From 0e839b71de74f3cead422a57fb906d6c4613fa49 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 30 Oct 2024 19:10:10 +0000
Subject: [PATCH 1/4] updated layout 21350
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat1.yml | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 19e0272f..d4b02673 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -43,31 +43,31 @@
 - V-204392
 - permissions
-- name: "HIGH | RHEL-07-021350 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."
+- name: "HIGH | RHEL-07-010020 | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."
 block:
- - name: "HIGH | RHEL-07-021350 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."
+ - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."
 ansible.builtin.shell: 'rpm -Va --noconfig --nolinkto --nosize --nouser --nogroup --nomtime --nomode --nodigest --nosignature | grep ''^..5'' | tee /dev/stderr | cut -c13- | sed ''s/^ //'' | xargs rpm -qf --qf=''%{name}\n'' | sort -u'
 check_mode: false
 failed_when: false
- changed_when: rhel_07_021350_audit.stdout| length > 0
- register: rhel_07_021350_audit
+ changed_when: rhel_07_010020_audit.stdout| length > 0
+ register: rhel_07_010020_audit
- - name: "HIGH | RHEL-07-021350 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."
+ - name: "HIGH | RHEL-07-010020 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."
ansible.builtin.debug:
- msg: "{{ rhel_07_021350_audit.stderr_lines }}"
+ msg: "{{ rhel_07_010020_audit.stderr_lines }}"
 changed_when: true
- when: rhel_07_021350_audit.stdout | length > 0
+ when: rhel_07_010020_audit.stdout | length > 0
- - name: "HIGH | RHEL-07-021350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."
+ - name: "HIGH | RHEL-07-010020 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."
 ansible.builtin.shell: yum reinstall -y {{ item }}
 failed_when: false
 with_items:
- - "{{ rhel_07_021350_audit.stdout_lines }}"
+ - "{{ rhel_07_010020_audit.stdout_lines }}"
- when: rhel_07_021350_audit.stdout_lines | length > 0
+ when: rhel_07_010020_audit.stdout_lines | length > 0
 when:
- - rhel_07_021350
+ - rhel_07_010020
 tags:
- - RHEL-07-021350
+ - RHEL-07-010020
 - CAT1
 - CCI-001749
 - SRG-OS-000480-GPOS-00227
@@ -471,9 +471,7 @@
 - rhel_07_021350_boot_kernel_set.stdout | length == 0
 - not ansible_check_mode or rhel_07_021350_default_grub_missing_audit is not changed
- notify: confirm grub2 user cfg
- register: result
 - name: "HIGH | RHEL-07-021350 | AUDIT | Verify kernel parameters in /etc/default/grub"
 ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ]){{ item | regex_escape }}(?=[" ]).*"$' /etc/default/grub
From 18f123f13bd663d7ac02f18bff699f736dfed9f2 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 30 Oct 2024 19:12:18 +0000
Subject: [PATCH 2/4] fixed layout 041010
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat2.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index b1752277..7d923e58 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
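Review bot: The block is now gated on `when: - rhel_07_010020` (and registers `rhel_07_010020_audit`), but this patch's diffstat touches only tasks/fix-cat1.yml, so unless defaults/main.yml already declares `rhel_07_010020` the conditional fails with an undefined variable and the hash verification never runs; please confirm the defaults, vars and README carry the matching rename, since a stale `rhel_07_021350: true` no longer enables this control. Separately, the PATCH step `yum reinstall -y {{ item }}` runs with `failed_when: false` and no `register`, so a reinstall that fails (package not in an enabled repo, gpgcheck rejection) leaves the modified binary in place while the play reports success. At minimum `register: rhel_07_010020_reinstall` and surface any non-zero `rc` in a debug message, and pass the name as `yum reinstall -y {{ item | quote }}` since it is taken straight from `rpm -qf` output. The tags list may continue past the end of the hunk.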
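Review bot: Removing `notify: confirm grub2 user cfg` and `register: result` means the task whose `when:` list is visible at the top of this hunk no longer triggers the handler that regenerates the grub configuration; if that task is the one that writes the FIPS kernel argument into /etc/default/grub (its module line is outside the hunk), the change sits in /etc/default/grub without being compiled into the boot configuration until something else notifies the handler. Please confirm another task in the RHEL-07-021350 block still notifies `confirm grub2 user cfg`, or keep `notify: confirm grub2 user cfg` on this task. The task's header starts before this hunk.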
@@ -4427,8 +4427,8 @@
 - name: "MEDIUM | RHEL-07-041010 | AUDIT | check if wifi is enabled"
 ansible.builtin.shell: nmcli radio wifi
- changed_when: false
 check_mode: false
+ changed_when: false
 failed_when: rhel_07_wifi_enabled.rc not in [ 0, 1 ]
 register: rhel_07_wifi_enabled
 when:
@@ -4458,7 +4458,7 @@
 - name: "MEDIUM | RHEL-07-020019 | AUDIT | The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool."
 ansible.builtin.debug:
 msg:
- - "Please Install and enable the latest Trellix ENSLTP package."
+ - "Please install and enable the latest Trellix ENSLTP package."
 - "If the system does not support the Trellix ENSLTP package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official."
 when:
 - rhel_07_020019
From aa0be1c5646c739899d39d014b4bc1cf220f6d49 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 1 Nov 2024 10:46:44 +0000
Subject: [PATCH 3/4] moved check_mode
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat1.yml | 6 +++---
 tasks/fix-cat2.yml | 34 +++++++++++++++++-----------------
 2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index d4b02673..99a580c6 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -573,8 +573,8 @@
 block:
 - name: "HIGH | RHEL-07-040540 | AUDIT | The Red Hat Enterprise Linux operating system must not contain .shosts files."
 ansible.builtin.shell: find / -xdev -not -fstype nfs -name '.shosts'
- check_mode: false
 changed_when: false
+ check_mode: false
 register: rhel_07_040540_audit
 - name: "HIGH | RHEL-07-040540 | PATCH | The Red Hat Enterprise Linux operating system must not contain .shosts files."
@@ -598,8 +598,8 @@
 block:
 - name: "HIGH | RHEL-07-040550 | AUDIT | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."
 ansible.builtin.shell: find / -xdev -not -fstype nfs -name 'shosts.equiv'
- check_mode: false
 changed_when: false
+ check_mode: false
 register: rhel_07_040550_audit
 - name: "HIGH | RHEL-07-040550 | PATCH | The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."
@@ -667,9 +667,9 @@
 block:
 - name: "HIGH | RHEL-07-040800 | AUDIT | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default."
 ansible.builtin.shell: grep {{ item }} /etc/snmp/snmpd.conf
- check_mode: false
 failed_when: false
 changed_when: false
+ check_mode: false
 register: rhel_07_040800_audit
 with_items:
 - public
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 7d923e58..c341d7d9 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -610,14 +610,14 @@
 block:
 - name: "MEDIUM | RHEL-07-010240 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime."
 ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
- check_mode: false
 changed_when: false
+ check_mode: false
 register: rhel_07_010240_audit
 - name: "MEDIUM | RHEL-07-010240 | PATCH | Passwords must be restricted to a 24 hours/1 day minimum lifetime."
 ansible.builtin.shell: chage -m 1 {{ item }}
- check_mode: false
 changed_when: true
+ check_mode: false
 with_items:
 - "{{ rhel_07_010240_audit.stdout_lines }}"
 when:
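Review bot: The RHEL-07-010240 PATCH task keeps `check_mode: false` on `chage -m 1 {{ item }}`, so an `ansible-playbook --check` run executes chage for real instead of simulating it; `check_mode: false` belongs only on the read-only AUDIT task above it. Drop the key from the PATCH task (Ansible then skips the shell module in check mode while `changed_when: true` still reports the pending change) and quote the username, `ansible.builtin.shell: chage -m 1 {{ item | quote }}`, since it is lifted verbatim from /etc/shadow. The block's `when:` list continues past the end of the hunk.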
@@ -653,8 +653,8 @@
 block:
 - name: "MEDIUM | RHEL-07-010260 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
 ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
- check_mode: false
 changed_when: false
+ check_mode: false
 register: rhel_07_010260_audit
 - name: "MEDIUM | RHEL-07-010260 | PATCH | Reset password timeout to prevent locking out user."
@@ -1428,9 +1428,9 @@
 block:
 - name: "MEDIUM | RHEL-07-020270 | AUDIT | The Red Hat Enterprise Linux operating system must not have unnecessary accounts."
 ansible.builtin.shell: "grep '^{{ item }}:' /etc/passwd"
- check_mode: false
 failed_when: rhel_07_020270_audit.rc > 1
 changed_when: rhel_07_020270_audit.rc == 0
+ check_mode: false
 register: rhel_07_020270_audit
 with_items:
 - "{{ rhel7stig_unnecessary_accounts }}"
@@ -1465,9 +1465,9 @@
 block:
 - name: "MEDIUM | RHEL-07-020320 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."
 ansible.builtin.shell: find "{{ item }}" -xdev -nouser
- check_mode: false
 failed_when: false
 changed_when: false
+ check_mode: false
 register: rhel_07_020320_audit
 with_items:
 - "{{ prelim_local_mount_names }}"
@@ -1497,9 +1497,9 @@
 block:
 - name: "MEDIUM | RHEL-07-020330 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."
 ansible.builtin.shell: find "{{ item }}" -xdev -nogroup
- check_mode: false
 failed_when: false
 changed_when: false
+ check_mode: false
 register: rhel_07_020330_audit
 with_items:
 - "{{ prelim_local_mount_names }}"
@@ -1632,8 +1632,8 @@
 block:
 - name: "MEDIUM | RHEL-07-020660 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."
 ansible.builtin.shell: "{{ find_command_base }} -print -quit"
- check_mode: false
 changed_when: rhel_07_020660_audit.stdout |length > 0
+ check_mode: false
 register: rhel_07_020660_audit
 with_items: "{{ rhel7stig_passwd }}"
 loop_control:
@@ -1669,8 +1669,8 @@
 block:
 - name: "MEDIUM | RHEL-07-020670 | AUDIT | Get all GIDs for each user."
 ansible.builtin.shell: id -G "{{ item.id }}"
- check_mode: false
 changed_when: false
+ check_mode: false
 register: rhel_07_all_gid_audit
 with_items:
 - "{{ rhel7stig_passwd }}"
@@ -1679,8 +1679,8 @@
 - name: "MEDIUM | RHEL-07-020670 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."
 ansible.builtin.shell: "{{ find_command_base }} -print -quit"
- check_mode: false
 changed_when: rhel_07_020670_audit.stdout| length > 0
+ check_mode: false
 register: rhel_07_020670_audit
 with_items:
 - "{{ rhel_07_all_gid_audit.results }}"
@@ -1725,8 +1725,8 @@
 - name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
 ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
- check_mode: false
 changed_when: rhel_07_020680_patch_audit.stdout| length > 0
+ check_mode: false
 register: rhel_07_020680_patch_audit
 with_together:
 - "{{ rhel_07_020680_audit.results | map(attribute='item') | list }}"
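Review bot: `id -G "{{ item.id }}"` in the RHEL-07-020670 GID-gathering task interpolates a username from `rhel7stig_passwd` inside shell double quotes, so a name containing `$`, a backtick or `"` is interpreted by the shell rather than passed literally; the 020680 hunk below already uses the safe form, so for consistency this should be `ansible.builtin.shell: id -G {{ item.id | quote }}`. Whether such names can actually reach this task depends on how `rhel7stig_passwd` is built, which is outside this diff. The `with_items` list continues past the end of the hunk.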
@@ -1785,8 +1785,8 @@
 block:
 - name: "MEDIUM | RHEL-07-020690 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."
 ansible.builtin.shell: "{{ find_command_base }} -print -quit"
- check_mode: false
 changed_when: rhel_07_020690_audit.stdout | length > 0
+ check_mode: false
 register: rhel_07_020690_audit
 with_items:
 - "{{ rhel7stig_passwd }}"
@@ -1823,8 +1823,8 @@
 block:
 - name: "MEDIUM | RHEL-07-020700 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."
 ansible.builtin.shell: "{{ find_command_base }} -print -quit"
- check_mode: false
 changed_when: rhel_07_020700_audit.stdout| length > 0
+ check_mode: false
 register: rhel_07_020700_audit
 with_items:
 - "{{ rhel7stig_passwd }}"
@@ -2220,9 +2220,9 @@
 block:
 - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
 ansible.builtin.shell: "systemctl show kdump | grep LoadState | cut -d = -f 2"
- register: rhel_07_021300_kdump_service_status
 changed_when: false
 check_mode: false
+ register: rhel_07_021300_kdump_service_status
 - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
 ansible.builtin.service:
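Review bot: The first RHEL-07-021300 task is a read-only probe (`systemctl show kdump | grep LoadState`, `changed_when: false`, `check_mode: false`) yet carries the same `PATCH` name as the `ansible.builtin.service` task that follows it, so the play output shows two identical PATCH lines and a reader cannot tell which one actually changed the system. Rename it `"MEDIUM | RHEL-07-021300 | AUDIT | Check whether the kdump unit is loaded"` to follow the AUDIT/PATCH convention used by the other tasks in this file. The service task's arguments lie outside the hunk.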
@@ -3352,9 +3352,9 @@
 "MEDIUM | RHEL-07-040190 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
 "MEDIUM | RHEL-07-040200 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
 ansible.builtin.shell: systemctl status sssd.service | grep "Active" | cut -d ':' -f1 | tr " " "\n" | sed '/^$/d'
- check_mode: false
 failed_when: false
 changed_when: false
+ check_mode: false
 register: rhel_07_040180_audit
 - name: |
@@ -4105,8 +4105,8 @@
 block:
 - name: "MEDIUM | RHEL-07-040680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."
 ansible.builtin.shell: "/usr/sbin/postconf -n smtpd_client_restrictions"
- check_mode: false
 changed_when: false
+ check_mode: false
 register: rhel_07_040680_postconf_audit
 when: "'postfix' in ansible_facts.packages"
@@ -4231,10 +4231,10 @@
 block:
 - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
 ansible.builtin.shell: cat /etc/fstab | grep nfs
- register: rhel_07_040750_nfssec_check
 changed_when: false
 failed_when: false
 check_mode: false
+ register: rhel_07_040750_nfssec_check
 - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
 ansible.builtin.debug:
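Review bot: The sssd probe pipes `systemctl status sssd.service | grep "Active" | cut -d ':' -f1 ...`, and `-f1` keeps the field before the colon, i.e. the literal label `Active`, not the state after it; so `rhel_07_040180_audit.stdout` carries no information about whether sssd is running, and any consumer of that register (outside the hunk) that tests the string is comparing against a constant. `systemctl is-active sssd.service` returns the state directly, and its non-zero exit for an inactive or missing unit is already masked by `failed_when: false`, so the line can simply become `ansible.builtin.shell: systemctl is-active sssd.service`. The task's multi-line name begins before this hunk.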
@@ -4361,13 +4361,13 @@
 block:
 - name: "MEDIUM | RHEL-07-041002 | AUDIT | Check if pam service is configured in sssd file"
 ansible.builtin.shell: 'grep -E "^\s*services\s*=.*pam" /etc/sssd/sssd.conf'
- check_mode: false
 changed_when:
 - sssd_services_check.rc == 1
 - not rhel7stig_skip_for_travis
 failed_when: false
 # todo: only run if sssd installed and config file present
 # failed_when: sssd_services_check.rc > 1
+ check_mode: false
 register: sssd_services_check
 - name: "MEDIUM | RHEL-07-041002 | PATCH | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."
From 744f42e274cb63fe9ea3405599bbe371b3898c98 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 1 Nov 2024 10:58:19 +0000
Subject: [PATCH 4/4] moved check_mode
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index c341d7d9..0744996b 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -4427,9 +4427,9 @@
 - name: "MEDIUM | RHEL-07-041010 | AUDIT | check if wifi is enabled"
 ansible.builtin.shell: nmcli radio wifi
- check_mode: false
 changed_when: false
 failed_when: rhel_07_wifi_enabled.rc not in [ 0, 1 ]
+ check_mode: false
 register: rhel_07_wifi_enabled
 when:
 - discovered_wireless_adapters.rc == 0
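Review bot: The RHEL-07-041002 audit flags only `rc == 1` (file present, no `services = ... pam` line) while `failed_when: false` swallows every other exit code, so a host with no /etc/sssd/sssd.conf at all (grep exits 2) is reported as neither changed nor failed, i.e. silently compliant with the PAM multifactor requirement; the inline todo already names this gap. Gate the task on a prior `ansible.builtin.stat` of /etc/sssd/sssd.conf (and report the control as not applicable when the file is absent), then restore the commented `failed_when: sssd_services_check.rc > 1` so an unreadable file fails loudly instead of passing. The PATCH task that consumes `sssd_services_check` starts at the end of the hunk.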