From a7aa04003fb7bfd55353a1079d4064ef11798e82 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 11:29:24 +0100 Subject: [PATCH 01/15] 20035 added and new vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fdbd905f..b76b7c04 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r10' +benchmark_version: 'v1r11' ## Benchmark name used by audting control role # The audit variable found at the base @@ -275,6 +275,7 @@ rhel_08_020210: true rhel_08_020220: true rhel_08_020221: true rhel_08_020230: true +rhel_08_020235: true rhel_08_020231: true rhel_08_020240: true rhel_08_020250: true @@ -733,6 +734,9 @@ rhel8stig_pam_faillock: fail_for_root: true dir: /var/log/faillock +# RHEL-08-020035 +rhel_08_020035_idlesessiontimeout: 900 + # RHEL-08-030670 # rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards rhel8stig_audisp_disk_full_action: single @@ -773,9 +777,11 @@ rhel8stig_login_defaults: create_home: 'yes' # RHEL-08-030690 uncomment and set the value to a remote IP address that can receive audit logs +# NOTE different protocol configs '@''=UDP '@@''=TCP '':omrelp:'=RELP rhel8stig_remotelog_server: server: 10.10.10.10 port: 9999 + protocol: '@@' # RHEL-08-030020 rhel8stig_auditd_mail_acct: root 
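Review bot: The added default `rhel_08_020235: true` in the @@ -275 hunk looks like a typo for `rhel_08_020035`: no task in this series is gated on `rhel_08_020235`, the goss vars template added in patch 02 renders `{{ rhel_08_020035 }}`, and patch 11 later adds `rhel_08_020035: true` separately in the 020032/020039 slot. Left as is, the role carries a dead toggle that nothing consumes, and it also sits out of numeric order between 020230 and 020231. Drop this line, or rename it to `rhel_08_020035: true` and place it after `rhel_08_020032`.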
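Review bot: `rhel_08_020035_idlesessiontimeout: 900` in the @@ -733 hunk says nothing about its unit or the bound the control imposes, and the value is written straight into `StopIdleSessionSec=` by the new task in patch 03, so a reader has to guess what is safe to change. Suggest `# RHEL-08-020035 idle time in seconds after which systemd-logind stops the session; must stay non-zero and at or below the STIG limit (900)` — confirm the exact bound against the V1R11 text before committing to the number in the comment.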
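Review bot: The comment added above `rhel8stig_remotelog_server` in the @@ -773 hunk is hard to read because of the doubled quotes (`'@''=UDP '@@''=TCP '':omrelp:'=RELP`) and does not say that the value is a prefix pasted verbatim in front of `host:port` in /etc/rsyslog.conf. Suggest `# protocol prefix for the rsyslog forwarding line: '@' = UDP, '@@' = TCP, ':omrelp:' = RELP (requires the omrelp module)`. The `:omrelp:` form only works when rsyslog has loaded omrelp, which nothing in this series does, and none of the three prefixes provides TLS on its own; stating that next to the variable keeps users from assuming the forwarded audit records are protected in transit.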
@@ -870,8 +876,8 @@ rhel8stig_white_list_services: # This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file # to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256 # to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256' -rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr" +rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com' +rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com" rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512" # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting From 1adc8d3bcd76b41bd232a69a4886c05dfa6511a0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:20:11 +0100 Subject: [PATCH 02/15] added 20035 and vars Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 93f210e6..8218bcf0 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,6 +1,6 @@ ## metadata for Audit benchmark -benchmark_version: '1.10' +benchmark_version: '1.11' rhel8stig_os_distribution: {{ ansible_distribution | lower }} 
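Review bot: The two comment lines kept as context above `rhel8stig_ssh_macs` and `rhel8stig_ssh_ciphers` still say the variables "must include hmac-sha2-512,hmac-sha2-256" and "aes256-ctr,aes192-ctr,aes128-ctr", while the new values add the `-etm@openssh.com` MACs and the two `-gcm@openssh.com` ciphers; a reader checking the values against the comment will take the additions for non-compliant extras. Update the comments to the full V1R11 sets, e.g. `# RHEL-08-010290 (V1R11): must include hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com`, and the equivalent for the ciphers line. The comment block describing the openssh.config setting starts before this hunk.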
@@ -210,6 +210,7 @@ RHEL_08_020028: {{ rhel_08_020028 }} RHEL_08_020030: {{ rhel_08_020030 }} RHEL_08_020031: {{ rhel_08_020031 }} RHEL_08_020032: {{ rhel_08_020032 }} +RHEL_08_020035: {{ rhel_08_020035 }} RHEL_08_020039: {{ rhel_08_020039 }} RHEL_08_020040: {{ rhel_08_020040 }} RHEL_08_020041: {{ rhel_08_020041 }} @@ -459,6 +460,9 @@ rhel8stig_aide_cron_file: /etc/cron.d/aide # RHEL_08_200027 &28 rhel8stig_pam_faillock_dir: {{ rhel8stig_pam_faillock.dir }} +# RHEL_08_020035 +rhel_08_020035_idlesessiontimeout: {{ rhel_08_020035_idlesessiontimeout }} + # RHEL_08_030040 - Options are SYSLOG, SINGLE, and HALT to fit STIG standards rhel8stig_auditd_disk_error_action: {{ rhel8stig_auditd_disk_error_action }} @@ -471,6 +475,7 @@ rhel8stig_auditd_disk_full_action: {{ rhel8stig_auditd_disk_full_action }} # RHEL_08_030690 if using remote syslog server rhel8stig_remotelog_server: {{ rhel8stig_remotelog_server.server }} rhel8stig_remotelog_port: {{ rhel8stig_remotelog_server.port }} +rhel8stig_remotelog_protocol: {{ rhel8stig_remotelog_server.protocol }} # RHEL_08_040137 python_bin: {{ ansible_python.executable }} From 50c0deea412bb522d3551a6cf13b287ef989e417 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:21:25 +0100 Subject: [PATCH 03/15] 20035added. tmux update and ruleid Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 43 ++++++++++++++++++++++++++++++------------- 1 file changed, 30 insertions(+), 13 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 4b62cf1b..2b23d85c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -98,7 +98,7 @@ - CAT2 - CCI-001199 - SRG-OS-000185-GPOS-00079 - - SV-230224r809268_rule + - SV-230224r917864_rule - V-230224 - name: | @@ -533,7 +533,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-230244r858697_rule + - SV-230244r917867_rule - V-230244 - ssh 
@@ -551,7 +551,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-244525r858699_rule + - SV-244525r917886_rule - V-244525 - ssh @@ -820,7 +820,7 @@ - RHEL-08-010290 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-230251r743937_rule + - SV-230251r917870_rule - V-230251 - fips @@ -845,7 +845,7 @@ - RHEL-08-010291 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-230252r877394_rule + - SV-230252r917873_rule - V-230252 - fips @@ -2661,7 +2661,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230325r627750_rule + - SV-230325r917879_rule - V-230325 - complexity-high @@ -3293,6 +3293,22 @@ - V-230347 - gui +- name: "MEDIUM | RHEL-08-020035 | PATCH | RHEL 8 must terminate idle user sessions." + ansible.builtin.lineinfile: + path: "/etc/systemd/logind.conf" + regexp: '^StopIdleSessionSec=|^\# StopIdleSessionSec=' + line: "StopIdleSessionSec= {{ rhel_08_020035_idlesessiontimeout }}" + when: + - rhel_08_020035 + tags: + - RHEL-08-020035 + - CAT2 + - CCI-001133 + - SRG-OS-000163-GPOS-00072 + - SV-257258r917891_rule + - V-257258 + - session + - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions." block: - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux" @@ -3332,7 +3348,7 @@ if [ "$PS1" ]; then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) exec tmux ;; esac + case "$name" in (sshd|login) tmux ;; esac fi create: true when: @@ -3342,7 +3358,7 @@ - CAT2 - CCI-000056 - SRG-OS-000028-GPOS-00009 - - SV-230349r880737_rule + - SV-230349r917920_rule - V-230349 - tmux 
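Review bot: In the new RHEL-08-020035 task the `line:` value is `StopIdleSessionSec= {{ rhel_08_020035_idlesessiontimeout }}` with a space after `=`; systemd trims whitespace around `=` as far as I recall, but the STIG check text and scanners match `StopIdleSessionSec=900` literally, so the space invites a false finding — use `line: "StopIdleSessionSec={{ rhel_08_020035_idlesessiontimeout }}"`. The `regexp:` only matches a commented line written as `# StopIdleSessionSec=` with exactly one space, whereas the stock logind.conf ships the key as `#StopIdleSessionSec=`, so the commented default stays and a second line is appended; `regexp: '^#?\s*StopIdleSessionSec='` covers both forms. Nothing in the task notifies a handler, so the value only takes effect once systemd-logind is restarted or the host reboots; add a `notify` for an existing logind or reboot handler (none is visible here) or document the restart requirement in the task. `StopIdleSessionSec` is, as far as I know, only understood by the systemd build in later RHEL 8 minor releases, so a version guard or at least a comment would spare users on older 8.x a setting that is silently ignored.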
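Review bot: Dropping `exec` from the profile.d script changes what happens when the tmux session ends: the user now lands back in the plain login shell that spawned it, which is not covered by tmux's lock-after-time, whereas `exec tmux` ended the login when tmux exited. If this is deliberate (the commit subject suggests it follows the V1R11 check text), the script deserves a one-line comment saying so, e.g. `# V1R11 wording: plain tmux rather than exec, the parent shell remains after tmux exits`; otherwise `case "$name" in (sshd|login) tmux && exit ;; esac` keeps the old behaviour without the `exec` while still leaving a shell if tmux fails to start. The surrounding `ansible.builtin.blockinfile` task (and its `when`/tags) continues outside the hunk.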
@@ -5620,7 +5636,7 @@ ansible.builtin.lineinfile: path: /etc/rsyslog.conf regexp: '^.*\@\@' - line: "*.* @@{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" + line: "*.* {{ rhel8stig_remotelog_server.protocol }}{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}" when: - rhel_08_030690 tags: @@ -5628,7 +5644,7 @@ - CAT2 - CCI-001851 - SRG-OS-000342-GPOS-00133 - - SV-230479r627750_rule + - SV-230479r917883_rule - V-230479 - auditd - rsyslog @@ -6545,8 +6561,8 @@ - CAT2 - CCI-002418 - SRG-OS-000423-GPOS-00187 - - SV-244549r743896_rule - - SV-230526r744032_rule + - SV-244549r916422_rule + - SV-230526r916422_rule - V-244549 - V-230526 - ssh @@ -7403,7 +7419,8 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-255924r880733_rule + - SV-255924r917888_rule + - V-255924 - fips - name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode." From 4343f1525f21432c68603ca30a3a38a144d3678f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:21:36 +0100 Subject: [PATCH 04/15] ruleid update Signed-off-by: Mark Bolwell --- tasks/fix-cat3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index ac9b6dc3..39c12a56 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -157,7 +157,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230285r627750_rule + - SV-230285r917876_rule - SV-244527r743830_rule - V-230285 - V-244527 From 86420c00e3a9affcf4d877366ac1e3d598d8cf55 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:21:49 +0100 Subject: [PATCH 05/15] 1.11 update Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3b48ccf1..79083a39 100644 --- a/README.md +++ b/README.md 
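Review bot: `regexp: '^.*\@\@'` in the rsyslog forwarding task no longer matches what the task writes once `rhel8stig_remotelog_server.protocol` is `'@'` or `':omrelp:'`, so changing the protocol after a first run appends a second `*.*` forwarding line instead of replacing the old one; it also matches any line that merely contains `@@`, comments included. Anchor it on the selector and all three prefixes: `regexp: '^\*\.\*\s+(@@?|:omrelp:)'`. The `:omrelp:` option additionally needs the omrelp module loaded in rsyslog, which this task does not arrange; a `$ModLoad omrelp` step gated on the protocol, or at least a comment on the variable, is needed for that option to produce a working configuration.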
@@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 10 released on April 24, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R10_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip). --- From 7c8c29a8ce395490ee74ab81395b9b04758a3e33 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 12:22:00 +0100 Subject: [PATCH 06/15] updated Signed-off-by: Mark Bolwell --- Changelog.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/Changelog.md b/Changelog.md index 1198104f..e6091c5a 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,28 @@ # Changes to RHEL8STIG +## Stig V1R11 - 26th July 2023 + +### 3.0.0 + +Controls updated + +- CAT2: + - 010030 - ruleid + - 010200 - ruleid + - 010201 - ruleid + - 010290 - ruleid and SSH MACS updated + - 010291 - ruleid and SSH Ciphers updated + - 010770 - ruleid + - 020035 - new control idlesession timeout new var rhel_08_020035_idlesessiontimeout + - 020041 - ruleid and tmux script update + - 030690 - ruleid and protocol options added + - 040159 - ruleid + - 040160 - ruleid + - 040342 - ruleid and SSH KEX algorithms updated + +- CAT3 + - 010471 - ruleid + ## 2.9.2 - #216 check that sudo user has a password check improvement From 288a534e06186658c0a8b2d5f724ca848ecf4a6b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 13:35:49 +0100 Subject: [PATCH 07/15] updated lint config Signed-off-by: Mark Bolwell --- .ansible-lint | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 964eb052..b717f678 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -6,12 +6,11 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' + - 'key-order[task]' - '204' - '305' - '303' From f3b54c846de79286d0d7f8e42d66f6d63d9abc29 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 13:36:02 +0100 Subject: [PATCH 08/15] updated kex comments Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index b76b7c04..f346d73b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -878,6 +878,8 @@ rhel8stig_white_list_services: # to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com' rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com" +# RHEL-08-040342 +# Expected Values for FIPS KEX algorithims rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512" # This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting From 632488397d291f47888953b44a737c9136b8a4a9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 13:36:23 +0100 Subject: [PATCH 09/15] lint Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 4 ++-- tasks/fix-cat2.yml | 10 +++++----- vars/is_container.yml | 2 ++ 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 7b147fa5..03408954 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -54,7 +54,7 @@ check_mode: false changed_when: false failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1 - when: rhel_08_010020_default_grub_missing_audit is changed + when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler register: rhel_08_010020_grub_cmdline_linux_audit - name: "HIGH | RHEL-08-010020 | PATCH | Copy over a sane /etc/default/grub" @@ -66,7 +66,7 @@ mode: 0644 vars: grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" - when: rhel_08_010020_default_grub_missing_audit is changed + when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler - name: "HIGH | RHEL-08-010020 | PATCH | fips=1 must be in /etc/default/grub" ansible.builtin.replace: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 2b23d85c..c481acf8 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -243,7 +243,7 @@ mode: '0700' - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair" - openssh_keypair: + community.crypto.openssh_keypair: path: "{{ rhel8stig_path_to_sshkey }}/id_rsa" when: - rhel_08_010100 @@ -3234,7 +3234,7 @@ "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory. MEDIUM | RHEL-08-020028 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory." ansible.builtin.shell: "restorecon -irvF {{ rhel8stig_pam_faillock.dir }}" - when: add_faillock_secontext.changed + when: add_faillock_secontext.changed # noqa no-handler when: - rhel_08_020027 or rhel_08_020028 
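Review bot: Switching `openssh_keypair` to `community.crypto.openssh_keypair` makes the role depend explicitly on the community.crypto collection; unless it is already declared in a requirements.yml or meta/runtime.yml (neither is part of this series), users on a minimal ansible-core install will fail at this task with a resolution error. Add the collection to the role's requirements and mention it in the README alongside the other prerequisites. The rest of the task (its `when:` list and tags) continues outside the hunk.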
@@ -4280,10 +4280,10 @@ with_items: "{{ rhel8stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file" - include_tasks: parse_etc_passwd.yml + ansible.builtin.include_tasks: parse_etc_passwd.yml vars: rhel8stig_passwd_tasks: "RHEL-08-020320" - when: rhel_08_020320_accounts_removed is changed + when: rhel_08_020320_accounts_removed is changed # noqa no-handler when: - rhel_08_020320 tags: @@ -6101,7 +6101,7 @@ - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled" ansible.builtin.shell: nmcli radio wifi off - when: rhel_08_wifi_enabled is changed + when: rhel_08_wifi_enabled is changed # noqa no-handler when: - rhel_08_040110 tags: diff --git a/vars/is_container.yml b/vars/is_container.yml index f8f2f8c2..e08cbead 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -1,3 +1,5 @@ +--- + # Container vars file rhel8stig_ssh_required: false From 0f1d472157b3c72a01398b89ad75640cd3ae7b48 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 13:36:37 +0100 Subject: [PATCH 10/15] removed var not used Signed-off-by: Mark Bolwell --- vars/main.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index 3d2ab14d..f01c9ff9 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,4 +1,5 @@ --- + rhel8stig_min_ansible_version: 2.10.1 rhel8stig_dconf_available: "{{ rhel8stig_gui or rhel8stig_dconf_audit.rc == 0 or 
@@ -43,7 +44,3 @@ rhel8stig_re_qp_key_end: (?:" *) # insert the parameter at the beginning or append to the end, default append rhel8stig_re_qp_insert: "{{ insert | default(not (append | default(true))) }}" - -# RHEL-08-040342 -# Expected Values for FIPS KEX algorithims -FIPS_KEX_ALGO: '-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' From 9332efa544f32ff4bb748697869d8c2c497b8195 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 15:52:55 +0100 Subject: [PATCH 11/15] added rule 020035 Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index f346d73b..ae94f434 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -246,6 +246,7 @@ rhel_08_020028: true rhel_08_020030: true rhel_08_020031: true rhel_08_020032: true +rhel_08_020035: true rhel_08_020039: true rhel_08_020040: true rhel_08_020041: true From 6a5f8d072b4e04b07d871b0e2c3894e1270fabea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 16:43:59 +0100 Subject: [PATCH 12/15] updates to auditing with goss Signed-off-by: Mark Bolwell --- defaults/main.yml | 29 +++++------ tasks/LE_audit_setup.yml | 14 ++--- tasks/post_remediation_audit.yml | 14 ++--- tasks/pre_remediation_audit.yml | 83 ++++++++++++++---------------- tasks/prelim.yml | 8 ++- templates/ansible_vars_goss.yml.j2 | 18 +------ 6 files changed, 71 insertions(+), 95 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ae94f434..12466a98 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
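Review bot: The removed `FIPS_KEX_ALGO` carried a `-oKexAlgorithms=` prefix, whereas its replacement `rhel8stig_ssh_kex` in defaults/main.yml is written as `KexAlgorithms=...` without `-o`; if any task still templates the KEX value into the `CRYPTO_POLICY` option string (the consuming task is not in this series), the form matters, so a grep for both names should confirm the caller was updated along with the variable. The commit title says the variable is unused; a changelog line pointing users who overrode `FIPS_KEX_ALGO` in inventory at `rhel8stig_ssh_kex` would make the removal less surprising.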
@@ -61,7 +61,7 @@ setup_audit: false # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded -get_goss_file: download +get_audit_binary_method: download # how to get audit files onto host options # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf 
@@ -910,29 +910,29 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -goss_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' +audit_bin_version: + release: v0.3.23 + checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json -# if get_goss_file == download change accordingly -goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" -## if get_goss_file - copy the following needs to be updated for your environment +## if get_audit_binary_method - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node ## e.g copy from ansible control node to remote host -copy_goss_from_path: /some/accessible/path +audit_bin_copy_location: /some/accessible/path -### Goss Audit Benchmark file ### +#### Goss Audit Benchmark file ### ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark_{{ benchmark_version }}_rh8" -# copy: -audit_local_copy: "some path to copy from" +# archive or copy: +audit_conf_copy: "some path to copy from" # get_url: audit_files_url: "some url maybe s3?" 
@@ -941,14 +941,13 @@ audit_files_url: "some url maybe s3?" # Where the goss configs and outputs are stored audit_out_dir: '/opt' # Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing -goss_file: "{{ audit_conf_dir }}goss.yml" audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" audit_results: | The pre remediation results are: {{ pre_audit_summary }}. diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index b4ac4d25..4ef8469f 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
@@ -1,22 +1,22 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ goss_url }}" + url: "{{ audit_bin_url }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ goss_version.checksum }}" + checksum: "{{ audit_bin_version.checksum }}" mode: 0555 when: - - get_goss_file == 'download' + - get_audit_binary_method == 'download' -- name: copy audit binary +- name: Pre Audit Setup | copy audit binary ansible.builtin.copy: - src: + src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: 0555 owner: root group: root when: - - get_goss_file == 'copy' + - get_audit_binary_method == 'copy' diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 821afd4d..370d2f66 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,11 +2,11 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: rhel8stig_run_post_remediation.rc == 0 - register: rhel8stig_run_post_remediation - vars: - warn: false + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Post Audit | ensure audit files readable by users ansible.builtin.file: @@ -19,12 +19,12 @@ - name: Post Audit | Capture audit data if json format block: - - name: Post Audit | "capture data {{ post_audit_outfile }}" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - - name: Post Audit | Capture post-audit result + - name: Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: 
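Review bot: Replacing `environment: "{{ audit_run_script_environment | default({}) }}"` with a literal AUDIT_BIN/AUDIT_CONTENT_LOCATION/AUDIT_FILE map in the post-remediation audit task removes the override hook that defaults/main.yml still advertises as `audit_run_script_environment` (visible as context at the top of the @@ -910 hunk of defaults/main.yml in this same patch), so a user who sets it now sees it silently ignored; the pre-remediation task in tasks/pre_remediation_audit.yml (@@ -89 hunk) makes the same change. Either remove the now-dead default, or keep the override by merging it in: `environment: "{{ {'AUDIT_BIN': audit_bin, 'AUDIT_CONTENT_LOCATION': audit_out_dir, 'AUDIT_FILE': 'goss.yml'} | combine(audit_run_script_environment | default({})) }}"`. With `register` gone and `changed_when: true`, a non-zero exit from run_audit.sh is the only failure signal left, which is fine provided the script does exit non-zero on error — worth a comment if that has been checked.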
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index c09253a3..8083b7f2 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -1,71 +1,72 @@ --- -- name: "Pre Audit | Setup the audit" +- name: Audit Binary Setup | Setup the LE audit ansible.builtin.include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit -- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" +- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' -- name: "Pre Audit | If using git for content set up" +- name: Pre Audit Setup | If using git for content set up block: - - name: Pre Audit | Install git (rh8 python3) + - name: Pre Audit Setup | Install git (rh8 python3) ansible.builtin.package: name: git state: present - when: - - ansible_distribution_major_version == "8" - - audit_content == "git" - - "'git' not in ansible_facts.packages" + when: ansible_distribution_major_version == '8' - - name: "Pre Audit | Install git (rh7 python2)" + - name: Pre Audit Setup | Install git (rh7 python2) ansible.builtin.package: name: git state: present vars: ansible_python_interpreter: "{{ python2_bin }}" - when: - - ansible_distribution_major_version == "7" - - audit_content == "git" - - "'git' not in ansible_facts.packages" + when: ansible_distribution_major_version == '7' -- name: "Pre Audit | retrieve audit content files from git" - ansible.builtin.git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + - name: Pre Audit Setup | retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - audit_content == 'git' -- name: "Pre Audit | copy to audit content files to server" +- name: Pre Audit Setup | copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + dest: "{{ audit_conf_dest }}" + mode: preserve when: - audit_content == 'copy' -- name: "Pre Audit | get audit content from url" +- name: Pre 
Audit Setup | unarchive audit content files on server + ansible.builtin.unarchive: + src: "{{ audit_conf_copy }}" + dest: "{{ audit_conf_dir }}" + when: + - audit_content == 'archived' + +- name: Pre Audit Setup | get audit content from url ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" when: - audit_content == 'get_url' -- name: "Pre Audit | Check Goss is available" +- name: Pre Audit Setup | Check Goss is available block: - - name: Pre Audit | Check for goss file + - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" register: goss_available - - name: "Pre Audit | If audit ensure goss is available" + - name: Pre Audit Setup | If audit ensure goss is available ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: @@ -73,14 +74,7 @@ when: - run_audit -- name: "Pre Audit | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel8_efi_boot - tags: - - goss_template - -- name: "Pre Audit | Copy ansible default vars values to test audit" +- name: Pre Audit Setup | Copy ansible default vars values to test audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" 
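Review bot: The `copy` branch of the content setup still reads `src: "{{ audit_local_copy }}"` and now writes to `dest: "{{ audit_conf_dest }}"`, but this same patch renames `audit_local_copy` to `audit_conf_copy` in defaults/main.yml and defines no `audit_conf_dest` anywhere visible, so `audit_content: copy` fails on an undefined variable. Use `src: "{{ audit_conf_copy }}"` and `dest: "{{ audit_conf_dir }}"`, or add an `audit_conf_dest` default. The new `archived` branch is also missing from the "options are git/copy/get_url" comment in defaults/main.yml (@@ -61 hunk). Separately, the git branch fetches `version: "{{ audit_git_version }}"`, which defaults to a branch name (`benchmark_<version>_rh8`), and the get_url branch has no `checksum:`; since the `run_audit.sh` from that content is then executed by the role (typically with become), pinning to a tag or commit and adding a checksum for get_url would keep the audit content from changing underneath the role.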
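Review bot: The removed "Check whether machine is UEFI-based" task registered `rhel8_efi_boot` under the `goss_template` tag, which suggests the goss vars template consumed it; the template hunks in this patch show no matching removal, so confirm `templates/ansible_vars_goss.yml.j2` no longer references `rhel8_efi_boot`, otherwise the template task that follows fails on an undefined variable. If the fact is still needed, moving the stat into prelim.yml with `tags: - always` would match what this patch does for the other prelim facts.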
@@ -89,23 +83,24 @@ - run_audit tags: - goss_template + - always - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: rhel8stig_run_pre_remediation.rc == 0 - register: rhel8stig_run_pre_remediation - vars: - warn: false + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" -- name: "Pre Audit | Capture audit data if json format" +- name: Pre Audit | Capture audit data if json format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + - name: "capture data {{ pre_audit_outfile }}" ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - - name: "Pre Audit | Capture pre-audit result" + - name: Pre Audit | Capture pre-audit result ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: @@ -113,14 +108,14 @@ when: - audit_format == "json" -- name: "Pre Audit | Capture audit data if documentation format" +- name: Pre Audit | Capture audit data if documentation format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - - name: "Pre Audit | Capture pre-audit result" + - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index b6436d95..a2984325 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -323,11 +323,7 @@ rhel_08_020250 or rhel_08_020290 tags: - - RHEL-08-010400 - - RHEL-08-020250 - - RHEL-08-020090 - - RHEL-08-020290 - - pamd + - always - name: "PRELIM | Gather interactive user ID min" block: @@ -347,6 +343,8 @@ ansible.builtin.set_fact: rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" + tags: + - always - name: Gather the package facts ansible.builtin.package_facts: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 8218bcf0..e81f9658 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -475,26 +475,10 @@ rhel8stig_auditd_disk_full_action: {{ rhel8stig_auditd_disk_full_action }} # RHEL_08_030690 if using remote syslog server rhel8stig_remotelog_server: {{ rhel8stig_remotelog_server.server }} rhel8stig_remotelog_port: {{ rhel8stig_remotelog_server.port }} -rhel8stig_remotelog_protocol: {{ rhel8stig_remotelog_server.protocol }} +rhel8stig_remotelog_protocol: '{{ rhel8stig_remotelog_server.protocol }}' # RHEL_08_040137 python_bin: {{ ansible_python.executable }} # RHEL_08_040260-62 rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} - -# RHEL-08-020010 -# RHEL-08-020011 -# RHEL-08-020012 -# RHEL-08-020013 -# RHEL-08-020014 -# RHEL-08-020015 -# RHEL-08-020016 -# RHEL-08-020017 -# RHEL-08-020018 -# RHEL-08-020019 -# RHEL-08-020020 -# RHEL-08-020021 -# RHEL-08-020022 -# RHEL-08-020023 - From f365e4d7e8a9c6f3266502f05feea3876ae74ebe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 16:48:24 +0100 Subject: [PATCH 13/15] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index e6091c5a..564fd851 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -23,6 +23,8 @@ Controls updated - CAT3 - 010471 - ruleid +- audit updated new version and variable naming + ## 2.9.2 - #216 check that sudo user has a password check improvement From 12fd48eff16d8c0dcfe49c7e0f773ba969d2b94f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 08:46:57 +0100 Subject: [PATCH 14/15] improved run order for finish of playbook Signed-off-by: Mark Bolwell --- tasks/main.yml | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 4e8f298c..53875d00 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -165,23 +165,29 @@ - name: flush handlers ansible.builtin.meta: flush_handlers - tags: - - CAT1 - - CAT2 - - CAT3 -- name: reboot system if changes require it and not skipped - ansible.builtin.reboot: - when: - - change_requires_reboot - - not rhel8stig_skip_reboot - tags: - - always +- name: reboot system + block: + - name: reboot system if not skipped + ansible.builtin.reboot: + when: + - change_requires_reboot + - not rhel8stig_skip_reboot -- name: Include post-remediation tasks + - name: Warning a reboot required but skip option set + ansible.builtin.debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true + when: + - change_requires_reboot + - rhel8stig_skip_reboot + +- name: run post remediation audit ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit + tags: + - always - name: Show Audit Summary ansible.builtin.debug: @@ -190,13 +196,4 @@ - run_audit tags: - run_audit - -- name: Warning a reboot required but skip option set - ansible.builtin.debug: - msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" - changed_when: true - when: - - change_requires_reboot - - rhel8stig_skip_reboot - tags: - always 
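Review bot: The new `reboot system` block has no `tags:`, whereas the reboot task it replaces was tagged `always` (as was the warning task, see the deletion in the @@ -190 hunk); when the playbook is run with `--tags CAT2` or similar, untagged tasks are skipped, so the reboot and the warning are silently dropped while the post-remediation audit, now tagged `always`, runs against an un-rebooted host — the very compliance-result distortion the warning message describes. Add `tags: - always` to the block. The explicit `meta: flush_handlers` also lost its CAT1/CAT2/CAT3 tags; whether an untagged explicit flush still runs under `--tags` depends on the Ansible version, so tagging it `always` as well is the safe choice.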
From b796550f09cbe1878d80119945228e98a7bb4b22 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 08:47:04 +0100 Subject: [PATCH 15/15] updated Signed-off-by: Mark Bolwell --- Changelog.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 564fd851..0b5158f6 100644 --- a/Changelog.md +++ b/Changelog.md @@ -23,7 +23,8 @@ Controls updated - CAT3 - 010471 - ruleid -- audit updated new version and variable naming +- audit variables updated, new version +- tidied up the end of the playbook ordering with reboot taking place(if set and enabled) prior to audit now. ## 2.9.2