Merge pull request #49 from ansible-lockdown/devel

Added Issue and PR templates and an issue fix
Signed-off-by: George Nalen <georgen@mindpointgroup.com>

Author: georgenalen

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,32 @@
+---
+name: Report Issue
+about: Create a bug issue ticket to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Issue**
+A clear and concise description of what the bug is.
+
+**Expected Behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual Behavior**
+A clear and concise description of what's happening.
+
+**Control(s) Affected**
+What controls are being affected by the issue
+
+**Environment (please complete the following information):**
+ - Ansible Version: [e.g. 2.10] 
+ - Host Python Version: [e.g. Python 3.7.6]
+ - Ansible Server Python Version: [e.g. Python 3.7.6]
+ - Additional Details:
+
+**Additional Notes**
+Anything additional goes here
+
+**Possible Solution**
+Enter a suggested fix here

.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md

@@ -0,0 +1,21 @@
+---
+name: Feature Request or Enhancement
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Feature Request or Enhancement**
+ - Feature []
+ - Enhancement []
+
+**Summary of Request**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Suggested Code**
+Please provide any code you have in mind to fulfill the request

.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,17 @@
+---
+name: Question
+about: Ask away.......
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Question**
+Pose question here. 
+
+**Environment (please complete the following information):**
+ - Ansible Version: [e.g. 2.10] 
+ - Host Python Version: [e.g. Python 3.7.6]
+ - Ansible Server Python Version: [e.g. Python 3.7.6]
+ - Additional Details:

.github/pull_request_template.md

@@ -0,0 +1,9 @@
+**Overall Review of Changes**
+A general description of the changes made that are being requested for merge
+
+**Any Related Open Issues**
+Please list any open issues this PR addresses
+
+**How as this been tested?**
+Please give an overview of how these changes were tested. If they were not please use N/A
+

defaults/main.yml

@@ -601,11 +601,13 @@ rhel8stig_pam_pwhistory:
 # RHEL-08-020012
 # RHEL-08-020013
 # pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes.
+# dir: is set to /var/log/faillock which is the non-default folder. Control 020017 states to not use the standard directory which is /var/run/faillock
 rhel8stig_pam_faillock:
     attempts: 3
     interval: 900
     unlock_time: 0
     fail_for_root: yes
+    dir: /var/log/faillock
 
 # RHEL-08-030670
 # rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards

tasks/fix-cat2.yml

@@ -131,6 +131,7 @@
       enabled: yes
   when:
       - rhel_08_010471
+      - "'rng-tools' in ansible_facts.packages"
   tags:
       - RHEL-08-010471
       - CAT3

tasks/fix-cat3.yml

@@ -408,3 +408,49 @@
             msg:
                 - "bootloader path set to {{ rhel8stig_bootloader_path }}"
                 - "legacy boot equals {{ rhel8stig_legacy_boot }}"
+
+- name: "PRELIM | RHEL-08-020017 | If using selinux set up system prereqs"
+  block:
+      - name: "PRELIM | RHEL-08-020017 | Install policycoreutils-python-utils"
+        package:
+            name: policycoreutils-python-utils
+            state: present
+        when: "'policycoreutils-python-utils' not in ansible_facts.packages"
+
+      - name: "PRELIM | RHEL-08-020017 | create faillock dir if rhel_08_020017"
+        file:
+            path: "{{ rhel8stig_pam_faillock.dir }}"
+            state: directory
+            mode: 0755
+            owner: root
+            group: root
+        register: faillock_dir
+
+      - name: "PRELIM | RHEL-08-020017 | Add permenant secontext"
+        sefcontext:
+            target: "{{ rhel8stig_pam_faillock.dir }}"
+            ftype: d
+            setype: faillog_t
+            state: present
+        register: add_faillock_secontext
+        when: faillock_dir.changed
+
+      - name: "PRELIM | RHEL-08-020017 | Set faillock directory selinux context immediately"
+        shell: "restorecon -irv {{ rhel8stig_pam_faillock.dir }}"
+
+      - name: "PRELIM | RHEL-08-020017 | Capture secontext"
+        shell: "ls -Zd {{ rhel8stig_pam_faillock.dir }}| grep -c faillog_t"
+        register: faillock_secontext
+        changed_when: false
+        failed_when: false
+
+      - name: "PRELIM | RHEL-08-020017 | Modify context of not correct"
+        shell: "semanage fcontext -m -t faillog_t -s system_u {{ rhel8stig_pam_faillock.dir }}"
+        register: modify_secontext
+        when: faillock_secontext.stdout != '1'
+      
+      - name: "PRELIM | RHEL-08-020017 | Set {{ rhel8stig_pam_faillock.dir }} selinux context"
+        shell: "restorecon -irv {{ rhel8stig_pam_faillock.dir }}"
+        when: modify_secontext.changed
+  when:
+      - rhel_08_020017

tasks/prelim.yml

@@ -434,3 +434,20 @@ rhel8stig_remotelog_server: {{ rhel8stig_remotelog_server.server }}
 rhel8stig_remotelog_port: {{ rhel8stig_remotelog_server.port }}
 
 # RHEL_08_040260-62
+rhel8stig_system_is_router: {{ rhel8stig_system_is_router }}
+
+# RHEL-08-020010
+# RHEL-08-020011
+# RHEL-08-020012
+# RHEL-08-020013
+# RHEL-08-020014
+# RHEL-08-020015
+# RHEL-08-020016
+# RHEL-08-020017
+# RHEL-08-020018
+# RHEL-08-020019
+# RHEL-08-020020
+# RHEL-08-020021
+# RHEL-08-020022
+# RHEL-08-020023
+rhel8stig_pam_faillock_dir: {{ rhel8stig_pam_faillock.dir }}