diff --git a/tasks/main.yml b/tasks/main.yml index c1e3f51..dac5eda 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -331,6 +331,7 @@ tags: - CCE-82214-8 - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1.5 - enable_strategy - low_complexity - low_disruption @@ -526,6 +527,7 @@ validate: /usr/sbin/visudo -cf %s tags: - CCE-83798-9 + - PCI-DSS-Req-10.2.1.5 - low_complexity - low_disruption - medium_severity @@ -971,8 +973,6 @@ - name: Read signatures in GPG key command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - args: - warn: false changed_when: false register: gpg_fingerprints check_mode: false @@ -1174,8 +1174,6 @@ cmd: rpm -qV pam register: result_altered_authselect ignore_errors: true - args: - warn: false when: - configure_strategy | bool - enable_authselect | bool @@ -5371,6 +5369,7 @@ - NIST-800-171-3.1.6 - NIST-800-53-CM-6(a) - NIST-800-53-IA-2 + - PCI-DSS-Req-8.6.1 - low_complexity - low_disruption - medium_severity @@ -5496,6 +5495,7 @@ - NIST-800-53-AC-2(5) - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 + - PCI-DSS-Req-8.6.1 - accounts_tmout - low_complexity - low_disruption @@ -5525,6 +5525,7 @@ - NIST-800-53-AC-2(5) - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 + - PCI-DSS-Req-8.6.1 - accounts_tmout - low_complexity - low_disruption @@ -5554,6 +5555,7 @@ - NIST-800-53-AC-2(5) - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 + - PCI-DSS-Req-8.6.1 - accounts_tmout - low_complexity - low_disruption 
@@ -5561,17 +5563,20 @@ - no_reboot_needed - restrict_strategy -- name: Replace user umask in /etc/bashrc - replace: +- name: Check if umask in /etc/bashrc is already set + ansible.builtin.lineinfile: path: /etc/bashrc - regexp: umask.* - replace: umask {{ var_accounts_user_umask }} + regexp: ^(\s*)umask\s+.* + state: absent + check_mode: true + changed_when: false register: umask_replace tags: - CCE-81036-6 - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -5587,8 +5592,35 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Append user umask in /etc/bashrc - lineinfile: +- name: Replace user umask in /etc/bashrc + ansible.builtin.replace: + path: /etc/bashrc + regexp: ^(\s*)umask(\s+).* + replace: \g<1>umask\g<2>{{ var_accounts_user_umask }} + when: + - DISA_STIG_RHEL_08_020353 | bool + - accounts_umask_etc_bashrc | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - umask_replace.found > 0 + tags: + - CCE-81036-6 + - DISA-STIG-RHEL-08-020353 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 + - accounts_umask_etc_bashrc + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure the Default umask is Appended Correctly + ansible.builtin.lineinfile: create: true path: /etc/bashrc line: umask {{ var_accounts_user_umask }} @@ -5600,12 +5632,13 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - umask_replace is not changed + - umask_replace.found == 0 tags: - CCE-81036-6 - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption 
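Review bot: The check task keeps the register name `umask_replace` although it no longer replaces anything, while the parallel /etc/login.defs check in the following hunks registers `result_umask_is_set`; a name such as `result_umask_is_set_bashrc` (constructed) would make the check/replace/append sequence read the same in both places. The `umask_replace.found > 0` and `umask_replace.found == 0` tests in the replace and append tasks only work because they sit last in their `when` lists and Ansible stops evaluating at the first false condition, so a skipped check task never reaches them; that dependency deserves a comment above the check task, e.g. `# check_mode + state: absent only counts matching lines (.found); the replace/append tasks below must test that count last in their when lists`. The check task's own `when` list continues past the first hunk, so I cannot confirm it is gated identically to the two tasks that consume its result.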
@@ -5621,6 +5654,7 @@ - DISA-STIG-RHEL-08-020351 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -5636,12 +5670,14 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: Ensure the Default UMASK is Set Correctly - replace: +- name: Check if UMASK is already set + ansible.builtin.lineinfile: path: /etc/login.defs - regexp: ^UMASK - replace: UMASK {{ var_accounts_user_umask }} - register: umask_replace + regexp: ^(\s*)UMASK\s+.* + state: absent + check_mode: true + changed_when: false + register: result_umask_is_set when: - DISA_STIG_RHEL_08_020351 | bool - accounts_umask_etc_login_defs | bool @@ -5656,6 +5692,35 @@ - DISA-STIG-RHEL-08-020351 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 + - accounts_umask_etc_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Replace user UMASK in /etc/login.defs + ansible.builtin.replace: + path: /etc/login.defs + regexp: ^(\s*)UMASK(\s+).* + replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }} + when: + - DISA_STIG_RHEL_08_020351 | bool + - accounts_umask_etc_login_defs | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"shadow-utils" in ansible_facts.packages' + - result_umask_is_set.found > 0 + tags: + - CCE-82888-9 + - DISA-STIG-RHEL-08-020351 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -5664,7 +5729,7 @@ - restrict_strategy - name: Ensure the Default UMASK is Appended Correctly - lineinfile: + ansible.builtin.lineinfile: create: true path: /etc/login.defs line: UMASK {{ var_accounts_user_umask }} 
@@ -5677,12 +5742,13 @@ - no_reboot_needed | bool - restrict_strategy | bool - '"shadow-utils" in ansible_facts.packages' - - umask_replace is not changed + - result_umask_is_set.found == 0 tags: - CCE-82888-9 - DISA-STIG-RHEL-08-020351 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -5703,6 +5769,7 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption @@ -5728,6 +5795,7 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption @@ -5762,6 +5830,7 @@ - DISA-STIG-RHEL-08-020353 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption 
@@ -6335,11 +6404,85 @@ - restrict_strategy - rsyslog_remote_loghost +- name: Get omfwd configuration directive + shell: sed -e '/^action\s*(\s*type\s*=\s*"omfwd"/,/)/!d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf || true + register: include_omfwd_config_output + when: + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_remote_tls | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-82457-3 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - rsyslog_remote_tls + +- name: Get include files directives + shell: 'set -o pipefail echo \"{{ include_omfwd_config_output.stdout }}\"|grep ''StreamDriver=\"gtls\"'' + + ' + register: include_omfwd_gtls_config_output + when: + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_remote_tls | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (include_omfwd_config_output.stdout_lines| length > 0) + tags: + - CCE-82457-3 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - rsyslog_remote_tls + +- name: Set rsyslog omfwd to use TLS + lineinfile: + dest: /etc/rsyslog.conf + line: action(type="omfwd" protocol="tcp" Target="{{ rsyslog_remote_loghost_address }}" port="6514" StreamDriver="gtls" + StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on") + create: true + when: + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - rsyslog_remote_tls | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] + - (include_omfwd_gtls_config_output is skipped ) or ("gtls" not in include_omfwd_gtls_config_output.stdout) + tags: + - CCE-82457-3 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - rsyslog_remote_tls + - name: List /etc/sysctl.d/*.conf files find: paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$ patterns: '*.conf' file_type: any @@ -6361,7 +6504,7 @@ - sysctl_net_ipv6_conf_all_accept_ra_defrtr - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.accept_ra_defrtr @@ -6412,6 +6555,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$ patterns: '*.conf' file_type: any @@ -6433,7 +6577,7 @@ - sysctl_net_ipv6_conf_all_accept_ra_pinfo - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.accept_ra_pinfo @@ -6484,6 +6628,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$ patterns: '*.conf' file_type: any 
@@ -6505,7 +6650,7 @@ - sysctl_net_ipv6_conf_all_accept_ra_rtr_pref - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.accept_ra_rtr_pref @@ -6556,6 +6701,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.all.accept_redirects.*$ patterns: '*.conf' file_type: any @@ -6585,7 +6731,7 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_redirects -- name: Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.all.accept_redirects from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.accept_redirects @@ -6652,6 +6798,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.all.accept_source_route.*$ patterns: '*.conf' file_type: any @@ -6679,7 +6826,7 @@ - reboot_required - sysctl_net_ipv6_conf_all_accept_source_route -- name: Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.all.accept_source_route from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.accept_source_route @@ -6742,6 +6889,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.all.autoconf.*$ patterns: '*.conf' file_type: any @@ -6763,7 +6911,7 @@ - sysctl_net_ipv6_conf_all_autoconf - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.all.autoconf from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.all.autoconf from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.autoconf 
@@ -6814,6 +6962,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.all.max_addresses.*$ patterns: '*.conf' file_type: any @@ -6835,7 +6984,7 @@ - sysctl_net_ipv6_conf_all_max_addresses - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.all.max_addresses from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.max_addresses @@ -6886,6 +7035,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.all.router_solicitations.*$ patterns: '*.conf' file_type: any @@ -6907,7 +7057,7 @@ - sysctl_net_ipv6_conf_all_router_solicitations - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.all.router_solicitations from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.all.router_solicitations @@ -6958,6 +7108,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$ patterns: '*.conf' file_type: any @@ -6979,7 +7130,7 @@ - sysctl_net_ipv6_conf_default_accept_ra_defrtr - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.accept_ra_defrtr @@ -7030,6 +7181,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$ patterns: '*.conf' file_type: any 
@@ -7051,7 +7203,7 @@ - sysctl_net_ipv6_conf_default_accept_ra_pinfo - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.accept_ra_pinfo @@ -7102,6 +7254,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$ patterns: '*.conf' file_type: any @@ -7123,7 +7276,7 @@ - sysctl_net_ipv6_conf_default_accept_ra_rtr_pref - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.accept_ra_rtr_pref @@ -7174,6 +7327,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.default.accept_redirects.*$ patterns: '*.conf' file_type: any @@ -7201,7 +7355,7 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_redirects -- name: Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.default.accept_redirects from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.accept_redirects @@ -7264,6 +7418,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.default.accept_source_route.*$ patterns: '*.conf' file_type: any @@ -7286,6 +7441,7 @@ - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption 
@@ -7293,7 +7449,7 @@ - reboot_required - sysctl_net_ipv6_conf_default_accept_source_route -- name: Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.default.accept_source_route from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.accept_source_route @@ -7317,6 +7473,7 @@ - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -7348,6 +7505,7 @@ - NIST-800-53-CM-6.1(iv) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -7360,6 +7518,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.default.autoconf.*$ patterns: '*.conf' file_type: any @@ -7381,7 +7540,7 @@ - sysctl_net_ipv6_conf_default_autoconf - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.default.autoconf from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.default.autoconf from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.autoconf @@ -7432,6 +7591,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.default.max_addresses.*$ patterns: '*.conf' file_type: any @@ -7453,7 +7613,7 @@ - sysctl_net_ipv6_conf_default_max_addresses - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.default.max_addresses from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.default.max_addresses from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.max_addresses @@ -7504,6 +7664,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv6.conf.default.router_solicitations.*$ patterns: '*.conf' file_type: any 
@@ -7525,7 +7686,7 @@ - sysctl_net_ipv6_conf_default_router_solicitations - unknown_severity -- name: Comment out any occurrences of net.ipv6.conf.default.router_solicitations from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv6.conf.default.router_solicitations from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv6.conf.default.router_solicitations @@ -7576,6 +7737,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.all.accept_redirects.*$ patterns: '*.conf' file_type: any @@ -7605,7 +7767,7 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_redirects -- name: Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.all.accept_redirects from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.accept_redirects @@ -7672,6 +7834,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.all.accept_source_route.*$ patterns: '*.conf' file_type: any @@ -7701,7 +7864,7 @@ - reboot_required - sysctl_net_ipv4_conf_all_accept_source_route -- name: Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.all.accept_source_route from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.accept_source_route @@ -7768,6 +7931,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.all.log_martians.*$ patterns: '*.conf' file_type: any 
@@ -7793,7 +7957,7 @@ - sysctl_net_ipv4_conf_all_log_martians - unknown_severity -- name: Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.all.log_martians from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.log_martians @@ -7852,6 +8016,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.all.rp_filter.*$ patterns: '*.conf' file_type: any @@ -7873,6 +8038,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -7880,7 +8046,7 @@ - reboot_required - sysctl_net_ipv4_conf_all_rp_filter -- name: Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.all.rp_filter from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.rp_filter @@ -7903,6 +8069,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -7933,6 +8100,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -7945,6 +8113,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.all.secure_redirects.*$ patterns: '*.conf' file_type: any @@ -7964,6 +8133,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption 
@@ -7971,7 +8141,7 @@ - reboot_required - sysctl_net_ipv4_conf_all_secure_redirects -- name: Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.all.secure_redirects from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.secure_redirects @@ -7992,6 +8162,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -8020,6 +8191,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -8032,6 +8204,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.default.accept_redirects.*$ patterns: '*.conf' file_type: any @@ -8054,6 +8227,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -8061,7 +8235,7 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_redirects -- name: Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.default.accept_redirects from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.accept_redirects @@ -8085,6 +8259,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -8116,6 +8291,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -8128,6 +8304,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.default.accept_source_route.*$ patterns: '*.conf' file_type: any 
@@ -8157,7 +8334,7 @@ - reboot_required - sysctl_net_ipv4_conf_default_accept_source_route -- name: Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.default.accept_source_route from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.accept_source_route @@ -8224,6 +8401,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.default.rp_filter.*$ patterns: '*.conf' file_type: any @@ -8250,7 +8428,7 @@ - reboot_required - sysctl_net_ipv4_conf_default_rp_filter -- name: Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.default.rp_filter from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.rp_filter @@ -8311,6 +8489,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.default.secure_redirects.*$ patterns: '*.conf' file_type: any @@ -8337,7 +8516,7 @@ - reboot_required - sysctl_net_ipv4_conf_default_secure_redirects -- name: Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.default.secure_redirects from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.secure_redirects @@ -8398,6 +8577,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$ patterns: '*.conf' file_type: any @@ -8416,6 +8596,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption 
@@ -8423,7 +8604,7 @@ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - unknown_severity -- name: Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses @@ -8443,6 +8624,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -8470,6 +8652,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 + - PCI-DSS-Req-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -8482,6 +8665,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.ip_local_port_range.*$ patterns: '*.conf' file_type: any @@ -8503,7 +8687,7 @@ - reboot_required - sysctl_net_ipv4_ip_local_port_range -- name: Comment out any occurrences of net.ipv4.ip_local_port_range from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.ip_local_port_range from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.ip_local_port_range @@ -8554,6 +8738,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.tcp_rfc1337.*$ patterns: '*.conf' file_type: any @@ -8575,7 +8760,7 @@ - reboot_required - sysctl_net_ipv4_tcp_rfc1337 -- name: Comment out any occurrences of net.ipv4.tcp_rfc1337 from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.tcp_rfc1337 from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.tcp_rfc1337 @@ -8626,6 +8811,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.tcp_syncookies.*$ patterns: '*.conf' file_type: any 
@@ -8648,6 +8834,7 @@ - NIST-800-53-SC-5(1) - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) + - PCI-DSS-Req-1.4.1 - disable_strategy - low_complexity - medium_disruption @@ -8655,7 +8842,7 @@ - reboot_required - sysctl_net_ipv4_tcp_syncookies -- name: Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.tcp_syncookies from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.tcp_syncookies @@ -8679,6 +8866,7 @@ - NIST-800-53-SC-5(1) - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) + - PCI-DSS-Req-1.4.1 - disable_strategy - low_complexity - medium_disruption @@ -8710,6 +8898,7 @@ - NIST-800-53-SC-5(1) - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) + - PCI-DSS-Req-1.4.1 - disable_strategy - low_complexity - medium_disruption @@ -8722,6 +8911,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.all.send_redirects.*$ patterns: '*.conf' file_type: any @@ -8752,7 +8942,7 @@ - reboot_required - sysctl_net_ipv4_conf_all_send_redirects -- name: Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.all.send_redirects from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.all.send_redirects @@ -8821,6 +9011,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.conf.default.send_redirects.*$ patterns: '*.conf' file_type: any @@ -8851,7 +9042,7 @@ - reboot_required - sysctl_net_ipv4_conf_default_send_redirects -- name: Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.conf.default.send_redirects from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.conf.default.send_redirects 
@@ -8920,6 +9111,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*net.ipv4.ip_forward.*$ patterns: '*.conf' file_type: any @@ -8940,6 +9132,8 @@ - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.3.1 + - PCI-DSS-Req-1.3.2 - disable_strategy - low_complexity - medium_disruption @@ -8947,7 +9141,7 @@ - reboot_required - sysctl_net_ipv4_ip_forward -- name: Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of net.ipv4.ip_forward from config files replace: path: '{{ item.path }}' regexp: ^[\s]*net.ipv4.ip_forward @@ -8969,6 +9163,8 @@ - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.3.1 + - PCI-DSS-Req-1.3.2 - disable_strategy - low_complexity - medium_disruption @@ -8998,6 +9194,8 @@ - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) + - PCI-DSS-Req-1.3.1 + - PCI-DSS-Req-1.3.2 - disable_strategy - low_complexity - medium_disruption @@ -9219,6 +9417,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*fs.protected_hardlinks.*$ patterns: '*.conf' file_type: any @@ -9244,7 +9443,7 @@ - reboot_required - sysctl_fs_protected_hardlinks -- name: Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of fs.protected_hardlinks from config files replace: path: '{{ item.path }}' regexp: ^[\s]*fs.protected_hardlinks @@ -9303,6 +9502,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*fs.protected_symlinks.*$ patterns: '*.conf' file_type: any @@ -9328,7 +9528,7 @@ - reboot_required - sysctl_fs_protected_symlinks -- name: Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of fs.protected_symlinks from config files replace: path: '{{ item.path }}' regexp: ^[\s]*fs.protected_symlinks 
@@ -11740,6 +11940,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.dmesg_restrict.*$ patterns: '*.conf' file_type: any @@ -11766,7 +11967,7 @@ - reboot_required - sysctl_kernel_dmesg_restrict -- name: Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.dmesg_restrict from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.dmesg_restrict @@ -11827,6 +12028,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.modules_disabled.*$ patterns: '*.conf' file_type: any @@ -11848,7 +12050,7 @@ - reboot_required - sysctl_kernel_modules_disabled -- name: Comment out any occurrences of kernel.modules_disabled from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.modules_disabled from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.modules_disabled @@ -11899,6 +12101,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.perf_cpu_time_max_percent.*$ patterns: '*.conf' file_type: any @@ -11920,7 +12123,7 @@ - reboot_required - sysctl_kernel_perf_cpu_time_max_percent -- name: Comment out any occurrences of kernel.perf_cpu_time_max_percent from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.perf_cpu_time_max_percent from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.perf_cpu_time_max_percent @@ -11971,6 +12174,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.perf_event_max_sample_rate.*$ patterns: '*.conf' file_type: any 
@@ -11992,7 +12196,7 @@ - reboot_required - sysctl_kernel_perf_event_max_sample_rate -- name: Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.perf_event_max_sample_rate from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.perf_event_max_sample_rate @@ -12043,6 +12247,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.perf_event_paranoid.*$ patterns: '*.conf' file_type: any @@ -12067,7 +12272,7 @@ - reboot_required - sysctl_kernel_perf_event_paranoid -- name: Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.perf_event_paranoid from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.perf_event_paranoid @@ -12124,6 +12329,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.pid_max.*$ patterns: '*.conf' file_type: any @@ -12145,7 +12351,7 @@ - reboot_required - sysctl_kernel_pid_max -- name: Comment out any occurrences of kernel.pid_max from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.pid_max from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.pid_max @@ -12196,6 +12402,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.sysrq.*$ patterns: '*.conf' file_type: any @@ -12217,7 +12424,7 @@ - reboot_required - sysctl_kernel_sysrq -- name: Comment out any occurrences of kernel.sysrq from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.sysrq from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.sysrq @@ -12268,6 +12475,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.yama.ptrace_scope.*$ patterns: '*.conf' file_type: any 
@@ -12292,7 +12500,7 @@ - reboot_required - sysctl_kernel_yama_ptrace_scope -- name: Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.yama.ptrace_scope from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.yama.ptrace_scope @@ -12349,6 +12557,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*vm.mmap_min_addr.*$ patterns: '*.conf' file_type: any @@ -12370,7 +12579,7 @@ - reboot_required - sysctl_vm_mmap_min_addr -- name: Comment out any occurrences of vm.mmap_min_addr from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of vm.mmap_min_addr from config files replace: path: '{{ item.path }}' regexp: ^[\s]*vm.mmap_min_addr @@ -12421,6 +12630,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*fs.suid_dumpable.*$ patterns: '*.conf' file_type: any @@ -12444,7 +12654,7 @@ - reboot_required - sysctl_fs_suid_dumpable -- name: Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of fs.suid_dumpable from config files replace: path: '{{ item.path }}' regexp: ^[\s]*fs.suid_dumpable @@ -12521,6 +12731,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.kptr_restrict.*$ patterns: '*.conf' file_type: any @@ -12548,7 +12759,7 @@ - reboot_required - sysctl_kernel_kptr_restrict -- name: Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.kptr_restrict from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.kptr_restrict @@ -12611,6 +12822,7 @@ paths: - /etc/sysctl.d/ - /run/sysctl.d/ + - /usr/local/lib/sysctl.d/ contains: ^[\s]*kernel.randomize_va_space.*$ patterns: '*.conf' file_type: any 
@@ -12631,6 +12843,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) + - PCI-DSS-Req-2.2.1 - disable_strategy - low_complexity - medium_disruption @@ -12638,7 +12851,7 @@ - reboot_required - sysctl_kernel_randomize_va_space -- name: Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files +- name: Comment out any occurrences of kernel.randomize_va_space from config files replace: path: '{{ item.path }}' regexp: ^[\s]*kernel.randomize_va_space @@ -12660,6 +12873,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) + - PCI-DSS-Req-2.2.1 - disable_strategy - low_complexity - medium_disruption @@ -12689,6 +12903,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) + - PCI-DSS-Req-2.2.1 - disable_strategy - low_complexity - medium_disruption @@ -12836,9 +13051,9 @@ state: present when: - DISA_STIG_RHEL_08_010170 | bool + - high_severity | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - selinux_state | bool @@ -12852,9 +13067,9 @@ - NIST-800-53-AC-3(3)(a) - NIST-800-53-AU-9 - NIST-800-53-SC-7(21) + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - restrict_strategy - selinux_state @@ -13203,11 +13418,13 @@ - postfix_network_listening_disabled | bool - restrict_strategy | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '' tags: - CCE-82174-4 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - PCI-DSS-Req-2.2.4 - low_complexity - low_disruption - medium_severity @@ -13238,6 +13455,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - PCI-DSS-Req-2.2.4 - low_complexity - low_disruption - medium_severity 
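Review bot: In the `@@ -12836` hunk the gating condition for the SELinux state task changes from `medium_severity | bool` to `high_severity | bool`; because the `when:` list is AND-ed, a consumer that runs the role with `high_severity: false` (for example to stage a lower-severity pass first) will now skip enforcing SELinux without any warning. That is a behaviour change for existing users rather than a metadata fix, and deserves a changelog entry alongside the tag update in `@@ -12852`. The task's module block starts above the hunk, so the target setting itself is not visible here.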
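Review bot: In the `@@ -13203` hunk the added `when:` element `- ''` is an empty conditional; on the ansible-core versions I know, an empty-string condition is treated as true and contributes nothing, and stricter releases may reject a non-boolean conditional outright. It is also the only element in that list not of the `name | bool` form, which suggests a template that emitted an empty condition rather than an intended check. Drop the line, or replace it with the variable that was meant to gate the task.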
@@ -13259,6 +13477,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82874-9 + - PCI-DSS-Req-10.6.1 - enable_strategy - low_complexity - low_disruption @@ -13398,6 +13617,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-IA-5(1)(c) + - PCI-DSS-Req-2.2.4 - disable_strategy - high_severity - low_complexity @@ -13509,6 +13729,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - PCI-DSS-Req-2.2.4 - disable_strategy - high_severity - low_complexity @@ -13613,6 +13834,7 @@ - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.6 - configure_strategy - file_permissions_sshd_private_key - low_complexity @@ -13644,6 +13866,7 @@ - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.6 - configure_strategy - file_permissions_sshd_private_key - low_complexity @@ -13674,6 +13897,7 @@ - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.6 - configure_strategy - file_permissions_sshd_private_key - low_complexity @@ -13705,6 +13929,7 @@ - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-2.2.6 - configure_strategy - file_permissions_sshd_private_key - low_complexity @@ -13740,6 +13965,7 @@ insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s when: + - DISA_STIG_RHEL_08_010200 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -13750,6 +13976,7 @@ tags: - CCE-80907-9 - CJIS-5.5.6 + - DISA-STIG-RHEL-08-010200 - NIST-800-171-3.1.11 - NIST-800-53-AC-12 - NIST-800-53-AC-17(a) @@ -13764,7 +13991,7 @@ - restrict_strategy - sshd_set_keepalive -- name: Set SSH Idle Timeout Interval +- name: Set SSH Client Alive Interval block: - name: Check for duplicate values lineinfile: @@ -13869,6 +14096,7 @@ - NIST-800-53-CM-7(b) - NIST-800-53-IA-2 - NIST-800-53-IA-2(5) + - PCI-DSS-Req-2.2.6 - low_complexity - low_disruption - medium_severity
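Review bot: In the `@@ -13740` hunk the new `when:` element `DISA_STIG_RHEL_08_010200 | bool` references a variable whose default is not part of this diff; if it is not declared in the role's defaults, the conditional fails with an undefined-variable error rather than skipping the task. The existing siblings such as `DISA_STIG_RHEL_08_020353 | bool` follow the same pattern, so presumably a matching `DISA_STIG_RHEL_08_010200: true` default is expected — worth confirming it is added in the same change. The task's `lineinfile` block starts above the hunk.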