From c5936ffc08df04beb4a048471d7f73b273572dfc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 13:02:20 +0100 Subject: [PATCH 1/9] 21350 improvements Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 202 +++++++++++++++++++++++---------------------- tasks/prelim.yml | 138 +++++++++++++++++++++---------- 2 files changed, 200 insertions(+), 140 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 1ab19f04..70f00751 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -43,31 +43,31 @@ - V-204392 - permissions -- name: "HIGH | RHEL-07-010020 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." +- name: "HIGH | RHEL-07-021350 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." block: - - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." + - name: "HIGH | RHEL-07-021350 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." ansible.builtin.shell: 'rpm -Va --noconfig --nolinkto --nosize --nouser --nogroup --nomtime --nomode --nodigest --nosignature | grep ''^..5'' | tee /dev/stderr | cut -c13- | sed ''s/^ //'' | xargs rpm -qf --qf=''%{name}\n'' | sort -u' check_mode: false failed_when: false - changed_when: rhel_07_010020_audit.stdout| length > 0 - register: rhel_07_010020_audit + changed_when: rhel_07_021350_audit.stdout| length > 0 + register: rhel_07_021350_audit - - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." + - name: "HIGH | RHEL-07-021350 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." 
ansible.builtin.debug: - msg: "{{ rhel_07_010020_audit.stderr_lines }}" + msg: "{{ rhel_07_021350_audit.stderr_lines }}" changed_when: true - when: rhel_07_010020_audit.stdout | length > 0 + when: rhel_07_021350_audit.stdout | length > 0 - - name: "HIGH | RHEL-07-010020 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." + - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values." ansible.builtin.shell: yum reinstall -y {{ item }} failed_when: false with_items: - - "{{ rhel_07_010020_audit.stdout_lines }}" - when: rhel_07_010020_audit.stdout_lines | length > 0 + - "{{ rhel_07_021350_audit.stdout_lines }}" + when: rhel_07_021350_audit.stdout_lines | length > 0 when: - - rhel_07_010020 + - rhel_07_021350 tags: - - RHEL-07-010020 + - RHEL-07-021350 - CAT1 - CCI-001749 - SRG-OS-000480-GPOS-00227 
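Review bot: The rename gives this rpm -Va block the same control ID as the FIPS block later in the file, and `register: rhel_07_021350_audit` is now also the name registered by the FIPS block's "Verify kernel parameters" task in the `@@ -433,71 +440,72 @@` hunk, so whichever task runs later silently overwrites the other's result. If the hash check is meant to live under 021350 now, give it a distinct variable, e.g. `register: rhel_07_021350_rpm_audit`, and update the `changed_when`, `msg`, `when` and `with_items` references in this hunk to match. The tags left under the renamed block (CCI-001749, SRG-OS-000480-GPOS-00227) are still the old control's and should be revisited at the same time.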
@@ -378,52 +378,59 @@ - V-204462 - accounts -- name: "HIGH | RHEL-07-021350 | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." +- name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." block: - - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards." + - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" ansible.builtin.package: name: dracut-fips state: present vars: ansible_python_interpreter: "{{ python2_bin }}" - notify: rebuild initramfs - when: - - "'dracut-fips' not in ansible_facts.packages" + notify: + - rebuild initramfs + - change_requires_reboot + when: "'dracut-fips' not in ansible_facts.packages" - name: "HIGH | RHEL-07-021350 | PATCH | Disable prelinking." 
ansible.builtin.lineinfile: - path: /etc/sysconfig/prelink + dest: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no + when: "'prelink' in ansible_facts.packages" notify: undo existing prelinking - when: - - "'prelink' in ansible_facts.packages" - - name: "HIGH | RHEL-07-021350 | AUDIT | Check /etc/default/grub exists" - ansible.builtin.stat: - path: /etc/default/grub - register: rhel7_stig_default_grub - - - name: "HIGH | RHEL-07-021350 | AUDIT | Capture GRUB_CMDLINE_LINUX from /proc/cmdline" - block: - - name: "HIGH | RHEL-07-021350 | AUDIT | Capture GRUB_CMDLINE_LINUX from /proc/cmdline" - ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline - check_mode: false - changed_when: false - failed_when: rhel_07_021350_grub_cmdline_linux_audit.rc > 1 - register: rhel_07_021350_grub_cmdline_linux_audit - - - name: "HIGH | RHEL-07-021350 | PATCH | Copy over a sane /etc/default/grub" - ansible.builtin.template: - src: etc_default_grub.j2 - dest: /etc/default/grub - owner: root - group: root - mode: 0644 - register: rhel7_stig_grub_template - vars: - grub_cmdline_linux: "{{ rhel_07_021350_grub_cmdline_linux_audit.stdout }}" - when: not rhel7_stig_default_grub.stat.exists + - name: "HIGH | RHEL-07-021350 | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub + check_mode: false + failed_when: false + changed_when: rhel_07_021350_default_grub_missing_audit.rc > 0 + register: rhel_07_021350_default_grub_missing_audit + + - name: "HIGH | RHEL-07-021350 | AUDIT | Parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" + ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline + check_mode: false + changed_when: false + failed_when: rhel_07_021350_grub_cmdline_linux_audit.rc > 1 + when: rhel_07_021350_default_grub_missing_audit is changed # noqa no-handler + register: rhel_07_021350_grub_cmdline_linux_audit + + - name: "HIGH | RHEL-07-021350 | PATCH | Copy 
over a sane /etc/default/grub" + ansible.builtin.template: + src: etc_default_grub.j2 + dest: /etc/default/grub + owner: root + group: root + mode: '0644' + vars: + grub_cmdline_linux: "{{ rhel_07_021350_grub_cmdline_linux_audit.stdout }}" + when: rhel_07_021350_default_grub_missing_audit is changed # noqa no-handler + + - name: "HIGH | RHEL-07-021350 | AUDIT | Verify fips kernel parameters in /etc/default/grub" + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])fips=1(?=[" ]).*"$' /etc/default/grub + check_mode: false + changed_when: false + failed_when: rhel_07_021350_fips_kernel_set.rc not in [ 0, 1 ] + register: rhel_07_021350_fips_kernel_set - name: "HIGH | RHEL-07-021350 | PATCH | fips=1 must be in /etc/default/grub" ansible.builtin.replace: 
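Review bot: The "Copy over a sane /etc/default/grub" template now runs whenever the grep for a `GRUB_CMDLINE_LINUX="..."` line does not match (`rhel_07_021350_default_grub_missing_audit is changed`), whereas the removed version only ran when the file did not exist; because the audit grep has `failed_when: false`, rc 1 (line absent or single-quoted) and rc 2 (file absent) are indistinguishable, so an existing /etc/default/grub that merely lacks that line is replaced wholesale and its other settings are lost. Consider keeping a stat on the file and templating only when it is absent, and otherwise adding the missing line in place, e.g. `ansible.builtin.lineinfile: {path: /etc/default/grub, line: 'GRUB_CMDLINE_LINUX=""'}`. The enclosing block continues into the next hunk.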
@@ -433,71 +440,72 @@ vars: key: GRUB_CMDLINE_LINUX param: fips - value: "{{ fips_value }}" + value: 1 append: true # this is the default - notify: confirm grub2 user cfg when: - not ansible_check_mode or - rhel7_stig_grub_template is not changed + rhel_07_021350_default_grub_missing_audit is not changed + - rhel_07_021350_fips_kernel_set.stdout | length == 0 + notify: + - confirm grub2 user cfg + - change_requires_reboot + + - name: "HIGH | RHEL-07-021350 | AUDIT | Verify boot kernel parameters in /etc/default/grub" + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ rhel7stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub + check_mode: false + changed_when: false + failed_when: rhel_07_021350_boot_kernel_set.rc not in [ 0, 1 ] + register: rhel_07_021350_boot_kernel_set - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." - block: - - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." 
- ansible.builtin.replace: - path: /etc/default/grub - regexp: "{{ rhel7stig_regexp_quoted_params }}" - replace: "{{ rhel7stig_replace_quoted_params }}" - with_items: - - "{{ ansible_mounts | json_query(query) }}" - vars: - query: "[?mount=='{{ rhel7stig_boot_part }}'] | [0]" # noqa: jinja[invalid] - key: GRUB_CMDLINE_LINUX - param: boot - value: UUID={{ item.uuid }} - insert: true - when: - - rhel7stig_boot_part not in ['/', ''] - - item.uuid is defined - - not ansible_check_mode or - rhel7_stig_grub_template is not changed - notify: confirm grub2 user cfg - register: result - - - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in /etc/default/grub" - ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub - check_mode: false - with_items: - - "fips={{ fips_value }}" - - boot=UUID={{ ansible_mounts | json_query(query) }} - vars: - query: "[?mount=='{{ rhel7stig_boot_part }}'].uuid | [0]" # noqa: jinja[invalid] - register: rhel_07_021350_audit - changed_when: - - ansible_check_mode - - rhel_07_021350_audit is failed - failed_when: - - rhel_07_021350_audit.rc not in [ 0, 1 ] - - not ansible_check_mode - - when: - - not ansible_check_mode or - rhel7_stig_grub_template is not changed - - rhel7stig_boot_part not in ['/', ''] or - 'boot=' not in item + ansible.builtin.replace: + path: /etc/default/grub + regexp: "{{ rhel7stig_regexp_quoted_params }}" + replace: "{{ rhel7stig_replace_quoted_params }}" + vars: + query: "{{ rhel7stig_boot_part.stdout }}" + key: GRUB_CMDLINE_LINUX + param: boot + value: UUID={{ rhel7stig_boot_uuid.stdout }} + insert: true + when: + - rhel7stig_boot_part.stdout not in ['/', ''] + - rhel_07_021350_boot_kernel_set.stdout | length == 0 + - not ansible_check_mode or + rhel_07_021350_default_grub_missing_audit is not changed + + notify: confirm grub2 user cfg + register: result + + - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in 
/etc/default/grub" + ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub + check_mode: false + with_items: + - fips=1 + - boot=UUID={{ rhel7stig_boot_uuid.stdout }} + register: rhel_07_021350_audit + when: + - not ansible_check_mode or + rhel_07_021350_default_grub_missing_audit is not changed + - "rhel7stig_boot_part.stdout not in ['/', ''] or + 'boot=' not in item" + changed_when: + - ansible_check_mode + - rhel_07_021350_audit is failed + failed_when: + - rhel_07_021350_audit is failed + - not ansible_check_mode or + rhel_07_021350_audit.rc > 1 when: - rhel_07_021350 - rhel7stig_use_fips tags: - RHEL-07-021350 - CAT1 - - CCI-001199 - CCI-000068 - - CCI-002450 - - CCI-002476 - SRG-OS-000033-GPOS-00014 - - SV-204497r603261_rule - - V-204497 - - fips + - SV-230223r928585_rule + - V-230223 - name: "HIGH | RHEL-07-021710 | PATCH | The Red Hat Enterprise Linux operating system must not have the telnet-server package installed." ansible.builtin.package: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 3d097c4b..59fccbc8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
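Review bot: The tag list now carries SV-230223r928585_rule/V-230223 (and drops CCI-001199, CCI-002450, CCI-002476 and `fips`), while the PRELIM block added for the same control in tasks/prelim.yml keeps SV-204497r603261_rule/V-204497 and the full CCI set; one of the two is stale, and a run limited with `--tags V-204497` would now execute the prelim tasks but skip the remediation. The `query: "{{ rhel7stig_boot_part.stdout }}"` entry under `vars:` of the boot= replace task is a leftover from the removed json_query and is no longer referenced; drop it. The boot= replace also builds `value: UUID={{ rhel7stig_boot_uuid.stdout }}` without checking that stdout is non-empty, so if the prelim lookup returned nothing a bare `boot=UUID=` is written into GRUB_CMDLINE_LINUX; add `- rhel7stig_boot_uuid.stdout | length > 0` to its `when:` list.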
@@ -1,5 +1,67 @@ --- +- name: "PRELIM | Check whether machine is UEFI-based" + ansible.builtin.stat: + path: /sys/firmware/efi + register: rhel7_efi_boot + tags: + - goss_template + - always + +- name: set bootloader type + block: + - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" + ansible.builtin.set_fact: + rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" + rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path + + - name: "PRELIM | set fact if UEFI boot | CentOS " + ansible.builtin.set_fact: + rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" + rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_legacy_boot: false + when: + - rhel7_efi_boot.stat.exists + - ansible_distribution == 'CentOS' + + - name: "PRELIM | set if not UEFI boot" + ansible.builtin.set_fact: + rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" + rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" + rhel7stig_legacy_boot: true + when: not rhel7_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + ansible.builtin.debug: + msg: + - "bootloader path set to {{ rhel7stig_bootloader_path }}" + - "legacy boot equals {{ rhel7stig_legacy_boot }}" + tags: + - always + +- name: Include audit specific variables + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + ansible.builtin.include_vars: + file: audit.yml + +- name: Include pre-remediation audit tasks + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml + - name: "PRELIM | Check required packages installed | Python2" ansible.builtin.package: name: 
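Review bot: Both `Include audit specific variables` and `Include pre-remediation audit tasks` are gated on `setup_audit`, so a host with `run_audit: true` and `setup_audit: false` (goss already present, the combination tasks/pre_remediation_audit.yml itself supports by guarding only the LE_audit_setup include with `setup_audit`) never loads vars/audit.yml and never runs the pre-audit, and any later reference to `audit_format` or `post_audit_outfile` hits an undefined variable; the import removed from tasks/main.yml in the next patch was gated on `run_audit` alone. Suggest `when: run_audit or audit_only` on both tasks, and `tags: [always]` on the include_vars so a tag-filtered run still has the audit variables defined.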
@@ -43,6 +105,33 @@ vars: ansible_python_interpreter: "{{ python2_bin }}" +- name: "PRELIM | RHEL-07-021350" + block: + - name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions" + ansible.builtin.shell: df --output=target /boot | tail -n 1 + changed_when: false + check_mode: false + register: rhel7stig_boot_part + + - name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions | get UUID" + ansible.builtin.shell: lsblk -f | grep -E "{{ rhel7stig_boot_part.stdout }}$" | awk '{ print $3 }' + changed_when: false + check_mode: false + register: rhel7stig_boot_uuid + when: + - rhel_07_021350 + tags: + - RHEL-07-021350 + - CAT1 + - CCI-001199 + - CCI-000068 + - CCI-002450 + - CCI-002476 + - SRG-OS-000033-GPOS-00014 + - SV-204497r603261_rule + - V-204497 + - fips + - name: "PRELIM | dconf" block: - name: "PRELIM | Check for dconf availability" 
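Review bot: `lsblk -f | grep -E "{{ rhel7stig_boot_part.stdout }}$" | awk '{ print $3 }'` selects the UUID by column position, which is only correct when the filesystem has no LABEL (with a label, `$3` is the label) and depends on the column set of the installed `lsblk -f`; the grep also uses the mount point as an unescaped regex. Since the fix-cat1 replace task puts this value straight into `boot=UUID=...` on the kernel command line, a wrong or empty result is not harmless. Query the UUID directly, e.g. `ansible.builtin.shell: lsblk -no UUID "$(findmnt -no SOURCE "{{ rhel7stig_boot_part.stdout }}")"`, keeping `check_mode: false` and `changed_when: false` as written.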
@@ -408,49 +497,6 @@ when: - rhel7stig_ssh_required -- name: "PRELIM | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel7_efi_boot - tags: - - goss_template - - always - -- name: set bootloader type - block: - - name: "PRELIM | set fact if UEFI boot | RHEL or OEL" - ansible.builtin.set_fact: - rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" - rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path - - - name: "PRELIM | set fact if UEFI boot | CentOS " - ansible.builtin.set_fact: - rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" - rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" - rhel7stig_legacy_boot: false - when: - - rhel7_efi_boot.stat.exists - - ansible_distribution == 'CentOS' - - - name: "PRELIM | set if not UEFI boot" - ansible.builtin.set_fact: - rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" - rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" - rhel7stig_legacy_boot: true - when: not rhel7_efi_boot.stat.exists - - - name: PRELIM | output bootloader and efi state - ansible.builtin.debug: - msg: - - "bootloader path set to {{ rhel7stig_bootloader_path }}" - - "legacy boot equals {{ rhel7stig_legacy_boot }}" - tags: - - always - - name: "PRELIM | Gather interactive user ID min" block: - name: "PRELIM | Gather interactive user ID min" @@ -472,3 +518,9 @@ tags: - always - auditd + +- name: Gather the package facts + ansible.builtin.package_facts: + manager: auto + tags: + - always From ebaefbde5927174497ec2f75444b9a7e8ac80123 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 13:05:09 +0100 Subject: [PATCH 2/9] moved audit to prelim Signed-off-by: Mark Bolwell --- tasks/main.yml | 14 -------------- 1 file changed, 14 deletions(-) 
diff --git a/tasks/main.yml b/tasks/main.yml index 2041044a..3196e8c6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -79,20 +79,6 @@ - prelim_tasks - run_audit -- name: include pre-remediation audit - ansible.builtin.import_tasks: - file: pre_remediation_audit.yml - when: - - run_audit - tags: - - run_audit - -- name: Gather the package facts - ansible.builtin.package_facts: - manager: auto - tags: - - always - - name: Include CAT I patches ansible.builtin.import_tasks: file: fix-cat1.yml From bb6ed8d203f8bc871958061b6c504beb5b59fd8b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 13:24:33 +0100 Subject: [PATCH 3/9] Audit updates Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 30 +++++--- tasks/audit_only.yml | 30 ++++++++ tasks/parse_etc_passwd.yml | 2 +- tasks/post_remediation_audit.yml | 44 +++++------ tasks/pre_remediation_audit.yml | 121 ++++++++++++++++--------------- vars/audit.yml | 40 ++++++++++ vars/main.yml | 2 + 7 files changed, 178 insertions(+), 91 deletions(-) create mode 100644 tasks/audit_only.yml create mode 100644 vars/audit.yml diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index fd75cea5..b08985e2 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
@@ -1,22 +1,32 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + when: ansible_facts.machine == "x86_64" + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + + - name: Pre Audit Setup | Set audit package name | ARM64 + when: ansible_facts.machine == "arm64" + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + +- name: Pre Audit Setup | Download audit binary + when: get_audit_binary_method == 'download' ansible.builtin.get_url: - url: "{{ audit_bin_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ audit_bin_version.checksum }}" - mode: 0555 - when: - - get_audit_binary_method == 'download' + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" + mode: '0555' -- name: copy audit binary +- name: Pre Audit Setup | Copy audit binary + when: get_audit_binary_method == 'copy' ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 + mode: '0555' owner: root group: root - when: - - get_audit_binary_method == 'copy' diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml new file mode 100644 index 00000000..66b036d3 --- /dev/null +++ b/tasks/audit_only.yml 
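Review bot: `ansible_facts.machine` on Linux reports `aarch64`, not `arm64`, so the ARM64 set_fact never matches and on such hosts `audit_pkg_arch_name` is undefined when the download URL and `audit_bin_version[audit_pkg_arch_name + '_checksum']` are rendered; use `when: ansible_facts.machine == "aarch64"`. Even then, vars/audit.yml added later in this series defines only `AMD64_checksum`, so an ARM64 download would stop on the missing checksum key — the right failure mode given the binary is executed as root, but an `ARM64_checksum` entry (or a third block task that fails with a clear message for unsupported architectures) would make the intent explicit. Keep `checksum:` mandatory rather than defaulting it.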
@@ -0,0 +1,30 @@ +--- + +- name: Audit_Only | Create local Directories for hosts + when: fetch_audit_files + delegate_to: localhost + become: false + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory + +- name: Audit_only | Get audits from systems and put in group dir + when: fetch_audit_files + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" + +- name: Audit_only | Show Audit Summary + when: + - audit_only + ansible.builtin.debug: + msg: "{{ audit_results.split('\n') }}" + +- name: Audit_only | Stop Playbook Audit Only selected + when: + - audit_only + ansible.builtin.meta: end_play diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index 4df03de1..e7612845 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml @@ -15,7 +15,7 @@ vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | + ld_passwd_yaml: | # pragma: allowlist secret id: >-4 \g password: >-4 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 6d20eeaa..d58e9217 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -1,44 +1,44 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: false - register: audit_run_post_remediation +- name: Post Audit | Run post_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" - mode: 0644 + mode: '0644' state: file loop: - "{{ post_audit_outfile }}" - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "Post Audit | capture data {{ post_audit_outfile }} | JSON format" - ansible.builtin.shell: "cat {{ post_audit_outfile }}" - register: post_audit + - name: Post Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 + register: post_audit_summary changed_when: false - - name: PostAudit | Capture post-audit result | JSON format + - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "Post Audit | capture data {{ post_audit_outfile }} | documentation format" - ansible.builtin.shell: "tail -2 {{ 
post_audit_outfile }}" - register: post_audit + - name: Post Audit | Capture audit data if documentation format + ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation" + register: post_audit_summary changed_when: false - - name: Post Audit | Capture post-audit result | documentation format + - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout_lines }}" - when: - - audit_format == "documentation" + post_audit_results: "{{ post_audit_summary.stdout }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 7b4d06f5..a745826f 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
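Review bot: The documentation-format capture runs `tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation`, a hard-coded file name from a different benchmark and host, instead of the file this play just wrote, so `post_audit_results` is either populated from an unrelated file or the task fails with rc 1 when that path does not exist. It should mirror the pre-remediation counterpart: `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`. The json branch is consistent with the pre-audit version and needs no change.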
@@ -1,62 +1,61 @@ --- -- name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: - file: LE_audit_setup.yml +- name: Pre Audit Setup | Setup the LE audit when: - setup_audit tags: - setup_audit + ansible.builtin.include_tasks: + file: LE_audit_setup.yml -- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit Setup | If using git for content set up + when: + - audit_content == 'git' block: - - name: Pre Audit Setup | Install git (rh8 python3) - ansible.builtin.package: - name: git - state: present - when: ansible_distribution_major_version == '8' - - - name: Pre Audit Setup | Install git (rh7 python2) + - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" - when: - - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server - ansible.builtin.copy: - src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 +- name: Pre Audit Setup | Copy to audit content files to server when: - audit_content == 'copy' + ansible.builtin.copy: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" + mode: preserve -- name: Pre Audit Setup | get audit content from url - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" - owner: root - group: root - mode: 0755 +- name: Pre Audit Setup | Unarchive audit content files on server + when: + - audit_content == 'archive' + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" 
+ dest: "{{ audit_conf_dest }}" + +- name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available + when: + - run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: 
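Review bot: The consolidated `Install git` task drops the `ansible_python_interpreter: "{{ python2_bin }}"` override that the removed RHEL 7 variant, and the other package tasks in this role (e.g. the dracut-fips install in tasks/fix-cat1.yml), set; if this role remains RHEL 7 only, restore `vars: ansible_python_interpreter: "{{ python2_bin }}"` so the yum path does not depend on the discovered interpreter. Separately, the `get_url` content path now hands a URL straight to `unarchive` with `remote_src`, so the managed node downloads and extracts the archive with no integrity check, unlike the goss binary, which is pinned by `checksum:`; fetching it with `ansible.builtin.get_url` plus `checksum:` to a staging path and unarchiving from there would close that gap. The `ternary(..., [])` for `extra_opts` mixes a string and a list; `['--strip-components=1']` keeps the type consistent.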
@@ -64,52 +63,58 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available + when: + - not goss_available.stat.exists ansible.builtin.assert: - that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit + tags: + - goss_template + - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 - when: - - run_audit - tags: - - goss_template + mode: '0600' -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_pre_remediation.rc == 0 - register: audit_run_pre_remediation +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" - register: pre_audit + - name: Pre Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: 
'summary."summary-line"' - when: - - audit_format == "json" + pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit + - name: Pre Audit | Capture audit data if documentation format + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" - when: - - audit_format == "documentation" + pre_audit_results: "{{ pre_audit_summary.stdout }}" + +- name: Audit_Only | Run Audit Only + when: + - audit_only + ansible.builtin.import_tasks: + file: audit_only.yml diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 00000000..9486cdc6 --- /dev/null +++ b/vars/audit.yml 
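Review bot: The assert in `If audit ensure goss is available` has lost its `that:` — only `msg:` remains, and `that` is a required argument — so when the binary is missing the task now fails with a module-argument error rather than the intended message. Restore `that: goss_available.stat.exists` and drop the added `when: not goss_available.stat.exists`; the surrounding block's new `when: run_audit` already limits when it runs.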
@@ -0,0 +1,40 @@ +--- + +#### Audit Configuration Settings #### + +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 120000 + +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" + +### Goss Audit Benchmark file ### +## managed by the control audit_content +# git +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: "benchmark_{{ benchmark_version }}_rh7" + +## Goss configuration information +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" + +# If changed these can affect other products +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing + +### Audit binary settings ### +audit_bin_version: + release: v0.3.21 + AMD64_checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" +audit_results: | + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }} diff --git a/vars/main.yml b/vars/main.yml index dbe06ca9..fa752df5 100644 --- a/vars/main.yml +++ b/vars/main.yml 
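Review bot: This file is loaded via `include_vars`, which takes precedence over inventory, group_vars and play vars, so the settings presented here as tunable (`audit_cmd_timeout`, `audit_bin_url`, `audit_file_git`, `audit_git_version`, `audit_format`) can only be overridden with extra vars; `audit_cmd_timeout` in particular was a role default (60000) until patch 4/9 removes it from defaults/main.yml, so a user who set it in inventory now has it silently replaced by 120000. If that precedence is intended, state it in the header comment; otherwise keep the user-facing tunables in defaults/main.yml and leave only the derived paths (`audit_conf_dir`, `pre_audit_outfile`, `post_audit_outfile`, `audit_vars_path`) here.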
@@ -1,6 +1,8 @@ --- rhel7stig_min_ansible_version: 2.10.1 +is_container: false + rhel7stig_dconf_available: "{{ rhel7stig_gui or rhel7stig_dconf_audit.rc == 0 or rhel7stig_always_configure_dconf }}" rhel7stig_has_dconf_command: "{{ rhel7stig_gui or rhel7stig_dconf_audit.rc == 0 }}" From 6a1dd5cff0c4bf467ccc7684c7d8e7d8a2c8a8fa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 13:25:17 +0100 Subject: [PATCH 4/9] moved var from site to vars/main.yml Signed-off-by: Mark Bolwell --- defaults/main.yml | 105 +++++++++++++++++++--------------------------- site.yml | 10 ++--- 2 files changed, 46 insertions(+), 69 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3c6b0a42..da941427 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -18,26 +18,60 @@ benchmark_version: 'v3r13' # Whether to skip the reboot rhel7stig_skip_reboot: true -### Audit Binary is required on the remote host +### +### Settings for associated Audit role using Goss +### + +########################################### +### Goss is required on the remote host ### +### vars/auditd.yml for other settings ### + +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false + +# enable audits to run - this runs the audit and get the latest content +run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true + +## Only run Audit do not remediate +audit_only: false +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode +fetch_audit_files: false +# Path to copy the files to will create dir structure in audit_only mode +audit_capture_files_dir: /some/location to copy to on control node +############################# + # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options -# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. 
if you wish to run from already downloaded conf audit_content: git -# enable audits to run - this runs the audit and get the latest content -run_audit: false +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true -# Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 60000 +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -### End Audit enablements #### +# Where the audit logs are stored +audit_log_dir: '/opt' + +### Goss Settings ## +####### END ######## #### Detailed settings found at the end of this document #### # We've defined complexity-high to mean that we cannot automatically remediate 
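Review bot: The new `archive`/`get_url` options for `audit_conf_source` fetch the audit content (a GitHub tar.gz in the example) with no checksum or signature variable alongside, unlike the Goss binary which has one, so unless the fetching task verifies it some other way the audit definitions run on every managed node come from an unverified download. Suggest a companion default such as `audit_conf_source_checksum: ''` documented as applied when set, or at minimum a comment next to `audit_conf_source` warning that the URL is fetched unverified. Separately, `audit_capture_files_dir: /some/location to copy to on control node` is a placeholder that parses as a legitimate path containing spaces; if left at the default with `fetch_audit_files: true` the fetch would land in that literal directory, so a quoted, obviously-invalid placeholder in the style of `"some path or url to copy from"` used for `audit_conf_source` would be safer.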
@@ -737,56 +771,3 @@ rhel7stig_world_write_files_owner_root: false # The value given to Defaults timestamp timeout= in the sudo file. # Value must be greater than 0 to conform to STIG standards rhel7stig_sudo_timestamp_timeout: 1 - -#### Audit Configuration Settings #### -# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_run_script_environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_FILE: 'goss.yml' - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - -### Audit binary settings ### -audit_bin_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' -audit_bin_path: /usr/local/bin/ -audit_bin: "{{ audit_bin_path }}goss" -audit_format: json - -# if get_audit_binary_method == download change accordingly -audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" - -## if get_audit_binary_method - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -audit_bin_copy_location: /some/accessible/path - -### Goss Audit Benchmark file ### -## managed by the control audit_content -# git -audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}_rh7" - -# copy: -audit_local_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" 
- -## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" - -# If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" - -## The following should not need changing -audit_control_file: "{{ audit_conf_dir }}goss.yml" -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" -audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} diff --git a/site.yml b/site.yml index 830c253d..171abc53 100644 --- a/site.yml +++ b/site.yml @@ -1,10 +1,6 @@ --- -- hosts: all # noqa: name[play] +- name: Ansible Lockdown Remediation Role + hosts: all become: true - vars: - is_container: false - roles: - - role: "{{ playbook_dir }}" - rhel7stig_system_is_container: "{{ is_container | default(false) }}" - rhel7stig_skip_for_travis: false + - role: "{{ playbook_dir }}" From 1e000ce0e253f70e43d2ad7c1d1a0cb2c7f2de01 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 15:36:53 +0100 Subject: [PATCH 5/9] reorder Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 26 +++++++++++++------------- tasks/post_remediation_audit.yml | 4 ++-- tasks/pre_remediation_audit.yml | 4 ++-- tasks/prelim.yml | 8 ++++---- 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 70f00751..4501e626 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -393,7 +393,7 @@ - name: "HIGH | RHEL-07-021350 | PATCH | Disable prelinking." ansible.builtin.lineinfile: - dest: /etc/sysconfig/prelink + path: /etc/sysconfig/prelink regexp: ^#?PRELINKING line: PRELINKING=no when: "'prelink' in ansible_facts.packages" @@ -401,16 +401,16 @@ - name: "HIGH | RHEL-07-021350 | AUDIT | Check for GRUB_CMDLINE_LINUX in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*"$' /etc/default/grub - check_mode: false failed_when: false changed_when: rhel_07_021350_default_grub_missing_audit.rc > 0 + check_mode: false register: rhel_07_021350_default_grub_missing_audit - name: "HIGH | RHEL-07-021350 | AUDIT | Parse sane GRUB_CMDLINE_LINUX from /proc/cmdline" ansible.builtin.shell: grep -oP ' ro \K.*?(?= ?LANG=)' /proc/cmdline - check_mode: false changed_when: false failed_when: rhel_07_021350_grub_cmdline_linux_audit.rc > 1 + check_mode: false when: rhel_07_021350_default_grub_missing_audit is changed # noqa no-handler register: rhel_07_021350_grub_cmdline_linux_audit @@ -427,9 +427,9 @@ - name: "HIGH | RHEL-07-021350 | AUDIT | Verify fips kernel parameters in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])fips=1(?=[" ]).*"$' /etc/default/grub - check_mode: false changed_when: false failed_when: rhel_07_021350_fips_kernel_set.rc not in [ 0, 1 ] + check_mode: false register: rhel_07_021350_fips_kernel_set - name: "HIGH | RHEL-07-021350 | PATCH | fips=1 must be in /etc/default/grub" 
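Review bot: In the "Check for GRUB_CMDLINE_LINUX" task, `changed_when: rhel_07_021350_default_grub_missing_audit.rc > 0` combined with `failed_when: false` treats grep's rc 2 (for example /etc/default/grub unreadable or absent) exactly like "line not present", so a broken file silently steers the run into the /proc/cmdline rebuild path that the next task gates on `is changed`. Keeping the two cases apart is a two-line change, `failed_when: rhel_07_021350_default_grub_missing_audit.rc > 1` and `changed_when: rhel_07_021350_default_grub_missing_audit.rc == 1`, which also matches the `rc > 1` convention the following task already uses. None of the three greps in these hunks needs shell features, so `ansible.builtin.command` would be the idiomatic module. The tasks sit inside a block whose start and end are outside these hunks.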
@@ -452,9 +452,9 @@ - name: "HIGH | RHEL-07-021350 | AUDIT | Verify boot kernel parameters in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ rhel7stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub - check_mode: false changed_when: false failed_when: rhel_07_021350_boot_kernel_set.rc not in [ 0, 1 ] + check_mode: false register: rhel_07_021350_boot_kernel_set - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." @@ -479,23 +479,23 @@ - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub + changed_when: + - ansible_check_mode + - rhel_07_021350_audit is failed + failed_when: + - rhel_07_021350_audit is failed + - not ansible_check_mode or + rhel_07_021350_audit.rc > 1 check_mode: false + register: rhel_07_021350_audit with_items: - fips=1 - boot=UUID={{ rhel7stig_boot_uuid.stdout }} - register: rhel_07_021350_audit when: - not ansible_check_mode or rhel_07_021350_default_grub_missing_audit is not changed - "rhel7stig_boot_part.stdout not in ['/', ''] or 'boot=' not in item" - changed_when: - - ansible_check_mode - - rhel_07_021350_audit is failed - failed_when: - - rhel_07_021350_audit is failed - - not ansible_check_mode or - rhel_07_021350_audit.rc > 1 when: - rhel_07_021350 - rhel7stig_use_fips diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index d58e9217..ad433527 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
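Review bot: The looped "Verify kernel parameters" task registers its per-item result as `rhel_07_021350_audit`, a name generic enough for a control that has several audit tasks; if any other task under RHEL-07-021350 registers the same name, the later one silently clobbers the earlier result, so a descriptive register such as `rhel_07_021350_grub_params_audit` (updated in the `changed_when`/`failed_when` expressions that self-reference it) is cheap insurance. While the keys are being reordered, `with_items` could become `loop` to match current Ansible style. The task is inside a block whose boundaries lie outside this hunk.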
@@ -23,8 +23,8 @@ block: - name: Post Audit | Capture audit data if json format ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 - register: post_audit_summary changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: @@ -36,8 +36,8 @@ block: - name: Post Audit | Capture audit data if documentation format ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation" - register: post_audit_summary changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index a745826f..25038fcd 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -93,8 +93,8 @@ block: - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: @@ -106,8 +106,8 @@ block: - name: Pre Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 59fccbc8..5e4d7848 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
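Review bot: The documentation-format task in post_remediation_audit.yml still runs `tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation`, a hard-coded path to one specific Ubuntu audit output with an epoch timestamp baked in, which will never exist on a RHEL 7 host, so `post_audit_summary` is empty or the task fails whenever `audit_format` is not json. It should read the file this role writes, as the pre-remediation counterpart touched by this same commit already does: `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`. The enclosing block starts and ends outside the hunk.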
@@ -44,23 +44,23 @@ - always - name: Include audit specific variables + ansible.builtin.include_vars: + file: audit.yml when: - run_audit or audit_only - setup_audit tags: - setup_audit - run_audit - ansible.builtin.include_vars: - file: audit.yml - name: Include pre-remediation audit tasks + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml when: - run_audit or audit_only - setup_audit tags: - run_audit - ansible.builtin.import_tasks: - file: pre_remediation_audit.yml - name: "PRELIM | Check required packages installed | Python2" ansible.builtin.package: From aeef574cdfe258efde65fb12abfaa6190a38ad93 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 Jul 2024 15:50:59 +0100 Subject: [PATCH 6/9] quotes on mode items Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- tasks/fix-cat2.yml | 72 +++++++++++++++++++++++----------------------- tasks/main.yml | 2 +- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 88fb8027..0180d931 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -37,7 +37,7 @@ src: "{{ rhel7stig_bootloader_path }}/{{ item }}" dest: "{{ rhel7stig_not_boot_path }}/{{ item }}" remote_src: true - mode: 0600 + mode: '0600' with_items: - grub.cfg - user.cfg diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5d78599b..d95cc5e3 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -67,7 +67,7 @@ dest: "{{ item }}" owner: root group: root - mode: 0644 + mode: '0644' with_items: - /etc/issue - /etc/issue.net @@ -338,7 +338,7 @@ dest: /etc/pam.d/system-auth regexp: '^#?password\s+(required|requisite) pam_pwquality.so retry' line: password requisite pam_pwquality.so retry=3 - mode: 0644 + mode: '0644' when: - rhel_07_010119 tags: @@ -356,7 +356,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*ucredit' line: "ucredit = {{ rhel7stig_password_complexity.ucredit | default('-1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010120 tags: 
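Review bot: Both includes in prelim.yml are gated on `- run_audit or audit_only` and `- setup_audit`, so with the shipped default of `setup_audit: false` a user who sets `run_audit: true` or `audit_only: true` alone gets the audit silently skipped rather than an error. If requiring `setup_audit` is intentional, a comment above the first task such as `# setup_audit must also be true - it installs goss and the audit content the audit depends on` would save a confusing no-op run; if not, the second condition presumably belongs only on the setup steps inside pre_remediation_audit.yml, which are outside this hunk.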
@@ -374,7 +374,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*lcredit' line: "lcredit = {{ rhel7stig_password_complexity.lcredit | default('-1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010130 tags: @@ -392,7 +392,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*dcredit' line: "dcredit = {{ rhel7stig_password_complexity.dcredit | default('-1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010140 tags: @@ -409,7 +409,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*ocredit' line: "ocredit = {{ rhel7stig_password_complexity.ocredit | default('-1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010150 tags: @@ -427,7 +427,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*difok' line: "difok = {{ rhel7stig_password_complexity.difok | default('8') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010160 tags: @@ -445,7 +445,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*minclass' line: "minclass = {{ rhel7stig_password_complexity.minclass | default('4') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010170 tags: @@ -463,7 +463,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*maxrepeat' line: "maxrepeat = {{ rhel7stig_password_complexity.maxrepeat | default('3') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010180 tags: @@ -481,7 +481,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*maxclassrepeat' line: "maxclassrepeat = {{ rhel7stig_password_complexity.maxclassrepeat | default('4') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010190 tags: @@ -501,7 +501,7 @@ dest: "/{{ item }}" owner: root group: root - mode: 0644 + mode: '0644' loop: - etc/pam.d/password-auth-local - etc/pam.d/system-auth-local @@ -594,7 +594,7 @@ dest: /etc/login.defs regexp: ^#?PASS_MIN_DAYS line: "PASS_MIN_DAYS {{ rhel7stig_login_defaults.pass_min_days | default('1') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010230 tags: 
@@ -637,7 +637,7 @@ dest: /etc/login.defs regexp: ^#?PASS_MAX_DAYS line: "PASS_MAX_DAYS {{ rhel7stig_login_defaults.pass_max_days | default('60') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010250 tags: @@ -740,7 +740,7 @@ dest: /etc/security/pwquality.conf regexp: '^#?\s*minlen' line: "minlen = {{ rhel7stig_password_complexity.minlen | default('15') }}" - mode: 0644 + mode: '0644' when: - rhel_07_010280 tags: @@ -1136,7 +1136,7 @@ dest: /etc/pam_pkcs11/pkcs11_eventmgr.conf regexp: '^#?/usr/X11R6/bin/xscreensaver-command -lock' line: "/usr/X11R6/bin/xscreensaver-command -lock" - mode: 0644 + mode: '0644' # This remediates the pam_pkcs11.conf file to enforce the cackey usage for smartcard authentication ### NOTE: If you have custom rules for /etc/pam_pkcs11/pam_pkcs11.conf then change the template pam_pkcs11.conf.j2 @@ -1146,7 +1146,7 @@ dest: /etc/pam_pkcs11/pam_pkcs11.conf owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_07_010500pkcs11install is changed when: @@ -1283,7 +1283,7 @@ create: true owner: root group: root - mode: "0644" + mode: '0644' with_items: - file: /etc/modprobe.d/blacklist.conf insertafter: "^#blacklist usb-storage(\\s+|$)" @@ -1315,7 +1315,7 @@ create: true owner: root group: root - mode: "0644" + mode: '0644' with_items: - file: /etc/modprobe.d/blacklist.conf insertafter: ^#blacklist dccp @@ -1547,7 +1547,7 @@ ansible.builtin.file: path: "{{ item.dir }}" state: directory - mode: 0700 + mode: '0700' with_items: - "{{ rhel7stig_passwd }}" loop_control: @@ -1589,7 +1589,7 @@ ansible.builtin.file: path: "{{ item.dir }}" owner: "{{ item.id }}" - mode: 0700 + mode: '0700' state: directory with_items: - "{{ rhel7stig_passwd }}" @@ -1612,7 +1612,7 @@ path: "{{ item.dir }}" group: "{{ item.gid }}" # noqa risky-file-permissions state: directory - mode: 0700 + mode: '0700' with_items: - "{{ rhel7stig_passwd }}" loop_control: 
@@ -2206,7 +2206,7 @@ state: file owner: root group: root - mode: 0600 + mode: '0600' when: cron_allow_file_check.stat.exists when: - rhel_07_021110 @@ -2371,7 +2371,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" create: true - mode: 0640 + mode: '0640' notify: restart auditd with_items: - { regexp: '^active =', line: 'active = yes'} @@ -3296,7 +3296,7 @@ - name: "MEDIUM | RHEL-07-040160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements." ansible.builtin.blockinfile: create: true - mode: 0644 + mode: '0644' dest: "{{ item.dest }}" state: "{{ item.state }}" marker: "# {mark} ANSIBLE MANAGED" @@ -3385,7 +3385,7 @@ path: /etc/sssd/sssd.conf insertafter: "^ldap_search_base*" create: true - mode: 0600 + mode: '0600' when: rhel_07_040180_audit.stdout == "Active" when: - rhel_07_040180 or @@ -3475,7 +3475,7 @@ regexp: "(?i)^#?ClientAliveInterval" line: ClientAliveInterval {{ rhel7stig_ssh_session_timeout }} validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040320 @@ -3517,7 +3517,7 @@ regexp: "(?i)^#?ClientAliveCountMax" line: ClientAliveCountMax 0 validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040340 @@ -3578,7 +3578,7 @@ line: PermitRootLogin no insertafter: '(?i)^#?authentication' validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040370 @@ -3598,7 +3598,7 @@ regexp: "(?i)^#?IgnoreUserKnownHosts" line: IgnoreUserKnownHosts yes validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040380 
@@ -3619,7 +3619,7 @@ regexp: "(?i)^#?MACs" line: "MACs {{ rhel7stig_ssh_macs }}" validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040400 @@ -3703,7 +3703,7 @@ regexp: "(?i)^#?GSSAPIAuthentication" line: GSSAPIAuthentication no validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040430 @@ -3826,7 +3826,7 @@ dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - mode: 0600 + mode: '0600' notify: restart {{ rhel7stig_time_service }} with_items: - "{{ rhel7stig_time_service_configs[rhel7stig_time_service].lines }}" @@ -4138,7 +4138,7 @@ regexp: "(?i)^#?X11Forwarding" line: X11Forwarding no validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040710 @@ -4159,7 +4159,7 @@ regexp: "(?i)^#?KexAlgorithms" line: KexAlgorithms "{{ rhel7stig_ssh_kex }}" validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040712 @@ -4540,7 +4540,7 @@ path: "{{ item.path }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - "{{ rhel_07_910055_audit_log_files.files }}" when: item.mode is not search '(0[4,6]00)' @@ -4565,7 +4565,7 @@ regexp: "(?i)^#?X11UseLocalhost" line: X11UseLocalhost yes validate: /usr/sbin/sshd -t -f %s - mode: 0600 + mode: '0600' notify: restart sshd when: - rhel_07_040711 diff --git a/tasks/main.yml b/tasks/main.yml index 3196e8c6..2f15a2c7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -109,7 +109,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0600 + mode: '0600' register: auditd_file notify: restart auditd when: From e00e54b4ccc70900a9c88303704bb4302ccef697 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Jul 2024 10:55:54 +0100 Subject: [PATCH 7/9] added update repo url for centos option 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 +++ tasks/main.yml | 16 +++++++-- templates/etc/yum.repos.d/CentOS-Base.repo.j2 | 34 +++++++++++++++++++ 3 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 templates/etc/yum.repos.d/CentOS-Base.repo.j2 diff --git a/defaults/main.yml b/defaults/main.yml index da941427..f4841b9f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -18,6 +18,11 @@ benchmark_version: 'v3r13' # Whether to skip the reboot rhel7stig_skip_reboot: true +# With CentOS being EoL many mirrors no longer exist and fail for updates +# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo +# It will add the new vaulted location where it is possible to get updates and package +rhel7stig_add_updated_repo: false + ### ### Settings for associated Audit role using Goss ### diff --git a/tasks/main.yml b/tasks/main.yml index 2f15a2c7..e2ca6494 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -72,7 +72,19 @@ tags: - always -- name: include prelim tasks +- name: Update CentOS repo for packages - Use vaulted/archive URL - backup original + ansible.builtin.template: + src: etc/yum.repos.d/CentOS-Base.repo.j2 + dest: /etc/yum.repos.d/CentOS-Base.repo + owner: root + group: root + mode: '0644' + backup: true + when: + - rhel7stig_add_updated_repo + - ansible_distribution == "CentOS" + +- name: Include prelim tasks ansible.builtin.import_tasks: file: prelim.yml tags: @@ -103,7 +115,7 @@ - cat3 - low -- name: update auditd +- name: Update auditd ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules diff --git a/templates/etc/yum.repos.d/CentOS-Base.repo.j2 b/templates/etc/yum.repos.d/CentOS-Base.repo.j2 new file mode 100644 index 00000000..f2a66f9b --- /dev/null +++ b/templates/etc/yum.repos.d/CentOS-Base.repo.j2 
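Review bot: The new "Update CentOS repo" task in tasks/main.yml carries no `tags:`, so unlike the neighbouring tasks tagged `always` it is skipped whenever the playbook runs with `--tags` (for example `--tags cat1`), and the package installs that follow would still hit the dead mirrors this option exists to avoid; adding `tags: - always` keeps it in step with the surrounding prelim tasks. The `when:` also matches any CentOS release while the template hard-codes the 7.9.2009 vault path, so guarding additionally on `ansible_distribution_major_version == "7"` would keep the role from overwriting the repo file of a non-7 host it is ever pointed at.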
@@ -0,0 +1,34 @@
+# Note the BaseUrl Changes
+## This is due to CentOS being End Of Life
+# This will now use the legacy archived path
+# Original paths
+# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
+# #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
+
+[base]
+name=CentOS-$releasever - Base
+baseurl=https://vault.centos.org/7.9.2009/os/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=https://vault.centos.org/7.9.2009/updates/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=https://vault.centos.org/7.9.2009/extras/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=https://vault.centos.org/7.9.2009/centosplus/$basearch
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
From 150a6b65fd67cc71ff101a11e23ee67e6a1f0bfe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Jul 2024 10:59:22 +0100 Subject: [PATCH 8/9] removed notify not required Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 -- 1 file changed, 2 deletions(-)
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 4501e626..84ca19f8 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -388,7 +388,6 @@ ansible_python_interpreter: "{{ python2_bin }}" notify: - rebuild initramfs - - change_requires_reboot when: "'dracut-fips' not in ansible_facts.packages" - name: "HIGH | RHEL-07-021350 | PATCH | Disable prelinking."
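Review bot: The new repo template keeps `gpgcheck=1` and an https vault URL, which is the right call, but the `7.9.2009` point release is hard-coded in all four `baseurl` lines while the `name=` entries still use `$releasever`, which reads as if the file were release-agnostic. Rendering the path from a role variable, e.g. `baseurl=https://vault.centos.org/{{ rhel7stig_centos_vault_release }}/os/$basearch` with `rhel7stig_centos_vault_release: 7.9.2009` in defaults, makes the pin visible and documentable in one place; failing that, a header comment stating that the file deliberately pins 7.9.2009 (the last CentOS 7 release) would avoid the mismatch being read as an oversight.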
@@ -448,7 +447,6 @@ - rhel_07_021350_fips_kernel_set.stdout | length == 0 notify: - confirm grub2 user cfg - - change_requires_reboot - name: "HIGH | RHEL-07-021350 | AUDIT | Verify boot kernel parameters in /etc/default/grub" ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ rhel7stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub From ddd17c72be681556c3674768010d3cc209b7820a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 18 Jul 2024 11:00:06 +0100 Subject: [PATCH 9/9] Updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index 16e9886b..d362e9f2 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,13 @@ # Changelog +## 3.2 STIG V3R13 25th Oct 2023 + +- updated workflow to use new methods + - new ami being used as old obsolete +- Updated the audit layout +- New options if using CentOS to update repo files to vaulted.repo + - rhel7stig_add_updated_repo + ## 3.1 STIG V3R13 25th Oct 2023 - RHEL_07_010310 - ruleid updated and INACTIVE var created
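Review bot: Both hunks drop `change_requires_reboot` from the notify list of the tasks that install dracut-fips and add `fips=1` to GRUB_CMDLINE_LINUX, yet neither change affects the running kernel until the host reboots; unless the remaining handlers (`rebuild initramfs`, `confirm grub2 user cfg`) themselves notify the reboot handler, the run now ends with the host reported as FIPS-remediated while still executing a non-FIPS kernel. If those handlers do chain to the reboot flag, a comment on each task saying so, e.g. `# reboot flag is raised by the rebuild initramfs handler`, would make the "not required" in the commit title verifiable from the task itself rather than from handler internals. The tasks belong to a block whose boundaries lie outside these hunks.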