Merge pull request #34 from ansible-lockdown/devel

Devel to main
Signed-off-by: George Nalen <georgen@mindpointgroup.com>

Author: georgenalen

.ansible-lint

@@ -0,0 +1,11 @@
+parseable: true
+quiet: true
+skip_list:
+  - '204'
+  - '305'
+  - '303'
+  - '403'
+  - '306'
+  - '602'
+use_default_rules: true
+verbosity: 0

.gitignore

@@ -1,6 +1,7 @@
 .env
 *.log
 *.retry
+.cache
 .vagrant
 tests/*redhat-subscription
 tests/Dockerfile

.yamllint

@@ -0,0 +1,24 @@
+---
+ignore: |
+  tests/
+  molecule/
+  .github/
+  .gitlab-ci.yml
+  *molecule.yml
+
+extends: default
+
+rules:
+  indentation:
+    # Requiring 4 space indentation
+    spaces: 4
+    # Requiring consistent indentation within a file, either indented or not
+    indent-sequences: consistent
+  truthy: disable
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  line-length: disable

README.md

@@ -12,7 +12,6 @@ Requirements
 
 RHEL 8 or CentOS 8 - Other versions are not supported.
 
-
 Dependencies
 ------------
 
@@ -25,10 +24,12 @@ The following packages must be installed on the controlling host/host where ansi
 
 Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
 
-
 Role Variables
 --------------
 
+- some found below
+- please refer to defaults/main.yml for a full breakdown
+
 | Name              | Default Value       | Description          |
 |-------------------|---------------------|----------------------|
 | `rhel8stig_oscap_scan` | `no` | Install and run an OpenSCAP report before and after the application of this role        |
@@ -56,6 +57,12 @@ Role Variables
 | `rhel8stig_password_complexity.maxrepeat` | `3` | Maximum number of allowed same consecutive characters in a new password. |
 | `rhel8stig_password_complexity.maxclassrepeat` | `4` | Maximum number of allowed same consecutive characters in the same **class** in the new password. |
 | `rhel8stig_password_complexity.minlen` | `15` | Minimum number of characters in a new password. |
+| `rhel8stig_sssd_conf` | [see defaults/main.yml](./defaults/main.yml)  | Default location for sssd.conf |
+| `rhel8stig_sssd_domain` | testing.test | Domain to be used in sssd |
+| `rhel8stig_sssd.certmap` | certmap/{{ rhel8stig_sssd_domain }}/rule_name | certmap rule for sssd |
+| `rhel8stig_sssd.matchrule` | =.*EDIPI@mil | match rule in relationship to domain e.g. CN etc |
+| `rhel8stig_sssd.maprule` | (userCertificate;binary={cert!bin}) | map cert auth requirements into sssd rule |
+| `rhel8stig_sssd.domains` | testing.test | comma seperated list of domains using sssd |
 | `rhel8stig_shell_session_timeout` | `file: /etc/profile` `timeout: 600` | Dictionary of session timeout setting and file (TMOUT setting can be set in multiple files) |
 | `rhel8stig_interactive_uid_start` | `1000` | Interactive user start point (UID_MIN) from /etc/login.defs |
 | `rhel8stig_ntp_server_name: server.name` | `server.name` | The NTP Server Name |
@@ -64,9 +71,10 @@ Role Variables
 | `rhel8stig_sshd_compression` | `no` | The Compression parameter in /etc/ssh/sshd_config needs to be set to no or delayed |
 | `rhel8stig_path_to_sshkey` | `/root/.ssh/` | Custom path to the ssh key |
 | `rhel8stig_hashing_rounds` | `5000` | The rounds parameter goes into pamd configs and needs to be set to now lower than 5000 |
-| `rhel8stig_dns_servers` | `9.9.9.9 and 149.112.112.112` | To conform to STIG standards you need two DNS servers, parameter is in list form |
+| `rhel8stig_dns_servers` | `8.8.8.8 and 8.8.4.4` | To conform to STIG standards you need two DNS servers, parameter is in list form |
 | `rhel8stig_nfs_mounts` | `vars` | NFS file system mounts pull automatcially with prelim task |
 | `rhel8stig_nfs_mounts_query` | `[?starts_with(fstype, 'nfs')].mount` | The query for mounts |
+| `rhel8stig_skip_reboot` | `false` | Whether or not to skip the reboot |
 
 
 Example Playbook
@@ -78,4 +86,3 @@ Example Playbook
             when:
                 - ansible_os_family == 'RedHat'
                 - ansible_distribution_major_version | version_compare('8', '=')
-

defaults/main.yml

@@ -38,6 +38,9 @@ rhel8stig_system_is_container: false
 # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
 system_is_ec2: false
 
+# Whether to skip the reboot
+rhel8stig_skip_reboot: false
+
 # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
 # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
 # in order for the variables below to take effect.
@@ -515,6 +518,15 @@ rhel8stig_password_complexity:
     minlen: 15
     dictcheck: 1
 
+# rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290
+rhel8stig_sssd_conf: /etc/sssd/sssd.conf
+rhel8stig_sssd_domain: testing.test
+rhel8stig_sssd:
+    certmap: "certmap/{{ rhel8stig_sssd_domain }}/rule_name"
+    matchrule: "=.*EDIPI@mil"
+    maprule: (userCertificate;binary={cert!bin})
+    domains: "{{ rhel8stig_sssd_domain }}"
+
 # RHEL-08-020070
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. (60 seconds * 10 = 600)
@@ -567,7 +579,7 @@ rhel8stig_audisp_disk_full_action: single
 # rhel8stig_audisp_network_failure_action optoins are syslog, halt, and single
 rhel8stig_audisp_network_failure_action: single
 
-# RHEL-08-030060 
+# RHEL-08-030060
 # rhel8stig_auditd_disk_full_action options are SYSLOG, HALT, and SINGLE to fit STIG standards
 rhel8stig_auditd_disk_full_action: HALT
 
@@ -625,7 +637,7 @@ rhel8stig_auditd_failure_flag: "{{ rhel8stig_availability_override | ternary(1,
 # REHL-08-010020
 rhel8stig_boot_part: "{{ rhel_08_boot_part.stdout }}"
 
-# 
+#
 rhel8stig_machine_uses_uefi: "{{ rhel_08_sys_firmware_efi.stat.exists }}"
 rhel8stig_grub_cfg_path: "{{ rhel8stig_machine_uses_uefi | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
 rhel8stig_grub_cfg_path_invalid: "{{ (not rhel8stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
@@ -638,15 +650,25 @@ rhel8stig_nfs_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel
 rhel8stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount"
 
 # RHEL-08-010680
-rhel8stig_dns_servers:
+# This can be managed using a template ensure settings are correct
+rhel8_stig_use_resolv_template: false
+rhel8_stig_resolv_domain: example.com
+rhel8_stig_resolv_search:
+#    - 'example.com'
+#    - 'blah'
+rhel8_stig_resolv_options:
+#    - 'rotate 2'
+#    - 'timeout:1'
+
+rhel8stig_dns_servers:  # The order needs to be set as expected. If you have 3 you will need to amend playbook (not ideal)
     - 8.8.8.8
     - 8.8.4.4
 
 rhel8stig_int_gid: 1000
 
 # RHEL-08-010130
 # The rounds parameter goes into the password sufficient pam_unix.so element of the password-auth and system-auth files. The value shoudl be set no lower than 5000
-rhel8stig_hashing_rounds: 5000 
+rhel8stig_hashing_rounds: 5000
 
 # RHEL-08-010100
 rhel8stig_path_to_sshkey: "/root/.ssh/"
@@ -673,7 +695,7 @@ rhel8stig_custom_firewall_zone: "new_fw_zone"
 
 # RHEL-08-040090
 # rhel8stig_white_list_services is the services that you want to allow through initially for teh new firewall zone
-# http and ssh need to be enabled for the role to run. 
+# http and ssh need to be enabled for the role to run.
 rhel8stig_white_list_services:
     - http
     - https
@@ -698,4 +720,4 @@ rhel8stig_gnutls_encryption: "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1
 
 # RHEL-08-020070
 # This is the value for the tmux lock after setting. To conform to STIG standards value needs to be set to 900 or less
-rhel8stig_tmux_lock_after_time: 900
+rhel8stig_tmux_lock_after_time: 900

handlers/main.yml

@@ -16,6 +16,8 @@
   service:
       name: sssd
       state: restarted
+  when:
+      - "'sssd' in ansible_facts.packages" 
 
 - name: restart snmpd
   service:
@@ -48,6 +50,9 @@
       src: "{{ rhel8stig_grub_cfg_path | dirname }}/{{ item }}"
       dest: "{{ rhel8stig_grub_cfg_path_invalid | dirname }}/{{ item }}"
       remote_src: yes
+      owner: root
+      group: root
+      mode: 0755
   with_items:
       - grub.cfg
       - user.cfg
@@ -107,7 +112,10 @@
 
 - name: dconf update
   command: dconf update
-  when: rhel8stig_has_dconf_command
+  when: 
+  - "'dconf' in ansible_facts.packages"
+  - rhel8stig_always_configure_dconf
+  
 
 - name: prereport score
   debug:
@@ -122,4 +130,5 @@
 - name: reboot system
   shell: sleep 3; reboot
   async: 15
-  poll: 0
+  poll: 0
+  when: not rhel8stig_skip_reboot

meta/main.yml

@@ -1,20 +1,18 @@
 ---
 galaxy_info:
-    author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen"
+    author: "Sam Doran, Josh Springer, Daniel Shepherd, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell"
     description: "Apply the DISA RHEL 8 STIG"
     company: "MindPoint Group"
     license: MIT
-    min_ansible_version: 2.8.0
-
+    role_name: rhel8_stig
+    min_ansible_version: 2.9.0
     platforms:
         - name: EL
           versions:
               - 8
-
     galaxy_tags:
         - system
         - security
         - stig
         - hardening
-
 dependencies: []

site.yml

@@ -8,4 +8,4 @@
       - role: "{{ playbook_dir }}"
         rhel8cis_system_is_container: "{{ is_container | default(false) }}"
         rhel8cis_skip_for_travis: false
-        rhel8cis_oscap_scan: yes
+        rhel8cis_oscap_scan: yes

tasks/audit_oscap_scan_after.yml

@@ -11,6 +11,8 @@
   ignore_errors: true
   changed_when: false
   failed_when: false
+  tags:
+      - skip_ansible_lint
 
 - name: Get the second scan result from the XML
   slurp:

tasks/audit_oscap_scan_before.yml

@@ -39,6 +39,8 @@
   ignore_errors: true
   changed_when: false
   failed_when: false
+  tags:
+      - skip_ansible_lint
 
 - name: Get the scan result from the XML
   slurp: