08-030742 | PATCH | RHEL 8 must disable network management of the chrony daemon." - lineinfile: + ansible.builtin.lineinfile: path: /etc/chrony.conf regexp: '^cmdport|#cmdport' line: "cmdport 0" @@ -428,14 +428,14 @@ - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities." block: - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" - shell: grubby --update-kernel=ALL --args="pti=on" + ansible.builtin.shell: grubby --update-kernel=ALL --args="pti=on" args: warn: false when: (ansible_proc_cmdline.pti is defined and ansible_proc_cmdline.pti != 'on') or (ansible_proc_cmdline.pti is not defined ) - name: "LOW | RHEL-08-040004 | AUDIT | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' + ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' args: warn: false changed_when: false 
@@ -443,14 +443,14 @@ register: rhel8stig_040004_grub_cmdline_linux - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti if doesn't exist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_040004_grub_cmdline_linux.stdout }} pti=on"' when: '"pti=on" not in rhel8stig_040004_grub_cmdline_linux.stdout' - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti exists" - replace: + ansible.builtin.replace: path: /etc/default/grub regexp: 'pti=([^\s|"])+' replace: "pti=on" @@ -467,7 +467,7 @@ - grub - name: "LOW | RHEL-08-040021 | PATCH | RHEL 8 must disable the asynchronous transfer mode (ATM) protocol." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -493,7 +493,7 @@ - atm - name: "LOW | RHEL-08-040022 | PATCH | RHEL 8 must disable the controller area network (CAN) protocol." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -519,7 +519,7 @@ - can - name: "LOW | RHEL-08-040023 | PATCH | RHEL 8 must disable the stream control transmission (SCTP) protocol." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -545,7 +545,7 @@ - sctp - name: "LOW | RHEL-08-040024 | PATCH | RHEL 8 must disable the transparent inter-process communication (TIPC) protocol." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -571,7 +571,7 @@ - tipc - name: "LOW | RHEL-08-040025 | PATCH | RHEL 8 must disable mounting of cramfs." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -597,7 +597,7 @@ - cramfs - name: "LOW | RHEL-08-040026 | PATCH | RHEL 8 must disable IEEE 1394 (FireWire) Support." - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -625,7 +625,7 @@ - name: | "LOW | RHEL-08-040300 | PATCH | The RHEL 8 file integrity tool must be configured to verify extended attributes." "LOW | RHEL-08-040310 | PATCH | The RHEL 8 file integrity tool must be configured to verify Access Control Lists (ACLs)." - template: + ansible.builtin.template: src: aide.conf.j2 dest: /etc/aide.conf owner: root diff --git a/tasks/main.yml b/tasks/main.yml index d616c996..34fb84d2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Gather distribution info - setup: + ansible.builtin.setup: gather_subset: distribution,!all,!min when: - ansible_distribution is not defined @@ -9,7 +9,7 @@ - always - name: Check OS version and family - assert: + ansible.builtin.assert: that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" 
@@ -19,7 +19,7 @@ - always - name: Check ansible version - assert: + ansible.builtin.assert: that: ansible_version.full is version_compare(rhel8stig_min_ansible_version, '>=') fail_msg: "You must use Ansible {{ rhel8stig_min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ rhel8stig_min_ansible_version }}" @@ -29,14 +29,14 @@ - name: "Check password set for connecting user" block: - name: Capture current password state of connecting user" - shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" + ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" - assert: + ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}" @@ -51,14 +51,14 @@ - name: "Ensure superuser for grub does not match existing user" block: - name: "Ensure superuser for grub does not match existing user | capture users" - shell: cat /etc/passwd | cut -d':' -f1 + ansible.builtin.shell: cat /etc/passwd | cut -d':' -f1 changed_when: false failed_when: false check_mode: false register: rhel8stig_user_list - name: "Ensure superuser for grub does not match existing user" - assert: + ansible.builtin.assert: that: rhel8stig_boot_superuser not in rhel8stig_user_list.stdout_lines fail_msg: "A unique name must be used for bootloader access user='{{ rhel8stig_boot_superuser }}' already exists refer to variable rhel8stig_boot_superuser" when: 
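Review bot: The shadow lookup `grep {{ ansible_env.SUDO_USER }} /etc/shadow` in the `@@ -29,14 +29,14 @@` hunk is unanchored, so a connecting user whose name is a substring of another account (say `ops` against `devops`) can have a different account's password field captured, and the assert then passes or fails on the wrong user; anchoring it as `grep "^{{ ansible_env.SUDO_USER }}:" /etc/shadow` fixes that. `ansible_env.SUDO_USER` also only exists when the connection reached root through sudo; a direct root connection or a non-sudo become method leaves it undefined and the templating error aborts the play before the assert runs, so a guard such as `when: ansible_env.SUDO_USER is defined` on the block (or an explicit fallback) is worth adding. Minor: the context line `- name: Capture current password state of connecting user"` carries a stray trailing `"`, and `success_msg: "You a password set for ..."` is missing a word.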
@@ -71,15 +71,15 @@ - name: Setup rules if container block: - name: Discover and set container variable if required - set_fact: + ansible.builtin.set_fact: system_is_container: true - name: Load variable for container - include_vars: + ansible.builtin.include_vars: file: "{{ container_vars_file }}" - name: output if discovered is a container - debug: + ansible.builtin.debug: msg: system has been discovered as a container when: - system_is_container @@ -91,7 +91,7 @@ - always - name: Check rhel8stig_bootloader_password_hash variable has been changed - assert: + ansible.builtin.assert: that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set" @@ -104,7 +104,7 @@ - grub - name: Check if using resolv.conf template settings are changed - assert: + ansible.builtin.assert: that: - rhel8_stig_resolv_domain != 'example.com' - rhel8_stig_resolv_search | length > 0 @@ -117,19 +117,19 @@ - always - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: Include prelim tasks - import_tasks: prelim.yml + ansible.builtin.import_tasks: prelim.yml tags: - prelim_tasks - run_audit - name: Include pre-remediation tasks - import_tasks: pre_remediation_audit.yml + ansible.builtin.import_tasks: pre_remediation_audit.yml when: - run_audit - setup_audit 
@@ -137,51 +137,50 @@ - run_audit - name: Include CAT I patches - import_tasks: fix-cat1.yml + ansible.builtin.import_tasks: fix-cat1.yml when: rhel8stig_cat1_patch tags: - CAT1 - high - name: Include CAT II patches - import_tasks: fix-cat2.yml + ansible.builtin.import_tasks: fix-cat2.yml when: rhel8stig_cat2_patch tags: - CAT2 - medium - name: Include CAT III patches - import_tasks: fix-cat3.yml + ansible.builtin.import_tasks: fix-cat3.yml when: rhel8stig_cat3_patch | bool tags: - CAT3 - low - name: flush handlers - meta: flush_handlers + ansible.builtin.meta: flush_handlers tags: - CAT1 - CAT2 - CAT3 - - name: reboot system if changes require it and not skipped - reboot: + ansible.builtin.reboot: when: - - change_requires_reboot - - not rhel8stig_skip_reboot + - change_requires_reboot + - not rhel8stig_skip_reboot tags: - CAT1 - CAT2 - CAT3 - name: Include post-remediation tasks - import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit - name: Show Audit Summary - debug: + ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" when: - run_audit @@ -189,12 +188,12 @@ - run_audit - name: Warning a reboot required but skip option set - debug: + ansible.builtin.debug: msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - - change_requires_reboot - - rhel8stig_skip_reboot + - change_requires_reboot + - rhel8stig_skip_reboot tags: - CAT1 - CAT2 diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index c42159ea..ef4fbf6a 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml 
@@ -2,13 +2,13 @@ - name: "PRELIM | {{ rhel8stig_passwd_tasks }} | Parse /etc/passwd" block: - name: "PRELIM | {{ rhel8stig_passwd_tasks }} | Parse /etc/passwd" - command: cat /etc/passwd + ansible.builtin.shell: cat /etc/passwd changed_when: false check_mode: false register: rhel8stig_passwd_file_audit - name: "PRELIM | {{ rhel8stig_passwd_tasks }} | Split passwd entries" - set_fact: + ansible.builtin.set_fact: rhel8stig_passwd: "{{ rhel8stig_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel8stig_passwd_file_audit.stdout_lines }}" diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 2249563c..821afd4d 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: rhel8stig_run_post_remediation.rc == 0 register: rhel8stig_run_post_remediation @@ -9,7 +9,7 @@ warn: false - name: Post Audit | ensure audit files readable by users - file: + ansible.builtin.file: path: "{{ item }}" mode: 0644 state: file 
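Review bot: In the parse_etc_passwd.yml hunk, `command: cat /etc/passwd` becomes `ansible.builtin.shell: cat /etc/passwd`, but nothing in the line needs a shell (no pipe, redirect or glob), so the migration to the FQCN should be `ansible.builtin.command: cat /etc/passwd` rather than widening to `shell`. The same `command`-to-`shell` swap appears on the post_remediation_audit.yml hunks at L169 (`cat {{ post_audit_outfile }}`, `tail -2 {{ post_audit_outfile }}`) and the pre_remediation_audit.yml hunks at L171 (`{{ pre_audit_outfile }}`); there a templated path is now interpolated into a command line that a shell interprets, so any metacharacters in the variable are honoured, whereas `ansible.builtin.command` passes the words through without shell interpretation. If a shell really is required somewhere, a comment on that task saying why would stop the next FQCN pass from "fixing" it back.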
@@ -19,13 +19,13 @@ - name: Post Audit | Capture audit data if json format block: - - name: "capture data {{ post_audit_outfile }}" - command: "cat {{ post_audit_outfile }}" + - name: Post Audit | "capture data {{ post_audit_outfile }}" + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Capture post-audit result - set_fact: + - name: Post Audit | Capture post-audit result + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' @@ -35,12 +35,12 @@ - name: Post Audit | Capture audit data if documentation format block: - name: "Post Audit | capture data {{ post_audit_outfile }}" - command: "tail -2 {{ post_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Post Audit | Capture post-audit result - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index a72b60b1..c09253a3 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,14 +1,14 @@ --- - name: "Pre Audit | Setup the audit" - include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit - name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" - file: + ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' @@ -16,7 +16,7 @@ - name: "Pre Audit | If using git for content set up" block: - name: Pre Audit | Install git (rh8 python3) - package: + ansible.builtin.package: name: git state: present when: @@ -25,7 +25,7 @@ - "'git' not in ansible_facts.packages" - name: "Pre Audit | Install git (rh7 python2)" - package: + ansible.builtin.package: name: git state: present vars: 
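Review bot: The renamed task `- name: Post Audit | "capture data {{ post_audit_outfile }}"` in the first post_remediation_audit.yml hunk places the quotes inside the value, so the task name now literally contains the `"` characters, while its sibling in the following hunk is written `"Post Audit | capture data {{ post_audit_outfile }}"`. Writing it as `- name: "Post Audit | capture data {{ post_audit_outfile }}"` keeps the two consistent and avoids a plain scalar with embedded quotes.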
@@ -36,7 +36,7 @@ - "'git' not in ansible_facts.packages" - name: "Pre Audit | retrieve audit content files from git" - git: + ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" @@ -44,7 +44,7 @@ - audit_content == 'git' - name: "Pre Audit | copy to audit content files to server" - copy: + ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" mode: 0644 @@ -52,7 +52,7 @@ - audit_content == 'copy' - name: "Pre Audit | get audit content from url" - get_url: + ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" when: @@ -61,12 +61,12 @@ - name: "Pre Audit | Check Goss is available" block: - name: Pre Audit | Check for goss file - stat: + ansible.builtin.stat: path: "{{ audit_bin }}" register: goss_available - name: "Pre Audit | If audit ensure goss is available" - assert: + ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: - not goss_available.stat.exists @@ -74,14 +74,14 @@ - run_audit - name: "Pre Audit | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel8_efi_boot tags: - goss_template - name: "Pre Audit | Copy ansible default vars values to test audit" - template: + ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 @@ -91,7 +91,7 @@ - goss_template - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: rhel8stig_run_pre_remediation.rc == 0 register: rhel8stig_run_pre_remediation 
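Review bot: The `ansible.builtin.get_url` task in the `@@ -52,7 +52,7 @@` hunk downloads the audit content into `{{ audit_conf_dir }}` with no `checksum:`, so whatever the URL serves is later executed as `run_audit.sh` without any integrity check, while the git path in the `@@ -36,7 +36,7 @@` hunk is at least pinned through `version:`. Adding `checksum: "sha256:<expected digest>"` (the digest published with the audit content release) makes the module reject a tampered or truncated download. If `audit_files_url` is only ever an internal, trusted location, that assumption is worth recording in a comment on the task so it is not silently relied upon.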
@@ -101,12 +101,12 @@ - name: "Pre Audit | Capture audit data if json format" block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "cat {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: "Pre Audit | Capture pre-audit result" - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' @@ -116,12 +116,12 @@ - name: "Pre Audit | Capture audit data if documentation format" block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - command: "tail -2 {{ pre_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: "Pre Audit | Capture pre-audit result" - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bf42c7b8..17f6e7a8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -119,19 +119,19 @@ block: - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero assert: - that: - - rhel8stig_auto_mount_home_dirs_local_mount_point is defined - - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0 + that: + - rhel8stig_auto_mount_home_dirs_local_mount_point is defined + - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0 - name: Modify local_interactive_user_dir_command to exclude remote automounted home directories set_fact: local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}" when: - - rhel8stig_autofs_remote_home_dirs + - rhel8stig_autofs_remote_home_dirs tags: - - RHEL-08-010690 - - complexity-high + - RHEL-08-010690 + - complexity-high - name: "PRELIM | RHEL-08-010690 | Gather local interactive user directories" shell: "{{ local_interactive_user_dir_command }}" diff --git a/vars/is_container.yml b/vars/is_container.yml index 37e1ef6d..5241528e 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -91,7 +91,6 @@ rhel_08_030731: false rhel_08_030063: false # rhel_08_030602: false # Also grub - # rsyslog rhel_08_010070: false rhel_08_010561: false From 703f2f50837d61fcfdb8b2ac60b21052186ed832 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Tue, 11 Apr 2023 14:46:09 -0400 Subject: [PATCH 11/20] Revert " Change Signed-off-by: Stephen Williams --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index e265d327..3c95362f 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -120,7 +120,7 @@ - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - rhel8stig_boot_part not in ['/', ''] or - "'boot=' not in item" + 'boot=' not in item changed_when: - ansible_check_mode - rhel_08_010020_audit is failed 
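Review bot: The `set_fact` line in the prelim.yml hunk, `local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}"`, opens a single quote that is never closed (unless the closing `'` was lost when the page was rendered), so the command later run by `shell: "{{ local_interactive_user_dir_command }}"` ends in an unterminated quote and the shell rejects it whenever `rhel8stig_autofs_remote_home_dirs` is set. The line should end `...rhel8stig_auto_mount_home_dirs_local_mount_point }}'"`. The commit only re-indents around this context line, but since it touches the block it is the natural place to fix it.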
From a0dcca822ff19c3e5646e4dac2feb79e1b4bcea6 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Tue, 11 Apr 2023 15:22:03 -0400 Subject: [PATCH 12/20] Fixed " Change Signed-off-by: Stephen Williams --- tasks/fix-cat1.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 3c95362f..58217d32 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -119,8 +119,8 @@ when: - not ansible_check_mode or rhel_08_010020_default_grub_missing_audit is not changed - - rhel8stig_boot_part not in ['/', ''] or - 'boot=' not in item + - "rhel8stig_boot_part not in ['/', ''] or + 'boot=' not in item" changed_when: - ansible_check_mode - rhel_08_010020_audit is failed From fd602a38ed5969fb43bdcc3aa7ea4511785b3ab8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Apr 2023 10:39:52 +0100 Subject: [PATCH 13/20] updated /var/log check, comments on 10600 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 63a9b43d..c8322a00 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1908,6 +1908,9 @@ - mounts - home +## Note Azure is currently default mounting /mnt for cloud-init this will cause issues +## refer to https://github.com/Azure/WALinuxAgent/issues/1971 + - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media." block: - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media" 
@@ -6206,7 +6209,7 @@ "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option." "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option." "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option." - ansible.builtin.shell: mount | grep /var/log + ansible.builtin.shell: mount | grep -w "/var/log " changed_when: false failed_when: false register: rhel8stig_040126_var_log_status From 03e41cf7d693723a9e96162f1f61d844efb51143 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Apr 2023 10:40:20 +0100 Subject: [PATCH 14/20] Added comments around 10600-10620 Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index c8803033..18e95201 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -190,9 +190,12 @@ rhel_08_010571: true rhel_08_010572: true rhel_08_010580: true rhel_08_010590: true +## Note Azure is currently default mounting /mnt for cloud-init this will cause issues with these controls +## refer to https://github.com/Azure/WALinuxAgent/issues/1971 rhel_08_010600: true rhel_08_010610: true rhel_08_010620: true +## rhel_08_010630: true rhel_08_010640: true rhel_08_010650: true From 9d13ccc8e875de4a5fc68024ad4818c7ec5e6541 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Apr 2023 10:41:16 +0100 Subject: [PATCH 15/20] updated Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog.md b/Changelog.md index 9cdc4f21..e3d7abdb 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to RHEL8STIG +## Release 2.8.5 +- updated to /var/log mount check +- added commnets for /mnt and removeable media on Azure systems + ## Release 2.8.4 - ansible version updated to 2.10.1 minimum From a39ab69b53bfdf902fd3bc641e73ccaeeb4867a4 Mon Sep 17 00:00:00 2001 
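Review bot: `mount | grep -w "/var/log "` in the fix-cat2 hunk uses a trailing space inside the pattern to stop `/var/log/audit` from matching; that works, but the `-w` is then redundant and the check still depends on the exact spacing of `mount` output, which is not a stable interface. The gathered facts already hold the same data, e.g. `ansible_facts.mounts | selectattr('mount', 'equalto', '/var/log') | list`, which yields the exact mount entry with its options and needs no shell at all. If the task has to stay a command, a comment such as `# trailing space: match /var/log itself, not /var/log/audit` would explain the otherwise puzzling pattern.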
From: Jacob Buskirk Date: Mon, 24 Apr 2023 17:08:08 +0000 Subject: [PATCH 16/20] Remove warn from command and shell Signed-off-by: Jacob Buskirk --- handlers/main.yml | 2 -- tasks/fix-cat2.yml | 30 ------------------------------ tasks/fix-cat3.yml | 8 -------- tasks/prelim.yml | 4 ---- 4 files changed, 44 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 03ff8870..2f59864e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -104,8 +104,6 @@ - name: restart auditd ansible.builtin.shell: /usr/sbin/service auditd restart - args: - warn: false when: - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 63a9b43d..82f70659 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -248,8 +248,6 @@ - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing" ansible.builtin.shell: "passwd -l {{ item }}" - args: - warn: false with_items: - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}" when: @@ -902,8 +900,6 @@ "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root" "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root or a system account. | Get commands no group-owned by root" ansible.builtin.shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root" - args: - warn: false changed_when: false failed_when: false register: rhel_08_010300_commands 
@@ -949,8 +945,6 @@ "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root" "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root" ansible.builtin.shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root" - args: - warn: false changed_when: false failed_when: false register: rhel_08_010330_library_files @@ -1396,8 +1390,6 @@ block: - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: false changed_when: false failed_when: false register: rhel8stig_010421_grub_cmdline_linux @@ -1436,8 +1428,6 @@ block: - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings" ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: false changed_when: false failed_when: false register: rhel8stig_010422_grub_cmdline_linux @@ -1476,8 +1466,6 @@ block: - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings" ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: false changed_when: false failed_when: false register: rhel8stig_010423_grub_cmdline_linux @@ -1834,8 +1822,6 @@ block: - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts" ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g' - args: - warn: false changed_when: false check_mode: false register: rhel8stig_010580_mounts_nodev 
@@ -2113,8 +2099,6 @@ block: - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions" ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm -002 - args: - warn: false changed_when: false failed_when: false register: rhel_08_010660_world_writable_files @@ -2639,8 +2623,6 @@ block: - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files" ansible.builtin.shell: find / -nouser - args: - warn: false changed_when: false failed_when: false register: rhel_08_010780_nouser_files @@ -3323,8 +3305,6 @@ block: - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" ansible.builtin.shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' - args: - warn: false changed_when: false failed_when: false register: rhel_08_020050_removal_action @@ -3389,8 +3369,6 @@ block: - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" ansible.builtin.shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' - args: - warn: false changed_when: false failed_when: false register: rhel_08_020060_idle_delay_param @@ -4571,8 +4549,6 @@ block: - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory" ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,' - args: - warn: false changed_when: false failed_when: false register: rhel_08_030110_audit_log_dir 
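Review bot: `find / -nouser` at -2639 descends into every mounted filesystem, including /proc, /sys and any network mounts, and `failed_when: false` hides the permission and I/O errors that produces, so an unresponsive remote mount can stall the play and the registered list may carry pseudo-filesystem entries. The -2113 hunk in the same file already walks the real mounts with `-xdev`; the same approach (`find {{ item.mount }} -xdev -nouser` over the mount list) keeps the scan on local partitions without missing any of them, whereas a plain `find / -xdev -nouser` would skip other local partitions. The enclosing block starts and ends outside the hunk.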
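Review bot: `grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "` at -4571 assumes the setting is written exactly as `log_file = /path` with single spaces; `log_file=/path` or extra whitespace puts the path in another field so `rhel_08_030110_audit_log_dir.stdout` comes out empty, and `grep -iw` also matches a commented-out `# log_file = ...` line, with `failed_when: false` masking both cases. `sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' /etc/audit/auditd.conf | sed 's,/*[^/]\+/*$,,'` extracts the value regardless of spacing and ignores comment lines. The enclosing block starts and ends outside the hunk.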
@@ -6036,8 +6012,6 @@ block: - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available" ansible.builtin.shell: rpm -q NetworkManager - args: - warn: false check_mode: false changed_when: false register: rhel_08_nmcli_available @@ -6045,8 +6019,6 @@ - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled" ansible.builtin.shell: nmcli radio wifi - args: - warn: false register: rhel_08_wifi_enabled check_mode: false changed_when: rhel_08_wifi_enabled.stdout != "disabled" @@ -6114,8 +6086,6 @@ "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option." "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option." ansible.builtin.shell: mount | grep /dev/shm - args: - warn: false changed_when: false failed_when: false register: rhel8stig_040120_dev_shm_status diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 0b41d7de..974616f3 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -303,8 +303,6 @@ - name: "LOW | RHEL-08-030601 | PATCH | RHEL 8 must enable auditing of processes that start prior to the audit daemon. | Set audit to 1 as active" ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" - args: - warn: false when: (ansible_proc_cmdline.audit is defined and ansible_proc_cmdline.audit != '1') or (ansible_proc_cmdline.audit is not defined) @@ -342,8 +340,6 @@ - name: "LOW | RHEL-08-030602 | PATCH | RHEL 8 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | set audit_backlog_limit active" ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit=8192" - args: - warn: false when: (ansible_proc_cmdline.audit_backlog_limit is defined and ansible_proc_cmdline.audit_backlog_limit != '8192') or (ansible_proc_cmdline.audit_backlog_limit is not defined) 
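Review bot: `nmcli radio wifi` at -6045 is an AUDIT task, yet `changed_when: rhel_08_wifi_enabled.stdout != "disabled"` makes the play report a change merely for observing that wifi is on; nothing in the hunk modifies the system. Unless that changed status deliberately notifies a handler (not visible here), `changed_when: false` keeps the change summary accurate and leaves the PATCH task to report the real change. The enclosing block starts and ends outside the hunk.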
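Review bot: The `when` guard on `grubby --update-kernel=ALL --args="audit=1"` at -303 in tasks/fix-cat3.yml tests `ansible_proc_cmdline`, the command line of the kernel currently booted, so once grubby has updated the boot entries the task still runs and reports changed on every play until the host reboots. The same applies to `audit_backlog_limit=8192` (-342) and `pti=on` (-429). If idempotence matters, register the output of `grubby --info=ALL` (or, at -429, the GRUB_CMDLINE_LINUX value the following task already captures) and test that in `when` instead of the running kernel's cmdline.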
@@ -429,15 +425,11 @@ block: - name: "LOW | RHEL-08-040004 | PATCH | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Set pti=on active" ansible.builtin.shell: grubby --update-kernel=ALL --args="pti=on" - args: - warn: false when: (ansible_proc_cmdline.pti is defined and ansible_proc_cmdline.pti != 'on') or (ansible_proc_cmdline.pti is not defined ) - name: "LOW | RHEL-08-040004 | AUDIT | RHEL 8 must enable mitigations against processor-based vulnerabilities. | Get GRUB_CMDLINE_LINUX settings" ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"' - args: - warn: false changed_when: false failed_when: false register: rhel8stig_040004_grub_cmdline_linux diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 17f6e7a8..835f8ef7 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -166,8 +166,6 @@ - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" shell: df --output=target /boot | tail -n 1 - args: - warn: false changed_when: false check_mode: false register: rhel_08_boot_part @@ -288,8 +286,6 @@ - name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | AUDIT | Find ini files for interactive users." shell: find "{{ item }}" -maxdepth 1 -type f | grep '/\.[^/]*' - args: - warn: false with_items: "{{ rhel_08_stig_interactive_homedir_results }}" register: rhel_08_010770_ini_file_list changed_when: false From ed2fa61d4b5d9e72152d197eefdaeea189230710 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Fri, 28 Apr 2023 12:50:40 -0400 Subject: [PATCH 17/20] Fixed lookbehind regex for rule RHEL-08-010671 Fixed the regular expression for finding lines containing the text "kernel.core_pattern" that do not end in /bin/false. Needed to add the -P option to enable look around expressions in grep. Signed-off-by: PoundsOfFlesh --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 56476096..c0ad277e 100644 
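Review bot: The two tasks in tasks/prelim.yml (-166 and -288) keep the short `shell:` module name while every other hunk in this patch uses `ansible.builtin.shell`; with `warn` gone the behaviour is identical, but mixing the two spellings in one role makes linting and collection pinning inconsistent. Change both to `ansible.builtin.shell:`; the `df --output=target /boot | tail -n 1` pipeline at -166 does need `shell`, so `command` is not an option there.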
--- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2166,7 +2166,7 @@ - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." block: - name: "MEDIUM | RHEL-08-010671 | AUDIT | RHEL 8 must disable the kernel.core_pattern." - ansible.builtin.shell: grep -rs 'kernel.core_pattern\s+=\s*[? 0 From 82c2600fccce0a91237bf61dea4c37f3b10436e0 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Fri, 28 Apr 2023 12:02:14 -0400 Subject: [PATCH 18/20] Fix rule RHEL-08-040171 Add -l option to grep to produce a list of file names instead of a list of matches.66818F2AD22C537F Signed-off-by: PoundsOfFlesh --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 58217d32..c47855b2 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -427,7 +427,7 @@ - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed." block: - name: "HIGH | RHEL-08-040171 | PATCH | The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed. | Check for setting existing" - ansible.builtin.shell: grep -s logout /etc/dconf/db/local.d/* + ansible.builtin.shell: grep -sl logout /etc/dconf/db/local.d/* changed_when: false failed_when: false register: rhel_08_040171_logout_settings_status From 63c4c8406e7f6b49eeb94d787f258917e8716b0b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 09:35:54 +0100 Subject: [PATCH 19/20] fixed gnutls as per issue 196 thansk to @jmalpede Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 18e95201..b0bf82a8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
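Review bot: With `grep -sl`, `rhel_08_040171_logout_settings_status.stdout` now holds file names rather than the matching lines, so anything later in this block that inspected the match text must be adjusted; the rest of the block is outside the hunk, so that cannot be confirmed here. The unanchored pattern `logout` also lists a file whose only occurrence is a commented-out line, and `-l` now hides which line matched; if the dconf key is written as `logout=...`, `grep -slE '^[[:space:]]*logout=' /etc/dconf/db/local.d/*` limits the hit to an actual setting. The task name says PATCH for what is a read-only check (`changed_when: false`), which AUDIT would describe more accurately.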
@@ -879,7 +879,7 @@ rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ct # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 -rhel8stig_gnutls_encryption: "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" +rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" # RHEL-08-020070 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less From 4abd664894061d36bb427f063d7150322dacd713 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 May 2023 09:42:29 +0100 Subject: [PATCH 20/20] updated Signed-off-by: Mark Bolwell --- Changelog.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Changelog.md b/Changelog.md index e3d7abdb..bc2c27db 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,15 @@ # Changes to RHEL8STIG +## Release 2.8.6 + +- [#194](https://github.com/ansible-lockdown/RHEL8-STIG/issues/194) thanks to @JacobBuskirk +- [#196](https://github.com/ansible-lockdown/RHEL8-STIG/issues/196) thanks to @jmalpede + +- [#195](https://github.com/ansible-lockdown/RHEL8-STIG/pull/195) thanks to PoundsOfFlesh +- [#197](https://github.com/ansible-lockdown/RHEL8-STIG/pull/197) thanks to PoundsOfFlesh + ## Release 2.8.5 + - updated to /var/log mount check - added commnets for /mnt and removeable media on Azure systems
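Review bot: The context comment two lines above the changed default still reads `this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0`, while the new value of `rhel8stig_gnutls_encryption` deliberately drops `+VERS-ALL:` (the comment itself says the task sets that prefix). A reader comparing the two will conclude the default is wrong; update it to `# to conform to STIG standards this variable must contain -VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 (the task adds the +VERS-ALL: prefix)`. The preceding comment line also has the typos `teh` and `ecryption`, which could be fixed in the same edit.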