From c8c423497c43f0a14da9d9f2661418b7ff383fd0 Mon Sep 17 00:00:00 2001 From: Greg Shepherd Date: Mon, 22 Nov 2021 17:08:14 -0700 Subject: [PATCH 01/18] Syslog format by default Use syslog format for one line per timestamp for better external logger support (i.e. Splunk) Signed-off-by: Gregory Shepherd --- templates/aide.conf.j2 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2 index fb6aa8f9..816a3c65 100644 --- a/templates/aide.conf.j2 +++ b/templates/aide.conf.j2 @@ -17,8 +17,11 @@ gzip_dbout=yes # Default. verbose=5 -report_url=file:@@{LOGDIR}/aide.log -report_url=stdout +# One line per timestamp for better external logger support +syslog_format = true +report_url=syslog:LOG_AUTH +#report_url=file:@@{LOGDIR}/aide.log +#report_url=stdout #report_url=stderr #NOT IMPLEMENTED report_url=mailto:root@foo.com #NOT IMPLEMENTED report_url=syslog:LOG_AUTH @@ -309,4 +312,4 @@ DATAONLY = FIPSR #=/home DIR # Ditto /var/log/sa/ same reason... -!/var/log/httpd/ \ No newline at end of file +!/var/log/httpd/ From e99ad725a328b1270e9f405122e669170cc32dbe Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 13 Dec 2021 08:37:02 -0500 Subject: [PATCH 02/18] Updated README Signed-off-by: George Nalen --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7d8a8729..e6d5c160 100644 --- a/README.md +++ b/README.md 
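Review bot: The new `report_url=syslog:LOG_AUTH` contradicts the context line `#NOT IMPLEMENTED report_url=syslog:LOG_AUTH` that this hunk keeps two lines below it, so the file now both enables syslog reporting and claims it is unimplemented; that stale comment line should be deleted in the same change. `syslog_format = true` is also the only key in the hunk written with spaces around `=`, where every neighbouring line uses `key=value`; `syslog_format=true` keeps the file consistent. Because the `file:` and `stdout` urls are now commented out, no local copy of the AIDE report is kept any more and only what syslog forwards survives; a comment such as `# Report goes to syslog only; re-enable the file: url below if a local copy is required` would make that intent explicit.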
@@ -7,7 +7,7 @@ RHEL 7 DISA STIG Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`. -This role is based on RHEL 7 DISA STIG: [Version 3, Rel 4 released on Jul 23, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R4_STIG.zip). +This role is based on RHEL 7 DISA STIG: [Version 3, Rel 5 released on Oct 27, 2021](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R5_STIG.zip). Updating -------- From e3ea80ca1da0978c2c77d9cfecdeb3913e8cfcf5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Dec 2021 09:45:20 +0000 Subject: [PATCH 03/18] updated for audit Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 -- templates/ansible_vars_goss.yml.j2 | 12 ++++-------- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 817711b5..f388505e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -754,5 +754,3 @@ audit_results: | The pre remediation results are: {{ pre_audit_summary }}. The post remediation results are: {{ post_audit_summary }}. Full breakdown can be found in {{ audit_out_dir }} - - diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 6a3ad4b9..bad401d3 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -1,17 +1,13 @@ ## metadata for Audit benchmark -rhel7stig_benchmark: -- "type: STIG" -- "version: '3.3'" -- "os: RHEL 7" -- "epoch: {{ ansible_date_time.epoch }}" -- "hostname: {{ ansible_hostname }}" +benchmark_version: '3.5' + +# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS +is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} ### Variables for for stig options run_heavy_tests: {{ audit_run_heavy_tests }} timeout_ms: {{ audit_cmd_timeout }} -rhel7stig_os_distribution: {{ ansible_distribution | lower }} - # If running on RHEL7 <= 7.2 rhel7stig_legacyOS: {% if ansible_distribution_version > '7.2' %} false {% else %} true {% endif %} From 32be591a7019938a9810a2d461b3725531d13160 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Dec 2021 10:21:21 +0000 Subject: [PATCH 04/18] removed as no longer required Signed-off-by: Mark Bolwell --- library/goss.py | 147 ------------------------------------------------ 1 file changed, 147 deletions(-) delete mode 100644 library/goss.py diff --git a/library/goss.py b/library/goss.py deleted file mode 100644 index d4dfbc7e..00000000 --- a/library/goss.py +++ /dev/null 
@@ -1,147 +0,0 @@ -#!/usr/bin/env python -# FROM: https://github.com/indusbox/goss-ansible -import os -from ansible.module_utils.basic import * - -DOCUMENTATION = ''' ---- -module: goss -author: Mathieu Corbin -short_description: Launch goss (https://github.com/aelsabbahy/goss) tests -description: - - Launch goss tests. - This module always returns `changed = false` for idempotence. -options: - path: - required: true - description: - - Test file to validate. - The test file must be on the remote machine. - goss_path: - required: false - description: - - Path location for the goss executable. - Default is "goss" (ie.`no absolute path, goss executable must be available in $PATH). - vars_path: - required: false - description: - - Path location for a variables YAML/JSON file to use as templating inputs. - format: - required: false - description: - - Output goss format. - Goss format list : goss v --format => [documentation json junit nagios nagios_verbose rspecish tap silent]. - Default is "rspecish". 
- output_file: - required: false - description: - - Save the result of the goss command in a file whose path is output_file -examples: - - name: run goss against the gossfile /path/to/file.yml - goss: - path: "/path/to/file.yml" - - name: run goss against the gossfile /path/to/file.yml with nagios output - goss: - path: "/path/to/file.yml" - format: "nagios" - - name: run /usr/local/bin/goss against the gossfile /path/to/file.yml - goss: - path: "/path/to/file.yml" - goss_path: "/usr/local/bin/goss" - - name: run /usr/local/bin/goss with a variables file - goss: - vars_path: "/path/to/file.yml" - - name: run goss against multiple gossfiles and write the result in JSON format to /my/output/ for each file - goss: - path: "{{ item }}" - format: json - output_file : /my/output/{{ item }} - with_items: "{{ goss_files }}" -''' - - -# launch goss validate command on the file -def check(module, test_file_path, output_format, goss_path, vars_path): - cmd = "{0} --gossfile {1}".format(goss_path, test_file_path) - # goss parent command flags - if vars_path is not None: - cmd += " --vars {0}".format(vars_path) - - # validate sub-command flags - cmd += " validate" - if output_format is not None: - cmd += " --format {0}".format(output_format) - - return module.run_command(cmd) - - -# write goss result to output_file_path -def output_file(output_file_path, out): - if output_file_path is not None: - with open(output_file_path, 'w') as output_file: - output_file.write(out) - - -def main(): - module = AnsibleModule( - argument_spec=dict( - path=dict(required=True, type='str'), - format=dict(required=False, type='str'), - output_file=dict(required=False, type='str'), - vars_path=dict(required=False, type='str'), - goss_path=dict(required=False, default='goss', type='str'), - ), - supports_check_mode=False - ) - - test_file_path = module.params['path'] # test file path - output_format = module.params['format'] # goss output format - output_file_path = module.params['output_file'] - 
goss_path = module.params['goss_path'] - vars_path = module.params['vars_path'] - - if test_file_path is None: - module.fail_json(msg="test file path is null") - - test_file_path = os.path.expanduser(test_file_path) - - # test if access to test file is ok - if not os.access(test_file_path, os.R_OK): - module.fail_json(msg="Test file %s not readable" % (test_file_path)) - - # test if test file is not a dir - if os.path.isdir(test_file_path): - module.fail_json(msg="Test file must be a file ! : %s" % (test_file_path)) - - (rc, out, err) = check(module, test_file_path, output_format, goss_path, vars_path) - - if output_file_path is not None: - output_file_path = os.path.expanduser(output_file_path) - # check if output_file is a file - if output_file_path.endswith(os.sep): - module.fail_json(msg="output_file must be a file. Actually : %s " - % (output_file_path)) - - output_dirname = os.path.dirname(output_file_path) - - # check if output directory exists - if not os.path.exists(output_dirname): - module.fail_json(msg="directory %s does not exists" % (output_dirname)) - - # check if writable - if not os.access(os.path.dirname(output_file_path), os.W_OK): - module.fail_json(msg="Destination %s not writable" % (os.path.dirname(output_file_path))) - # write goss result on the output file - output_file(output_file_path, out) - - if rc is not None and rc != 0: - error_msg = "err : {0} ; out : {1}".format(err, out) - module.fail_json(msg=error_msg) - - result = {} - result['stdout'] = out - result['changed'] = False - - module.exit_json(**result) - -main() \ No newline at end of file From b3fc07830d6c0b00ab627d805fabd63b48a093a3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Dec 2021 10:21:34 +0000 Subject: [PATCH 05/18] Added new controls Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index f388505e..04a122f4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -152,6 +152,9 @@ rhel_07_010492: true rhel_07_010500: true rhel_07_020019: true rhel_07_020020: true +rhel_07_020021: true +rhel_07_020022: true +rhel_07_020023: true rhel_07_020030: true # Send AIDE reports as mail notifications - Disabled by default as this is a non-ideal way to do notifications rhel_07_020040: "{{ rhel7stig_disruption_high }}" From 0e90ef9c3c220c1429a93d24f53ad78fbf631d86 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Dec 2021 10:21:57 +0000 Subject: [PATCH 06/18] new controls Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index bad401d3..282f0559 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -101,6 +101,9 @@ RHEL_07_010492: {{ rhel_07_010492 }} RHEL_07_010500: {{ rhel_07_010500 }} RHEL_07_020019: {{ rhel_07_020019 }} RHEL_07_020020: {{ rhel_07_020020 }} +RHEL_07_020021: {{ rhel_07_020021 }} +RHEL_07_020022: {{ rhel_07_020022 }} +RHEL_07_020023: {{ rhel_07_020023 }} RHEL_07_020030: {{ rhel_07_020030 }} RHEL_07_020040: {{ rhel_07_020040 }} # see rhel7stig_notify_command RHEL_07_020100: {{ rhel_07_020100 }} From 0898d4b518a23977b90bfd7a891aa15835ff73a5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Dec 2021 10:22:11 +0000 Subject: [PATCH 07/18] updated to use run_audit script Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 12 +++--------- tasks/pre_remediation_audit.yml | 12 +++--------- 2 files changed, 6 insertions(+), 18 deletions(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 9e65e237..17ef3f87 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -1,15 +1,9 @@ --- - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - goss: - goss_path: "{{ audit_bin }}" - path: "{{ audit_control_file }}" - vars_path: "{{ audit_vars_path }}" - format: "{{ audit_format }}" - output_file: "{{ post_audit_outfile }}" - failed_when: false - environment: - GOSS_FMT_OPTIONS: Pretty + shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + vars: + warn: false - name: Post Audit | ensure audit files readable by users file: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 8d75ee39..51b3e2e5 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -78,15 +78,9 @@ - goss_template - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - goss: - goss_path: "{{ audit_bin }}" - path: "{{ audit_control_file }}" - vars_path: "{{ audit_vars_path }}" - format: "{{ audit_format }}" - output_file: "{{ pre_audit_outfile }}" - failed_when: false - environment: - GOSS_FMT_OPTIONS: Pretty + shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + vars: + warn: false - name: Pre Audit | Capture audit data if json format block: From d9c59f10885f3ebd3d06b8c11ace2e90c12e69af Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Dec 2021 13:30:26 +0000 Subject: [PATCH 08/18] Added attributes file Signed-off-by: Mark Bolwell --- .gitattributes | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 00000000..b2daffb9 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,6 @@ +# adding github settings to show correct language +*.sh linguist-detectable=true +*.yml linguist-detectable=true +*.ps1 linguist-detectable=true +*.j2 linguist-detectable=true +*.md linguist-documentation From 3dd3a5e127de5cfcc718a23c92ac28bbbcfee269 Mon Sep 17 00:00:00 2001 
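Review bot: `{{ group_names }}` is a list, so the new `shell:` line renders it as a Python literal (something like `['grp1', 'grp2']`, constructed example) and the brackets, quotes and comma land in the argv of run_audit.sh; unless the script expects exactly that, pass `-g {{ group_names | join(',') | quote }}`, and `| quote` the other substituted values too since the whole line is shell-parsed. The replaced task carried `failed_when: false`, so a non-zero exit from the audit never stopped the play; with the shell task that guard is gone and a failing pre-audit now aborts before any remediation runs, so restore `failed_when: false` unless stopping is intended. `warn` is an argument of the `shell` module rather than a task variable, so as far as I can tell `vars: warn: false` is inert; the usual spelling is `args: { warn: false }`. The same three issues apply to the tasks/pre_remediation_audit.yml hunk that follows.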
From: George Nalen Date: Fri, 17 Dec 2021 13:21:48 -0500 Subject: [PATCH 09/18] Updated controls Signed-off-by: George Nalen --- defaults/main.yml | 20 +++- tasks/audit_selinuxlocaluserdefs.yml | 27 +++--- tasks/fix-cat1.yml | 68 +++++++------- tasks/fix-cat2.yml | 132 +++++++++++++++++++++------ 4 files changed, 168 insertions(+), 79 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 817711b5..1b23ffc4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -80,9 +80,11 @@ rhel_07_010290: true rhel_07_010300: true rhel_07_010440: true rhel_07_010450: true -rhel_07_010480: true +# possibly removed +# rhel_07_010480: true rhel_07_010482: true -rhel_07_010490: true +# possibly removed +# rhel_07_010490: true rhel_07_010491: true rhel_07_020000: true rhel_07_020010: true @@ -152,6 +154,9 @@ rhel_07_010492: true rhel_07_010500: true rhel_07_020019: true rhel_07_020020: true +rhel_07_020021: true +rhel_07_020022: true +rhel_07_020023: true rhel_07_020030: true # Send AIDE reports as mail notifications - Disabled by default as this is a non-ideal way to do notifications rhel_07_020040: "{{ rhel7stig_disruption_high }}" @@ -355,8 +360,9 @@ rhel_07_020020_selinux_change_users: true rhel_07_020020_HBSS_path: /opt/McAfee/Agent/bin rhel_07_020020_HIPS_path: /opt/McAfee/Agent/bin rhel_07_020020_selinux_ldap_maps: false -rhel_07_020020_selinux_local_interactive_admin_group: wheel +# rhel_07_020020_selinux_local_interactive_admin_group: wheel rhel_07_020020_selinux_local_interactive_users_group: users +rhel_07_020020_selinux_local_interactive_staff_group: staff # RHEL-07-020710 # Set standard user paths here 
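Review bot: Commenting out `rhel_07_010480` and `rhel_07_010490` leaves them referenced by tasks/main.yml and tasks/prelim.yml (the `when:` lists that PATCH 11/18 later rewrites still read `rhel_07_010480 or ... rhel_07_010490 or ...` at this point in the series), so at this commit those conditionals fail on an undefined variable; squash or reorder the two patches so the role stays runnable at every step. The `# possibly removed` marker records uncertainty rather than a decision; if the rules were dropped in the STIG release this series targets, say so, e.g. `# Removed from the STIG; replaced by the rhel_07_010481/rhel_07_010483 gates`, and otherwise keep the flags defined as `false` so inventories that still set them keep working.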
@@ -545,6 +551,14 @@ rhel7stig_password_complexity: maxclassrepeat: 4 minlen: 15 +# RHEL-07-020022 +# rhel7stig_ssh_sysadm_login_state is the state for the ssh_sysadmin_login boolean. +# The value False will set the value to off, which does not allow privileged accounts to utilize SSH +# The value True will set the value to on, which allows privileged accounts to utilize SSH +# To confrom to STIG requirements use the value of false +# If set to True this needs to be documented with your ISSO as an operational requirement to be STIG compliant +rhel7stig_ssh_sysadm_login_state: false + # RHEL-07-040160 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 15 = 600) diff --git a/tasks/audit_selinuxlocaluserdefs.yml b/tasks/audit_selinuxlocaluserdefs.yml index ec084402..1a0cb921 100644 --- a/tasks/audit_selinuxlocaluserdefs.yml +++ b/tasks/audit_selinuxlocaluserdefs.yml @@ -10,10 +10,10 @@ tags: - RHEL-07-020020 -# find the local interactive users +# find the local interactive staff - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_users_group }}/ {print $4;}' /etc/group | tr ',' '\n'" - register: rhel_07_020020_local_interactive_users + shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_staff_group }}/ {print $4;}' /etc/group | tr ',' '\n'" + register: rhel_07_020020_local_interactive_staff when: - rhel_07_020020 - rhel7stig_disruption_high 
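Review bot: The comment block above `rhel7stig_ssh_sysadm_login_state` has a typo (`confrom` should be `conform`) and says the value is set "to off"/"to on" without naming what is set; since the fix-cat2.yml hunk in this commit feeds it to `seboolean: ssh_sysadm_login` behind `rhel_07_020022`, the comment should name both, e.g. `# Applied by RHEL-07-020022 via seboolean ssh_sysadm_login, only when rhel_07_020022 is true`. The `rhel_07_020020_HBSS_path` and `rhel_07_020020_HIPS_path` defaults visible as context in the middle hunk also appear to be unread once fix-cat2.yml drops the two `stat` tasks; remove them or mark them unused.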
@@ -23,11 +23,11 @@ - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." debug: - msg: "WARNING: There are no users configured to be part of the specified local interactive uesr group {{ rhel_07_020020_selinux_local_interactive_users_group }}. You must configure this group to satisfy requirements of this control." + msg: "WARNING: There are no users configured to be part of the specified local interactive staff group {{ rhel_07_020020_selinux_local_interactive_staff_group }}. You must configure this group to satisfy requirements of this control." changed_when: - rhel7stig_audit_complex when: - - not rhel_07_020020_local_interactive_users.stdout_lines | length > 0 + - not rhel_07_020020_local_interactive_staff.stdout_lines | length > 0 - rhel_07_020020 - rhel7stig_disruption_high - rhel7stig_audit_disruptive 
@@ -37,19 +37,19 @@ - name: "MEDIUM | RHEL-07-020020 | PATCH | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." shell: semanage login -m -s user_u "{{ item }}" with_items: - - "{{ rhel_07_020020_local_interactive_users.stdout_lines }}" + - "{{ rhel_07_020020_local_interactive_staff.stdout_lines }}" when: - - rhel_07_020020_local_interactive_users.stdout_lines | length > 0 + - rhel_07_020020_local_interactive_staff.stdout_lines | length > 0 - rhel_07_020020 - rhel7stig_disruption_high - rhel7stig_audit_disruptive tags: - RHEL-07-020020 -# find the local interactive admins +# find the local interactive users - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_admin_group }}/ {print $4;}' /etc/group | tr ',' '\n'" - register: rhel_07_020020_local_interactive_admins + shell: "awk -F: '/^{{ rhel_07_020020_selinux_local_interactive_users_group }}/ {print $4;}' /etc/group | tr ',' '\n'" + register: rhel_07_020020_local_interactive_users when: - rhel_07_020020 - rhel7stig_disruption_high 
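Review bot: After this rename both PATCH tasks in the file run `semanage login -m -s user_u`; the kept context line at the top of this hunk now applies to `rhel_07_020020_local_interactive_staff.stdout_lines`, so members of the staff group get the same unprivileged `user_u` mapping as ordinary users, which contradicts the "administrators are mapped to staff_u" guidance the fix-cat2.yml hunk in this same commit prints — the staff task presumably wants `-s staff_u`. The awk pattern `/^{{ rhel_07_020020_selinux_local_interactive_users_group }}/` here, and its staff counterpart in the first hunk, is only left-anchored, so a group named `users` also matches `users2`; `/^{{ ... }}:/` pins the whole name. Note also that the fix-cat2.yml hunk removes the `include_tasks: audit_selinuxlocaluserdefs.yml` that, as far as this series shows, was the only reference to this file, so these edits are unreachable unless the include returns.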
@@ -59,7 +59,7 @@ - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." debug: - msg: "WARNING: There are no users configured to be part of the specified local interactive admin group {{ rhel_07_020020_selinux_local_interactive_admin_group }}. You must configure this group to satisfy requirements of this control." + msg: "WARNING: There are no users configured to be part of the specified local interactive user group {{ rhel_07_020020_selinux_local_interactive_users_group }}. You must configure this group to satisfy requirements of this control." changed_when: - rhel7stig_audit_complex when: @@ -71,9 +71,9 @@ - RHEL-07-020020 - name: "MEDIUM | RHEL-07-020020 | PATCH | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - shell: semanage login -m -s sysadm_u "{{ item }}" + shell: semanage login -m -s user_u "{{ item }}" with_items: - - "{{ rhel_07_020020_local_interactive_admins.stdout_lines }}" + - "{{ rhel_07_020020_local_interactive_users.stdout_lines }}" when: - rhel_07_020020_local_interactive_users.stdout_lines | length > 0 - rhel_07_020020 @@ -81,3 +81,4 @@ - rhel7stig_audit_disruptive tags: - RHEL-07-020020 + diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 472c83ef..5cae61da 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -161,40 +161,40 @@ - SV-204433r603261_rule - V-204433 -- name: | - "HIGH | RHEL-07-010480 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." - "HIGH | RHEL-07-010490 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." - lineinfile: - dest: /etc/grub.d/40_custom - insertafter: EOF - regexp: "{{ item.regex }}" - line: "{{ item.line }}" - with_items: - - regexp: ^\s*set superusers= - line: ' set superusers="root"' - - regexp: ^password_pbkdf2 - line: "^password_pbkdf2 {{ rhel7stig_boot_superuser }} {{ rhel7stig_bootloader_password_hash }}" - no_log: true - notify: - - make grub2 config - when: - - rhel_07_010480 or - rhel_07_010490 - - ansible_distribution_version is version_compare('7.2', '<') - tags: - - CAT1 - - RHEL-07-010480 - - CCI-000213 - - SRG-OS-000080-GPOS-00048 - - SV-204436r603261_rule - - V-204436 - - RHEL-07-010490 - - CCI-000213 - - SRG-OS-000080-GPOS-00048 - - SV-204439r603261_rule - - V-204439 - - grub - - bootloader +# - name: | +# "HIGH | RHEL-07-010480 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." +# "HIGH | RHEL-07-010490 | PATCH | Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes." 
+# lineinfile: +# dest: /etc/grub.d/40_custom +# insertafter: EOF +# regexp: "{{ item.regex }}" +# line: "{{ item.line }}" +# with_items: +# - regexp: ^\s*set superusers= +# line: ' set superusers="root"' +# - regexp: ^password_pbkdf2 +# line: "^password_pbkdf2 {{ rhel7stig_boot_superuser }} {{ rhel7stig_bootloader_password_hash }}" +# no_log: true +# notify: +# - make grub2 config +# when: +# - rhel_07_010480 or +# rhel_07_010490 +# - ansible_distribution_version is version_compare('7.2', '<') +# tags: +# - CAT1 +# - RHEL-07-010480 +# - CCI-000213 +# - SRG-OS-000080-GPOS-00048 +# - SV-204436r603261_rule +# - V-204436 +# - RHEL-07-010490 +# - CCI-000213 +# - SRG-OS-000080-GPOS-00048 +# - SV-204439r603261_rule +# - V-204439 +# - grub +# - bootloader - name: | "HIGH | RHEL-07-010482 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes." diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2cccec05..8cd5a41a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
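Review bot: Thirty-odd lines of a task are commented out rather than deleted, leaving a dead block that linters skip and readers must still parse; git history already preserves it, so delete the task (the defaults hunk in this commit treats the two rules as removed anyway). If it must stay for now, a one-line reason above it is needed, e.g. `# RHEL-07-010480/010490 (pre-7.2 grub password) kept pending confirmation of their removal from the STIG`. Worth recording before anyone revives it: the commented `line: "^password_pbkdf2 …"` would write a literal caret into /etc/grub.d/40_custom, so the block is not safe to simply uncomment.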
@@ -880,12 +880,9 @@ notify: - make grub2 config with_items: - - regexp: ^\s*set superusers= - line: ' set superusers="{{ rhel7stig_grub_superusers }}"' - - regexp: ^\s*export superusers - line: ' export superusers' - - regexp: ^\s*password_pbkdf2 - line: ' password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' + - { regexp: '^\s*set superusers=', line: ' set superusers="{{ rhel7stig_grub_superusers }}"' } + - { regexp: '^\s*export superusers', line: ' export superusers'} + - { regexp: '^\s*password_pbkdf2', line: ' password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' } when: not rhel7stig_machine_uses_uefi - name: "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Set grub unique name UEFI" @@ -896,12 +893,9 @@ notify: - make grub2 config with_items: - - regexp: ^\s*set superusers= - line: ' set superusers="{{ rhel7stig_grub_superusers }}"' - - regexp: ^\s*export superusers - line: ' export superusers' - - regexp: ^\s*password_pbkdf2 - line: ' password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' + - { regexp: '^\s*set superusers=', line: ' set superusers="{{ rhel7stig_grub_superusers }}"' } + - { regexp: '^\s*export superusers', line: ' export superusers' } + - { regexp: '^\s*password_pbkdf2', line: ' password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' } when: rhel7stig_machine_uses_uefi when: - rhel_07_010483 or 
@@ -998,28 +992,31 @@ # ######### 20000 ########### # ############################## -- name: "MEDIUM | RHEL-07-020020 | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." +# This control should be manually implemented +- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." block: - # is a HBSS installed? - - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - stat: - path: "{{ rhel_07_020020_HBSS_path }}" - register: rhel_07_020020_HBSS_check + - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users" + shell: semanage login -l + changed_when: false + failed_when: false + register: rhel_07_020020_sel_auth_users - # is a HIPS installed? - - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." 
- stat: - path: "{{ rhel_07_020020_HIPS_path }}" - register: rhel_07_020020_HIPS_check + - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users" + debug: + msg: + - "Warning! Below is your SELinux user/group list. Please review and make sure all of the following are met:" + - "1) All administrators are mapped to staff_u or an appropriately tailored confined SELinux user as defined by the organization" + - "2) All authorized non-administrative users must be mapped to the user_u SELinux user" + - "{{ rhel_07_020020_sel_auth_users.stdout_lines }}" + when: rhel_07_020020_sel_auth_users.stdout | length > 0 - # This is an include to conditionally loop through users to selinux mappings - - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures." - include_tasks: audit_selinuxlocaluserdefs.yml - when: not rhel_07_020020_HBSS_check.stat.exists and not rhel_07_020020_HIPS_check.stat.exists + - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed" + debug: + msg: + - "Alert! You do not have semanage installed! Please installed the needed packages" + when: "'command not found' in rhel_07_020020_sel_auth_users.stderr" when: - rhel_07_020020 - - rhel7stig_disruption_high - - rhel7stig_audit_disruptive tags: - RHEL-07-020020 - CAT2 
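Review bot: Detecting a missing `semanage` with `'command not found' in rhel_07_020020_sel_auth_users.stderr` is fragile: the text depends on the shell and locale, and with `failed_when: false` any other failure (for example when not run as root) is dropped without any warning. Checking `rhel_07_020020_sel_auth_users.rc == 127` for the missing binary and reporting any other non-zero `rc` would be more reliable; the same pattern is repeated in the RHEL-07-020021 task in the next hunk. The removed `include_tasks: audit_selinuxlocaluserdefs.yml` was, as far as this series shows, the only reference to that file, yet the same commit still edits it; either keep the include behind the disruption flags or drop the file. The new `# This control should be manually implemented` comment would be more useful stating what the operator must do, e.g. `# Audit only: mapping local users with semanage login is left to the operator`.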
@@ -4213,3 +4210,80 @@ - SV-237635r646856_rule - V-237635 - sudo + +- name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege." + block: + - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Get SELinux Role mappings" + shell: semanage user -l + changed_when: false + failed_when: false + register: rhel_07_020021_sel_role_mappings + + - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Show SELinux Role mappings" + debug: + msg: "Warning! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings" + when: rhel_07_020021_sel_role_mappings.stdout | length > 0 + + - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Alert that semanage is not installed" + debug: + msg: "Alert! You do not have semanage installed! Please installed the needed packages" + when: "'command not found' in rhel_07_020021_sel_role_mappings.stderr" + when: + - rhel_07_020021 + tags: + - RHEL-07-020021 + - CAT2 + - CCI-002165 + - CCI-002235 + - SRG-OS-000324-GPOS-00125 + - SV-250312r792843_rule + - V-250312 + +- name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH." 
+ seboolean: + name: ssh_sysadm_login + persistent: true + state: "{{ rhel7stig_ssh_sysadm_login_state }}" + when: + - rhel_07_020022 + tags: + - RHEL-07-020022 + - CAT2 + - CCI-002165 + - CI-002235 + - SRG-OS-000324-GPOS-00125 + - SV-250313r792846_rule + - V-250313 + +- name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" + block: + - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command | Get sysadm_r sudoers status" + shell: grep -s sysadm_r /etc/sudoers.d/* /etc/sudoers + changed_when: false + failed_when: false + register: rhel_07_020023_sel_admin_sudo_status + + - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" + debug: + msg: + - "Warning! Below is your sysadm_r settings in your sudoers file." + - "Please review to confirm a designated sudoers admin group or account(s) is not configured to eleveate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Display if entry exists" + - "{{ rhel_07_020023_sel_admin_sudo_status.stdout_lines }}" + when: rhel_07_020023_sel_admin_sudo_status.stdout | length > 0 + + - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command" + debug: + msg: + - "Alert! 
You do not have sysadm_r configured in your sudoers file(s_" + - "Please configure to designate sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Alert that on entry exists" + when: rhel_07_020023_sel_admin_sudo_status.stdout | length == 0 + when: + - rhel_07_020023 + tags: + - RHEL-07-020023 + - CAT2 + - CCI-002165 + - CCI-002235 + - SRG-OS-000324-GPOS-00125 + - SV-250314r792849_rule + - V-250314 \ No newline at end of file From ba99f0ec0662d84f900a39b5bc25eeccc3c169a9 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 17 Dec 2021 13:26:45 -0500 Subject: [PATCH 10/18] added blank line at end of fix-cat2.yml Signed-off-by: George Nalen --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8cd5a41a..0e4f3a2a 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -4286,4 +4286,4 @@ - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-250314r792849_rule - - V-250314 \ No newline at end of file + - V-250314 From b0a486c9606248bd126790287e8057613ca1a97c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Dec 2021 09:21:02 +0000 Subject: [PATCH 11/18] removed older controls Signed-off-by: Mark Bolwell --- tasks/main.yml | 8 ++++---- tasks/prelim.yml | 16 ++++++++-------- templates/ansible_vars_goss.yml.j2 | 2 -- 3 files changed, 12 insertions(+), 14 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index b7f651bb..ea57957c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
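Review bot: The RHEL-07-020021 "Show SELinux Role mappings" task prints only the fixed warning sentence and never includes `rhel_07_020021_sel_role_mappings.stdout_lines`, so the operator is told to review mappings that are not shown; make `msg:` a list as the 020020 and 020023 tasks do and append `- "{{ rhel_07_020021_sel_role_mappings.stdout_lines }}"`. The 020022 tag `- CI-002235` is missing a C (`CCI-002235`, as the neighbouring controls spell it), which breaks `--tags CCI-002235` selection. In the 020023 messages, `file(s_` and `eleveate` are typos, `Please installed` should be `Please install`, and the `| Display if entry exists` / `| Alert that on entry exists` suffixes look like task-name fragments that ended up inside the user-facing `msg` strings. Both 020023 messages also say the admin group "is not configured to elevate the SELinux type and role to sysadm_t and sysadm_r", which appears to invert the requirement in the task's own name (the context must be elevated on sudo); reword them to state the configuration that is expected.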
@@ -34,14 +34,14 @@
 that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
 msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set"
 when:
- - rhel_07_010480 or
- rhel_07_010490 or
+ - rhel_07_010481 or
 rhel_07_010482 or
+ rhel_07_010483 or
 rhel_07_010491
 tags:
- - RHEL-07-010480
+ - RHEL-07-010481
 - RHEL-07-010482
- - RHEL-07-010490
+ - RHEL-07-010483
 - RHEL-07-010491
 - cat1
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index db8c5a10..c3c7b7ec 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -154,17 +154,17 @@
 vars:
 ansible_python_interpreter: "{{ python2_bin }}"
 when:
- - rhel_07_010480 or
+ - rhel_07_010481 or
 rhel_07_010482 or
- rhel_07_010490 or
+ rhel_07_010483 or
 rhel_07_010491 or
 rhel_07_021350
 tags:
 - cat1
 - high
- - RHEL-07-010480
+ - RHEL-07-010481
 - RHEL-07-010482
- - RHEL-07-010490
+ - RHEL-07-010483
 - RHEL-07-010491
 - RHEL-07-021350
@@ -173,9 +173,9 @@
 path: /sys/firmware/efi
 register: rhel_07_sys_firmware_efi
 when:
- - rhel_07_010480 or
+ - rhel_07_010481 or
 rhel_07_010482 or
- rhel_07_010490 or
+ rhel_07_010483 or
 rhel_07_010491 or
 rhel_07_021350 or
 rhel_07_021700
@@ -184,9 +184,9 @@
 - high
 - cat2
 - medium
- - RHEL-07-010480
+ - RHEL-07-010481
 - RHEL-07-010482
- - RHEL-07-010490
+ - RHEL-07-010483
 - RHEL-07-010491
 - RHEL-07-021350
 - RHEL-07-021700
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index 282f0559..81873f0d 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -28,9 +28,7 @@ RHEL_07_010290: {{ rhel_07_010290 }}
 RHEL_07_010300: {{ rhel_07_010300 }}
 RHEL_07_010440: {{ rhel_07_010440 }}
 RHEL_07_010450: {{ rhel_07_010450 }}
-RHEL_07_010480: {{ rhel_07_010480 }}
 RHEL_07_010482: {{ rhel_07_010482 }}
-RHEL_07_010490: {{ rhel_07_010490 }}
 RHEL_07_010491: {{ rhel_07_010491 }}
 RHEL_07_020000: {{ rhel_07_020000 }}
 RHEL_07_020010: {{ rhel_07_020010 }}
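Review bot: The templates/ansible_vars_goss.yml.j2 hunk deletes RHEL_07_010480 and RHEL_07_010490 but adds nothing in their place, while the tasks/main.yml and tasks/prelim.yml hunks of this same patch now gate the bootloader-password tasks on rhel_07_010481 and rhel_07_010483. Unless RHEL_07_010481 and RHEL_07_010483 are already exported elsewhere in the template (not visible here), the goss audit has no toggle for the replacement controls and will not check them even when the remediation runs. Confirm that, and if they are absent add `RHEL_07_010481: {{ rhel_07_010481 }}` and `RHEL_07_010483: {{ rhel_07_010483 }}` next to the surviving RHEL_07_010482/RHEL_07_010491 lines so audit coverage matches the task conditions.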
From a4d8ccc2b8fa13361f9e92f4d0f6bfeb606fc9ff Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 20 Dec 2021 10:40:32 +0000
Subject: [PATCH 12/18] #391 conditional added thanks @dpbown & @danbarr

Signed-off-by: Mark Bolwell
---
tasks/fix-cat1.yml | 1 +
1 file changed, 1 insertion(+)

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 5cae61da..cf506e31 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -497,6 +497,7 @@
 value: UUID={{ item.uuid }}
 insert: yes
 when:
+ - - rhel7stig_boot_part not in ['/', '']
 - not ansible_check_mode or rhel7_stig_grub_template is not changed
 notify: confirm grub2 user cfg

From c0d92de8678c492c9922f76e7f02323c8229bf8e Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 29 Dec 2021 13:21:00 -0500
Subject: [PATCH 13/18] added changes from PR 393 due to gpg signing issue

Signed-off-by: George Nalen
---
templates/aide.conf.j2 | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/templates/aide.conf.j2 b/templates/aide.conf.j2
index fb6aa8f9..804733ad 100644
--- a/templates/aide.conf.j2
+++ b/templates/aide.conf.j2
@@ -17,8 +17,11 @@ gzip_dbout=yes
 # Default.
 verbose=5
-report_url=file:@@{LOGDIR}/aide.log
-report_url=stdout
+# One line per timestamp for better external logger support
+syslog_format = true
+report_url=syslog:LOG_AUTH
+#report_url=file:@@{LOGDIR}/aide.log
+#report_url=stdout
 #report_url=stderr
 #NOT IMPLEMENTED report_url=mailto:root@foo.com
 #NOT IMPLEMENTED report_url=syslog:LOG_AUTH

From 7a6953b5bd95fc237fe4718c24d53200bbdb7347 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 5 Jan 2022 15:36:44 +0000
Subject: [PATCH 14/18] fix typo in 21350

Signed-off-by: Mark Bolwell
---
tasks/fix-cat1.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index cf506e31..08a81581 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
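Review bot: The added `+ - - rhel7stig_boot_part not in ['/', '']` carries a doubled list dash, so the new condition is a one-element nested list rather than a string expression; Ansible would most likely treat that non-empty list as truthy instead of testing `rhel7stig_boot_part`, so the guard for a /boot that is not a separate mount would never skip the task. It should match the sibling condition on the next line: `- rhel7stig_boot_part not in ['/', '']` (PATCH 14/18 later in this series makes exactly that correction). The task that owns this `when` starts outside the hunk.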
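Review bot: With `report_url=file:@@{LOGDIR}/aide.log` commented out, syslog becomes the only destination for the integrity report, so if local syslog or the forwarder to the external collector is down the result of that AIDE run leaves no record on the host. The removed lines show the file already ran with two active report_url destinations, so keeping the file destination active alongside `report_url=syslog:LOG_AUTH` preserves a local copy for later forensics at no cost. Two smaller points: `syslog_format = true` is the only setting in this hunk written with spaces around `=`, and the context line `#NOT IMPLEMENTED report_url=syslog:LOG_AUTH` directly below now contradicts the active setting, so confirm the AIDE build on the target accepts `syslog_format` and a syslog report_url and then reword or drop that stale comment. This hunk repeats PATCH 01/18 from earlier in the series.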
@@ -497,7 +497,7 @@
 value: UUID={{ item.uuid }}
 insert: yes
 when:
- - - rhel7stig_boot_part not in ['/', '']
+ - rhel7stig_boot_part not in ['/', '']
 - not ansible_check_mode or rhel7_stig_grub_template is not changed
 notify: confirm grub2 user cfg

From d928a304e4d6af67b22de3a3f58976ac10906787 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 6 Jan 2022 16:07:25 -0500
Subject: [PATCH 15/18] changed ami

Signed-off-by: George Nalen
---
.github/workflows/communitytodevel.yml | 2 +-
.github/workflows/develtomain.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml
index d7a7598f..ec638b93 100644
--- a/.github/workflows/communitytodevel.yml
+++ b/.github/workflows/communitytodevel.yml
@@ -33,6 +33,6 @@ jobs:
 # Job ID
 job_id: 5f933cbcf9c74e86b1609c00
 # Variables
- variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-07d8d14365439bc6e", "githubBranch": "${{ github.head_ref }}", "username": "ec2-user" }'
+ variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-098f55b4287a885ba", "githubBranch": "${{ github.head_ref }}", "username": "ec2-user" }'
 # Refactr API base URL
 api_url: # optional
diff --git a/.github/workflows/develtomain.yml b/.github/workflows/develtomain.yml
index ceb7f577..6c3581db 100644
--- a/.github/workflows/develtomain.yml
+++ b/.github/workflows/develtomain.yml
@@ -33,6 +33,6 @@ jobs:
 # Job ID
 job_id: 6040fe0cf7b21a22e11cf3b8
 # Variables
- variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-07d8d14365439bc6e", "username": "ec2-user" }'
+ variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-098f55b4287a885ba", "username": "ec2-user" }'
 # Refactr API base URL
 api_url: # optional

From 9e080c138937bdf4dbd476d6163785880f194803 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 6 Jan 2022 16:22:48 -0500
Subject: [PATCH 16/18] update ami username

Signed-off-by: George Nalen
---
.github/workflows/communitytodevel.yml | 2 +-
.github/workflows/develtomain.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml
index ec638b93..fcd5c637 100644
--- a/.github/workflows/communitytodevel.yml
+++ b/.github/workflows/communitytodevel.yml
@@ -33,6 +33,6 @@ jobs:
 # Job ID
 job_id: 5f933cbcf9c74e86b1609c00
 # Variables
- variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-098f55b4287a885ba", "githubBranch": "${{ github.head_ref }}", "username": "ec2-user" }'
+ variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-098f55b4287a885ba", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
 # Refactr API base URL
 api_url: # optional
diff --git a/.github/workflows/develtomain.yml b/.github/workflows/develtomain.yml
index 6c3581db..dd212d93 100644
--- a/.github/workflows/develtomain.yml
+++ b/.github/workflows/develtomain.yml
@@ -33,6 +33,6 @@ jobs:
 # Job ID
 job_id: 6040fe0cf7b21a22e11cf3b8
 # Variables
- variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-098f55b4287a885ba", "username": "ec2-user" }'
+ variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL7-STIG.git", "image": "ami-098f55b4287a885ba", "username": "centos" }'
 # Refactr API base URL
 api_url: # optional

From 06a9c62b0472e04bc4b0ae9535f843c8e77e9478 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 6 Jan 2022 16:38:31 -0500
Subject: [PATCH 17/18] updated RHEL-07-041010

Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 1 +
1 file changed, 1 insertion(+)

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 0e4f3a2a..f870cc1a 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -3898,6 +3898,7 @@
 command: nmcli radio wifi off
 when:
 - "'enabled' in rhel_07_wifi_enabled.stdout"
+ - "'NetworkManager' in ansible_facts.packages"
 when:
 - rhel_07_041010
 tags:

From c19440287adbd5915f89b115683fe488362c75f4 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 6 Jan 2022 16:54:09 -0500
Subject: [PATCH 18/18] updated RHEL-07-041010 again

Signed-off-by: George Nalen
---
tasks/fix-cat2.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index f870cc1a..64e8a74c 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -3892,15 +3892,14 @@
 changed_when: false
 check_mode: false
 register: rhel_07_wifi_enabled
- when: "'NetworkManager' in ansible_facts.packages"
 - name: "MEDIUM | RHEL-07-041010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled."
 command: nmcli radio wifi off
 when:
 - "'enabled' in rhel_07_wifi_enabled.stdout"
- - "'NetworkManager' in ansible_facts.packages"
 when:
 - rhel_07_041010
+ - "'NetworkManager' in ansible_facts.packages"
 tags:
 - RHEL-07-041010
 - CAT2
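Review bot: The new `+ - "'NetworkManager' in ansible_facts.packages"` is placed after `'enabled' in rhel_07_wifi_enabled.stdout`, yet the task that registers rhel_07_wifi_enabled is itself gated on the same package check (visible as the line PATCH 18/18 removes), so on a host without NetworkManager that variable holds a skipped result with no stdout; since Ansible evaluates `when` items in order, the first condition would most likely fail on the undefined attribute before the new guard is ever reached. Placing the package check first, or on the block's `when` as PATCH 18/18 does, is the fix. The block whose `when:` and `tags:` close the hunk continues beyond it.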
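Review bot: The block-level `+ - "'NetworkManager' in ansible_facts.packages"` assumes `ansible_facts.packages` exists, which is only the case after a package_facts task has run earlier in the play; if that is not guaranteed before fix-cat2.yml (not visible here), the whole RHEL-07-041010 block errors on an undefined attribute instead of skipping. A defensive form is `- "'NetworkManager' in (ansible_facts.packages | default({}))"`, or verify that the preliminary tasks always gather package facts first. The block's `tags:` list probably continues beyond the hunk.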