Merge pull request #53 from ansible-lockdown/v1r2_updates

V1r2 updates
ansible-lockdown · Oct 8, 2024 · 409b654 · 409b654
2 parents 3847b22 + a97be7b
commit 409b654
Show file tree

Hide file tree

Showing 8 changed files with 54 additions and 53 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -740,9 +740,9 @@ rhel9stig_postfix_client_conf: permit_mynetworks,reject
 ### ACCOUNTS and AUTH ###
 ## PAM and password settings
 rhel9stig_pass:
-  max_days: '60'
-  min_days: '1'
-  minlen: '15'
+  max_days: 60
+  min_days: 1
+  minlen: 15
 
 rhel9stig_user_inactive_days: '35'
 
@@ -778,13 +778,13 @@ rhel9stig_pam:
   rounds: '5000'
 
 rhel9stig_pwquality:
-  dcredit: '-1'
-  dictcheck: '1'
-  difok: '8'
-  lcredit: '-1'
-  maxclassrepeat: '4'
-  maxrepeat: '3'
-  minclass: '4'
+  dcredit: -1
+  dictcheck: 1
+  difok: 8
+  lcredit: -1
+  maxclassrepeat: 4
+  maxrepeat: 3
+  minclass: 4
   ocredit: -1
   ucredit: -1
 

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -4,10 +4,6 @@
   ansible.builtin.systemd:
     daemon_reload: true
 
-- name: Change_requires_reboot
-  ansible.builtin.set_fact:
-    reboot_required: true
-
 - name: Sshd_restart
   ansible.builtin.systemd:
     name: sshd
@@ -96,6 +92,10 @@
   ansible.builtin.debug:
     msg: "Reboot required for auditd to apply new rules as immutable set"
 
+- name: Change_requires_reboot
+  ansible.builtin.set_fact:
+    change_requires_reboot: true
+
 - name: Restart_auditd
   tags:
     - skip_ansible_lint

diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml
@@ -452,9 +452,9 @@
         line: "{{ item.line }}"
         insertbefore: "{{ item.before }}"
       loop:
-        - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth            required       pam_faillock.so preauth silent deny={{ rhel9stig_faillock.deny }} unlock_time={{ rhel9stig_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
-        - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth            required       pam_faillock.so authfail deny={{ rhel9stig_faillock.deny }} unlock_time={{ rhel9stig_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
-        - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account      required       pam_faillock.so', 'before':'^account     required      pam_unix.so'}
+        - { regexp: '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', line: 'auth            required       pam_faillock.so preauth silent deny={{ rhel9stig_faillock.deny }} unlock_time={{ rhel9stig_faillock.unlock_time }}', before: '^auth\s+sufficient\s+pam_unix.so try_first_pass'}
+        - { regexp: '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', line: 'auth            required       pam_faillock.so authfail deny={{ rhel9stig_faillock.deny }} unlock_time={{ rhel9stig_faillock.unlock_time }}', before: '^auth\s+required\s+pam_deny.so'}
+        - { regexp: '^account\s+required\s+pam_faillock.so', line: 'account      required       pam_faillock.so', before: '^account     required      pam_unix.so'}
 
     - name: "MEDIUM | RHEL-09-411090 | AUDIT | RHEL 9 must maintain an account lock until the locked account is released by an administrator. | not auth select profile"
       ansible.builtin.lineinfile:
@@ -464,9 +464,9 @@
         insertbefore: "{{ item.before | default(omit)}}"
         insertafter: "{{ item.after | default(omit)}}"
       loop:
-        - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line':'auth        required      pam_faillock.so preauth silent deny={{ rhel9stig_faillock.deny }} unlock_time={{ rhel9stig_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
-        - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth        required      pam_faillock.so authfail deny={{ rhel9stig_faillock.deny }} unlock_time={{ rhel9stig_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
-        - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account     required      pam_faillock.so', 'before':'^account     required      pam_unix.so'}
+        - { regexp: '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', line: 'auth        required      pam_faillock.so preauth silent deny={{ rhel9stig_faillock.deny }} unlock_time={{ rhel9stig_faillock.unlock_time }}', before: '^auth\s+sufficient\s+pam_unix.so try_first_pass'}
+        - { regexp: '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', line: 'auth        required      pam_faillock.so authfail deny={{ rhel9stig_faillock.deny }} unlock_time={{ rhel9stig_faillock.unlock_time }}', before: '^auth\s+required\s+pam_deny.so'}
+        - { regexp: '^account\s+required\s+pam_faillock.so', line: 'account     required      pam_faillock.so', before: '^account     required      pam_unix.so'}
 
 - name: "MEDIUM | RHEL-09-411095 | PATCH | RHEL 9 must not have unauthorized accounts."
   when:

diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml
@@ -24,7 +24,7 @@
       ansible.builtin.lineinfile:
         path: /etc/pam.d/system-auth
         regexp: '^(password\s+)(required|requisite)(\s+pam_pwquality.so.*)\sretry=\d(.*)'
-        line: '\1required\3 retry="{{ rhel9stig_pam.retry }}"\4'
+        line: '"\1required\3 retry={{ rhel9stig_pam.retry }}\4"'
         insertafter: '^password'
         backrefs: true
 
@@ -380,7 +380,7 @@
   ansible.builtin.lineinfile:
     path: "{{ item }}"
     regexp: \s*lcredit =
-    line: lcredit = "{{ rhel9stig_pwquality.lcredit }}"
+    line: "lcredit = {{ rhel9stig_pwquality.lcredit }}"
     backrefs: true
   loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}"
 
@@ -399,7 +399,7 @@
   ansible.builtin.lineinfile:
     path: "{{ item }}"
     regexp: \s*dcredit =
-    line: dcredit = "{{ rhel9stig_pwquality.dcredit }}"
+    line: "dcredit = {{ rhel9stig_pwquality.dcredit }}"
     backrefs: true
   loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}"
 
@@ -418,7 +418,7 @@
   ansible.builtin.lineinfile:
     path: /etc/login.defs
     regexp: \s*PASS_MIN_DAYS\s*
-    line: PASS_MIN_DAYS "{{ rhel9stig_pass.min_days }}"
+    line: "PASS_MIN_DAYS {{ rhel9stig_pass.min_days }}"
     backrefs: true
 
 - name: "MEDIUM | RHEL-09-611080 | PATCH | RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow."
@@ -526,8 +526,8 @@
     - NIST800-53R4_IA-11
   ansible.builtin.lineinfile:
     path: /etc/security/pwquality.conf
-    regexp: \s*minlen\s*=\s*([0-9]|1[0-4])
-    line: minlen = "{{ rhel9stig_pass.minlen }}"
+    regexp: \s*minlen\s*=\s*
+    line: "minlen = {{ rhel9stig_pass.minlen }}"
     backrefs: true
 
 - name: "MEDIUM | RHEL-09-611095 | PATCH | RHEL 9 passwords for new users must have a minimum of 15 characters."
@@ -544,7 +544,7 @@
   ansible.builtin.lineinfile:
     path: /etc/login.defs
     regexp: PASS_MIN_LEN
-    line: PASS_MIN_LEN "{{ rhel9stig_pass.minlen }}"
+    line: "PASS_MIN_LEN {{ rhel9stig_pass.minlen }}"
     backrefs: true
 
 - name: "MEDIUM | RHEL-09-611100 | PATCH | RHEL 9 must enforce password complexity by requiring that at least one special character be used."
@@ -562,7 +562,7 @@
   ansible.builtin.lineinfile:
     path: "{{ item }}"
     regexp: \s*ocredit =
-    line: ocredit = "{{ rhel9stig_pwquality.ocredit }}"
+    line: "ocredit = {{ rhel9stig_pwquality.ocredit }}"
     backrefs: true
   loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}"
 
@@ -581,7 +581,7 @@
   ansible.builtin.lineinfile:
     path: "{{ item }}"
     regexp: \s*dictcheck\s*=\s*
-    line: dictcheck="{{ rhel9stig_pwquality.dictcheck }}"
+    line: "dictcheck = {{ rhel9stig_pwquality.dictcheck }}"
     backrefs: true
   loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}"
 
@@ -600,7 +600,7 @@
   ansible.builtin.lineinfile:
     path: "{{ item }}"
     regexp: \s*ucredit\s*=\s*
-    line: ucredit = "{{ rhel9stig_pwquality.ucredit }}"
+    line: "ucredit = {{ rhel9stig_pwquality.ucredit }}"
     backrefs: true
   loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}"
 
@@ -619,7 +619,7 @@
   ansible.builtin.lineinfile:
     path: "{{ item }}"
     regexp: \s*difok\s*=\s*
-    line: difok = "{{ rhel9stig_pwquality.difok }}"
+    line: "difok = {{ rhel9stig_pwquality.difok }}"
     backrefs: true
   loop: "{{ rhel9stig_pwquality_conf_files.stdout_lines }}"
 
@@ -638,7 +638,7 @@
   ansible.builtin.lineinfile:
     path: /etc/security/pwquality.conf
     regexp: \s*maxclassrepeat\s*=\s*
-    line: maxclassrepeat = "{{ rhel9stig_pwquality.maxclassrepeat }}"
+    line: "maxclassrepeat = {{ rhel9stig_pwquality.maxclassrepeat }}"
     backrefs: true
 
 - name: "MEDIUM | RHEL-09-611125 | PATCH | RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed."
@@ -656,7 +656,7 @@
   ansible.builtin.lineinfile:
     path: /etc/security/pwquality.conf
     regexp: \s*maxrepeat\s*=\s*
-    line: maxrepeat = "{{ rhel9stig_pwquality.maxrepeat }}"
+    line: "maxrepeat = {{ rhel9stig_pwquality.maxrepeat }}"
     backrefs: true
 
 - name: "MEDIUM | RHEL-09-611130 | PATCH | RHEL 9 must require the change of at least four character classes when passwords are changed."
@@ -674,7 +674,7 @@
   ansible.builtin.lineinfile:
     path: /etc/security/pwquality.conf
     regexp: \s*minclass\s*=\s*
-    line: minclass = "{{ rhel9stig_pwquality.minclass }}"
+    line: "minclass = {{ rhel9stig_pwquality.minclass }}"
     backrefs: true
 
 - name: "MEDIUM | RHEL-09-611135 | PATCH | RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."

diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml
@@ -265,7 +265,7 @@
       when:
         - "'FIPS' not in crypto_policies_check.stdout"
         - rhel9stig_disruption_high
-      ansible.builtin.shell: fips-mode-setup --enable
+      ansible.builtin.shell: fips-mode-setup --set FIPS
 
     - name: "MEDIUM | RHEL-09-672045 | WARN | RHEL 9 must implement a system-wide encryption policy."
       when:

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -133,25 +133,32 @@
 - name: Flush handlers
   ansible.builtin.meta: flush_handlers
 
-- name: Reboot system
-  when:
-    - reboot_required
-    - not skip_reboot
-  tags:
-    - always
+- name: Reboot system if changes require it and not skipped
   block:
-    - name: reboot system if not skipped
+    - name: POST | Reboot system if changes require it and not skipped
+      when:
+        - change_requires_reboot
+        - not skip_reboot
       ansible.builtin.reboot:
 
-    - name: Warning a reboot required but skip option set
+    - name: POST | Warning a reboot required but skip option set
       when:
-        - reboot_required
+        - change_requires_reboot
         - skip_reboot
       ansible.builtin.debug:
-        msg: Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results
+        msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
       changed_when: true
 
-- name: run post remediation audit
+    - name: "POST | Warning a reboot required but skip option set | warning count"
+      when:
+        - change_requires_reboot
+        - skip_reboot
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+  vars:
+    warn_control_id: Reboot_required
+
+- name: Run post remediation audit
   when:
     - run_audit
   tags:

diff --git a/templates/etc/audit/rules.d/audit.rules.j2 b/templates/etc/audit/rules.d/audit.rules.j2
@@ -170,15 +170,9 @@
 # RHEL9-STIG rule 654200
 -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown
 {% endif %}
-{% if rhel_09_654030 %}
-# RHEL9-STIG rule 654030
-#-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
-#-a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
-{% endif %}
 {% if rhel_09_654205 %}
 # RHEL9-STIG rule 654205
 -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
 {% endif %}
 {% if rhel_09_654210 %}
 # RHEL9-STIG rule 654210

diff --git a/vars/main.yml b/vars/main.yml
@@ -26,7 +26,7 @@ gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys"
 discover_int_uid: true
 
 # Default for facts
-reboot_required: false
+change_requires_reboot: false
 update_audit_template: false
 
 # DOD encryption