Merge pull request #155 from ansible-lockdown/devel

Main updates to Benchmark v1r8 release

Author: uk-bolly

.ansible-lint

@@ -9,6 +9,7 @@ skip_list:
     - 'experimental'
     - 'name[casing]'
     - 'name[template]'
+    - 'fqcn[action]'
     - '204'
     - '305'
     - '303'

Changelog.md

@@ -0,0 +1,79 @@
+# Changes to RHEL8STIG
+
+## Release 2.7.0
+- lint updates
+- Benchmark 1.8 Updates
+  - New RULEID for the following, plus additional notes if needed
+    - CAT1
+      - RHEL-08-010000 
+      - 
+    - CAT2
+      - RHEL-08-010040
+      - RHEL-08-010090
+      - RHEL-08-010200 - Updated keep alive count max to 1
+      - RHEL-08-010201
+      - RHEL-08-010360
+      - RHEL-08-010372 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-010373 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-010373 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-010374 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-010375 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-010376 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-010383
+      - RHEL-08-010384
+      - RHEL-08-010430 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-010400
+      - RHEL-08-010500
+      - RHEL-08-010510
+      - RHEL-08-010520
+      - RHEL-08-010521
+      - RHEL-08-010522
+      - RHEL-08-010550
+      - RHEL-08-010671
+      - RHEL-08-010830
+      - RHEL-08-020330
+      - RHEL-08-020090
+      - RHEL-08-020104
+      - RHEL-08-020110
+      - RHEL-08-020120
+      - RHEL-08-020130
+      - RHEL-08-020140
+      - RHEL-08-020150
+      - RHEL-08-020160
+      - RHEL-08-020170
+      - RHEL-08-020190
+      - RHEL-08-020221
+      - RHEL-08-020230
+      - RHEL-08-010280
+      - RHEL-08-020300
+      - RHEL-08-020350 - Updated CCI 
+      - RHEL-08-020352
+      - RHEL-08-040127 - Added tasks to deal with different versions of RHEL8
+      - RHEL-08-040161
+      - RHEL-08-040209 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040210 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040220 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040230 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040239 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040240 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040249 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040250 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040259 - Updated to included find and remove for conflicting parameters
+      - RHEL-08-040260 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040261 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040262 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040270 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040279 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040280 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040281 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040282 - Updated to include find and remove for conflicting parameters
+      - RHEL-08-040283 - Updated to include find adn remove for conflicting parameters
+      - RHEL-08-040284 - Updated to include find adn remove for conflicting parameters
+      - RHEL-08-040285 - Updated to include find adn remove for conflicting parameters
+      - RHEL-08-040286 - Updated to include find adn remove for conflicting parameters
+      - RHEL-08-040340
+      - RHEL-08-040341
+      - RHEL-08-040400 - New control 
+    - CAT3
+      - RHEL-08-020340 - Updated CCI
+

README.md

@@ -6,7 +6,7 @@
 
 Configure a RHEL/Rocky 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`.
 
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel 7 released on July 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R7_STIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 1, Rel 8 released on Oct 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R8_STIG.zip).
 
 ## Join us
 

defaults/main.yml

@@ -430,6 +430,7 @@ rhel_08_040350: true
 rhel_08_040370: true
 rhel_08_040380: true
 rhel_08_040390: true
+rhel_08_040400: true
 
 # CAT 3 rules
 rhel_08_010171: true
@@ -501,8 +502,8 @@ rhel8stig_sys_commands_perm: 0755
 
 # RHEL-08-010330
 # rhel8stig_lib_file_perm is the permissions teh library files will be set to
-# To conform to STIG standards this needs to be set to 0755 or more restrictive
-rhel8stig_lib_file_perm: 0755
+# To conform to STIG standards this needs to be set to 755 or more restrictive
+rhel8stig_lib_file_perm: 755
 
 # RHEL-08-010480
 # rhel8stig_ssh_pub_key_perm are the permissions set to the SSH public host keys
@@ -828,7 +829,7 @@ rhel8stig_sshd_compression: "no"
 
 # RHEL-08-030740
 # rhel8stig_ntp_server_name is the name of the NTP server
-rhel8stig_ntp_server_name: server.name
+rhel8stig_ntp_server_name: 0.us.pool.ntp.mil
 
 # RHEL-08-040137
 # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all
@@ -901,7 +902,7 @@ copy_goss_from_path: /some/accessible/path
 ## managed by the control audit_content
 # git
 audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_git_version: main
+audit_git_version: benchmark_v1r8_rh8
 
 # copy:
 audit_local_copy: "some path to copy from"
@@ -911,7 +912,7 @@ audit_files_url: "some url maybe s3?"
 
 ## Goss configuration information
 # Where the goss configs and outputs are stored
-audit_out_dir: '/var/tmp'
+audit_out_dir: '/opt'
 # Where the goss audit configuration will be stored
 audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
 

tasks/fix-cat1.yml

@@ -2,7 +2,7 @@
 
 - name: "HIGH | RHEL-08-010000 | AUDIT | The RHEL 8 must be a vendor-supported release."
   debug:
-      msg: Minimum supported version of {{ ansible_distribution }} is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }}
+      msg: Minimum supported version of  {{ ansible_distribution }}  is {{ rhel8stig_min_supported_os_ver[ansible_distribution] }}
   changed_when: ansible_distribution_version is not version_compare(rhel8stig_min_supported_os_ver[ansible_distribution], '>=')
   when:
       - rhel_08_010000
@@ -11,7 +11,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-230221r743913_rule
+      - SV-230221r858734_rule
       - V-230221
 
 - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
@@ -335,7 +335,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-230380r743993_rule
+      - SV-230380r858715_rule
       - V-230380
       - disruption_high