Merge branch 'devel'

.gitignore

@@ -0,0 +1 @@
+*.pyc

README.md

@@ -1,7 +1,11 @@
 RHEL 7 DISA STIG
 ================
 
+**This role is still under active development.**
 
+Configure a RHEL 7 system be be DISA STIG compliant. CAT I findings will be correceted and audited by default. CAT II and II findigs can be enabled by setting the appropriate variables to `yes`.
+
+The RHEL 7 STIG is currently in draft form. This role is based on [Version 1, Revision 0.2 released on July 15, 2016](http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx).
 
 
 Requirements
@@ -14,9 +18,15 @@ Role Variables
 
 | Name              | Default Value       | Description          |
 |-------------------|---------------------|----------------------|
-| `rhel7stig_cat1_patch` | True | Correct CAT I findings |
-| `rhel7stig_cat2_patch` | False | Correct CAT II findings |
-| `rhel7stig_cat3_patch` | False | Correct CAT III findings |
+| `rhel7stig_cat1_patch` | `yes` | Correct CAT I findings |
+| `rhel7stig_cat2_patch` | `no` | Correct CAT II findings |
+| `rhel7stig_cat3_patch` | `no` | Correct CAT III findings |
+| `rhel7stig_gui` | `no` | Whether or not to run tasks related to auditing/patching the desktop environment |
+| `rhel7stig_av_package` | `no` | Anti-virus package(s) to install and service to start and enable. |
+| `rhel7stig_lftpd_required` | `no` | If set to `no`, remove `lftpd`. |
+| `rhel7stig_tftp_required` | `no` | If set to `no`, remove `tftp` client and server packages. |
+| `rhel7stig_snmp_community` | `Endgam3Ladyb0g` | SNMP community string that will replace `public` and `private` in `snmpd.conf`. |
+| `rhel7stig_bootloader_password` | `Boot1tUp!` | GRUB2 bootloader password. This should be stored in an Anisble Vault. |
 
 Dependencies
 ------------

defaults/main.yml

@@ -1,3 +1,40 @@
 rhel7stig_cat1_patch: yes
 rhel7stig_cat2_patch: no
 rhel7stig_cat3_patch: no
+
+# Whether or not to run tasks related to auditing/patching the desktop environment
+rhel7stig_gui: no
+
+# RHEL-07-030810
+# Install and enable a DOD-approved AV program. ClamAV and McAfee (nails)
+# are the currently approved applications. This variable is used in two separate
+# tasks that will install the package and start and enable the service.
+rhel7stig_av_package:
+  package:
+    - clamav
+    - clamav-scanner
+    - clamav-server
+  service: clamav-daemon
+
+# RHEL-07-040490
+# If not required, remove lftpd.
+rhel7stig_lftpd_required: no
+
+# RHEL-07-040500
+# If not required, remove tftp
+rhel7stig_tftp_required: no
+
+# RHEL-07-040580
+# Set the SNMP community string to this from the default of public or private
+rhel7stig_snmp_community: Endgam3Ladyb0g
+
+# RHEL-07-010460 and RHEL-07-010470
+# Password protect the boot loader
+rhel7stig_bootloader_password: 'Boot1tUp!'
+rhel7stig_boot_password_config:
+      - regexp: ^set superusers
+        line: 'set superusers="root"'
+
+      - regexp: ^password_pbkdf2 root
+        line: password_pbkdf2 root {{ rhel7stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }}
+

filter_plugins/filters.py

@@ -0,0 +1,37 @@
+import crypt
+from random import SystemRandom, shuffle
+from passlib.hash import grub_pbkdf2_sha512
+import string
+try:
+    import passlib.hash
+    HAS_PASSLIB = True
+except:
+    HAS_PASSLIB = False
+
+def grub2_hash(password, salt=None, iterations=10000):
+
+    if salt is None:
+        r = SystemRandom()
+        salt = ''.join([r.choice(string.ascii_letters + string.digits) for _ in range(64)])
+
+    if not HAS_PASSLIB:
+        if sys.platform.startswith('darwin'):
+            raise errors.AnsibleFilterError('|password_hash requires the passlib python module to generate password hashes on Mac OS X/Darwin')
+        saltstring =  "$%s$%s" % (cryptmethod[hashtype],salt)
+        encrypted = grub_pbkdf2_sha512.encrypt(password, salt=salt, rounds=iterations)
+    else:
+        encrypted = grub_pbkdf2_sha512.encrypt(password, salt=salt, rounds=iterations)
+
+    return encrypted
+
+
+class FilterModule(object):
+
+    def filters(self):
+        return {
+            'grub2_hash': grub2_hash
+        }
+
+
+
+

handlers/main.yml

@@ -8,3 +8,11 @@
   async: 0
   poll: 0
   ignore_errors: yes
+
+- name: restart snmpd
+  service:
+      name: snmpd
+      state: restarted
+
+- name: make grub2 config
+  command: grub2-mkconfig --output=/etc/grub2.cfg

tasks/audit-cat1.yml

@@ -0,0 +1,121 @@
+- name: "HIGH | RHEL-07-010010 | AUDIT | The file permissions, ownership, and group membership of system files and commands must match the vendor values."
+  shell: 'rpm -Va | grep ''^.M'''
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  register: rhel_07_010010_audit
+  tags:
+      - cat1
+      - high
+      - audit
+      - RHEL-07-010010
+      - always
+      - rpm
+
+- name: "HIGH | RHEL-07-010020 | AUDIT | The cryptographic hash of system files and commands must match vendor values."
+  shell: 'rpm -Va | grep ''^..5'' | grep -E ''/.?bin/'''
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  register: rhel_07_010020_audit
+  tags:
+      - cat1
+      - high
+      - audit
+      - RHEL-07-010020
+      - always
+
+- name: "HIGH | RHEL-07-010460 | AUDIT | Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
+  command: grep -i ^password_pbkdf2 /boot/grub2/grub.cfg
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  register: rhel_07_010460_audit
+  tags:
+      - cat1
+      - high
+      - audit
+      - RHEL-07-010460
+      - always
+
+- name: "HIGH | RHEL-07-010470 | AUDIT | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
+  command: grep -i ^password_pbkdf2 /boot/efi/EFI/redhat/grub.cfg
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  register: rhel_07_010470_audit
+  tags:
+      - cat1
+      - high
+      - audit
+      - RHEL-07-010470
+      - always
+
+- name: "HIGH | RHEL-07-020170 | PATCH | Operating systems handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+  shell: blkid | grep -vi crypto_LUKS
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  register: rhel_07_020170_audit
+  tags:
+      - cat1
+      - high
+      - audit
+      - RHEL-07-020170
+
+- name: "HIGH | RHEL-07-020310 | AUDIT | The root account must be the only account having unrestricted access to the system."
+  command: 'awk -F: ''$3 == 0 && $1 !~ /root/ {print $1}'' /etc/passwd'
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  register: rhel_07_020310_audit
+  tags:
+      - cat1
+      - high
+      - audit
+      - RHEL-07-020310
+      - always
+
+- name: "HIGH | RHEL-07-040330 | AUDIT | There must be no .shosts files on the system."
+  find:
+      paths: /
+      recurse: yes
+      hidden: yes
+      patterns: '*.shosts'
+  register: rhel_07_040330_audit
+  tags:
+      - cat1
+      - high
+      - audit
+      - RHEL-07-040330
+      - always
+
+- name: "HIGH | RHEL-07-040331 | AUDIT | There must be no shosts.equiv files on the system."
+  find:
+      paths: /
+      recurse: yes
+      patterns: shosts.equiv
+  register: rhel_07_040331_audit
+  tags:
+      - cat1
+      - high
+      - audit
+      - RHEL-07-040331
+      - always
+
+- name: "HIGH | RHEL-07-040580 | AUDIT | SNMP community strings must be changed from the default."
+  command: grep {{ item }} /etc/snmp/snmpd.conf
+  failed_when: no
+  changed_when: no
+  ignore_errors: yes
+  with_items:
+      - public
+      - private
+  register: rhel_07_040580_audit
+  tags:
+      - cat1
+      - high
+      - audit
+      - RHEL-07-040580
+      - always
+      - snmp