Merge pull request #281 from ansible-lockdown/devel

Initial main release of v1r13

Author: uk-bolly

.github/workflows/devel_pipeline_validation.yml

@@ -113,7 +113,7 @@
             - name: Sleep for 60 seconds
               run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the Ansibleplaybook
+          # Run the Ansible playbook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:

.github/workflows/main_pipeline_validation.yml

@@ -102,7 +102,7 @@
             - name: Sleep for 60 seconds
               run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the Ansibleplaybook
+          # Run the Ansible playbook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:

Changelog.md

@@ -1,5 +1,34 @@
 # Changes to RHEL8STIG
 
+## 3.2 - STIV V1R13 - 24th Jan 2024
+
+- Audit updated
+  - moved audit into prelim
+  - updates to audit logic for copy and archive options
+
+ruleid updated
+
+- 010001
+- 020250
+- 020290
+- 040090
+
+CAT II
+
+- 020035 - updated rule and added handler for logind restart
+- 040020 - /bin/false update and ruleid update
+- 040080 - /bin/false and ruleid
+- 040111 - /bin/false and ruleid
+
+CAT III
+
+- 040021 - /bin/false and ruleid
+- 040022 - /bin/false and ruleid
+- 040023 - /bin/false and ruleid
+- 040024 - /bin/false and ruleid
+- 040025 - /bin/false and ruleid
+- 040026 - /bin/false and ruleid
+
 ## 3.1 - STIG V1R12 - 25th Oct 2023
 
 ruleid updated

README.md

@@ -2,7 +2,7 @@
 
 ## Configure a RHEL8 based system to be complaint with Disa STIG
 
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 1, Rel 13 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG.zip).
 
 ---
 
@@ -29,7 +29,6 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2
 
 ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL8-STIG?label=License)
 
-
 ---
 
 ## Looking for support?
@@ -195,4 +194,5 @@ pre-commit run
 
 Massive thanks to the fantastic community and all its members.
 This includes a huge thanks and credit to the original authors and maintainers.
+
 Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell

defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ## metadata for Audit benchmark
-benchmark_version: 'v1r12'
+benchmark_version: 'v1r13'
 
 ## Benchmark name used by audting control role
 # The audit variable found at the base
@@ -35,7 +35,6 @@ rhel8stig_audit_disruptive: false
 rhel8stig_skip_for_travis: false
 
 rhel8stig_workaround_for_disa_benchmark: true
-rhel8stig_workaround_for_ssg_benchmark: true
 
 # tweak role to run in a chroot, such as in kickstart %post script
 rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"
@@ -56,23 +55,26 @@ rhel8stig_skip_reboot: true
 # Defined will change if control requires
 change_requires_reboot: false
 
-##########################################
+###########################################
 ### Goss is required on the remote host ###
-## Refer to vars/auditd.yml for any other settings ##
+### vars/auditd.yml for other settings  ###
 
 # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
 
 # enable audits to run - this runs the audit and get the latest content
 run_audit: false
+# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
+audit_run_heavy_tests: true
 
-# Only run Audit do not remediate
+## Only run Audit do not remediate
 audit_only: false
-# As part of audit_only
-# This will enable files to be copied back to control node
+### As part of audit_only ###
+# This will enable files to be copied back to control node in audit_only mode
 fetch_audit_files: false
-# Path to copy the files to will create dir structure
+# Path to copy the files to will create dir structure in audit_only mode
 audit_capture_files_dir: /some/location to copy to on control node
+#############################
 
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
@@ -85,20 +87,24 @@ get_audit_binary_method: download
 audit_bin_copy_location: /some/accessible/path
 
 # how to get audit files onto host options
-# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
+# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# archive or copy:
-audit_conf_copy: "some path to copy from"
+# If using either archive, copy, get_url:
+## Note will work with .tar files - zip will require extra configuration
+### If using get_url this is expecting github url in tar.gz format e.g.
+### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
+audit_conf_source: "some path or url to copy from"
 
-# get_url:
-audit_files_url: "some url maybe s3?"
+# Destination for the audit content to be placed on managed node
+# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
+audit_conf_dest: "/opt"
 
-# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
-audit_run_heavy_tests: true
+# Where the audit logs are stored
+audit_log_dir: '/opt'
 
-### End Goss enablements ####
-#### Detailed settings found at the end of this document ####
+### Goss Settings ##
+####### END ########
 
 # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
 # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
@@ -501,11 +507,6 @@ rhel8stig_kdump_needed: false
 # or rhel8stig_gui)
 rhel8stig_always_configure_dconf: false
 
-# Whether or not to run tasks related to smart card authentication enforcement
-rhel8stig_smartcard: false
-# Configure your smartcard driver
-rhel8stig_smartcarddriver: cackey
-
 # Set the file that sysctl should write to
 rhel8stig_sysctl_file: /etc/sysctl.d/99_stig_sysctl.conf
 
@@ -528,6 +529,11 @@ rhel8stig_ipv6_required: true
 # When set to anything other than mcafee it will skip this control assuming localized threat prevention management
 rhel8stig_av_sftw: mcafee
 
+# RHEL-08-010110 & 010130 & 010760 & 020190 & 020200 & 020231 & 020310 & 020351
+# rhel8stig_login_defs_file_perms
+# Permissions set on /etc/login.defs
+rhel8stig_login_defs_file_perms: 0644
+
 # RHEL-08-010210
 # rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to.
 # To conform to STIG standards this needs to be 0640 or more restrictive
@@ -559,10 +565,6 @@ rhel8stig_ssh_pub_key_perm: 0644
 rhel8stig_ssh_priv_key_perm: 0600
 
 # RHEL-08-010690
-# Set standard user paths here
-# Also set whether we should automatically remediate paths in user ini files.
-# rhel_08_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
-rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
 rhel8stig_change_user_path: false
 
 # RHEL-08-010700
@@ -591,6 +593,19 @@ rhel8stig_local_int_home_file_perms: 0750
 # To connform to STIG standards this needs to be set to 0740 or less permissive
 rhel8stig_local_int_perm: 0740
 
+# RHEL-08-020100 pamd file permissions - /etc/pam.d/(password-auth|system-auth) files
+# rhel8stig_pamd_file_perms
+# This needs a minimum of 0644 ( more restrictive may cause issues testing will be required)
+rhel8stig_pamd_file_perms: 0644
+
+# RHEL-08-020110 - pwquality file permissions
+# mode: "{{ rhel8stig_pamd_file_perms }}"
+rhel8stig_pwquality_file_perms: 0644
+
+# RHEL-08-0400xx
+# blacklist.conf - /etc/modprobe.d/blacklist.conf file permissions
+rhel8stig_blacklist_conf_file_perms: 0640
+
 # RHEL-08-020250
 # This is a check for a "supported release"
 # These are the minimum supported releases.
@@ -707,13 +722,6 @@ rhel8stig_sssd:
     maprule: (userCertificate;binary={cert!bin})
     domains: "{{ rhel8stig_sssd_domain }}"
 
-# RHEL-08-020070
-# Session timeout setting file (TMOUT setting can be set in multiple files)
-# Timeout value is in seconds. (60 seconds * 10 = 600)
-rhel8stig_shell_session_timeout:
-    file: /etc/profile.d/tmout.sh
-    timeout: 600
-
 # RHEL-08-010200 | All network connections associated with SSH traffic must
 # terminate at the end of the session or after 10 minutes of inactivity, except
 # to fulfill documented and validated mission requirements.
@@ -763,14 +771,6 @@ rhel8stig_pam_faillock:
 # RHEL-08-020035
 rhel_08_020035_idlesessiontimeout: 900
 
-# RHEL-08-030670
-# rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards
-rhel8stig_audisp_disk_full_action: single
-
-# RHEL-08-030680
-# rhel8stig_audisp_network_failure_action optoins are syslog, halt, and single
-rhel8stig_audisp_network_failure_action: single
-
 # RHEL-08-030060
 # rhel8stig_auditd_disk_full_action options are SYSLOG, HALT, and SINGLE to fit STIG standards
 rhel8stig_auditd_disk_full_action: HALT
@@ -892,7 +892,6 @@ rhel8stig_existing_zone_to_copy: public
 # RHEL-08-040090
 # This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules
 # rhel8stig_white_list_services is the services that you want to allow through initially for the new firewall zone
-# http and ssh need to be enabled for the role to run.
 # This can also be a port number if no service exists
 rhel8stig_white_list_services:
     - ssh
@@ -910,11 +909,6 @@ rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@open
 # Expected Values for FIPS KEX algorithims
 rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
 
-# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting
-# to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings
-# to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
-rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256"
-
 # RHEL-08-010295
 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions
 # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0

handlers/main.yml

@@ -10,6 +10,11 @@
   when:
       - not system_is_container
 
+- name: Restart_systemdlogin
+  ansible.builtin.systemd:
+      name: systemd-logind
+      state: restarted
+
 - name: sysctl system
   ansible.builtin.shell: sysctl --system
   when: "'procps-ng' in ansible_facts.packages"
@@ -74,7 +79,7 @@
       remote_src: true
       owner: root
       group: root
-      mode: 0755
+      mode: '0755'
   when:
       - rhel8stig_grub2_user_cfg.stat.exists
       - rhel8stig_workaround_for_disa_benchmark
@@ -97,7 +102,7 @@
       dest: /etc/audit/rules.d/99_auditd.rules
       owner: root
       group: root
-      mode: 0600
+      mode: '0600'
   notify: restart auditd
 
 - name: restart auditd

tasks/fix-cat1.yml

@@ -63,7 +63,7 @@
             dest: /etc/default/grub
             owner: root
             group: root
-            mode: 0644
+            mode: '0644'
         vars:
             grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}"
         when: rhel_08_010020_default_grub_missing_audit is changed  # noqa no-handler
@@ -187,7 +187,7 @@
             line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}"
             owner: root
             group: root
-            mode: 0640
+            mode: '0640'
         notify: confirm grub2 user cfg
   when:
       - not system_is_ec2
@@ -437,7 +437,7 @@
             create: true
             owner: root
             group: root
-            mode: 0644
+            mode: '0644'
         with_items:
             - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' }
             - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' }