Merge pull request #188 from ansible-lockdown/devel

Devel to main release stig v1r9

Author: uk-bolly

.github/workflows/OS.tfvars

@@ -1,4 +1,4 @@
-#Ami Rocky 85
+#Ami Rocky 85 - US_east 1
 ami_id        = "ami-043ceee68871e0bb5"
 ami_os        = "rocky8"
 ami_username  = "rocky"

.github/workflows/linux_benchmark_testing.yml

@@ -31,7 +31,7 @@ jobs:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           pr-message: |-
             Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-            Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well.
+            Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
   # This workflow contains a single job called "build"
   build:
     # The type of runner that the job will run on
@@ -44,7 +44,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE,
       # so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 

.github/workflows/main.tf

@@ -76,6 +76,5 @@ resource "local_file" "inventory" {
         setup_audit: true
         run_audit: true
         system_is_ec2: true
-        audit_git_version: devel
     EOF
 }

.github/workflows/update_galaxy.yml

@@ -0,0 +1,20 @@
+---
+
+# This is a basic workflow to help you get started with Actions
+
+name: update galaxy
+
+# Controls when the action will run.
+# Triggers the workflow on merge request events to the main branch
+on:
+  push:
+    branches:
+      - main
+jobs:
+    update_role:
+      runs-on: ubuntu-latest
+      steps:
+        - uses: actions/checkout@v2
+        - uses: hspaans/ansible-galaxy-action@master
+          with:
+            api_key: ${{ secrets.GALAXY_API_KEY }}

Changelog.md

@@ -1,12 +1,52 @@
 # Changes to RHEL8STIG
 
+## Relase 2.8.3
+
+- improvements to openssh configs and seperated tasks
+
+## Release 2.8.2
+
+- updates to pamd logic thanks to @JacobBuskirk for highlighting
+
+ Also following issues/PRs
+
+- #168
+- #169
+- #170
+- #171
+- #172
+- #177
+- #178
+- #179
+- #180
+- #181
+
+## Release 2.8.0
+
+- updates to workflow
+  - ami
+  - update to actions to latest versions
+  - update_galaxy workflow added
+- README alignment
+- ansible.cfg added showing how tested
+- audit template updated
+- moved warnihg statements arounf for reboot
+
+- RULEID reference updated
+- 010510 rule no longer required
+- 010671 improvement
+- 020040 loop added
+- 040090 - var typo fixed
+- 040342 new control for FIP_KEX Algorithms
+  - new FIPS_KEX_ALGO variable
+
 ## Release 2.7.0
+
 - lint updates
 - Benchmark 1.8 Updates
   - New RULEID for the following, plus additional notes if needed
     - CAT1
-      - RHEL-08-010000 
-      - 
+      - RHEL-08-010000
     - CAT2
       - RHEL-08-010040
       - RHEL-08-010090
@@ -46,7 +86,7 @@
       - RHEL-08-020230
       - RHEL-08-010280
       - RHEL-08-020300
-      - RHEL-08-020350 - Updated CCI 
+      - RHEL-08-020350 - Updated CCI
       - RHEL-08-020352
       - RHEL-08-040127 - Added tasks to deal with different versions of RHEL8
       - RHEL-08-040161
@@ -73,7 +113,6 @@
       - RHEL-08-040286 - Updated to include find adn remove for conflicting parameters
       - RHEL-08-040340
       - RHEL-08-040341
-      - RHEL-08-040400 - New control 
+      - RHEL-08-040400 - New control
     - CAT3
       - RHEL-08-020340 - Updated CCI
-

README.md

@@ -6,7 +6,7 @@
 
 Configure a RHEL/Rocky 8 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel8stig_disruption_high` to `yes`.
 
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel 8 released on Oct 27, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R8_STIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 1, Rel 9 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R9_STIG.zip).
 
 ## Join us
 

ansible.cfg

@@ -0,0 +1,28 @@
+[defaults]
+host_key_checking=False
+display_skipped_hosts=True
+system_warnings=False
+command_warnings=False
+nocows=1
+retry_files_save_path=/dev/null
+
+# Use the YAML callback plugin.
+stdout_callback = yaml
+# Use the stdout_callback when running ad-hoc commands.
+bin_ansible_callbacks = True
+
+[privilege_escalation]
+
+[paramiko_connection]
+record_host_keys=False
+
+[ssh_connection]
+transfer_method=scp
+
+[accelerate]
+
+[selinux]
+
+[colors]
+
+[diff]

defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ## metadata for Audit benchmark
-benchmark_version: '1.7'
+benchmark_version: 'v1r9'
 
 ## Benchmark name used by audting control role
 # The audit variable found at the base
@@ -178,7 +178,6 @@ rhel_08_010450: true
 rhel_08_010480: true
 rhel_08_010490: true
 rhel_08_010500: true
-rhel_08_010510: true
 rhel_08_010520: true
 rhel_08_010521: true
 rhel_08_010522: true
@@ -426,6 +425,7 @@ rhel_08_040321: true
 rhel_08_040330: true
 rhel_08_040340: true
 rhel_08_040341: true
+rhel_08_040342: true
 rhel_08_040350: true
 rhel_08_040370: true
 rhel_08_040380: true
@@ -477,6 +477,17 @@ rhel8stig_smartcard: false
 # Configure your smartcard driver
 rhel8stig_smartcarddriver: cackey
 
+#Whether or not system uses remote automounted home directories via autofs
+rhel8stig_autofs_remote_home_dirs: false
+
+#The local mount point used by autofs to mount remote home directory to.  This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true
+rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/"
+
+#The default shell command to gather local interactive user directories
+## NOTE: You will need to adjust the UID range in parenthesis below.
+## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below.
+local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'"
+
 # IPv6 required
 rhel8stig_ipv6_required: true
 
@@ -554,10 +565,10 @@ rhel8stig_local_int_perm: 0740
 # These are the minimum supported releases.
 # (Red Hat has support for older versions if you pay extra for it.)
 rhel8stig_min_supported_os_ver:
-    RedHat: "8.4"
-    CentOS: "8.4"
-    Rocky: "8.4"
-    AlmaLinux: "8.4"
+    RedHat: "8.7"
+    CentOS: "8.7"
+    Rocky: "8.7"
+    AlmaLinux: "8.7"
 
 # RHEL-08-040260
 # If system is not router, run tasks that disable router functions.
@@ -601,7 +612,7 @@ rhel8stig_aide_cron:
     special_time: daily
     # Disable the notification check rule to disable mailing notifications
     notify_by_mail: true
-    notify_cmd: ' | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'
+    notify_cmd: ' | /var/spool/mail -s "$(hostname) - Daily aide integrity check run" root@localhost'
 
 rhel8stig_cron_special_disable: "{{
         rhel8stig_workaround_for_disa_benchmark or
@@ -855,7 +866,10 @@ rhel8stig_white_list_services:
 # This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file
 # to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256
 # to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr
-rhel8stig_ssh_cipher_settings: "aes256-ctr,aes192-ctr,aes128-ctr"
+rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256'
+rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr"
+rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
+
 # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting
 # to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings
 # to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
@@ -875,6 +889,7 @@ rhel8stig_tmux_lock_after_time: 900
 # Value must be greater than 0 to conform to STIG standards
 rhel8stig_sudo_timestamp_timeout: 1
 
+
 #### Goss Configuration Settings ####
 # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
 audit_run_script_environment:
@@ -884,14 +899,14 @@ audit_run_script_environment:
 
 ### Goss binary settings ###
 goss_version:
-    release: v0.3.16
-    checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'
+    release: v0.3.21
+    checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json
 
 # if get_goss_file == download change accordingly
-goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
+goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
 
 ## if get_goss_file - copy the following needs to be updated for your environment
 ## it is expected that it will be copied from somewhere accessible to the control node
@@ -902,7 +917,7 @@ copy_goss_from_path: /some/accessible/path
 ## managed by the control audit_content
 # git
 audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_git_version: benchmark_v1r8_rh8
+audit_git_version: "benchmark_{{ benchmark_version }}_rh8"
 
 # copy:
 audit_local_copy: "some path to copy from"

tasks/fix-cat1.yml

@@ -242,7 +242,7 @@
       - CAT1
       - CCI-001749
       - SRG-OS-000366-GPOS-00153
-      - SV-230264r627750_rule
+      - SV-230264r880711_rule
       - V-230264
       - yum