Merge pull request #395 from ansible-lockdown/devel

Release 1.4.0

.gitattributes

@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation

.github/workflows/communitytodevel.yml

@@ -33,6 +33,6 @@ jobs:
           # Job ID
           job_id: 5f933cbcf9c74e86b1609c00
           # Variables
-          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-07d8d14365439bc6e", "githubBranch": "${{ github.head_ref }}", "username": "ec2-user" }'
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-098f55b4287a885ba", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
           # Refactr API base URL
           api_url: # optional

.github/workflows/develtomain.yml

@@ -33,6 +33,6 @@ jobs:
           # Job ID
           job_id: 6040fe0cf7b21a22e11cf3b8
           # Variables
-          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-07d8d14365439bc6e", "username": "ec2-user" }'
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-098f55b4287a885ba", "username": "centos" }'
           # Refactr API base URL
           api_url: # optional

README.md

@@ -7,7 +7,7 @@ RHEL 7 DISA STIG
 
 Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`.
 
-This role is based on RHEL 7 DISA STIG: [Version 3, Rel 4 released on Jul 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R4_STIG.zip).
+This role is based on RHEL 7 DISA STIG: [Version 3, Rel 5 released on Oct 27, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R5_STIG.zip).
 
 Updating
 --------

defaults/main.yml

@@ -80,9 +80,11 @@ rhel_07_010290: true
 rhel_07_010300: true
 rhel_07_010440: true
 rhel_07_010450: true
-rhel_07_010480: true
+# possibly removed
+# rhel_07_010480: true
 rhel_07_010482: true
-rhel_07_010490: true
+# possibly removed
+# rhel_07_010490: true
 rhel_07_010491: true
 rhel_07_020000: true
 rhel_07_020010: true
@@ -152,6 +154,9 @@ rhel_07_010492: true
 rhel_07_010500: true
 rhel_07_020019: true
 rhel_07_020020: true
+rhel_07_020021: true
+rhel_07_020022: true
+rhel_07_020023: true
 rhel_07_020030: true
 # Send AIDE reports as mail notifications - Disabled by default as this is a non-ideal way to do notifications
 rhel_07_020040: "{{ rhel7stig_disruption_high }}"
@@ -355,8 +360,9 @@ rhel_07_020020_selinux_change_users: true
 rhel_07_020020_HBSS_path: /opt/McAfee/Agent/bin
 rhel_07_020020_HIPS_path: /opt/McAfee/Agent/bin
 rhel_07_020020_selinux_ldap_maps: false
-rhel_07_020020_selinux_local_interactive_admin_group: wheel
+# rhel_07_020020_selinux_local_interactive_admin_group: wheel
 rhel_07_020020_selinux_local_interactive_users_group: users
+rhel_07_020020_selinux_local_interactive_staff_group: staff
 
 # RHEL-07-020710
 # Set standard user paths here
@@ -545,6 +551,14 @@ rhel7stig_password_complexity:
     maxclassrepeat: 4
     minlen: 15
 
+# RHEL-07-020022
+# rhel7stig_ssh_sysadm_login_state is the state for the ssh_sysadmin_login boolean. 
+# The value False will set the value to off, which does not allow privileged accounts to utilize SSH
+# The value True will set the value to on, which allows privileged accounts to utilize SSH
+# To confrom to STIG requirements use the value of false
+# If set to True this needs to be documented with your ISSO as an operational requirement to be STIG compliant
+rhel7stig_ssh_sysadm_login_state: false
+
 # RHEL-07-040160
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. (60 seconds * 15 = 600)
@@ -754,5 +768,3 @@ audit_results: |
       The pre remediation results are: {{ pre_audit_summary }}.
       The post remediation results are: {{ post_audit_summary }}.
       Full breakdown can be found in {{ audit_out_dir }}
-
-

tasks/audit_selinuxlocaluserdefs.yml

@@ -10,10 +10,10 @@
   tags:
       - RHEL-07-020020
 
-# find the local interactive users
+# find the local interactive staff
 - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
-  shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_users_group }}/ {print $4;}' /etc/group | tr ',' '\n'"
-  register: rhel_07_020020_local_interactive_users
+  shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_staff_group }}/ {print $4;}' /etc/group | tr ',' '\n'"
+  register: rhel_07_020020_local_interactive_staff
   when:
       - rhel_07_020020
       - rhel7stig_disruption_high
@@ -23,11 +23,11 @@
 
 - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
   debug:
-      msg: "WARNING: There are no users configured to be part of the specified local interactive uesr group {{ rhel_07_020020_selinux_local_interactive_users_group }}. You must configure this group to satisfy requirements of this control."
+      msg: "WARNING: There are no users configured to be part of the specified local interactive staff group {{ rhel_07_020020_selinux_local_interactive_staff_group }}. You must configure this group to satisfy requirements of this control."
   changed_when:
       - rhel7stig_audit_complex
   when:
-      - not rhel_07_020020_local_interactive_users.stdout_lines | length > 0
+      - not rhel_07_020020_local_interactive_staff.stdout_lines | length > 0
       - rhel_07_020020
       - rhel7stig_disruption_high
       - rhel7stig_audit_disruptive
@@ -37,19 +37,19 @@
 - name: "MEDIUM | RHEL-07-020020 | PATCH | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
   shell: semanage login -m -s user_u "{{ item }}"
   with_items:
-      - "{{ rhel_07_020020_local_interactive_users.stdout_lines }}"
+      - "{{ rhel_07_020020_local_interactive_staff.stdout_lines }}"
   when:
-      - rhel_07_020020_local_interactive_users.stdout_lines | length > 0
+      - rhel_07_020020_local_interactive_staff.stdout_lines | length > 0
       - rhel_07_020020
       - rhel7stig_disruption_high
       - rhel7stig_audit_disruptive
   tags:
       - RHEL-07-020020
 
-# find the local interactive admins
+# find the local interactive users
 - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
-  shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_admin_group }}/ {print $4;}' /etc/group | tr ',' '\n'"
-  register: rhel_07_020020_local_interactive_admins
+  shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_users_group }}/ {print $4;}' /etc/group | tr ',' '\n'"
+  register: rhel_07_020020_local_interactive_users
   when:
       - rhel_07_020020
       - rhel7stig_disruption_high
@@ -59,7 +59,7 @@
 
 - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
   debug:
-      msg: "WARNING: There are no users configured to be part of the specified local interactive admin group {{ rhel_07_020020_selinux_local_interactive_admin_group }}. You must configure this group to satisfy requirements of this control."
+      msg: "WARNING: There are no users configured to be part of the specified local interactive user group {{ rhel_07_020020_selinux_local_interactive_users_group }}. You must configure this group to satisfy requirements of this control."
   changed_when:
       - rhel7stig_audit_complex
   when:
@@ -71,13 +71,14 @@
       - RHEL-07-020020
 
 - name: "MEDIUM | RHEL-07-020020 | PATCH | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
-  shell: semanage login -m -s sysadm_u "{{ item }}"
+  shell: semanage login -m -s user_u "{{ item }}"
   with_items:
-      - "{{ rhel_07_020020_local_interactive_admins.stdout_lines }}"
+      - "{{ rhel_07_020020_local_interactive_users.stdout_lines }}"
   when:
       - rhel_07_020020_local_interactive_users.stdout_lines | length > 0
       - rhel_07_020020
       - rhel7stig_disruption_high
       - rhel7stig_audit_disruptive
   tags:
       - RHEL-07-020020
+

tasks/fix-cat1.yml

@@ -161,40 +161,40 @@
       - SV-204433r603261_rule
       - V-204433
 
-- name: |
-    "HIGH | RHEL-07-010480 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
-    "HIGH | RHEL-07-010490 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
-  lineinfile:
-      dest: /etc/grub.d/40_custom
-      insertafter: EOF
-      regexp: "{{ item.regex }}"
-      line: "{{ item.line }}"
-  with_items:
-      - regexp: ^\s*set superusers=
-        line: '    set superusers="root"'
-      - regexp: ^password_pbkdf2
-        line: "^password_pbkdf2 {{ rhel7stig_boot_superuser }} {{ rhel7stig_bootloader_password_hash }}"
-  no_log: true
-  notify:
-      - make grub2 config
-  when:
-      - rhel_07_010480 or
-        rhel_07_010490
-      - ansible_distribution_version is version_compare('7.2', '<')
-  tags:
-      - CAT1
-      - RHEL-07-010480
-      - CCI-000213
-      - SRG-OS-000080-GPOS-00048
-      - SV-204436r603261_rule
-      - V-204436
-      - RHEL-07-010490
-      - CCI-000213
-      - SRG-OS-000080-GPOS-00048
-      - SV-204439r603261_rule
-      - V-204439
-      - grub
-      - bootloader
+# - name: |
+#     "HIGH | RHEL-07-010480 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
+#     "HIGH | RHEL-07-010490 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."
+#   lineinfile:
+#       dest: /etc/grub.d/40_custom
+#       insertafter: EOF
+#       regexp: "{{ item.regex }}"
+#       line: "{{ item.line }}"
+#   with_items:
+#       - regexp: ^\s*set superusers=
+#         line: '    set superusers="root"'
+#       - regexp: ^password_pbkdf2
+#         line: "^password_pbkdf2 {{ rhel7stig_boot_superuser }} {{ rhel7stig_bootloader_password_hash }}"
+#   no_log: true
+#   notify:
+#       - make grub2 config
+#   when:
+#       - rhel_07_010480 or
+#         rhel_07_010490
+#       - ansible_distribution_version is version_compare('7.2', '<')
+#   tags:
+#       - CAT1
+#       - RHEL-07-010480
+#       - CCI-000213
+#       - SRG-OS-000080-GPOS-00048
+#       - SV-204436r603261_rule
+#       - V-204436
+#       - RHEL-07-010490
+#       - CCI-000213
+#       - SRG-OS-000080-GPOS-00048
+#       - SV-204439r603261_rule
+#       - V-204439
+#       - grub
+#       - bootloader
 
 - name: |
     "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."
@@ -497,6 +497,7 @@
                   value: UUID={{ item.uuid }}
                   insert: yes
               when:
+                  - rhel7stig_boot_part not in ['/', '']
                   - not ansible_check_mode or
                     rhel7_stig_grub_template is not changed
               notify: confirm grub2 user cfg