diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index fe51488c..00000000 --- a/.config/.gitleaks-report.json +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline deleted file mode 100644 index 2ad77429..00000000 --- a/.config/.secrets.baseline +++ /dev/null @@ -1,120 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json", - "tasks/parse_etc_passwd.yml", - "templates/pam_pkcs11.conf.j2" - ] - } - ], - "results": {}, - "generated_at": "2023-09-25T15:48:01Z" -} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 873f2757..717f0e69 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,14 +33,11 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: [ '--baseline', '.config/.secrets.baseline' ] - exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks rev: v8.18.2 hooks: - id: gitleaks - args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v24.2.0 diff --git a/Changelog.md b/Changelog.md index 9dd2c8df..c0bcafc1 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,7 +1,25 @@ # Changes to RHEL8STIG +## 3.1 - STIG V1R12 - 25th Oct 2023 + +ruleid updated + +- 010020 +- 010471 +- 030741 +- 030742 +- 040400 + +- added SSH validation +- added ansible_facts for variable usage + +- AUDIT + - Audit_only ability now added to run standalone audit + - audit_only: true + - Related Audit repo updated to improve tests audit binary(goss updated to latest version) + ## 3.0.3 - Stig V1R11 - 26th July 2023 -q + - updates to collections since galaxy updated - updates to audit diff --git a/README.md b/README.md index 8d27ce4a..9ed50479 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip). --- diff --git a/defaults/main.yml b/defaults/main.yml index e3c36861..58382591 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r11' +benchmark_version: 'v1r12' ## Benchmark name used by audting control role # The audit variable found at the base @@ -56,24 +56,46 @@ rhel8stig_skip_reboot: true # Defined will change if control requires change_requires_reboot: false -### Goss is required on the remote host +########################################## +### Goss is required on the remote host ### +## Refer to vars/auditd.yml for any other settings ## + +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false + +# enable audits to run - this runs the audit and get the latest content +run_audit: false + +# Only run Audit do not remediate +audit_only: false +# As part of audit_only +# This will enable files to be copied back to control node +fetch_audit_files: false +# Path to copy the files to will create dir structure +audit_capture_files_dir: /some/location to copy to on control node + # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# enable audits to run - this runs the audit and get the latest content -run_audit: false +# archive or copy: +audit_conf_copy: "some path to copy from" + +# get_url: +audit_files_url: "some url maybe s3?" # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system audit_run_heavy_tests: true -# Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 60000 ### End Goss enablements #### #### Detailed settings found at the end of this document #### @@ -900,55 +922,3 @@ rhel8stig_tmux_lock_after_time: 900 # The value given to Defaults timestamp timeout= in the sudo file. # Value must be greater than 0 to conform to STIG standards rhel8stig_sudo_timestamp_timeout: 1 - -#### Goss Configuration Settings #### -# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_run_script_environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_FILE: 'goss.yml' - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - -### Goss binary settings ### -audit_bin_version: - release: v0.3.23 - checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' -audit_bin_path: /usr/local/bin/ -audit_bin: "{{ audit_bin_path }}goss" -audit_format: json - -# if get_audit_binary_method == download change accordingly -audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64" - -## if get_audit_binary_method - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -audit_bin_copy_location: /some/accessible/path - -#### Goss Audit Benchmark file ### -## managed by the control audit_content -# git -audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}_rh8" - -# archive or copy: -audit_conf_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" - -## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" - -# If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" - -## The following should not need changing -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" -audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} diff --git a/handlers/main.yml b/handlers/main.yml index 3e6ff61d..c210d6f1 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,4 +1,9 @@ --- + +- name: change_requires_reboot + ansible.builtin.set_fact: + change_requires_reboot: true + - name: systemctl daemon-reload ansible.builtin.systemd: daemon_reload: true @@ -16,6 +21,7 @@ when: - not rhel8stig_system_is_chroot - "'openssh-server' in ansible_facts.packages" + - not change_requires_reboot - name: restart sssd ansible.builtin.service: @@ -30,6 +36,7 @@ state: restarted when: - not rhel8stig_system_is_chroot + - not change_requires_reboot - name: restart rsyslog ansible.builtin.service: @@ -82,6 +89,7 @@ - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot - not system_is_container + - not change_requires_reboot - name: update auditd ansible.builtin.template: @@ -98,6 +106,7 @@ - not rhel8stig_skip_for_travis - not rhel8stig_system_is_chroot - not system_is_container + - not change_requires_reboot - name: rebuild initramfs ansible.builtin.shell: dracut -f @@ -146,7 +155,3 @@ ansible.builtin.debug: msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" when: rhel8stig_oscap_scan - -- name: change_requires_reboot - ansible.builtin.set_fact: - change_requires_reboot: true diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index c8222b8e..7ef94b4a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,22 +1,34 @@ --- +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + when: ansible_facts.machine == "x86_64" + + - name: Pre Audit Setup | Set audit package name | ARM64 + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + when: ansible_facts.machine == "arm64" + - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ audit_bin_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ audit_bin_version.checksum }}" + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" mode: '0555' when: - get_audit_binary_method == 'download' -- name: Pre Audit Setup | copy audit binary +- name: Pre Audit Setup | Copy audit binary ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" + mode: '0555' owner: root group: root - mode: '0555' when: - get_audit_binary_method == 'copy' diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml new file mode 100644 index 00000000..864f5bbe --- /dev/null +++ b/tasks/audit_only.yml @@ -0,0 +1,30 @@ +--- + +- name: Audit_Only | Create local Directories for hosts + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory + when: fetch_audit_files + delegate_to: localhost + become: false + +- name: Audit_only | Get audits from systems and put in group dir + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" + when: fetch_audit_files + +- name: Audit_only | Show Audit Summary + when: + - audit_only + ansible.builtin.debug: + msg: "The Audit results are: {{ pre_audit_summary }}." + +- name: Audit_only | Stop Playbook Audit Only selected + when: + - audit_only + ansible.builtin.meta: end_play diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a215e10c..69fbcdbf 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -133,7 +133,7 @@ - CAT1 - CCI-000068 - SRG-OS-000033-GPOS-00014 - - SV-230223r792855_rule + - SV-230223r928585_rule - V-230223 - name: "HIGH | RHEL-08-010121 | PATCH | The RHEL 8 operating system must not have accounts configured with blank or null passwords." @@ -321,6 +321,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitEmptyPasswords' line: 'PermitEmptyPasswords no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_020330 diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 035503f3..527e99ef 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -112,6 +112,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?Banner' line: 'Banner /etc/issue' + validate: '/usr/sbin/sshd -T -f %s' when: - rhel8stig_ssh_required @@ -191,11 +192,42 @@ - V-230226 - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - line: "auth.*;authpriv.*;daemon.* /var/log/secure" - create: true - mode: '0644' + block: + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings info" + ansible.builtin.shell: grep '*.info' /etc/rsyslog.conf + changed_when: false + failed_when: false + register: rhel_08_010070_info_set_rsyslog + + - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings authpriv" + ansible.builtin.shell: grep 'authpriv.* /var/log/secure' /etc/rsyslog.conf + changed_when: false + failed_when: false + register: rhel_08_010070_authpriv_set_rsyslog + + - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings no info" + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + regexp: ^(?!#).*\/var\/log\/secure + line: 'auth.*;authpriv.*;daemon.* /var/log/secure' + create: true + mode: '0644' + when: + - rhel_08_010070_info_set_rsyslog.stdout == 0 + - rhel_08_010070_authpriv_set_rsyslog.stdout > 0 + + - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings if info set" + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + backrefs: true + regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) + line: \1authpriv.*\2/var/log/secure + create: true + mode: '0644' + when: + - rhel_08_010070_info_set_rsyslog.stdout | length > 0 + - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 + notify: restart rsyslog when: - rhel_08_010070 @@ -524,6 +556,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveCountMax.*' line: ClientAliveCountMax 1 + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010200 @@ -542,6 +575,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?ClientAliveInterval.*' line: "ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}" + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010201 @@ -1666,6 +1700,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?StrictModes' line: 'StrictModes yes' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010500 @@ -1684,6 +1719,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?IgnoreUserKnownHosts' line: 'IgnoreUserKnownHosts yes' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010520 @@ -1702,6 +1738,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?KerberosAuthentication' line: "KerberosAuthentication no" + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010521 @@ -1720,6 +1757,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?GSSAPIAuthentication' line: "GSSAPIAuthentication no" + validate: '/usr/sbin/sshd -T -f %s' when: - rhel_08_010522 - rhel8stig_ssh_required @@ -1776,6 +1814,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitRootLogin' line: 'PermitRootLogin no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010550 @@ -2747,6 +2786,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?PermitUserEnvironment' line: 'PermitUserEnvironment no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_010830 @@ -3260,16 +3300,17 @@ - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." block: - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled" - ansible.builtin.shell: "grep lock-enabled /etc/dconf/db/* -rI | sort -u | tail -n 1 | cut -f1 -d:" + ansible.builtin.shell: "grep -IlR ^lock-enabled /etc/dconf/db/*" changed_when: false failed_when: false register: rhel_08_020030_lock_enabled - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists" ansible.builtin.lineinfile: - path: "{{ rhel_08_020030_lock_enabled.stdout }}" - regexp: '^lock-enabled' + path: "{{ item }}" + regexp: ^lock-enabled line: lock-enabled=true + loop: "{{ rhel_08_020030_lock_enabled.stdout_lines }}" when: rhel_08_020030_lock_enabled.stdout | length > 0 notify: dconf update @@ -3372,13 +3413,13 @@ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed." block: - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - ansible.builtin.shell: 'grep "removal-action=" /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: "grep -IlR removal-action= /etc/dconf/db/*" changed_when: false failed_when: false register: rhel_08_020050_removal_action - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param" - ansible.builtin.shell: "grep removal-action= /etc/dconf/db/* -R | cut -f1 -d: | sed 's:.*/::'" + ansible.builtin.shell: "grep -IlR removal-action= /etc/dconf/db/* | sed 's:.*/::'" changed_when: false failed_when: false register: rhel_08_020050_removal_action_file @@ -3398,9 +3439,10 @@ - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists" ansible.builtin.lineinfile: - path: "{{ rhel_08_020050_removal_action.stdout }}" + path: "{{ item }}" regexp: ^removal-action= line: removal-action='lock-screen' + loop: "{{ rhel_08_020050_removal_action.stdout }}" when: rhel_08_020050_removal_action.stdout | length > 0 notify: dconf update @@ -3436,7 +3478,7 @@ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity." block: - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter" - ansible.builtin.shell: 'grep idle-delay= /etc/dconf/db/* -R | cut -f1 -d:' + ansible.builtin.shell: 'grep -IlR idle-delay= /etc/dconf/db/*' changed_when: false failed_when: false register: rhel_08_020060_idle_delay_param @@ -3458,14 +3500,15 @@ - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" ansible.builtin.lineinfile: - path: "{{ rhel_08_020060_idle_delay_param.stdout }}" + path: "{{ item }}" regexp: '^idle-delay=' line: idle-delay=uint32 900 owner: root group: root mode: 0640 - notify: dconf update + loop: "{{ rhel_08_020060_idle_delay_param.stdout }}" when: rhel_08_020060_idle_delay_param.stdout | length > 0 + notify: dconf update when: - rhel_08_020060 - "'dconf' in ansible_facts.packages" @@ -6119,7 +6162,7 @@ - CCI-001444 - SRG-OS-000299-GPOS-00117 - SV-230506r627750_rule - - V-23050 + - V-230506 - wifi - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled." @@ -6581,6 +6624,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?RekeyLimit' line: 'RekeyLimit 1G 1h' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_040161 @@ -7441,6 +7485,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?X11Forwarding' line: 'X11Forwarding no' + validate: '/usr/sbin/sshd -T -f %s' notify: restart sshd when: - rhel_08_040340 @@ -7459,6 +7504,7 @@ path: /etc/ssh/sshd_config regexp: '(?i)^#?X11UseLocalhost' line: 'X11UseLocalhost yes' + validate: '/usr/sbin/sshd -T -f %s' when: - rhel_08_040341 - rhel8stig_ssh_required @@ -7473,11 +7519,12 @@ - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs" block: - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" - ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g' + ansible.builtin.shell: grep -E "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g' changed_when: false + failed_when: false register: rhel8stig_current_kex - - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs" + - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | update KEXs" ansible.builtin.lineinfile: path: /etc/crypto-policies/back-ends/opensshserver.config regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)' @@ -7586,7 +7633,7 @@ - CAT2 - CCI-002265 - SRG-OS-000324-GPOS-00125 - - SV-254520r858835_rule + - SV-254520r928805_rule - V-254520 - selinux diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 66c817ca..31c8abb7 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -163,7 +163,7 @@ - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-230285r917876_rule + - SV-230285r928587_rule - SV-244527r743830_rule - V-230285 - V-244527 @@ -406,7 +406,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230485r627750_rule + - SV-230485r928590_rule - V-230485 - chrony @@ -422,7 +422,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230486r627750_rule + - SV-230486r928593_rule - V-230486 - chrony diff --git a/tasks/main.yml b/tasks/main.yml index c516e703..a1acf152 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,15 +4,15 @@ ansible.builtin.setup: gather_subset: distribution,!all,!min when: - - ansible_distribution is not defined + - ansible_facts.distribution is not defined tags: - always - name: Check OS version and family ansible.builtin.assert: - that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') - fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('8', '==') + fail_msg: "This role can only be run against RHEL/Rocky 8. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: - not skip_os_check tags: @@ -43,7 +43,7 @@ - system_is_container when: - ansible_connection == 'docker' or - ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - container_discovery - always @@ -92,7 +92,7 @@ - RHEL-08-010149 - name: Include OS specific variables - ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml" tags: - always @@ -134,10 +134,19 @@ - prelim_tasks - run_audit -- name: Include pre-remediation tasks - ansible.builtin.import_tasks: pre_remediation_audit.yml +- name: Include audit specific variables + ansible.builtin.include_vars: audit.yml when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit - run_audit + +- name: Include pre-remediation audit tasks + ansible.builtin.import_tasks: pre_remediation_audit.yml + when: + - run_audit or audit_only - setup_audit tags: - run_audit diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index ef4fbf6a..aada90e2 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml @@ -15,7 +15,7 @@ vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | + ld_passwd_yaml: | # pragma: allowlist secret id: >-4 \g password: >-4 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index fa9614b6..2c51bbb0 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,18 +1,28 @@ --- -- name: Post Audit | Capture audit data if json format - block: +- name: Post Audit | Run post_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: goss.yml - - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" +- name: Post Audit | ensure audit files readable by users + ansible.builtin.file: + path: "{{ item }}" + mode: '0644' + state: file + loop: + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" - - name: "capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "cat {{ post_audit_outfile }}" +- name: Post Audit | Capture audit data if json format + when: + - audit_format == "json" + block: + - name: capture data {{ post_audit_outfile }} + ansible.builtin.shell: cat {{ post_audit_outfile }} register: post_audit changed_when: false @@ -20,37 +30,17 @@ ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Post Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }} -f documentation" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - - name: "Post Audit | capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" + - name: Post Audit | capture data {{ post_audit_outfile }} + ansible.builtin.shell: tail -2 {{ post_audit_outfile }} register: post_audit changed_when: false - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" - when: - - audit_format == "documentation" - -- name: Post Audit | ensure audit files readable by users - ansible.builtin.file: - path: "{{ item }}" - mode: '0644' - state: file - loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 290170d6..e3a261e7 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,58 +1,58 @@ --- -- name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: - file: LE_audit_setup.yml +- name: Pre Audit Setup | Setup the LE audit when: - setup_audit tags: - setup_audit + ansible.builtin.include_tasks: LE_audit_setup.yml -- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit Setup | If using git for content set up + when: + - audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - when: "'git' not in ansible_facts.packages" - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" - when: - - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server +- name: Pre Audit Setup | Copy to audit content files to server + when: + - audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dest }}" mode: preserve - when: - - audit_content == 'copy' -- name: Pre Audit Setup | unarchive audit content files on server +- name: Pre Audit Setup | Unarchive audit content files on server + when: + - audit_content == 'archived' ansible.builtin.unarchive: src: "{{ audit_conf_copy }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'archived' -- name: Pre Audit Setup | get audit content from url +- name: Pre Audit Setup | Get audit content from url + when: + - audit_content == 'get_url' ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'get_url' - name: Pre Audit Setup | Check Goss is available + when: + - run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: @@ -60,34 +60,36 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available + when: + - not goss_available.stat.exists ansible.builtin.assert: - that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - run_audit - name: Pre Audit Setup | Copy ansible default vars values to test audit + tags: + - goss_template + - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: '0600' - when: - - run_audit - tags: - - goss_template + +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + - name: capture data {{ pre_audit_outfile }} + ansible.builtin.shell: cat {{ pre_audit_outfile }} register: pre_audit changed_when: false @@ -95,28 +97,22 @@ ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Pre Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }} -f documentation" - changed_when: true - environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" - - - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" + +- name: Audit_Only | Run Audit Only when: - - audit_format == "documentation" + - audit_only + ansible.builtin.import_tasks: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 4a04d26d..91b429df 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -49,7 +49,7 @@ - "'dconf' not in ansible_facts.packages" - rhel8stig_gui - - name: dconf directory structure + - name: "PRELIM | dconf directory structure setup" ansible.builtin.file: path: /etc/dconf/db/local.d/locks state: directory @@ -106,7 +106,7 @@ tags: - always -- name: ensure cronie is available +- name: "PRELIM | ensure cronie is available" ansible.builtin.package: name: cronie when: @@ -274,12 +274,12 @@ state: "{{ rhel8stig_service_started }}" enabled: true - - name: PRELIM | check if ssh host key exists + - name: PRELIM | Check if ssh host key exists ansible.builtin.stat: path: /etc/ssh/ssh_host_rsa_key register: rhel8stig_ssh_host_rsa_key_stat - - name: PRELIM | create ssh host key to allow 'sshd -t -f %s' to succeed + - name: PRELIM | Create ssh host key to allow 'sshd -t -f %s' to succeed ansible.builtin.shell: ssh-keygen -N '' -f /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 when: not rhel8stig_ssh_host_rsa_key_stat.stat.exists notify: clean up ssh host key @@ -302,7 +302,7 @@ - RHEL-08-010770 - complexity-high -- name: "MEDIUM | RHEL-08-010660 | RHEL-08-010770 | Set fact for home directory paths for interactive users" +- name: "PRELIM | RHEL-08-010660 | RHEL-08-010770 | Set fact for home directory paths for interactive users" ansible.builtin.set_fact: rhel_08_stig_interactive_homedir_inifiles: "{{ rhel_08_010770_ini_file_list.results | map(attribute='stdout_lines') | list }}" when: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 69484221..d9af9eae 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,6 +1,6 @@ ## metadata for Audit benchmark -benchmark_version: '1.11' +benchmark_version: {{ benchmark_version }} rhel8stig_os_distribution: {{ ansible_distribution | lower }} @@ -443,13 +443,13 @@ MAX_UID: {{ rhel8stig_interactive_uid_stop }} # RHEL_08_010040-010050-010060 rhel8stig_banner_file: /etc/issue rhel8stig_logon_banner: -- You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. -- By using this IS (which includes any device attached to this IS), you consent to the following conditions -- -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -- -At any time, the USG may inspect and seize data stored on this IS. -- -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -- -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -- -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + By using this IS (which includes any device attached to this IS), you consent to the following conditions + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. # RHEL_08_010680 to change if using hostfile only - seperate checks rhel8stig_uses_dns: true @@ -479,6 +479,3 @@ rhel8stig_remotelog_protocol: '{{ rhel8stig_remotelog_server.protocol }}' # RHEL_08_040137 python_bin: {{ ansible_python.executable }} - -# RHEL_08_040260-62 -rhel8stig_system_is_router: {{ rhel8stig_system_is_router }} diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 deleted file mode 100644 index 32c441b5..00000000 --- a/templates/pam_pkcs11.conf.j2 +++ /dev/null @@ -1,249 +0,0 @@ -# -# Configuration file for pam_pkcs11 module -# -# Version 0.4 -# Author: Juan Antonio Martinez -# -pam_pkcs11 { - # Allow empty passwords - nullok = true; - - # Enable debugging support. - debug = false; - - # If the smart card is inserted, only use it - card_only = true; - - # Do not prompt the user for the passwords but take them from the - # PAM_ items instead. - use_first_pass = false; - - # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK - # is unset. - try_first_pass = false; - - # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been - # previously set (intended for stacking password modules only). - use_authtok = false; - - # Filename of the PKCS #11 module. The default value is "default" - use_pkcs11_module = {{ rhel08stig_smartcarddriver }}; - - screen_savers = gnome-screensaver,xscreensaver,kscreensaver - - pkcs11_module {{ rhel08stig_smartcarddriver }} { - {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} - module = /usr/lib64/libcackey.so; - description = "{{ rhel08stig_smartcarddriver }}"; - slot_num = 0; - support_threads = false; - ca_dir = /etc/pam_pkcs11/cacerts; - crl_dir = /etc/pam_pkcs11/crls; - cert_policy = signature; - } - - pkcs11_module opensc { - module = opensc-pkcs11.so; - description = "OpenSC PKCS#11 module"; - # Slot-number to use. One for the first, two for the second and so - # on. The default value is zero which means to use the first slot - # with an available token. - slot_num = 0; - - # Path to the directory where the NSS CA certificate database is stored. - # you can mange the certs in this database with the certutil command in - # the package nss-tools - nss_dir = /etc/pki/nssdb; - - # Sets the Certificate Policy, (see above) - cert_policy = ca, signature; - } - - # Default pkcs11 module - pkcs11_module default { - module = /usr/$LIB/pam_pkcs11/pkcs11_module.so; - description = "Default pkcs#11 module"; - slot_num = 0; - #ca_dir = /etc/pam_pkcs11/cacerts; - #crl_dir = /etc/pam_pkcs11/crls; - nss_dir = /etc/pki/nssdb; - cert_policy = ca, signature; - } - - # Which mappers ( Cert to login ) to use? - # you can use several mappers: - # - # subject - Cert Subject to login file based mapper - # pwent - CN to getpwent() login or gecos fields mapper - # ldap - LDAP mapper - # opensc - Search certificate in ${HOME}/.eid/authorized_certificates - # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys - # mail - Compare email fields from certificate - # ms - Use Microsoft Universal Principal Name extension - # krb - Compare againts Kerberos Principal Name - # cn - Compare Common Name (CN) - # uid - Compare Unique Identifier - # digest - Certificate digest to login (mapfile based) mapper - # generic - User defined certificate contents mapped - # null - blind access/deny mapper - # - # You can select a comma-separated mapper list. - # If used null mapper should be the last in the list :-) - # Also you should select at least one mapper, otherwise - # certificate will not match :-) - use_mappers = cn, uid, pwent, null; - - # When no absolute path or module info is provided, use this - # value as module search path - # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH - mapper_search_path = /usr/$LIB/pam_pkcs11; - - # - # Generic certificate contents mapper - mapper generic { - debug = true; - module = /usr/$LIB/pam_pkcs11/generic_mapper.so; - # ignore letter case on match/compare - ignorecase = false; - # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid" - cert_item = cn; - # Define mapfile if needed, else select "none" - mapfile = file:///etc/pam_pkcs11/generic_mapping - # Decide if use getpwent() to map login - use_getpwent = false; - } - - # Certificate Subject to login based mapper - # provided file stores one or more "Subject -> login" lines - mapper subject { - debug = false; - # module = /usr/$LIB/pam_pkcs11/subject_mapper.so; - module = internal; - ignorecase = false; - mapfile = file:///etc/pam_pkcs11/subject_mapping; - } - - # Search public keys from $HOME/.ssh/authorized_keys to match users - mapper openssh { - debug = false; - module = /usr/$LIB/pam_pkcs11/openssh_mapper.so; - } - - # Search certificates from $HOME/.eid/authorized_certificates to match users - mapper opensc { - debug = false; - module = /usr/$LIB/pam_pkcs11/opensc_mapper.so; - } - - # Certificate Common Name ( CN ) to getpwent() mapper - mapper pwent { - debug = false; - ignorecase = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so; - } - - # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody" - mapper null { - debug = false; - # module = /usr/$LIB/pam_pkcs11/null_mapper.so; - module = internal ; - # select behavior: always match, or always fail - default_match = false; - # on match, select returned user - default_user = nobody ; - } - - # Directory ( ldap style ) mapper - mapper ldap { - debug = false; - module = /usr/$LIB/pam_pkcs11/ldap_mapper.so; - # where base directory resides - basedir = /etc/pam_pkcs11/mapdir; - # hostname of ldap server - ldaphost = "localhost"; - # Port on ldap server to connect - ldapport = 389; - # Scope of search: 0 = x, 1 = y, 2 = z - scope = 2; - # DN to bind with. Must have read-access for user entries under "base" - binddn = "cn=pam,o=example,c=com"; - # Password for above DN - passwd = "test"; - # Searchbase for user entries - base = "ou=People,o=example,c=com"; - # Attribute of user entry which contains the certificate - attribute = "userCertificate"; - # Searchfilter for user entry. Must only let pass user entry for the login user. - filter = "(&(objectClass=posixAccount)(uid=%s))" - } - - # Assume common name (CN) to be the login - mapper cn { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/cn_mapper.so; - ignorecase = true; - mapfile = file:///etc/pam_pkcs11/cn_map; - } - - # mail - Compare email field from certificate - mapper mail { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; - # Declare mapfile or - # leave empty "" or "none" to use no map - mapfile = file:///etc/pam_pkcs11/mail_mapping; - # Some certs store email in uppercase. take care on this - ignorecase = true; - # Also check that host matches mx domain - # when using mapfile this feature is ignored - ignoredomain = false; - } - - # ms - Use Microsoft Universal Principal Name extension - # UPN is in format login@ADS_Domain. No map is needed, just - # check domain name. - mapper ms { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/ms_mapper.so; - ignorecase = false; - ignoredomain = false; - domain = "domain.com"; - } - - # krb - Compare againts Kerberos Principal Name - mapper krb { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/krb_mapper.so; - ignorecase = false; - mapfile = "none"; - } - - # uid - Maps Subject Unique Identifier field (if exist) to login - mapper uid { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/uid_mapper.so; - ignorecase = false; - mapfile = "none"; - } - - # digest - elaborate certificate digest and map it into a file - mapper digest { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/digest_mapper.so; - # algorithm used to evaluate certificate digest - # Select one of: - # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160" - algorithm = "sha1"; - mapfile = file:///etc/pam_pkcs11/digest_mapping; - # mapfile = "none"; - } - -} diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 00000000..89e61a84 --- /dev/null +++ b/vars/audit.yml @@ -0,0 +1,41 @@ +--- + +#### Audit Configuration Settings #### + +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 120000 + +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" + +### Goss Audit Benchmark file ### +## managed by the control audit_content +# git +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: "benchmark_{{ benchmark_version }}_rh8" + +## Goss configuration information +# Where the goss configs and outputs are stored +audit_out_dir: '/opt' +# Where the goss audit configuration will be stored +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" + +# If changed these can affect other products +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing + +### Audit binary settings ### +audit_bin_version: + release: v0.4.4 + AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" +audit_results: | + The pre remediation results are: {{ pre_audit_summary }}. + The post remediation results are: {{ post_audit_summary }}. + Full breakdown can be found in {{ audit_out_dir }}