Stig v3r13 into devel (#457)

* updated version Signed-off-by: Mark Bolwell <[email protected]> * quoted version Signed-off-by: Mark Bolwell <[email protected]> * updated rule id 020230 Signed-off-by: Mark Bolwell <[email protected]> * rule ids and inactive variable added Signed-off-by: Mark Bolwell <[email protected]> * updated Signed-off-by: Mark Bolwell <[email protected]> * updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell <[email protected]> * lint Signed-off-by: Mark Bolwell <[email protected]> * updated precommit files Signed-off-by: Mark Bolwell <[email protected]> * incorporated Feb_24 fixes Signed-off-by: Mark Bolwell <[email protected]> --------- Signed-off-by: Mark Bolwell <[email protected]> Signed-off-by: uk-bolly <[email protected]>
ansible-lockdown · Mar 14, 2024 · 6d800a4 · 6d800a4
1 parent da5270f
commit 6d800a4
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 14 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## 3.1 STIG V3R13 25th Oct 2023
+
+- RHEL_07_010310 - ruleid updated and INACTIVE var created
+- RHEL_07_020020 - ruleid
+- RHEL_07_020021 - ruleid
+- RHEL_07_020023 - ruleid
+- RHEL_07_020230 - ruleid
+- RHEL_07_021700 - ruleid
+
 ## 3.0 Stig V3R12 26th July 2023
 
 - RHEL-07-010199 - pamd password and system auth rewrite and ruleid updated

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 ## Configure a RHEL7 based system to be complaint with Disa STIG
 
-This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on  July 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R12_STIG.zip).
+This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 13 released on  October 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R13_STIG.zip).
 
 ---
 
@@ -47,7 +47,7 @@ Configure a RHEL 7 system to be DISA STIG compliant.
 Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default.
 Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `true`.
 
-# Caution(s)
+## Caution(s)
 
 This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
 
@@ -222,5 +222,7 @@ pre-commit run
 This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)
 
 Massive thanks to the fantastic community and all its members.
+
 This includes a huge thanks and credit to the original authors and maintainers.
-Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell
+
+- Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -13,7 +13,7 @@ python2_bin: /bin/python2.7
 # audit variable found at the base
 benchmark: RHEL7-STIG
 ## metadata for Audit benchmark
-benchmark_version: 'v3r12'
+benchmark_version: 'v3r13'
 
 # Whether to skip the reboot
 rhel7stig_skip_reboot: true
@@ -348,6 +348,9 @@ rhel7stig_smartcard: false
 # Configure your smartcard driver
 rhel7stig_smartcarddriver: cackey
 
+# RHEL_07_010310
+# Must be 35 or less but not 0 or -1
+rhel_07_010310_inactive: 35
 # RHEL_07_020020
 # Set "selinux_change_users" false to disable this control's actions and just report results.
 # You will need to adjust the paths for installed HIPS/HBSS for this control.

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: "HIGH | RHEL-07-010010 | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."
   block:
       - name: "HIGH | RHEL-07-010010 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."
@@ -306,7 +307,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204455r833106_rule
+      - SV-204455r928574_rule
       - V-204455
       - systemctl
 

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
@@ -756,7 +756,7 @@
   ansible.builtin.lineinfile:
       path: /etc/default/useradd
       regexp: ^#?INACTIVE
-      line: INACTIVE=35
+      line: "INACTIVE={{ rhel_07_010310_inactive }}"
   when:
       - rhel_07_010310
   tags:
@@ -1167,15 +1167,15 @@
 # ##############################
 
 # This control should be manually implemented
-- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
+- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
   block:
-      - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users"
+      - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users"
         ansible.builtin.shell: semanage login -l
         changed_when: false
         failed_when: false
         register: rhel_07_020020_sel_auth_users
 
-      - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users"
+      - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users"
         ansible.builtin.debug:
             msg:
                 - "Warning!! Below is your SELinux user/group list. Please review and make sure all of the following are met:"
@@ -1184,7 +1184,7 @@
                 - "{{ rhel_07_020020_sel_auth_users.stdout_lines }}"
         when: rhel_07_020020_sel_auth_users.stdout | length > 0
 
-      - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed"
+      - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed"
         ansible.builtin.debug:
             msg:
                 - "Warning!! You do not have semanage installed! Please installed the needed packages"
@@ -1197,7 +1197,7 @@
       - CCI-002235
       - CCI-002165
       - SRG-OS-000324-GPOS-00125
-      - SV-204444r754744_rule
+      - SV-204444r928571_rule
       - V-204444
 
 - name: "MEDIUM | RHEL-07-020028 | PATCH | The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel."
@@ -2307,7 +2307,7 @@
       - CCI-001813
       - CCI-000318
       - SRG-OS-000364-GPOS-00151
-      - SV-204501r603261_rule
+      - SV-204501r928576_rule
       - V-204501
       - grub
       - bootloader
@@ -4742,7 +4742,7 @@
       - CCI-002165
       - CCI-002235
       - SRG-OS-000324-GPOS-00125
-      - SV-250312r792843_rule
+      - SV-250312r928579_rule
       - V-250312
 
 - name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH."
@@ -4791,5 +4791,5 @@
       - CCI-002165
       - CCI-002235
       - SRG-OS-000324-GPOS-00125
-      - SV-250314r861076_rule
+      - SV-250314r877392_rule
       - V-250314