ansible-lockdown
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 3 additions & 3 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎Changelog.md‎
Lines changed: 1 addition & 1 deletion b/‎Changelog.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎LICENSE‎
Lines changed: 2 additions & 2 deletions b/‎LICENSE‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 2 additions & 2 deletions b/‎README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defaults/main.yml‎
Lines changed: 37 additions & 17 deletions b/‎defaults/main.yml‎
Lines changed: 37 additions & 17 deletions
diff --git a/‎galaxy.yml‎
Lines changed: 2 additions & 1 deletion b/‎galaxy.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎handlers/main.yml‎
Lines changed: 15 additions & 5 deletions b/‎handlers/main.yml‎
Lines changed: 15 additions & 5 deletions
diff --git a/‎meta/main.yml‎
Lines changed: 1 addition & 1 deletion b/‎meta/main.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tasks/Cat1/RHEL-09-2xxxxx.yml‎
Lines changed: 11 additions & 12 deletions b/‎tasks/Cat1/RHEL-09-2xxxxx.yml‎
Lines changed: 11 additions & 12 deletions
diff --git a/‎tasks/Cat1/RHEL-09-4xxxxx.yml‎
Lines changed: 3 additions & 3 deletions b/‎tasks/Cat1/RHEL-09-4xxxxx.yml‎
Lines changed: 3 additions & 3 deletions
@@ -8,7 +8,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: v5.0.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -36,12 +36,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.4
+  rev: v8.23.3
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.7.0
+  rev: v25.1.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
 
@@ -1,4 +1,4 @@
-# Ubuntu22CIS
+# RHEL9STIG
 
 ## 1.2.1 Based on STIG V1R2 Jan24 2024
 
 
@@ -1,6 +1,6 @@
-# MIT License
+MIT License
 
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 
@@ -2,9 +2,9 @@
 
 ## Configure a RHEL9 based system to be complaint with Disa STIG
 
-This role is based on RHEL 9 DISA STIG: [Version 1, Rel 2 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R2_STIG.zip).
+This role is based on RHEL 9 DISA STIG: [Version 1, Rel 3 released on Apr 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R3_STIG.zip).
 
-## Initial Relase from STIG, still many items that not quite aligned in the documentation
+## Initial Release from STIG, still many items that not quite aligned in the documentation
 
 ---
 
 
@@ -1,7 +1,7 @@
 ---
 
 ## metadata for Audit benchmark
-benchmark_version: 'v1r2'
+benchmark_version: 'v1r3'
 
 ## Benchmark name used by audting control role
 # The audit variable found at the base
@@ -42,6 +42,13 @@ container_vars_file: is_container.yml
 # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
 system_is_ec2: false
 
+# Connecting user, due to the way many users work differently this is to try and assist the use of connecting user if required
+# This is useful when part of kickstart build or running as root and not defining the ansible_user option
+# used @ RHEL-09-411015
+rhel9stig_default_user: root
+rhel9stig_connecting_user: "{{ ansible_env.SUDO_USER | default(rhel9stig_default_user) }}"
+rhel9stig_playbook_user: "{{ ansible_user | default(rhel9stig_connecting_user) }}"
+
 # Whether to skip the reboot
 skip_reboot: true
 
@@ -323,7 +330,6 @@ rhel_09_255045: true
 rhel_09_255055: true
 rhel_09_255060: true
 rhel_09_255065: true
-rhel_09_255070: true
 rhel_09_255075: true
 rhel_09_255080: true
 rhel_09_255085: true
@@ -597,12 +603,16 @@ rhel_09_653120: true
 
 ### CONTROLS
 
-## Grahical/Gnome interface required
-rhel9stig_gui: false
+## Graphical/Gnome interface approved to be present
+rhel9stig_gui_approved: false
+
+# If gui not installed
+rhel9stig_gui: "{{ rhel_09_gnome_present.stat.exists | default(false) }}"
 
 ## SSHD
 rhel9stig_sshd_config_file: /etc/ssh/sshd_config
 rhel9stig_ssh_required: true
+rhel9stig_sshd_config_maxlogins: 10
 rhel9stig_sshd_config:
   banner_file: /etc/issue
   ciphers: "{{ rhel9stig_dod_ciphers }}"
@@ -617,8 +627,7 @@ rhel9stig_sshd_config:
   kerbauth: 'no'
   lastlog: 'yes'
   loglevel: VERBOSE
-  macs_clients: "{{ rhel9stig_dod_macs_clients }}"
-  macs_server: "{{ rhel9stig_dod_macs_server }}"
+  macs: "{{ rhel9stig_dod_macs }}"
   pubkeyauth: 'yes'
   permitroot: 'no'
   privsep: sandbox
@@ -718,6 +727,17 @@ rhel9stig_time_synchronization_servers:
 - '1.us.pool.ntp.mil'
 rhel9stig_chrony_server_options: "iburst maxpoll 16"  # Max Settings is maxpoll 16
 
+## fapolicy
+# Allow adding of fapolicy rules uses whitelist below
+rhel9stig_add_fapolicy_policy: false
+
+# rhel9stig_fapolicy_white_list is the whitelist for fapolicyd
+rhel9stig_fapolicy_white_list:
+- '# Allow Ansible'
+- "allow perm=any trust=1 : dir={{ ansible_env.PWD }}/.ansible/"
+- 'allow perm=any trust=1 : dir=/root/.ansible/'
+- 'allow perm=any trust=1 : dir=/tmp/ansible/'
+
 ## DNS
 # Please adjust accordingly for ipv4 or ipv6
 rhel9stig_dns_ip4_servers:
@@ -740,9 +760,9 @@ rhel9stig_postfix_client_conf: permit_mynetworks,reject
 ### ACCOUNTS and AUTH ###
 ## PAM and password settings
 rhel9stig_pass:
-  max_days: '60'
-  min_days: '1'
-  minlen: '15'
+  max_days: 60
+  min_days: 1
+  minlen: 15
 
 rhel9stig_user_inactive_days: '35'
 
@@ -778,13 +798,13 @@ rhel9stig_pam:
   rounds: '5000'
 
 rhel9stig_pwquality:
-  dcredit: '-1'
-  dictcheck: '1'
-  difok: '8'
-  lcredit: '-1'
-  maxclassrepeat: '4'
-  maxrepeat: '3'
-  minclass: '4'
+  dcredit: -1
+  dictcheck: 1
+  difok: 8
+  lcredit: -1
+  maxclassrepeat: 4
+  maxrepeat: 3
+  minclass: 4
   ocredit: -1
   ucredit: -1
 
@@ -822,7 +842,7 @@ rhel9stig_remotelog_server:
 # Ensure this matches the filesystem where the audit logs are stored.
 # It will affect checks for control RHEL-09-653030
 
-rhel9stig_audit_log_filesystem: /var/log/audit
+rhel9stig_audit_log_filesystem: '/var/log/audit'
 rhel9stig_audit_conf:
   action_mail_acct: root
   admin_space_left: 5%
 
@@ -33,14 +33,15 @@ license:
 # requirements as 'namespace' and 'name'
 tags:
 - ansible-lockdown
-- mindpointgroup
 - stig
 - disa
 - devsecops
 - rhel7
 - rhel7-stig
 - rhel8
 - rhel8-stig
+- rhel9
+- rhel9-stig
 - ubuntu18
 - ubuntu18-stig
 - ubuntu20
 
@@ -4,10 +4,6 @@
   ansible.builtin.systemd:
     daemon_reload: true
 
-- name: Change_requires_reboot
-  ansible.builtin.set_fact:
-    reboot_required: true
-
 - name: Sshd_restart
   ansible.builtin.systemd:
     name: sshd
@@ -82,20 +78,34 @@
     name: rsyslog.service
     state: restarted
 
+# Must be prior to fapolicyd restart
+- name: Generate fapolicyd rules
+  ansible.builtin.shell: fagenrules --load
+
+- name: Restart fapolicyd
+  ansible.builtin.service:
+    name: fapolicyd
+    state: restarted
+
 ## Auditd tasks note order for handlers to run
 
 - name: Auditd_immutable_check
   ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/audit.rules
   changed_when: false
+  failed_when: auditd_immutable_check.rc not in [ 0, 1 ]
   register: auditd_immutable_check
 
 - name: Audit_immutable_fact
   when:
-    - auditd_immutable_check.stdout == '1'
+    - auditd_immutable_check.stdout >= '1'
   notify: change_requires_reboot
   ansible.builtin.debug:
     msg: "Reboot required for auditd to apply new rules as immutable set"
 
+- name: Change_requires_reboot
+  ansible.builtin.set_fact:
+    change_requires_reboot: true
+
 - name: Restart_auditd
   tags:
     - skip_ansible_lint
 
@@ -6,7 +6,7 @@ galaxy_info:
     license: MIT
     role_name: rhel9_stig
     namespace: mindpointgroup
-    min_ansible_version: 2.15.1
+    min_ansible_version: 2.12.1
     platforms:
         - name: EL
           versions:
 
@@ -52,19 +52,18 @@
     - NIST800-53R4_AC-6
   notify: Systemd_daemon_reload
   block:
-    - name: HIGH | RHEL-09-211050 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled | systemctl disable
-      ansible.builtin.systemd:
-        enabled: false
-        masked: true
-        name: ctrl-alt-del.target
-        state: stopped
-
     - name: HIGH | RHEL-09-211050 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled | Create symlink to /dev/null
       ansible.builtin.file:
         dest: /etc/systemd/system/ctrl-alt-del.target
         src: /dev/null
         state: link
 
+    - name: HIGH | RHEL-09-211050 | PATCH | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled | systemctl disable
+      ansible.builtin.systemd:
+        masked: true
+        name: ctrl-alt-del.target
+        state: stopped
+
 - name: HIGH | RHEL-09-212020 | PATCH | RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.
   when:
     - rhel_09_212020
@@ -182,19 +181,19 @@
 
 - name: HIGH | RHEL-09-215060 | PATCH | RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
   when:
-    - "'tftp' in ansible_facts.packages"
+    - "'tftp-server' in ansible_facts.packages"
     - rhel_09_215060
   tags:
     - RHEL-09-215060
     - CAT1
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-257835r925492_rule
+    - SV-257835r952171_rule
     - V-257835
     - NIST800-53R4_CM-6
     - tftp
   ansible.builtin.package:
-    name: tftp
+    name: tftp-server
     state: absent
 
 - name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
@@ -323,7 +322,7 @@
     - SRG-OS-000106-GPOS-00053
     - SRG-OS-000480-GPOS-00229
     - SRG-OS-000480-GPOS-00227
-    - SV-257984r943034_rule
+    - SV-257984r952179_rule
     - V-257984
     - NIST800-53R4_CM-6
     - NIST800-53R4_IA-2
@@ -343,7 +342,7 @@
     - CAT1
     - CCI-000877
     - SRG-OS-000125-GPOS-00065
-    - SV-257986r943038_rule
+    - SV-257986r952183_rule
     - V-257986
     - NIST800-53R4_MA-4
     - ssh
 
@@ -1,6 +1,6 @@
 ---
 
-- name: HIGH | RHEL-09-0411100 | The root account must be the only account having unrestricted access to RHEL 9 system.
+- name: HIGH | RHEL-09-411100 | The root account must be the only account having unrestricted access to RHEL 9 system.
   when:
     - rhel_09_411100
   tags:
@@ -15,13 +15,13 @@
   vars:
     warn_control_id: "HIGH | RHEL-09-411100"
   block:
-    - name: HIGH | RHEL-09-0411100 | AUDIT | The root account must be the only account having unrestricted access to RHEL 9 system.
+    - name: HIGH | RHEL-09-411100 | AUDIT | The root account must be the only account having unrestricted access to RHEL 9 system.
       ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
       changed_when: false
       check_mode: false
       register: rhel9stig_uid_zero_accounts_except_root
 
-    - name: HIGH | RHEL-09-0411100 | WARN | The root account must be the only account having unrestricted access to RHEL 9 system.
+    - name: HIGH | RHEL-09-411100 | WARN | The root account must be the only account having unrestricted access to RHEL 9 system.
       when:
         - rhel9stig_uid_zero_accounts_except_root is defined
         - rhel9stig_uid_zero_accounts_except_root.stdout | length > 0
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# Ubuntu22CIS`
	`1`	`+# RHEL9STIG`
`2`	`2`
`3`	`3`	`## 1.2.1 Based on STIG V1R2 Jan24 2024`
`4`	`4`