diff --git a/.ansible-lint b/.ansible-lint
index e582a588..39c4d623 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,20 +1,24 @@
+---
+
 parseable: true
 quiet: true
 skip_list:
 - 'schema'
 - 'no-changed-when'
- - 'var-spacing'
+ - 'fqcn-builtins'
 - 'experimental'
- - 'name[play]'
+ - 'fqcn[action-core]'
+ - 'fqcn[action]'
 - 'name[casing]'
 - 'name[template]'
- - 'fqcn[action]'
+ - 'jinja[spacing]'
+ - 'var-naming' # Older playbook no new release
 - '204'
+ - '208'
 - '305'
 - '303'
 - '403'
 - '306'
 - '602'
- - '208'
 use_default_rules: true
 verbosity: 0
diff --git a/.yamllint b/.yamllint
index 72ac645b..ec469292 100644
--- a/.yamllint
+++ b/.yamllint
@@ -1,28 +1,33 @@
 ---
-# Based on ansible-lint config
 extends: default
 
+ignore: |
+ tests/
+ molecule/
+ .github/
+ .gitlab-ci.yml
+ *molecule.yml
+
 rules:
- braces: {max-spaces-inside: 1, level: error}
- brackets: {max-spaces-inside: 1, level: error}
- colons: {max-spaces-after: -1, level: error}
- commas: {max-spaces-after: -1, level: error}
- comments: disable
- comments-indentation: disable
- document-start: disable
- empty-lines: {max: 3, level: error}
- hyphens: {level: error}
- indentation:
- # Requiring 4 space indentation
- spaces: 4
- # Requiring consistent indentation within a file, either indented or not
- indent-sequences: consistent
- key-duplicates: enable
- line-length: disable
- new-line-at-end-of-file: enable
- new-lines:
- type: unix
- trailing-spaces: enable
- truthy:
- allowed-values: ['true', 'false']
- check-keys: true
+ indentation:
+ # Requiring 4 space indentation
+ spaces: 4
+ # Requiring consistent indentation within a file, either indented or not
+ indent-sequences: consistent
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ empty-lines:
+ max: 1
+ line-length: disable
+ key-duplicates: enable
+ new-line-at-end-of-file: enable
+ new-lines:
+ type: unix
+ trailing-spaces: enable
+ truthy:
+ allowed-values: ['true', 'false']
+ check-keys: false
diff --git a/ChangeLog.md b/ChangeLog.md
index 8112b081..58351024 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,5 +1,23 @@
 # Changelog
 
+## 2.1 Stig V3r11 27th April 2023
+
+Consistent on ansible version
+Improvement in checking ansible user has password 010340
+tidy of boootloader discovery and paths
+
+- New controls
+ - RHEL-07-010019
+ - RHEL-07-010063
+ - RHEL-07-020028
+
+- rule id updates and changes
+ - RHEL-07-010119
+ - RHEL-07-010199
+ - RHEL-07-010271
+ - RHEL-07-020028
+ - RHEL-07-020030
+
 ## 2.0.1
 
 update lint inline with galaxy requirements
diff --git a/README.md b/README.md
index 7250a235..68be4ff5 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,52 @@ # RHEL 7 DISA STIG -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL7-STIG/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL7-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic) -![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL7-STIG?style=plastic) +## Configure a RHEL7 based system to be complaint with Disa STIG -Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`. +This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on April 27, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R11_STIG.zip). -This role is based on RHEL 7 DISA STIG: [Version 3, Rel 10 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R10_STIG.zip). 
+--- -## Join us +![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) +![Stars](https://img.shields.io/github/stars/ansible-lockdown/RHEL7-STIG?label=Repo%20Stars&style=social) +![Forks](https://img.shields.io/github/forks/ansible-lockdown/RHEL7-STIG?style=social) +![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) +[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) + +![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible) +![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) + +![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL7-STIG/devel?color=dark%20green&label=Devel%20Branch%20commits) + +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) +![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL7-STIG?label=Release%20Date) +![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL7-STIG?label=Release%20Tag&&color=success) + +![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL7-STIG?label=Open%20Issues) +![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL7-STIG?label=Closed%20Issues&&color=success) +![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL7-STIG?label=Pull%20Requests) + +![License](https://img.shields.io/github/license/ansible-lockdown/RHEL7-STIG?label=License) + +--- + +## 
Looking for support? + +[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH7_stig) + +[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH7_stig) + +### Community On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +--- + +Configure a RHEL 7 system to be DISA STIG compliant. +Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. +Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `true`. + ## Updating Coming from a previous release. @@ -27,7 +62,7 @@ More information can be found in the [ChangeLog](./ChangeLog.md) ## Auditing (new) -This can be turned on or off within the defaults/main.yml file with the variable rhel7stig_run_audit. The value is false by default, please refer to the wiki for more details. +This can be turned on or off within the defaults/main.yml file with the variable run_audit. The value is false by default, please refer to the wiki for more details. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. 
@@ -38,63 +73,51 @@ Refer to - [RHEL7-STIG-Audit](https://github.com/ansible-lockdown/RHEL7-STIG-Audit). +## Documentation + +- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/) +- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH7_stig) +- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_RH7_stig) +- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH7_stig) +- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH7_stig) + ## Requirements RHEL 7 or CentOS 7 - Other versions are not supported. Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system. -**General:** - -- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - - - [Main Ansible documentation page](https://docs.ansible.com) - - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) -- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL7-STIG/wiki/Main-Variables). 
-- While check_mode may work, This is not supported. - -### Please be aware - -- This does set the single user password for grub this does need to be defined - You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2' -- Some controls make changes to sudo, please ensure a sudo password is set for the user and it is added to the way to run your playbook. - -## Documentation - -- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL7-STIG/) -- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) -- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) -- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) -- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) -- [Wiki](https://github.com/ansible-lockdown/RHEL7-STIG/wiki) - ## Dependencies +The following packages must be installed on the controlling host/host where ansible is executed: + - Python3 (preferred) - Ansible 2.9+ -- jmespath - -Ansible is set to run in a python3 environment. +- python2-passlib (or just passlib, if using python3) +- python-lxml +- python-xmltodict +- python-jmespath -Dependencies required for the playbook are installed on the endpoint if required. +Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. 
These variables can be found [here](https://github.com/ansible-lockdown/RHEL7-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. -## Tags +### Tags There are many tags available for added control precision. Each control has it's own set of tags noting the control number as well as what parts of the system that control addresses. -Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag ssh, this task will be skipped. The -opposite can also happen where you run only controls tagged with ssh. +Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag dconf, this task will be skipped. The opposite can also happen where you run only controls tagged with dconf. ```sh tags: - - RHEL-07-010050 - - ssh - - dod_logon_banner + - RHEL-07-010060 + - CAT2 + - CCI-000056 + - SRG-OS-000028-GPOS-00009 + - SV-204396r880746_rule + - V-204396 + - dconf ``` ## Example Audit Summary 
@@ -126,6 +149,25 @@ rhel7test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 r - **gh_pages** - github pages - **all other branches** - Individual community member branches +## Containers - Testing + +- system_is_container + +This is set to false by defaults/main.yml +If discovered it is a container type or ansible_connection == docker it will convert to run to with with true. +Some controls will skip is this is true as they are not applicable at all. Others runs a subset of controls found in vars/is_container.yml based on a vendor supplied un altered image. + +**NON altered vendor image.** + +- container_vars_file: is_container.yml + +This vars file runs controls are grouped into tags so if the container does later have ssh it could be re-enabled by loading an alternative vars file. + +### Please Be Aware + +- This does set the single user password for grub this does need to be defined - You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2' +- Some controls make changes to sudo, please ensure a sudo password is set for the user and it is added to the way to run your playbook. + ## Community Contribution We encourage you (the community) to contribute to this role. Please read the rules below. @@ -139,11 +181,15 @@ We encourage you (the community) to contribute to this role. Please read the rul uses: -- Ansible-core 2.12 -- Ansible collections - pulls in the latest version based on requirements file -- Runs the audit using the devel branch +- ansible-core 2.12 +- ansible collections - pulls in the latest version based on requirements file +- runs the audit using the devel branch - This is an automated test that occurs on pull requests into devel +## Known Issues + +None + ## Support This is a community project at its core and will be managed as such. diff --git a/ansible-lint b/ansible-lint index f21e1f44..39c4d623 100644 --- a/ansible-lint +++ b/ansible-lint 
@@ -1,14 +1,24 @@
+---
+
 parseable: true
 quiet: true
 skip_list:
- - 'schema'
- - 'no-changed-when'
- - 'fqcn-builtins'
- - '204'
- - '305'
- - '303'
- - '403'
- - '306'
- - '602'
+ - 'schema'
+ - 'no-changed-when'
+ - 'fqcn-builtins'
+ - 'experimental'
+ - 'fqcn[action-core]'
+ - 'fqcn[action]'
+ - 'name[casing]'
+ - 'name[template]'
+ - 'jinja[spacing]'
+ - 'var-naming' # Older playbook no new release
+ - '204'
+ - '208'
+ - '305'
+ - '303'
+ - '403'
+ - '306'
+ - '602'
 use_default_rules: true
 verbosity: 0
diff --git a/defaults/main.yml b/defaults/main.yml
index d52299cc..a56b9ced 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,7 +13,7 @@ python2_bin: /bin/python2.7
 # audit variable found at the base
 benchmark: RHEL7-STIG
 ## metadata for Audit benchmark
-benchmark_version: 'v3r10'
+benchmark_version: 'v3r11'
 
 # Whether to skip the reboot
 rhel7stig_skip_reboot: true
@@ -29,7 +29,7 @@ get_audit_binary_method: download
 # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# enable audits to run - this runs the audit and get the latest content
+# enable audits to run - this runs the audit and get the latest content
 run_audit: false
 
 # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
@@ -40,7 +40,6 @@ audit_cmd_timeout: 60000
 ### End Audit enablements ####
 
 #### Detailed settings found at the end of this document ####
-
 # We've defined complexity-high to mean that we cannot automatically remediate
 # the rule in question. In the future this might mean that the remediation
 # may fail in some cases.
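Review bot: After this hunk the unhidden `ansible-lint` file and `.ansible-lint` are byte-identical (both resolve to blob `39c4d623` in their `index` lines), yet only `.ansible-lint` is a config path ansible-lint reads, as far as I know; the second copy is dead configuration that will silently drift the next time one of them is edited. Consider deleting `ansible-lint` in this commit rather than updating it, or at least adding a comment at its top saying which file is authoritative. The same `skip_list` also silences `fqcn[action]` while the commit itself is partly an FQCN migration (`ansible.posix.mount`), which is worth a sentence in the ChangeLog so future contributors know the lint rule is intentionally off.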
@@ -108,12 +107,14 @@ rhel_07_040690: true
 rhel_07_040700: true
 rhel_07_040800: true
 # CAT 2 rules
+rhel_07_010019: true
 rhel_07_010030: "{{ rhel7stig_gui }}"
 rhel_07_010040: "{{ rhel7stig_gui }}"
 rhel_07_010050: true
 rhel_07_010060: "{{ rhel7stig_gui }}"
 rhel_07_010061: "{{ rhel7stig_gui }}"
 rhel_07_010062: "{{ rhel7stig_gui }}"
+rhel_07_010063: "{{ rhel7stig_gui }}"
 rhel_07_010070: "{{ rhel7stig_gui }}"
 rhel_07_010081: "{{ rhel7stig_gui }}"
 rhel_07_010082: "{{ rhel7stig_gui }}"
@@ -164,6 +165,7 @@ rhel_07_020020: true
 rhel_07_020021: true
 rhel_07_020022: true
 rhel_07_020023: true
+rhel_07_020028: true # Is required for 20030 &20040
 rhel_07_020029: true
 rhel_07_020030: true
 # Send AIDE reports as mail notifications - Disabled by default as this is a non-ideal way to do notifications
@@ -459,7 +461,6 @@ rhel7stig_snmp_community: Endgam3Ladyb0g
 # presence of another compliant equivalent
 rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"
 
-
 # RHEL-07-010480 and RHEL-07-010490
 # Password protect the boot loader
 
@@ -488,6 +489,7 @@ rhel7stig_aide_db_file: /var/lib/aide/aide.db.gz
 # RHEL-07-010483 & RHEL-07-010492
 rhel7stig_grub_superusers: su_mode_superuser
 
+# RHEL-07-020030 & RHEL-07-020040
 rhel7stig_aide_cron:
 user: root
 cron_file: aide
@@ -497,7 +499,7 @@ rhel7stig_aide_cron:
 special_time: daily
 # Disable the notification check rule to disable mailing notifications
 notify_by_mail: "{{ rhel_07_020040 }}"
- notify_cmd: ' | /var/spool/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'
+ notify_cmd: ' | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'
 
 rhel7stig_cron_special_disable: "{{ rhel7stig_workaround_for_disa_benchmark or
@@ -678,25 +680,28 @@ rhel7stig_ipsec_required: false
 rhel7stig_using_password_auth: true
 rhel7stig_availability_override: false
 
-# auditd_failure_flag
-# 2 Tells your system to perform an immediate shutdown without
-# flushing any pending data to disk when the limits of your
-# audit system are exceeded. Because this shutdown is not a clean shutdown.
-# restrict the use of -f 2 to only the most security conscious environments
-# 1 System continues to run, issues a warning and audit stops.
-# Use this for any other setup to avoid loss of data or data corruption.
+# # auditd_failure_flag
+# # 2 Tells your system to perform an immediate shutdown without
+# # flushing any pending data to disk when the limits of your
+# # audit system are exceeded. Because this shutdown is not a clean shutdown.
+# # restrict the use of -f 2 to only the most security conscious environments
+# # 1 System continues to run, issues a warning and audit stops.
+# # Use this for any other setup to avoid loss of data or data corruption.
 rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, 2) }}"
 
 rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
 rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}"
 
-rhel7stig_machine_uses_uefi: "{{ rhel_07_sys_firmware_efi.stat.exists }}"
-rhel7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
-rhel7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
+rhel7stig_legacy_boot_path: '/boot/grub2/'
+rhel7stig_efi_boot_path: '/boot/efi/EFI/'
+
+# rhel7stig_machine_uses_uefi: "{{ rhel_07_sys_firmware_efi.stat.exists }}"
+# rhel7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary(rhel7stig_bootloader_path'/grub.cfg', '/boot/grub2/grub.cfg') }}"
+# rhel7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
 
-oracle7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"
-oracle7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"
+# oracle7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"
+# oracle7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/redhat/grub.cfg', '/boot/grub2/grub.cfg') }}"
 
 rhel7stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
diff --git a/handlers/main.yml b/handlers/main.yml
index b39b6b24..c414bd4c 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
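Review bot: The commented-out `rhel7stig_grub_cfg_path` replacement is not valid Jinja (`ternary(rhel7stig_bootloader_path'/grub.cfg', ...)` lacks the `~` concatenation), so anyone who uncomments it to restore the old variable gets a template error; dead alternatives like this and the doubled `# #` on the auditd_failure_flag comment should be deleted rather than left as comments, with git history holding the old form. `rhel7stig_efi_boot_path: '/boot/efi/EFI/'` also drops the vendor subdirectory (`redhat`, `centos`, ...) that the removed `rhel7stig_grub_cfg_path` derived from `ansible_distribution | lower`, so whatever builds `rhel7stig_bootloader_path` from it — not in this diff, presumably tasks/main.yml or prelim — must still append that directory, otherwise grub2-mkconfig in the handler writes to `/boot/efi/EFI/grub.cfg`, which nothing boots. Finally `rhel7stig_machine_uses_uefi` is no longer defined here, so any inventory or playbook that still overrides or references it will hit an undefined variable; a one-line `# replaced by rhel7stig_legacy_boot (set in prelim)` comment would save the next reader a search.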
@@ -25,7 +25,7 @@
 notify: make grub2 config
 
 - name: make grub2 config
- ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_grub_cfg_path }}
+ ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_bootloader_path }}grub.cfg
 when:
 - rhel7stig_grub2_user_cfg.stat.exists
 - not rhel7stig_skip_for_travis
@@ -34,8 +34,8 @@
 - name: copy grub2 config to BIOS/UEFI to satisfy benchmark
 listen: make grub2 config
 ansible.builtin.copy:
- src: "{{ rhel7stig_grub_cfg_path | dirname }}/{{ item }}"
- dest: "{{ rhel7stig_grub_cfg_path_invalid | dirname }}/{{ item }}"
+ src: "{{ rhel7stig_bootloader_path }}/{{ item }}"
+ dest: "{{ rhel7stig_not_boot_path }}/{{ item }}"
 remote_src: true
 mode: 0600
 with_items:
@@ -58,8 +58,6 @@
 - name: restart auditd
 ansible.builtin.shell: /usr/sbin/service "{{ rhel7stig_audit_daemon }}" restart
- args:
- warn: false
 
 - name: rebuild initramfs
 ansible.builtin.shell: dracut -f
diff --git a/meta/main.yml b/meta/main.yml
index 40edc8c8..a028684f 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -6,7 +6,7 @@ galaxy_info:
 license: MIT
 role_name: rhel7_stig
 namespace: mindpointgroup
- min_ansible_version: 2.9.0
+ min_ansible_version: 2.10.1
 platforms:
 - name: EL
 versions:
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 68156f16..533cedf0 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -4,8 +4,6 @@
 - name: "HIGH | RHEL-07-010010 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."
 ansible.builtin.shell: |
 rpm -Va --nolinkto --nofiledigest --nosize --nomtime --nodigest --nosignature | grep -E '^(.M|.....U|......G)' | tee /dev/stderr | cut -c13- | sed 's/^ //' | xargs rpm -qf --qf='%{name}\n' | sort -u
- args:
- warn: false
 check_mode: false
 failed_when: false
 changed_when: false
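Review bot: The two grub handlers make opposite assumptions about `rhel7stig_bootloader_path`: `make grub2 config` appends with no separator (`--output={{ rhel7stig_bootloader_path }}grub.cfg`), which is only correct if the value ends in `/`, while the copy handler joins with an explicit slash (`{{ rhel7stig_bootloader_path }}/{{ item }}`), which then produces `//`. The defaults added in this commit (`'/boot/grub2/'`, `'/boot/efi/EFI/'`) carry trailing slashes, so settle on one convention — e.g. `src: "{{ rhel7stig_bootloader_path }}{{ item }}"` and `dest: "{{ rhel7stig_not_boot_path }}{{ item }}"` — or strip the slash from the defaults and always join with `/`. Neither `rhel7stig_bootloader_path` nor `rhel7stig_not_boot_path` is defined anywhere in this diff; they are presumably set as facts in prelim, which is not visible here, so that should be confirmed before merge. Unrelated to the rename, the unchanged `mode: 0600` on the copy is an unquoted octal that YAML 1.1 reads as the integer 384; `mode: '0600'` is the safe spelling the file already uses elsewhere (`mode: '0644'`).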
@@ -193,7 +191,7 @@
 - make grub2 config
 no_log: true
 when:
- - not rhel7stig_machine_uses_uefi
+ - rhel7stig_legacy_boot
 
 - name: "HIGH | RHEL-07-010491 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
 ansible.builtin.lineinfile:
@@ -207,7 +205,7 @@
 - confirm grub2 user cfg
 - make grub2 config
 when:
- - rhel7stig_machine_uses_uefi
+ - not rhel7stig_legacy_boot
 when:
 - rhel_07_010482 or rhel_07_010491
 
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 05b6b970..7dca60d6 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1,5 +1,38 @@
 ---
 
+- name: "MEDIUM | RHEL-07-010019 | PATCH | RHEL 7 must ensure cryptographic verification of vendor software packages."
+ block:
+ - name: "MEDIUM | RHEL-07-010019 | PATCH | RHEL 7 must ensure cryptographic verification of vendor software packages. | package installed"
+ ansible.builtin.package:
+ name: "{{ gpg_package }}"
+ state: present
+ when: "gpg_package not in ansible_facts.packages"
+
+ - name: "MEDIUM | RHEL-07-010019 | AUDIT | RHEL 7 must ensure cryptographic verification of vendor software packages. | Confirm keys"
+ ansible.builtin.shell: "gpg -q --keyid-format short --with-fingerprint {{ rpm_gpg_key }} | grep -A1 '{{ item.name }}' | grep '{{ item.fingerprint }}'"
+ changed_when: false
+ failed_when: rhel_07_010019_gpg_info.rc not in [ 0, 1]
+ register: rhel_07_010019_gpg_info
+ loop: "{{ gpg_keys }}"
+ loop_control:
+ label: item.name
+
+ - name: "MEDIUM | RHEL-07-010019 | AUDIT | RHEL 7 must ensure cryptographic verification of vendor software packages. | warn"
+ ansible.builtin.debug:
+ msg:
+ - "WARNING!! Please investigate the vendor gpgkeys match expected values"
+ loop: "{{ rhel_07_010019_gpg_info.results }}"
+ when: item.rc != 0
+ when:
+ - rhel_07_010019
+ tags:
+ - RHEL-07-010019
+ - CAT2
+ - CCI-001749
+ - SRG-OS-000366-GPOS-00153
+ - SV-256968r902687_rule
+ - V-256968
+
 ### RHEL-07-010030 | RHEL-07-010040 combined as related tasks in regards to a config file no other content will be in.
 - name: "MEDIUM | RHEL-07-010030 | RHEL-07-010040 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."
 ansible.builtin.copy: # noqa: template-instead-of-copy
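Review bot: `loop_control.label: item.name` is a literal string, not a template, so every iteration of the "Confirm keys" task is labelled `item.name`; it should be `label: "{{ item.name }}"`. The pipeline's exit status is that of the final `grep`, so if `gpg` itself fails (e.g. `{{ rpm_gpg_key }}` missing or unreadable) the greps simply see no input and return 1, which the `failed_when` treats as a benign mismatch and the "warn" task reports as a fingerprint problem rather than a broken check; either run under `/bin/bash` with `set -o pipefail` via `args: executable: /bin/bash`, or stat the key file first. For a control whose purpose is cryptographic verification, a fingerprint that does not match the expected value arguably deserves `failed_when: item.rc != 0` on the result rather than only a debug warning, or at least a `rhel7stig_*` toggle to make it fatal. The sibling audit in fix-cat1 (RHEL-07-010010) sets `check_mode: false` on its shell step; this one does not, so in check mode the registered result has no `results` and the "warn" loop would error — the two audits should be consistent. `gpg_package`, `rpm_gpg_key` and `gpg_keys` are not defined anywhere in this diff; presumably they live in vars/, which is not shown.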
@@ -93,6 +126,61 @@
 - V-204397
 - dconf
 
+- name: "MEDIUM | RHEL-07-010062 | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."
+ ansible.builtin.copy:
+ dest: /etc/dconf/db/local.d/locks/session_rhel_07_010062
+ content: |
+ /org/gnome/desktop/screensaver/lock-enabled
+ mode: '0644'
+ notify: dconf update
+ when:
+ - rhel7stig_dconf_available
+ - rhel_07_010062
+ tags:
+ - RHEL-07-010062
+ - CAT2
+ - CCI-000057
+ - SRG-OS-000029-GPOS-00010
+ - SV-214937r880767_rule
+ - V-214937
+ - dconf
+
+- name: "MEDIUM | RHEL-07-010063 | PATCH | The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces."
+ block:
+ - name: "MEDIUM | RHEL-07-010063 | PATCH | The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces. | login_screen"
+ ansible.builtin.lineinfile:
+ path: /etc/dconf/db/local.d/00-login-screen
+ line: "{{ item }}"
+ mode: '0644'
+ create": true
+ loop:
+ - [org/gnome/login-screen]
+ - disable-user-list=true
+ notify: dconf update
+
+ - name: "MEDIUM | RHEL-07-010063 | PATCH | The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces. | gdm profile"
+ ansible.builtin.lineinfile:
+ path: /etc/dconf/profile/gdm
+ line: "{{ item }}"
+ mode: '0644'
+ create": true
+ loop:
+ - user-db:user
+ - system-db:gdm
+ - file-db:/usr/share/gdm/greeter-dconf-defaults
+ notify: dconf update
+ when:
+ - rhel7stig_dconf_available
+ - rhel_07_010063
+ tags:
+ - RHEL-07-010063
+ - CAT2
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - SV-256969r902690_rule
+ - V-256969
+ - dconf
+
 - name: "MEDIUM | RHEL-07-010070 | PATCH | The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."
 ansible.builtin.copy:
 dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010070
@@ -248,8 +336,8 @@
 ansible.builtin.lineinfile:
 create: true
 dest: /etc/pam.d/system-auth
- regexp: '^#?password\s+required pam_pwquality.so retry'
- line: password required pam_pwquality.so retry=3
+ regexp: '^#?password\s+(required|requisite) pam_pwquality.so retry'
+ line: password requisite pam_pwquality.so retry=3
 mode: 0644
 when:
 - rhel_07_010119
@@ -258,7 +346,7 @@
 - CAT2
 - CCI-000192
 - SRG-OS-000069-GPOS-00037
- - SV-204406r603261_rule
+ - SV-204406r902704_rule
 - V-204406
 - pamd
 
@@ -420,7 +508,7 @@
 - CAT2
 - CCI-000196
 - SRG-OS-000072-GPOS-00040
- - SV-255928r880830_rule
+ - SV-255928r902706_rule
 - V-255928
 - pamd
 
@@ -633,7 +721,7 @@
 - V-204422
 - pamd
 
-- name: "MEDIUM | AUDIT | RHEL-07-010271 | The Red Hat Enterprise Linux operating system emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours."
+- name: "MEDIUM | AUDIT | RHEL-07-010271 | The Red Hat Enterprise Linux operating system must automatically expire temporary accounts within 72 hours."
 ansible.builtin.debug:
 msg:
 - "Warning!! Verify every existing emergency account and make sure it has an expiration date set within 72 hours."
@@ -644,7 +732,7 @@
 - CAT2
 - CCI-001682
 - SRG-OS-000123-GPOS-00064
- - SV-254523r858501_rule
+ - SV-254523r903130_rule
 - V-254523
 
 - name: "MEDIUM | RHEL-07-010280 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length."
@@ -800,7 +888,7 @@
 - V-204428
 - pamd
 
-- name: "MEDIUM | RHEL-08-010339 | PATCH | The Red Hat Enterprise Linux operating system must specify the default 'include' directory for the /etc/sudoers file."
+- name: "MEDIUM | RHEL-07-010339 | PATCH | The Red Hat Enterprise Linux operating system must specify the default 'include' directory for the /etc/sudoers file."
 ansible.builtin.lineinfile:
 path: /etc/sudoers
 regex: '^#includedir'
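Review bot: Both `lineinfile` tasks in the new RHEL-07-010063 block spell the parameter as `create": true` (stray double quote), so the key YAML sees is `create"`, which the module rejects as an unsupported parameter and the whole control fails at runtime; it must be `create: true`. The first loop item `- [org/gnome/login-screen]` is unquoted and is parsed by YAML as a flow sequence, so `line: "{{ item }}"` renders as `['org/gnome/login-screen']` rather than the dconf section header; quote it as `- '[org/gnome/login-screen]'`. Appending the three gdm profile lines one at a time with `lineinfile` also does not guarantee their order on a pre-existing `/etc/dconf/profile/gdm`, and dconf, as far as I recall, applies databases in the order listed, so a `copy`/`content: |` of the whole profile — the pattern the adjacent 010062 and 010070 tasks already use — would be more deterministic. Since the two tasks also both notify `dconf update`, a failed first task would leave the second unapplied; the block has no `rescue`, which is consistent with the rest of the file, but the `create"` typo means the block currently never succeeds on hosts where the files do not yet exist.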
@@ -969,7 +1057,7 @@
 - { regexp: '^\s*set superusers=', line: ' set superusers="{{ rhel7stig_grub_superusers }}"' }
 - { regexp: '^\s*export superusers', line: ' export superusers'}
 - { regexp: '^\s*password_pbkdf2', line: ' password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' }
- when: not rhel7stig_machine_uses_uefi
+ when: rhel7stig_legacy_boot
 
 - name: "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Set grub unique name UEFI"
 ansible.builtin.lineinfile:
@@ -982,7 +1070,7 @@
 - { regexp: '^\s*set superusers=', line: ' set superusers="{{ rhel7stig_grub_superusers }}"' }
 - { regexp: '^\s*export superusers', line: ' export superusers' }
 - { regexp: '^\s*password_pbkdf2', line: ' password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' }
- when: rhel7stig_machine_uses_uefi
+ when: not rhel7stig_legacy_boot
 when:
 - rhel_07_010483 or rhel_07_010492
 
@@ -1112,6 +1200,23 @@
 - SV-204444r754744_rule
 - V-204444
 
+- name: "MEDIUM | RHEL-07-020028 | PATCH | The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel."
+ ansible.builtin.package:
+ name: mailx
+ state: present
+ notify: "{{ rhel7stig_aide_handler }}"
+ when:
+ - rhel_07_020028
+ - "'mailx' not in ansible_facts.packages"
+ tags:
+ - RHEL-07-020028
+ - CAT2
+ - CCI-001744
+ - SRG-OS-000363-GPOS-00150
+ - SV-256970r902696_rule
+ - V-256970
+ - mailx
+
 - name: "MEDIUM | RHEL-07-020029 | PATCH | The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions."
 ansible.builtin.package:
 name: aide
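Review bot: The new RHEL-07-020028 task is gated on `'mailx' not in ansible_facts.packages`, so `notify: "{{ rhel7stig_aide_handler }}"` only ever fires on a host where mailx was absent; on an already-compliant host the handler never runs, which is fine if it only (re)initialises AIDE but worth a comment such as `# handler only needed on first install; existing hosts are covered by 020030`. `rhel7stig_aide_handler` and the `ansible_facts.packages` fact are not set anywhere in this diff, so the task assumes `package_facts` ran earlier (presumably in prelim) and that a handler with that name exists; an undefined variable in `notify` will fail the task. This commit also makes the control a hard prerequisite for the AIDE cron (defaults comment `# Is required for 20030 &20040` and the cron task's new `when:`), so setting `rhel_07_020028: false` silently disables RHEL-07-020030 even when `rhel7stig_aide_cron.notify_by_mail` is false and no mail client is needed; gating the cron on `rhel_07_020028 or not rhel7stig_aide_cron.notify_by_mail` would keep the integrity check independent of the mail control.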
@@ -1153,6 +1258,7 @@
 rhel7stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) | ternary(omit, rhel7stig_aide_cron.special_time) }}"
 when:
+ - rhel_07_020028 ## Required as per benchmark
 - rhel_07_020030 or rhel_07_020040
 tags:
@@ -1283,7 +1389,6 @@
 - V-204454
 - selinux
 
-
 - name: "MEDIUM | RHEL-07-020240 | PATCH | The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
 ansible.builtin.lineinfile:
 path: /etc/login.defs
@@ -1902,7 +2007,7 @@
 - complexity-high
 
 - name: "MEDIUM | RHEL-07-021000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."
- ansible.builtin.mount:
+ ansible.posix.mount:
 path: /home
 state: mounted
 src: "{{ home_mount.device }}"
@@ -1925,7 +2030,7 @@
 - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
 block:
 - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
- ansible.builtin.mount:
+ ansible.posix.mount:
 path: /media
 state: mounted
 src: "{{ removable_mount.device }}"
@@ -1938,7 +2043,7 @@
 - "'nosuid' not in home_mount.options"
 
 - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
- ansible.builtin.mount:
+ ansible.posix.mount:
 path: /mnt
 state: mounted
 src: "{{ removable_mount2.device }}"
@@ -1961,7 +2066,7 @@ - V-204481 - name: "MEDIUM | RHEL-07-021020 | PATCH | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)." - ansible.builtin.mount: + ansible.posix.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -1986,7 +2091,7 @@ - mounts - name: "MEDIUM | RHEL-07-021021 | PATCH | The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)." - ansible.builtin.mount: + ansible.posix.mount: path: "{{ item }}" src: "{{ ansible_mounts | json_query(device_query) }}" fstype: "{{ ansible_mounts | json_query(fstype_query) }}" @@ -2174,7 +2279,7 @@ block: # Let's see what is configured in grub. - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved." - ansible.builtin.shell: grep -o "set root=.*" "{{ rhel7stig_grub_cfg_path }}" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq + ansible.builtin.shell: grep -o "set root=.*" "{{ rhel7stig_bootloader_path }}" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq register: rhel7stig_grub_cfg_mediacheck changed_when: false failed_when: false 
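Review bot: The RHEL-07-021700 audit now greps `{{ rhel7stig_bootloader_path }}`, which prelim sets to a directory (`/boot/grub2/` or `.../EFI/redhat` per the set_fact hunks in tasks/prelim.yml), whereas the replaced `rhel7stig_grub_cfg_path` presumably named the grub.cfg file; `grep -o` on a directory reports "Is a directory", and with `failed_when: false` the task registers empty output, so the removable-media boot check passes vacuously. Unless `rhel7stig_bootloader_path` has been redefined as a file elsewhere in this change, point the grep at the config file, e.g. `grep -o "set root=.*" "{{ rhel7stig_bootloader_path }}/grub.cfg" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq`, and consider dropping `failed_when: false` so a missing file is reported rather than hidden. The enclosing block continues outside the hunk.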
@@ -4352,25 +4457,6 @@ - V-214800 - antivirus -- name: "MEDIUM | RHEL-07-010062 | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." - ansible.builtin.copy: - dest: /etc/dconf/db/local.d/locks/session_rhel_07_010062 - content: | - /org/gnome/desktop/screensaver/lock-enabled - mode: '0644' - notify: dconf update - when: - - rhel7stig_dconf_available - - rhel_07_010062 - tags: - - RHEL-07-010062 - - CAT2 - - CCI-000057 - - SRG-OS-000029-GPOS-00010 - - SV-214937r880767_rule - - V-214937 - - dconf - - name: "MEDIUM | RHEL-07-020111 | PATCH | The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required." ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-No-Automount diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 501158cc..b544a948 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -64,7 +64,7 @@ - passwd - name: "LOW | RHEL-07-021024 | PATCH | The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options." - ansible.builtin.mount: + ansible.posix.mount: path: /dev/shm state: mounted src: "{{ dev_shm_mount.device | default('tmpfs') }}" diff --git a/tasks/main.yml b/tasks/main.yml index fe187585..2da32ba8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -21,20 +21,20 @@ tags: - always -- name: "Check password set for {{ ansible_user }}" +- name: "Check password set for connecting user" block: - - name: Capture current password state of "{{ ansible_user }}" - ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + - name: Capture current password state of connecting user" + ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - - name: "Assert that password set for {{ ansible_user }} and account not locked" + - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_user }}" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}" vars: sudo_password_rule: RHEL-07-010340 when: @@ -66,6 +66,11 @@ - RHEL-07-010491 - cat1 +- name: Include OS specific variables + ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + tags: + - always + - name: include prelim tasks ansible.builtin.import_tasks: prelim.yml tags: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index e31be2ff..6d20eeaa 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -5,8 +5,6 @@ environment: "{{ audit_run_script_environment | default({}) }}" changed_when: false register: audit_run_post_remediation - vars: - warn: false - name: Post Audit | ensure audit files readable by users ansible.builtin.file: 
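Review bot: `ansible_env.SUDO_USER`, used in the capture task's shell line and in both assert messages, is only present when the session reached root through sudo; when the play connects as root directly or escalates another way the fact is undefined and templating aborts before the password check runs. Give it a fallback and anchor the lookup so a user name that is a prefix of another, or appears in some other field, cannot match the wrong row: `grep '^{{ ansible_env.SUDO_USER | default(ansible_user_id) }}:' /etc/shadow`. Two smaller nits in the same hunk: the capture task's name ends with a stray `"`, and `success_msg` reads `You a password set`, presumably `You have a password set`. The block's `when` conditions lie outside the hunk.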
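Review bot: `include_vars: "{{ ansible_distribution }}.yml"` fails the play for any distribution without a matching file under vars/, and this diff adds only RedHat.yml, CentOS.yml, Centos.yml and OracleLinux.yml, so other RHEL-7 derivatives the role may have run on before now stop at this `always`-tagged task before any OS check in prelim can give a clearer message. If narrowing the supported platforms is intended, document it beside the task, e.g. `# requires vars/<ansible_distribution>.yml: RedHat, CentOS, OracleLinux`; otherwise load through the `first_found` lookup with a default file.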
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index a733c03b..8bf9ce22 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -18,8 +18,6 @@ failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) changed_when: false register: python36_rpm_present - args: - warn: false - name: "PRELIM | Add the EPEL repository required for the python36-rpm pkg" ansible.builtin.package: @@ -434,7 +432,8 @@ block: - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" ansible.builtin.set_fact: - rhel7stig_bootloader_path: /boot/efi/EFI/redhat + rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" + rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false when: - rhel7_efi_boot.stat.exists @@ -442,7 +441,8 @@ - name: "PRELIM | set fact if UEFI boot | CentOS " ansible.builtin.set_fact: - rhel7stig_bootloader_path: /boot/efi/EFI/centos + rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" + rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false when: - rhel7_efi_boot.stat.exists @@ -450,7 +450,8 @@ - name: "PRELIM | set if not UEFI boot" ansible.builtin.set_fact: - rhel7stig_bootloader_path: /boot/grub2/ + rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" rhel7stig_legacy_boot: true when: not rhel7_efi_boot.stat.exists diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 555c3dbd..08140a1b 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
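Review bot: `"{{ rhel7stig_efi_boot_path }}redhat"` and, in the next hunk, `"{{ rhel7stig_efi_boot_path }}centos"` concatenate with no separator, so the result is a valid path only if `rhel7stig_efi_boot_path` is defined with a trailing slash; that definition is not in this diff, and `rhel7stig_legacy_boot_path` is used whole, so the two bootloader facts may not agree on whether they end in `/`. Consumers that append a file name (the RHEL-07-021700 shell task earlier in this diff now uses `rhel7stig_bootloader_path` directly) need one convention; either a comment `# rhel7stig_efi_boot_path must end in '/'` on these set_facts or an explicit join, `"{{ rhel7stig_efi_boot_path }}/redhat"`, would pin it down.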
@@ -8,6 +8,13 @@ is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% end run_heavy_tests: {{ audit_run_heavy_tests }} timeout_ms: {{ audit_cmd_timeout }} +gpg_keys: +{% for info in gpg_keys %} + - name: {{ info.name }} + fingerprint: {{ info.fingerprint }} +{% endfor %} +rpm_gpg_key: {{ rpm_gpg_key }} + # If running on RHEL7 <= 7.2 rhel7stig_legacyOS: {% if ansible_distribution_version > '7.2' %} false {% else %} true {% endif %} @@ -51,12 +58,14 @@ RHEL_07_040800: {{ rhel_07_040800 }} ## Cat II +RHEL_07_010019: {{ rhel_07_010019 }} RHEL_07_010030: {{ rhel_07_010030 }} RHEL_07_010040: {{ rhel_07_010040 }} RHEL_07_010050: {{ rhel_07_010050 }} RHEL_07_010060: {{ rhel_07_010060 }} RHEL_07_010061: {{ rhel_07_010061 }} RHEL_07_010062: {{ rhel_07_010062 }} +RHEL_07_010063: {{ rhel_07_010063 }} RHEL_07_010070: {{ rhel_07_010070 }} RHEL_07_010081: {{ rhel_07_010081 }} RHEL_07_010082: {{ rhel_07_010082 }} @@ -107,6 +116,7 @@ RHEL_07_020020: {{ rhel_07_020020 }} RHEL_07_020021: {{ rhel_07_020021 }} RHEL_07_020022: {{ rhel_07_020022 }} RHEL_07_020023: {{ rhel_07_020023 }} +RHEL_07_020028: {{ rhel_07_020028 }} RHEL_07_020029: {{ rhel_07_020029 }} RHEL_07_020030: {{ rhel_07_020030 }} RHEL_07_020040: {{ rhel_07_020040 }} # see rhel7stig_notify_command diff --git a/vars/CentOS.yml b/vars/CentOS.yml new file mode 100644 index 00000000..05e0e648 --- /dev/null +++ b/vars/CentOS.yml @@ -0,0 +1,9 @@ +--- + +gpg_keys: + - name: 'CentOS 7 Official Signing Key' + packager: "security@centos.org" + fingerprint: "6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5" + +gpg_package: centos-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 diff --git a/vars/Centos.yml b/vars/Centos.yml new file mode 100644 index 00000000..05e0e648 --- /dev/null +++ b/vars/Centos.yml 
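Review bot: The rendered goss vars emit `- name: {{ info.name }}` and `fingerprint: {{ info.fingerprint }}` as plain scalars, so a key name containing `: ` or ` #`, or starting with a quote or bracket, would break or silently truncate the generated YAML; the values in the new vars files happen to be safe, but the template does not enforce it. Quote both, `- name: "{{ info.name }}"` and `fingerprint: "{{ info.fingerprint }}"`, so the rendered file stays valid whatever the vars contain.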
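Review bot: The fingerprints in vars/CentOS.yml (and in vars/OracleLinux.yml and vars/RedHat.yml in the following hunks) are the trust anchors the GPG-key checks will compare against, yet nothing records where they were taken from, so a later reviewer cannot tell a transcription error from a key rotation without redoing the research. Add a comment on each `fingerprint` line naming the vendor source it was verified against, e.g. `# verified against <vendor key page>, <date>` with both filled in. `packager` is recorded here but, as far as this diff shows, never read by the goss template, so either wire it in or drop it.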
@@ -0,0 +1,9 @@ +--- + +gpg_keys: + - name: 'CentOS 7 Official Signing Key' + packager: "security@centos.org" + fingerprint: "6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5" + +gpg_package: centos-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml new file mode 100644 index 00000000..d2bac88d --- /dev/null +++ b/vars/OracleLinux.yml @@ -0,0 +1,9 @@ +--- + +gpg_keys: + - name: 'Oracle OSS group' + packager: "build@oss.oracle.com" + fingerprint: "4214 4123 FECF C55B 9086 313D 72F9 7B74 EC55 1F03" + +gpg_package: oraclelinux-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle diff --git a/vars/RedHat.yml b/vars/RedHat.yml new file mode 100644 index 00000000..b1d35d07 --- /dev/null +++ b/vars/RedHat.yml @@ -0,0 +1,13 @@ +--- + +gpg_keys: + - name: 'release key 2' + packager: 'security@redhat.com' + fingerprint: '567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51' + + - name: 'auxiliary key' + packager: 'security@redhat.com' + fingerprint: '43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0' + +gpg_package: redhat-release +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution | lower }}-release diff --git a/vars/main.yml b/vars/main.yml index 7dd1e3de..dbe06ca9 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,5 @@ --- -rhel7stig_min_ansible_version: 2.10.0 +rhel7stig_min_ansible_version: 2.10.1 rhel7stig_dconf_available: "{{ rhel7stig_gui or rhel7stig_dconf_audit.rc == 0 or rhel7stig_always_configure_dconf }}"
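Review bot: vars/Centos.yml is byte-identical to vars/CentOS.yml (both new files carry blob 05e0e648) and differs only in case, so the two paths collide on case-insensitive filesystems, where a macOS or Windows checkout keeps only one of them; and since `ansible_distribution` reports `CentOS` on those systems as far as I know, the lowercase-s copy is never selected by the `include_vars` in tasks/main.yml. Drop vars/Centos.yml unless a fact value of `Centos` has actually been observed, in which case note which platform produces it rather than keeping a duplicate that will drift.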
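Review bot: `rpm_gpg_key` in vars/RedHat.yml templates `{{ ansible_distribution | lower }}` into the path, but this file is only loaded when `ansible_distribution` is `RedHat` (per the `include_vars` in tasks/main.yml), so the expression always yields `redhat-release` and the indirection only hides the literal. Write it out as `rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`, matching the plain paths in vars/CentOS.yml and vars/OracleLinux.yml.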