Merge pull request #136 from ansible-lockdown/Oct_issues

Oct issues

Author: georgenalen

.ansible-lint

@@ -6,6 +6,9 @@ skip_list:
     - 'no-changed-when'
     - 'var-spacing'
     - 'fqcn-builtins'
+    - 'experimental'
+    - 'name[casing]'
+    - 'name[template]'
     - '204'
     - '305'
     - '303'

.github/workflows/linux_benchmark_testing.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/first-interaction@v1.1.0
+      - uses: actions/first-interaction@main
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           pr-message: |-

.yamllint

@@ -14,16 +14,13 @@ rules:
     spaces: 4
     # Requiring consistent indentation within a file, either indented or not
     indent-sequences: consistent
-  truthy: disable
+    level: error
   braces:
     max-spaces-inside: 1
     level: error
   brackets:
     max-spaces-inside: 1
     level: error
-  indentation:
-    indent-sequences: consistent
-    level: error
   line-length: disable
   key-duplicates: enable
   new-line-at-end-of-file: enable

defaults/main.yml

@@ -579,7 +579,7 @@ rhel8stig_tftp_required: false
 # RHEL-08-010140 and RHEL-08-020280
 # Password protect the boot loader
 rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword
-rhel8stig_boot_superuser: root
+rhel8stig_boot_superuser: bootloader_admin
 
 # AIDE settings
 # Set to false for fire and forget mode
@@ -782,10 +782,6 @@ rhel8stig_auditd_failure_flag: "{{ rhel8stig_availability_override | ternary(1,
 # REHL-08-010020
 rhel8stig_boot_part: "{{ rhel_08_boot_part.stdout }}"
 
-#
-rhel8stig_machine_uses_uefi: "{{ rhel_08_sys_firmware_efi.stat.exists }}"
-rhel8stig_grub_cfg_path: "{{ rhel8stig_machine_uses_uefi | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
-rhel8stig_grub_cfg_path_invalid: "{{ (not rhel8stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
 
 # RHEL-08-010740/RHEL-08-010750
 rhel8stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"

handlers/main.yml

@@ -57,13 +57,13 @@
 
 - name: confirm grub2 user cfg
   stat:
-      path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg"
+      path: "/etc/grub.d/01_users"
   changed_when: rhel8stig_grub2_user_cfg.stat.exists
   register: rhel8stig_grub2_user_cfg
   notify: make grub2 config
 
 - name: make grub2 config
-  command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_grub_cfg_path }}
+  command: /usr/sbin/grub2-mkconfig --output={{ rhel8stig_bootloader_path }}/grub.cfg
   when:
       - rhel8stig_grub2_user_cfg.stat.exists
       - not rhel8stig_skip_for_travis
@@ -72,15 +72,12 @@
 - name: copy grub2 config to BIOS/UEFI to satisfy benchmark
   listen: make grub2 config
   copy:
-      src: "{{ rhel8stig_grub_cfg_path | dirname }}/{{ item }}"
-      dest: "{{ rhel8stig_grub_cfg_path_invalid | dirname }}/{{ item }}"
+      src: "{{ rhel8stig_bootloader_path }}/grub.cfg"
+      dest: "{{ rhel8stig_bootloader_path }}/grub.cfg"
       remote_src: true
       owner: root
       group: root
       mode: 0755
-  with_items:
-      - grub.cfg
-      - user.cfg
   when:
       - rhel8stig_grub2_user_cfg.stat.exists
       - rhel8stig_workaround_for_disa_benchmark

meta/main.yml

@@ -4,7 +4,8 @@ galaxy_info:
     description: "Apply the DISA RHEL 8 STIG"
     company: "MindPoint Group"
     license: MIT
-    # role_name: rhel8_stig
+    role_name: rhel8_stig
+    namespace: mindpointgroup
     min_ansible_version: '2.9.0'
     platforms:
         - name: EL
@@ -21,6 +22,7 @@ galaxy_info:
         - complianceascode
         - disa
         - rhel8
+        - mindpoint
 collections:
     - community.general
     - community.crypto

site.yml

@@ -1,5 +1,5 @@
 ---
-- hosts: all
+- hosts: all  # noqa: name[play]
   become: true
 
   roles:

tasks/fix-cat1.yml

@@ -18,7 +18,9 @@
   block:
       - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS"
         package:
-            name: dracut-fips
+            name:
+                - dracut-fips
+                - crypto-policies-scripts
             state: present
         notify:
             - rebuild initramfs
@@ -182,7 +184,7 @@
             "HIGH | RHEL-08-010140 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Set Grub Password"
             "HIGH | RHEL-08-010150 | PATCH | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Set Grub Password"
         lineinfile:
-            path: "{{ rhel8stig_grub_cfg_path | dirname }}/user.cfg"
+            path: "{{ rhel8stig_bootloader_path }}/user.cfg"
             create: true
             regexp: ^GRUB2_PASSWORD=
             line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}"

tasks/fix-cat2.yml

@@ -85,7 +85,7 @@
       - name: |
               "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message""
               "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message""
-        copy:
+        copy:  # noqa: template-instead-of-copy
             dest: "{{ item }}"
             content: "{{ rhel8stig_logon_banner }}"
             owner: root
@@ -133,11 +133,12 @@
       - banner
 
 - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."
-  copy:
+  copy:  # noqa: template-instead-of-copy
       dest: /etc/dconf/db/local.d/01-banner-message
       content: |
           [org/gnome/login-screen]
           banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}'
+          banner-message-enable=true
       mode: '0644'
       owner: root
       group: root
@@ -293,18 +294,13 @@
 - name: |
     "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance."
     "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes."
-  lineinfile:
-      dest: "{{ rhel8stig_grub_cfg_path | dirname }}/grub.cfg"
-      regexp: "{{ item.regexp }}"
-      line: "{{ item.line }}"
-      insertafter: "{{ item.insertafter }}"
+  template:
+      src: 01_users.j2
+      dest: /etc/grub.d/01_users
+      owner: root
+      group: root
+      mode: 0644
   notify: confirm grub2 user cfg
-  with_items:
-      - { regexp: '^set superusers', line: 'set superusers="{{ rhel8stig_boot_superuser }}"', insertafter: '### BEGIN /etc/grub.d/01_users ###' }
-      - { regexp: '^export superusers', line: 'export superusers', insertafter: '^set superusers' }
-      - { regexp: '^password_pbkdf2', line: 'password_pbkdf2 {{ rhel8stig_boot_superuser }} ${GRUB2_PASSWORD}', insertafter: '^export superusers' }
-  loop_control:
-      label: "{{ item.line }}"
   when:
       - rhel_08_010141 or
         rhel_08_010149
@@ -772,33 +768,13 @@
       - ssh
 
 - name: |
-    "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms."
-    "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."
-  block:
-      - name: |
-          "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Get current FIPS mode state"
-          "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Get current FIPS mode state"
-        command: fips-mode-setup --check
-        changed_when: false
-        failed_when: rhel_08_010290_pre_fips_check.stdout is not defined
-        register: rhel_08_010290_pre_fips_check
-
-      - name: |
-          "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Enable FIPS"
-          "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Enable FIPS"
-        command: fips-mode-setup --enable
-        register: rhel_08_010290_fips_enable
-        notify: change_requires_reboot
-        when: '"disabled" in rhel_08_010290_pre_fips_check.stdout'
-
-      - name: |
-          "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers"
-          "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers"
-        lineinfile:
-            path: /etc/crypto-policies/back-ends/opensshserver.config
-            regexp: '^CRYPTO_POLICY='
-            line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'
-        notify: change_requires_reboot
+    "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers"
+    "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers"
+  lineinfile:
+      path: /etc/crypto-policies/back-ends/opensshserver.config
+      regexp: '^CRYPTO_POLICY='
+      line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'
+  notify: change_requires_reboot
   when:
       - rhel_08_010290 or
         rhel_08_010291
@@ -872,7 +848,7 @@
 - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package"
   lineinfile:
       path: /etc/crypto-policies/back-ends/gnutls.config
-      regexp: '^(.*\+VERS-ALL:)'
+      regexp: '^(.*)\+VERS-ALL:'
       line: '\1{{ rhel8stig_gnutls_encryption }}'
       backrefs: true
       create: true
@@ -2484,6 +2460,7 @@
   when:
       - rhel_08_010740
       - (item.uid >= rhel8stig_interactive_uid_start | int)
+      - (item.uid >= rhel8stig_interactive_uid_stop | int)
   tags:
       - skip_ansible_lint
       - RHEL-08-010740
@@ -2557,8 +2534,7 @@
   file:
       path: "{{ item }}"
       mode: "{{ rhel8stig_local_int_perm }}"
-  with_items:
-      - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
+  with_items: "{{ rhel_08_stig_interactive_homedir_inifiles }}"
   when:
       - rhel_08_010770
       - rhel8stig_disruption_high
@@ -3123,7 +3099,6 @@
             setype: faillog_t
             state: present
         register: add_faillock_secontext
-        when: faillock_dir.changed
 
       - name: |
           "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
@@ -3220,7 +3195,7 @@
       - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux"
         lineinfile:
             path: /etc/tmux.conf
-            regexp: '^set \-g'
+            regexp: '^set -g lock-command'
             line: "set -g lock-command vlock"
             create: true
             owner: root
@@ -5938,6 +5913,28 @@
         with_items:
             - "{{ rhel8stig_white_list_services }}"
 
+      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.10+"
+        firewalld:
+            zone: "{{ rhel8stig_custom_firewall_zone }}"
+            permanent: true
+            state: enabled
+            target: DROP
+        when: ansible_version.full is version_compare('2.10.0 | int', '>=')
+
+      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9"
+        block:
+            - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | current setting"
+              shell: "firewall-cmd --list-all --zone={{ rhel8stig_custom_firewall_zone }} | grep 'target: DROP'"
+              changed_when: false
+              failed_when: false
+              register: rhel8stig-target_drop_set
+
+            - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9"
+              shell: firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP
+              when:
+                  - rhel8stig-target_drop_set.rc != 0
+        when: ansible_version.full is version_compare('2.10 | int', '<')
+
       - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
         command: firewall-cmd --reload
         changed_when: rhel_08_040090_zone_reload.rc == 0

tasks/main.yml

@@ -48,6 +48,25 @@
   tags:
       - user_passwd
 
+- name: "Ensure superuser for grub does not match existing user"
+  block:
+      - name: "Ensure superuser for grub does not match existing user | capture users"
+        shell: cat /etc/passwd | cut -d':' -f1
+        changed_when: false
+        failed_when: false
+        check_mode: false
+        register: rhel8stig_user_list
+
+      - name: "Ensure superuser for grub does not match existing user"
+        assert:
+            that: rhel8stig_boot_superuser not in rhel8stig_user_list.stdout_lines
+            fail_msg: "A unique name must be used for bootloader access user='{{ rhel8stig_boot_superuser }}' already exists refer to variable rhel8stig_boot_superuser"
+  when:
+      - rhel_08_010141 or
+        rhel_08_010149
+  tags:
+      - RHEL-08-010141
+      - RHEL-08-010149
 
 - name: Setup rules if container
   block: