ansible-lockdown · uk-bolly · Sep 24, 2024 · Oct 25, 2023 · Oct 25, 2023 · Oct 25, 2023
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -27,7 +27,7 @@
   jobs:
     # This will create messages for first time contributers and direct them to the Discord server
       welcome:
-        runs-on: self-hosted
+        runs-on: ubuntu-latest
 
         steps:
             - uses: actions/first-interaction@main
@@ -70,7 +70,6 @@
                  echo IAC_BRANCH=main >> $GITHUB_ENV
               fi
 
-
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4

diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
@@ -23,18 +23,6 @@
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
-      welcome:
-        runs-on: self-hosted
-
-        steps:
-            - uses: actions/first-interaction@main
-              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-
       # This workflow contains a single job that tests the playbook
       playbook-test:
         # The type of runner that the job will run on

diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,12 +1,19 @@
 # Changelog
 
-## 3.2 STIG V3R13 25th Oct 2023
-
-- updated workflow to use new methods
-  - new ami being used as old obsolete
-- Updated the audit layout
-- New options if using CentOS to update repo files to vaulted.repo
-  - rhel7stig_add_updated_repo
+## 3.2 STIG v3R14 24th Jan 2024
+
+- Audit updated
+  - moved audit into prelim
+  - updates to audit logic for copy and archive options
+
+- RHEL-07-020019 - title and ruleid update
+- RHEL-07-020022 - ruleid update
+- RHEL-07-020210 - ruleid update
+- RHEL-07-020220 - ruleid update
+- RHEL-07-020100 - ruleid update and bin/false
+- RHEL-07-020101 - ruleid update and bin/false
+- RHEL-07-040180 - ruleid update and bin/false
+- RHEL-07-040190 - ruleid update and bin/false
 
 ## 3.1 STIG V3R13 25th Oct 2023
 

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 ## Configure a RHEL7 based system to be complaint with Disa STIG
 
-This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 13 released on  October 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R13_STIG.zip).
+This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 14 released on  January 24, 2024 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R14_STIG.zip).
 
 ---
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -13,7 +13,7 @@ python2_bin: /bin/python2.7
 # audit variable found at the base
 benchmark: RHEL7-STIG
 ## metadata for Audit benchmark
-benchmark_version: 'v3r13'
+benchmark_version: 'v3r14'
 
 # Whether to skip the reboot
 rhel7stig_skip_reboot: true
@@ -23,10 +23,6 @@ rhel7stig_skip_reboot: true
 # It will add the new vaulted location where it is possible to get updates and package
 rhel7stig_add_updated_repo: false
 
-###
-### Settings for associated Audit role using Goss
-###
-
 ###########################################
 ### Goss is required on the remote host ###
 ### vars/auditd.yml for other settings  ###
@@ -77,6 +73,7 @@ audit_log_dir: '/opt'
 
 ### Goss Settings ##
 ####### END ########
+
 #### Detailed settings found at the end of this document ####
 
 # We've defined complexity-high to mean that we cannot automatically remediate
@@ -375,8 +372,8 @@ rhel_07_040000: true
 rhel_07_040530: true
 rhel_07_040600: true
 
-# Whether or not to run tasks related to auditing/patching the desktop environment
-rhel7stig_gui: false
+# Whether or not to run tasks related to auditing/patching the desktop environment - is discovered if using gnome
+rhel7stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"
 
 # Whether to configure dconf rules unconditionally (ignoring presence of dconf
 # or rhel7stig_gui)
@@ -692,10 +689,6 @@ update_audit_template: false
 # RHEL-07-030300 uncomment and set the value to a remote IP address that can receive audit logs
 # rhel7stig_audisp_remote_server: 10.10.10.10
 
-# RHEL-07-030330: set this to 25% of the free space in /var/log/audit (measured in megabytes)
-rhel7stig_auditd_space_left: "{{ ( ansible_mounts | json_query(rhel7stig_audit_disk_size_query) | int / 4 / 1024 / 1024 ) | int + 1 }}"
-rhel7stig_audit_disk_size_query: "[?mount=='{{ rhel7stig_audit_part }}'].size_total | [0]"
-
 # RHEL-07-030350
 rhel7stig_audit_daemon: auditd
 rhel7stig_auditd_mail_acct: root
@@ -749,12 +742,6 @@ rhel7stig_efi_boot_path: '/boot/efi/EFI/'
 
 rhel7stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
 
-rhel7stig_local_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_local_mounts_query) }}"
-rhel7stig_local_mounts_query: "[?starts_with(device, '/dev/')].mount"
-
-rhel7stig_nfs_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_nfs_mounts_query) }}"
-rhel7stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount"
-
 # DNS Servers to configure, you need two to conform to STIG standards
 rhel_07_040600_dns_servers:
     - 9.9.9.9

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -574,7 +574,7 @@
 - name: "HIGH | RHEL-07-040540 | The Red Hat Enterprise Linux operating system must not contain .shosts files."
   block:
       - name: "HIGH | RHEL-07-040540 | AUDIT | The Red Hat Enterprise Linux operating system must not contain .shosts files."
-        ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name '.shosts'
+        ansible.builtin.shell: find / -xdev -not -fstype nfs -name '.shosts'
         check_mode: false
         changed_when: false
         register: rhel_07_040540_audit
@@ -599,7 +599,7 @@
 - name: "HIGH | RHEL-07-040550 | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."
   block:
       - name: "HIGH | RHEL-07-040550 | AUDIT | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."
-        ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -name 'shosts.equiv'
+        ansible.builtin.shell: find / -xdev -not -fstype nfs -name 'shosts.equiv'
         check_mode: false
         changed_when: false
         register: rhel_07_040550_audit