From dd187dd199abf8186c58c9b8cbb685482c9234f7 Mon Sep 17 00:00:00 2001
From: uk-bolly <mark.bollyuk@gmail.com>
Date: Wed, 14 Feb 2024 16:54:58 +0000
Subject: [PATCH] devel to main update for release (#443)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Specify missing state parameter for package

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>

* Correct with_items indentation for package

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>

* Replace inline strings with module parameters

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>

* updated link

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed old

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added new defined secrets file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added precommit

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added pragma allow list

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated due to galaxy changes

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* moved file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated path

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed quality badge since galaxy-ng

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Adding additional condition for rhel7stig_grub2_user_cfg for task

Signed-off-by: layluke <layluke@protonmail.com>

* updated the workflow version and galaxy setup

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed file

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* lint update

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix typo

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* rhel7stig_boot_part variable now discovered

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tidy up of rhel7stig_boot_part variable

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* changed logic on 20620

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated logic for uuid

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed extra line

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed doc dir

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1)
- [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.21.1...v6.22.2)
- [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0)

* Issue #446 tag update to always - thanks to @prestonSeaman2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* conditional updated 021000 & 021010 #448 thanks @erosen03

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Anže Luzar <anze.luzar@xlab.si>
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Signed-off-by: layluke <layluke@protonmail.com>
Co-authored-by: Anže Luzar <anze.luzar@xlab.si>
Co-authored-by: layluke <layluke@protonmail.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 .config/.gitleaks-report.json                 |  1 -
 .config/.secrets.baseline                     | 79 +------------------
 .../workflows/devel_pipeline_validation.yml   | 20 ++---
 .../workflows/main_pipeline_validation.yml    | 18 ++---
 .github/workflows/update_galaxy.yml           | 14 ++--
 .pre-commit-config.yaml                       |  9 +--
 CONTRIBUTING.rst                              |  1 -
 ChangeLog.md                                  |  4 +-
 README.md                                     |  1 -
 ansible.cfg                                   |  1 -
 collections/requirements.yml                  | 12 ++-
 defaults/main.yml                             |  4 +-
 doc/README.md                                 |  8 --
 handlers/main.yml                             |  4 +-
 tasks/fix-cat1.yml                            |  7 +-
 tasks/fix-cat2.yml                            | 56 +++++++------
 tasks/main.yml                                | 24 +++---
 tasks/pre_remediation_audit.yml               |  3 +-
 tasks/prelim.yml                              | 32 +++-----
 templates/01-banner-message.j2                |  2 +-
 templates/ansible_vars_goss.yml.j2            |  4 +-
 templates/audit/99_auditd.rules.j2            |  2 +-
 templates/pam_pkcs11.conf.j2                  | 14 ++--
 vars/Centos.yml                               |  9 ---
 24 files changed, 121 insertions(+), 208 deletions(-)
 delete mode 100644 .config/.gitleaks-report.json
 delete mode 100644 doc/README.md
 delete mode 100644 vars/Centos.yml

diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
deleted file mode 100644
index fe51488c..00000000
--- a/.config/.gitleaks-report.json
+++ /dev/null
@@ -1 +0,0 @@
-[]
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
index 522a6339..eab74d91 100644
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".config/.secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,78 +109,11 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_passwd.yml"
       ]
     }
   ],
-  "results": {
-    "defaults/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 467,
-        "is_secret": false
-      }
-    ],
-    "tasks/fix-cat2.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/fix-cat2.yml",
-        "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859",
-        "is_verified": false,
-        "line_number": 1449,
-        "is_secret": false
-      }
-    ],
-    "tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e",
-        "is_verified": false,
-        "line_number": 39,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 56,
-        "is_secret": false
-      }
-    ],
-    "tasks/parse_etc_passwd.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_passwd.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 18
-      }
-    ],
-    "tasks/prelim.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/prelim.yml",
-        "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a",
-        "is_verified": false,
-        "line_number": 228,
-        "is_secret": false
-      }
-    ],
-    "templates/pam_pkcs11.conf.j2": [
-      {
-        "type": "Secret Keyword",
-        "filename": "templates/pam_pkcs11.conf.j2",
-        "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
-        "is_verified": false,
-        "line_number": 173,
-        "is_secret": false
-      }
-    ]
-  },
-  "generated_at": "2023-09-14T14:19:49Z"
+  "results": {},
+  "generated_at": "2023-10-09T14:42:52Z"
 }
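Review bot: The new `should_exclude_file` entry silences detect-secrets for the whole of `tasks/parse_etc_passwd.yml`, whereas every other finding cleared in this commit is handled with a line-level `# pragma: allowlist secret`; a real credential added to that file later would never be reported. The removed results show the only hit there was a single line (line 18), so the same pragma on that line keeps the rest of the file under scan. These patterns are regexes, so the unescaped `.config/.gitleaks-report.json` is loose, and since that file is deleted in this same commit the entry can probably be dropped rather than kept.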
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index a4e7d48a..39af625a 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -27,9 +27,9 @@
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   pr-message: |-
                       Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -44,13 +44,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -74,7 +74,7 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -82,7 +82,7 @@
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -90,7 +90,7 @@
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -111,9 +111,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansible playbook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:
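Review bot: `run: sleep ${{ vars.BUILD_SLEEPTIME }}` expands a repository variable directly into the shell script, and if the variable is unset (a fork, or a freshly created environment) the step runs `sleep` with no operand and fails; pass it through `env:` and default it, e.g. `env: { BUILD_SLEEPTIME: ${{ vars.BUILD_SLEEPTIME }} }` with `run: sleep "${BUILD_SLEEPTIME:-60}"`. The step name `Sleep for 60 seconds` is now stale and should describe the variable. While the checkout actions are being bumped, `arillso/action.playbook@master` on the following line is still a mutable branch reference for the step that runs against the provisioned hosts; pinning it to a release tag or full commit SHA is the usual supply-chain hygiene.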
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
index 0b149fb3..8ded7018 100644
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -18,7 +18,7 @@
     # that can run sequentially or in parallel
     jobs:
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -33,13 +33,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -63,7 +63,7 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -71,7 +71,7 @@
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -79,7 +79,7 @@
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -100,9 +100,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansible playbook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:
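Review bot: As in the devel workflow, `run: sleep ${{ vars.BUILD_SLEEPTIME }}` fails with a missing operand when the variable is not set and leaves the step name `Sleep for 60 seconds` inaccurate; prefer `run: sleep "${BUILD_SLEEPTIME:-60}"` with the value mapped in via `env:`. The unpinned `arillso/action.playbook@master` on the next line would also benefit from a tag or commit-SHA pin alongside the `checkout@v4` bump.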
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
index 951a53cb..f9352800 100644
--- a/.github/workflows/update_galaxy.yml
+++ b/.github/workflows/update_galaxy.yml
@@ -1,11 +1,7 @@
 ---
 
-# This is a basic workflow to help you get started with Actions
-
 name: update galaxy
 
-# Controls when the action will run.
-# Triggers the workflow on merge request events to the main branch
 on:
     push:
         branches:
@@ -14,8 +10,10 @@ jobs:
     update_role:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
-            - uses: robertdebock/galaxy-action@master
+            - name: Checkout repo
+              uses: actions/checkout@v4
+
+            - name: Action Ansible Galaxy Release ${{ github.ref_name }}
+              uses: ansible-actions/ansible-galaxy-action@main
               with:
-                  galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
-                  git_branch: main
+                galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
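Review bot: `ansible-actions/ansible-galaxy-action@main` pins the publishing step to a mutable branch while handing it `secrets.GALAXY_API_KEY`, so any push to that action's main branch executes with the ability to publish under this namespace; pin it to a release tag or, better, a full commit SHA, e.g. `uses: ansible-actions/ansible-galaxy-action@<commit-sha>  # vX.Y`. The old `git_branch: main` input was dropped, so presumably the new action publishes whatever ref was checked out; the `on: push` branch filter sits just above the hunk, so confirm this workflow cannot fire on a non-release branch.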
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 97c79434..43020660 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v4.5.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -34,16 +34,15 @@ repos:
   hooks:
   - id: detect-secrets
     args: [ '--baseline', '.config/.secrets.baseline' ]
-    exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.17.0
+  rev: v8.18.1
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.17.2
+  rev: v6.22.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -62,6 +61,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.32.0  # or higher tag
+  rev: v1.33.0  # or higher tag
   hooks:
   - id: yamllint
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 2fa743d8..23ce2fb7 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -65,4 +65,3 @@ following text in your contribution commit message:
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
 option to `git commit` to automatically include the signoff message.
-
diff --git a/ChangeLog.md b/ChangeLog.md
index 0859edd9..608849fd 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -115,14 +115,14 @@ README
 
 ## Release 1.9.0
 
-- RHEL-07-010271 - New Control Added 
+- RHEL-07-010271 - New Control Added
 - Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below
   - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text.
   - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives.
   - RHEL-07-030840 - Updated check and fix text.
   - RHEL-07-040160 - Updated check text.
   - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion.
-  - RHEL-07-040360, RHEL-07-040530 - Updated CCI. 
+  - RHEL-07-040360, RHEL-07-040530 - Updated CCI.
 - Update to README and requirements
 - RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information
 
diff --git a/README.md b/README.md
index 40081ffc..70be8088 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,6 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on  July 23
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
diff --git a/ansible.cfg b/ansible.cfg
index f0ab6836..c7c4ec86 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -23,4 +23,3 @@ transfer_method=scp
 [colors]
 
 [diff]
-
diff --git a/collections/requirements.yml b/collections/requirements.yml
index 4a418efa..8ebc6180 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -1,8 +1,14 @@
 ---
 
 collections:
-- name: community.general
+    - name: community.general
+      source: https://github.com/ansible-collections/community.general
+      type: git
 
-- name: community.crypto
+    - name: community.crypto
+      source: https://github.com/ansible-collections/community.crypto
+      type: git
 
-- name: ansible.posix
+    - name: ansible.posix
+      source: https://github.com/ansible-collections/ansible.posix
+      type: git
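Review bot: Switching all three collections to `type: git` with no `version:` installs whatever the default branch of each GitHub repository holds at install time, which is neither reproducible nor the versioned, signed artifact Galaxy serves; a build can change or pick up unreviewed upstream code on any push. Add a `version:` to each entry (a release tag, or a commit SHA for a hard pin), or keep the Galaxy source with a pinned `version:`. If the move to git sources is a workaround for Galaxy-NG changes, say so in a comment so the entries are not mistaken for the permanent source of truth.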
diff --git a/defaults/main.yml b/defaults/main.yml
index 916abcca..89b65ab1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -464,7 +464,7 @@ rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"
 # RHEL-07-010480 and RHEL-07-010490
 # Password protect the boot loader
 
-rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
+rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
 rhel7stig_boot_superuser: root
 
 # RHEL-07-021700 set the value for correctly configured grub bootloader sequence
@@ -693,7 +693,7 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1,
 
 rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
 
-rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}"
+rhel7stig_boot_part: /boot
 
 rhel7stig_legacy_boot_path: '/boot/grub2/'
 rhel7stig_efi_boot_path: '/boot/efi/EFI/'
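Review bot: `rhel7stig_boot_part: /boot` turns the default into a fixed path where the previous `rhel_07_boot_part.stdout` carried the discovered partition; on a host with no separate /boot filesystem, the guard `rhel7stig_boot_part not in ['/', '']` in fix-cat1.yml now passes and the boot-partition work runs against the root filesystem unless something overrides the variable. The commit message says the value is now discovered in prelim.yml, which is not in this excerpt; if prelim sets it with `set_fact`, a comment here such as `# fallback only; prelim.yml replaces this with the discovered /boot mount` would stop a reader of defaults relying on the literal.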
diff --git a/doc/README.md b/doc/README.md
deleted file mode 100644
index fb11aec8..00000000
--- a/doc/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-To generate the documentation on a RHEL/CentOS 7 system, take the following steps:
-1. Install required packages:
-   * `yum install python3-pip python-sphinx`
-2. Install the requirements:
-   * `sudo pip3 install -r requirements.txt`
-3. Generate the documentation:
-   * `make singlehtml`
-
diff --git a/handlers/main.yml b/handlers/main.yml
index c414bd4c..88fb8027 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -27,7 +27,7 @@
 - name: make grub2 config
   ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_bootloader_path }}grub.cfg
   when:
-      - rhel7stig_grub2_user_cfg.stat.exists
+      - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists)
       - not rhel7stig_skip_for_travis
       - not rhel7stig_system_is_container
 
@@ -42,7 +42,7 @@
       - grub.cfg
       - user.cfg
   when:
-      - rhel7stig_grub2_user_cfg.stat.exists
+      - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists)
       - rhel7stig_workaround_for_disa_benchmark
       - not rhel7stig_skip_for_travis
       - not rhel7stig_system_is_container
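Review bot: The new `is defined` guard in both handler hunks still errors when the `stat` task ran but was skipped, because a skipped task registers a result with no `stat` key and `rhel7stig_grub2_user_cfg.stat.exists` is then undefined. `- rhel7stig_grub2_user_cfg.stat.exists | default(false)` covers both the never-registered and the skipped case in one condition, since Ansible's undefined is chainable. The `stat` task that registers the variable is outside this diff, so confirm whether it can be skipped on the paths these handlers are notified from.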
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index a46c1f74..a8dab97d 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -456,6 +456,7 @@
                   insert: true
               when:
                   - rhel7stig_boot_part not in ['/', '']
+                  - item.uuid is defined
                   - not ansible_check_mode or
                     rhel7_stig_grub_template is not changed
               notify: confirm grub2 user cfg
@@ -474,9 +475,9 @@
                   - ansible_check_mode
                   - rhel_07_021350_audit is failed
               failed_when:
-                  - rhel_07_021350_audit is failed
-                  - not ansible_check_mode or
-                    rhel_07_021350_audit.rc > 1
+                  - rhel_07_021350_audit.rc not in [ 0, 1 ]
+                  - not ansible_check_mode
+
               when:
                   - not ansible_check_mode or
                     rhel7_stig_grub_template is not changed
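Review bot: The rewritten `failed_when` can never fail in check mode, because `not ansible_check_mode` is now an unconditional AND term; the old expression still failed on `rc > 1` in check mode, which is what separated a genuine command error from a plain audit miss. Consider a single term, `- rhel_07_021350_audit.rc | default(0) not in [0, 1]`, where the `default` also covers the case where the audit task was skipped and registered no `rc`, and leave check-mode gating to the task's `when:`. The audited command and its `register` are above this hunk.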
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 694a304c..1ea2f6de 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1109,9 +1109,9 @@
         ansible.builtin.package:
             name: "{{ item }}"
             state: present
-            with_items:
-                - pam_pkcs11
-                - pcsc-lite-libs
+        with_items:
+            - pam_pkcs11
+            - pcsc-lite-libs
         vars:
             ansible_python_interpreter: "{{ python2_bin }}"
         register: rhel_07_010500pkcs11install
@@ -1368,7 +1368,7 @@
 - name: |
     "MEDIUM | RHEL-07-020210 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux."
     "MEDIUM | RHEL-07-020220 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux targeted policy."
-  selinux:
+  ansible.posix.selinux:
       state: enforcing
       policy: targeted
   check_mode: "{{ ansible_check_mode or rhel7stig_system_is_chroot }}"
@@ -1444,9 +1444,10 @@
             - "{{ rhel7stig_unnecessary_accounts }}"
 
       - name: "MEDIUM | RHEL-07-020270 | AUDIT | Re-parse /etc/passwd since it changed."
-        include_tasks: parse_etc_passwd.yml  # noqa: no-handler
+        ansible.builtin.include_tasks:
+            file: parse_etc_passwd.yml
         vars:
-            rhel7stig_passwd_tasks: "RHEL-07-020270"
+            rhel7stig_passwd_tasks: "RHEL-07-020270"  # noqa: no-handler  # pragma: allowlist secret
         when: rhel_07_020270_patch is changed
   when:
       - rhel_07_020270
@@ -1553,7 +1554,7 @@
       label: "{{ rhel7stig_passwd_label }}"
   when:
       - rhel_07_020620
-      - rhel7stig_interactive_uid_start | int <= item.uid
+      - item.uid >= rhel7stig_interactive_uid_start | int
   tags:
       - RHEL-07-020620
       - CAT2
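Review bot: Reversing the operands to `item.uid >= rhel7stig_interactive_uid_start | int` changes nothing if `item.uid` is still a string from the /etc/passwd parse; under Python 3 Jinja2 raises `TypeError` comparing `str` with `int`, and under Python 2 the comparison is by type rather than value, so the wrong users are selected without any error. Cast both sides: `- item.uid | int >= rhel7stig_interactive_uid_start | int`. parse_etc_passwd.yml is not in this diff, so confirm the type it produces for `uid`.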
@@ -1754,7 +1755,7 @@
 
       # set default ACLs so the homedir has an effective umask of 0027
       - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
-        acl:
+        ansible.posix.acl:
             path: "{{ item.0 }}"
             default: true
             state: present
@@ -1925,7 +1926,8 @@
         register: rhel_07_020730_perms_results
 
       - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."
-        include_tasks: audit_homedirinifiles.yml
+        ansible.builtin.include_tasks:
+            file: audit_homedirinifiles.yml
         loop:
             - "{{ rhel_07_stig_interactive_homedir_inifiles }}"
         loop_control:
@@ -2040,7 +2042,7 @@
             removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"  # noqa: jinja[invalid]
         when:
             - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
-            - "'nosuid' not in home_mount.options"
+            - "'nosuid' not in removable_mount.options"
 
       - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
         ansible.posix.mount:
@@ -2053,7 +2055,7 @@
             removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"  # noqa: jinja[invalid]
         when:
             - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
-            - "'nosuid' not in home_mount.options"
+            - "'nosuid' not in removable_mount2.options"
   when:
       - rhel_07_021010
       - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
@@ -3405,7 +3407,7 @@
       - ldap
 
 - name: "MEDIUM | RHEL-07-040201 | PATCH | The Red Hat Enterprise Linux operating system must implement virtual address space randomization."
-  sysctl:
+  ansible.posix.sysctl:
       name: kernel.randomize_va_space
       value: '2'
       state: present
@@ -3918,7 +3920,7 @@
       - firewall
 
 - name: "MEDIUM | RHEL-07-040610 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.conf.all.accept_source_route
       state: present
       value: '0'
@@ -3936,7 +3938,7 @@
       - ipv4
 
 - name: "MEDIUM | RHEL-07-040611 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.conf.all.rp_filter
       value: '1'
       state: present
@@ -3954,7 +3956,7 @@
       - ipv4
 
 - name: "MEDIUM | RHEL-07-040612 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.conf.default.rp_filter
       state: present
       value: '1'
@@ -3972,7 +3974,7 @@
       - ipv4
 
 - name: "MEDIUM | RHEL-07-040620 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.conf.default.accept_source_route
       state: present
       value: '0'
@@ -3990,7 +3992,7 @@
       - ipv4
 
 - name: "MEDIUM | RHEL-07-040630 | PATCH | The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.icmp_echo_ignore_broadcasts
       state: present
       value: '1'
@@ -4009,7 +4011,7 @@
       - ipv4
 
 - name: "MEDIUM | RHEL-07-040640 | PATCH | The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.conf.default.accept_redirects
       state: present
       value: '0'
@@ -4027,7 +4029,7 @@
       - ipv4
 
 - name: "MEDIUM | RHEL-07-040641 | PATCH | The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages"
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.conf.all.accept_redirects
       state: present
       value: '0'
@@ -4045,7 +4047,7 @@
       - ipv4
 
 - name: "MEDIUM | RHEL-07-040650 | PATCH |  The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.conf.default.send_redirects
       state: present
       value: '0'
@@ -4063,7 +4065,7 @@
       - ipv4
 
 - name: "MEDIUM | RHEL-07-040660 | PATCH | The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.conf.all.send_redirects
       state: present
       value: '0'
@@ -4215,7 +4217,7 @@
       - x11
 
 - name: "MEDIUM | RHEL-07-040740 | PATCH | The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv4.ip_forward
       state: present
       value: '0'
@@ -4268,11 +4270,13 @@
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
   block:
       - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
-        include_tasks: audit_firewalld.yml
+        ansible.builtin.include_tasks:
+            file: audit_firewalld.yml
         when: rhel7stig_firewall_service == "firewalld"
 
       - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
-        include_tasks: audit_iptables.yml
+        ansible.builtin.include_tasks:
+            file: audit_iptables.yml
         when: rhel7stig_firewall_service != "firewalld"
 
       - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
@@ -4311,7 +4315,7 @@
       - V-204629
 
 - name: "MEDIUM | RHEL-07-040830 | PATCH | The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets."
-  sysctl:
+  ansible.posix.sysctl:
       name: net.ipv6.conf.all.accept_source_route
       state: present
       value: '0'
@@ -4742,7 +4746,7 @@
       - V-250312
 
 - name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH."
-  seboolean:
+  ansible.posix.seboolean:
       name: ssh_sysadm_login
       persistent: true
       state: "{{ rhel7stig_ssh_sysadm_login_state }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 33a01a26..2041044a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -36,7 +36,7 @@
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
             success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}"
         vars:
-            sudo_password_rule: RHEL-07-010340
+            sudo_password_rule: RHEL-07-010340  # pragma: allowlist secret
   when:
       - rhel_07_010340
       - ansible_env.SUDO_USER is defined
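Review bot: The `success_msg` line in this hunk is missing a word in a user-facing message (`You a password set for …`); change it to `success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }}"`. The `# pragma: allowlist secret` added to `sudo_password_rule` is appropriate, since the value is a STIG rule ID rather than a credential and only matches the scanner on the word "password". The enclosing block and its `assert` start above the hunk.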
@@ -53,8 +53,8 @@
 
 - name: Check rhel7stig_bootloader_password_hash variable has been changed
   ansible.builtin.assert:
-      that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
-      msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'"
+      that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
+      msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'"  # pragma: allowlist secret
   when:
       - rhel_07_010481 or
         rhel_07_010482 or
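Review bot: The `that:` condition only rejects the literal placeholder, so an empty string, a plaintext password or a hash from some other algorithm passes the assert and would be handed to the later grub user.cfg tasks unchanged. Turn `that:` into a list and add a shape check next to the existing one, `- rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'` and `- rhel7stig_bootloader_password_hash is match('^grub\\.pbkdf2\\.sha512\\.')`, so only `grub2-mkpasswd-pbkdf2` output is accepted. The `# pragma: allowlist secret` on the `msg:` line suppresses a scan on text that holds no secret; harmless, but worth keeping off lines that do. The task's `when:` list continues past the end of the hunk.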
@@ -73,13 +73,15 @@
       - always
 
 - name: include prelim tasks
-  ansible.builtin.import_tasks: prelim.yml
+  ansible.builtin.import_tasks:
+      file: prelim.yml
   tags:
       - prelim_tasks
       - run_audit
 
 - name: include pre-remediation audit
-  ansible.builtin.import_tasks: pre_remediation_audit.yml
+  ansible.builtin.import_tasks:
+      file: pre_remediation_audit.yml
   when:
       - run_audit
   tags:
@@ -92,21 +94,24 @@
       - always
 
 - name: Include CAT I patches
-  ansible.builtin.import_tasks: fix-cat1.yml
+  ansible.builtin.import_tasks:
+      file: fix-cat1.yml
   when: rhel7stig_cat1_patch
   tags:
       - cat1
       - high
 
 - name: Include CAT II patches
-  ansible.builtin.import_tasks: fix-cat2.yml
+  ansible.builtin.import_tasks:
+      file: fix-cat2.yml
   when: rhel7stig_cat2_patch
   tags:
       - cat2
       - medium
 
 - name: Include CAT III patches
-  ansible.builtin.import_tasks: fix-cat3.yml
+  ansible.builtin.import_tasks:
+      file: fix-cat3.yml
   when: rhel7stig_cat3_patch
   tags:
       - cat3
@@ -133,7 +138,8 @@
       - not rhel7stig_skip_reboot
 
 - name: include post-remediation audit
-  ansible.builtin.import_tasks: post_remediation_audit.yml
+  ansible.builtin.import_tasks:
+      file: post_remediation_audit.yml
   when:
       - run_audit
 
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index e7b7319c..7b4d06f5 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -1,7 +1,8 @@
 ---
 
 - name: Audit Binary Setup | Setup the LE audit
-  ansible.builtin.include_tasks: LE_audit_setup.yml
+  ansible.builtin.include_tasks:
+      file: LE_audit_setup.yml
   when:
       - setup_audit
   tags:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index f1863acd..a4cdb913 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -55,6 +55,7 @@
       - name: "PRELIM | Install dconf"
         ansible.builtin.package:
             name: dconf
+            state: present
         vars:
             ansible_python_interpreter: "{{ python2_bin }}"
         when:
@@ -148,6 +149,7 @@
 - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | Install grub2-tools."
   ansible.builtin.package:
       name: grub2-tools
+      state: present
   vars:
       ansible_python_interpreter: "{{ python2_bin }}"
   when:
@@ -157,13 +159,7 @@
         rhel_07_010491 or
         rhel_07_021350
   tags:
-      - cat1
-      - high
-      - RHEL-07-010481
-      - RHEL-07-010482
-      - RHEL-07-010483
-      - RHEL-07-010491
-      - RHEL-07-021350
+      - always
 
 - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | RHEL-07-021700 | Check whether machine is UEFI-based"
   ansible.builtin.stat:
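Review bot: Replacing the cat1/STIG-ID tags with `always` on the new line means the grub2-tools install now runs on invocations such as `--tags cat2`, `--tags medium` or `--skip-tags cat1` that previously skipped it, as long as one of the `rhel_07_0104xx`/`rhel_07_021350` switches in the `when:` is true; a package install during a run the operator scoped to another category is a surprising side effect. If the prelim must run regardless of tag selection, consider also gating it on the same switch that gates the CAT I import in tasks/main.yml by adding `- rhel7stig_cat1_patch` to the `when:` list, or keep a STIG-ID tag so it can still be skipped deliberately. The task header and the start of its `when:` list are in the previous hunk, outside this one.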
@@ -210,6 +206,7 @@
 - name: "PRELIM | ensure cronie is available"
   ansible.builtin.package:
       name: cronie
+      state: present
   vars:
       ansible_python_interpreter: "{{ python2_bin }}"
   when:
@@ -223,9 +220,10 @@
       - RHEL-07-020040
 
 - name: "PRELIM | RHEL-07-020600 | RHEL-07-020620 | RHEL-07-020630 | RHEL-07-020640 | RHEL-07-020650 | RHEL-07-020660 | RHEL-07-020690 | Parse /etc/passwd"
-  ansible.builtin.include_tasks: parse_etc_passwd.yml
+  ansible.builtin.include_tasks:
+      file: parse_etc_passwd.yml
   vars:
-      rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690"
+      rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690"  # pragma: allowlist secret
   when:
       - rhel_07_020600 or
         rhel_07_020620 or
@@ -282,6 +280,7 @@
 - name: "PRELIM | RHEL-07-021100 | RHEL-07-031000 | RHEL-07-031010 | Ensure rsyslog is installed when required."
   ansible.builtin.package:
       name: rsyslog
+      state: present
   vars:
       ansible_python_interpreter: "{{ python2_bin }}"
   when:
@@ -295,21 +294,10 @@
       - RHEL-07-031000
       - RHEL-07-031010
 
-- name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions"
-  ansible.builtin.shell: df --output=target /boot | tail -n 1
-  changed_when: false
-  check_mode: false
-  register: rhel_07_boot_part
-  when:
-      - rhel_07_021350
-  tags:
-      - cat1
-      - high
-      - RHEL-07-021350
-
 - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin."
   ansible.builtin.package:
       name: audispd-plugins
+      state: present
   vars:
       ansible_python_interpreter: "{{ python2_bin }}"
   when:
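Review bot: Removing the `df --output=target /boot` task also removes the `rhel_07_boot_part` registered variable, and the diff does not show the RHEL-07-021350 remediation that presumably consumed it being updated; if any task in fix-cat1.yml still references `rhel_07_boot_part`, it will now fail with an undefined variable on hosts where `rhel_07_021350` is true. Grep the role for that name before merging, and if the consumer was dropped in the same PR, a one-line note in the commit description saying so would save the next reader the search.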
@@ -387,6 +375,7 @@
           - libselinux-python
           - policycoreutils-python
           - selinux-policy-targeted
+      state: present
   vars:
       ansible_python_interpreter: "{{ python2_bin }}"
   when:
@@ -399,6 +388,7 @@
       - name: "PRELIM | Install SSH"
         ansible.builtin.package:
             name: openssh-server
+            state: present
         vars:
             ansible_python_interpreter: "{{ python2_bin }}"
 
diff --git a/templates/01-banner-message.j2 b/templates/01-banner-message.j2
index 21e7c2b2..7d9c917b 100644
--- a/templates/01-banner-message.j2
+++ b/templates/01-banner-message.j2
@@ -1,4 +1,4 @@
-[org/gnome/login-screen] 
+[org/gnome/login-screen]
 banner-message-enable=true
 
 banner-message-text='{{ rhel7stig_logon_banner }}'
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index 7e75ab30..8e562654 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -28,7 +28,7 @@ rhel7stig_cat1: {{ rhel7stig_cat1_patch }}
 rhel7stig_cat2: {{ rhel7stig_cat2_patch }}
 rhel7stig_cat3: {{ rhel7stig_cat3_patch }}
 
-## CAT I 
+## CAT I
 RHEL_07_010010: {{ rhel_07_010010 }}
 RHEL_07_010020: {{ rhel_07_010020 }}
 RHEL_07_010290: {{ rhel_07_010290 }}
@@ -337,7 +337,7 @@ rhel7stig_staff_u:
 
 # host intrision protection e.g. Mcafee HIPS
 rhel7stig_hip_enabled: false
-rhel7stig_hip_pkg: 
+rhel7stig_hip_pkg:
 rhel7stig_hip_proc:
 
 # RHEL-07-010483 & RHEL-07-010492
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index 2b730902..445e5ef7 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -50,7 +50,7 @@
 {% endif %}
 
 {% if rhel_07_030620 %}
--w /var/log/lastlog -p wa -k logins 
+-w /var/log/lastlog -p wa -k logins
 {% endif %}
 
 {% if rhel_07_030630 %}
diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2
index 7ca73675..9fac3d9f 100644
--- a/templates/pam_pkcs11.conf.j2
+++ b/templates/pam_pkcs11.conf.j2
@@ -9,7 +9,7 @@ pam_pkcs11 {
   nullok = true;
 
   # Enable debugging support.
-  debug = false; 
+  debug = false;
 
   # If the smart card is inserted, only use it
   card_only = true;
@@ -32,7 +32,7 @@ pam_pkcs11 {
   screen_savers = gnome-screensaver,xscreensaver,kscreensaver
 
   pkcs11_module {{ rhel07stig_smartcarddriver }} {
-    {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} 
+    {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %}
     module = /usr/lib64/libcackey.so;
     description = "{{ rhel07stig_smartcarddriver }}";
     slot_num = 0;
@@ -54,7 +54,7 @@ pam_pkcs11 {
     # you can mange the certs in this database with the certutil command in
     # the package nss-tools
     nss_dir = /etc/pki/nssdb;
-  
+
     # Sets the Certificate Policy, (see above)
     cert_policy = ca, signature;
   }
@@ -96,10 +96,10 @@ pam_pkcs11 {
   # When no absolute path or module info is provided, use this
   # value as module search path
   # TODO:
-  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH 
+  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
   mapper_search_path = /usr/$LIB/pam_pkcs11;
 
-  # 
+  #
   # Generic certificate contents mapper
   mapper generic {
         debug = true;
@@ -170,7 +170,7 @@ pam_pkcs11 {
   # DN to bind with. Must have read-access for user entries under "base"
         binddn = "cn=pam,o=example,c=com";
   # Password for above DN
-        passwd = "test";
+        passwd = "test";  # pragma: allowlist secret
   # Searchbase for user entries
         base = "ou=People,o=example,c=com";
   # Attribute of user entry which contains the certificate
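Review bot: The `# pragma: allowlist secret` appended to `passwd = "test";` is rendered into /etc/pam_pkcs11/pam_pkcs11.conf on the managed host, because this is a deployed template rather than a source-only file; the rest of the visible file only uses `#` on lines of its own, so confirm that pam_pkcs11's config parser accepts a trailing comment after a statement before relying on it there. The finding being suppressed is real: a hard-coded LDAP bind password ships in the template, even if this `ldap` mapper block appears to be sample configuration that may not be active. A safer shape is to render the value from a vaulted role variable (or comment the line out until it is configured) and record the suppression in the scanner's baseline file rather than in the rendered config. The enclosing `mapper ldap` block starts outside the hunk.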
@@ -194,7 +194,7 @@ pam_pkcs11 {
   module = internal;
   # module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
   # Declare mapfile or
-  # leave empty "" or "none" to use no map 
+  # leave empty "" or "none" to use no map
   mapfile = file:///etc/pam_pkcs11/mail_mapping;
   # Some certs store email in uppercase. take care on this
   ignorecase = true;
diff --git a/vars/Centos.yml b/vars/Centos.yml
deleted file mode 100644
index 05e0e648..00000000
--- a/vars/Centos.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-
-gpg_keys:
-    - name: 'CentOS 7 Official Signing Key'
-      packager: "security@centos.org"
-      fingerprint: "6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5"
-
-gpg_package: centos-release
-rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7