diff --git a/tasks/main.yml b/tasks/main.yml
index d511a5d..8dd1651 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -49,104 +49,6 @@ - reboot_required - restrict_strategy -- name: Ensure system crypto policy has OpenSSL library using TLS encryption - block: - - name: Check for duplicate values - lineinfile: - path: /etc/crypto-policies/back-ends/opensslcnf.config - create: false - regexp: ^MinProtocol\s*=\s* - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/crypto-policies/back-ends/opensslcnf.config - lineinfile: - path: /etc/crypto-policies/back-ends/opensslcnf.config - create: false - regexp: ^MinProtocol\s*=\s* - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/crypto-policies/back-ends/opensslcnf.config - lineinfile: - path: /etc/crypto-policies/back-ends/opensslcnf.config - create: true - regexp: ^MinProtocol\s*=\s* - line: MinProtocol = TLSv1.2 - state: present - insertbefore: '^#?MaxProtocol ' - tags: - - CCE-84255-9 - - DISA-STIG-RHEL-08-010294 - - NIST-800-53-AC-17(2) - - configure_openssl_tls_crypto_policy - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - configure_openssl_tls_crypto_policy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - -- name: Configure System Cryptography Policy - lineinfile: - path: /etc/crypto-policies/config - regexp: ^(?!#)(\S+)$ - line: '{{ var_system_crypto_policy }}' - create: true - tags: - - CCE-80935-0 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(6) - - NIST-800-53-SC-12(2) - - NIST-800-53-SC-12(3) - - NIST-800-53-SC-13 - - configure_crypto_policy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - restrict_strategy - when: - - configure_crypto_policy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | 
bool - -- name: Verify that Crypto Policy is Set (runtime) - command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} - tags: - - CCE-80935-0 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(6) - - NIST-800-53-SC-12(2) - - NIST-800-53-SC-12(3) - - NIST-800-53-SC-13 - - configure_crypto_policy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - restrict_strategy - when: - - configure_crypto_policy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Test for crypto_policy group command: grep '^\s*\[\s*crypto_policy\s*]' /etc/pki/tls/openssl.cnf register: test_crypto_policy_group 
@@ -242,67 +144,109 @@ - no_reboot_needed - unknown_strategy -- name: Configure SSH to use System Crypto Policy +- name: Configure System Cryptography Policy lineinfile: - dest: /etc/sysconfig/sshd - state: absent - regexp: ^\s*CRYPTO_POLICY.*$ + path: /etc/crypto-policies/config + regexp: ^(?!#)(\S+)$ + line: '{{ var_system_crypto_policy }}' + create: true tags: - - CCE-80939-2 + - CCE-80935-0 - NIST-800-53-AC-17(2) - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - - configure_ssh_crypto_policy - - disable_strategy + - configure_crypto_policy + - high_severity - low_complexity - - medium_disruption - - medium_severity - - reboot_required + - low_disruption + - no_reboot_needed + - restrict_strategy when: - - configure_ssh_crypto_policy | bool - - disable_strategy | bool + - configure_crypto_policy | bool + - high_severity | bool - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool + - low_disruption | bool + - no_reboot_needed | bool + - restrict_strategy | bool -- name: Configure Libreswan to use System Crypto Policy - lineinfile: - path: /etc/ipsec.conf - line: include /etc/crypto-policies/back-ends/libreswan.config - create: true +- name: Verify that Crypto Policy is Set (runtime) + command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} tags: - - CCE-80937-6 + - CCE-80935-0 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-MA-4(6) - NIST-800-53-SC-12(2) - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - - configure_libreswan_crypto_policy + - configure_crypto_policy + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - restrict_strategy when: - - configure_libreswan_crypto_policy | bool + - configure_crypto_policy | bool + - high_severity | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool - 
no_reboot_needed | bool - restrict_strategy | bool -- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: Existing value check' - lineinfile: +- name: Ensure system crypto policy has OpenSSL library using TLS encryption + block: + - name: Check for duplicate values + lineinfile: + path: /etc/crypto-policies/back-ends/opensslcnf.config + create: false + regexp: ^MinProtocol\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + - name: Deduplicate values from /etc/crypto-policies/back-ends/opensslcnf.config + lineinfile: + path: /etc/crypto-policies/back-ends/opensslcnf.config + create: false + regexp: ^MinProtocol\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + - name: Insert correct line to /etc/crypto-policies/back-ends/opensslcnf.config + lineinfile: + path: /etc/crypto-policies/back-ends/opensslcnf.config + create: true + regexp: ^MinProtocol\s*=\s* + line: MinProtocol = TLSv1.2 + state: present + insertbefore: '^#?MaxProtocol ' + tags: + - CCE-84255-9 + - DISA-STIG-RHEL-08-010294 + - NIST-800-53-AC-17(2) + - configure_openssl_tls_crypto_policy + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + when: + - configure_openssl_tls_crypto_policy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + +- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: set_fact' + set_fact: path: /etc/crypto-policies/back-ends/gnutls.config - create: false - regexp: \+VERS-ALL:-VERS-DTLS0\.9:-VERS-SSL3\.0:-VERS-TLS1\.0:-VERS-TLS1\.1:-VERS-DTLS1\.0 - state: absent - check_mode: true - changed_when: false - register: gnutls + correct_value: +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 + lineinfile_reg: \+VERS-ALL:-VERS-DTLS0\.9:-VERS-SSL3\.0:-VERS-TLS1\.0:-VERS-TLS1\.1:-VERS-DTLS1\.0 tags: - CCE-84254-2 - 
DISA-STIG-RHEL-08-010295
@@ -321,13 +265,35 @@ - reboot_required | bool - restrict_strategy | bool -- name: Configure GnuTLS library to use DoD-approved TLS Encryption - copy: - dest: /etc/crypto-policies/back-ends/gnutls.config - content: 'SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM - - ' +- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: stat' + stat: + path: '{{ path }}' follow: true + register: gnutls_file + tags: + - CCE-84254-2 + - DISA-STIG-RHEL-08-010295 + - NIST-800-53-AC-17(2) + - configure_gnutls_tls_crypto_policy + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + when: + - configure_gnutls_tls_crypto_policy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + +- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: Add' + lineinfile: + path: '{{ path }}' + regexp: '{{ lineinfile_reg }}' + line: '{{ correct_value }}' + create: true when: - configure_gnutls_tls_crypto_policy | bool - low_complexity | bool
@@ -335,7 +301,7 @@ - medium_severity | bool - reboot_required | bool - restrict_strategy | bool - - (gnutls.found is defined and gnutls.found != 1) or gnutls.msg == "file not present" + - not gnutls_file.stat.exists or gnutls_file.stat.size <= correct_value|length tags: - CCE-84254-2 - DISA-STIG-RHEL-08-010295
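Review bot: The new `set_fact` task publishes `path`, `correct_value` and `lineinfile_reg` as host facts under very generic names; facts set this way persist for the rest of the play and can collide with, or be silently overridden by, same-named variables used by other tasks or roles, with `path` being an especially common name. Prefixing them with the rule name — e.g. `configure_gnutls_tls_crypto_policy_path`, `configure_gnutls_tls_crypto_policy_value`, `configure_gnutls_tls_crypto_policy_regex` — would scope them to this rule. The `stat`, `lineinfile` and `replace` tasks that read these facts are in the following hunks and would need the same rename.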
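Review bot: The `Add` task writes `line: '{{ correct_value }}'` — only the `+VERS-ALL:...` version fragment — as a standalone line when the file is missing or no larger than that fragment, but the removed `copy` task shows the expected file content is a single `SYSTEM=...` priority string that carries this fragment inside it, so a bare fragment line is unlikely to be read as intended. The size heuristic `gnutls_file.stat.size <= correct_value|length` (the other half of this task's `when` is in the next hunk, `@@ -335,7 +301,7 @@`) also cannot tell an empty file from one holding a different short priority string. Consider writing the complete `SYSTEM=` line when the file is absent or empty and leaving the in-place `replace` path for existing content. The target is stat'ed with `follow: true`, which suggests `/etc/crypto-policies/back-ends/gnutls.config` is a symlink managed by `update-crypto-policies`, a tool this role already runs in `Verify that Crypto Policy is Set (runtime)`; if that tool regenerates the back-end files, a direct edit here may be overwritten, so the task ordering is worth confirming.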
@@ -347,522 +313,562 @@ - reboot_required - restrict_strategy -- name: Configure Kerberos to use System Crypto Policy - file: - src: /etc/crypto-policies/back-ends/krb5.config - path: /etc/krb5.conf.d/crypto-policies - state: link - tags: - - CCE-80936-8 - - NIST-800-53-SC-12(2) - - NIST-800-53-SC-12(3) - - NIST-800-53-SC-13 - - configure_kerberos_crypto_policy - - configure_strategy - - low_complexity - - low_disruption - - medium_severity - - reboot_required +- name: Configure GnuTLS library to use DoD-approved TLS Encryption + block: + - name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: Existing value check' + lineinfile: + path: '{{ path }}' + create: false + regexp: '{{ lineinfile_reg }}' + state: absent + check_mode: true + changed_when: false + register: gnutls + - name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: Update' + replace: + path: '{{ path }}' + regexp: (\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+) + replace: '{{ correct_value }}' + when: gnutls.found is defined and gnutls.found != 1 when: - - configure_kerberos_crypto_policy | bool - - configure_strategy | bool + - configure_gnutls_tls_crypto_policy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - reboot_required | bool - -- name: Gather the package facts - package_facts: - manager: auto + - restrict_strategy | bool + - gnutls_file.stat.exists and gnutls_file.stat.size > correct_value|length tags: - - CCE-80777-6 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020030 - - NIST-800-171-3.1.10 + - CCE-84254-2 + - DISA-STIG-RHEL-08-010295 + - NIST-800-53-AC-17(2) + - configure_gnutls_tls_crypto_policy + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Configure Libreswan to use System Crypto Policy + lineinfile: + path: /etc/ipsec.conf + line: include /etc/crypto-policies/back-ends/libreswan.config + create: true + tags: + - CCE-80937-6 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - 
dconf_gnome_screensaver_lock_enabled + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_libreswan_crypto_policy - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy when: - - dconf_gnome_screensaver_lock_enabled | bool + - configure_libreswan_crypto_policy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool + - restrict_strategy | bool -- name: Dconf Update - command: dconf update +- name: Configure Kerberos to use System Crypto Policy + file: + src: /etc/crypto-policies/back-ends/krb5.config + path: /etc/krb5.conf.d/crypto-policies + state: link + tags: + - CCE-80936-8 + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_kerberos_crypto_policy + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - reboot_required when: - - dconf_gnome_screensaver_lock_enabled | bool + - configure_kerberos_crypto_policy | bool + - configure_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_distribution == 'SLES' + - reboot_required | bool + +- name: Configure SSH to use System Crypto Policy + lineinfile: + dest: /etc/sysconfig/sshd + state: absent + regexp: ^\s*CRYPTO_POLICY.*$ tags: - - CCE-80777-6 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020030 - - NIST-800-171-3.1.10 + - CCE-80939-2 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-13 + - configure_ssh_crypto_policy + - 
disable_strategy - low_complexity - medium_disruption - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Enable GNOME3 Screensaver Lock After Idle Period - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/screensaver - option: lock-enabled - value: 'true' - create: true - no_extra_spaces: true + - reboot_required when: - - dconf_gnome_screensaver_lock_enabled | bool + - configure_ssh_crypto_policy | bool + - disable_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + +- name: Find /etc/sudoers.d/ files + find: + paths: + - /etc/sudoers.d/ + register: sudoers tags: - - CCE-80777-6 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020030 - - NIST-800-171-3.1.10 + - CCE-82202-3 + - DISA-STIG-RHEL-08-010381 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - NIST-800-53-IA-11 - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy - -- name: Prevent user modification of GNOME lock-enabled - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/lock-enabled - line: /org/gnome/desktop/screensaver/lock-enabled - create: true + - restrict_strategy + - sudo_remove_no_authenticate when: - - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - restrict_strategy | bool + - sudo_remove_no_authenticate | bool + +- name: Remove lines containing 
!authenticate from sudoers files + replace: + regexp: (^(?!#).*[\s]+\!authenticate.*$) + replace: '# \g<1>' + path: '{{ item.path }}' + validate: /usr/sbin/visudo -cf %s + with_items: + - path: /etc/sudoers + - '{{ sudoers.files }}' tags: - - CCE-80777-6 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020030 - - NIST-800-171-3.1.10 + - CCE-82202-3 + - DISA-STIG-RHEL-08-010381 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - NIST-800-53-IA-11 - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy - -- name: Check GNOME3 screenserver disable-lock-screen false - command: gsettings get org.gnome.desktop.lockdown disable-lock-screen - register: cmd_out + - restrict_strategy + - sudo_remove_no_authenticate when: - - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_distribution == 'SLES' + - restrict_strategy | bool + - sudo_remove_no_authenticate | bool + +- name: Find /etc/sudoers.d/ files + find: + paths: + - /etc/sudoers.d/ + register: sudoers tags: - - CCE-80777-6 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020030 - - NIST-800-171-3.1.10 + - CCE-82197-5 + - DISA-STIG-RHEL-08-010380 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - NIST-800-53-IA-11 - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy - -- name: Update GNOME3 screenserver disable-lock-screen false - command: gsettings set org.gnome.desktop.lockdown disable-lock-screen false + - restrict_strategy + - sudo_remove_nopasswd when: - - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - - medium_disruption | bool + - 
low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ansible_distribution == 'SLES' + - restrict_strategy | bool + - sudo_remove_nopasswd | bool + +- name: Remove lines containing NOPASSWD from sudoers files + replace: + regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$) + replace: '# \g<1>' + path: '{{ item.path }}' + validate: /usr/sbin/visudo -cf %s + with_items: + - path: /etc/sudoers + - '{{ sudoers.files }}' tags: - - CCE-80777-6 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020030 - - NIST-800-171-3.1.10 + - CCE-82197-5 + - DISA-STIG-RHEL-08-010380 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - NIST-800-53-IA-11 - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy - -- name: Dconf Update - command: dconf update + - restrict_strategy + - sudo_remove_nopasswd when: - - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80777-6 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020030 - - NIST-800-171-3.1.10 - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy + - restrict_strategy | bool + - sudo_remove_nopasswd | bool -- name: Gather the package facts - package_facts: - manager: auto +- name: Ensure that Defaults !targetpw is defined in sudoers + lineinfile: + path: /etc/sudoers + create: true + line: Defaults !targetpw + state: present tags: - - CCE-80775-0 - - CJIS-5.5.5 - - 
DISA-STIG-RHEL-08-020060 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - CCE-83422-6 + - DISA-STIG-RHEL-08-010383 - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy + - sudoers_validate_passwd when: - - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool + - restrict_strategy | bool + - sudoers_validate_passwd | bool -- name: Set GNOME3 Screensaver Inactivity Timeout - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/session - option: idle-delay - value: uint32 {{ inactivity_timeout_value }} +- name: Ensure that Defaults !rootpw is defined in sudoers + lineinfile: + path: /etc/sudoers create: true - no_extra_spaces: true + line: Defaults !rootpw + state: present + tags: + - CCE-83422-6 + - DISA-STIG-RHEL-08-010383 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudoers_validate_passwd when: - - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - restrict_strategy | bool + - sudoers_validate_passwd | bool + +- name: Ensure that Defaults !runaspw is defined in sudoers + lineinfile: + path: /etc/sudoers + create: true + line: Defaults !runaspw + state: present tags: - - CCE-80775-0 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020060 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - CCE-83422-6 + - 
DISA-STIG-RHEL-08-010383 - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy - -- name: Prevent user modification of GNOME idle-delay - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/session/idle-delay - line: /org/gnome/desktop/session/idle-delay - create: true + - restrict_strategy + - sudoers_validate_passwd when: - - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - restrict_strategy | bool + - sudoers_validate_passwd | bool + +- name: Ensure rng-tools is installed + package: + name: rng-tools + state: present tags: - - CCE-80775-0 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020060 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - CCE-82968-9 + - DISA-STIG-RHEL-08-010471 + - enable_strategy - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy - -- name: Dconf Update - command: dconf update + - package_rng-tools_installed when: - - dconf_gnome_screensaver_idle_delay | bool + - enable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + +- name: Ensure abrt-addon-ccpp is removed + package: + name: abrt-addon-ccpp + state: absent tags: - - CCE-80775-0 - - CJIS-5.5.5 - - DISA-STIG-RHEL-08-020060 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) - - NIST-800-53-CM-6(a) - - 
PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - CCE-82919-2 + - DISA-STIG-RHEL-08-040001 + - disable_strategy - low_complexity - - medium_disruption - - medium_severity + - low_disruption + - low_severity - no_reboot_needed - - unknown_strategy + - package_abrt-addon-ccpp_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool -- name: Gather the package facts - package_facts: - manager: auto +- name: Ensure abrt-addon-kerneloops is removed + package: + name: abrt-addon-kerneloops + state: absent tags: - - CCE-84028-0 - - DISA-STIG-RHEL-08-040171 - - NIST-800-171-3.1.2 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(b) - - dconf_gnome_disable_ctrlaltdel_reboot - - high_severity + - CCE-82926-7 + - DISA-STIG-RHEL-08-040001 + - disable_strategy - low_complexity - - medium_disruption + - low_disruption + - low_severity - no_reboot_needed - - unknown_strategy + - package_abrt-addon-kerneloops_removed when: - - dconf_gnome_disable_ctrlaltdel_reboot | bool - - high_severity | bool + - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool + - low_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool -- name: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/settings-daemon/plugins/media-keys - option: logout - value: '''''' - create: true - no_extra_spaces: true +- name: Ensure abrt-addon-python is removed + package: + name: abrt-addon-python + state: absent + tags: + - CCE-82923-4 + - DISA-STIG-RHEL-08-040001 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_abrt-addon-python_removed when: - - dconf_gnome_disable_ctrlaltdel_reboot | bool - - high_severity | bool + - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool 
+ - low_disruption | bool + - low_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + +- name: Ensure abrt-cli is removed + package: + name: abrt-cli + state: absent tags: - - CCE-84028-0 - - DISA-STIG-RHEL-08-040171 - - NIST-800-171-3.1.2 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(b) - - dconf_gnome_disable_ctrlaltdel_reboot - - high_severity + - CCE-82907-7 + - DISA-STIG-RHEL-08-040001 + - disable_strategy - low_complexity - - medium_disruption + - low_disruption + - low_severity - no_reboot_needed - - unknown_strategy - -- name: Prevent user modification of GNOME disablement of Ctrl-Alt-Del - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/settings-daemon/plugins/media-keys/logout - line: /org/gnome/settings-daemon/plugins/media-keys/logout - create: true + - package_abrt-cli_removed when: - - dconf_gnome_disable_ctrlaltdel_reboot | bool - - high_severity | bool + - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool + - low_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + +- name: Ensure abrt-plugin-logger is removed + package: + name: abrt-plugin-logger + state: absent tags: - - CCE-84028-0 - - DISA-STIG-RHEL-08-040171 - - NIST-800-171-3.1.2 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(b) - - dconf_gnome_disable_ctrlaltdel_reboot - - high_severity + - CCE-82913-5 + - DISA-STIG-RHEL-08-040001 + - disable_strategy - low_complexity - - medium_disruption + - low_disruption + - low_severity - no_reboot_needed - - unknown_strategy + - package_abrt-plugin-logger_removed + when: + - disable_strategy | bool + - low_complexity | 
bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool -- name: Dconf Update - command: dconf update +- name: Ensure abrt-plugin-rhtsupport is removed + package: + name: abrt-plugin-rhtsupport + state: absent + tags: + - CCE-82916-8 + - DISA-STIG-RHEL-08-040001 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_abrt-plugin-rhtsupport_removed when: - - dconf_gnome_disable_ctrlaltdel_reboot | bool - - high_severity | bool + - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool + - low_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + +- name: Ensure abrt-plugin-sosreport is removed + package: + name: abrt-plugin-sosreport + state: absent tags: - - CCE-84028-0 - - DISA-STIG-RHEL-08-040171 - - NIST-800-171-3.1.2 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(b) - - dconf_gnome_disable_ctrlaltdel_reboot - - high_severity + - CCE-82910-1 + - DISA-STIG-RHEL-08-040001 + - disable_strategy - low_complexity - - medium_disruption + - low_disruption + - low_severity - no_reboot_needed - - unknown_strategy + - package_abrt-plugin-sosreport_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool -- name: Gather the package facts - package_facts: - manager: auto +- name: Ensure gssproxy is removed + package: + name: gssproxy + state: absent tags: - - CCE-80823-8 - - DISA-STIG-RHEL-08-010820 - - NIST-800-171-3.1.1 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(b) - - gnome_gdm_disable_automatic_login - - high_severity + - CCE-82943-2 + - DISA-STIG-RHEL-08-040370 + - disable_strategy - low_complexity - - medium_disruption + - low_disruption + - low_severity - 
no_reboot_needed - - unknown_strategy + - package_gssproxy_removed when: - - gnome_gdm_disable_automatic_login | bool - - high_severity | bool + - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool + - low_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool + - package_gssproxy_removed | bool -- name: Disable GDM Automatic Login - ini_file: - dest: /etc/gdm/custom.conf - section: daemon - option: AutomaticLoginEnable - value: 'false' - no_extra_spaces: true - create: true +- name: Ensure iprutils is removed + package: + name: iprutils + state: absent + tags: + - CCE-82946-5 + - DISA-STIG-RHEL-08-040380 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_iprutils_removed when: - - gnome_gdm_disable_automatic_login | bool - - high_severity | bool + - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool + - low_severity | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - package_iprutils_removed | bool + +- name: Ensure krb5-workstation is removed + package: + name: krb5-workstation + state: absent tags: - - CCE-80823-8 - - DISA-STIG-RHEL-08-010820 - - NIST-800-171-3.1.1 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(b) - - gnome_gdm_disable_automatic_login - - high_severity + - CCE-82931-7 + - DISA-STIG-RHEL-08-010162 + - disable_strategy - low_complexity - - medium_disruption + - low_disruption + - medium_severity - no_reboot_needed - - unknown_strategy + - package_krb5-workstation_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure tuned is removed + package: + name: tuned + state: absent + tags: + - CCE-82904-4 + - 
DISA-STIG-RHEL-08-040390 + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_tuned_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - package_tuned_removed | bool - name: Gather the package facts package_facts: manager: auto tags: - - CCE-83910-0 - - DISA-STIG-RHEL-08-020050 - - dconf_gnome_lock_screen_on_smartcard_removal + - CCE-80777-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020030 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy when: - - dconf_gnome_lock_screen_on_smartcard_removal | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool -- name: Detect if removal-action can be found on /etc/dconf/db/local.d/ - find: - path: /etc/dconf/db/local.d/ - contains: ^\s*removal-action - register: dconf_gnome_lock_screen_on_smartcard_removal_config_files +- name: Dconf Update + command: dconf update when: - - dconf_gnome_lock_screen_on_smartcard_removal | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool 
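Review bot: The three `Defaults !targetpw` / `!rootpw` / `!runaspw` `lineinfile` tasks edit `/etc/sudoers` without the `validate: /usr/sbin/visudo -cf %s` that the neighbouring `replace` tasks use, and `create: true` on that path would produce a file with default permissions rather than the 0440 mode sudo expects by default. A syntactically or permission-wise bad sudoers disables sudo on the host, so each of those tasks should gain `validate: /usr/sbin/visudo -cf %s` and `mode: '0440'`, or drop `create: true` since the file is expected to exist. Separately, the new package tasks for rng-tools, the abrt-* set and krb5-workstation list their rule name in `tags` but not in `when` (e.g. `- package_abrt-addon-ccpp_removed | bool` is missing), unlike `package_gssproxy_removed`, `package_iprutils_removed` and `package_tuned_removed`, so those rules cannot be switched off through their variable the way every other task in this file can.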
@@ -870,25 +876,31 @@
   - unknown_strategy | bool
   - '"gdm" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+  - ansible_distribution == 'SLES'
   tags:
-  - CCE-83910-0
-  - DISA-STIG-RHEL-08-020050
-  - dconf_gnome_lock_screen_on_smartcard_removal
+  - CCE-80777-6
+  - CJIS-5.5.5
+  - DISA-STIG-RHEL-08-020030
+  - NIST-800-171-3.1.10
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-8.1.8
+  - dconf_gnome_screensaver_lock_enabled
   - low_complexity
   - medium_disruption
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
 
-- name: Configure removal-action - default file
+- name: Enable GNOME3 Screensaver Lock After Idle Period
   ini_file:
-    dest: /etc/dconf/db/local.d//00-security-settings
-    section: org/gnome/settings-daemon/peripherals/smartcard
-    option: removal-action
-    value: lock-screen
+    dest: /etc/dconf/db/local.d/00-security-settings
+    section: org/gnome/desktop/screensaver
+    option: lock-enabled
+    value: 'true'
     create: true
+    no_extra_spaces: true
   when:
-  - dconf_gnome_lock_screen_on_smartcard_removal | bool
+  - dconf_gnome_screensaver_lock_enabled | bool
   - low_complexity | bool
   - medium_disruption | bool
   - medium_severity | bool
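Review bot: The `dconf update` task whose `when` list this hunk completes (the task itself starts in the previous hunk) is now gated on `ansible_distribution == 'SLES'` but still runs before the `ini_file` task below writes `lock-enabled` into `00-security-settings`, so on SLES it compiles the database without the new key; being a bare `command` it also reports "changed" on every run. Add `changed_when: false` to that task, or rely solely on the trailing `Dconf Update` that follows the lock-file task. Separately, keys and locks placed under `/etc/dconf/db/local.d` only apply if the user profile lists `system-db:local` — presumably handled by another rule in this role, but worth confirming since nothing in this hunk checks it.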
@@ -896,28 +908,28 @@
   - unknown_strategy | bool
   - '"gdm" in ansible_facts.packages'
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
-  - dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched
-    == 0
   tags:
-  - CCE-83910-0
-  - DISA-STIG-RHEL-08-020050
-  - dconf_gnome_lock_screen_on_smartcard_removal
+  - CCE-80777-6
+  - CJIS-5.5.5
+  - DISA-STIG-RHEL-08-020030
+  - NIST-800-171-3.1.10
+  - NIST-800-53-CM-6(a)
+  - PCI-DSS-Req-8.1.8
+  - dconf_gnome_screensaver_lock_enabled
   - low_complexity
   - medium_disruption
   - medium_severity
   - no_reboot_needed
   - unknown_strategy
 
-- name: Configure removal-action - existing files
-  ini_file:
-    dest: '{{ item.path }}'
-    section: org/gnome/settings-daemon/peripherals/smartcard
-    option: removal-action
-    value: lock-screen
+- name: Prevent user modification of GNOME lock-enabled
+  lineinfile:
+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+    regexp: ^/org/gnome/desktop/screensaver/lock-enabled
+    line: /org/gnome/desktop/screensaver/lock-enabled
     create: true
-  with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_config_files.files }}'
   when:
-  - dconf_gnome_lock_screen_on_smartcard_removal | bool
+  - dconf_gnome_screensaver_lock_enabled | bool
   - low_complexity | bool
   - medium_disruption | bool
   - medium_severity | bool
@@ -925,50 +937,25 @@ - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched - > 0 tags: - - CCE-83910-0 - - DISA-STIG-RHEL-08-020050 - - dconf_gnome_lock_screen_on_smartcard_removal - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Detect if lock for removal-action can be found on /etc/dconf/db/local.d/ - find: - path: /etc/dconf/db/local.d/locks - contains: ^\s*removal-action - register: dconf_gnome_lock_screen_on_smartcard_removal_lock_files - when: - - dconf_gnome_lock_screen_on_smartcard_removal | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-83910-0 - - DISA-STIG-RHEL-08-020050 - - dconf_gnome_lock_screen_on_smartcard_removal + - CCE-80777-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020030 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- name: Prevent user modification removal-action - default file - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action - line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - create: true +- name: Check GNOME3 screenserver disable-lock-screen false + command: gsettings get org.gnome.desktop.lockdown disable-lock-screen + register: cmd_out when: - - dconf_gnome_lock_screen_on_smartcard_removal | bool + - 
dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool @@ -976,27 +963,25 @@ - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched - == 0 + - ansible_distribution == 'SLES' tags: - - CCE-83910-0 - - DISA-STIG-RHEL-08-020050 - - dconf_gnome_lock_screen_on_smartcard_removal + - CCE-80777-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020030 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- name: Prevent user modification removal-action - existing files - lineinfile: - path: '{{ item.path }}' - regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action - line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - create: true - with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_lock_files.files }}' +- name: Update GNOME3 screenserver disable-lock-screen false + command: gsettings set org.gnome.desktop.lockdown disable-lock-screen false when: - - dconf_gnome_lock_screen_on_smartcard_removal | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool 
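Review bot: `Check GNOME3 screenserver disable-lock-screen false` is a read-only `gsettings get` run through `command` with no `changed_when`, so it reports a change on every play, and without `check_mode: false` it is skipped under `--check`, leaving `cmd_out` undefined for any task that later reads it. Add `changed_when: false` and `check_mode: false` to the task. The task name also misspells "screensaver" as `screenserver`. The task's `when` list continues into the next hunk.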
@@ -1004,22 +989,25 @@ - unknown_strategy | bool - '"gdm" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched - > 0 + - ansible_distribution == 'SLES' tags: - - CCE-83910-0 - - DISA-STIG-RHEL-08-020050 - - dconf_gnome_lock_screen_on_smartcard_removal + - CCE-80777-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020030 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption - medium_severity - no_reboot_needed - unknown_strategy -- name: Dconf Update - removal-action +- name: Dconf Update command: dconf update when: - - dconf_gnome_lock_screen_on_smartcard_removal | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool @@ -1028,9 +1016,13 @@ - '"gdm" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83910-0 - - DISA-STIG-RHEL-08-020050 - - dconf_gnome_lock_screen_on_smartcard_removal + - CCE-80777-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020030 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption - medium_severity 
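Review bot: `Update GNOME3 screenserver disable-lock-screen false` runs `gsettings set` on every SLES run and never consults the `cmd_out` registered by the preceding check, so the pair is not idempotent; gate it on the captured value, e.g. add `- cmd_out.stdout | default('') | trim != 'false'` to its `when` list. Note also that `gsettings` operates on the invoking user's dconf profile — when Ansible runs this as root outside a user session it is presumably root's own database that changes, not the system-wide `local` db the `ini_file` and lock tasks target — so whether this actually constrains other users' sessions should be verified rather than assumed. The task's `when` list continues into the next hunk.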
@@ -1041,123 +1033,112 @@ package_facts: manager: auto tags: - - CCE-80791-7 - - DISA-STIG-RHEL-08-010371 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80775-0 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020060 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - ensure_gpgcheck_local_packages - - high_severity + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption + - medium_severity - no_reboot_needed - unknown_strategy when: - - ensure_gpgcheck_local_packages | bool - - high_severity | bool + - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool -- name: Check existence of yum on Fedora - stat: - path: /etc/yum.conf - register: yum_config_file - check_mode: false +- name: Set GNOME3 Screensaver Inactivity Timeout + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/session + option: idle-delay + value: uint32 {{ inactivity_timeout_value }} + create: true + no_extra_spaces: true when: - - ensure_gpgcheck_local_packages | bool - - high_severity | bool + - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - ansible_distribution == "Fedora" + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80791-7 - - DISA-STIG-RHEL-08-010371 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80775-0 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020060 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - 
- ensure_gpgcheck_local_packages - - high_severity + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption + - medium_severity - no_reboot_needed - unknown_strategy -- name: Ensure GPG check Enabled for Local Packages (Yum) - ini_file: - dest: /etc/yum.conf - section: main - option: localpkg_gpgcheck - value: 1 +- name: Prevent user modification of GNOME idle-delay + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/session/idle-delay + line: /org/gnome/desktop/session/idle-delay create: true when: - - ensure_gpgcheck_local_packages | bool - - high_severity | bool + - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80791-7 - - DISA-STIG-RHEL-08-010371 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80775-0 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020060 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - ensure_gpgcheck_local_packages - - high_severity + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption + - medium_severity - no_reboot_needed - unknown_strategy -- name: Ensure GPG check Enabled for Local Packages (DNF) - ini_file: - dest: /etc/dnf/dnf.conf - section: main - option: localpkg_gpgcheck - value: 1 - create: true +- name: Dconf Update + command: dconf update when: - - ensure_gpgcheck_local_packages | bool - - high_severity | bool + - 
dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - ansible_distribution == "Fedora" + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80791-7 - - DISA-STIG-RHEL-08-010371 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80775-0 + - CJIS-5.5.5 + - DISA-STIG-RHEL-08-020060 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - ensure_gpgcheck_local_packages - - high_severity + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption + - medium_severity - no_reboot_needed - unknown_strategy 
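Review bot: `Set GNOME3 Screensaver Inactivity Timeout` writes `idle-delay = uint32 {{ inactivity_timeout_value }}` without validating the variable; under GNOME's schema an `idle-delay` of 0 means the session never goes idle, so a zero or unset value would have the follow-on `00-security-settings-lock` entry pin the control in a disabled state rather than enforce a timeout. Add a guard ahead of the `ini_file` task, e.g. `- name: Validate inactivity timeout` / `assert:` / `that: inactivity_timeout_value | int > 0`, under the same `when` conditions. This hunk also removes the `localpkg_gpgcheck` tasks; assuming they are re-added elsewhere in the diff, nothing further to raise on that.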
@@ -1165,646 +1146,719 @@ package_facts: manager: auto tags: - - CCE-80790-9 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-08-010370 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80823-8 + - DISA-STIG-RHEL-08-010820 + - NIST-800-171-3.1.1 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated + - NIST-800-53-CM-7(b) + - gnome_gdm_disable_automatic_login - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy when: - - ensure_gpgcheck_globally_activated | bool + - gnome_gdm_disable_automatic_login | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool -- name: Check existence of yum on Fedora - stat: - path: /etc/yum.conf - register: yum_config_file - check_mode: false - when: - - ensure_gpgcheck_globally_activated | bool +- name: Disable GDM Automatic Login + ini_file: + dest: /etc/gdm/custom.conf + section: daemon + option: AutomaticLoginEnable + value: 'false' + no_extra_spaces: true + create: true + when: + - gnome_gdm_disable_automatic_login | bool - high_severity | bool - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - ansible_distribution == "Fedora" + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80790-9 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-08-010370 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80823-8 + - DISA-STIG-RHEL-08-010820 + - NIST-800-171-3.1.1 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) 
- - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated + - NIST-800-53-CM-7(b) + - gnome_gdm_disable_automatic_login - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy -- name: Ensure GPG check is globally activated (yum) - ini_file: - dest: /etc/yum.conf - section: main - option: gpgcheck - value: 1 - no_extra_spaces: true - create: false +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-83910-0 + - DISA-STIG-RHEL-08-020050 + - dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy when: - - ensure_gpgcheck_globally_activated | bool - - high_severity | bool + - dconf_gnome_lock_screen_on_smartcard_removal | bool - low_complexity | bool - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) + +- name: Detect if removal-action can be found on /etc/dconf/db/local.d/ + find: + path: /etc/dconf/db/local.d/ + contains: ^\s*removal-action + register: dconf_gnome_lock_screen_on_smartcard_removal_config_files + when: + - dconf_gnome_lock_screen_on_smartcard_removal | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80790-9 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-08-010370 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - 
- ensure_gpgcheck_globally_activated - - high_severity + - CCE-83910-0 + - DISA-STIG-RHEL-08-020050 + - dconf_gnome_lock_screen_on_smartcard_removal - low_complexity - medium_disruption + - medium_severity - no_reboot_needed - unknown_strategy -- name: Ensure GPG check is globally activated (dnf) +- name: Configure removal-action - default file ini_file: - dest: /etc/dnf/dnf.conf - section: main - option: gpgcheck - value: 1 - no_extra_spaces: true - create: false + dest: /etc/dconf/db/local.d//00-security-settings + section: org/gnome/settings-daemon/peripherals/smartcard + option: removal-action + value: lock-screen + create: true when: - - ensure_gpgcheck_globally_activated | bool - - high_severity | bool + - dconf_gnome_lock_screen_on_smartcard_removal | bool - low_complexity | bool - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - ansible_distribution == "Fedora" + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched + == 0 tags: - - CCE-80790-9 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-08-010370 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated - - high_severity + - CCE-83910-0 + - DISA-STIG-RHEL-08-020050 + - dconf_gnome_lock_screen_on_smartcard_removal - low_complexity - medium_disruption + - medium_severity - no_reboot_needed - unknown_strategy -- name: Gather the package facts - package_facts: - manager: auto +- name: Configure removal-action - existing files + ini_file: + dest: '{{ item.path }}' + section: 
org/gnome/settings-daemon/peripherals/smartcard + option: removal-action + value: lock-screen + create: true + with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_config_files.files }}' + when: + - dconf_gnome_lock_screen_on_smartcard_removal | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched + > 0 tags: - - CCE-82476-3 - - DISA-STIG-RHEL-08-010440 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-2(6) - - clean_components_post_updating + - CCE-83910-0 + - DISA-STIG-RHEL-08-020050 + - dconf_gnome_lock_screen_on_smartcard_removal - low_complexity - - low_disruption - - low_severity + - medium_disruption + - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy + +- name: Detect if lock for removal-action can be found on /etc/dconf/db/local.d/ + find: + path: /etc/dconf/db/local.d/locks + contains: ^\s*removal-action + register: dconf_gnome_lock_screen_on_smartcard_removal_lock_files when: - - clean_components_post_updating | bool + - dconf_gnome_lock_screen_on_smartcard_removal | bool - low_complexity | bool - - low_disruption | bool - - low_severity | bool + - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-83910-0 + - DISA-STIG-RHEL-08-020050 + - dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - 
unknown_strategy -- name: Ensure YUM Removes Previous Package Versions +- name: Prevent user modification removal-action - default file lineinfile: - dest: /etc/yum.conf - regexp: ^#?clean_requirements_on_remove - line: clean_requirements_on_remove=1 - insertafter: \[main\] + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action + line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action create: true when: - - clean_components_post_updating | bool + - dconf_gnome_lock_screen_on_smartcard_removal | bool - low_complexity | bool - - low_disruption | bool - - low_severity | bool + - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool - - '"yum" in ansible_facts.packages' + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched + == 0 tags: - - CCE-82476-3 - - DISA-STIG-RHEL-08-010440 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-2(6) - - clean_components_post_updating + - CCE-83910-0 + - DISA-STIG-RHEL-08-020050 + - dconf_gnome_lock_screen_on_smartcard_removal - low_complexity - - low_disruption - - low_severity + - medium_disruption + - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Security patches are up to date - package: - name: '*' - state: latest - tags: - - CCE-80865-9 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-08-010010 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-2(5) - - NIST-800-53-SI-2(c) - - PCI-DSS-Req-6.2 - - high_disruption - - high_severity - - low_complexity - - patch_strategy - - reboot_required - - security_patches_up_to_date - - skip_ansible_lint +- name: Prevent user 
modification removal-action - existing files + lineinfile: + path: '{{ item.path }}' + regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action + line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action + create: true + with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_lock_files.files }}' when: - - high_disruption | bool - - high_severity | bool + - dconf_gnome_lock_screen_on_smartcard_removal | bool - low_complexity | bool - - patch_strategy | bool - - reboot_required | bool - - security_patches_up_to_date | bool - - skip_ansible_lint | bool - -- name: Ensure rng-tools is installed - package: - name: rng-tools - state: present + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched + > 0 tags: - - CCE-82968-9 - - DISA-STIG-RHEL-08-010471 - - enable_strategy + - CCE-83910-0 + - DISA-STIG-RHEL-08-020050 + - dconf_gnome_lock_screen_on_smartcard_removal - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - package_rng-tools_installed + - unknown_strategy + +- name: Dconf Update - removal-action + command: dconf update when: - - enable_strategy | bool + - dconf_gnome_lock_screen_on_smartcard_removal | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - -- name: Ensure abrt-addon-ccpp is removed - package: - name: abrt-addon-ccpp - state: absent + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82919-2 - - DISA-STIG-RHEL-08-040001 - - disable_strategy + - CCE-83910-0 
+ - DISA-STIG-RHEL-08-020050 + - dconf_gnome_lock_screen_on_smartcard_removal - low_complexity - - low_disruption - - low_severity + - medium_disruption + - medium_severity - no_reboot_needed - - package_abrt-addon-ccpp_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool + - unknown_strategy -- name: Ensure abrt-addon-kerneloops is removed - package: - name: abrt-addon-kerneloops - state: absent +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-82926-7 - - DISA-STIG-RHEL-08-040001 - - disable_strategy + - CCE-84028-0 + - DISA-STIG-RHEL-08-040171 + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_ctrlaltdel_reboot + - high_severity - low_complexity - - low_disruption - - low_severity + - medium_disruption - no_reboot_needed - - package_abrt-addon-kerneloops_removed + - unknown_strategy when: - - disable_strategy | bool + - dconf_gnome_disable_ctrlaltdel_reboot | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - low_severity | bool + - medium_disruption | bool - no_reboot_needed | bool + - unknown_strategy | bool -- name: Ensure abrt-addon-python is removed - package: - name: abrt-addon-python - state: absent - tags: - - CCE-82923-4 - - DISA-STIG-RHEL-08-040001 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_abrt-addon-python_removed +- name: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/settings-daemon/plugins/media-keys + option: logout + value: '''''' + create: true + no_extra_spaces: true when: - - disable_strategy | bool + - dconf_gnome_disable_ctrlaltdel_reboot | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - low_severity | bool + - medium_disruption | 
bool - no_reboot_needed | bool - -- name: Ensure abrt-cli is removed - package: - name: abrt-cli - state: absent + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82907-7 - - DISA-STIG-RHEL-08-040001 - - disable_strategy + - CCE-84028-0 + - DISA-STIG-RHEL-08-040171 + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_ctrlaltdel_reboot + - high_severity - low_complexity - - low_disruption - - low_severity + - medium_disruption - no_reboot_needed - - package_abrt-cli_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool + - unknown_strategy -- name: Ensure abrt-plugin-logger is removed - package: - name: abrt-plugin-logger - state: absent - tags: - - CCE-82913-5 - - DISA-STIG-RHEL-08-040001 - - disable_strategy - - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_abrt-plugin-logger_removed +- name: Prevent user modification of GNOME disablement of Ctrl-Alt-Del + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/settings-daemon/plugins/media-keys/logout + line: /org/gnome/settings-daemon/plugins/media-keys/logout + create: true when: - - disable_strategy | bool + - dconf_gnome_disable_ctrlaltdel_reboot | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - low_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - -- name: Ensure abrt-plugin-rhtsupport is removed - package: - name: abrt-plugin-rhtsupport - state: absent + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82916-8 - - DISA-STIG-RHEL-08-040001 - - disable_strategy + - CCE-84028-0 + - 
DISA-STIG-RHEL-08-040171 + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_ctrlaltdel_reboot + - high_severity - low_complexity - - low_disruption - - low_severity + - medium_disruption - no_reboot_needed - - package_abrt-plugin-rhtsupport_removed + - unknown_strategy + +- name: Dconf Update + command: dconf update when: - - disable_strategy | bool + - dconf_gnome_disable_ctrlaltdel_reboot | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - low_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - -- name: Ensure abrt-plugin-sosreport is removed - package: - name: abrt-plugin-sosreport - state: absent + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82910-1 - - DISA-STIG-RHEL-08-040001 - - disable_strategy + - CCE-84028-0 + - DISA-STIG-RHEL-08-040171 + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_ctrlaltdel_reboot + - high_severity - low_complexity - - low_disruption - - low_severity + - medium_disruption - no_reboot_needed - - package_abrt-plugin-sosreport_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool + - unknown_strategy -- name: Ensure gssproxy is removed +- name: Security patches are up to date package: - name: gssproxy - state: absent + name: '*' + state: latest tags: - - CCE-82943-2 - - DISA-STIG-RHEL-08-040370 - - disable_strategy + - CCE-80865-9 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010010 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - PCI-DSS-Req-6.2 + - high_disruption + - high_severity - low_complexity - - low_disruption - - low_severity - - no_reboot_needed - - package_gssproxy_removed + - patch_strategy + - 
reboot_required + - security_patches_up_to_date + - skip_ansible_lint when: - - disable_strategy | bool + - high_disruption | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_gssproxy_removed | bool + - patch_strategy | bool + - reboot_required | bool + - security_patches_up_to_date | bool + - skip_ansible_lint | bool -- name: Ensure iprutils is removed - package: - name: iprutils - state: absent +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-82946-5 - - DISA-STIG-RHEL-08-040380 - - disable_strategy + - CCE-80791-7 + - DISA-STIG-RHEL-08-010371 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity - low_complexity - - low_disruption - - low_severity + - medium_disruption - no_reboot_needed - - package_iprutils_removed + - unknown_strategy when: - - disable_strategy | bool + - ensure_gpgcheck_local_packages | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - low_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - - package_iprutils_removed | bool + - unknown_strategy | bool -- name: Ensure krb5-workstation is removed - package: - name: krb5-workstation - state: absent - tags: - - CCE-82931-7 - - DISA-STIG-RHEL-08-010162 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_krb5-workstation_removed +- name: Check existence of yum on Fedora + stat: + path: /etc/yum.conf + register: yum_config_file + check_mode: false when: - - disable_strategy | bool + - ensure_gpgcheck_local_packages | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - -- name: Ensure 
tuned is removed - package: - name: tuned - state: absent + - unknown_strategy | bool + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" tags: - - CCE-82904-4 - - DISA-STIG-RHEL-08-040390 - - disable_strategy + - CCE-80791-7 + - DISA-STIG-RHEL-08-010371 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity - low_complexity - - low_disruption - - low_severity + - medium_disruption - no_reboot_needed - - package_tuned_removed + - unknown_strategy + +- name: Ensure GPG check Enabled for Local Packages (Yum) + ini_file: + dest: /etc/yum.conf + section: main + option: localpkg_gpgcheck + value: 1 + create: true when: - - disable_strategy | bool + - ensure_gpgcheck_local_packages | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - low_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - - package_tuned_removed | bool - -- name: Ensure that Defaults !targetpw is defined in sudoers - lineinfile: - path: /etc/sudoers - create: true - line: Defaults !targetpw - state: present + - unknown_strategy | bool + - '"yum" in ansible_facts.packages' + - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) tags: - - CCE-83422-6 - - DISA-STIG-RHEL-08-010383 + - CCE-80791-7 + - DISA-STIG-RHEL-08-010371 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy - - sudoers_validate_passwd + - unknown_strategy + +- name: Ensure GPG check Enabled for Local Packages (DNF) + ini_file: + 
dest: /etc/dnf/dnf.conf + section: main + option: localpkg_gpgcheck + value: 1 + create: true when: + - ensure_gpgcheck_local_packages | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sudoers_validate_passwd | bool - -- name: Ensure that Defaults !rootpw is defined in sudoers - lineinfile: - path: /etc/sudoers - create: true - line: Defaults !rootpw - state: present + - unknown_strategy | bool + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" tags: - - CCE-83422-6 - - DISA-STIG-RHEL-08-010383 + - CCE-80791-7 + - DISA-STIG-RHEL-08-010371 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy - - sudoers_validate_passwd - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sudoers_validate_passwd | bool + - unknown_strategy -- name: Ensure that Defaults !runaspw is defined in sudoers - lineinfile: - path: /etc/sudoers - create: true - line: Defaults !runaspw - state: present +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-83422-6 - - DISA-STIG-RHEL-08-010383 + - CCE-80790-9 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010370 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity - low_complexity - - low_disruption - - medium_severity + - 
medium_disruption - no_reboot_needed - - restrict_strategy - - sudoers_validate_passwd + - unknown_strategy when: + - ensure_gpgcheck_globally_activated | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sudoers_validate_passwd | bool + - unknown_strategy | bool -- name: Find /etc/sudoers.d/ files - find: - paths: - - /etc/sudoers.d/ - register: sudoers +- name: Check existence of yum on Fedora + stat: + path: /etc/yum.conf + register: yum_config_file + check_mode: false + when: + - ensure_gpgcheck_globally_activated | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" tags: - - CCE-82202-3 - - DISA-STIG-RHEL-08-010381 + - CCE-80790-9 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010370 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-11 + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy - - sudo_remove_no_authenticate + - unknown_strategy + +- name: Ensure GPG check is globally activated (yum) + ini_file: + dest: /etc/yum.conf + section: main + option: gpgcheck + value: 1 + no_extra_spaces: true + create: false when: + - ensure_gpgcheck_globally_activated | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sudo_remove_no_authenticate | bool - -- name: Remove lines containing 
!authenticate from sudoers files - replace: - regexp: (^(?!#).*[\s]+\!authenticate.*$) - replace: '# \g<1>' - path: '{{ item.path }}' - validate: /usr/sbin/visudo -cf %s - with_items: - - path: /etc/sudoers - - '{{ sudoers.files }}' + - unknown_strategy | bool + - '"yum" in ansible_facts.packages' + - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) tags: - - CCE-82202-3 - - DISA-STIG-RHEL-08-010381 + - CCE-80790-9 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010370 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-11 + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy - - sudo_remove_no_authenticate + - unknown_strategy + +- name: Ensure GPG check is globally activated (dnf) + ini_file: + dest: /etc/dnf/dnf.conf + section: main + option: gpgcheck + value: 1 + no_extra_spaces: true + create: false when: + - ensure_gpgcheck_globally_activated | bool + - high_severity | bool - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sudo_remove_no_authenticate | bool + - unknown_strategy | bool + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" + tags: + - CCE-80790-9 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-08-010370 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - 
high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy -- name: Find /etc/sudoers.d/ files - find: - paths: - - /etc/sudoers.d/ - register: sudoers +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-82197-5 - - DISA-STIG-RHEL-08-010380 + - CCE-82476-3 + - DISA-STIG-RHEL-08-010440 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-11 + - NIST-800-53-SI-2(6) + - clean_components_post_updating - low_complexity - low_disruption - - medium_severity + - low_severity - no_reboot_needed - restrict_strategy - - sudo_remove_nopasswd when: + - clean_components_post_updating | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool + - low_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sudo_remove_nopasswd | bool -- name: Remove lines containing NOPASSWD from sudoers files - replace: - regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$) - replace: '# \g<1>' - path: '{{ item.path }}' - validate: /usr/sbin/visudo -cf %s - with_items: - - path: /etc/sudoers - - '{{ sudoers.files }}' +- name: Ensure YUM Removes Previous Package Versions + lineinfile: + dest: /etc/yum.conf + regexp: ^#?clean_requirements_on_remove + line: clean_requirements_on_remove=1 + insertafter: \[main\] + create: true + when: + - clean_components_post_updating | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"yum" in ansible_facts.packages' tags: - - CCE-82197-5 - - DISA-STIG-RHEL-08-010380 + - CCE-82476-3 + - DISA-STIG-RHEL-08-010440 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-11 + - NIST-800-53-SI-2(6) + - clean_components_post_updating - low_complexity - low_disruption - - medium_severity + - low_severity - no_reboot_needed - restrict_strategy - - sudo_remove_nopasswd - 
when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sudo_remove_nopasswd | bool - name: Modify the System Login Banner - remove incorrect banner file: @@ -2135,43 +2189,35 @@ package_facts: manager: auto tags: - - CCE-80670-3 - - CJIS-5.5.3 - - DISA-STIG-RHEL-08-020014 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-80654-7 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-08-020170 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - NIST-800-53-IA-5(1)(b) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_difok - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - accounts_passwords_pam_faillock_unlock_time | bool + - accounts_password_pam_difok | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool -- name: Add auth pam_faillock preauth unlock_time before pam_unix.so - pamd: - name: '{{ item }}' - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: required - new_module_path: pam_faillock.so - module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} - state: before - loop: - - system-auth - - password-auth +- name: Ensure PAM variable difok is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*difok + line: difok = {{ var_password_pam_difok }} when: - - accounts_passwords_pam_faillock_unlock_time | bool + - accounts_password_pam_difok | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -2179,70 +2225,51 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80670-3 - - CJIS-5.5.3 - - DISA-STIG-RHEL-08-020014 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-80654-7 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-08-020170 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - NIST-800-53-IA-5(1)(b) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_difok - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Add unlock_time argument to pam_faillock preauth - pamd: - name: '{{ item }}' - type: auth - control: required - module_path: pam_faillock.so - module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} - state: args_present - loop: - - system-auth - - password-auth - when: - - accounts_passwords_pam_faillock_unlock_time | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"pam" in ansible_facts.packages' +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-80670-3 - - CJIS-5.5.3 - - DISA-STIG-RHEL-08-020014 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-82066-2 + - DISA-STIG-RHEL-08-020150 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_maxrepeat - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + when: + - accounts_password_pam_maxrepeat | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool -- name: Add auth pam_faillock authfail unlock_interval after pam_unix.so - pamd: - name: '{{ item }}' - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: '[default=die]' 
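Review bot: The difok task writes /etc/security/pwquality.conf, but the only package precondition visible for this rule is `'"pam" in ansible_facts.packages'` (a context line at the start of the next hunk, where this task's `when` list continues); that file is consumed by pam_pwquality.so from libpwquality, not by pam itself, so on a host without libpwquality — or with a custom authselect profile that leaves pam_pwquality out of the `password` stack — the line is written with `create: true` and nothing enforces it. I would gate the task on `'"libpwquality" in ansible_facts.packages'` (the package name on RHEL 8; confirm for other targets) and put `# only effective if pam_pwquality.so is in the password stack of system-auth/password-auth` above the lineinfile. As written, the remediation can leave a compliant-looking file that no module reads.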
- new_module_path: pam_faillock.so - module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} - state: after - loop: - - system-auth - - password-auth +- name: Ensure PAM variable maxrepeat is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*maxrepeat + line: maxrepeat = {{ var_password_pam_maxrepeat }} when: - - accounts_passwords_pam_faillock_unlock_time | bool + - accounts_password_pam_maxrepeat | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -2250,69 +2277,51 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80670-3 - - CJIS-5.5.3 - - DISA-STIG-RHEL-08-020014 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-82066-2 + - DISA-STIG-RHEL-08-020150 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_maxrepeat - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Add unlock_time argument to auth pam_faillock authfail - pamd: - name: '{{ item }}' - type: auth - control: '[default=die]' - module_path: pam_faillock.so - module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} - state: args_present - loop: - - system-auth - - password-auth - when: - - accounts_passwords_pam_faillock_unlock_time | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"pam" in ansible_facts.packages' +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-80670-3 - - CJIS-5.5.3 - - DISA-STIG-RHEL-08-020014 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-80653-9 + - DISA-STIG-RHEL-08-020130 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_dcredit - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + when: + - accounts_password_pam_dcredit | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool -- name: Add account pam_faillock before pam_unix.so - pamd: - name: '{{ item }}' - type: account - control: required - module_path: pam_unix.so - new_type: account - new_control: required - 
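Review bot: The `lineinfile` that sets maxrepeat in /etc/security/pwquality.conf can be silently overridden: libpwquality as shipped on RHEL 8 (1.4.x, as far as I can tell) also reads `/etc/security/pwquality.conf.d/*.conf` after the main file, and a `maxrepeat` set in a drop-in wins over the value written here. The remediation should either clear conflicting keys from the drop-ins first — a `find` over `/etc/security/pwquality.conf.d/` with `patterns: '*.conf'`, then `lineinfile` with `regexp: ^\s*maxrepeat\s*=` and `state: absent` on each result — or at least carry a comment noting the limitation. This task's `when` and `tags` lists continue past the end of the hunk.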
new_module_path: pam_faillock.so - state: before - loop: - - system-auth - - password-auth +- name: Ensure PAM variable dcredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*dcredit + line: dcredit = {{ var_password_pam_dcredit }} when: - - accounts_passwords_pam_faillock_unlock_time | bool + - accounts_password_pam_dcredit | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -2320,14 +2329,14 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80670-3 - - CJIS-5.5.3 - - DISA-STIG-RHEL-08-020014 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-80653-9 + - DISA-STIG-RHEL-08-020130 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_dcredit - low_complexity - low_disruption - medium_severity 
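Review bot: The dcredit value's sign convention carries the entire security meaning of the setting and nothing in the task records it: a negative value is a minimum count of digits, while 0 or a positive value is only a scoring credit that requires nothing (DISA-STIG-RHEL-08-020130, which the task is tagged with, expects -1). I would put `# negative = minimum number of digits required; 0 or positive = no requirement` above the lineinfile, and consider an `assert` with `that: var_password_pam_dcredit | int < 0` so a mistyped default does not yield a compliant-looking but empty rule. The same remark applies to the lcredit, ucredit and ocredit tasks later in the diff; this task's `when` list continues into the next hunk.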
@@ -2338,41 +2347,34 @@ package_facts: manager: auto tags: - - CCE-80668-7 - - DISA-STIG-RHEL-08-020022 - - NIST-800-53-AC-7(b) + - CCE-82046-4 + - DISA-STIG-RHEL-08-020160 - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - accounts_passwords_pam_faillock_deny_root + - accounts_password_pam_minclass - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - accounts_passwords_pam_faillock_deny_root | bool + - accounts_password_pam_minclass | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool -- name: Add auth pam_faillock preauth even_deny_root before pam_unix.so - pamd: - name: '{{ item }}' - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: required - new_module_path: pam_faillock.so - module_arguments: preauth silent even_deny_root - state: before - loop: - - system-auth - - password-auth +- name: Ensure PAM variable minclass is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*minclass + line: minclass = {{ var_password_pam_minclass }} when: - - accounts_passwords_pam_faillock_deny_root | bool + - accounts_password_pam_minclass | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
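Review bot: minclass is bounded by the four character classes pwquality distinguishes (digits, upper, lower, other), but `minclass = {{ var_password_pam_minclass }}` is written with no range check; as far as I can tell a value above 4 is unsatisfiable and would make every password change fail until someone edits the file by hand. A short `assert` before the lineinfile, `that: var_password_pam_minclass | int >= 0 and var_password_pam_minclass | int <= 4`, guards against that, and a comment `# 0-4: number of distinct character classes required` would make the unit clear to the next reader. This task's `when` list continues into the next hunk.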
@@ -2380,66 +2382,53 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80668-7 - - DISA-STIG-RHEL-08-020022 - - NIST-800-53-AC-7(b) + - CCE-82046-4 + - DISA-STIG-RHEL-08-020160 - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - accounts_passwords_pam_faillock_deny_root + - accounts_password_pam_minclass - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Add even_deny_root argument to auth pam_faillock preauth - pamd: - name: '{{ item }}' - type: auth - control: required - module_path: pam_faillock.so - module_arguments: preauth silent even_deny_root - state: args_present - loop: - - system-auth - - password-auth - when: - - accounts_passwords_pam_faillock_deny_root | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"pam" in ansible_facts.packages' +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-80668-7 - - DISA-STIG-RHEL-08-020022 - - NIST-800-53-AC-7(b) + - CCE-80656-2 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-08-020230 - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - accounts_passwords_pam_faillock_deny_root + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_minlen - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + when: + - accounts_password_pam_minlen | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool -- name: Add auth pam_faillock authfail even_deny_root after pam_unix.so - pamd: - name: '{{ item }}' - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: '[default=die]' - new_module_path: pam_faillock.so - module_arguments: authfail even_deny_root - state: after - loop: - - system-auth - - 
password-auth +- name: Ensure PAM variable minlen is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*minlen + line: minlen = {{ var_password_pam_minlen }} when: - - accounts_passwords_pam_faillock_deny_root | bool + - accounts_password_pam_minlen | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -2447,31 +2436,54 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80668-7 - - DISA-STIG-RHEL-08-020022 - - NIST-800-53-AC-7(b) + - CCE-80656-2 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-08-020230 - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - accounts_passwords_pam_faillock_deny_root + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_minlen - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Add even_deny_root argument to auth pam_faillock authfail - pamd: - name: '{{ item }}' - type: auth - control: '[default=die]' - module_path: pam_faillock.so - module_arguments: authfail even_deny_root - state: args_present - loop: - - system-auth - - password-auth +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80655-4 + - DISA-STIG-RHEL-08-020120 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_lcredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - accounts_passwords_pam_faillock_deny_root | bool + - accounts_password_pam_lcredit | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Ensure PAM variable lcredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*lcredit + line: lcredit = {{ var_password_pam_lcredit }} + when: + - accounts_password_pam_lcredit | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
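Review bot: None of the pwquality keys added in this and the neighbouring hunks (minlen here, the credit/difok/maxrepeat settings elsewhere) are enforced when the user running the password change is root unless `enforce_for_root` is also set in pwquality.conf, so root running `passwd` for another account, or for itself, only gets a warning and the weak password is accepted. I cannot see that key being set anywhere in the diff, so unless another rule in the profile covers it this rule is weaker than its STIG tag suggests; I would add a sibling task writing `enforce_for_root` with the same `regexp: ^#?\s*enforce_for_root` pattern, or at minimum a comment `# not enforced for root unless enforce_for_root is set` above the lineinfile. Note also that libpwquality applies a floor of 6 to minlen whatever value is written, which is worth stating next to the variable. This task's `when` list continues into the next hunk.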
@@ -2479,33 +2491,53 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80668-7 - - DISA-STIG-RHEL-08-020022 - - NIST-800-53-AC-7(b) + - CCE-80655-4 + - DISA-STIG-RHEL-08-020120 - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - accounts_passwords_pam_faillock_deny_root + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_lcredit - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Add account pam_faillock before pam_unix.so - pamd: - name: '{{ item }}' - type: account - control: required - module_path: pam_unix.so - new_type: account - new_control: required - new_module_path: pam_faillock.so - state: before - loop: - - system-auth - - password-auth +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80665-3 + - DISA-STIG-RHEL-08-020110 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_ucredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - accounts_passwords_pam_faillock_deny_root | bool + - accounts_password_pam_ucredit | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Ensure PAM variable ucredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*ucredit + line: ucredit = {{ var_password_pam_ucredit }} + when: + - accounts_password_pam_ucredit | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -2513,12 +2545,14 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80668-7 - - DISA-STIG-RHEL-08-020022 - - NIST-800-53-AC-7(b) + - CCE-80665-3 + - DISA-STIG-RHEL-08-020110 - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - accounts_passwords_pam_faillock_deny_root + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_ucredit - low_complexity - low_disruption - medium_severity 
@@ -2529,34 +2563,88 @@ package_facts: manager: auto tags: - - CCE-80666-1 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-08-020220 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.5 - - accounts_password_pam_unix_remember + - CCE-80663-8 + - DISA-STIG-RHEL-08-020280 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_ocredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - accounts_password_pam_ocredit | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Ensure PAM variable ocredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*ocredit + line: ocredit = {{ var_password_pam_ocredit }} + when: + - accounts_password_pam_ocredit | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-80663-8 + - DISA-STIG-RHEL-08-020280 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_ocredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80664-6 + - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020100 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(4) + - accounts_password_pam_retry - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed when: - - accounts_password_pam_unix_remember | bool + - accounts_password_pam_retry | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool -- name: Do 
not allow users to reuse recent passwords - system-auth (change) +- name: Set Password Retry Prompts Permitted Per-Session - system-auth (change) replace: - dest: /etc/pam.d/system-auth - regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ - replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> + dest: '{{ item }}' + regexp: (^.*\spam_pwquality.so\s.*retry\s*=\s*)(\S+)(.*$) + replace: \g<1>{{ var_password_pam_retry }}\g<3> + loop: + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth when: - - accounts_password_pam_unix_remember | bool + - accounts_password_pam_retry | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -2564,27 +2652,29 @@ - no_reboot_needed | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80666-1 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-08-020220 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.5 - - accounts_password_pam_unix_remember + - CCE-80664-6 + - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020100 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(4) + - accounts_password_pam_retry - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed -- name: Do not allow users to reuse recent passwords - system-auth (add) +- name: Set Password Retry Prompts Permitted Per-Session - system-auth (add) replace: - dest: /etc/pam.d/system-auth - regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ - replace: \g<0> remember={{ var_password_pam_unix_remember }} + dest: '{{ item }}' + regexp: ^.*\spam_pwquality.so\s(?!.*retry\s*=\s*).*$ + replace: \g<0> retry={{ var_password_pam_retry }} + loop: + - /etc/pam.d/system-auth + - /etc/pam.d/password-auth when: - - accounts_password_pam_unix_remember | bool + - accounts_password_pam_retry | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool 
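Review bot: The retry regexps in both hunks on this line leave the dot in `pam_pwquality.so` unescaped, so `.` matches any character, while the pam_unix patterns elsewhere in this file escape it as `pam_unix\.so`; for consistency and precision the (change) task should read `regexp: (^.*\spam_pwquality\.so\s.*retry\s*=\s*)(\S+)(.*$)` and the (add) task `regexp: ^.*\spam_pwquality\.so\s(?!.*retry\s*=\s*).*$`. Both tasks loop over /etc/pam.d/system-auth and /etc/pam.d/password-auth with `replace`; on a RHEL 8 host where these files are managed by authselect the edits may be reverted by the next `authselect apply-changes`, which is worth a comment on the loop if that is a known limitation. Each task's `when` list runs past the end of its hunk.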
@@ -2592,14 +2682,13 @@ - no_reboot_needed | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80666-1 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-08-020220 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.5 - - accounts_password_pam_unix_remember + - CCE-80664-6 + - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020100 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(4) + - accounts_password_pam_retry - configure_strategy - low_complexity - medium_disruption 
@@ -2610,18 +2699,70 @@ package_facts: manager: auto tags: - - CCE-80669-5 - - DISA-STIG-RHEL-08-020012 - - NIST-800-53-AC-7(a) + - CCE-81034-1 + - DISA-STIG-RHEL-08-020140 - NIST-800-53-CM-6(a) - - accounts_passwords_pam_faillock_interval + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_maxclassrepeat - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - accounts_passwords_pam_faillock_interval | bool + - accounts_password_pam_maxclassrepeat | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Ensure PAM variable maxclassrepeat is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*maxclassrepeat + line: maxclassrepeat = {{ var_password_pam_maxclassrepeat }} + when: + - accounts_password_pam_maxclassrepeat | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-81034-1 + - DISA-STIG-RHEL-08-020140 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_maxclassrepeat + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80669-5 + - DISA-STIG-RHEL-08-020012 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - accounts_passwords_pam_faillock_interval + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - accounts_passwords_pam_faillock_interval | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -2791,6 +2932,87 @@ - no_reboot_needed - restrict_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80666-1 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-08-020220 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + when: + - accounts_password_pam_unix_remember | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Do not allow users to reuse recent passwords - system-auth (change) + replace: + dest: /etc/pam.d/system-auth + regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ + replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> + when: + - accounts_password_pam_unix_remember | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-80666-1 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-08-020220 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: Do not allow users to reuse recent passwords - system-auth (add) + replace: + dest: /etc/pam.d/system-auth + regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ + replace: \g<0> remember={{ var_password_pam_unix_remember }} + when: + - accounts_password_pam_unix_remember | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-80666-1 + - CJIS-5.6.2.1.1 + - 
DISA-STIG-RHEL-08-020220 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - name: Gather the package facts package_facts: manager: auto 
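Review bot: The two `Do not allow users to reuse recent passwords` tasks edit only `/etc/pam.d/system-auth`, whereas the retry tasks earlier in this diff loop over both system-auth and password-auth; if the remember setting is also expected in password-auth, the same `dest: '{{ item }}'` plus a `loop` over the two files would keep the stacks consistent, otherwise a comment on `dest` noting that password-auth is intentionally excluded would save the next reader the question. The regexps also match only `password sufficient pam_unix.so`, so a stack with a different control value is silently left unchanged; the task names do not signal that.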
@@ -2999,91 +3221,114 @@ package_facts: manager: auto tags: - - CCE-80892-3 - - CJIS-5.6.2.2 - - DISA-STIG-RHEL-08-010110 - - NIST-800-171-3.13.11 + - CCE-80670-3 + - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.1 + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - set_password_hashing_algorithm_logindefs when: + - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - set_password_hashing_algorithm_logindefs | bool -- name: Set Password Hashing Algorithm in /etc/login.defs - lineinfile: - dest: /etc/login.defs - regexp: ^#?ENCRYPT_METHOD - line: ENCRYPT_METHOD {{ var_password_hashing_algorithm }} - state: present - create: true +- name: Add auth pam_faillock preauth unlock_time before pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: required + new_module_path: pam_faillock.so + module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} + state: before + loop: + - system-auth + - password-auth when: + - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - set_password_hashing_algorithm_logindefs | bool - - '"shadow-utils" in ansible_facts.packages' + - '"pam" in ansible_facts.packages' tags: - - CCE-80892-3 - - CJIS-5.6.2.2 - - DISA-STIG-RHEL-08-010110 - - NIST-800-171-3.13.11 + - CCE-80670-3 + - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(c) - - 
NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.1 + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - set_password_hashing_algorithm_logindefs -- name: Gather the package facts - package_facts: - manager: auto +- name: Add unlock_time argument to pam_faillock preauth + pamd: + name: '{{ item }}' + type: auth + control: required + module_path: pam_faillock.so + module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} + state: args_present + loop: + - system-auth + - password-auth + when: + - accounts_passwords_pam_faillock_unlock_time | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-80663-8 - - DISA-STIG-RHEL-08-020280 + - CCE-80670-3 + - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_ocredit + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - when: - - accounts_password_pam_ocredit | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Ensure PAM variable ocredit is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*ocredit - line: ocredit = {{ var_password_pam_ocredit }} +- name: Add auth pam_faillock authfail unlock_interval after pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: authfail unlock_time={{ 
var_accounts_passwords_pam_faillock_unlock_time }} + state: after + loop: + - system-auth + - password-auth when: - - accounts_password_pam_ocredit | bool + - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
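Review bot: The task name `Add auth pam_faillock authfail unlock_interval after pam_unix.so` does not match what it inserts, which is `unlock_time=` in `module_arguments`; rename it to `- name: Add auth pam_faillock authfail unlock_time after pam_unix.so` so the name agrees with the sibling preauth task and the args_present tasks that follow. Note that arguments placed on the pam_faillock.so lines take precedence over the same keys in /etc/security/faillock.conf, so if another rule in this role manages that file the two sources should be documented as deliberately overlapping. This task's `when` list continues past the end of the hunk.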
@@ -3091,51 +3336,69 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80663-8 - - DISA-STIG-RHEL-08-020280 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_ocredit + - CCE-80670-3 + - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto +- name: Add unlock_time argument to auth pam_faillock authfail + pamd: + name: '{{ item }}' + type: auth + control: '[default=die]' + module_path: pam_faillock.so + module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} + state: args_present + loop: + - system-auth + - password-auth + when: + - accounts_passwords_pam_faillock_unlock_time | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-81034-1 - - DISA-STIG-RHEL-08-020140 + - CCE-80670-3 + - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_maxclassrepeat + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - when: - - accounts_password_pam_maxclassrepeat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Ensure PAM variable maxclassrepeat is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*maxclassrepeat 
- line: maxclassrepeat = {{ var_password_pam_maxclassrepeat }} +- name: Add account pam_faillock before pam_unix.so + pamd: + name: '{{ item }}' + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: required + new_module_path: pam_faillock.so + state: before + loop: + - system-auth + - password-auth when: - - accounts_password_pam_maxclassrepeat | bool + - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -3143,13 +3406,14 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-81034-1 - - DISA-STIG-RHEL-08-020140 + - CCE-80670-3 + - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_maxclassrepeat + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity 
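Review bot: The `Add account pam_faillock before pam_unix.so` task is reproduced verbatim here under the unlock_time rule and again under the deny_root rule in the `@@ -3302` hunk, so on a profile enabling both rules the same `pamd` insertion runs twice per file. The pamd module's `before` state is documented to skip insertion when the rule already exists, so this should be idempotent, but it is worth a second-run check that no duplicate `account required pam_faillock.so` line appears; a single shared task gated on either variable would remove the risk entirely. The task's `when` list continues past the end of the first hunk on this line.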
@@ -3160,35 +3424,41 @@ package_facts: manager: auto tags: - - CCE-80653-9 - - DISA-STIG-RHEL-08-020130 + - CCE-80668-7 + - DISA-STIG-RHEL-08-020022 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_dcredit + - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - accounts_password_pam_dcredit | bool + - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool -- name: Ensure PAM variable dcredit is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*dcredit - line: dcredit = {{ var_password_pam_dcredit }} +- name: Add auth pam_faillock preauth even_deny_root before pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: required + new_module_path: pam_faillock.so + module_arguments: preauth silent even_deny_root + state: before + loop: + - system-auth + - password-auth when: - - accounts_password_pam_dcredit | bool + - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
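Review bot: The new preauth task adds `even_deny_root` without a `root_unlock_time`, so root lockout follows the general unlock_time configured elsewhere in this role; if that value is 0 (never), a burst of failed root logins locks the account until an administrator runs `faillock --user root --reset` from a console. That is the intended STIG behaviour, but it is an availability risk worth a comment on `module_arguments`, and if a separate root unlock window is wanted it belongs in the same argument string. The same argument is set by the args_present and authfail tasks in the `@@ -3196`, `@@ -3250` and `@@ -3302` hunks. This task's `when` list continues past the end of the hunk.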
@@ -3196,53 +3466,31 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80653-9 - - DISA-STIG-RHEL-08-020130 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_dcredit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80665-3 - - DISA-STIG-RHEL-08-020110 + - CCE-80668-7 + - DISA-STIG-RHEL-08-020022 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_ucredit + - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - when: - - accounts_password_pam_ucredit | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Ensure PAM variable ucredit is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*ucredit - line: ucredit = {{ var_password_pam_ucredit }} +- name: Add even_deny_root argument to auth pam_faillock preauth + pamd: + name: '{{ item }}' + type: auth + control: required + module_path: pam_faillock.so + module_arguments: preauth silent even_deny_root + state: args_present + loop: + - system-auth + - password-auth when: - - accounts_password_pam_ucredit | bool + - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -3250,51 +3498,66 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-80665-3 - - DISA-STIG-RHEL-08-020110 + - CCE-80668-7 + - DISA-STIG-RHEL-08-020022 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_ucredit + - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto +- name: Add auth pam_faillock authfail even_deny_root after pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: authfail even_deny_root + state: after + loop: + - system-auth + - password-auth + when: + - accounts_passwords_pam_faillock_deny_root | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-82066-2 - - DISA-STIG-RHEL-08-020150 + - CCE-80668-7 + - DISA-STIG-RHEL-08-020022 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - accounts_password_pam_maxrepeat + - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - when: - - accounts_password_pam_maxrepeat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Ensure PAM variable maxrepeat is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*maxrepeat - line: maxrepeat = {{ var_password_pam_maxrepeat }} +- name: Add even_deny_root argument to auth pam_faillock authfail + pamd: + name: '{{ item }}' + type: 
auth + control: '[default=die]' + module_path: pam_faillock.so + module_arguments: authfail even_deny_root + state: args_present + loop: + - system-auth + - password-auth when: - - accounts_password_pam_maxrepeat | bool + - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -3302,50 +3565,33 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-82066-2 - - DISA-STIG-RHEL-08-020150 + - CCE-80668-7 + - DISA-STIG-RHEL-08-020022 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - accounts_password_pam_maxrepeat + - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-82046-4 - - DISA-STIG-RHEL-08-020160 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_minclass - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - accounts_password_pam_minclass | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Ensure PAM variable minclass is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*minclass - line: minclass = {{ var_password_pam_minclass }} +- name: Add account pam_faillock before pam_unix.so + pamd: + name: '{{ item }}' + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: required + new_module_path: pam_faillock.so + state: before + loop: + - system-auth + - password-auth when: - - accounts_password_pam_minclass | bool + - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -3353,13 +3599,12 @@ - restrict_strategy | bool - '"pam" in ansible_facts.packages' tags: - - CCE-82046-4 - - DISA-STIG-RHEL-08-020160 + - CCE-80668-7 + - DISA-STIG-RHEL-08-020022 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - - accounts_password_pam_minclass + - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity 
@@ -3370,346 +3615,210 @@ package_facts: manager: auto tags: - - CCE-80656-2 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-08-020230 + - CCE-80892-3 + - CJIS-5.6.2.2 + - DISA-STIG-RHEL-08-010110 + - NIST-800-171-3.13.11 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_minlen + - PCI-DSS-Req-8.2.1 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + - set_password_hashing_algorithm_logindefs when: - - accounts_password_pam_minlen | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - set_password_hashing_algorithm_logindefs | bool -- name: Ensure PAM variable minlen is set accordingly +- name: Set Password Hashing Algorithm in /etc/login.defs lineinfile: + dest: /etc/login.defs + regexp: ^#?ENCRYPT_METHOD + line: ENCRYPT_METHOD {{ var_password_hashing_algorithm }} + state: present create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*minlen - line: minlen = {{ var_password_pam_minlen }} when: - - accounts_password_pam_minlen | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - set_password_hashing_algorithm_logindefs | bool + - '"shadow-utils" in ansible_facts.packages' tags: - - CCE-80656-2 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-08-020230 + - CCE-80892-3 + - CJIS-5.6.2.2 + - DISA-STIG-RHEL-08-010110 + - NIST-800-171-3.13.11 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_minlen + - PCI-DSS-Req-8.2.1 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + - set_password_hashing_algorithm_logindefs -- name: Gather the package facts - package_facts: - 
manager: auto - tags: - - CCE-80664-6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-08-020100 - - NIST-800-53-AC-7(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(4) - - accounts_password_pam_retry - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - when: - - accounts_password_pam_retry | bool - - configure_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - -- name: Set Password Retry Prompts Permitted Per-Session - system-auth (change) - replace: - dest: '{{ item }}' - regexp: (^.*\spam_pwquality.so\s.*retry\s*=\s*)(\S+)(.*$) - replace: \g<1>{{ var_password_pam_retry }}\g<3> - loop: - - /etc/pam.d/system-auth - - /etc/pam.d/password-auth +- name: Disable service debug-shell + block: + - name: Gather the service facts + service_facts: null + - name: Disable service debug-shell + systemd: + name: debug-shell.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"debug-shell.service" in ansible_facts.services' when: - - accounts_password_pam_retry | bool - - configure_strategy | bool + - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"pam" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80664-6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-08-020100 - - NIST-800-53-AC-7(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(4) - - accounts_password_pam_retry - - configure_strategy + - CCE-80876-6 + - DISA-STIG-RHEL-08-040180 + - NIST-800-171-3.4.5 + - disable_strategy - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed + - service_debug-shell_disabled -- name: Set Password Retry Prompts Permitted Per-Session - system-auth (add) - replace: - dest: '{{ item }}' - regexp: ^.*\spam_pwquality.so\s(?!.*retry\s*=\s*).*$ - 
replace: \g<0> retry={{ var_password_pam_retry }} - loop: - - /etc/pam.d/system-auth - - /etc/pam.d/password-auth +- name: Unit Socket Exists - debug-shell.socket + command: systemctl list-unit-files debug-shell.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false when: - - accounts_password_pam_retry | bool - - configure_strategy | bool + - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - '"pam" in ansible_facts.packages' - tags: - - CCE-80664-6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-08-020100 - - NIST-800-53-AC-7(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(4) - - accounts_password_pam_retry - - configure_strategy - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - -- name: Gather the package facts - package_facts: - manager: auto + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80654-7 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-08-020170 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(b) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_difok + - CCE-80876-6 + - DISA-STIG-RHEL-08-040180 + - NIST-800-171-3.4.5 + - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - service_debug-shell_disabled + +- name: Disable socket debug-shell + systemd: + name: debug-shell.socket + enabled: 'no' + state: stopped + masked: 'yes' when: - - accounts_password_pam_difok | bool + - disable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"debug-shell.socket" in socket_file_exists.stdout_lines[1]' + tags: + - CCE-80876-6 + - DISA-STIG-RHEL-08-040180 + - 
NIST-800-171-3.4.5 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_debug-shell_disabled -- name: Ensure PAM variable difok is set accordingly +- name: require single user mode password lineinfile: create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*difok - line: difok = {{ var_password_pam_difok }} + dest: /usr/lib/systemd/system/rescue.service + regexp: ^#?ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue when: - - accounts_password_pam_difok | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - require_singleuser_auth | bool - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80654-7 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-08-020170 + - CCE-80855-0 + - DISA-STIG-RHEL-08-010151 + - NIST-800-171-3.1.1 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-3 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(b) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - accounts_password_pam_difok - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80655-4 - - DISA-STIG-RHEL-08-020120 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_lcredit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - accounts_password_pam_lcredit | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Ensure PAM variable lcredit is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*lcredit - line: lcredit = {{ 
var_password_pam_lcredit }} - when: - - accounts_password_pam_lcredit | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"pam" in ansible_facts.packages' - tags: - - CCE-80655-4 - - DISA-STIG-RHEL-08-020120 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_lcredit + - NIST-800-53-IA-2 - low_complexity - low_disruption - medium_severity - no_reboot_needed + - require_singleuser_auth - restrict_strategy -- name: Disable service debug-shell - block: - - name: Gather the service facts - service_facts: null - - name: Disable service debug-shell - systemd: - name: debug-shell.service - enabled: 'no' - state: stopped - masked: 'yes' - when: '"debug-shell.service" in ansible_facts.services' - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80876-6 - - DISA-STIG-RHEL-08-040180 - - NIST-800-171-3.4.5 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_debug-shell_disabled - -- name: Unit Socket Exists - debug-shell.socket - command: systemctl list-unit-files debug-shell.socket - args: - warn: false - register: socket_file_exists - changed_when: false - ignore_errors: true - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80876-6 - - DISA-STIG-RHEL-08-040180 - - NIST-800-171-3.4.5 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_debug-shell_disabled - -- 
name: Disable socket debug-shell +- name: Disable Ctrl-Alt-Del Reboot Activation systemd: - name: debug-shell.socket - enabled: 'no' + name: ctrl-alt-del.target + masked: true state: stopped - masked: 'yes' when: + - disable_ctrlaltdel_reboot | bool - disable_strategy | bool + - high_severity | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"debug-shell.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-80876-6 - - DISA-STIG-RHEL-08-040180 + - CCE-80785-9 + - DISA-STIG-RHEL-08-040170 - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - disable_ctrlaltdel_reboot - disable_strategy + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - - service_debug-shell_disabled -- name: require single user mode password +- name: require emergency mode password lineinfile: create: true - dest: /usr/lib/systemd/system/rescue.service + dest: /usr/lib/systemd/system/emergency.service regexp: ^#?ExecStart= - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - require_singleuser_auth | bool + - require_emergency_target_auth | bool - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80855-0 + - CCE-82186-8 - DISA-STIG-RHEL-08-010151 - NIST-800-171-3.1.1 - NIST-800-171-3.4.5 @@ -3720,7 +3829,7 @@ - low_disruption - medium_severity - no_reboot_needed - - require_singleuser_auth + - require_emergency_target_auth - restrict_strategy - name: Gather the package facts 
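Review bot: The `Disable socket debug-shell` condition indexes `socket_file_exists.stdout_lines[1]`, which raises an undefined-index error when the registered command prints fewer than two lines (for example `0 unit files listed.` on a host without the socket), and `ignore_errors: true` on the earlier task does not cover a failure inside this `when`; `- '"debug-shell.socket" in socket_file_exists.stdout'` is the safe form. The `require single user mode password` and `require emergency mode password` tasks edit the packaged units under /usr/lib/systemd/system, which an update of the systemd rpm will overwrite, and `create: true` would produce a unit containing only `ExecStart=` if the file were missing; a drop-in under /etc/systemd/system/<unit>.d/ would persist across updates. `args: warn: false` on the `command` task is not accepted by ansible-core 2.14 and later, so the supported-version range should be stated in the role metadata. The systemd tasks also use the quoted strings `'no'`/`'yes'` for `enabled` and `masked` where the sibling Ctrl-Alt-Del task uses `true`; `false`/`true` would be consistent.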
@@ -3776,61 +3885,6 @@ - low_disruption - no_reboot_needed -- name: require emergency mode password - lineinfile: - create: true - dest: /usr/lib/systemd/system/emergency.service - regexp: ^#?ExecStart= - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - require_emergency_target_auth | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82186-8 - - DISA-STIG-RHEL-08-010151 - - NIST-800-171-3.1.1 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-3 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-2 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - require_emergency_target_auth - - restrict_strategy - -- name: Disable Ctrl-Alt-Del Reboot Activation - systemd: - name: ctrl-alt-del.target - masked: true - state: stopped - when: - - disable_ctrlaltdel_reboot | bool - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80785-9 - - DISA-STIG-RHEL-08-040170 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - disable_ctrlaltdel_reboot - - disable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - name: Ensure opensc is installed package: name: opensc 
@@ -3971,36 +4025,36 @@ package_facts: manager: auto tags: - - CCE-80647-1 - - CJIS-5.6.2.1 - - DISA-STIG-RHEL-08-020200 + - CCE-80954-1 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-08-020260 - NIST-800-171-3.5.6 + - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(d) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.4 - - accounts_maximum_age_login_defs + - NIST-800-53-IA-4(e) + - PCI-DSS-Req-8.1.4 + - account_disable_post_pw_expiration - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - accounts_maximum_age_login_defs | bool + - account_disable_post_pw_expiration | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool -- name: Set Password Maximum Age +- name: Set Account Expiration Following Inactivity lineinfile: create: true - dest: /etc/login.defs - regexp: ^#?PASS_MAX_DAYS - line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} + dest: /etc/default/useradd + regexp: ^INACTIVE + line: INACTIVE={{ var_account_disable_post_pw_expiration }} when: - - accounts_maximum_age_login_defs | bool + - account_disable_post_pw_expiration | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -4008,15 +4062,15 @@ - restrict_strategy | bool - '"shadow-utils" in ansible_facts.packages' tags: - - CCE-80647-1 - - CJIS-5.6.2.1 - - DISA-STIG-RHEL-08-020200 + - CCE-80954-1 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-08-020260 - NIST-800-171-3.5.6 + - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(d) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.4 - - accounts_maximum_age_login_defs + - NIST-800-53-IA-4(e) + - PCI-DSS-Req-8.1.4 + - account_disable_post_pw_expiration - low_complexity - low_disruption - medium_severity 
@@ -4136,36 +4190,36 @@ package_facts: manager: auto tags: - - CCE-80954-1 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-08-020260 + - CCE-80647-1 + - CJIS-5.6.2.1 + - DISA-STIG-RHEL-08-020200 - NIST-800-171-3.5.6 - - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-4(e) - - PCI-DSS-Req-8.1.4 - - account_disable_post_pw_expiration + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.4 + - accounts_maximum_age_login_defs - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - account_disable_post_pw_expiration | bool + - accounts_maximum_age_login_defs | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool -- name: Set Account Expiration Following Inactivity +- name: Set Password Maximum Age lineinfile: create: true - dest: /etc/default/useradd - regexp: ^INACTIVE - line: INACTIVE={{ var_account_disable_post_pw_expiration }} + dest: /etc/login.defs + regexp: ^#?PASS_MAX_DAYS + line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} when: - - account_disable_post_pw_expiration | bool + - accounts_maximum_age_login_defs | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -4173,51 +4227,107 @@ - restrict_strategy | bool - '"shadow-utils" in ansible_facts.packages' tags: - - CCE-80954-1 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-08-020260 + - CCE-80647-1 + - CJIS-5.6.2.1 + - DISA-STIG-RHEL-08-020200 - NIST-800-171-3.5.6 - - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-4(e) - - PCI-DSS-Req-8.1.4 - - account_disable_post_pw_expiration + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.4 + - accounts_maximum_age_login_defs - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy +- name: Prevent Log In to Accounts With Empty Password - system-auth + replace: + dest: /etc/pam.d/system-auth + regexp: nullok + tags: + - CCE-80841-0 + - CJIS-5.5.2 + - DISA-STIG-RHEL-08-020330 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - configure_strategy + - high_severity + - low_complexity + - medium_disruption + - no_empty_passwords + - no_reboot_needed + when: + - configure_strategy | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_empty_passwords | bool + - no_reboot_needed | bool + +- name: Prevent Log In to Accounts With Empty Password - password-auth + replace: + dest: /etc/pam.d/password-auth + regexp: nullok + tags: + - CCE-80841-0 + - CJIS-5.5.2 + - DISA-STIG-RHEL-08-020330 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - configure_strategy + - high_severity + - low_complexity + - medium_disruption + - no_empty_passwords + - no_reboot_needed + when: + - configure_strategy | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_empty_passwords | bool + - no_reboot_needed | bool + - name: Gather the package facts package_facts: manager: auto tags: - - CCE-83403-6 + - CCE-83386-3 - DISA-STIG-RHEL-08-010130 
- - accounts_password_pam_unix_rounds_password_auth + - accounts_password_pam_unix_rounds_system_auth - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed when: - - accounts_password_pam_unix_rounds_password_auth | bool + - accounts_password_pam_unix_rounds_system_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool -- name: Configure number of password-auth password hashing rounds in pam_unix.so +- name: Configure number of system-auth password hashing rounds in pam_unix.so pamd: - name: password-auth + name: system-auth type: password control: sufficient module_path: pam_unix.so module_arguments: rounds={{ var_password_pam_unix_rounds }} state: args_present when: - - accounts_password_pam_unix_rounds_password_auth | bool + - accounts_password_pam_unix_rounds_system_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -4225,9 +4335,9 @@ - no_reboot_needed | bool - '"pam" in ansible_facts.packages' tags: - - CCE-83403-6 + - CCE-83386-3 - DISA-STIG-RHEL-08-010130 - - accounts_password_pam_unix_rounds_password_auth + - accounts_password_pam_unix_rounds_system_auth - configure_strategy - low_complexity - medium_disruption 
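Review bot: The two new `Prevent Log In to Accounts With Empty Password` tasks use `regexp: nullok` with no `replace:` value, so every occurrence of the substring is deleted wherever it appears in the file, comments included, and doubled spaces are left behind; `regexp: '\s+nullok\b'` removes only the module argument. Unlike the `pam_unix.so` tasks that follow, they carry no `'"pam" in ansible_facts.packages'` guard, and `replace` fails rather than skips when `dest` is absent, so adding the sibling guard keeps the behaviour consistent. On RHEL 8 hosts where authselect manages `/etc/pam.d/system-auth`, a direct edit can be overwritten by the next profile apply; worth confirming against the target hosts.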
@@ -4238,32 +4348,32 @@ package_facts: manager: auto tags: - - CCE-83386-3 + - CCE-83403-6 - DISA-STIG-RHEL-08-010130 - - accounts_password_pam_unix_rounds_system_auth + - accounts_password_pam_unix_rounds_password_auth - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed when: - - accounts_password_pam_unix_rounds_system_auth | bool + - accounts_password_pam_unix_rounds_password_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool -- name: Configure number of system-auth password hashing rounds in pam_unix.so +- name: Configure number of password-auth password hashing rounds in pam_unix.so pamd: - name: system-auth + name: password-auth type: password control: sufficient module_path: pam_unix.so module_arguments: rounds={{ var_password_pam_unix_rounds }} state: args_present when: - - accounts_password_pam_unix_rounds_system_auth | bool + - accounts_password_pam_unix_rounds_password_auth | bool - configure_strategy | bool - low_complexity | bool - medium_disruption | bool 
@@ -4271,70 +4381,62 @@ - no_reboot_needed | bool - '"pam" in ansible_facts.packages' tags: - - CCE-83386-3 + - CCE-83403-6 - DISA-STIG-RHEL-08-010130 - - accounts_password_pam_unix_rounds_system_auth + - accounts_password_pam_unix_rounds_password_auth - configure_strategy - low_complexity - medium_disruption - medium_severity - no_reboot_needed -- name: Prevent Log In to Accounts With Empty Password - system-auth - replace: - dest: /etc/pam.d/system-auth - regexp: nullok +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-80841-0 - - CJIS-5.5.2 - - DISA-STIG-RHEL-08-020330 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 + - CCE-84037-1 + - DISA-STIG-RHEL-08-020310 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - configure_strategy - - high_severity + - accounts_logon_fail_delay - low_complexity - - medium_disruption - - no_empty_passwords - - no_reboot_needed + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy when: - - configure_strategy | bool - - high_severity | bool + - accounts_logon_fail_delay | bool - low_complexity | bool - - medium_disruption | bool - - no_empty_passwords | bool - - no_reboot_needed | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool -- name: Prevent Log In to Accounts With Empty Password - password-auth - replace: - dest: /etc/pam.d/password-auth - regexp: nullok +- name: Set accounts logon fail delay + lineinfile: + dest: /etc/login.defs + regexp: ^FAIL_DELAY + line: FAIL_DELAY {{ var_accounts_fail_delay }} + create: true + when: + - accounts_logon_fail_delay | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"shadow-utils" in ansible_facts.packages' tags: - - CCE-80841-0 - - CJIS-5.5.2 - - DISA-STIG-RHEL-08-020330 - - NIST-800-171-3.1.1 - - 
NIST-800-171-3.1.5 + - CCE-84037-1 + - DISA-STIG-RHEL-08-020310 + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - configure_strategy - - high_severity + - accounts_logon_fail_delay - low_complexity - - medium_disruption - - no_empty_passwords - - no_reboot_needed - when: - - configure_strategy | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_empty_passwords | bool - - no_reboot_needed | bool + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy - name: Gather the package facts package_facts: @@ -4399,54 +4501,6 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-84037-1 - - DISA-STIG-RHEL-08-020310 - - NIST-800-53-AC-7(b) - - NIST-800-53-CM-6(a) - - accounts_logon_fail_delay - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - when: - - accounts_logon_fail_delay | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - -- name: Set accounts logon fail delay - lineinfile: - dest: /etc/login.defs - regexp: ^FAIL_DELAY - line: FAIL_DELAY {{ var_accounts_fail_delay }} - create: true - when: - - accounts_logon_fail_delay | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"shadow-utils" in ansible_facts.packages' - tags: - - CCE-84037-1 - - DISA-STIG-RHEL-08-020310 - - NIST-800-53-AC-7(b) - - NIST-800-53-CM-6(a) - - accounts_logon_fail_delay - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - - name: Gather the package facts package_facts: manager: auto 
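Review bot: In `Set accounts logon fail delay`, `regexp: ^FAIL_DELAY` does not match a commented-out `#FAIL_DELAY` stub the way the sibling `Set Password Maximum Age` task's `^#?PASS_MAX_DAYS` does, so such a stub stays in place and the managed line is appended at end of file. `regexp: ^#?FAIL_DELAY` keeps the two login.defs tasks consistent and lets the stub be replaced in place.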
@@ -4555,13 +4609,37 @@ - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto +- name: Set user umask in /etc/bashrc + replace: + path: /etc/bashrc + regexp: umask.* + replace: umask {{ var_accounts_user_umask }} tags: - - CCE-82888-9 - - DISA-STIG-RHEL-08-020351 - - NIST-800-53-AC-6(1) + - CCE-81036-6 + - DISA-STIG-RHEL-08-020353 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - accounts_umask_etc_bashrc + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - accounts_umask_etc_bashrc | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82888-9 + - DISA-STIG-RHEL-08-020351 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - accounts_umask_etc_login_defs - low_complexity @@ -4603,30 +4681,6 @@ - no_reboot_needed - restrict_strategy -- name: Set user umask in /etc/bashrc - replace: - path: /etc/bashrc - regexp: umask.* - replace: umask {{ var_accounts_user_umask }} - tags: - - CCE-81036-6 - - DISA-STIG-RHEL-08-020353 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - accounts_umask_etc_bashrc - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - accounts_umask_etc_bashrc | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - name: Ensure audit is installed package: name: audit 
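Review bot: `regexp: umask.*` in `Set user umask in /etc/bashrc` is unanchored, so it rewrites every line containing the substring `umask`, including comment lines that mention it and both branches of the uid-based `umask 002`/`umask 022` conditional in a stock RHEL /etc/bashrc, replacing everything to end of line with the new value. Anchoring to the statement keeps the comments intact and preserves indentation: `regexp: '^(\s*)umask\s+\S+'` and `replace: '\1umask {{ var_accounts_user_umask }}'`. Both branches still end up at the configured value, which is the intent of the control.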
@@ -4704,17 +4758,24 @@ package_facts: manager: auto tags: - - CCE-80943-4 - - DISA-STIG-RHEL-08-030602 + - CCE-80825-3 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-08-030601 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - grub2_audit_backlog_limit_argument + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument - low_disruption - medium_complexity - medium_severity - reboot_required - restrict_strategy when: - - grub2_audit_backlog_limit_argument | bool + - grub2_audit_argument | bool - low_disruption | bool - medium_complexity | bool - medium_severity | bool @@ -4726,7 +4787,7 @@ register: kernelopts changed_when: false when: - - grub2_audit_backlog_limit_argument | bool + - grub2_audit_argument | bool - low_disruption | bool - medium_complexity | bool - medium_severity | bool @@ -4735,10 +4796,17 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"grub2-common" in ansible_facts.packages' tags: - - CCE-80943-4 - - DISA-STIG-RHEL-08-030602 + - CCE-80825-3 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-08-030601 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - grub2_audit_backlog_limit_argument + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument - low_disruption - medium_complexity - medium_severity @@ -4746,10 +4814,10 @@ - restrict_strategy - name: Update the bootloader menu - command: /usr/bin/grub2-editenv - set "{{ item }} audit_backlog_limit=8192" + command: /usr/bin/grub2-editenv - set "{{ item }} audit=1" with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' when: - - grub2_audit_backlog_limit_argument | bool + - grub2_audit_argument | bool - low_disruption | bool - medium_complexity | bool - medium_severity | bool 
@@ -4759,12 +4827,19 @@ - '"grub2-common" in ansible_facts.packages' - kernelopts.stdout_lines is defined - kernelopts.stdout_lines | length > 0 - - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$', multiline=True) is none + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit=1(?:\s.*)?$', multiline=True) is none tags: - - CCE-80943-4 - - DISA-STIG-RHEL-08-030602 + - CCE-80825-3 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-08-030601 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - grub2_audit_backlog_limit_argument + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument - low_disruption - medium_complexity - medium_severity @@ -4775,24 +4850,17 @@ package_facts: manager: auto tags: - - CCE-80825-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030601 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) + - CCE-80943-4 + - DISA-STIG-RHEL-08-030602 - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument + - grub2_audit_backlog_limit_argument - low_disruption - medium_complexity - medium_severity - reboot_required - restrict_strategy when: - - grub2_audit_argument | bool + - grub2_audit_backlog_limit_argument | bool - low_disruption | bool - medium_complexity | bool - medium_severity | bool @@ -4804,7 +4872,7 @@ register: kernelopts changed_when: false when: - - grub2_audit_argument | bool + - grub2_audit_backlog_limit_argument | bool - low_disruption | bool - medium_complexity | bool - medium_severity | bool 
@@ -4813,17 +4881,10 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '"grub2-common" in ansible_facts.packages' tags: - - CCE-80825-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030601 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) + - CCE-80943-4 + - DISA-STIG-RHEL-08-030602 - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument + - grub2_audit_backlog_limit_argument - low_disruption - medium_complexity - medium_severity @@ -4831,10 +4892,10 @@ - restrict_strategy - name: Update the bootloader menu - command: /usr/bin/grub2-editenv - set "{{ item }} audit=1" + command: /usr/bin/grub2-editenv - set "{{ item }} audit_backlog_limit=8192" with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' when: - - grub2_audit_argument | bool + - grub2_audit_backlog_limit_argument | bool - low_disruption | bool - medium_complexity | bool - medium_severity | bool 
@@ -4844,34 +4905,22 @@ - '"grub2-common" in ansible_facts.packages' - kernelopts.stdout_lines is defined - kernelopts.stdout_lines | length > 0 - - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit=1(?:\s.*)?$', multiline=True) is none + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$', multiline=True) is none tags: - - CCE-80825-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030601 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) + - CCE-80943-4 + - DISA-STIG-RHEL-08-030602 - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument + - grub2_audit_backlog_limit_argument - low_disruption - medium_complexity - medium_severity - reboot_required - restrict_strategy -- name: Configure auditd Disk Full Action when Disk Space Is Full - lineinfile: - dest: /etc/audit/auditd.conf - line: disk_full_action = {{ var_auditd_disk_full_action }} - regexp: ^\s*disk_full_action\s*=\s*.*$ - state: present - create: true +- name: Service facts + service_facts: null when: - - auditd_data_disk_full_action | bool + - audit_rules_suid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -4879,47 +4928,26 @@ - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-84045-4 - - DISA-STIG-RHEL-08-030060 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - auditd_data_disk_full_action + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Set hostname as computer node name in audit logs - block: - - name: Check for duplicate values - lineinfile: - path: /etc/audit/auditd.conf - create: false - regexp: (?i)^\s*name_format\s*=\s* - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/audit/auditd.conf - lineinfile: - path: /etc/audit/auditd.conf - create: false - regexp: (?i)^\s*name_format\s*=\s* - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/audit/auditd.conf - lineinfile: - path: /etc/audit/auditd.conf - create: true - regexp: (?i)^\s*name_format\s*=\s* - line: name_format = hostname - state: present +- name: Check the rules script being used + command: grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service + register: check_rules_scripts_result when: - - auditd_name_format | bool + - audit_rules_suid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -4927,24 +4955,30 @@ - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82897-0 - - DISA-STIG-RHEL-08-030062 - - auditd_name_format + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size - lineinfile: - dest: /etc/audit/auditd.conf - line: max_log_file_action = {{ var_auditd_max_log_file_action }} - regexp: ^\s*max_log_file_action\s*=\s*.*$ - state: present - create: true +- name: Set suid_audit_rules fact + set_fact: + suid_audit_rules: + - -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid + - -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid + - -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid + - -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid when: - - auditd_data_retention_max_log_file_action | bool + - audit_rules_suid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
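Review bot: `Check the rules script being used` registers `check_rules_scripts_result` but sets neither `changed_when: false` nor `check_mode: false`, so the grep reports a change on every run and is skipped in check mode, leaving `check_rules_scripts_result.stdout` undefined for the `'"augenrules" in …'` and `'"auditctl" in …'` conditions in the following hunks. A grep with no match also exits 1 and fails the play outright. The removed `Unit Socket Exists` task earlier in this file shows the pattern; here `changed_when: false`, `check_mode: false` and `failed_when: check_rules_scripts_result.rc > 1` would cover all three.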
@@ -4952,104 +4986,126 @@ - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80682-8 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030050 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_max_log_file_action + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Include Local Events in Audit Logs - block: - - name: Check for duplicate values - lineinfile: - path: /etc/audit/auditd.conf - create: false - regexp: (?i)^\s*local_events\s*=\s* - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/audit/auditd.conf - lineinfile: - path: /etc/audit/auditd.conf - create: false - regexp: (?i)^\s*local_events\s*=\s* - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/audit/auditd.conf - lineinfile: - path: /etc/audit/auditd.conf - create: true - regexp: (?i)^\s*local_events\s*=\s* - line: local_events = yes - state: present +- name: Update /etc/audit/rules.d/privileged.rules to audit privileged functions + lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: '{{ item }}' + create: true when: - - auditd_local_events | bool + - audit_rules_suid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"auditd.service" in ansible_facts.services' + - '"augenrules" in check_rules_scripts_result.stdout' + register: 
augenrules_audit_rules_privilege_function_update_result + with_items: '{{ suid_audit_rules }}' tags: - - CCE-82233-8 - - DISA-STIG-RHEL-08-030061 - - auditd_local_events + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Configure auditd Disk Error Action on Disk Error +- name: Update Update /etc/audit/audit.rules to audit privileged functions lineinfile: - dest: /etc/audit/auditd.conf - line: disk_error_action = {{ var_auditd_disk_error_action }} - regexp: ^\s*disk_error_action\s*=\s*.*$ - state: present + path: /etc/audit/audit.rules + line: '{{ item }}' create: true when: - - auditd_data_disk_error_action | bool + - audit_rules_suid_privilege_function | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"auditd.service" in ansible_facts.services' + - '"auditctl" in check_rules_scripts_result.stdout' + register: auditctl_audit_rules_privilege_function_update_result + with_items: '{{ suid_audit_rules }}' tags: - - CCE-84046-2 - - DISA-STIG-RHEL-08-030040 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - auditd_data_disk_error_action + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Configure auditd space_left Action on Low Disk Space +- name: Reload Auditd + command: 
/usr/sbin/service auditd reload + args: + warn: false + when: + - audit_rules_suid_privilege_function | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed) + - ansible_facts.services["auditd.service"].state == "running" + tags: + - CCE-83556-1 + - DISA-STIG-RHEL-08-030000 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(3) + - NIST-800-53-AU-7(a) + - NIST-800-53-AU-7(b) + - NIST-800-53-AU-8(b) + - NIST-800-53-CM-5(1) + - audit_rules_suid_privilege_function + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Configure auditd Disk Error Action on Disk Error lineinfile: dest: /etc/audit/auditd.conf - line: space_left_action = {{ var_auditd_space_left_action }} - regexp: ^\s*space_left_action\s*=\s*.*$ + line: disk_error_action = {{ var_auditd_disk_error_action }} + regexp: ^\s*disk_error_action\s*=\s*.*$ state: present create: true when: - - auditd_data_retention_space_left_action | bool + - auditd_data_disk_error_action | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
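Review bot: The task name `Update Update /etc/audit/audit.rules to audit privileged functions` doubles a word; `Update /etc/audit/audit.rules to audit privileged functions` matches its `rules.d/privileged.rules` sibling. `Reload Auditd` passes `args: warn: false`, an option the `command` module dropped in ansible-core 2.14, so the task errors on current Ansible and those two lines should go. Whether `service auditd reload` loads rules.d changes rather than only re-reading auditd.conf is worth confirming; `augenrules --load` is the documented way to apply new rules if it does not.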
@@ -5057,30 +5113,27 @@ - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80684-4 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030730 - - NIST-800-171-3.3.1 + - CCE-84046-2 + - DISA-STIG-RHEL-08-030040 - NIST-800-53-AU-5(1) - NIST-800-53-AU-5(2) - NIST-800-53-AU-5(4) - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_space_left_action + - auditd_data_disk_error_action - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Resolve information before writing to audit logs +- name: Include Local Events in Audit Logs block: - name: Check for duplicate values lineinfile: path: /etc/audit/auditd.conf create: false - regexp: (?i)^\s*log_format\s*=\s* + regexp: (?i)^\s*local_events\s*=\s* state: absent check_mode: true changed_when: false @@ -5089,18 +5142,18 @@ lineinfile: path: /etc/audit/auditd.conf create: false - regexp: (?i)^\s*log_format\s*=\s* + regexp: (?i)^\s*local_events\s*=\s* state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/audit/auditd.conf lineinfile: path: /etc/audit/auditd.conf create: true - regexp: (?i)^\s*log_format\s*=\s* - line: log_format = ENRICHED + regexp: (?i)^\s*local_events\s*=\s* + line: local_events = yes state: present when: - - auditd_log_format | bool + - auditd_local_events | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -5108,23 +5161,24 @@ - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82201-5 - - DISA-STIG-RHEL-08-030063 - - auditd_log_format + - CCE-82233-8 + - DISA-STIG-RHEL-08-030061 + - auditd_local_events - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Configure auditd mail_acct Action on Low Disk Space +- name: Configure auditd space_left Action on Low Disk Space lineinfile: dest: /etc/audit/auditd.conf - line: action_mail_acct = {{ var_auditd_action_mail_acct }} + line: space_left_action = {{ var_auditd_space_left_action }} + regexp: ^\s*space_left_action\s*=\s*.*$ state: present create: true when: - - auditd_data_retention_action_mail_acct | bool + - auditd_data_retention_space_left_action | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -5132,191 +5186,206 @@ - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80678-6 + - CCE-80684-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030020 + - DISA-STIG-RHEL-08-030730 - NIST-800-171-3.3.1 + - NIST-800-53-AU-5(1) - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(a) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1) - - PCI-DSS-Req-10.7.a - - auditd_data_retention_action_mail_acct + - PCI-DSS-Req-10.7 + - auditd_data_retention_space_left_action - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Ensure rsyslog-gnutls is installed - package: - name: rsyslog-gnutls +- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size + lineinfile: + dest: /etc/audit/auditd.conf + line: max_log_file_action = {{ var_auditd_max_log_file_action }} + regexp: ^\s*max_log_file_action\s*=\s*.*$ state: present + create: true when: - - enable_strategy | bool + - auditd_data_retention_max_log_file_action | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool + - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82859-0 - - DISA-STIG-RHEL-08-030680 - - enable_strategy + - CCE-80682-8 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-08-030050 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - auditd_data_retention_max_log_file_action - low_complexity - low_disruption - medium_severity - no_reboot_needed - - package_rsyslog-gnutls_installed + - restrict_strategy -- name: Ensure rsyslog is installed - package: - name: rsyslog - state: present +- name: Set hostname as computer node name in audit logs + block: + - name: Check for duplicate values + lineinfile: + path: /etc/audit/auditd.conf + create: false + 
regexp: (?i)^\s*name_format\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + - name: Deduplicate values from /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*name_format\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + - name: Insert correct line to /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: true + regexp: (?i)^\s*name_format\s*=\s* + line: name_format = hostname + state: present when: - - enable_strategy | bool + - auditd_name_format | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - package_rsyslog_installed | bool + - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80847-7 - - DISA-STIG-RHEL-08-030670 - - NIST-800-53-CM-6(a) - - enable_strategy + - CCE-82897-0 + - DISA-STIG-RHEL-08-030062 + - auditd_name_format - low_complexity - low_disruption - medium_severity - no_reboot_needed - - package_rsyslog_installed + - restrict_strategy -- name: Enable service rsyslog +- name: Resolve information before writing to audit logs block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable service rsyslog - service: - name: rsyslog - enabled: 'yes' - state: started - masked: 'no' - when: - - '"rsyslog" in ansible_facts.packages' + - name: Check for duplicate values + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*log_format\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + - name: Deduplicate values from /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*log_format\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + - name: Insert correct line to /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: 
true + regexp: (?i)^\s*log_format\s*=\s* + line: log_format = ENRICHED + state: present when: - - enable_strategy | bool + - auditd_log_format | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - service_rsyslog_enabled | bool + - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80886-5 - - DISA-STIG-RHEL-08-010561 - - NIST-800-53-AU-4(1) - - NIST-800-53-CM-6(a) - - enable_strategy + - CCE-82201-5 + - DISA-STIG-RHEL-08-030063 + - auditd_log_format - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_rsyslog_enabled + - restrict_strategy -- name: Set rsyslog remote loghost +- name: Configure auditd Disk Full Action when Disk Space Is Full lineinfile: - dest: /etc/rsyslog.conf - regexp: ^\*\.\* - line: '*.* @@{{ rsyslog_remote_loghost_address }}' + dest: /etc/audit/auditd.conf + line: disk_full_action = {{ var_auditd_disk_full_action }} + regexp: ^\s*disk_full_action\s*=\s*.*$ + state: present create: true when: + - auditd_data_disk_full_action | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - rsyslog_remote_loghost | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80863-4 - - DISA-STIG-RHEL-08-030690 - - NIST-800-53-AU-4(1) - - NIST-800-53-AU-9(2) + - CCE-84045-4 + - DISA-STIG-RHEL-08-030060 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) + - auditd_data_disk_full_action - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - rsyslog_remote_loghost -- name: Ensure firewalld is installed - package: - name: firewalld +- name: Configure auditd mail_acct Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: action_mail_acct = {{ 
var_auditd_action_mail_acct }} state: present + create: true when: - - enable_strategy | bool + - auditd_data_retention_action_mail_acct | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - package_firewalld_installed | bool + - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82998-6 - - DISA-STIG-RHEL-08-040100 + - CCE-80678-6 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-08-030020 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(a) - NIST-800-53-CM-6(a) - - enable_strategy + - NIST-800-53-IA-5(1) + - PCI-DSS-Req-10.7.a + - auditd_data_retention_action_mail_acct - low_complexity - low_disruption - medium_severity - no_reboot_needed - - package_firewalld_installed + - restrict_strategy -- name: Enable service firewalld - block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable service firewalld - service: - name: firewalld - enabled: 'yes' - state: started - masked: 'no' - when: - - '"firewalld" in ansible_facts.packages' - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_firewalld_enabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80877-4 - - DISA-STIG-RHEL-08-040100 - - NIST-800-171-3.1.3 - - NIST-800-171-3.4.7 - - NIST-800-53-AC-4 - - NIST-800-53-CA-3(5) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(21) - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_firewalld_enabled - -- name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0 +- name: Ensure sysctl kernel.unprivileged_bpf_disabled is set to 1 sysctl: - name: net.ipv4.conf.default.send_redirects - value: '0' + name: kernel.unprivileged_bpf_disabled + value: '1' state: 
present reload: true when: @@ -5325,29 +5394,22 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv4_conf_default_send_redirects | bool + - sysctl_kernel_unprivileged_bpf_disabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80921-0 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-08-040270 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) + - CCE-82974-7 + - DISA-STIG-RHEL-08-040281 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_kernel_unprivileged_bpf_disabled -- name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0 +- name: Ensure sysctl kernel.dmesg_restrict is set to 1 sysctl: - name: net.ipv4.conf.all.send_redirects - value: '0' + name: kernel.dmesg_restrict + value: '1' state: present reload: true when: 
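Review bot: The re-added `Configure auditd mail_acct Action on Low Disk Space` task is the only auditd.conf `lineinfile` in this hunk without a `regexp`, so if the file already holds an `action_mail_acct = root` line (a stock setting), the task appends a second `action_mail_acct` line instead of replacing it, and which value auditd honours is then unclear. Add `regexp: ^\s*action_mail_acct\s*=\s*.*$` next to `line:`, as the `space_left_action`, `max_log_file_action` and `disk_full_action` tasks in the same hunk do. The `kernel.unprivileged_bpf_disabled` sysctl task at the end of the hunk continues in the next hunk.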
@@ -5356,29 +5418,25 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv4_conf_all_send_redirects | bool + - sysctl_kernel_dmesg_restrict | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80918-6 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-08-040220 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) + - CCE-80913-7 + - DISA-STIG-RHEL-08-010375 + - NIST-800-171-3.1.5 + - NIST-800-53-SI-11(a) + - NIST-800-53-SI-11(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_kernel_dmesg_restrict -- name: Ensure sysctl net.ipv4.ip_forward is set to 0 +- name: Ensure sysctl kernel.yama.ptrace_scope is set to 1 sysctl: - name: net.ipv4.ip_forward - value: '0' + name: kernel.yama.ptrace_scope + value: '1' state: present reload: true when: 
@@ -5387,28 +5445,22 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv4_ip_forward | bool + - sysctl_kernel_yama_ptrace_scope | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81024-2 - - DISA-STIG-RHEL-08-040260 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) + - CCE-80953-3 + - DISA-STIG-RHEL-08-040282 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv4_ip_forward + - sysctl_kernel_yama_ptrace_scope -- name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set +- name: Ensure sysctl kernel.kexec_load_disabled is set to 1 sysctl: - name: net.ipv4.conf.default.accept_redirects - value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}' + name: kernel.kexec_load_disabled + value: '1' state: present reload: true when: 
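Review bot: `kernel.kexec_load_disabled = 1` deserves a caveat in the task, because it is a one-way switch (it cannot be cleared again without a reboot) and it also blocks the kexec call that kdump uses to load its crash kernel, so on hosts with kdump.service enabled the crash kernel will presumably fail to load once systemd-sysctl applies this at boot — verify on a kdump host before enabling `sysctl_kernel_kexec_load_disabled`. A comment above the task name, e.g. `# NOTE: one-way latch; also prevents kdump from loading its crash kernel`, would make the trade-off visible to whoever flips the variable. The task's `when` list and tags continue in the next hunk.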
@@ -5417,28 +5469,22 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv4_conf_default_accept_redirects | bool + - sysctl_kernel_kexec_load_disabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80919-4 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-08-040210 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(a) + - CCE-80952-5 + - DISA-STIG-RHEL-08-010372 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_kernel_kexec_load_disabled -- name: Ensure sysctl net.ipv4.conf.all.rp_filter is set +- name: Ensure sysctl kernel.perf_event_paranoid is set to 2 sysctl: - name: net.ipv4.conf.all.rp_filter - value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}' + name: kernel.perf_event_paranoid + value: '2' state: present reload: true when: 
@@ -5447,57 +5493,48 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv4_conf_all_rp_filter | bool + - sysctl_kernel_perf_event_paranoid | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81021-8 - - DISA-STIG-RHEL-08-040285 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(a) + - CCE-81054-9 + - DISA-STIG-RHEL-08-010376 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv4_conf_all_rp_filter + - sysctl_kernel_perf_event_paranoid -- name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set +- name: Ensure sysctl user.max_user_namespaces is set to 0 sysctl: - name: net.ipv4.conf.all.accept_source_route - value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}' + name: user.max_user_namespaces + value: '0' state: present reload: true when: - disable_strategy | bool - low_complexity | bool + - low_severity | bool - medium_disruption | bool - - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv4_conf_all_accept_source_route | bool + - sysctl_user_max_user_namespaces | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81011-9 - - DISA-STIG-RHEL-08-040240 - - NIST-800-171-3.1.20 + - CCE-82211-4 + - DISA-STIG-RHEL-08-040284 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) + - NIST-800-53-SC-39 - disable_strategy - low_complexity + - low_severity - medium_disruption - - medium_severity - reboot_required - - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_user_max_user_namespaces -- name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set +- name: Ensure sysctl kernel.core_pattern is set to |/bin/false sysctl: - name: net.ipv4.conf.default.accept_source_route - value: '{{ 
sysctl_net_ipv4_conf_default_accept_source_route_value }}' + name: kernel.core_pattern + value: '|/bin/false' state: present reload: true when: 
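Review bot: `user.max_user_namespaces = 0` disables unprivileged user namespaces system-wide, which breaks rootless podman/containers and sandboxes that depend on them, and the hunk gives no warning of that; the `ansible_virtualization_type` guard only skips running inside a container, not container hosts. Add a caveat above the task name such as `# NOTE: disables user namespaces; breaks rootless containers and userns sandboxes - keep sysctl_user_max_user_namespaces false on container hosts`. The `kernel.core_pattern` task at the end of this hunk continues in the next hunk.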
@@ -5506,301 +5543,369 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv4_conf_default_accept_source_route | bool + - sysctl_kernel_core_pattern | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80920-2 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-08-040250 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 - - NIST-800-53-SC-7(a) + - CCE-82215-5 + - DISA-STIG-RHEL-08-010671 - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_kernel_core_pattern -- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set - sysctl: - name: net.ipv4.icmp_echo_ignore_broadcasts - value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}' - state: present - reload: true +- name: Disable service systemd-coredump + block: + - name: Gather the service facts + service_facts: null + - name: Disable service systemd-coredump + systemd: + name: systemd-coredump.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"systemd-coredump.service" in ansible_facts.services' when: - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool + - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80922-8 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-08-040230 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-5 + - CCE-82881-4 + - DISA-STIG-RHEL-08-010672 - disable_strategy - low_complexity - - medium_disruption + - low_disruption - medium_severity - - reboot_required - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - no_reboot_needed + - service_systemd-coredump_disabled -- name: 
Ensure sysctl net.ipv4.conf.all.accept_redirects is set - sysctl: - name: net.ipv4.conf.all.accept_redirects - value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}' - state: present - reload: true +- name: Unit Socket Exists - systemd-coredump.socket + command: systemctl list-unit-files systemd-coredump.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false when: - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv4_conf_all_accept_redirects | bool + - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80917-8 - - CJIS-5.10.1.1 - - DISA-STIG-RHEL-08-040280 - - NIST-800-171-3.1.20 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-SC-7(a) + - CCE-82881-4 + - DISA-STIG-RHEL-08-010672 - disable_strategy - low_complexity - - medium_disruption + - low_disruption - medium_severity - - reboot_required - - sysctl_net_ipv4_conf_all_accept_redirects + - no_reboot_needed + - service_systemd-coredump_disabled -- name: Ensure kernel module 'can' is disabled - lineinfile: - create: true - dest: /etc/modprobe.d/can.conf - regexp: can - line: install can /bin/true - when: - - disable_strategy | bool - - kernel_module_can_disabled | bool +- name: Disable socket systemd-coredump + systemd: + name: systemd-coredump.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"systemd-coredump.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-82059-7 - - DISA-STIG-RHEL-08-040022 + - 
CCE-82881-4 + - DISA-STIG-RHEL-08-010672 - disable_strategy - - kernel_module_can_disabled - low_complexity - - medium_disruption + - low_disruption - medium_severity - - reboot_required + - no_reboot_needed + - service_systemd-coredump_disabled -- name: Ensure kernel module 'atm' is disabled +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-81038-2 + - DISA-STIG-RHEL-08-010673 + - disable_users_coredumps + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - disable_users_coredumps | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: disable core dumps with limits lineinfile: + dest: /etc/security/limits.conf + regexp: ^[^#].*core + line: '* hard core 0' create: true - dest: /etc/modprobe.d/atm.conf - regexp: atm - line: install atm /bin/true when: - - disable_strategy | bool - - kernel_module_atm_disabled | bool + - disable_users_coredumps | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-82028-2 - - DISA-STIG-RHEL-08-040021 - - disable_strategy - - kernel_module_atm_disabled + - CCE-81038-2 + - DISA-STIG-RHEL-08-010673 + - disable_users_coredumps - low_complexity - - medium_disruption + - low_disruption - medium_severity - - reboot_required + - no_reboot_needed + - restrict_strategy -- name: Ensure kernel module 'sctp' is disabled - lineinfile: - create: true - dest: /etc/modprobe.d/sctp.conf - regexp: sctp - line: install sctp /bin/true +- name: Disable core dump backtraces + block: + - name: Check for duplicate values + lineinfile: + path: /etc/systemd/coredump.conf + create: false + 
regexp: ^\s*ProcessSizeMax\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + - name: Deduplicate values from /etc/systemd/coredump.conf + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*ProcessSizeMax\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + - name: Insert correct line to /etc/systemd/coredump.conf + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*ProcessSizeMax\s*=\s* + line: ProcessSizeMax=0 + state: present + tags: + - CCE-82251-0 + - DISA-STIG-RHEL-08-010675 + - coredump_disable_backtraces + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - disable_strategy | bool - - kernel_module_sctp_disabled | bool + - coredump_disable_backtraces | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Disable storing core dump + block: + - name: Check for duplicate values + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*Storage\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + - name: Deduplicate values from /etc/systemd/coredump.conf + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*Storage\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + - name: Insert correct line to /etc/systemd/coredump.conf + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*Storage\s*=\s* + line: Storage=none + state: present tags: - - CCE-80834-5 - - CJIS-5.10.1 - - DISA-STIG-RHEL-08-040023 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_sctp_disabled + 
- CCE-82252-8 + - DISA-STIG-RHEL-08-010674 + - coredump_disable_storage - low_complexity - - medium_disruption + - low_disruption - medium_severity - - reboot_required - -- name: Ensure kernel module 'firewire-core' is disabled - lineinfile: - create: true - dest: /etc/modprobe.d/firewire-core.conf - regexp: firewire-core - line: install firewire-core /bin/true + - no_reboot_needed + - restrict_strategy when: - - disable_strategy | bool + - coredump_disable_storage | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-82005-0 - - DISA-STIG-RHEL-08-040026 - - disable_strategy - - kernel_module_firewire-core_disabled - - low_complexity - - medium_disruption + - CCE-80944-2 + - DISA-STIG-RHEL-08-010421 + - NIST-800-53-CM-6(a) + - grub2_page_poison_argument + - low_disruption + - medium_complexity - medium_severity - reboot_required + - restrict_strategy + when: + - grub2_page_poison_argument | bool + - low_disruption | bool + - medium_complexity | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool -- name: Ensure kernel module 'tipc' is disabled - lineinfile: - create: true - dest: /etc/modprobe.d/tipc.conf - regexp: tipc - line: install tipc /bin/true +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false when: - - disable_strategy | bool - - kernel_module_tipc_disabled | bool - - low_complexity | bool - - medium_disruption | bool + - grub2_page_poison_argument | bool + - low_disruption | bool + - medium_complexity | bool - medium_severity | bool - reboot_required | bool + - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - - CCE-82297-3 - - DISA-STIG-RHEL-08-040024 + - CCE-80944-2 + - DISA-STIG-RHEL-08-010421 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_tipc_disabled - - low_complexity - - medium_disruption + - grub2_page_poison_argument + - low_disruption + - medium_complexity - medium_severity - reboot_required + - restrict_strategy -- name: Ensure kernel module 'bluetooth' is disabled - lineinfile: - create: true - dest: /etc/modprobe.d/bluetooth.conf - regexp: bluetooth - line: install bluetooth /bin/true +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} page_poison=1" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' when: - - disable_strategy | bool - - kernel_module_bluetooth_disabled | bool - - low_complexity | bool - - medium_disruption | bool + - grub2_page_poison_argument | bool + - low_disruption | bool + - medium_complexity | bool - medium_severity | bool - reboot_required | bool + - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80832-9 - - CJIS-5.13.1.3 - - DISA-STIG-RHEL-08-040111 - - NIST-800-171-3.1.16 - - NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) + - '"grub2-common" in ansible_facts.packages' + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?page_poison=1(?:\s.*)?$', multiline=True) is none + tags: + - CCE-80944-2 + - DISA-STIG-RHEL-08-010421 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - kernel_module_bluetooth_disabled - - low_complexity - - medium_disruption + - grub2_page_poison_argument + - low_disruption + - medium_complexity - medium_severity - reboot_required + - restrict_strategy -- name: 
Deactivate Wireless Network Interfaces - command: nmcli radio wifi off +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-80945-9 + - DISA-STIG-RHEL-08-010423 + - NIST-800-53-CM-6(a) + - grub2_slub_debug_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy when: - - low_complexity | bool - - medium_disruption | bool + - grub2_slub_debug_argument | bool + - low_disruption | bool + - medium_complexity | bool - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - wireless_disable_interfaces | bool + - reboot_required | bool + - restrict_strategy | bool + +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false + when: + - grub2_slub_debug_argument | bool + - low_disruption | bool + - medium_complexity | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - - CCE-83501-7 - - DISA-STIG-RHEL-08-040110 - - NIST-800-171-3.1.16 - - NIST-800-53-AC-18(3) - - NIST-800-53-AC-18(a) + - CCE-80945-9 + - DISA-STIG-RHEL-08-010423 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - low_complexity - - medium_disruption + - grub2_slub_debug_argument + - low_disruption + - medium_complexity - medium_severity - - no_reboot_needed - - unknown_strategy - - wireless_disable_interfaces + - reboot_required + - restrict_strategy -- name: Ensure sysctl net.ipv6.conf.all.accept_ra is set - sysctl: - name: net.ipv6.conf.all.accept_ra - value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}' - state: present - reload: true +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} slub_debug=P" + with_items: '{{ kernelopts.stdout_lines | select(''match'', 
''^kernelopts.*'') | list }}' when: - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool + - grub2_slub_debug_argument | bool + - low_disruption | bool + - medium_complexity | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv6_conf_all_accept_ra | bool + - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?slub_debug=P(?:\s.*)?$', multiline=True) is none tags: - - CCE-81006-9 - - DISA-STIG-RHEL-08-040261 - - NIST-800-171-3.1.20 + - CCE-80945-9 + - DISA-STIG-RHEL-08-010423 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - medium_disruption + - grub2_slub_debug_argument + - low_disruption + - medium_complexity - medium_severity - reboot_required - - sysctl_net_ipv6_conf_all_accept_ra + - restrict_strategy -- name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set +- name: Ensure sysctl kernel.kptr_restrict is set to 1 sysctl: - name: net.ipv6.conf.all.accept_redirects - value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}' + name: kernel.kptr_restrict + value: '1' state: present reload: true when: 
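Review bot: The `Disable socket systemd-coredump` task gates on `socket_file_exists.stdout_lines[1]`, which assumes `systemctl list-unit-files` always prints a header plus one result line; when the output has fewer than two lines the index is out of range and the conditional errors instead of skipping (the preceding `ignore_errors: true` does not help, since the failure is in the `when` of this task). Searching the whole output is robust: `- '"systemd-coredump.socket" in socket_file_exists.stdout'`. Separately, `disable core dumps with limits` only edits /etc/security/limits.conf, while files in /etc/security/limits.d/ are read afterwards and can override `* hard core 0`, so a comment or an additional check of that directory is worth adding.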
@@ -5809,26 +5914,26 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv6_conf_all_accept_redirects | bool + - sysctl_kernel_kptr_restrict | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81009-3 - - DISA-STIG-RHEL-08-040280 - - NIST-800-171-3.1.20 + - CCE-80915-2 + - DISA-STIG-RHEL-08-040283 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) + - NIST-800-53-SC-30 + - NIST-800-53-SC-30(2) + - NIST-800-53-SC-30(5) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_kernel_kptr_restrict -- name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set +- name: Ensure sysctl kernel.randomize_va_space is set to 2 sysctl: - name: net.ipv6.conf.all.accept_source_route - value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}' + name: kernel.randomize_va_space + value: '2' state: present reload: true when: 
@@ -5837,54 +5942,78 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv6_conf_all_accept_source_route | bool + - sysctl_kernel_randomize_va_space | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81013-5 - - DISA-STIG-RHEL-08-040240 - - NIST-800-171-3.1.20 + - CCE-80916-0 + - DISA-STIG-RHEL-08-010430 + - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) + - NIST-800-53-SC-30 + - NIST-800-53-SC-30(2) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_kernel_randomize_va_space -- name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set - sysctl: - name: net.ipv6.conf.default.accept_redirects - value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}' - state: present - reload: true +- name: Get all world-writable directories with no sticky bits set + shell: 'set -o pipefail + + df --local -P | awk ''{if (NR!=1) print $6}'' | xargs -I ''{}'' find ''{}'' -xdev -type d \( -perm -0002 -a ! 
-perm -1000 + \) 2>/dev/null + + ' + register: dir_output + tags: + - CCE-80783-4 + - DISA-STIG-RHEL-08-010190 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - dir_perms_world_writable_sticky_bits + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - disable_strategy | bool + - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - sysctl_net_ipv6_conf_default_accept_redirects | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: ensure sticky bit is set + file: + path: '{{ item }}' + mode: a+t + with_items: + - '{{ dir_output.stdout_lines }}' tags: - - CCE-81010-1 - - DISA-STIG-RHEL-08-040210 - - NIST-800-171-3.1.20 + - CCE-80783-4 + - DISA-STIG-RHEL-08-010190 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy + - dir_perms_world_writable_sticky_bits - low_complexity - - medium_disruption + - low_disruption - medium_severity - - reboot_required - - sysctl_net_ipv6_conf_default_accept_redirects + - no_reboot_needed + - restrict_strategy + when: + - dir_perms_world_writable_sticky_bits | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool -- name: Ensure sysctl net.ipv6.conf.default.accept_ra is set +- name: Ensure sysctl fs.protected_hardlinks is set to 1 sysctl: - name: net.ipv6.conf.default.accept_ra - value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}' + name: fs.protected_hardlinks + value: '1' state: present reload: true when: 
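Review bot: The `Get all world-writable directories with no sticky bits set` shell task has no `changed_when`, so it reports "changed" on every run, and in check mode it is skipped, which leaves `dir_output.stdout_lines` undefined and makes the following `ensure sticky bit is set` loop fail with an undefined-variable error. Add `changed_when: false` and `check_mode: false` to the shell task (the `file` task then still honours check mode). Note also that `awk '{print $6}'` on `df -P` output truncates mount points containing spaces, which would then be silently skipped; `set -o pipefail` additionally presumes the shell is bash, which holds on RHEL but is not stated.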
@@ -5893,26 +6022,24 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv6_conf_default_accept_ra | bool + - sysctl_fs_protected_hardlinks | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81007-7 - - DISA-STIG-RHEL-08-040262 - - NIST-800-171-3.1.20 + - CCE-81027-5 + - DISA-STIG-RHEL-08-010374 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv6_conf_default_accept_ra + - sysctl_fs_protected_hardlinks -- name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set +- name: Ensure sysctl fs.protected_symlinks is set to 1 sysctl: - name: net.ipv6.conf.default.accept_source_route - value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}' + name: fs.protected_symlinks + value: '1' state: present reload: true when: 
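Review bot: The `fs.protected_hardlinks` task persists the value through the sysctl module (which, by default, writes /etc/sysctl.conf and reloads it), but nothing here checks for a conflicting `fs.protected_hardlinks = 0` in a drop-in under /etc/sysctl.d/ or /usr/lib/sysctl.d/; presumably such a drop-in is re-applied at boot according to file ordering, so the hardened value this task sets may hold only until the next reboot. A preceding `find` over those directories with `changed_when: false`/`failed_when: false` followed by `lineinfile: state: absent` on the matches would close that gap, mirroring the deduplication pattern this role already uses for other config files. The same applies to the `fs.protected_symlinks` task that begins at the end of this hunk. The `fs.protected_hardlinks` task's `sysctl:` and `when:` lines start in the previous hunk.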
@@ -5921,742 +6048,664 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_net_ipv6_conf_default_accept_source_route | bool + - sysctl_fs_protected_symlinks | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81015-0 - - DISA-STIG-RHEL-08-040250 - - NIST-800-171-3.1.20 + - CCE-81030-9 + - DISA-STIG-RHEL-08-010373 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_fs_protected_symlinks -- name: Ensure policycoreutils is installed - package: - name: policycoreutils - state: present +- name: Configure excluded (non local) file systems + set_fact: + excluded_fstypes: + - afs + - ceph + - cifs + - smb3 + - smbfs + - sshfs + - ncpfs + - ncp + - nfs + - nfs4 + - gfs + - gfs2 + - glusterfs + - gpfs + - pvfs2 + - ocfs2 + - lustre + - davfs + - fuse.sshfs + tags: + - CCE-83375-6 + - DISA-STIG-RHEL-08-010700 + - dir_perms_world_writable_root_owned + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - enable_strategy | bool - - high_severity | bool + - dir_perms_world_writable_root_owned | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - package_policycoreutils_installed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - restrict_strategy | bool + +- name: Create empty list of excluded paths + set_fact: + excluded_paths: [] tags: - - CCE-82976-2 - - DISA-STIG-RHEL-08-010171 - - enable_strategy - - high_severity + - CCE-83375-6 + - DISA-STIG-RHEL-08-010700 + - dir_perms_world_writable_root_owned - low_complexity - - low_disruption + - medium_disruption + - medium_severity - no_reboot_needed 
- - package_policycoreutils_installed + - restrict_strategy + when: + - dir_perms_world_writable_root_owned | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool -- name: Ensure SELinux State is Enforcing - block: - - name: Check for duplicate values - lineinfile: - path: /etc/selinux/config - create: false - regexp: ^SELINUX= - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/selinux/config - lineinfile: - path: /etc/selinux/config - create: false - regexp: ^SELINUX= - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/selinux/config - lineinfile: - path: /etc/selinux/config - create: true - regexp: ^SELINUX= - line: SELINUX={{ var_selinux_state }} - state: present +- name: Detect nonlocal file systems and add them to excluded paths + set_fact: + excluded_paths: '{{ excluded_paths | union([item.mount]) }}' + loop: '{{ ansible_mounts }}' when: + - dir_perms_world_writable_root_owned | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - selinux_state | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - item.fstype in excluded_fstypes tags: - - CCE-80869-1 - - DISA-STIG-RHEL-08-010170 - - NIST-800-171-3.1.2 - - NIST-800-171-3.7.2 - - NIST-800-53-AC-3 - - NIST-800-53-AC-3(3)(a) - - NIST-800-53-AU-9 - - NIST-800-53-SC-7(21) + - CCE-83375-6 + - DISA-STIG-RHEL-08-010700 + - dir_perms_world_writable_root_owned - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - restrict_strategy - - selinux_state -- name: Configure SELinux Policy - block: - - name: Check for duplicate values - lineinfile: - path: /etc/selinux/config - create: false - regexp: ^SELINUXTYPE= - state: 
absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/selinux/config - lineinfile: - path: /etc/selinux/config - create: false - regexp: ^SELINUXTYPE= - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/selinux/config - lineinfile: - path: /etc/selinux/config - create: true - regexp: ^SELINUXTYPE= - line: SELINUXTYPE={{ var_selinux_policy_name }} - state: present +- name: Find all directories excluding non-local partitions + find: + paths: / + excludes: excluded_paths + file_type: directory + hidden: true + recurse: true + register: found_dirs + tags: + - CCE-83375-6 + - DISA-STIG-RHEL-08-010700 + - dir_perms_world_writable_root_owned + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: + - dir_perms_world_writable_root_owned | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - - selinux_policytype | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + +- name: Create list of world writable directories + set_fact: + world_writable_dirs: '{{ found_dirs.files | selectattr(''woth'') | list }}' tags: - - CCE-80868-3 - - DISA-STIG-RHEL-08-010450 - - NIST-800-171-3.1.2 - - NIST-800-171-3.7.2 - - NIST-800-53-AC-3 - - NIST-800-53-AC-3(3)(a) - - NIST-800-53-AU-9 - - NIST-800-53-SC-7(21) + - CCE-83375-6 + - DISA-STIG-RHEL-08-010700 + - dir_perms_world_writable_root_owned - low_complexity - - low_disruption + - medium_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - - selinux_policytype + when: + - dir_perms_world_writable_root_owned | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool -- name: Disable 
service autofs - block: - - name: Gather the service facts - service_facts: null - - name: Disable service autofs - systemd: - name: autofs.service - enabled: 'no' - state: stopped - masked: 'yes' - when: '"autofs.service" in ansible_facts.services' +- name: Change owner to root on directories which are world writable + file: + path: '{{ item.path }}' + owner: root + loop: '{{ world_writable_dirs }}' + ignore_errors: true + tags: + - CCE-83375-6 + - DISA-STIG-RHEL-08-010700 + - dir_perms_world_writable_root_owned + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - disable_strategy | bool + - dir_perms_world_writable_root_owned | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - service_autofs_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - restrict_strategy | bool + +- name: Test for existence /var/log/messages + stat: + path: /var/log/messages + register: file_exists tags: - - CCE-80873-3 - - DISA-STIG-RHEL-08-040070 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy + - CCE-83665-0 + - DISA-STIG-RHEL-08-010210 + - configure_strategy + - file_permissions_var_log_messages - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_autofs_disabled - -- name: Unit Socket Exists - autofs.socket - command: systemctl list-unit-files autofs.socket - args: - warn: false - register: socket_file_exists - changed_when: false - ignore_errors: true - check_mode: false when: - - disable_strategy | bool + - configure_strategy | bool + - file_permissions_var_log_messages | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - service_autofs_disabled | bool - - ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] - tags: - - CCE-80873-3 - - DISA-STIG-RHEL-08-040070 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_autofs_disabled -- name: Disable socket autofs - systemd: - name: autofs.socket - enabled: 'no' - state: stopped - masked: 'yes' +- name: Ensure permission 0640 on /var/log/messages + file: + path: /var/log/messages + mode: '0640' when: - - disable_strategy | bool + - configure_strategy | bool + - file_permissions_var_log_messages | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - service_autofs_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"autofs.socket" in socket_file_exists.stdout_lines[1]' + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-80873-3 - - DISA-STIG-RHEL-08-040070 - - NIST-800-171-3.4.6 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy + - CCE-83665-0 + - DISA-STIG-RHEL-08-010210 + - configure_strategy + - file_permissions_var_log_messages - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_autofs_disabled -- name: Ensure kernel module 'cramfs' is disabled - lineinfile: - create: true - dest: /etc/modprobe.d/cramfs.conf - regexp: cramfs - line: install cramfs /bin/true - when: - - disable_strategy | bool - - kernel_module_cramfs_disabled | bool - - low_complexity | bool - - low_severity | bool - - medium_disruption | bool - - reboot_required | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Test for existence /var/log/ + stat: + path: /var/log/ + register: file_exists tags: - - CCE-81031-7 - - DISA-STIG-RHEL-08-040025 - - NIST-800-171-3.4.6 
- - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - kernel_module_cramfs_disabled + - CCE-83661-9 + - DISA-STIG-RHEL-08-010250 + - configure_strategy + - file_owner_var_log - low_complexity - - low_severity - - medium_disruption - - reboot_required - -- name: Ensure kernel module 'usb-storage' is disabled - lineinfile: - create: true - dest: /etc/modprobe.d/usb-storage.conf - regexp: usb-storage - line: install usb-storage /bin/true + - low_disruption + - medium_severity + - no_reboot_needed when: - - disable_strategy | bool + - configure_strategy | bool + - file_owner_var_log | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80835-2 - - DISA-STIG-RHEL-08-040080 - - NIST-800-171-3.1.21 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - disable_strategy - - kernel_module_usb-storage_disabled - - low_complexity - - medium_disruption - - medium_severity - - reboot_required + - no_reboot_needed | bool -- name: Ensure permission nosuid are set on var_removable_partition - lineinfile: - path: /etc/fstab - regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$ - backrefs: true - line: \1 \2 \3 \4,nosuid \5 +- name: Ensure owner 0 on /var/log/ + file: + path: /var/log/ + owner: '0' when: - configure_strategy | bool - - high_disruption | bool + - file_owner_var_log | bool - low_complexity | bool + - low_disruption | bool - medium_severity | bool - - mount_option_nosuid_removable_partitions | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82744-4 - - DISA-STIG-RHEL-08-010620 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - 
NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-83661-9 + - DISA-STIG-RHEL-08-010250 - configure_strategy - - high_disruption + - file_owner_var_log - low_complexity + - low_disruption - medium_severity - - mount_option_nosuid_removable_partitions - no_reboot_needed -- name: Check information associated to mountpoint - command: findmnt --fstab '/var/log/audit' - register: device_name - failed_when: device_name.rc > 1 - changed_when: false - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_audit_noexec | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Test for existence /var/log/messages + stat: + path: /var/log/messages + register: file_exists tags: - - CCE-82975-4 - - DISA-STIG-RHEL-08-040131 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-83660-1 + - DISA-STIG-RHEL-08-010230 - configure_strategy - - high_disruption + - file_groupowner_var_log_messages - low_complexity + - low_disruption - medium_severity - - mount_option_var_log_audit_noexec - no_reboot_needed - -- name: Create mount_info dictionary variable - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - '{{ device_name.stdout_lines[0].split() | list | lower }}' - - '{{ device_name.stdout_lines[1].split() | list }}' when: - configure_strategy | bool - - high_disruption | bool + - file_groupowner_var_log_messages | bool - low_complexity | bool + - low_disruption | bool - medium_severity | bool - - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - device_name.stdout is defined and device_name.stdout_lines is defined - - 
(device_name.stdout | length > 0) - tags: - - CCE-82975-4 - - DISA-STIG-RHEL-08-040131 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_log_audit_noexec - - no_reboot_needed -- name: If /var/log/audit not mounted, craft mount_info manually - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - - target - - source - - fstype - - options - - - /var/log/audit - - '' - - '' - - defaults +- name: Ensure group owner 0 on /var/log/messages + file: + path: /var/log/messages + group: '0' when: - configure_strategy | bool - - high_disruption | bool + - file_groupowner_var_log_messages | bool - low_complexity | bool + - low_disruption | bool - medium_severity | bool - - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("--fstab" | length == 0) - - (device_name.stdout | length == 0) + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82975-4 - - DISA-STIG-RHEL-08-040131 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-83660-1 + - DISA-STIG-RHEL-08-010230 - configure_strategy - - high_disruption + - file_groupowner_var_log_messages - low_complexity + - low_disruption - medium_severity - - mount_option_var_log_audit_noexec - no_reboot_needed -- name: Make sure noexec option is part of the to /var/log/audit options - set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' +- name: Test for existence /var/log/ + stat: + path: /var/log/ + register: file_exists + tags: + - CCE-83659-3 + - DISA-STIG-RHEL-08-010260 + - configure_strategy + - file_groupowner_var_log + - 
low_complexity + - low_disruption + - medium_severity + - no_reboot_needed when: - configure_strategy | bool - - high_disruption | bool + - file_groupowner_var_log | bool - low_complexity | bool + - low_disruption | bool - medium_severity | bool - - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "noexec" not in mount_info.options - tags: - - CCE-82975-4 - - DISA-STIG-RHEL-08-040131 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_log_audit_noexec - - no_reboot_needed -- name: Ensure /var/log/audit is mounted with noexec option - mount: - path: /var/log/audit - src: '{{ mount_info.source }}' - opts: '{{ mount_info.options }}' - state: mounted - fstype: '{{ mount_info.fstype }}' +- name: Ensure group owner 0 on /var/log/ + file: + path: /var/log/ + group: '0' when: - configure_strategy | bool - - high_disruption | bool + - file_groupowner_var_log | bool - low_complexity | bool + - low_disruption | bool - medium_severity | bool - - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82975-4 - - DISA-STIG-RHEL-08-040131 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-83659-3 + - DISA-STIG-RHEL-08-010260 - configure_strategy - - high_disruption + - file_groupowner_var_log - low_complexity + - low_disruption - medium_severity - - mount_option_var_log_audit_noexec - 
no_reboot_needed -- name: Check information associated to mountpoint - command: findmnt --fstab '/var/tmp' - register: device_name - failed_when: device_name.rc > 1 - changed_when: false - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_tmp_nosuid | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- name: Test for existence /var/log/messages + stat: + path: /var/log/messages + register: file_exists tags: - - CCE-82154-6 - - DISA-STIG-RHEL-08-040133 + - CCE-83662-7 + - DISA-STIG-RHEL-08-010220 - configure_strategy - - high_disruption + - file_owner_var_log_messages - low_complexity + - low_disruption - medium_severity - - mount_option_var_tmp_nosuid - no_reboot_needed - -- name: Create mount_info dictionary variable - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - '{{ device_name.stdout_lines[0].split() | list | lower }}' - - '{{ device_name.stdout_lines[1].split() | list }}' when: - configure_strategy | bool - - high_disruption | bool + - file_owner_var_log_messages | bool - low_complexity | bool + - low_disruption | bool - medium_severity | bool - - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - device_name.stdout is defined and device_name.stdout_lines is defined - - (device_name.stdout | length > 0) - tags: - - CCE-82154-6 - - DISA-STIG-RHEL-08-040133 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_tmp_nosuid - - no_reboot_needed -- name: If /var/tmp not mounted, craft mount_info manually - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - - target - - source - - fstype - - options - - - /var/tmp - - '' - - '' - - defaults +- name: 
Ensure owner 0 on /var/log/messages + file: + path: /var/log/messages + owner: '0' when: - configure_strategy | bool - - high_disruption | bool + - file_owner_var_log_messages | bool - low_complexity | bool + - low_disruption | bool - medium_severity | bool - - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("--fstab" | length == 0) - - (device_name.stdout | length == 0) + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82154-6 - - DISA-STIG-RHEL-08-040133 + - CCE-83662-7 + - DISA-STIG-RHEL-08-010220 - configure_strategy - - high_disruption + - file_owner_var_log_messages - low_complexity + - low_disruption - medium_severity - - mount_option_var_tmp_nosuid - no_reboot_needed -- name: Make sure nosuid option is part of the to /var/tmp options - set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_tmp_nosuid | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "nosuid" not in mount_info.options +- name: Test for existence /var/log/ + stat: + path: /var/log/ + register: file_exists tags: - - CCE-82154-6 - - DISA-STIG-RHEL-08-040133 + - CCE-83663-5 + - DISA-STIG-RHEL-08-010240 - configure_strategy - - high_disruption + - file_permissions_var_log - low_complexity + - low_disruption - medium_severity - - mount_option_var_tmp_nosuid - no_reboot_needed - -- name: Ensure /var/tmp is mounted with nosuid option - mount: - path: /var/tmp - src: '{{ mount_info.source }}' - opts: '{{ mount_info.options }}' - state: mounted - fstype: '{{ mount_info.fstype }}' when: - configure_strategy | bool - - high_disruption | bool + - file_permissions_var_log | bool - 
low_complexity | bool + - low_disruption | bool - medium_severity | bool - - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) - tags: - - CCE-82154-6 - - DISA-STIG-RHEL-08-040133 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_tmp_nosuid - - no_reboot_needed -- name: Check information associated to mountpoint - command: findmnt --fstab '/var/tmp' - register: device_name - failed_when: device_name.rc > 1 - changed_when: false +- name: Ensure permission 0755 on /var/log/ + file: + path: /var/log/ + mode: '0755' when: - configure_strategy | bool - - high_disruption | bool + - file_permissions_var_log | bool - low_complexity | bool + - low_disruption | bool - medium_severity | bool - - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82151-2 - - DISA-STIG-RHEL-08-040134 + - CCE-83663-5 + - DISA-STIG-RHEL-08-010240 - configure_strategy - - high_disruption + - file_permissions_var_log - low_complexity + - low_disruption - medium_severity - - mount_option_var_tmp_noexec - no_reboot_needed -- name: Create mount_info dictionary variable - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - '{{ device_name.stdout_lines[0].split() | list | lower }}' - - '{{ device_name.stdout_lines[1].split() | list }}' - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_tmp_noexec | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - device_name.stdout is 
defined and device_name.stdout_lines is defined - - (device_name.stdout | length > 0) +- name: Read list libraries without root ownership + command: find -L /usr/lib /usr/lib64 /lib /lib64 \! -user root + register: libraries_not_owned_by_root + changed_when: false + failed_when: false + check_mode: false tags: - - CCE-82151-2 - - DISA-STIG-RHEL-08-040134 - - configure_strategy - - high_disruption - - low_complexity + - CCE-80807-1 + - DISA-STIG-RHEL-08-010340 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_ownership_library_dirs + - medium_complexity + - medium_disruption - medium_severity - - mount_option_var_tmp_noexec - no_reboot_needed - -- name: If /var/tmp not mounted, craft mount_info manually - set_fact: - mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' - with_together: - - - target - - source - - fstype - - options - - - /var/tmp - - '' - - '' - - defaults + - restrict_strategy when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_var_tmp_noexec | bool + - file_ownership_library_dirs | bool + - medium_complexity | bool + - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("--fstab" | length == 0) - - (device_name.stdout | length == 0) + - restrict_strategy | bool + +- name: Set ownership of system libraries to root + file: + path: '{{ item }}' + owner: root + with_items: '{{ libraries_not_owned_by_root.stdout_lines }}' + when: + - file_ownership_library_dirs | bool + - medium_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - libraries_not_owned_by_root | length > 0 tags: - - CCE-82151-2 - - DISA-STIG-RHEL-08-040134 - - configure_strategy - - high_disruption - - low_complexity + - CCE-80807-1 + - DISA-STIG-RHEL-08-010340 + - NIST-800-53-AC-6(1) + 
- NIST-800-53-CM-6(a) + - file_ownership_library_dirs + - medium_complexity + - medium_disruption - medium_severity - - mount_option_var_tmp_noexec - no_reboot_needed + - restrict_strategy -- name: Make sure noexec option is part of the to /var/tmp options - set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' +- name: Read list of world and group writable files in libraries directories + command: find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f + register: world_writable_library_files + changed_when: false + failed_when: false + check_mode: false + tags: + - CCE-80815-4 + - DISA-STIG-RHEL-08-010330 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_permissions_library_dirs + - high_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool + - file_permissions_library_dirs | bool + - high_complexity | bool + - medium_disruption | bool - medium_severity | bool - - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "noexec" not in mount_info.options + - restrict_strategy | bool + +- name: Disable world/group writability to library files + file: + path: '{{ item }}' + mode: go-w + with_items: '{{ world_writable_library_files.stdout_lines }}' + when: + - file_permissions_library_dirs | bool + - high_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - world_writable_library_files.stdout_lines | length > 0 tags: - - CCE-82151-2 - - DISA-STIG-RHEL-08-040134 - - configure_strategy - - high_disruption - - low_complexity + - CCE-80815-4 + - DISA-STIG-RHEL-08-010330 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_permissions_library_dirs + - high_complexity + - 
medium_disruption - medium_severity - - mount_option_var_tmp_noexec - no_reboot_needed + - restrict_strategy -- name: Ensure /var/tmp is mounted with noexec option +- name: Read list of system executables without root ownership + command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \! -user root + register: no_root_system_executables + changed_when: false + failed_when: false + check_mode: false + tags: + - CCE-80806-3 + - DISA-STIG-RHEL-08-010310 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_ownership_binary_dirs + - medium_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - file_ownership_binary_dirs | bool + - medium_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Set ownership to root of system executables + file: + path: '{{ item }}' + owner: root + with_items: '{{ no_root_system_executables.stdout_lines }}' + when: + - file_ownership_binary_dirs | bool + - medium_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - no_root_system_executables.stdout_lines | length > 0 + tags: + - CCE-80806-3 + - DISA-STIG-RHEL-08-010310 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_ownership_binary_dirs + - medium_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Read list of world and group writable system executables + command: find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec -perm /022 -type f + register: world_writable_library_files + changed_when: false + failed_when: false + check_mode: false + tags: + - CCE-80809-7 + - DISA-STIG-RHEL-08-010300 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_permissions_binary_dirs + - medium_complexity + - medium_disruption + - medium_severity + - 
no_reboot_needed + - restrict_strategy + when: + - file_permissions_binary_dirs | bool + - medium_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Remove world/group writability of system executables + file: + path: '{{ item }}' + mode: go-w + with_items: '{{ world_writable_library_files.stdout_lines }}' + when: + - file_permissions_binary_dirs | bool + - medium_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - world_writable_library_files.stdout_lines | length > 0 + tags: + - CCE-80809-7 + - DISA-STIG-RHEL-08-010300 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_permissions_binary_dirs + - medium_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure non-root local partitions are mounted with nodev option mount: - path: /var/tmp - src: '{{ mount_info.source }}' - opts: '{{ mount_info.options }}' + path: '{{ item.mount }}' + src: '{{ item.device }}' + opts: '{{ item.options }},nodev' state: mounted - fstype: '{{ mount_info.fstype }}' + fstype: '{{ item.fstype }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_tmp_noexec | bool + - mount_option_nodev_nonroot_local_partitions | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) + - item.mount is match('/\w') + - item.options is not search('nodev') + with_items: + - '{{ ansible_facts.mounts }}' tags: - - CCE-82151-2 - - DISA-STIG-RHEL-08-040134 + - CCE-82069-6 + - DISA-STIG-RHEL-08-010580 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 - 
configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_var_tmp_noexec + - mount_option_nodev_nonroot_local_partitions - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt '/dev/shm' + command: findmnt --fstab '/boot' register: device_name failed_when: device_name.rc > 1 changed_when: false @@ -6664,13 +6713,13 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nodev | bool + - medium_severity | bool + - mount_option_boot_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80837-8 - - DISA-STIG-RHEL-08-040120 + - CCE-81033-3 + - DISA-STIG-RHEL-08-010571 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -6680,8 +6729,8 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nodev + - medium_severity + - mount_option_boot_nosuid - no_reboot_needed - name: Create mount_info dictionary variable @@ -6694,15 +6743,15 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nodev | bool + - medium_severity | bool + - mount_option_boot_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-80837-8 - - DISA-STIG-RHEL-08-040120 + - CCE-81033-3 + - DISA-STIG-RHEL-08-010571 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
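Review bot: In `Find all directories excluding non-local partitions`, `excludes: excluded_paths` is a literal string rather than `'{{ excluded_paths }}'`, so the mount list assembled by the three preceding `set_fact` tasks is never applied and the recursive `find` over `/` descends into NFS, CIFS and other remote mounts, after which `Change owner to root on directories which are world writable` attempts a chown on them, masked only by `ignore_errors: true`. To my knowledge the `find` module's `excludes` is matched against basenames, not full paths, so even templated it would not skip a mount point; filtering `found_dirs.files` with `rejectattr`/`selectattr` on `path` against `excluded_paths` before the chown, or a `command: find / -xdev ...` probe, is needed for the stated intent to hold. Separately, `Set ownership of system libraries to root` gates on `libraries_not_owned_by_root | length > 0`, which is the size of the registered result dict and is always true; it should be `libraries_not_owned_by_root.stdout_lines | length > 0` as the sibling tasks use. `Read list of world and group writable system executables` also registers into `world_writable_library_files`, silently reusing the name of the library-directory result; give it its own name such as `world_writable_system_executables`. The `fs.protected_symlinks` task at the top of this hunk begins in the previous hunk.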
@@ -6712,11 +6761,11 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nodev + - medium_severity + - mount_option_boot_nosuid - no_reboot_needed -- name: If /dev/shm not mounted, craft mount_info manually +- name: If /boot not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -6724,23 +6773,23 @@ - source - fstype - options - - - /dev/shm - - tmpfs - - tmpfs - - defaults - when: + - - /boot + - '' + - '' + - defaults + when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nodev | bool + - medium_severity | bool + - mount_option_boot_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("" | length == 0) + - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-80837-8 - - DISA-STIG-RHEL-08-040120 + - CCE-81033-3 + - DISA-STIG-RHEL-08-010571 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
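Review bot: The fallback task `If /boot not mounted, craft mount_info manually` in hunk `@@ -6724,23 +6773,23 @@` is unreachable: its `when` list contains `("--fstab" | length == 0)`, a constant false, so on a host whose fstab has no `/boot` entry the rule silently does nothing and the `src: ''` / `fstype: ''` / `defaults` record it would build is never handed to `mount`. Skipping an absent fstab entry instead of inventing one is the safer outcome, but the reader has to evaluate a string length to see that the branch is dead and that the guard on the later `Ensure /boot is mounted with nosuid option` task reduces to `device_name.stdout | length > 0`. If the constant is deliberate in the generator template, a comment above the fallback such as `# fstab-based lookup: an absent entry is left alone (guard is intentionally constant)` would make that readable; otherwise the task could be omitted for `--fstab` mountpoints. The same constant guard recurs in the /var/log, /tmp and /var/log/audit hunks `@@ -6892,14 +6941,14 @@`, `@@ -7369,14 +7388,14 @@`, `@@ -7528,14 +7547,14 @@`, `@@ -7717,14 +7706,14 @@` and `@@ -7867,23 +7856,23 @@`.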
@@ -6750,25 +6799,25 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nodev + - medium_severity + - mount_option_boot_nosuid - no_reboot_needed -- name: Make sure nodev option is part of the to /dev/shm options +- name: Make sure nosuid option is part of the to /boot options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nodev | bool + - medium_severity | bool + - mount_option_boot_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "nodev" not in mount_info.options + - mount_info is defined and "nosuid" not in mount_info.options tags: - - CCE-80837-8 - - DISA-STIG-RHEL-08-040120 + - CCE-81033-3 + - DISA-STIG-RHEL-08-010571 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -6778,13 +6827,13 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nodev + - medium_severity + - mount_option_boot_nosuid - no_reboot_needed -- name: Ensure /dev/shm is mounted with nodev option +- name: Ensure /boot is mounted with nosuid option mount: - path: /dev/shm + path: /boot src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted 
@@ -6793,14 +6842,14 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nodev | bool + - medium_severity | bool + - mount_option_boot_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-80837-8 - - DISA-STIG-RHEL-08-040120 + - CCE-81033-3 + - DISA-STIG-RHEL-08-010571 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -6810,12 +6859,12 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nodev + - medium_severity + - mount_option_boot_nosuid - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/var/log/audit' + command: findmnt --fstab '/var/log' register: device_name failed_when: device_name.rc > 1 changed_when: false @@ -6824,12 +6873,12 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_audit_nodev | bool + - mount_option_var_log_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82080-3 - - DISA-STIG-RHEL-08-040129 + - CCE-82008-4 + - DISA-STIG-RHEL-08-040128 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -6840,7 +6889,7 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_audit_nodev + - mount_option_var_log_noexec - no_reboot_needed - name: Create mount_info dictionary variable 
@@ -6854,14 +6903,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_audit_nodev | bool + - mount_option_var_log_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-82080-3 - - DISA-STIG-RHEL-08-040129 + - CCE-82008-4 + - DISA-STIG-RHEL-08-040128 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -6872,10 +6921,10 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_audit_nodev + - mount_option_var_log_noexec - no_reboot_needed -- name: If /var/log/audit not mounted, craft mount_info manually +- name: If /var/log not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -6883,7 +6932,7 @@ - source - fstype - options - - - /var/log/audit + - - /var/log - '' - '' - defaults @@ -6892,14 +6941,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_audit_nodev | bool + - mount_option_var_log_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-82080-3 - - DISA-STIG-RHEL-08-040129 + - CCE-82008-4 + - DISA-STIG-RHEL-08-040128 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
@@ -6910,24 +6959,24 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_audit_nodev + - mount_option_var_log_noexec - no_reboot_needed -- name: Make sure nodev option is part of the to /var/log/audit options +- name: Make sure noexec option is part of the to /var/log options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_audit_nodev | bool + - mount_option_var_log_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "nodev" not in mount_info.options + - mount_info is defined and "noexec" not in mount_info.options tags: - - CCE-82080-3 - - DISA-STIG-RHEL-08-040129 + - CCE-82008-4 + - DISA-STIG-RHEL-08-040128 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -6938,12 +6987,12 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_audit_nodev + - mount_option_var_log_noexec - no_reboot_needed -- name: Ensure /var/log/audit is mounted with nodev option +- name: Ensure /var/log is mounted with noexec option mount: - path: /var/log/audit + path: /var/log src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted 
@@ -6953,43 +7002,13 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_audit_nodev | bool + - mount_option_var_log_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-82080-3 - - DISA-STIG-RHEL-08-040129 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - medium_severity - - mount_option_var_log_audit_nodev - - no_reboot_needed - -- name: Ensure permission noexec are set on var_removable_partition - lineinfile: - path: /etc/fstab - regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$ - backrefs: true - line: \1 \2 \3 \4,noexec \5 - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - medium_severity | bool - - mount_option_noexec_removable_partitions | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82746-9 - - DISA-STIG-RHEL-08-010610 + - CCE-82008-4 + - DISA-STIG-RHEL-08-040128 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7000,11 +7019,11 @@ - high_disruption - low_complexity - medium_severity - - mount_option_noexec_removable_partitions + - mount_option_var_log_noexec - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/tmp' + command: findmnt '/dev/shm' register: device_name failed_when: device_name.rc > 1 changed_when: false 
@@ -7012,13 +7031,13 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_tmp_noexec | bool + - low_severity | bool + - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82139-7 - - DISA-STIG-RHEL-08-040125 + - CCE-80837-8 + - DISA-STIG-RHEL-08-040120 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7028,8 +7047,8 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_tmp_noexec + - low_severity + - mount_option_dev_shm_nodev - no_reboot_needed - name: Create mount_info dictionary variable @@ -7042,15 +7061,15 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_tmp_noexec | bool + - low_severity | bool + - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-82139-7 - - DISA-STIG-RHEL-08-040125 + - CCE-80837-8 + - DISA-STIG-RHEL-08-040120 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7060,11 +7079,11 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_tmp_noexec + - low_severity + - mount_option_dev_shm_nodev - no_reboot_needed -- name: If /tmp not mounted, craft mount_info manually +- name: If /dev/shm not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: 
@@ -7072,23 +7091,23 @@ - source - fstype - options - - - /tmp - - '' - - '' + - - /dev/shm + - tmpfs + - tmpfs - defaults when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_tmp_noexec | bool + - low_severity | bool + - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("--fstab" | length == 0) + - ("" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-82139-7 - - DISA-STIG-RHEL-08-040125 + - CCE-80837-8 + - DISA-STIG-RHEL-08-040120 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7098,25 +7117,25 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_tmp_noexec + - low_severity + - mount_option_dev_shm_nodev - no_reboot_needed -- name: Make sure noexec option is part of the to /tmp options +- name: Make sure nodev option is part of the to /dev/shm options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_tmp_noexec | bool + - low_severity | bool + - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "noexec" not in mount_info.options + - mount_info is defined and "nodev" not in mount_info.options tags: - - CCE-82139-7 - - DISA-STIG-RHEL-08-040125 + - CCE-80837-8 + - DISA-STIG-RHEL-08-040120 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
@@ -7126,13 +7145,13 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_tmp_noexec + - low_severity + - mount_option_dev_shm_nodev - no_reboot_needed -- name: Ensure /tmp is mounted with noexec option +- name: Ensure /dev/shm is mounted with nodev option mount: - path: /tmp + path: /dev/shm src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted @@ -7141,14 +7160,14 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_tmp_noexec | bool + - low_severity | bool + - mount_option_dev_shm_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) tags: - - CCE-82139-7 - - DISA-STIG-RHEL-08-040125 + - CCE-80837-8 + - DISA-STIG-RHEL-08-040120 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7158,8 +7177,8 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_tmp_noexec + - low_severity + - mount_option_dev_shm_nodev - no_reboot_needed - name: Check information associated to mountpoint @@ -7292,7 +7311,7 @@ - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/var/log' + command: findmnt --fstab '/tmp' register: device_name failed_when: device_name.rc > 1 changed_when: false 
@@ -7301,12 +7320,12 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nosuid | bool + - mount_option_tmp_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82065-4 - - DISA-STIG-RHEL-08-040127 + - CCE-82623-0 + - DISA-STIG-RHEL-08-040123 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7317,7 +7336,7 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nosuid + - mount_option_tmp_nodev - no_reboot_needed - name: Create mount_info dictionary variable @@ -7331,14 +7350,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nosuid | bool + - mount_option_tmp_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-82065-4 - - DISA-STIG-RHEL-08-040127 + - CCE-82623-0 + - DISA-STIG-RHEL-08-040123 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7349,10 +7368,10 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nosuid + - mount_option_tmp_nodev - no_reboot_needed -- name: If /var/log not mounted, craft mount_info manually +- name: If /tmp not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -7360,7 +7379,7 @@ - source - fstype - options - - - /var/log + - - /tmp - '' - '' - defaults 
@@ -7369,14 +7388,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nosuid | bool + - mount_option_tmp_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-82065-4 - - DISA-STIG-RHEL-08-040127 + - CCE-82623-0 + - DISA-STIG-RHEL-08-040123 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7387,24 +7406,24 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nosuid + - mount_option_tmp_nodev - no_reboot_needed -- name: Make sure nosuid option is part of the to /var/log options +- name: Make sure nodev option is part of the to /tmp options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nosuid | bool + - mount_option_tmp_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "nosuid" not in mount_info.options + - mount_info is defined and "nodev" not in mount_info.options tags: - - CCE-82065-4 - - DISA-STIG-RHEL-08-040127 + - CCE-82623-0 + - DISA-STIG-RHEL-08-040123 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7415,12 +7434,12 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nosuid + - mount_option_tmp_nodev - no_reboot_needed -- name: Ensure /var/log is mounted with nosuid option +- name: Ensure /tmp is mounted with nodev option mount: - path: /var/log + path: /tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted 
@@ -7430,13 +7449,13 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nosuid | bool + - mount_option_tmp_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-82065-4 - - DISA-STIG-RHEL-08-040127 + - CCE-82623-0 + - DISA-STIG-RHEL-08-040123 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7447,11 +7466,11 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nosuid + - mount_option_tmp_nodev - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/home' + command: findmnt --fstab '/var/log/audit' register: device_name failed_when: device_name.rc > 1 changed_when: false @@ -7460,12 +7479,12 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_home_nosuid | bool + - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81050-7 - - DISA-STIG-RHEL-08-010570 + - CCE-82975-4 + - DISA-STIG-RHEL-08-040131 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7476,7 +7495,7 @@ - high_disruption - low_complexity - medium_severity - - mount_option_home_nosuid + - mount_option_var_log_audit_noexec - no_reboot_needed - name: Create mount_info dictionary variable 
@@ -7490,14 +7509,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_home_nosuid | bool + - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-81050-7 - - DISA-STIG-RHEL-08-010570 + - CCE-82975-4 + - DISA-STIG-RHEL-08-040131 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7508,10 +7527,10 @@ - high_disruption - low_complexity - medium_severity - - mount_option_home_nosuid + - mount_option_var_log_audit_noexec - no_reboot_needed -- name: If /home not mounted, craft mount_info manually +- name: If /var/log/audit not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -7519,7 +7538,7 @@ - source - fstype - options - - - /home + - - /var/log/audit - '' - '' - defaults @@ -7528,14 +7547,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_home_nosuid | bool + - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-81050-7 - - DISA-STIG-RHEL-08-010570 + - CCE-82975-4 + - DISA-STIG-RHEL-08-040131 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
@@ -7546,24 +7565,24 @@ - high_disruption - low_complexity - medium_severity - - mount_option_home_nosuid + - mount_option_var_log_audit_noexec - no_reboot_needed -- name: Make sure nosuid option is part of the to /home options +- name: Make sure noexec option is part of the to /var/log/audit options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_home_nosuid | bool + - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "nosuid" not in mount_info.options + - mount_info is defined and "noexec" not in mount_info.options tags: - - CCE-81050-7 - - DISA-STIG-RHEL-08-010570 + - CCE-82975-4 + - DISA-STIG-RHEL-08-040131 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7574,12 +7593,12 @@ - high_disruption - low_complexity - medium_severity - - mount_option_home_nosuid + - mount_option_var_log_audit_noexec - no_reboot_needed -- name: Ensure /home is mounted with nosuid option +- name: Ensure /var/log/audit is mounted with noexec option mount: - path: /home + path: /var/log/audit src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted 
@@ -7589,13 +7608,13 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_home_nosuid | bool + - mount_option_var_log_audit_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-81050-7 - - DISA-STIG-RHEL-08-010570 + - CCE-82975-4 + - DISA-STIG-RHEL-08-040131 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7606,41 +7625,11 @@ - high_disruption - low_complexity - medium_severity - - mount_option_home_nosuid - - no_reboot_needed - -- name: Ensure permission nodev are set on var_removable_partition - lineinfile: - path: /etc/fstab - regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$ - backrefs: true - line: \1 \2 \3 \4,nodev \5 - when: - - configure_strategy | bool - - high_disruption | bool - - low_complexity | bool - - low_severity | bool - - mount_option_nodev_removable_partitions | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82742-8 - - DISA-STIG-RHEL-08-010600 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 - - configure_strategy - - high_disruption - - low_complexity - - low_severity - - mount_option_nodev_removable_partitions + - mount_option_var_log_audit_noexec - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/tmp' + command: findmnt --fstab '/var/log/audit' register: device_name failed_when: device_name.rc > 1 changed_when: false 
@@ -7649,12 +7638,12 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nodev | bool + - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82623-0 - - DISA-STIG-RHEL-08-040123 + - CCE-82080-3 + - DISA-STIG-RHEL-08-040129 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7665,7 +7654,7 @@ - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nodev + - mount_option_var_log_audit_nodev - no_reboot_needed - name: Create mount_info dictionary variable @@ -7679,14 +7668,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nodev | bool + - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-82623-0 - - DISA-STIG-RHEL-08-040123 + - CCE-82080-3 + - DISA-STIG-RHEL-08-040129 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7697,10 +7686,10 @@ - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nodev + - mount_option_var_log_audit_nodev - no_reboot_needed -- name: If /tmp not mounted, craft mount_info manually +- name: If /var/log/audit not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -7708,7 +7697,7 @@ - source - fstype - options - - - /tmp + - - /var/log/audit - '' - '' - defaults 
@@ -7717,14 +7706,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nodev | bool + - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-82623-0 - - DISA-STIG-RHEL-08-040123 + - CCE-82080-3 + - DISA-STIG-RHEL-08-040129 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7735,10 +7724,10 @@ - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nodev + - mount_option_var_log_audit_nodev - no_reboot_needed -- name: Make sure nodev option is part of the to /tmp options +- name: Make sure nodev option is part of the to /var/log/audit options set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' when: @@ -7746,13 +7735,13 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nodev | bool + - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - mount_info is defined and "nodev" not in mount_info.options tags: - - CCE-82623-0 - - DISA-STIG-RHEL-08-040123 + - CCE-82080-3 + - DISA-STIG-RHEL-08-040129 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7763,12 +7752,12 @@ - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nodev + - mount_option_var_log_audit_nodev - no_reboot_needed -- name: Ensure /tmp is mounted with nodev option +- name: Ensure /var/log/audit is mounted with nodev option mount: - path: /tmp + path: /var/log/audit src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted 
@@ -7778,13 +7767,13 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nodev | bool + - mount_option_var_log_audit_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-82623-0 - - DISA-STIG-RHEL-08-040123 + - CCE-82080-3 + - DISA-STIG-RHEL-08-040129 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7795,11 +7784,11 @@ - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nodev + - mount_option_var_log_audit_nodev - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt '/dev/shm' + command: findmnt --fstab '/var/log' register: device_name failed_when: device_name.rc > 1 changed_when: false @@ -7807,13 +7796,13 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_noexec | bool + - medium_severity | bool + - mount_option_var_log_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80838-6 - - DISA-STIG-RHEL-08-040122 + - CCE-82077-9 + - DISA-STIG-RHEL-08-040126 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7823,8 +7812,8 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_noexec + - medium_severity + - mount_option_var_log_nodev - no_reboot_needed - name: Create mount_info dictionary variable 
@@ -7837,15 +7826,15 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_noexec | bool + - medium_severity | bool + - mount_option_var_log_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-80838-6 - - DISA-STIG-RHEL-08-040122 + - CCE-82077-9 + - DISA-STIG-RHEL-08-040126 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7855,11 +7844,11 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_noexec + - medium_severity + - mount_option_var_log_nodev - no_reboot_needed -- name: If /dev/shm not mounted, craft mount_info manually +- name: If /var/log not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -7867,23 +7856,23 @@ - source - fstype - options - - - /dev/shm - - tmpfs - - tmpfs + - - /var/log + - '' + - '' - defaults when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_noexec | bool + - medium_severity | bool + - mount_option_var_log_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("" | length == 0) + - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-80838-6 - - DISA-STIG-RHEL-08-040122 + - CCE-82077-9 + - DISA-STIG-RHEL-08-040126 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
@@ -7893,25 +7882,25 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_noexec + - medium_severity + - mount_option_var_log_nodev - no_reboot_needed -- name: Make sure noexec option is part of the to /dev/shm options +- name: Make sure nodev option is part of the to /var/log options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_noexec | bool + - medium_severity | bool + - mount_option_var_log_nodev | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "noexec" not in mount_info.options + - mount_info is defined and "nodev" not in mount_info.options tags: - - CCE-80838-6 - - DISA-STIG-RHEL-08-040122 + - CCE-82077-9 + - DISA-STIG-RHEL-08-040126 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -7921,13 +7910,13 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_noexec + - medium_severity + - mount_option_var_log_nodev - no_reboot_needed -- name: Ensure /dev/shm is mounted with noexec option +- name: Ensure /var/log is mounted with nodev option mount: - path: /dev/shm + path: /var/log src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted 
@@ -7936,14 +7925,14 @@
 - configure_strategy | bool
 - high_disruption | bool
 - low_complexity | bool
- - low_severity | bool
- - mount_option_dev_shm_noexec | bool
+ - medium_severity | bool
+ - mount_option_var_log_nodev | bool
 - no_reboot_needed | bool
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0)
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
 tags:
- - CCE-80838-6
- - DISA-STIG-RHEL-08-040122
+ - CCE-82077-9
+ - DISA-STIG-RHEL-08-040126
 - NIST-800-53-AC-6
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
@@ -7953,32 +7942,27 @@
 - configure_strategy
 - high_disruption
 - low_complexity
- - low_severity
- - mount_option_dev_shm_noexec
+ - medium_severity
+ - mount_option_var_log_nodev
 - no_reboot_needed

-- name: Ensure non-root local partitions are mounted with nodev option
- mount:
- path: '{{ item.mount }}'
- src: '{{ item.device }}'
- opts: '{{ item.options }},nodev'
- state: mounted
- fstype: '{{ item.fstype }}'
- when:
- - configure_strategy | bool
+- name: Ensure permission nosuid are set on var_removable_partition
+ lineinfile:
+ path: /etc/fstab
+ regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$
+ backrefs: true
+ line: \1 \2 \3 \4,nosuid \5
+ when:
+ - configure_strategy | bool
 - high_disruption | bool
 - low_complexity | bool
 - medium_severity | bool
- - mount_option_nodev_nonroot_local_partitions | bool
+ - mount_option_nosuid_removable_partitions | bool
 - no_reboot_needed | bool
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - item.mount is match('/\w')
- - item.options is not search('nodev')
- with_items:
- - '{{ ansible_facts.mounts }}'
 tags:
- - CCE-82069-6
- - DISA-STIG-RHEL-08-010580
+ - CCE-82744-4
+ - DISA-STIG-RHEL-08-010620
 - NIST-800-53-AC-6
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
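Review bot: The new `lineinfile` task appends `,nosuid` to the options field on every run: with `backrefs: true` the line is rewritten whenever `regexp` matches, and neither the regexp nor the `when` list excludes a line that already carries `nosuid`, so a second run produces `defaults,nosuid,nosuid` and the task reports `changed` forever — the loop it replaces had exactly such a guard, `item.options is not search('nodev')`. Add a negative lookahead on the options field, `regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+(?![^\s]*nosuid)([^\s]*)(.*)$`, which keeps the group numbering used by `line: \1 \2 \3 \4,nosuid \5` and makes the task idempotent. Note also that editing /etc/fstab does not change a filesystem that is currently mounted; unlike the /var/log tasks above, which end in `mount:` with `state: mounted`, this one only takes effect at the next mount, which the `no_reboot_needed` tag does not make obvious.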
@@ -7989,11 +7973,71 @@ - high_disruption - low_complexity - medium_severity - - mount_option_nodev_nonroot_local_partitions + - mount_option_nosuid_removable_partitions + - no_reboot_needed + +- name: Ensure permission nodev are set on var_removable_partition + lineinfile: + path: /etc/fstab + regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$ + backrefs: true + line: \1 \2 \3 \4,nodev \5 + when: + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool + - low_severity | bool + - mount_option_nodev_removable_partitions | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82742-8 + - DISA-STIG-RHEL-08-010600 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_nodev_removable_partitions + - no_reboot_needed + +- name: Ensure permission noexec are set on var_removable_partition + lineinfile: + path: /etc/fstab + regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$ + backrefs: true + line: \1 \2 \3 \4,noexec \5 + when: + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool + - medium_severity | bool + - mount_option_noexec_removable_partitions | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82746-9 + - DISA-STIG-RHEL-08-010610 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_noexec_removable_partitions - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/var/log' + 
command: findmnt --fstab '/tmp' register: device_name failed_when: device_name.rc > 1 changed_when: false @@ -8002,12 +8046,12 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nodev | bool + - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82077-9 - - DISA-STIG-RHEL-08-040126 + - CCE-82140-5 + - DISA-STIG-RHEL-08-040124 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8018,7 +8062,7 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nodev + - mount_option_tmp_nosuid - no_reboot_needed - name: Create mount_info dictionary variable @@ -8032,14 +8076,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nodev | bool + - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-82077-9 - - DISA-STIG-RHEL-08-040126 + - CCE-82140-5 + - DISA-STIG-RHEL-08-040124 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8050,10 +8094,10 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nodev + - mount_option_tmp_nosuid - no_reboot_needed -- name: If /var/log not mounted, craft mount_info manually +- name: If /tmp not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -8061,7 +8105,7 @@ - source - fstype - options - - - /var/log + - - /tmp - '' - '' - defaults 
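Review bot: `var_removable_partition` is interpolated into `regexp` unescaped in both new `lineinfile` tasks, so a value containing regex metacharacters (a `LABEL=` spec with a `.`, a device name with `+`) is interpreted as pattern syntax rather than as the literal device and may match a different fstab line or none at all, and an empty value turns the pattern into `^\s*()\s+…`, which matches any indented fstab line. Escape it at the point of use, `regexp: ^\s*({{ var_removable_partition | regex_escape }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$`, and consider an `assert` that the variable is non-empty before the first of these tasks; the nosuid task in the preceding hunk uses the same unescaped pattern. Both tasks also re-append their option on every run, since nothing in `regexp` or `when` excludes a line that already has it.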
@@ -8070,14 +8114,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nodev | bool + - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-82077-9 - - DISA-STIG-RHEL-08-040126 + - CCE-82140-5 + - DISA-STIG-RHEL-08-040124 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8088,24 +8132,24 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nodev + - mount_option_tmp_nosuid - no_reboot_needed -- name: Make sure nodev option is part of the to /var/log options +- name: Make sure nosuid option is part of the to /tmp options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nodev | bool + - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "nodev" not in mount_info.options + - mount_info is defined and "nosuid" not in mount_info.options tags: - - CCE-82077-9 - - DISA-STIG-RHEL-08-040126 + - CCE-82140-5 + - DISA-STIG-RHEL-08-040124 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8116,12 +8160,12 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nodev + - mount_option_tmp_nosuid - no_reboot_needed -- name: Ensure /var/log is mounted with nodev option +- name: Ensure /tmp is mounted with nosuid option mount: - path: /var/log + path: /tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted 
@@ -8131,13 +8175,13 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_nodev | bool + - mount_option_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-82077-9 - - DISA-STIG-RHEL-08-040126 + - CCE-82140-5 + - DISA-STIG-RHEL-08-040124 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8148,11 +8192,11 @@ - high_disruption - low_complexity - medium_severity - - mount_option_var_log_nodev + - mount_option_tmp_nosuid - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/boot' + command: findmnt --fstab '/var/log' register: device_name failed_when: device_name.rc > 1 changed_when: false @@ -8161,12 +8205,12 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_boot_nosuid | bool + - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81033-3 - - DISA-STIG-RHEL-08-010571 + - CCE-82065-4 + - DISA-STIG-RHEL-08-040127 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8177,7 +8221,7 @@ - high_disruption - low_complexity - medium_severity - - mount_option_boot_nosuid + - mount_option_var_log_nosuid - no_reboot_needed - name: Create mount_info dictionary variable 
@@ -8191,14 +8235,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_boot_nosuid | bool + - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-81033-3 - - DISA-STIG-RHEL-08-010571 + - CCE-82065-4 + - DISA-STIG-RHEL-08-040127 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8209,10 +8253,10 @@ - high_disruption - low_complexity - medium_severity - - mount_option_boot_nosuid + - mount_option_var_log_nosuid - no_reboot_needed -- name: If /boot not mounted, craft mount_info manually +- name: If /var/log not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -8220,7 +8264,7 @@ - source - fstype - options - - - /boot + - - /var/log - '' - '' - defaults @@ -8229,14 +8273,14 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_boot_nosuid | bool + - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-81033-3 - - DISA-STIG-RHEL-08-010571 + - CCE-82065-4 + - DISA-STIG-RHEL-08-040127 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8247,10 +8291,10 @@ - high_disruption - low_complexity - medium_severity - - mount_option_boot_nosuid + - mount_option_var_log_nosuid - no_reboot_needed -- name: Make sure nosuid option is part of the to /boot options +- name: Make sure nosuid option is part of the to /var/log options set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: 
@@ -8258,13 +8302,13 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_boot_nosuid | bool + - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - mount_info is defined and "nosuid" not in mount_info.options tags: - - CCE-81033-3 - - DISA-STIG-RHEL-08-010571 + - CCE-82065-4 + - DISA-STIG-RHEL-08-040127 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8275,12 +8319,12 @@ - high_disruption - low_complexity - medium_severity - - mount_option_boot_nosuid + - mount_option_var_log_nosuid - no_reboot_needed -- name: Ensure /boot is mounted with nosuid option +- name: Ensure /var/log is mounted with nosuid option mount: - path: /boot + path: /var/log src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted @@ -8290,13 +8334,13 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_boot_nosuid | bool + - mount_option_var_log_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-81033-3 - - DISA-STIG-RHEL-08-010571 + - CCE-82065-4 + - DISA-STIG-RHEL-08-040127 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8307,11 +8351,11 @@ - high_disruption - low_complexity - medium_severity - - mount_option_boot_nosuid + - mount_option_var_log_nosuid - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/var/log/audit' + command: findmnt '/dev/shm' register: device_name failed_when: device_name.rc > 1 changed_when: false 
@@ -8319,13 +8363,13 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_audit_nosuid | bool + - low_severity | bool + - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82921-8 - - DISA-STIG-RHEL-08-040130 + - CCE-80838-6 + - DISA-STIG-RHEL-08-040122 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8335,8 +8379,8 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_var_log_audit_nosuid + - low_severity + - mount_option_dev_shm_noexec - no_reboot_needed - name: Create mount_info dictionary variable @@ -8349,15 +8393,15 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_audit_nosuid | bool + - low_severity | bool + - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-82921-8 - - DISA-STIG-RHEL-08-040130 + - CCE-80838-6 + - DISA-STIG-RHEL-08-040122 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8367,11 +8411,11 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_var_log_audit_nosuid + - low_severity + - mount_option_dev_shm_noexec - no_reboot_needed -- name: If /var/log/audit not mounted, craft mount_info manually +- name: If /dev/shm not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: 
@@ -8379,23 +8423,23 @@ - source - fstype - options - - - /var/log/audit - - '' - - '' + - - /dev/shm + - tmpfs + - tmpfs - defaults when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_audit_nosuid | bool + - low_severity | bool + - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("--fstab" | length == 0) + - ("" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-82921-8 - - DISA-STIG-RHEL-08-040130 + - CCE-80838-6 + - DISA-STIG-RHEL-08-040122 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8405,25 +8449,25 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_var_log_audit_nosuid + - low_severity + - mount_option_dev_shm_noexec - no_reboot_needed -- name: Make sure nosuid option is part of the to /var/log/audit options +- name: Make sure noexec option is part of the to /dev/shm options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_audit_nosuid | bool + - low_severity | bool + - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "nosuid" not in mount_info.options + - mount_info is defined and "noexec" not in mount_info.options tags: - - CCE-82921-8 - - DISA-STIG-RHEL-08-040130 + - CCE-80838-6 + - DISA-STIG-RHEL-08-040122 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
@@ -8433,13 +8477,13 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_var_log_audit_nosuid + - low_severity + - mount_option_dev_shm_noexec - no_reboot_needed -- name: Ensure /var/log/audit is mounted with nosuid option +- name: Ensure /dev/shm is mounted with noexec option mount: - path: /var/log/audit + path: /dev/shm src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted @@ -8448,14 +8492,14 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - medium_severity | bool - - mount_option_var_log_audit_nosuid | bool + - low_severity | bool + - mount_option_dev_shm_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) tags: - - CCE-82921-8 - - DISA-STIG-RHEL-08-040130 + - CCE-80838-6 + - DISA-STIG-RHEL-08-040122 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8465,12 +8509,12 @@ - configure_strategy - high_disruption - low_complexity - - medium_severity - - mount_option_var_log_audit_nosuid + - low_severity + - mount_option_dev_shm_noexec - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/var/log' + command: findmnt --fstab '/var/tmp' register: device_name failed_when: device_name.rc > 1 changed_when: false 
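Review bot: For /dev/shm the option string handed to `opts: '{{ mount_info.options }}'` comes from a live `findmnt '/dev/shm'` (the check two hunks earlier deliberately has no `--fstab`), so it is the kernel-reported option set rather than something an administrator wrote, and `state: mounted` then persists that string verbatim into /etc/fstab with `,noexec` appended. Runtime-reported flags such as `seclabel` on SELinux hosts end up in fstab this way; the kernel appears to tolerate that, but it is fragile and worth either filtering to known fstab options before the write or pinning the list explicitly. The `when` here is always true because of the `("" | length == 0)` literal, so this task runs even when findmnt returned nothing and the crafted tmpfs entry is used — presumably intended for /dev/shm, but a one-line comment saying so would stop the next reader from treating it as a typo.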
@@ -8479,23 +8523,17 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_noexec | bool + - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82008-4 - - DISA-STIG-RHEL-08-040128 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-82154-6 + - DISA-STIG-RHEL-08-040133 - configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_var_log_noexec + - mount_option_var_tmp_nosuid - no_reboot_needed - name: Create mount_info dictionary variable @@ -8509,28 +8547,22 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_noexec | bool + - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-82008-4 - - DISA-STIG-RHEL-08-040128 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-82154-6 + - DISA-STIG-RHEL-08-040133 - configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_var_log_noexec + - mount_option_var_tmp_nosuid - no_reboot_needed -- name: If /var/log not mounted, craft mount_info manually +- name: If /var/tmp not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -8538,7 +8570,7 @@ - source - fstype - options - - - /var/log + - - /var/tmp - '' - '' - defaults 
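Review bot: The retagged /var/tmp nosuid tasks lose the six `NIST-800-53-*` tags (`NIST-800-53-AC-6` through `NIST-800-53-MP-7`) that every sibling mount task in this file still carries — the /var/log and /home variants keep them — while retaining only the CCE and DISA-STIG tags. Tags are how callers scope a run, so `ansible-playbook --tags NIST-800-53-CM-7(b)` will now apply the /var/log and /home hardening but silently skip /var/tmp; the same drop recurs for the /var/tmp noexec tasks further down. If the control mapping was changed upstream on purpose this is fine, otherwise restore the `NIST-800-53-*` entries under `tags:` on each of these tasks.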
@@ -8547,58 +8579,46 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_noexec | bool + - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-82008-4 - - DISA-STIG-RHEL-08-040128 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-82154-6 + - DISA-STIG-RHEL-08-040133 - configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_var_log_noexec + - mount_option_var_tmp_nosuid - no_reboot_needed -- name: Make sure noexec option is part of the to /var/log options +- name: Make sure nosuid option is part of the to /var/tmp options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_noexec | bool + - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "noexec" not in mount_info.options + - mount_info is defined and "nosuid" not in mount_info.options tags: - - CCE-82008-4 - - DISA-STIG-RHEL-08-040128 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-82154-6 + - DISA-STIG-RHEL-08-040133 - configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_var_log_noexec + - mount_option_var_tmp_nosuid - no_reboot_needed -- name: Ensure /var/log is mounted with noexec option +- name: Ensure /var/tmp is mounted 
with nosuid option mount: - path: /var/log + path: /var/tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted @@ -8608,28 +8628,22 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_var_log_noexec | bool + - mount_option_var_tmp_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-82008-4 - - DISA-STIG-RHEL-08-040128 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-82154-6 + - DISA-STIG-RHEL-08-040133 - configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_var_log_noexec + - mount_option_var_tmp_nosuid - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt '/dev/shm' + command: findmnt --fstab '/home' register: device_name failed_when: device_name.rc > 1 changed_when: false @@ -8637,13 +8651,13 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nosuid | bool + - medium_severity | bool + - mount_option_home_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80839-4 - - DISA-STIG-RHEL-08-040121 + - CCE-81050-7 + - DISA-STIG-RHEL-08-010570 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8653,8 +8667,8 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nosuid + - medium_severity + - mount_option_home_nosuid - no_reboot_needed - name: Create mount_info dictionary variable 
@@ -8667,15 +8681,15 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nosuid | bool + - medium_severity | bool + - mount_option_home_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-80839-4 - - DISA-STIG-RHEL-08-040121 + - CCE-81050-7 + - DISA-STIG-RHEL-08-010570 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8685,11 +8699,11 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nosuid + - medium_severity + - mount_option_home_nosuid - no_reboot_needed -- name: If /dev/shm not mounted, craft mount_info manually +- name: If /home not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -8697,23 +8711,23 @@ - source - fstype - options - - - /dev/shm - - tmpfs - - tmpfs + - - /home + - '' + - '' - defaults when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nosuid | bool + - medium_severity | bool + - mount_option_home_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - ("" | length == 0) + - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-80839-4 - - DISA-STIG-RHEL-08-040121 + - CCE-81050-7 + - DISA-STIG-RHEL-08-010570 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
@@ -8723,25 +8737,25 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nosuid + - medium_severity + - mount_option_home_nosuid - no_reboot_needed -- name: Make sure nosuid option is part of the to /dev/shm options +- name: Make sure nosuid option is part of the to /home options set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nosuid | bool + - medium_severity | bool + - mount_option_home_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - mount_info is defined and "nosuid" not in mount_info.options tags: - - CCE-80839-4 - - DISA-STIG-RHEL-08-040121 + - CCE-81050-7 + - DISA-STIG-RHEL-08-010570 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8751,13 +8765,13 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nosuid + - medium_severity + - mount_option_home_nosuid - no_reboot_needed -- name: Ensure /dev/shm is mounted with nosuid option +- name: Ensure /home is mounted with nosuid option mount: - path: /dev/shm + path: /home src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted 
@@ -8766,14 +8780,14 @@ - configure_strategy | bool - high_disruption | bool - low_complexity | bool - - low_severity | bool - - mount_option_dev_shm_nosuid | bool + - medium_severity | bool + - mount_option_home_nosuid | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-80839-4 - - DISA-STIG-RHEL-08-040121 + - CCE-81050-7 + - DISA-STIG-RHEL-08-010570 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -8783,12 +8797,12 @@ - configure_strategy - high_disruption - low_complexity - - low_severity - - mount_option_dev_shm_nosuid + - medium_severity + - mount_option_home_nosuid - no_reboot_needed - name: Check information associated to mountpoint - command: findmnt --fstab '/tmp' + command: findmnt --fstab '/var/tmp' register: device_name failed_when: device_name.rc > 1 changed_when: false @@ -8797,23 +8811,17 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nosuid | bool + - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82140-5 - - DISA-STIG-RHEL-08-040124 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-82151-2 + - DISA-STIG-RHEL-08-040134 - configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nosuid + - mount_option_var_tmp_noexec - no_reboot_needed - name: Create mount_info dictionary variable 
@@ -8827,28 +8835,22 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nosuid | bool + - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) tags: - - CCE-82140-5 - - DISA-STIG-RHEL-08-040124 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-82151-2 + - DISA-STIG-RHEL-08-040134 - configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nosuid + - mount_option_var_tmp_noexec - no_reboot_needed -- name: If /tmp not mounted, craft mount_info manually +- name: If /var/tmp not mounted, craft mount_info manually set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: @@ -8856,7 +8858,7 @@ - source - fstype - options - - - /tmp + - - /var/tmp - '' - '' - defaults 
@@ -8865,58 +8867,46 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nosuid | bool + - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ("--fstab" | length == 0) - (device_name.stdout | length == 0) tags: - - CCE-82140-5 - - DISA-STIG-RHEL-08-040124 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-82151-2 + - DISA-STIG-RHEL-08-040134 - configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nosuid + - mount_option_var_tmp_noexec - no_reboot_needed -- name: Make sure nosuid option is part of the to /tmp options +- name: Make sure noexec option is part of the to /var/tmp options set_fact: - mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - configure_strategy | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nosuid | bool + - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - mount_info is defined and "nosuid" not in mount_info.options + - mount_info is defined and "noexec" not in mount_info.options tags: - - CCE-82140-5 - - DISA-STIG-RHEL-08-040124 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-MP-7 + - CCE-82151-2 + - DISA-STIG-RHEL-08-040134 - configure_strategy - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nosuid + - mount_option_var_tmp_noexec - no_reboot_needed -- name: Ensure /tmp is mounted with nosuid option +- name: Ensure /var/tmp is mounted with noexec option mount: - 
path: /tmp + path: /var/tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }}' state: mounted @@ -8926,13 +8916,36 @@ - high_disruption | bool - low_complexity | bool - medium_severity | bool - - mount_option_tmp_nosuid | bool + - mount_option_var_tmp_noexec | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-82140-5 - - DISA-STIG-RHEL-08-040124 + - CCE-82151-2 + - DISA-STIG-RHEL-08-040134 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_tmp_noexec + - no_reboot_needed + +- name: Check information associated to mountpoint + command: findmnt --fstab '/var/log/audit' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool + - medium_severity | bool + - mount_option_var_log_audit_nosuid | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82921-8 + - DISA-STIG-RHEL-08-040130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
@@ -8943,823 +8956,978 @@ - high_disruption - low_complexity - medium_severity - - mount_option_tmp_nosuid + - mount_option_var_log_audit_nosuid - no_reboot_needed -- name: Get all world-writable directories with no sticky bits set - shell: 'set -o pipefail - - df --local -P | awk ''{if (NR!=1) print $6}'' | xargs -I ''{}'' find ''{}'' -xdev -type d \( -perm -0002 -a ! -perm -1000 - \) 2>/dev/null - - ' - register: dir_output +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool + - medium_severity | bool + - mount_option_var_log_audit_nosuid | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) tags: - - CCE-80783-4 - - DISA-STIG-RHEL-08-010190 + - CCE-82921-8 + - DISA-STIG-RHEL-08-040130 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - dir_perms_world_writable_sticky_bits + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption - low_complexity - - low_disruption - medium_severity + - mount_option_var_log_audit_nosuid - no_reboot_needed - - restrict_strategy + +- name: If /var/log/audit not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /var/log/audit + - '' + - '' + - defaults when: - - dir_perms_world_writable_sticky_bits | bool + - configure_strategy | bool + - high_disruption | bool - low_complexity | bool - - low_disruption | bool - medium_severity | bool + - 
mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - restrict_strategy | bool - -- name: ensure sticky bit is set - file: - path: '{{ item }}' - mode: a+t - with_items: - - '{{ dir_output.stdout_lines }}' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) tags: - - CCE-80783-4 - - DISA-STIG-RHEL-08-010190 + - CCE-82921-8 + - DISA-STIG-RHEL-08-040130 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - dir_perms_world_writable_sticky_bits + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption - low_complexity - - low_disruption - medium_severity + - mount_option_var_log_audit_nosuid - no_reboot_needed - - restrict_strategy - when: - - dir_perms_world_writable_sticky_bits | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Ensure sysctl fs.protected_hardlinks is set to 1 - sysctl: - name: fs.protected_hardlinks - value: '1' - state: present - reload: true +- name: Make sure nosuid option is part of the to /var/log/audit options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - - disable_strategy | bool + - configure_strategy | bool + - high_disruption | bool - low_complexity | bool - - medium_disruption | bool - medium_severity | bool - - reboot_required | bool - - sysctl_fs_protected_hardlinks | bool + - mount_option_var_log_audit_nosuid | bool + - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options tags: - - CCE-81027-5 - - DISA-STIG-RHEL-08-010374 + - CCE-82921-8 + - DISA-STIG-RHEL-08-040130 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - disable_strategy - - 
low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_fs_protected_hardlinks - -- name: Configure excluded (non local) file systems - set_fact: - excluded_fstypes: - - afs - - ceph - - cifs - - smb3 - - smbfs - - sshfs - - ncpfs - - ncp - - nfs - - nfs4 - - gfs - - gfs2 - - glusterfs - - gpfs - - pvfs2 - - ocfs2 - - lustre - - davfs - - fuse.sshfs - tags: - - CCE-83375-6 - - DISA-STIG-RHEL-08-010700 - - dir_perms_world_writable_root_owned + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption - low_complexity - - medium_disruption - medium_severity + - mount_option_var_log_audit_nosuid - no_reboot_needed - - restrict_strategy + +- name: Ensure /var/log/audit is mounted with nosuid option + mount: + path: /var/log/audit + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' when: - - dir_perms_world_writable_root_owned | bool + - configure_strategy | bool + - high_disruption | bool - low_complexity | bool - - medium_disruption | bool - medium_severity | bool + - mount_option_var_log_audit_nosuid | bool - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Create empty list of excluded paths - set_fact: - excluded_paths: [] + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-83375-6 - - DISA-STIG-RHEL-08-010700 - - dir_perms_world_writable_root_owned + - CCE-82921-8 + - DISA-STIG-RHEL-08-040130 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption - low_complexity - - medium_disruption - medium_severity + - mount_option_var_log_audit_nosuid - no_reboot_needed - - restrict_strategy - when: - - 
dir_perms_world_writable_root_owned | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Detect nonlocal file systems and add them to excluded paths - set_fact: - excluded_paths: '{{ excluded_paths | union([item.mount]) }}' - loop: '{{ ansible_mounts }}' +- name: Check information associated to mountpoint + command: findmnt --fstab '/tmp' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false when: - - dir_perms_world_writable_root_owned | bool + - configure_strategy | bool + - high_disruption | bool - low_complexity | bool - - medium_disruption | bool - medium_severity | bool + - mount_option_tmp_noexec | bool - no_reboot_needed | bool - - restrict_strategy | bool - - item.fstype in excluded_fstypes + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83375-6 - - DISA-STIG-RHEL-08-010700 - - dir_perms_world_writable_root_owned + - CCE-82139-7 + - DISA-STIG-RHEL-08-040125 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption - low_complexity - - medium_disruption - medium_severity + - mount_option_tmp_noexec - no_reboot_needed - - restrict_strategy -- name: Find all directories excluding non-local partitions - find: - paths: / - excludes: excluded_paths - file_type: directory - hidden: true - recurse: true - register: found_dirs - tags: - - CCE-83375-6 - - DISA-STIG-RHEL-08-010700 - - dir_perms_world_writable_root_owned - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ 
device_name.stdout_lines[1].split() | list }}' when: - - dir_perms_world_writable_root_owned | bool + - configure_strategy | bool + - high_disruption | bool - low_complexity | bool - - medium_disruption | bool - medium_severity | bool + - mount_option_tmp_noexec | bool - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Create list of world writable directories - set_fact: - world_writable_dirs: '{{ found_dirs.files | selectattr(''woth'') | list }}' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) tags: - - CCE-83375-6 - - DISA-STIG-RHEL-08-010700 - - dir_perms_world_writable_root_owned + - CCE-82139-7 + - DISA-STIG-RHEL-08-040125 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption - low_complexity - - medium_disruption - medium_severity + - mount_option_tmp_noexec - no_reboot_needed - - restrict_strategy + +- name: If /tmp not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /tmp + - '' + - '' + - defaults when: - - dir_perms_world_writable_root_owned | bool + - configure_strategy | bool + - high_disruption | bool - low_complexity | bool - - medium_disruption | bool - medium_severity | bool + - mount_option_tmp_noexec | bool - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Change owner to root on directories which are world writable - file: - path: '{{ item.path }}' - owner: root - loop: '{{ world_writable_dirs }}' - ignore_errors: true + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) tags: - - CCE-83375-6 - - 
DISA-STIG-RHEL-08-010700 - - dir_perms_world_writable_root_owned + - CCE-82139-7 + - DISA-STIG-RHEL-08-040125 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption - low_complexity - - medium_disruption - medium_severity + - mount_option_tmp_noexec - no_reboot_needed - - restrict_strategy - when: - - dir_perms_world_writable_root_owned | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Ensure sysctl fs.protected_symlinks is set to 1 - sysctl: - name: fs.protected_symlinks - value: '1' - state: present - reload: true +- name: Make sure noexec option is part of the to /tmp options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: - - disable_strategy | bool + - configure_strategy | bool + - high_disruption | bool - low_complexity | bool - - medium_disruption | bool - medium_severity | bool - - reboot_required | bool - - sysctl_fs_protected_symlinks | bool + - mount_option_tmp_noexec | bool + - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "noexec" not in mount_info.options tags: - - CCE-81030-9 - - DISA-STIG-RHEL-08-010373 + - CCE-82139-7 + - DISA-STIG-RHEL-08-040125 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - disable_strategy + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_fs_protected_symlinks - -- name: Read list of world and group writable system executables - command: find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec -perm /022 -type f - register: 
world_writable_library_files - changed_when: false - failed_when: false - check_mode: false - tags: - - CCE-80809-7 - - DISA-STIG-RHEL-08-010300 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) - - file_permissions_binary_dirs - - medium_complexity - - medium_disruption - medium_severity + - mount_option_tmp_noexec - no_reboot_needed - - restrict_strategy - when: - - file_permissions_binary_dirs | bool - - medium_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Remove world/group writability of system executables - file: - path: '{{ item }}' - mode: go-w - with_items: '{{ world_writable_library_files.stdout_lines }}' +- name: Ensure /tmp is mounted with noexec option + mount: + path: /tmp + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' when: - - file_permissions_binary_dirs | bool - - medium_complexity | bool - - medium_disruption | bool + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool - medium_severity | bool + - mount_option_tmp_noexec | bool - no_reboot_needed | bool - - restrict_strategy | bool - - world_writable_library_files.stdout_lines | length > 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - - CCE-80809-7 - - DISA-STIG-RHEL-08-010300 + - CCE-82139-7 + - DISA-STIG-RHEL-08-040125 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - file_permissions_binary_dirs - - medium_complexity - - medium_disruption + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity - medium_severity + - mount_option_tmp_noexec - no_reboot_needed - - restrict_strategy -- name: Read list of system executables without root ownership - command: find 
/bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \! -user root - register: no_root_system_executables +- name: Check information associated to mountpoint + command: findmnt '/dev/shm' + register: device_name + failed_when: device_name.rc > 1 changed_when: false - failed_when: false - check_mode: false + when: + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool + - low_severity | bool + - mount_option_dev_shm_nosuid | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80806-3 - - DISA-STIG-RHEL-08-010310 + - CCE-80839-4 + - DISA-STIG-RHEL-08-040121 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - file_ownership_binary_dirs - - medium_complexity - - medium_disruption - - medium_severity + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nosuid - no_reboot_needed - - restrict_strategy - when: - - file_ownership_binary_dirs | bool - - medium_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Set ownership to root of system executables - file: - path: '{{ item }}' - owner: root - with_items: '{{ no_root_system_executables.stdout_lines }}' +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' when: - - file_ownership_binary_dirs | bool - - medium_complexity | bool - - medium_disruption | bool - - medium_severity | bool + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool + - low_severity | bool + - mount_option_dev_shm_nosuid | bool - no_reboot_needed | bool - - 
restrict_strategy | bool - - no_root_system_executables.stdout_lines | length > 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) tags: - - CCE-80806-3 - - DISA-STIG-RHEL-08-010310 + - CCE-80839-4 + - DISA-STIG-RHEL-08-040121 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - file_ownership_binary_dirs - - medium_complexity - - medium_disruption - - medium_severity + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nosuid - no_reboot_needed - - restrict_strategy -- name: Read list of world and group writable files in libraries directories - command: find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f - register: world_writable_library_files - changed_when: false - failed_when: false - check_mode: false +- name: If /dev/shm not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /dev/shm + - tmpfs + - tmpfs + - defaults + when: + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool + - low_severity | bool + - mount_option_dev_shm_nosuid | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("" | length == 0) + - (device_name.stdout | length == 0) tags: - - CCE-80815-4 - - DISA-STIG-RHEL-08-010330 + - CCE-80839-4 + - DISA-STIG-RHEL-08-040121 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - file_permissions_library_dirs - - high_complexity - - medium_disruption - - medium_severity + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - 
low_severity + - mount_option_dev_shm_nosuid - no_reboot_needed - - restrict_strategy - when: - - file_permissions_library_dirs | bool - - high_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Disable world/group writability to library files - file: - path: '{{ item }}' - mode: go-w - with_items: '{{ world_writable_library_files.stdout_lines }}' +- name: Make sure nosuid option is part of the to /dev/shm options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: - - file_permissions_library_dirs | bool - - high_complexity | bool - - medium_disruption | bool - - medium_severity | bool + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool + - low_severity | bool + - mount_option_dev_shm_nosuid | bool - no_reboot_needed | bool - - restrict_strategy | bool - - world_writable_library_files.stdout_lines | length > 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options tags: - - CCE-80815-4 - - DISA-STIG-RHEL-08-010330 + - CCE-80839-4 + - DISA-STIG-RHEL-08-040121 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - file_permissions_library_dirs - - high_complexity - - medium_disruption - - medium_severity + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nosuid - no_reboot_needed - - restrict_strategy -- name: Read list libraries without root ownership - command: find -L /usr/lib /usr/lib64 /lib /lib64 \! 
-user root - register: libraries_not_owned_by_root - changed_when: false - failed_when: false - check_mode: false +- name: Ensure /dev/shm is mounted with nosuid option + mount: + path: /dev/shm + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - configure_strategy | bool + - high_disruption | bool + - low_complexity | bool + - low_severity | bool + - mount_option_dev_shm_nosuid | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0) tags: - - CCE-80807-1 - - DISA-STIG-RHEL-08-010340 + - CCE-80839-4 + - DISA-STIG-RHEL-08-040121 + - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - file_ownership_library_dirs - - medium_complexity - - medium_disruption - - medium_severity + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nosuid - no_reboot_needed - - restrict_strategy - when: - - file_ownership_library_dirs | bool - - medium_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Set ownership of system libraries to root - file: - path: '{{ item }}' - owner: root - with_items: '{{ libraries_not_owned_by_root.stdout_lines }}' +- name: Disable service autofs + block: + - name: Gather the service facts + service_facts: null + - name: Disable service autofs + systemd: + name: autofs.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"autofs.service" in ansible_facts.services' when: - - file_ownership_library_dirs | bool - - medium_complexity | bool - - medium_disruption | bool + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - 
no_reboot_needed | bool - - restrict_strategy | bool - - libraries_not_owned_by_root | length > 0 + - service_autofs_disabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80807-1 - - DISA-STIG-RHEL-08-010340 - - NIST-800-53-AC-6(1) + - CCE-80873-3 + - DISA-STIG-RHEL-08-040070 + - NIST-800-171-3.4.6 - NIST-800-53-CM-6(a) - - file_ownership_library_dirs - - medium_complexity - - medium_disruption + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - low_complexity + - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - service_autofs_disabled -- name: Test for existence /var/log/ - stat: - path: /var/log/ - register: file_exists +- name: Unit Socket Exists - autofs.socket + command: systemctl list-unit-files autofs.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_autofs_disabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83663-5 - - DISA-STIG-RHEL-08-010240 - - configure_strategy - - file_permissions_var_log + - CCE-80873-3 + - DISA-STIG-RHEL-08-040070 + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed + - service_autofs_disabled + +- name: Disable socket autofs + systemd: + name: autofs.socket + enabled: 'no' + state: stopped + masked: 'yes' when: - - configure_strategy | bool - - file_permissions_var_log | bool + - disable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - -- name: Ensure permission 0755 on /var/log/ - file: 
- path: /var/log/ - mode: '0755' - when: - - configure_strategy | bool - - file_permissions_var_log | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - file_exists.stat is defined and file_exists.stat.exists + - service_autofs_disabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"autofs.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-83663-5 - - DISA-STIG-RHEL-08-010240 - - configure_strategy - - file_permissions_var_log + - CCE-80873-3 + - DISA-STIG-RHEL-08-040070 + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed + - service_autofs_disabled -- name: Test for existence /var/log/ - stat: - path: /var/log/ - register: file_exists - tags: - - CCE-83659-3 - - DISA-STIG-RHEL-08-010260 - - configure_strategy - - file_groupowner_var_log - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed +- name: Ensure kernel module 'cramfs' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/cramfs.conf + regexp: cramfs + line: install cramfs /bin/true when: - - configure_strategy | bool - - file_groupowner_var_log | bool + - disable_strategy | bool + - kernel_module_cramfs_disabled | bool - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - low_severity | bool + - medium_disruption | bool + - reboot_required | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-81031-7 + - DISA-STIG-RHEL-08-040025 + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_cramfs_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required -- name: Ensure group 
owner 0 on /var/log/ - file: - path: /var/log/ - group: '0' +- name: Ensure kernel module 'usb-storage' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/usb-storage.conf + regexp: usb-storage + line: install usb-storage /bin/true when: - - configure_strategy | bool - - file_groupowner_var_log | bool + - disable_strategy | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - - no_reboot_needed | bool - - file_exists.stat is defined and file_exists.stat.exists + - reboot_required | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83659-3 - - DISA-STIG-RHEL-08-010260 - - configure_strategy - - file_groupowner_var_log + - CCE-80835-2 + - DISA-STIG-RHEL-08-040080 + - NIST-800-171-3.1.21 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - kernel_module_usb-storage_disabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - - no_reboot_needed + - reboot_required -- name: Test for existence /var/log/messages - stat: - path: /var/log/messages - register: file_exists +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-83662-7 - - DISA-STIG-RHEL-08-010220 - - configure_strategy - - file_owner_var_log_messages - - low_complexity + - CCE-80946-7 + - DISA-STIG-RHEL-08-010422 + - NIST-800-53-CM-7(a) + - grub2_vsyscall_argument - low_disruption + - medium_complexity - medium_severity - - no_reboot_needed + - reboot_required + - restrict_strategy when: - - configure_strategy | bool - - file_owner_var_log_messages | bool - - low_complexity | bool + - grub2_vsyscall_argument | bool - low_disruption | bool + - medium_complexity | bool - medium_severity | bool - - no_reboot_needed | bool + - reboot_required | bool + - restrict_strategy | bool -- name: Ensure owner 0 on /var/log/messages - file: - path: /var/log/messages - owner: '0' 
+- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false when: - - configure_strategy | bool - - file_owner_var_log_messages | bool - - low_complexity | bool + - grub2_vsyscall_argument | bool - low_disruption | bool + - medium_complexity | bool - medium_severity | bool - - no_reboot_needed | bool - - file_exists.stat is defined and file_exists.stat.exists - tags: - - CCE-83662-7 - - DISA-STIG-RHEL-08-010220 - - configure_strategy - - file_owner_var_log_messages - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - -- name: Test for existence /var/log/ - stat: - path: /var/log/ - register: file_exists + - reboot_required | bool + - restrict_strategy | bool + - '"grub2-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83661-9 - - DISA-STIG-RHEL-08-010250 - - configure_strategy - - file_owner_var_log - - low_complexity + - CCE-80946-7 + - DISA-STIG-RHEL-08-010422 + - NIST-800-53-CM-7(a) + - grub2_vsyscall_argument - low_disruption + - medium_complexity - medium_severity - - no_reboot_needed - when: - - configure_strategy | bool - - file_owner_var_log | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - reboot_required + - restrict_strategy -- name: Ensure owner 0 on /var/log/ - file: - path: /var/log/ - owner: '0' +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} vsyscall=none" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' when: - - configure_strategy | bool - - file_owner_var_log | bool - - low_complexity | bool + - grub2_vsyscall_argument | bool - low_disruption | bool + - medium_complexity | bool - medium_severity | bool - - no_reboot_needed | bool - - file_exists.stat is defined and file_exists.stat.exists + - reboot_required | bool + - 
restrict_strategy | bool + - '"grub2-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?vsyscall=none(?:\s.*)?$', multiline=True) is none tags: - - CCE-83661-9 - - DISA-STIG-RHEL-08-010250 - - configure_strategy - - file_owner_var_log - - low_complexity + - CCE-80946-7 + - DISA-STIG-RHEL-08-010422 + - NIST-800-53-CM-7(a) + - grub2_vsyscall_argument - low_disruption + - medium_complexity - medium_severity - - no_reboot_needed + - reboot_required + - restrict_strategy -- name: Test for existence /var/log/messages - stat: - path: /var/log/messages - register: file_exists +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-83660-1 - - DISA-STIG-RHEL-08-010230 - - configure_strategy - - file_groupowner_var_log_messages - - low_complexity + - CCE-82194-2 + - DISA-STIG-RHEL-08-040004 + - NIST-800-53-SI-16 + - grub2_pti_argument + - high_severity - low_disruption - - medium_severity - - no_reboot_needed + - medium_complexity + - reboot_required + - restrict_strategy when: - - configure_strategy | bool - - file_groupowner_var_log_messages | bool - - low_complexity | bool + - grub2_pti_argument | bool + - high_severity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - medium_complexity | bool + - reboot_required | bool + - restrict_strategy | bool -- name: Ensure group owner 0 on /var/log/messages - file: - path: /var/log/messages - group: '0' +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false when: - - configure_strategy | bool - - file_groupowner_var_log_messages | bool - - low_complexity | bool + - grub2_pti_argument | bool + - high_severity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | 
bool - - file_exists.stat is defined and file_exists.stat.exists + - medium_complexity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"grub2-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83660-1 - - DISA-STIG-RHEL-08-010230 - - configure_strategy - - file_groupowner_var_log_messages - - low_complexity + - CCE-82194-2 + - DISA-STIG-RHEL-08-040004 + - NIST-800-53-SI-16 + - grub2_pti_argument + - high_severity - low_disruption - - medium_severity - - no_reboot_needed + - medium_complexity + - reboot_required + - restrict_strategy -- name: Test for existence /var/log/messages - stat: - path: /var/log/messages - register: file_exists - tags: - - CCE-83665-0 - - DISA-STIG-RHEL-08-010210 - - configure_strategy - - file_permissions_var_log_messages - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} pti=on" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' when: - - configure_strategy | bool - - file_permissions_var_log_messages | bool - - low_complexity | bool + - grub2_pti_argument | bool + - high_severity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - medium_complexity | bool + - reboot_required | bool + - restrict_strategy | bool + - '"grub2-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?pti=on(?:\s.*)?$', multiline=True) is none + tags: + - CCE-82194-2 + - DISA-STIG-RHEL-08-040004 + - NIST-800-53-SI-16 + - grub2_pti_argument + - high_severity + - low_disruption + - medium_complexity + - reboot_required + - restrict_strategy -- name: Ensure 
permission 0640 on /var/log/messages - file: - path: /var/log/messages - mode: '0640' +- name: Ensure policycoreutils is installed + package: + name: policycoreutils + state: present when: - - configure_strategy | bool - - file_permissions_var_log_messages | bool + - enable_strategy | bool + - high_severity | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - file_exists.stat is defined and file_exists.stat.exists + - package_policycoreutils_installed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83665-0 - - DISA-STIG-RHEL-08-010210 - - configure_strategy - - file_permissions_var_log_messages + - CCE-82976-2 + - DISA-STIG-RHEL-08-010171 + - enable_strategy + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed + - package_policycoreutils_installed -- name: Ensure sysctl kernel.dmesg_restrict is set to 1 - sysctl: - name: kernel.dmesg_restrict - value: '1' - state: present - reload: true +- name: Configure SELinux Policy + block: + - name: Check for duplicate values + lineinfile: + path: /etc/selinux/config + create: false + regexp: ^SELINUXTYPE= + state: absent + check_mode: true + changed_when: false + register: dupes + - name: Deduplicate values from /etc/selinux/config + lineinfile: + path: /etc/selinux/config + create: false + regexp: ^SELINUXTYPE= + state: absent + when: dupes.found is defined and dupes.found > 1 + - name: Insert correct line to /etc/selinux/config + lineinfile: + path: /etc/selinux/config + create: true + regexp: ^SELINUXTYPE= + line: SELINUXTYPE={{ var_selinux_policy_name }} + state: present when: - - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_kernel_dmesg_restrict | bool + - restrict_strategy | bool + - selinux_policytype | bool - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80913-7 - - DISA-STIG-RHEL-08-010375 - - NIST-800-171-3.1.5 - - NIST-800-53-SI-11(a) - - NIST-800-53-SI-11(b) - - disable_strategy + - CCE-80868-3 + - DISA-STIG-RHEL-08-010450 + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - NIST-800-53-AU-9 + - NIST-800-53-SC-7(21) - low_complexity - - medium_disruption + - low_disruption - medium_severity - reboot_required - - sysctl_kernel_dmesg_restrict + - restrict_strategy + - selinux_policytype -- name: Ensure sysctl kernel.perf_event_paranoid is set to 2 - sysctl: - name: kernel.perf_event_paranoid - value: '2' - state: present - reload: true +- name: Ensure SELinux State is Enforcing + block: + - name: Check for duplicate values + lineinfile: + path: /etc/selinux/config + create: false + regexp: ^SELINUX= + state: absent + check_mode: true + changed_when: false + register: dupes + - name: Deduplicate values from /etc/selinux/config + lineinfile: + path: /etc/selinux/config + create: false + regexp: ^SELINUX= + state: absent + when: dupes.found is defined and dupes.found > 1 + - name: Insert correct line to /etc/selinux/config + lineinfile: + path: /etc/selinux/config + create: true + regexp: ^SELINUX= + line: SELINUX={{ var_selinux_state }} + state: present when: - - disable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - sysctl_kernel_perf_event_paranoid | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - selinux_state | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81054-9 - - DISA-STIG-RHEL-08-010376 - - disable_strategy + - CCE-80869-1 + - DISA-STIG-RHEL-08-010170 + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - NIST-800-53-AU-9 + - NIST-800-53-SC-7(21) - low_complexity - - 
medium_disruption + - low_disruption - medium_severity - - reboot_required - - sysctl_kernel_perf_event_paranoid + - no_reboot_needed + - restrict_strategy + - selinux_state -- name: Ensure sysctl kernel.core_pattern is set to |/bin/false - sysctl: - name: kernel.core_pattern - value: '|/bin/false' +- name: Ensure rsyslog-gnutls is installed + package: + name: rsyslog-gnutls state: present - reload: true when: - - disable_strategy | bool + - enable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - sysctl_kernel_core_pattern | bool + - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82215-5 - - DISA-STIG-RHEL-08-010671 - - disable_strategy + - CCE-82859-0 + - DISA-STIG-RHEL-08-030680 + - enable_strategy - low_complexity - - medium_disruption + - low_disruption - medium_severity - - reboot_required - - sysctl_kernel_core_pattern + - no_reboot_needed + - package_rsyslog-gnutls_installed -- name: Ensure sysctl kernel.unprivileged_bpf_disabled is set to 1 - sysctl: - name: kernel.unprivileged_bpf_disabled - value: '1' +- name: Ensure rsyslog is installed + package: + name: rsyslog state: present - reload: true when: - - disable_strategy | bool + - enable_strategy | bool - low_complexity | bool - - medium_disruption | bool + - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - sysctl_kernel_unprivileged_bpf_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - no_reboot_needed | bool + - package_rsyslog_installed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82974-7 - - DISA-STIG-RHEL-08-040281 - - disable_strategy + - CCE-80847-7 + - DISA-STIG-RHEL-08-030670 + - NIST-800-53-CM-6(a) + - enable_strategy - low_complexity - - medium_disruption + - 
low_disruption - medium_severity - - reboot_required - - sysctl_kernel_unprivileged_bpf_disabled + - no_reboot_needed + - package_rsyslog_installed -- name: Ensure sysctl kernel.yama.ptrace_scope is set to 1 +- name: Enable service rsyslog + block: + - name: Gather the package facts + package_facts: + manager: auto + - name: Enable service rsyslog + service: + name: rsyslog + enabled: 'yes' + state: started + masked: 'no' + when: + - '"rsyslog" in ansible_facts.packages' + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_rsyslog_enabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80886-5 + - DISA-STIG-RHEL-08-010561 + - NIST-800-53-AU-4(1) + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_rsyslog_enabled + +- name: Set rsyslog remote loghost + lineinfile: + dest: /etc/rsyslog.conf + regexp: ^\*\.\* + line: '*.* @@{{ rsyslog_remote_loghost_address }}' + create: true + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - rsyslog_remote_loghost | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80863-4 + - DISA-STIG-RHEL-08-030690 + - NIST-800-53-AU-4(1) + - NIST-800-53-AU-9(2) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - rsyslog_remote_loghost + +- name: Ensure sysctl net.ipv6.conf.all.accept_ra is set sysctl: - name: kernel.yama.ptrace_scope - value: '1' + name: net.ipv6.conf.all.accept_ra + value: '{{ sysctl_net_ipv6_conf_all_accept_ra_value }}' state: present reload: true when: 
@@ -9768,48 +9936,54 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_kernel_yama_ptrace_scope | bool + - sysctl_net_ipv6_conf_all_accept_ra | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80953-3 - - DISA-STIG-RHEL-08-040282 + - CCE-81006-9 + - DISA-STIG-RHEL-08-040261 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_kernel_yama_ptrace_scope + - sysctl_net_ipv6_conf_all_accept_ra -- name: Ensure sysctl user.max_user_namespaces is set to 0 +- name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set sysctl: - name: user.max_user_namespaces - value: '0' + name: net.ipv6.conf.all.accept_source_route + value: '{{ sysctl_net_ipv6_conf_all_accept_source_route_value }}' state: present reload: true when: - disable_strategy | bool - low_complexity | bool - - low_severity | bool - medium_disruption | bool + - medium_severity | bool - reboot_required | bool - - sysctl_user_max_user_namespaces | bool + - sysctl_net_ipv6_conf_all_accept_source_route | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82211-4 - - DISA-STIG-RHEL-08-040284 + - CCE-81013-5 + - DISA-STIG-RHEL-08-040240 + - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - - NIST-800-53-SC-39 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - - low_severity - medium_disruption + - medium_severity - reboot_required - - sysctl_user_max_user_namespaces + - sysctl_net_ipv6_conf_all_accept_source_route -- name: Ensure sysctl kernel.kexec_load_disabled is set to 1 +- name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set sysctl: - name: kernel.kexec_load_disabled - value: '1' + name: net.ipv6.conf.default.accept_redirects + value: '{{ 
sysctl_net_ipv6_conf_default_accept_redirects_value }}' state: present reload: true when: @@ -9818,22 +9992,26 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_kernel_kexec_load_disabled | bool + - sysctl_net_ipv6_conf_default_accept_redirects | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80952-5 - - DISA-STIG-RHEL-08-010372 + - CCE-81010-1 + - DISA-STIG-RHEL-08-040210 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_kernel_kexec_load_disabled + - sysctl_net_ipv6_conf_default_accept_redirects -- name: Ensure sysctl kernel.kptr_restrict is set to 1 +- name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set sysctl: - name: kernel.kptr_restrict - value: '1' + name: net.ipv6.conf.all.accept_redirects + value: '{{ sysctl_net_ipv6_conf_all_accept_redirects_value }}' state: present reload: true when: 
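Review bot: Each `net.ipv6.conf.*` sysctl task in this hunk, and in the two hunks that follow (`net.ipv6.conf.default.accept_redirects`, `net.ipv6.conf.all.accept_redirects`, `net.ipv6.conf.default.accept_source_route`), guards only against container virtualization types, so on a host where IPv6 is unavailable (for example booted with `ipv6.disable=1`) the key is absent from `/proc/sys` and, as far as I can tell, `reload: true` turns that into a failed `sysctl -p` rather than a skipped task. A cheap guard is a single `stat` of `/proc/sys/net/ipv6` registered once, with `- ipv6_sysctl_root.stat.exists` appended to each task's `when` list next to the virtualization check; the module's `ignoreerrors: true` is a blunter alternative that would also mask typos in key names. The first task of this hunk, `Ensure sysctl net.ipv6.conf.all.accept_ra is set`, begins before the hunk header, so its `sysctl:` arguments are not visible here. The templated `*_value` variables are taken as given; the role presumably supplies defaults for them, which is worth confirming since an undefined variable fails the task at render time.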
@@ -9842,26 +10020,26 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_kernel_kptr_restrict | bool + - sysctl_net_ipv6_conf_all_accept_redirects | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80915-2 - - DISA-STIG-RHEL-08-040283 + - CCE-81009-3 + - DISA-STIG-RHEL-08-040280 + - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - - NIST-800-53-SC-30 - - NIST-800-53-SC-30(2) - - NIST-800-53-SC-30(5) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_kernel_kptr_restrict + - sysctl_net_ipv6_conf_all_accept_redirects -- name: Ensure sysctl kernel.randomize_va_space is set to 2 +- name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set sysctl: - name: kernel.randomize_va_space - value: '2' + name: net.ipv6.conf.default.accept_source_route + value: '{{ sysctl_net_ipv6_conf_default_accept_source_route_value }}' state: present reload: true when: 
@@ -9870,510 +10048,566 @@ - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - sysctl_kernel_randomize_va_space | bool + - sysctl_net_ipv6_conf_default_accept_source_route | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80916-0 - - DISA-STIG-RHEL-08-010430 - - NIST-800-171-3.1.7 + - CCE-81015-0 + - DISA-STIG-RHEL-08-040250 + - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - - NIST-800-53-SC-30 - - NIST-800-53-SC-30(2) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - medium_disruption - medium_severity - reboot_required - - sysctl_kernel_randomize_va_space - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80945-9 - - DISA-STIG-RHEL-08-010423 - - NIST-800-53-CM-6(a) - - grub2_slub_debug_argument - - low_disruption - - medium_complexity - - medium_severity - - reboot_required - - restrict_strategy - when: - - grub2_slub_debug_argument | bool - - low_disruption | bool - - medium_complexity | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - sysctl_net_ipv6_conf_default_accept_source_route -- name: get current kernel parameters - command: /usr/bin/grub2-editenv - list - register: kernelopts - changed_when: false +- name: Ensure sysctl net.ipv6.conf.default.accept_ra is set + sysctl: + name: net.ipv6.conf.default.accept_ra + value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}' + state: present + reload: true when: - - grub2_slub_debug_argument | bool - - low_disruption | bool - - medium_complexity | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - restrict_strategy | bool + - sysctl_net_ipv6_conf_default_accept_ra | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"grub2-common" in ansible_facts.packages' tags: - - CCE-80945-9 - 
- DISA-STIG-RHEL-08-010423 + - CCE-81007-7 + - DISA-STIG-RHEL-08-040262 + - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - - grub2_slub_debug_argument - - low_disruption - - medium_complexity + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption - medium_severity - reboot_required - - restrict_strategy + - sysctl_net_ipv6_conf_default_accept_ra -- name: Update the bootloader menu - command: /usr/bin/grub2-editenv - set "{{ item }} slub_debug=P" - with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' +- name: Ensure firewalld is installed + package: + name: firewalld + state: present when: - - grub2_slub_debug_argument | bool + - enable_strategy | bool + - low_complexity | bool - low_disruption | bool - - medium_complexity | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - no_reboot_needed | bool + - package_firewalld_installed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"grub2-common" in ansible_facts.packages' - - kernelopts.stdout_lines is defined - - kernelopts.stdout_lines | length > 0 - - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?slub_debug=P(?:\s.*)?$', multiline=True) is none tags: - - CCE-80945-9 - - DISA-STIG-RHEL-08-010423 + - CCE-82998-6 + - DISA-STIG-RHEL-08-040100 - NIST-800-53-CM-6(a) - - grub2_slub_debug_argument + - enable_strategy + - low_complexity - low_disruption - - medium_complexity - medium_severity - - reboot_required - - restrict_strategy - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80944-2 - - DISA-STIG-RHEL-08-010421 - - NIST-800-53-CM-6(a) - - grub2_page_poison_argument - - low_disruption - - medium_complexity - - medium_severity - - reboot_required - - restrict_strategy - when: - - grub2_page_poison_argument | bool - - low_disruption | bool - - medium_complexity | bool - - medium_severity | bool - - 
reboot_required | bool - - restrict_strategy | bool + - no_reboot_needed + - package_firewalld_installed -- name: get current kernel parameters - command: /usr/bin/grub2-editenv - list - register: kernelopts - changed_when: false +- name: Enable service firewalld + block: + - name: Gather the package facts + package_facts: + manager: auto + - name: Enable service firewalld + service: + name: firewalld + enabled: 'yes' + state: started + masked: 'no' + when: + - '"firewalld" in ansible_facts.packages' when: - - grub2_page_poison_argument | bool + - enable_strategy | bool + - low_complexity | bool - low_disruption | bool - - medium_complexity | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - no_reboot_needed | bool + - service_firewalld_enabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"grub2-common" in ansible_facts.packages' tags: - - CCE-80944-2 - - DISA-STIG-RHEL-08-010421 + - CCE-80877-4 + - DISA-STIG-RHEL-08-040100 + - NIST-800-171-3.1.3 + - NIST-800-171-3.4.7 + - NIST-800-53-AC-4 + - NIST-800-53-CA-3(5) - NIST-800-53-CM-6(a) - - grub2_page_poison_argument + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(21) + - enable_strategy + - low_complexity - low_disruption - - medium_complexity - medium_severity - - reboot_required - - restrict_strategy + - no_reboot_needed + - service_firewalld_enabled -- name: Update the bootloader menu - command: /usr/bin/grub2-editenv - set "{{ item }} page_poison=1" - with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' +- name: Ensure kernel module 'sctp' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/sctp.conf + regexp: sctp + line: install sctp /bin/true when: - - grub2_page_poison_argument | bool - - low_disruption | bool - - medium_complexity | bool + - disable_strategy | bool + - kernel_module_sctp_disabled | bool + - low_complexity | bool + - medium_disruption | bool - 
medium_severity | bool - reboot_required | bool - - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"grub2-common" in ansible_facts.packages' - - kernelopts.stdout_lines is defined - - kernelopts.stdout_lines | length > 0 - - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?page_poison=1(?:\s.*)?$', multiline=True) is none tags: - - CCE-80944-2 - - DISA-STIG-RHEL-08-010421 + - CCE-80834-5 + - CJIS-5.10.1 + - DISA-STIG-RHEL-08-040023 + - NIST-800-171-3.4.6 - NIST-800-53-CM-6(a) - - grub2_page_poison_argument - - low_disruption - - medium_complexity + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_sctp_disabled + - low_complexity + - medium_disruption - medium_severity - reboot_required - - restrict_strategy -- name: Disable service systemd-coredump - block: - - name: Gather the service facts - service_facts: null - - name: Disable service systemd-coredump - systemd: - name: systemd-coredump.service - enabled: 'no' - state: stopped - masked: 'yes' - when: '"systemd-coredump.service" in ansible_facts.services' +- name: Ensure kernel module 'firewire-core' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/firewire-core.conf + regexp: firewire-core + line: install firewire-core /bin/true when: - disable_strategy | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - - no_reboot_needed | bool + - reboot_required | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82881-4 - - DISA-STIG-RHEL-08-010672 + - CCE-82005-0 + - DISA-STIG-RHEL-08-040026 - disable_strategy + - kernel_module_firewire-core_disabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - - no_reboot_needed - - service_systemd-coredump_disabled + - reboot_required -- name: Unit Socket Exists - systemd-coredump.socket - command: systemctl 
list-unit-files systemd-coredump.socket - args: - warn: false - register: socket_file_exists - changed_when: false - ignore_errors: true - check_mode: false +- name: Ensure kernel module 'can' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/can.conf + regexp: can + line: install can /bin/true when: - disable_strategy | bool + - kernel_module_can_disabled | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - - no_reboot_needed | bool + - reboot_required | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82881-4 - - DISA-STIG-RHEL-08-010672 + - CCE-82059-7 + - DISA-STIG-RHEL-08-040022 - disable_strategy + - kernel_module_can_disabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - - no_reboot_needed - - service_systemd-coredump_disabled + - reboot_required -- name: Disable socket systemd-coredump - systemd: - name: systemd-coredump.socket - enabled: 'no' - state: stopped - masked: 'yes' +- name: Ensure kernel module 'tipc' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/tipc.conf + regexp: tipc + line: install tipc /bin/true when: - disable_strategy | bool + - kernel_module_tipc_disabled | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - - no_reboot_needed | bool + - reboot_required | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"systemd-coredump.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-82881-4 - - DISA-STIG-RHEL-08-010672 + - CCE-82297-3 + - DISA-STIG-RHEL-08-040024 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) - disable_strategy + - kernel_module_tipc_disabled - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_systemd-coredump_disabled - -- name: Gather the package facts - package_facts: - 
manager: auto - tags: - - CCE-81038-2 - - DISA-STIG-RHEL-08-010673 - - disable_users_coredumps - - low_complexity - - low_disruption + - medium_disruption - medium_severity - - no_reboot_needed - - restrict_strategy - when: - - disable_users_coredumps | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - reboot_required -- name: disable core dumps with limits +- name: Ensure kernel module 'atm' is disabled lineinfile: - dest: /etc/security/limits.conf - regexp: ^[^#].*core - line: '* hard core 0' create: true + dest: /etc/modprobe.d/atm.conf + regexp: atm + line: install atm /bin/true when: - - disable_users_coredumps | bool + - disable_strategy | bool + - kernel_module_atm_disabled | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"pam" in ansible_facts.packages' + - reboot_required | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81038-2 - - DISA-STIG-RHEL-08-010673 - - disable_users_coredumps + - CCE-82028-2 + - DISA-STIG-RHEL-08-040021 + - disable_strategy + - kernel_module_atm_disabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - - no_reboot_needed - - restrict_strategy + - reboot_required -- name: Disable storing core dump - block: - - name: Check for duplicate values - lineinfile: - path: /etc/systemd/coredump.conf - create: false - regexp: ^\s*Storage\s*=\s* - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/systemd/coredump.conf - lineinfile: - path: /etc/systemd/coredump.conf - create: false - regexp: ^\s*Storage\s*=\s* - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/systemd/coredump.conf - lineinfile: - path: 
/etc/systemd/coredump.conf - create: false - regexp: ^\s*Storage\s*=\s* - line: Storage=none - state: present +- name: Ensure sysctl net.ipv4.ip_forward is set to 0 + sysctl: + name: net.ipv4.ip_forward + value: '0' + state: present + reload: true + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_ip_forward | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82252-8 - - DISA-STIG-RHEL-08-010674 - - coredump_disable_storage + - CCE-81024-2 + - DISA-STIG-RHEL-08-040260 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy - low_complexity - - low_disruption + - medium_disruption - medium_severity - - no_reboot_needed - - restrict_strategy + - reboot_required + - sysctl_net_ipv4_ip_forward + +- name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0 + sysctl: + name: net.ipv4.conf.default.send_redirects + value: '0' + state: present + reload: true when: - - coredump_disable_storage | bool + - disable_strategy | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_send_redirects | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80921-0 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-08-040270 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_send_redirects -- name: Disable core dump backtraces - block: - - name: Check for duplicate 
values - lineinfile: - path: /etc/systemd/coredump.conf - create: false - regexp: ^\s*ProcessSizeMax\s*=\s* - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/systemd/coredump.conf - lineinfile: - path: /etc/systemd/coredump.conf - create: false - regexp: ^\s*ProcessSizeMax\s*=\s* - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/systemd/coredump.conf - lineinfile: - path: /etc/systemd/coredump.conf - create: false - regexp: ^\s*ProcessSizeMax\s*=\s* - line: ProcessSizeMax=0 - state: present +- name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0 + sysctl: + name: net.ipv4.conf.all.send_redirects + value: '0' + state: present + reload: true + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_send_redirects | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82251-0 - - DISA-STIG-RHEL-08-010675 - - coredump_disable_backtraces + - CCE-80918-6 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-08-040220 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy - low_complexity - - low_disruption + - medium_disruption - medium_severity - - no_reboot_needed - - restrict_strategy + - reboot_required + - sysctl_net_ipv4_conf_all_send_redirects + +- name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set + sysctl: + name: net.ipv4.conf.all.accept_source_route + value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}' + state: present + reload: true when: - - coredump_disable_backtraces | bool + - disable_strategy | bool - low_complexity | bool - - low_disruption | bool + - medium_disruption | bool - medium_severity | bool - - no_reboot_needed | bool - - 
restrict_strategy | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_all_accept_source_route | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-81011-9 + - DISA-STIG-RHEL-08-040240 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_source_route -- name: Gather the package facts - package_facts: - manager: auto +- name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set + sysctl: + name: net.ipv4.conf.default.accept_source_route + value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}' + state: present + reload: true + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_conf_default_accept_source_route | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82194-2 - - DISA-STIG-RHEL-08-040004 - - NIST-800-53-SI-16 - - grub2_pti_argument - - high_severity - - low_disruption - - medium_complexity + - CCE-80920-2 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-08-040250 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity - reboot_required - - restrict_strategy + - sysctl_net_ipv4_conf_default_accept_source_route + +- name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set + sysctl: + name: net.ipv4.conf.default.accept_redirects + value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}' + state: present + reload: true when: - - grub2_pti_argument | bool - - high_severity | bool - - low_disruption | bool - - medium_complexity | bool + - 
disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool - reboot_required | bool - - restrict_strategy | bool + - sysctl_net_ipv4_conf_default_accept_redirects | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80919-4 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-08-040210 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_accept_redirects -- name: get current kernel parameters - command: /usr/bin/grub2-editenv - list - register: kernelopts - changed_when: false +- name: Ensure sysctl net.ipv4.conf.all.rp_filter is set + sysctl: + name: net.ipv4.conf.all.rp_filter + value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}' + state: present + reload: true when: - - grub2_pti_argument | bool - - high_severity | bool - - low_disruption | bool - - medium_complexity | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool - reboot_required | bool - - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' + - sysctl_net_ipv4_conf_all_rp_filter | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82194-2 - - DISA-STIG-RHEL-08-040004 - - NIST-800-53-SI-16 - - grub2_pti_argument - - high_severity - - low_disruption - - medium_complexity + - CCE-81021-8 + - DISA-STIG-RHEL-08-040285 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity - reboot_required - - restrict_strategy + - sysctl_net_ipv4_conf_all_rp_filter + +- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set + sysctl: + name: 
net.ipv4.icmp_echo_ignore_broadcasts + value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}' + state: present + reload: true + when: + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - reboot_required | bool + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80922-8 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-08-040230 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- name: Update the bootloader menu - command: /usr/bin/grub2-editenv - set "{{ item }} pti=on" - with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' +- name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set + sysctl: + name: net.ipv4.conf.all.accept_redirects + value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}' + state: present + reload: true when: - - grub2_pti_argument | bool - - high_severity | bool - - low_disruption | bool - - medium_complexity | bool + - disable_strategy | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool - reboot_required | bool - - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' + - sysctl_net_ipv4_conf_all_accept_redirects | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - kernelopts.stdout_lines is defined - - kernelopts.stdout_lines | length > 0 - - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?pti=on(?:\s.*)?$', multiline=True) is none - tags: - - CCE-82194-2 - - DISA-STIG-RHEL-08-040004 - - NIST-800-53-SI-16 - - grub2_pti_argument - - high_severity - - low_disruption - - medium_complexity - - reboot_required - - restrict_strategy - -- 
name: Gather the package facts - package_facts: - manager: auto tags: - - CCE-80946-7 - - DISA-STIG-RHEL-08-010422 + - CCE-80917-8 + - CJIS-5.10.1.1 + - DISA-STIG-RHEL-08-040280 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - - grub2_vsyscall_argument - - low_disruption - - medium_complexity + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption - medium_severity - reboot_required - - restrict_strategy - when: - - grub2_vsyscall_argument | bool - - low_disruption | bool - - medium_complexity | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - sysctl_net_ipv4_conf_all_accept_redirects -- name: get current kernel parameters - command: /usr/bin/grub2-editenv - list - register: kernelopts - changed_when: false +- name: Ensure kernel module 'bluetooth' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/bluetooth.conf + regexp: bluetooth + line: install bluetooth /bin/true when: - - grub2_vsyscall_argument | bool - - low_disruption | bool - - medium_complexity | bool + - disable_strategy | bool + - kernel_module_bluetooth_disabled | bool + - low_complexity | bool + - medium_disruption | bool - medium_severity | bool - reboot_required | bool - - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80946-7 - - DISA-STIG-RHEL-08-010422 + - CCE-80832-9 + - CJIS-5.13.1.3 + - DISA-STIG-RHEL-08-040111 + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(3) + - NIST-800-53-AC-18(a) + - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - - grub2_vsyscall_argument - - low_disruption - - medium_complexity + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - kernel_module_bluetooth_disabled + - low_complexity + - medium_disruption - medium_severity - reboot_required - - restrict_strategy -- name: Update the bootloader menu - 
command: /usr/bin/grub2-editenv - set "{{ item }} vsyscall=none" - with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' +- name: Deactivate Wireless Network Interfaces + command: nmcli radio wifi off when: - - grub2_vsyscall_argument | bool - - low_disruption | bool - - medium_complexity | bool + - low_complexity | bool + - medium_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' + - no_reboot_needed | bool + - unknown_strategy | bool + - wireless_disable_interfaces | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - kernelopts.stdout_lines is defined - - kernelopts.stdout_lines | length > 0 - - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?vsyscall=none(?:\s.*)?$', multiline=True) is none tags: - - CCE-80946-7 - - DISA-STIG-RHEL-08-010422 + - CCE-83501-7 + - DISA-STIG-RHEL-08-040110 + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(3) + - NIST-800-53-AC-18(a) + - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - - grub2_vsyscall_argument - - low_disruption - - medium_complexity + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - low_complexity + - medium_disruption - medium_severity - - reboot_required - - restrict_strategy + - no_reboot_needed + - unknown_strategy + - wireless_disable_interfaces - name: Enable service rngd block: 
@@ -10406,113 +10640,138 @@ - no_reboot_needed - service_rngd_enabled -- name: Ensure sendmail is removed +- name: Ensure abrt is removed package: - name: sendmail + name: abrt state: absent - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_sendmail_removed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-81039-0 - - DISA-STIG-RHEL-08-040002 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) + - CCE-80948-3 + - DISA-STIG-RHEL-08-040001 - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - package_sendmail_removed + - package_abrt_removed + when: + - disable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_abrt_removed | bool -- name: Make sure that that "/etc/aliases" has a defined value for root - lineinfile: - path: /etc/aliases - line: 'root: {{ var_postfix_root_mail_alias }}' - regexp: ^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$ - create: true - state: present +- name: Disable service kdump + block: + - name: Gather the service facts + service_facts: null + - name: Disable service kdump + systemd: + name: kdump.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"kdump.service" in ansible_facts.services' when: - - configure_strategy | bool + - disable_strategy | bool - low_complexity | bool - low_disruption | bool - - low_severity | bool + - medium_severity | bool - no_reboot_needed | bool - - postfix_client_configure_mail_alias | bool + - service_kdump_disabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82381-5 - - DISA-STIG-RHEL-08-030030 + - CCE-80878-2 + - DISA-STIG-RHEL-08-010670 - NIST-800-53-CM-6(a) - - configure_strategy + - NIST-800-53-CM-7(a) + - 
NIST-800-53-CM-7(b) + - disable_strategy - low_complexity - low_disruption - - low_severity + - medium_severity - no_reboot_needed - - postfix_client_configure_mail_alias + - service_kdump_disabled -- name: Ensure fapolicyd is installed - package: - name: fapolicyd - state: present +- name: Unit Socket Exists - kdump.socket + command: systemctl list-unit-files kdump.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false when: - - enable_strategy | bool + - disable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - package_fapolicyd_installed | bool + - service_kdump_disabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82191-8 - - DISA-STIG-RHEL-08-040135 + - CCE-80878-2 + - DISA-STIG-RHEL-08-010670 - NIST-800-53-CM-6(a) - - NIST-800-53-SI-4(22) - - enable_strategy + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - package_fapolicyd_installed + - service_kdump_disabled -- name: Enable service fapolicyd - block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable service fapolicyd - service: - name: fapolicyd - enabled: 'yes' - state: started - masked: 'no' - when: - - '"fapolicyd" in ansible_facts.packages' +- name: Disable socket kdump + systemd: + name: kdump.socket + enabled: 'no' + state: stopped + masked: 'yes' when: - - enable_strategy | bool + - disable_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - service_fapolicyd_enabled | bool + - service_kdump_disabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82249-4 - - DISA-STIG-RHEL-08-040135 + - '"kdump.socket" in socket_file_exists.stdout_lines[1]' + 
tags: + - CCE-80878-2 + - DISA-STIG-RHEL-08-010670 - NIST-800-53-CM-6(a) - - NIST-800-53-SI-4(22) - - enable_strategy + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_fapolicyd_enabled + - service_kdump_disabled + +- name: Ensure telnet-server is removed + package: + name: telnet-server + state: absent + tags: + - CCE-82182-7 + - DISA-STIG-RHEL-08-040000 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_telnet-server_removed + when: + - disable_strategy | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool - name: Ensure rsh-server is removed package: 
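Review bot: The new `Ensure telnet-server is removed` task's `when` list omits its own rule variable, so unlike the sibling guard `package_abrt_removed | bool` it cannot be opted out and runs whenever the strategy and severity switches are on; presumably this is because `package_telnet-server_removed` contains a hyphen and is not a valid Jinja identifier, so the generator should expose an underscore form (for example `package_telnet_server_removed | bool`, a constructed name) and reference it in `when`. Separately, `Disable socket kdump` is guarded by `'"kdump.socket" in socket_file_exists.stdout_lines[1]'`; if `systemctl list-unit-files kdump.socket` prints fewer than two lines the index raises an error instead of skipping, and the `ignore_errors` on the preceding command task does not cover that, so `'"kdump.socket" in socket_file_exists.stdout'` is the safer test. The `args: warn: false` on that same command is an option that recent ansible-core releases no longer accept, which I would confirm against the versions this role supports.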
@@ -10642,31 +10901,169 @@ - no_reboot_needed - tftpd_uses_secure_mode -- name: Ensure telnet-server is removed +- name: Ensure fapolicyd is installed package: - name: telnet-server - state: absent + name: fapolicyd + state: present + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_fapolicyd_installed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82182-7 - - DISA-STIG-RHEL-08-040000 + - CCE-82191-8 + - DISA-STIG-RHEL-08-040135 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - high_severity + - NIST-800-53-SI-4(22) + - enable_strategy - low_complexity - low_disruption + - medium_severity - no_reboot_needed - - package_telnet-server_removed + - package_fapolicyd_installed + +- name: Enable service fapolicyd + block: + - name: Gather the package facts + package_facts: + manager: auto + - name: Enable service fapolicyd + service: + name: fapolicyd + enabled: 'yes' + state: started + masked: 'no' + when: + - '"fapolicyd" in ansible_facts.packages' when: - - disable_strategy | bool - - high_severity | bool + - enable_strategy | bool - low_complexity | bool - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool + - service_fapolicyd_enabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82249-4 + - DISA-STIG-RHEL-08-040135 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-4(22) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_fapolicyd_enabled -- name: Get nfs and nfs4 mount points, that don't have nodev - command: findmnt --fstab --types nfs,nfs4 -O nonodev -n +- name: Ensure usbguard is installed + package: + name: usbguard + state: present + tags: + - CCE-82959-8 + - DISA-STIG-RHEL-08-040140 + - enable_strategy + - 
low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_usbguard_installed + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_usbguard_installed | bool + +- name: Enable service usbguard + block: + - name: Gather the package facts + package_facts: + manager: auto + - name: Enable service usbguard + service: + name: usbguard + enabled: 'yes' + state: started + masked: 'no' + when: + - '"usbguard" in ansible_facts.packages' + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - service_usbguard_enabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82853-3 + - DISA-STIG-RHEL-08-040140 + - NIST-800-53-CM-8(3)(a) + - NIST-800-53-IA-3 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_usbguard_enabled + +- name: Ensure xorg packages are removed + package: + name: + - xorg-x11-server-Xorg + - xorg-x11-server-common + - xorg-x11-server-utils + - xorg-x11-server-Xwayland + state: absent + tags: + - CCE-83411-9 + - DISA-STIG-RHEL-08-040320 + - NIST-800-53-CM-6(b) + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + - xwindows_remove_packages + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - xwindows_remove_packages | bool + +- name: Switch to multi-user runlevel + file: + src: /usr/lib/systemd/system/multi-user.target + dest: /etc/systemd/system/default.target + state: link + force: true + tags: + - CCE-83411-9 + - DISA-STIG-RHEL-08-040320 + - NIST-800-53-CM-6(b) + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + - 
xwindows_remove_packages + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - xwindows_remove_packages | bool + +- name: Get nfs and nfs4 mount points, that don't have noexec + command: findmnt --fstab --types nfs,nfs4 -O nonoexec -n register: points_register check_mode: false changed_when: false 
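Review bot: `Enable service usbguard` starts the daemon without any step that creates a rules file, and usbguard's shipped daemon configuration blocks devices that match no rule, so on a host that has never run `usbguard generate-policy` this can cut off USB keyboards the moment the service starts; gate the enable step on a rules file being present, or document that operators must generate one before applying the role. `Switch to multi-user runlevel` also lacks the `ansible_virtualization_type not in [...]` guard the neighbouring service tasks carry, and with `force: true` it replaces an existing `default.target` link unconditionally, which deserves at least a comment on the task so the side effect is explicit.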
@@ -10676,52 +11073,56 @@ - low_complexity | bool - medium_disruption | bool - medium_severity | bool - - mount_option_nodev_remote_filesystems | bool + - mount_option_noexec_remote_filesystems | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-84052-0 - - DISA-STIG-RHEL-08-010640 + - CCE-84050-4 + - DISA-STIG-RHEL-08-010630 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(10) + - NIST-800-53-AC-6(8) - NIST-800-53-CM-6(a) - - NIST-800-53-MP-2 - configure_strategy - low_complexity - medium_disruption - medium_severity - - mount_option_nodev_remote_filesystems + - mount_option_noexec_remote_filesystems - no_reboot_needed -- name: Add nodev to nfs and nfs4 mount points +- name: Add noexec to nfs and nfs4 mount points mount: path: '{{ item.split()[0] }}' src: '{{ item.split()[1] }}' fstype: '{{ item.split()[2] }}' state: mounted - opts: '{{ item.split()[3] }},nodev' + opts: '{{ item.split()[3] }},noexec' when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - - mount_option_nodev_remote_filesystems | bool + - mount_option_noexec_remote_filesystems | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (points_register.stdout | length > 0) with_items: '{{ points_register.stdout_lines }}' tags: - - CCE-84052-0 - - DISA-STIG-RHEL-08-010640 + - CCE-84050-4 + - DISA-STIG-RHEL-08-010630 + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(10) + - NIST-800-53-AC-6(8) - NIST-800-53-CM-6(a) - - NIST-800-53-MP-2 - configure_strategy - low_complexity - medium_disruption - medium_severity - - mount_option_nodev_remote_filesystems + - mount_option_noexec_remote_filesystems - no_reboot_needed -- name: Get nfs and nfs4 mount points, that don't have nosuid - command: findmnt --fstab --types nfs,nfs4 -O nonosuid -n +- name: Get nfs and nfs4 mount points, that don't have nodev + command: findmnt 
--fstab --types nfs,nfs4 -O nonodev -n register: points_register check_mode: false changed_when: false 
@@ -10731,54 +11132,52 @@ - low_complexity | bool - medium_disruption | bool - medium_severity | bool - - mount_option_nosuid_remote_filesystems | bool + - mount_option_nodev_remote_filesystems | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-84053-8 - - DISA-STIG-RHEL-08-010650 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM6(a) + - CCE-84052-0 + - DISA-STIG-RHEL-08-010640 + - NIST-800-53-CM-6(a) + - NIST-800-53-MP-2 - configure_strategy - low_complexity - medium_disruption - medium_severity - - mount_option_nosuid_remote_filesystems + - mount_option_nodev_remote_filesystems - no_reboot_needed -- name: Add nosuid to nfs and nfs4 mount points +- name: Add nodev to nfs and nfs4 mount points mount: path: '{{ item.split()[0] }}' src: '{{ item.split()[1] }}' fstype: '{{ item.split()[2] }}' state: mounted - opts: '{{ item.split()[3] }},nosuid' + opts: '{{ item.split()[3] }},nodev' when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - - mount_option_nosuid_remote_filesystems | bool + - mount_option_nodev_remote_filesystems | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (points_register.stdout | length > 0) with_items: '{{ points_register.stdout_lines }}' - tags: - - CCE-84053-8 - - DISA-STIG-RHEL-08-010650 - - NIST-800-53-AC-6 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM6(a) + tags: + - CCE-84052-0 + - DISA-STIG-RHEL-08-010640 + - NIST-800-53-CM-6(a) + - NIST-800-53-MP-2 - configure_strategy - low_complexity - medium_disruption - medium_severity - - mount_option_nosuid_remote_filesystems + - mount_option_nodev_remote_filesystems - no_reboot_needed -- name: Get nfs and nfs4 mount points, that don't have noexec - command: findmnt --fstab --types nfs,nfs4 -O nonoexec -n +- name: Get nfs and nfs4 mount points, that don't have nosuid + command: 
findmnt --fstab --types nfs,nfs4 -O nonosuid -n register: points_register check_mode: false changed_when: false 
@@ -10788,53 +11187,75 @@ - low_complexity | bool - medium_disruption | bool - medium_severity | bool - - mount_option_noexec_remote_filesystems | bool + - mount_option_nosuid_remote_filesystems | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-84050-4 - - DISA-STIG-RHEL-08-010630 + - CCE-84053-8 + - DISA-STIG-RHEL-08-010650 - NIST-800-53-AC-6 - - NIST-800-53-AC-6(10) - - NIST-800-53-AC-6(8) - - NIST-800-53-CM-6(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM6(a) - configure_strategy - low_complexity - medium_disruption - medium_severity - - mount_option_noexec_remote_filesystems + - mount_option_nosuid_remote_filesystems - no_reboot_needed -- name: Add noexec to nfs and nfs4 mount points +- name: Add nosuid to nfs and nfs4 mount points mount: path: '{{ item.split()[0] }}' src: '{{ item.split()[1] }}' fstype: '{{ item.split()[2] }}' state: mounted - opts: '{{ item.split()[3] }},noexec' + opts: '{{ item.split()[3] }},nosuid' when: - configure_strategy | bool - low_complexity | bool - medium_disruption | bool - medium_severity | bool - - mount_option_noexec_remote_filesystems | bool + - mount_option_nosuid_remote_filesystems | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - (points_register.stdout | length > 0) with_items: '{{ points_register.stdout_lines }}' tags: - - CCE-84050-4 - - DISA-STIG-RHEL-08-010630 + - CCE-84053-8 + - DISA-STIG-RHEL-08-010650 - NIST-800-53-AC-6 - - NIST-800-53-AC-6(10) - - NIST-800-53-AC-6(8) - - NIST-800-53-CM-6(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM6(a) - configure_strategy - low_complexity - medium_disruption - medium_severity - - mount_option_noexec_remote_filesystems + - mount_option_nosuid_remote_filesystems + - no_reboot_needed + +- name: Ensure vsftpd is removed + package: + name: vsftpd + state: absent + tags: + - CCE-82414-4 + - DISA-STIG-RHEL-08-040360 + - 
NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - high_severity + - low_complexity + - low_disruption - no_reboot_needed + - package_vsftpd_removed + when: + - disable_strategy | bool + - high_severity | bool + - low_complexity | bool + - low_disruption | bool + - no_reboot_needed | bool + - package_vsftpd_removed | bool - name: Gather the package facts package_facts: @@ -11125,27 +11546,27 @@ - name: Find /etc/ssh/ file(s) find: paths: /etc/ssh/ - patterns: ^.*.pub$ + patterns: ^.*_key$ use_regex: true register: files_found when: - configure_strategy | bool - - file_permissions_sshd_pub_key | bool + - file_permissions_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82428-4 - - DISA-STIG-RHEL-08-010480 + - CCE-82424-3 + - DISA-STIG-RHEL-08-010490 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - - file_permissions_sshd_pub_key + - file_permissions_sshd_private_key - low_complexity - low_disruption - medium_severity 
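Review bot: The new side carries the tag `NIST-800-53-CM6(a)` twice (on the nosuid find and mount tasks) while every other task in the file spells it `NIST-800-53-CM-6(a)`, so a run filtered with `--tags NIST-800-53-CM-6(a)` silently skips the nosuid remediation; change both entries to `- NIST-800-53-CM-6(a)`. The typo is moved rather than introduced by this commit, but it sits in the code under review and the generator source is where it should be corrected.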
@@ -11154,27 +11575,27 @@ - name: Set permissions for /etc/ssh/ file(s) file: path: '{{ item.path }}' - mode: '0644' + mode: '0640' with_items: - '{{ files_found.files }}' when: - configure_strategy | bool - - file_permissions_sshd_pub_key | bool + - file_permissions_sshd_private_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82428-4 - - DISA-STIG-RHEL-08-010480 + - CCE-82424-3 + - DISA-STIG-RHEL-08-010490 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - - file_permissions_sshd_pub_key + - file_permissions_sshd_private_key - low_complexity - low_disruption - medium_severity @@ -11183,27 +11604,27 @@ - name: Find /etc/ssh/ file(s) find: paths: /etc/ssh/ - patterns: ^.*_key$ + patterns: ^.*.pub$ use_regex: true register: files_found when: - configure_strategy | bool - - file_permissions_sshd_private_key | bool + - file_permissions_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82424-3 - - DISA-STIG-RHEL-08-010490 + - CCE-82428-4 + - DISA-STIG-RHEL-08-010480 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - - file_permissions_sshd_private_key + - file_permissions_sshd_pub_key - low_complexity - low_disruption - medium_severity 
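Review bot: In the `Find /etc/ssh/ file(s)` task that feeds the `0644` permission step in the next hunk, `patterns: ^.*.pub$` leaves the dot unescaped, so with `use_regex: true` it also matches any name ending in one arbitrary character followed by `pub`; write `patterns: ^.*\.pub$` so only `.pub` public keys receive the world-readable mode. The companion `^.*_key$` pattern in the private-key task has no such problem.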
@@ -11212,27 +11633,27 @@ - name: Set permissions for /etc/ssh/ file(s) file: path: '{{ item.path }}' - mode: '0640' + mode: '0644' with_items: - '{{ files_found.files }}' when: - configure_strategy | bool - - file_permissions_sshd_private_key | bool + - file_permissions_sshd_pub_key | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82424-3 - - DISA-STIG-RHEL-08-010490 + - CCE-82428-4 + - DISA-STIG-RHEL-08-010480 - NIST-800-171-3.1.13 - NIST-800-171-3.13.10 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - - file_permissions_sshd_private_key + - file_permissions_sshd_pub_key - low_complexity - low_disruption - medium_severity @@ -11335,13 +11756,13 @@ - no_reboot_needed - ssh_client_rekey_limit -- name: Prevent remote hosts from connecting to the proxy display +- name: Disable SSH Root Login block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*X11UseLocalhost\s+ + regexp: (?i)^\s*PermitRootLogin\s+ state: absent check_mode: true changed_when: false @@ -11350,15 +11771,15 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*X11UseLocalhost\s+ + regexp: (?i)^\s*PermitRootLogin\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*X11UseLocalhost\s+ - line: X11UseLocalhost yes + regexp: (?i)^\s*PermitRootLogin\s+ + line: PermitRootLogin no state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s 
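Review bot: `Deduplicate values from /etc/ssh/sshd_config` removes every line matching `(?i)^\s*PermitRootLogin\s+` once more than one is found, and because the pattern allows leading whitespace it also strips indented directives inside `Match` blocks, so a narrower per-user or per-address setting disappears without notice before the global `PermitRootLogin no` is inserted; the dedupe should be confined to directives that precede the first `Match` line, or the task should at least report which lines it dropped. The `validate: /usr/sbin/sshd -t -f %s` check only proves the file parses, and no `notify` is visible here, so unless a handler elsewhere reloads sshd the new value takes effect only at the next restart. The same dedupe pattern appears in the Compression, X11Forwarding, ClientAliveCountMax, KerberosAuthentication, GSSAPIAuthentication and PermitEmptyPasswords blocks in the hunks below; the enclosing block starts in the previous hunk.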
@@ -11368,26 +11789,36 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_x11_use_localhost | bool + - sshd_disable_root_login | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-84058-7 - - DISA-STIG-RHEL-08-040341 - - NIST-800-53-CM-6(b) + - CCE-80901-2 + - CJIS-5.5.6 + - DISA-STIG-RHEL-08-010550 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53- + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(2) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-IA-2 + - NIST-800-53-IA-2(5) - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - sshd_x11_use_localhost + - sshd_disable_root_login -- name: Do Not Allow SSH Environment Options +- name: Disable Compression Or Set Compression to delayed block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*PermitUserEnvironment\s+ + regexp: (?i)^\s*Compression\s+ state: absent check_mode: true changed_when: false @@ -11396,15 +11827,15 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*PermitUserEnvironment\s+ + regexp: (?i)^\s*Compression\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*PermitUserEnvironment\s+ - line: PermitUserEnvironment no + regexp: (?i)^\s*Compression\s+ + line: Compression {{ var_sshd_disable_compression }} state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s 
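Review bot: The new tag list for `Disable SSH Root Login` contains a bare `- NIST-800-53-` entry with no control identifier, which is a truncated reference that no meaningful `--tags` filter will ever select; either complete it from the rule's reference list or drop it. The same truncated entry shows up on the removed side of the `@@ -11510` hunk below, so the defect lives in the generator's reference data rather than in this file alone.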
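Review bot: `line: Compression {{ var_sshd_disable_compression }}` writes whatever the variable holds, and `sshd -t` only confirms the token is a legal value, so a variable set to `yes` passes validation while defeating the task's stated intent of disabling or delaying compression; an `assert` task before the block with `that: var_sshd_disable_compression in ['no', 'delayed']` would fail loudly instead. The enclosing block starts in this hunk and its `when` list continues in the next one.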
@@ -11414,12 +11845,11 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_do_not_permit_user_env | bool + - sshd_disable_compression | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80903-8 - - CJIS-5.5.6 - - DISA-STIG-RHEL-08-010830 + - CCE-80895-6 + - DISA-STIG-RHEL-08-010510 - NIST-800-171-3.1.12 - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) 
@@ -11430,60 +11860,15 @@ - medium_severity - no_reboot_needed - restrict_strategy - - sshd_do_not_permit_user_env - -- name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in '/etc/sysconfig/sshd' - block: - - name: Check for duplicate values - lineinfile: - path: /etc/sysconfig/sshd - create: false - regexp: ^\s*SSH_USE_STRONG_RNG= - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/sysconfig/sshd - lineinfile: - path: /etc/sysconfig/sshd - create: false - regexp: ^\s*SSH_USE_STRONG_RNG= - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/sysconfig/sshd - lineinfile: - path: /etc/sysconfig/sshd - create: true - regexp: ^\s*SSH_USE_STRONG_RNG= - line: SSH_USE_STRONG_RNG=32 - state: present - insertbefore: ^# SSH_USE_STRONG_RNG - validate: /usr/bin/bash -n %s - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_use_strong_rng | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-82462-3 - - DISA-STIG-RHEL-08-010292 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_use_strong_rng + - sshd_disable_compression -- name: Disable SSH Root Login +- name: Disable X11 Forwarding block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*PermitRootLogin\s+ + regexp: (?i)^\s*X11Forwarding\s+ state: absent check_mode: true changed_when: false 
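Review bot: The `SSH_USE_STRONG_RNG=32` remediation for `/etc/sysconfig/sshd` (tags `CCE-82462-3`, `DISA-STIG-RHEL-08-010292`) disappears here with nothing on the new side of the visible hunks re-adding it, so the role loses that control unless it was relocated to a part of the file outside this diff; the commit description should state whether the drop is intentional. If it was removed because the option is no longer honoured by the targeted OpenSSH build, a one-line comment where the SSH tasks begin would spare the next reviewer the same question.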
@@ -11492,15 +11877,15 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*PermitRootLogin\s+ + regexp: (?i)^\s*X11Forwarding\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*PermitRootLogin\s+ - line: PermitRootLogin no + regexp: (?i)^\s*X11Forwarding\s+ + line: X11Forwarding no state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s @@ -11510,36 +11895,26 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_disable_root_login | bool + - sshd_disable_x11_forwarding | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80901-2 - - CJIS-5.5.6 - - DISA-STIG-RHEL-08-010550 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - NIST-800-53- - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-6(2) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-IA-2 - - NIST-800-53-IA-2(5) + - CCE-83360-8 + - DISA-STIG-RHEL-08-040340 + - NIST-800-53-CM-6(b) - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - sshd_disable_root_login + - sshd_disable_x11_forwarding -- name: Disable X11 Forwarding +- name: Set SSH Client Alive Count Max to zero block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*X11Forwarding\s+ + regexp: (?i)^\s*ClientAliveCountMax\s+ state: absent check_mode: true changed_when: false 
@@ -11548,15 +11923,15 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*X11Forwarding\s+ + regexp: (?i)^\s*ClientAliveCountMax\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*X11Forwarding\s+ - line: X11Forwarding no + regexp: (?i)^\s*ClientAliveCountMax\s+ + line: ClientAliveCountMax 0 state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s @@ -11566,26 +11941,33 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_disable_x11_forwarding | bool + - sshd_set_keepalive_0 | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83360-8 - - DISA-STIG-RHEL-08-040340 - - NIST-800-53-CM-6(b) + - CCE-83405-1 + - CJIS-5.5.6 + - DISA-STIG-RHEL-08-010200 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - sshd_disable_x11_forwarding + - sshd_set_keepalive_0 -- name: Force frequent session key renegotiation +- name: Disable Kerberos Authentication block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*RekeyLimit\s+ + regexp: (?i)^\s*KerberosAuthentication\s+ state: absent check_mode: true changed_when: false 
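Review bot: `line: ClientAliveCountMax 0` is version-sensitive: older sshd builds drop an unresponsive session at the first missed keepalive with this value, but the sshd_config(5) text for more recent OpenSSH releases says a zero ClientAliveCountMax disables connection termination entirely, so on a newer daemon this remediation would remove the idle-session drop it is meant to enforce; unless the role is pinned to an OpenSSH version where 0 behaves as intended, `ClientAliveCountMax 1` is the safer value. The directive also only has effect when `ClientAliveInterval` is non-zero, which this hunk does not set, so I would confirm the interval task runs alongside it. The enclosing block starts in the previous hunk.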
@@ -11594,43 +11976,48 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*RekeyLimit\s+ + regexp: (?i)^\s*KerberosAuthentication\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*RekeyLimit\s+ - line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }} + regexp: (?i)^\s*KerberosAuthentication\s+ + line: KerberosAuthentication no state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s when: - - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - sshd_rekey_limit | bool + - restrict_strategy | bool + - sshd_disable_kerb_auth | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82177-7 - - DISA-STIG-RHEL-08-040161 - - configure_strategy + - CCE-80898-0 + - DISA-STIG-RHEL-08-010521 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) - low_complexity - low_disruption - medium_severity - no_reboot_needed - - sshd_rekey_limit + - restrict_strategy + - sshd_disable_kerb_auth -- name: Disable Compression Or Set Compression to delayed +- name: Disable GSSAPI Authentication block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*Compression\s+ + regexp: (?i)^\s*GSSAPIAuthentication\s+ state: absent check_mode: true changed_when: false 
@@ -11639,15 +12026,15 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*Compression\s+ + regexp: (?i)^\s*GSSAPIAuthentication\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*Compression\s+ - line: Compression {{ var_sshd_disable_compression }} + regexp: (?i)^\s*GSSAPIAuthentication\s+ + line: GSSAPIAuthentication no state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s @@ -11657,11 +12044,11 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_disable_compression | bool + - sshd_disable_gssapi_auth | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80895-6 - - DISA-STIG-RHEL-08-010510 + - CCE-80897-2 + - DISA-STIG-RHEL-08-010521 - NIST-800-171-3.1.12 - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) @@ -11672,15 +12059,15 @@ - medium_severity - no_reboot_needed - restrict_strategy - - sshd_disable_compression + - sshd_disable_gssapi_auth -- name: Enable SSH Print Last Log +- name: Disable SSH Access via Empty Passwords block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*PrintLastLog\s+ + regexp: (?i)^\s*PermitEmptyPasswords\s+ state: absent check_mode: true changed_when: false 
@@ -11689,46 +12076,50 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*PrintLastLog\s+ + regexp: (?i)^\s*PermitEmptyPasswords\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*PrintLastLog\s+ - line: PrintLastLog yes + regexp: (?i)^\s*PermitEmptyPasswords\s+ + line: PermitEmptyPasswords no state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s when: + - high_severity | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_print_last_log | bool + - sshd_disable_empty_passwords | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82281-7 - - DISA-STIG-RHEL-08-020350 + - CCE-80896-4 + - CJIS-5.5.6 + - DISA-STIG-RHEL-08-020330 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 - NIST-800-53-AC-17(a) - - NIST-800-53-AC-9 - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - restrict_strategy - - sshd_print_last_log + - sshd_disable_empty_passwords -- name: Disable SSH Support for User Known Hosts +- name: Do Not Allow SSH Environment Options block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*IgnoreUserKnownHosts\s+ + regexp: (?i)^\s*PermitUserEnvironment\s+ state: absent check_mode: true changed_when: false 
@@ -11737,15 +12128,15 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*IgnoreUserKnownHosts\s+ + regexp: (?i)^\s*PermitUserEnvironment\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*IgnoreUserKnownHosts\s+ - line: IgnoreUserKnownHosts yes + regexp: (?i)^\s*PermitUserEnvironment\s+ + line: PermitUserEnvironment no state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s @@ -11755,11 +12146,12 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_disable_user_known_hosts | bool + - sshd_do_not_permit_user_env | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80902-0 - - DISA-STIG-RHEL-08-010520 + - CCE-80903-8 + - CJIS-5.5.6 + - DISA-STIG-RHEL-08-010830 - NIST-800-171-3.1.12 - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) @@ -11770,15 +12162,15 @@ - medium_severity - no_reboot_needed - restrict_strategy - - sshd_disable_user_known_hosts + - sshd_do_not_permit_user_env -- name: Disable GSSAPI Authentication +- name: Force frequent session key renegotiation block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*GSSAPIAuthentication\s+ + regexp: (?i)^\s*RekeyLimit\s+ state: absent check_mode: true changed_when: false 
@@ -11787,40 +12179,35 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*GSSAPIAuthentication\s+ + regexp: (?i)^\s*RekeyLimit\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*GSSAPIAuthentication\s+ - line: GSSAPIAuthentication no + regexp: (?i)^\s*RekeyLimit\s+ + line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }} state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s when: + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_gssapi_auth | bool + - sshd_rekey_limit | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80897-2 - - DISA-STIG-RHEL-08-010521 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) + - CCE-82177-7 + - DISA-STIG-RHEL-08-040161 + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy - - sshd_disable_gssapi_auth + - sshd_rekey_limit - name: Enable Use of Strict Mode Checking block: @@ -11871,13 +12258,13 @@ - restrict_strategy - sshd_enable_strictmodes -- name: Disable SSH Access via Empty Passwords +- name: Enable SSH Warning Banner block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*PermitEmptyPasswords\s+ + regexp: (?i)^\s*Banner\s+ state: absent check_mode: true changed_when: false 
@@ -11886,92 +12273,86 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*PermitEmptyPasswords\s+ + regexp: (?i)^\s*Banner\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*PermitEmptyPasswords\s+ - line: PermitEmptyPasswords no + regexp: (?i)^\s*Banner\s+ + line: Banner /etc/issue state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s when: - - high_severity | bool - low_complexity | bool - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_disable_empty_passwords | bool + - sshd_enable_warning_banner | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80896-4 + - CCE-80905-3 - CJIS-5.5.6 - - DISA-STIG-RHEL-08-020330 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 + - DISA-STIG-RHEL-08-010040 + - NIST-800-171-3.1.9 - NIST-800-53-AC-17(a) + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - high_severity - low_complexity - low_disruption + - medium_severity - no_reboot_needed - restrict_strategy - - sshd_disable_empty_passwords + - sshd_enable_warning_banner -- name: Disable Kerberos Authentication +- name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in '/etc/sysconfig/sshd' block: - name: Check for duplicate values lineinfile: - path: /etc/ssh/sshd_config + path: /etc/sysconfig/sshd create: false - regexp: (?i)^\s*KerberosAuthentication\s+ + regexp: ^\s*SSH_USE_STRONG_RNG= state: absent check_mode: true changed_when: false register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config + - name: Deduplicate values from /etc/sysconfig/sshd lineinfile: - path: /etc/ssh/sshd_config + path: /etc/sysconfig/sshd create: false - regexp: (?i)^\s*KerberosAuthentication\s+ + 
regexp: ^\s*SSH_USE_STRONG_RNG= state: absent when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config + - name: Insert correct line to /etc/sysconfig/sshd lineinfile: - path: /etc/ssh/sshd_config + path: /etc/sysconfig/sshd create: true - regexp: (?i)^\s*KerberosAuthentication\s+ - line: KerberosAuthentication no + regexp: ^\s*SSH_USE_STRONG_RNG= + line: SSH_USE_STRONG_RNG=32 state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s + insertbefore: ^# SSH_USE_STRONG_RNG + validate: /usr/bin/bash -n %s when: - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_disable_kerb_auth | bool + - sshd_use_strong_rng | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80898-0 - - DISA-STIG-RHEL-08-010521 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) + - CCE-82462-3 + - DISA-STIG-RHEL-08-010292 - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - sshd_disable_kerb_auth + - sshd_use_strong_rng - name: Set SSH Idle Timeout Interval block: @@ -12028,13 +12409,13 @@ - restrict_strategy - sshd_set_idle_timeout -- name: Enable SSH Warning Banner +- name: Enable SSH Print Last Log block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*Banner\s+ + regexp: (?i)^\s*PrintLastLog\s+ state: absent check_mode: true changed_when: false 
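Review bot: `SSH_USE_STRONG_RNG=32` in /etc/sysconfig/sshd is read by the sshd unit as an environment file at service start, so the Insert task changes nothing for the running daemon until sshd is restarted, and the hunk adds no `notify` for that. The `validate: /usr/bin/bash -n %s` check only confirms the file is syntactically valid shell, not that the value is in effect. A comment on the Insert task would set expectations, e.g. `# takes effect on the next sshd restart; no handler is triggered here`.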
@@ -12043,15 +12424,15 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*Banner\s+ + regexp: (?i)^\s*PrintLastLog\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*Banner\s+ - line: Banner /etc/issue + regexp: (?i)^\s*PrintLastLog\s+ + line: PrintLastLog yes state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s 
@@ -12061,31 +12442,78 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_enable_warning_banner | bool + - sshd_print_last_log | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80905-3 - - CJIS-5.5.6 - - DISA-STIG-RHEL-08-010040 - - NIST-800-171-3.1.9 + - CCE-82281-7 + - DISA-STIG-RHEL-08-020350 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-9 + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_print_last_log + +- name: Disable SSH Support for User Known Hosts + block: + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*IgnoreUserKnownHosts\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*IgnoreUserKnownHosts\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*IgnoreUserKnownHosts\s+ + line: IgnoreUserKnownHosts yes + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_user_known_hosts | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80902-0 + - DISA-STIG-RHEL-08-010520 + - NIST-800-171-3.1.12 - NIST-800-53-AC-17(a) - - NIST-800-53-AC-8(a) - - NIST-800-53-AC-8(c) - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - sshd_enable_warning_banner + - 
sshd_disable_user_known_hosts -- name: Set SSH Client Alive Count Max to zero +- name: Prevent remote hosts from connecting to the proxy display block: - name: Check for duplicate values lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*ClientAliveCountMax\s+ + regexp: (?i)^\s*X11UseLocalhost\s+ state: absent check_mode: true changed_when: false @@ -12094,15 +12522,15 @@ lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*ClientAliveCountMax\s+ + regexp: (?i)^\s*X11UseLocalhost\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - regexp: (?i)^\s*ClientAliveCountMax\s+ - line: ClientAliveCountMax 0 + regexp: (?i)^\s*X11UseLocalhost\s+ + line: X11UseLocalhost yes state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s 
@@ -12112,176 +12540,34 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_set_keepalive_0 | bool + - sshd_x11_use_localhost | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83405-1 - - CJIS-5.5.6 - - DISA-STIG-RHEL-08-010200 - - NIST-800-171-3.1.11 - - NIST-800-53-AC-12 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-2(5) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-10 - - PCI-DSS-Req-8.1.8 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - sshd_set_keepalive_0 - -- name: Ensure xorg packages are removed - package: - name: - - xorg-x11-server-Xorg - - xorg-x11-server-common - - xorg-x11-server-utils - - xorg-x11-server-Xwayland - state: absent - tags: - - CCE-83411-9 - - DISA-STIG-RHEL-08-040320 - - NIST-800-53-CM-6(b) - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - - xwindows_remove_packages - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - xwindows_remove_packages | bool - -- name: Switch to multi-user runlevel - file: - src: /usr/lib/systemd/system/multi-user.target - dest: /etc/systemd/system/default.target - state: link - force: true - tags: - - CCE-83411-9 - - DISA-STIG-RHEL-08-040320 + - CCE-84058-7 + - DISA-STIG-RHEL-08-040341 - NIST-800-53-CM-6(b) - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - - xwindows_remove_packages - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - xwindows_remove_packages | bool + - sshd_x11_use_localhost -- name: Ensure abrt is removed +- name: Ensure sendmail is removed package: - name: abrt + name: sendmail state: absent - tags: - - CCE-80948-3 - - DISA-STIG-RHEL-08-040001 - - 
disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_abrt_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_abrt_removed | bool - -- name: Disable service kdump - block: - - name: Gather the service facts - service_facts: null - - name: Disable service kdump - systemd: - name: kdump.service - enabled: 'no' - state: stopped - masked: 'yes' - when: '"kdump.service" in ansible_facts.services' - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_kdump_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80878-2 - - DISA-STIG-RHEL-08-010670 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_kdump_disabled - -- name: Unit Socket Exists - kdump.socket - command: systemctl list-unit-files kdump.socket - args: - warn: false - register: socket_file_exists - changed_when: false - ignore_errors: true - check_mode: false - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - service_kdump_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80878-2 - - DISA-STIG-RHEL-08-010670 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_kdump_disabled - -- name: Disable socket kdump - systemd: - name: kdump.socket - enabled: 'no' - state: stopped - masked: 'yes' when: - disable_strategy | bool - low_complexity | bool - low_disruption | 
bool - medium_severity | bool - no_reboot_needed | bool - - service_kdump_disabled | bool + - package_sendmail_removed | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"kdump.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-80878-2 - - DISA-STIG-RHEL-08-010670 + - CCE-81039-0 + - DISA-STIG-RHEL-08-040002 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) 
@@ -12290,82 +12576,30 @@ - low_disruption - medium_severity - no_reboot_needed - - service_kdump_disabled + - package_sendmail_removed -- name: Ensure usbguard is installed - package: - name: usbguard +- name: Make sure that that "/etc/aliases" has a defined value for root + lineinfile: + path: /etc/aliases + line: 'root: {{ var_postfix_root_mail_alias }}' + regexp: ^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$ + create: true state: present - tags: - - CCE-82959-8 - - DISA-STIG-RHEL-08-040140 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_usbguard_installed - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_usbguard_installed | bool - -- name: Enable service usbguard - block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable service usbguard - service: - name: usbguard - enabled: 'yes' - state: started - masked: 'no' - when: - - '"usbguard" in ansible_facts.packages' when: - - enable_strategy | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool + - low_severity | bool - no_reboot_needed | bool - - service_usbguard_enabled | bool + - postfix_client_configure_mail_alias | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82853-3 - - DISA-STIG-RHEL-08-040140 - - NIST-800-53-CM-8(3)(a) - - NIST-800-53-IA-3 - - enable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_usbguard_enabled - -- name: Ensure vsftpd is removed - package: - name: vsftpd - state: absent - tags: - - CCE-82414-4 - - DISA-STIG-RHEL-08-040360 + - CCE-82381-5 + - DISA-STIG-RHEL-08-030030 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - high_severity + - configure_strategy - 
low_complexity - low_disruption + - low_severity - no_reboot_needed - - package_vsftpd_removed - when: - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - package_vsftpd_removed | bool + - postfix_client_configure_mail_alias
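Review bot: The `/etc/aliases` edit is not followed by a rebuild of the alias database; the MTA reads the compiled `aliases.db`, so the new root alias is not effective until `newaliases` runs, and this hunk adds no handler or `notify` for it (a later task may do so, but none is in this diff). The task name also carries a doubled word: `- name: Make sure that "/etc/aliases" has a defined value for root`. The regexp handles both bare and double-quoted `root` case-insensitively, which is fine, but a short comment such as `# requires newaliases afterwards to rebuild aliases.db` above the task would make the dependency explicit.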