Stig v3r15 - release to devel

ChangeLog.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 3.3 STIG V3R15 24th July 2024
+
+Product has now been sunset by STIG officiall last release
+All Rule IDs updated
+
+- RHEL-07-020250 - updated statement to show now EOL
+- RHEL-07-020260 - Set to false - updates no longer available as standard high potential for conflicts
+
 ## 3.2 STIG v3R14 24th Jan 2024
 
 - Audit updated

README.md

@@ -2,7 +2,13 @@
 
 ## Configure a RHEL7 based system to be complaint with Disa STIG
 
-This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 14 released on  January 24, 2024 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R14_STIG.zip).
+### RHEL7 is End-Of-Life
+
+This has now been archived by DISA STIG
+
+#### This may require further testing if run a clean system
+
+This role is based on RHEL 7 DISA STIG: [Version 3, Rel 15 released on  July 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R15_STIG.zip).
 
 ---
 

defaults/main.yml

@@ -13,7 +13,7 @@ python2_bin: /bin/python2.7
 # audit variable found at the base
 benchmark: RHEL7-STIG
 ## metadata for Audit benchmark
-benchmark_version: 'v3r14'
+benchmark_version: 'v3r15'
 
 # Whether to skip the reboot
 rhel7stig_skip_reboot: true
@@ -213,7 +213,7 @@ rhel_07_020111: true
 rhel_07_020210: true
 rhel_07_020220: true
 rhel_07_020240: true
-rhel_07_020260: true
+rhel_07_020260: false  # OS patching - AS EoL this can cause serious issues
 rhel_07_020270: true
 rhel_07_020320: true
 rhel_07_020330: true

tasks/audit_firewalld.yml

@@ -1,27 +1,27 @@
 ---
 
-- name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
+- name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. | get default zone"
   ansible.builtin.shell: firewall-cmd --get-default-zone
-  register: rhel_07_040810_firewalld_zone_audit
   changed_when: false
   failed_when: false
+  register: rhel_07_040810_firewalld_zone_audit
   when:
       - rhel7stig_start_firewall_service
   tags:
       - RHEL-07-040810
       - firewall
 
-- name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
+- name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. | get info about zone"
   ansible.builtin.shell: firewall-cmd --list-all --zone="{{ rhel_07_040810_firewalld_zone_audit.stdout }}"
-  register: rhel_07_040810_firewalld_zone_default_audit
   changed_when: false
+  register: rhel_07_040810_firewalld_zone_default_audit
   when:
       - rhel_07_040810_firewalld_zone_audit.stdout | length > 0
       - rhel7stig_start_firewall_service
   tags:
       - RHEL-07-040810
       - firewall
-- name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
+- name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services. | output zone details"
   ansible.builtin.debug:
       msg: "The following task output is the firewalld settings for zone {{ rhel_07_040810_firewalld_zone_audit.stdout }} from {{ ansible_hostname }}:"
   when:
@@ -30,6 +30,7 @@
   tags:
       - RHEL-07-040810
       - firewall
+
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
   ansible.builtin.debug:
       var: rhel_07_040810_firewalld_zone_default_audit.stdout_lines
@@ -40,6 +41,7 @@
   tags:
       - RHEL-07-040810
       - firewall
+
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
   ansible.builtin.debug:
       msg: "Warning!! We could pull no configured rules for {{ rhel7stig_firewall_service }} on {{ ansible_hostname }}! This is a finding per RHEL-07-040810 - The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."

tasks/fix-cat1.yml

@@ -14,8 +14,8 @@
         ansible.builtin.shell: >
                 ( rpm --setugids {{ item }}; rpm --setperms {{ item }} )
                 2>&1 1>&2 | grep -v ': No such file or directory$'
+        failed_when: rhel_07_010010_patch.rc not in [ 0, 1 ]
         register: rhel_07_010010_patch
-        ignore_errors: true
         with_items: "{{ rhel_07_010010_audit.stdout_lines }}"
         when: rhel_07_010010_audit.stdout_lines | length > 0
 
@@ -39,7 +39,7 @@
       - CCI-002165
       - CCI-002235
       - SRG-OS-000257-GPOS-00098
-      - SV-204392r880752_rule
+      - SV-204392r991558_rule
       - V-204392
       - permissions
 
@@ -66,12 +66,13 @@
         when: rhel_07_010020_audit.stdout_lines | length > 0
   when:
       - rhel_07_010020
+      - rhel7stig_disruption_high
   tags:
       - RHEL-07-010020
       - CAT1
       - CCI-001749
       - SRG-OS-000480-GPOS-00227
-      - SSV-214799r854001_rule
+      - SSV-214799r991589_rule
       - V-214799
       - packages
 
@@ -89,7 +90,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204424r880839_rule
+      - SV-204424r991589_rule
       - V-204424
       - accounts
 
@@ -117,7 +118,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-251702r809220_rule
+      - SV-251702r991589_rule
       - V-251702
       - accounts
 
@@ -137,7 +138,7 @@
       - CAT1
       - CCI-000766
       - SRG-OS-000106-GPOS-00053
-      - SV-204425r603261_rule
+      - SV-204425r958486_rule
       - V-204425
       - ssh
 
@@ -155,7 +156,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00229
-      - SV-204432r603261_rule
+      - SV-204432r991591_rule
       - V-204432
       - gui
 
@@ -173,7 +174,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00229
-      - SV-204433r603261_rule
+      - SV-204433r991591_rule
       - V-204433
 
 - name: |
@@ -216,12 +217,10 @@
       - RHEL-07-010482
       - CCI-000213
       - SRG-OS-000080-GPOS-00048
-      - SV-204438r744095_rule
+      - SV-204438r958472_rule
       - V-204438
       - RHEL-07-010491
-      - CCI-000213
-      - SRG-OS-000080-GPOS-00048
-      - SV-204440r744098_rule
+      - SV-204440r958472_rule
       - V-204440
       - grub
       - bootloader
@@ -240,7 +239,7 @@
       - CAT1
       - CCI-000381
       - SRG-OS-000095-GPOS-00049
-      - SV-204442r603261_rule
+      - SV-204442r958478_rule
       - V-204442
       - rsh
 
@@ -258,7 +257,7 @@
       - CAT1
       - CCI-000381
       - SRG-OS-000095-GPOS-00049
-      - SV-204443r603261_rule
+      - SV-204443r958478_rule
       - V-204443
       - ypserv
 
@@ -275,7 +274,7 @@
       - CAT1
       - CCI-001749
       - SRG-OS-000366-GPOS-00153
-      - SV-204447r603261_rule
+      - SV-204447r982212_rule
       - V-204447
       - yum
 
@@ -292,7 +291,7 @@
       - CAT1
       - CCI-001749
       - SRG-OS-000366-GPOS-00153
-      - SV-204448r603261_rule
+      - SV-204448r982212_rule
       - V-204448
       - yum
 
@@ -307,7 +306,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204455r928574_rule
+      - SV-204455r991589_rule
       - V-204455
       - systemctl
 
@@ -327,7 +326,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204456r603261_rule
+      - SV-204456r991589_rule
       - V-204456
       - gui
 
@@ -337,10 +336,9 @@
 # Maintainance RHEL7.9 30th April 2021
 - name: "HIGH | RHEL-07-020250 | PATCH | The Red Hat Enterprise Linux operating system must be a vendor supported release."
   ansible.builtin.debug:
-      msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel7stig_min_supported_os_ver[ansible_distribution] }}
+      msg: This Product is now end of Maintenance Support {{ ansible_distribution }} is {{ rhel7stig_min_supported_os_ver[ansible_distribution] }}
   changed_when:
       - rhel7stig_audit_complex
-      - ansible_distribution_version is not version_compare(rhel7stig_min_supported_os_ver[ansible_distribution], '>=')
   when:
       - rhel_07_020250
       - rhel7stig_complex
@@ -349,7 +347,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204458r744100_rule
+      - SV-204458r991589_rule
       - V-204458
       - complexity-high
 
@@ -374,7 +372,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204462r603261_rule
+      - SV-204462r991589_rule
       - V-204462
       - accounts
 
@@ -410,8 +408,8 @@
         changed_when: false
         failed_when: rhel_07_021350_grub_cmdline_linux_audit.rc > 1
         check_mode: false
-        when: rhel_07_021350_default_grub_missing_audit is changed  # noqa no-handler
         register: rhel_07_021350_grub_cmdline_linux_audit
+        when: rhel_07_021350_default_grub_missing_audit is changed  # noqa no-handler
 
       - name: "HIGH | RHEL-07-021350 | PATCH | Copy over a sane /etc/default/grub"
         ansible.builtin.template:
@@ -500,7 +498,7 @@
       - CAT1
       - CCI-000068
       - SRG-OS-000033-GPOS-00014
-      - SV-230223r928585_rule
+      - SV-204497r958408_rule
       - V-230223
 
 - name: "HIGH | RHEL-07-021710 | PATCH | The Red Hat Enterprise Linux operating system must not have the telnet-server package installed."
@@ -517,7 +515,7 @@
       - CAT1
       - CCI-000381
       - SRG-OS-000095-GPOS-00049
-      - SV-204502r603261_rule
+      - SV-204502r958478_rule
       - V-204502
       - telnet
 
@@ -544,7 +542,7 @@
       - CAT1
       - CCI-001668
       - SRG-OS-000480-GPOS-00227
-      - SV-214801r603261_rule
+      - SV-214801r991589_rule
       - V-214801
       - antivirus
 
@@ -565,7 +563,7 @@
       - CCI-000366
       - CCI-000197
       - SRG-OS-000074-GPOS-00042
-      - SV-204594r603261_rule
+      - SV-204594r987796_rule
       - V-204594
       - ssh
 
@@ -590,7 +588,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204606r603261_rule
+      - SV-204606r991589_rule
       - V-204606
       - shosts
 
@@ -615,7 +613,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204607r603261_rule
+      - SV-204607r991589_rule
       - V-204607
       - shosts
 
@@ -634,7 +632,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204620r603261_rule
+      - SV-204620r991589_rule
       - V-204620
       - ftp
 
@@ -659,7 +657,7 @@
       - CCI-001812
       - CCI-000318
       - SRG-OS-000480-GPOS-00227
-      - SV-204621r603261_rule
+      - SV-204621r991589_rule
       - V-204621
       - tftp
 
@@ -691,6 +689,6 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-204627r603261_rule
+      - SV-204627r991589_rule
       - V-204627
       - snmp