diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 398d1818..fb8d454b 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -333,22 +333,6 @@
 - V-204448
 - yum
-# - name: |
-# "HIGH | RHEL-07-020210 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux."
-# "HIGH | RHEL-07-020220 | PATCH | The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."
-# selinux:
-# state: enforcing
-# policy: targeted
-# check_mode: "{{ ansible_check_mode or rhel7stig_system_is_chroot }}"
-# when:
-# - rhel_07_020210 or rhel_07_020220
-# - not rhel7stig_system_is_container
-# - ansible_distribution_file_variety == "RedHat"
-# tags:
-# - RHEL-07-020210
-# - RHEL-07-020220
-# - selinux
-
 - name: "HIGH | RHEL-07-020230 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."
 systemd:
 name: ctrl-alt-del.target
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 2f998af4..a465e436 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1267,60 +1267,6 @@
 - V-204464
 - complexity-high
-# - name: "MEDIUM | RHEL-07-020600 | The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file."
-# block:
-# - name: capture audit task for missing homedirs
-# block: &r7s_homedir_audit
-# - name: "MEDIUM | RHEL-07-020600 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file."
-# shell: set -o pipefail ; pwck -r | grep -P {{ ld_regex | quote }}
-# check_mode: no
-# register: rhel7stig_users_missing_home
-# changed_when: rhel7stig_07_20600_audit | length > 0
-# # failed_when: 0: success, 1: no grep match, 2: pwck found something
-# failed_when: rhel7stig_users_missing_home.rc not in [0,1,2]
-# when:
-# - rhel7stig_disruptive
-# tags:
-# - disruption-high
-
-# ### NOTE: due to https://github.com/ansible/ansible/issues/24862 This is a shell command, and is quite frankly less than ideal.
-# - name: "MEDIUM | RHEL-07-020600 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file."
-# command: "mkhomedir_helper {{ item }}"
-# check_mode: "{{ rhel7stig_disruptive_check_mode }}"
-# with_items: "{{ rhel7stig_07_20600_audit | map(attribute='id') | list }}"
-# when:
-# - rhel7stig_users_missing_home is changed
-# - rhel7stig_disruptive # not technically required
-# tags:
-# - disruption-high
-# ### NOTE: Now we need to address that SELINUX will not let mkhomedir_helper create home directories for UUID < 500, so the ftp user will still show up in a pwck. Not sure this is needed, as the ftp user is removed in rhel7stig_unnecessary_accounts. However these next two tasks won't make any changes if the system accounts are removed previously in RHEL-07-020270.
-# ### ^ Likely doesn't matter as 020620 defines "local interactive users" as those w/ uid 1000-4999
-# - name: replay audit task
-# block: *r7s_homedir_audit
-# when:
-# - rhel7stig_complex
-# tags:
-# - complexity-high
-# # CAUTION: debug loops don't show changed since 2.4:
-# # Fix: https://github.com/ansible/ansible/pull/59958
-# - name: "MEDIUM | RHEL-07-020600 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file."
-# debug: msg="You will need to mkdir -p {{ item }} and chown properly to the correct owner and group."
-# with_items: "{{ rhel7stig_07_20600_audit | map(attribute='dir') | list }}"
-# changed_when: rhel7stig_audit_complex
-# when:
-# - rhel7stig_users_missing_home is changed
-# - rhel7stig_complex # not technically required
-# tags:
-# - complexity-high
-# vars:
-# ld_regex: >-
-# ^user '(?P.*)': directory '(?P.*)' does not exist$
-# ld_users: "{{ rhel7stig_users_missing_home.stdout_lines | map('regex_replace', ld_regex, '\\g') | list }}"
-# rhel7stig_07_20600_audit: "{{ rhel7stig_passwd | selectattr('uid', '>=', rhel7stig_int_gid) | selectattr('id', 'in', ld_users) | list }}"
-# when:
-# - rhel_07_020600
-# - ansible_distribution_file_variety == "RedHat"
-
 - name: "MEDIUM | RHEL-07-020610 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."
 lineinfile:
 dest: /etc/login.defs
@@ -2708,62 +2654,6 @@
 # ####### 040000 #######
 # ######################
-# # NOTE: 040520 has to come before 040100 because the naming conventions of STIG do not lend themselves to ordered operations. IE: I need to start the service before I can audit incoming ports to what zones, etc.
-# - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
-# block:
-# - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
-# package:
-# name: firewalld
-# state: present
-# vars:
-# ansible_python_interpreter: "{{ python2_bin }}"
-# when:
-# - "'firewalld' not in ansible_facts.packages"
-# - rhel_07_040520
-# - rhel7stig_firewall_service == "firewalld"
-# - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
-# tags:
-# - RHEL-07-040520
-# - firewall
-
-# - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
-# package:
-# name: iptables-services
-# state: present
-# vars:
-# ansible_python_interpreter: "{{ python2_bin }}"
-# when:
-# - "'iptables-services' not in ansible_facts.packages"
-# - rhel_07_040520
-# - rhel7stig_firewall_service == "iptables"
-# - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
-# tags:
-# - RHEL-07-040520
-# - firewall
-
-# - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
-# service:
-# name: "{{ rhel7stig_firewall_service }}"
-# state: "{{ rhel7stig_service_started }}"
-# enabled: yes
-# when:
-# - rhel_07_040520
-# - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
-# - rhel7stig_start_firewall_service
-# tags:
-# - RHEL-07-040520
-# - firewall
-# when:
-# - rhel_07_040520
-# - rhel7stig_firewall_service == 'firewalld' or rhel7stig_firewall_service == 'iptables'
-# - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
-# - rhel7stig_disruptive
-# - not ansible_distribution == "OracleLinux"
-# tags:
-# - RHEL-07-040520
-# - firewall
-# - disruption-high
-
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
 block:
 - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."