Merge pull request #11 from ansible-lockdown/devel

Minor Fixes
Signed-off-by: George Nalen <georgen@mindpointgroup.com>

Author: georgenalen

defaults/main.yml

@@ -1,9 +1,4 @@
 ---
-# If you would like a report at the end accordin to OpenSCAP as to the report results
-# then you should set rhel8stig_oscap_scan to true/yes.
-# NOTE: This requires the python_xmltojson package on the control host.
-rhel8stig_oscap_scan: no
-rhel8stig_report_dir: /tmp
 
 rhel8stig_cat1_patch: true
 rhel8stig_cat2_patch: true
@@ -108,9 +103,8 @@ rhel_08_010360: true
 rhel_08_010372: true
 rhel_08_010373: true
 rhel_08_010374: true
-# !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO (380/381)
-rhel_08_010380: false
-rhel_08_010381: false
+rhel_08_010380: true
+rhel_08_010381: true
 rhel_08_010390: true
 rhel_08_010400: true
 rhel_08_010410: true
@@ -155,7 +149,7 @@ rhel_08_010720: true
 rhel_08_010730: true
 rhel_08_010740: true
 rhel_08_010750: true
-rhel_01_010760: true
+rhel_08_010760: true
 rhel_08_010770: true
 rhel_08_010780: true
 rhel_08_010790: true

tasks/fix-cat2.yml

@@ -44,12 +44,15 @@
               "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message""
               "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message""
         copy:
-            dest: /etc/issue
+            dest: "{{ item }}"
             content: "{{ rhel8stig_logon_banner }}"
             owner: root
             group: root
             mode: '0644'
         notify: restart sshd
+        with_items:
+            - /etc/issue
+            - /etc/issue.net
         when:
             # - not system_is_ec2
             - rhel_08_010040 or
@@ -247,8 +250,8 @@
       - kerberos
 
 - name: |
-        "HIGH | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services."
-        "HIGH | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
+        "MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services."
+        "MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
   selinux:
       state: enforcing
       policy: targeted
@@ -296,7 +299,7 @@
         file:
             path: "{{ item }}"
             mode: '1777'
-        with_items: 
+        with_items:
             - "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
   when:
       - rhel_08_010190
@@ -651,7 +654,7 @@
             name: esc
             state: present
         when: rhel8stig_gui
-      
+
       - name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages"
         dnf:
             name: openssl-pkcs11
@@ -1575,15 +1578,15 @@
   tags:
       - RHEL-08-010750
 
-- name: "MEDIUM | REHL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
+- name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
   lineinfile:
       path: /etc/login.defs
       regexp: '.*?CREATE_HOME.*'
       line: CREATE_HOME     yes
   when:
-      - rhel_01_010760
+      - rhel_08_010760
   tags:
-      - REHL-08-010760
+      - RHEL-08-010760
       - login
       - home
 
@@ -1597,7 +1600,7 @@
       - rhel_08_010770
       - rhel8stig_disruption_high
       - rhel_08_stig_interactive_homedir_inifiles is defined
-  tags: 
+  tags:
       - RHEL-08-010770
       - complexity-high
 
@@ -1671,7 +1674,7 @@
 
 - name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
   debug:
-      msg: 
+      msg:
           - "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
           - "To do this please run sudo chage -l account_name for the accounts you need to check"
           - "The results will display the Account Expires information"
@@ -2218,7 +2221,7 @@
         lineinfile:
             path: "/etc/pam.d/{{ item }}"
             regexp: '^auth       required pam_faillock.so preauth'
-            line: "auth       required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
+            line: "auth       required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
             insertafter: '^auth'
         notify: restart sssd
         with_items:
@@ -2881,7 +2884,7 @@
       path: /etc/security/pwquality.conf
       create: yes
       regexp: '^#?\s*dictcheck'
-      line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}" 
+      line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
   when:
       - rhel_08_020300
   tags:
@@ -3373,7 +3376,7 @@
   with_items:
       - -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
       - -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
-      - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod 
+      - -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
       - -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
   notify: restart auditd
   when:
@@ -3406,7 +3409,7 @@
       - -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
       - -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
       - -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
-      - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod 
+      - -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
   notify: restart auditd
   when:
       - rhel_08_030240
@@ -3623,7 +3626,7 @@
   tags:
       - RHEL-08-030340
       - auditd
- 
+
 - name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
   lineinfile:
       path: /etc/audit/rules.d/audit.rules
@@ -4319,7 +4322,7 @@
 
             - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
               debug:
-                  msg: 
+                  msg:
                       - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
                       - "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}"
               changed_when: true
@@ -4487,7 +4490,7 @@
       - rhel_08_040090
   tags:
       - RHEL-08-040090
-      - firewall 
+      - firewall
 
 - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
   block:
@@ -5177,7 +5180,7 @@
   tags:
       - RHEL-08-040330
 
-- name: "HIGH | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8."
+- name: "MEDIUM | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8."
   lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^.*X11Forwarding'