Merge pull request #149 from ansible-lockdown/nov_2022_updates

Nov 2022 updates

Author: georgenalen

defaults/main.yml

@@ -502,8 +502,8 @@ rhel8stig_sys_commands_perm: 0755
 
 # RHEL-08-010330
 # rhel8stig_lib_file_perm is the permissions teh library files will be set to
-# To conform to STIG standards this needs to be set to 0755 or more restrictive
-rhel8stig_lib_file_perm: 0755
+# To conform to STIG standards this needs to be set to 755 or more restrictive
+rhel8stig_lib_file_perm: 755
 
 # RHEL-08-010480
 # rhel8stig_ssh_pub_key_perm are the permissions set to the SSH public host keys

tasks/fix-cat2.yml

@@ -299,7 +299,7 @@
       dest: /etc/grub.d/01_users
       owner: root
       group: root
-      mode: 0644
+      mode: 0755
   notify: confirm grub2 user cfg
   when:
       - rhel_08_010141 or
@@ -558,16 +558,16 @@
       - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set preauth"
         lineinfile:
             path: /etc/pam.d/system-auth
-            regexp: '^auth       required pam_faillock.so preauth'
-            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
-            insertafter: '^auth'
+            regexp: '^auth.*required.*pam_faillock.so preauth'
+            line: "auth        required                                     pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+            insertafter: '^auth\s+required\s+pam_env.so'
         notify: restart sssd
 
       - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail"
         lineinfile:
             path: /etc/pam.d/system-auth
-            regexp: '^auth       required pam_faillock.so authfail'
-            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
+            regexp: '^auth.*required.*pam_faillock.so authfail'
+            line: 'auth        required                                     pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
             insertafter: '^auth'
         notify: restart sssd
 
@@ -936,9 +936,9 @@
               "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root"
         file:
             path: "{{ item }}"
-            owner: root
-            group: root
-            mode: "{{ rhel8stig_lib_file_perm }}"
+            owner: "{{ rhel_08_010340 | ternary('root',omit) }}"
+            group: "{{ rhel_08_010350 | ternary('root',omit) }}"
+            mode: "{{ rhel_08_010330 | ternary(rhel8stig_lib_file_perm,omit) }}"
         with_items:
             - "{{ rhel_08_010330_library_files.stdout_lines }}"
   when:
@@ -6159,7 +6159,7 @@
             path: /tmp
             state: mounted
             src: "{{ tmp_mount.device }}"
-            fstype: xfs
+            fstype: "{{ tmp_mount.fstype }}"
             opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}"
         vars:
             tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}"
@@ -6206,7 +6206,7 @@
             path: /var/log
             state: mounted
             src: "{{ var_log_mount.device }}"
-            fstype: xfs
+            fstype: "{{ var_log_mount.fstype }}"
             opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}"
         vars:
             var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}"
@@ -6252,7 +6252,7 @@
             path: /var/log/audit
             state: mounted
             src: "{{ audit_mount.device }}"
-            fstype: xfs
+            fstype: "{{ audit_mount.fstype }}"
             opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}"
         vars:
             audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}"
@@ -6298,7 +6298,7 @@
             path: /var/tmp
             state: mounted
             src: "{{ var_tmp_mount.device }}"
-            fstype: xfs
+            fstype: "{{ var_tmp_mount.fstype }}"
             opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}"
         vars:
             var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}"

tasks/pre_remediation_audit.yml

@@ -21,6 +21,7 @@
             state: present
         when:
             - ansible_distribution_major_version == "8"
+            - audit_content == "git"
             - "'git' not in ansible_facts.packages"
 
       - name: "Pre Audit | Install git (rh7 python2)"
@@ -31,6 +32,7 @@
             ansible_python_interpreter: "{{ python2_bin }}"
         when:
             - ansible_distribution_major_version == "7"
+            - audit_content == "git"
             - "'git' not in ansible_facts.packages"
 
 - name: "Pre Audit | retrieve audit content files from git"