Resolve several bugs #4

Closed
3 changes: 2 additions & 1 deletion defaults/main.yml
Expand Up @@ -343,6 +343,7 @@ rhel_09_271075: true
rhel_09_271080: true
rhel_09_271085: true
rhel_09_271090: true
rhel_09_271095: true
rhel_09_271100: true
rhel_09_271105: true
rhel_09_271110: true
Expand Down Expand Up @@ -675,7 +676,7 @@ rhel9stig_custom_firewall:
interface:
- "{{ ansible_default_ipv4.interface }}"

# rhel9stig_white_list_services is the services that you want to allow through initially for teh new firewall zone
# rhel9stig_white_list_services is the services that you want to allow through initially for the new firewall zone
# http and ssh need to be enabled for the role to run.
# This can also be a port number if no service exists
rhel9stig_white_list_services:
7 changes: 3 additions & 4 deletions tasks/Cat2/RHEL-09-23xxxx.yml
Expand Up @@ -1588,7 +1588,7 @@
- NIST800-53R4_CM-5
block:
- name: "RHEL-09-232200 | AUDIT | RHEL 9 library files must be owned by root."
ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls {} \;
ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root
changed_when: false
failed_when: rhel9stig_lib_files_owner.rc not in [ 0, 1 ]
register: rhel9stig_lib_files_owner
Expand All @@ -1597,9 +1597,8 @@
when: rhel9stig_lib_files_owner.stdout | length > 0
ansible.builtin.file:
owner: root
path: "{{ path }}"
loop:
- "{{ rhel9stig_lib_files_owner.stdout_lines }}"
path: "{{ item }}"
loop: "{{ rhel9stig_lib_files_owner.stdout_lines }}"

- name: "RHEL-09-232205 | PATCH | RHEL 9 library files must be group-owned by root or a system account."
when:
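Review bot: The new `ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root` uses no shell features, so `ansible.builtin.command:` with the same arguments gives the identical result without a shell in between (ansible-lint reports this as command-instead-of-shell). Note also that `-L` makes `! -user root` test the symlink target rather than the link itself, and the printed paths are then chowned by the `file` task through `path: "{{ item }}"`; if `file` follows links by default, as I recall it does, the target is what gets chowned, which is probably intended but deserves a comment such as `# -L: ownership is checked on link targets, and the remediation follows them too` above the find. Both task headers start outside the hunk.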
70 changes: 45 additions & 25 deletions tasks/Cat2/RHEL-09-27xxxx.yml
Line 342: is the pink background file always there?

Expand Up @@ -45,11 +45,12 @@
- NIST800-53R4_CM-6
notify: Update_dconf
ansible.builtin.lineinfile:
create: true
line: banner-message-enable
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
mode: '0644'
modification_time: preserve
state: touch
state: present
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271020 | PATCH | RHEL 9 must disable the graphical user interface automount function unless required."
when:
Expand All @@ -71,10 +72,11 @@
community.general.ini_file:
create: true
mode: '0644'
options: automount-open
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
option: automount-open
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/desktop/media-handling'
value: 'false'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271025 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function."
when:
Expand All @@ -97,7 +99,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/media-handling/automount-open
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271030 | PATCH | RHEL 9 must disable the graphical user interface autorun function unless required."
when:
Expand All @@ -115,9 +118,10 @@
community.general.ini_file:
create: true
option: autorun-never
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/desktop/media-handling'
value: 'true'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271035 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function."
when:
Expand All @@ -140,7 +144,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/media-handling/autorun-never
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271045 | PATCH | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed."
when:
Expand All @@ -160,9 +165,10 @@
community.general.ini_file:
create: true
option: removal-action
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/settings-daemon/peripherals/smartcard'
value: 'lock-screen'
value: "'lock-screen'"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271050 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action."
when:
Expand All @@ -182,7 +188,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271055 | PATCH | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
when:
Expand All @@ -202,9 +209,10 @@
community.general.ini_file:
create: true
option: lock-enabled
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/desktop/screensaver'
value: 'true'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271060 | PATCH | RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."
when:
Expand All @@ -224,7 +232,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/screensaver/lock-enabled
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271065 | PATCH | RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity."
when:
Expand All @@ -244,9 +253,10 @@
community.general.ini_file:
create: true
option: idle-delay
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver"
path: "/etc/dconf/db/{{ item }}.d/00-screensaver"
section: 'org/gnome/desktop/session'
value: 'uint32 900'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271070 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface"
when:
Expand All @@ -266,7 +276,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/session/idle-delay
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271075 | PATCH | RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated."
when:
Expand All @@ -284,9 +295,10 @@
community.general.ini_file:
create: true
option: lock-delay
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver"
path: "/etc/dconf/db/{{ item }}.d/00-screensaver"
section: 'org/gnome/desktop/screensaver'
value: 'uint32 5'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271080 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface"
when:
Expand All @@ -304,7 +316,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/screensaver/lock-delay
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image."
when:
Expand All @@ -324,15 +337,17 @@
community.general.ini_file:
create: true
option: picture-uri
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/desktop/screensaver'
value: ''
value: '"file:///usr/share/backgrounds/pink-contacts.jpg"'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image."
ansible.builtin.lineinfile:
create: true
line: /org/gnome/desktop/screensaver/picture-uri
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock"
path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271090 | PATCH | RHEL 9 effective dconf policy must match the policy keyfiles."
when:
Expand Down Expand Up @@ -365,9 +380,10 @@
community.general.ini_file:
create: true
option: disable-restart-buttons
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/settings-daemon/peripherals/smartcard'
value: 'true'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271100 | PATCH | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface."
when:
Expand All @@ -385,7 +401,8 @@
ansible.builtin.lineinfile:
create: true
line: /org/gnome/login-screen/disable-restart-buttons
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271105 | PATCH | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot."
when:
Expand All @@ -403,9 +420,10 @@
community.general.ini_file:
create: true
option: logout
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings"
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/settings-daemon/plugins/media-keys'
value: "['']"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271110 | PATCH | RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface."
when:
Expand All @@ -423,7 +441,8 @@
ansible.builtin.lineinfile:
create: true
line: org/gnome/settings-daemon/plugins/media-keys/logout
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session"
path: "/etc/dconf/db/{{ item }}.d/locks/session"
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"

- name: "MEDIUM | RHEL-09-271115 | PATCH | RHEL 9 must disable the user list at logon for graphical user interfaces."
when:
Expand All @@ -441,6 +460,7 @@
community.general.ini_file:
create: true
option: disable-user-list
path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/02-login-screen"
path: "/etc/dconf/db/{{ item }}.d/02-login-screen"
section: 'org/gnome/login-screen'
value: 'true'
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
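Review bot: In the RHEL-09-271095 hunk the ini_file write uses `section: 'org/gnome/settings-daemon/peripherals/smartcard'` while its lock line in the following hunk is `/org/gnome/login-screen/disable-restart-buttons`, so the key is written under one dconf path and locked under another and GDM will not find it where the lock says it is; every other write/lock pair in this file agrees, and the write should read `section: 'org/gnome/login-screen'`. In the RHEL-09-271110 hunk the lock entry `line: org/gnome/settings-daemon/plugins/media-keys/logout` lacks the leading `/` that all the sibling lock lines carry and should be `line: /org/gnome/settings-daemon/plugins/media-keys/logout`. In the first hunk `modification_time: preserve` survives next to the new `state: present`; that parameter belongs to the `file` module rather than `lineinfile` and looks like a leftover from the `state: touch` version, so confirm against the module docs and drop it if lineinfile rejects it. The enclosing tasks start outside each hunk.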
3 changes: 1 addition & 2 deletions tasks/Cat2/RHEL-09-65xxxx.yml
Expand Up @@ -183,8 +183,7 @@
line: '#\1\2\3'
path: "{{ item.path }}"
regex: (Input|ModLoad)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*)
loop:
- "{{ rhel9stig_rsyslog_conf.files }}"
loop: "{{ rhel9stig_rsyslog_conf.files }}"

- name: "MEDIUM | RHEL-09-652030 | PATCH | All RHEL 9 remote access methods must be monitored."
when:
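Review bot: The `regex` left as context, `(Input|ModLoad)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*)`, requires `ModLoad` to be immediately followed by the module name, so the legacy `$ModLoad imtcp` form (with the space rsyslog uses) would not be commented out, and RainerScript `module(load="imtcp")` / `input(type="imtcp" ...)` lines are not covered at all. If those forms are in scope for this control, `regex: (Input|ModLoad)\s*(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*)` handles the first and a second lineinfile pass would be needed for the RainerScript syntax. The task header and any `backrefs` setting are outside the hunk.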