Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stig V3R11 release #427

Merged
merged 20 commits into from
May 22, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 8 additions & 4 deletions .ansible-lint
Original file line number Diff line number Diff line change
@@ -1,20 +1,24 @@
---

parseable: true
quiet: true
skip_list:
- 'schema'
- 'no-changed-when'
- 'var-spacing'
- 'fqcn-builtins'
- 'experimental'
- 'name[play]'
- 'fqcn[action-core]'
- 'fqcn[action]'
- 'name[casing]'
- 'name[template]'
- 'fqcn[action]'
- 'jinja[spacing]'
- 'var-naming' # Older playbook no new release
- '204'
- '208'
- '305'
- '303'
- '403'
- '306'
- '602'
- '208'
use_default_rules: true
verbosity: 0
53 changes: 29 additions & 24 deletions .yamllint
Original file line number Diff line number Diff line change
@@ -1,28 +1,33 @@
---
# Based on ansible-lint config
extends: default

ignore: |
tests/
molecule/
.github/
.gitlab-ci.yml
*molecule.yml

rules:
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: true
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
empty-lines:
max: 1
line-length: disable
key-duplicates: enable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: false
18 changes: 18 additions & 0 deletions ChangeLog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,23 @@
# Changelog

## 2.1 Stig V3r11 27th April 2023

Consistent on ansible version
Improvement in checking ansible user has password 010340
tidy of boootloader discovery and paths

- New controls
- RHEL-07-010019
- RHEL-07-010063
- RHEL-07-020028

- rule id updates and changes
- RHEL-07-010119
- RHEL-07-010199
- RHEL-07-010271
- RHEL-07-020028
- RHEL-07-020030

## 2.0.1

update lint inline with galaxy requirements
Expand Down
140 changes: 93 additions & 47 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,17 +1,52 @@
# RHEL 7 DISA STIG

![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL7-STIG/CommunityToDevel?label=Devel%20Build%20Status&style=plastic)
![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL7-STIG/DevelToMain?label=Main%20Build%20Status&style=plastic)
![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL7-STIG?style=plastic)
## Configure a RHEL7 based system to be complaint with Disa STIG

Configure a RHEL 7 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`.
This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on April 27, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R11_STIG.zip).

This role is based on RHEL 7 DISA STIG: [Version 3, Rel 10 released on Jan 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R10_STIG.zip).
---

## Join us
![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social)
![Stars](https://img.shields.io/github/stars/ansible-lockdown/RHEL7-STIG?label=Repo%20Stars&style=social)
![Forks](https://img.shields.io/github/forks/ansible-lockdown/RHEL7-STIG?style=social)
![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)

![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible)
![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)

![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status)
![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL7-STIG/devel?color=dark%20green&label=Devel%20Branch%20commits)

![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status)
![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL7-STIG?label=Release%20Date)
![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL7-STIG?label=Release%20Tag&&color=success)

![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL7-STIG?label=Open%20Issues)
![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL7-STIG?label=Closed%20Issues&&color=success)
![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL7-STIG?label=Pull%20Requests)

![License](https://img.shields.io/github/license/ansible-lockdown/RHEL7-STIG?label=License)

---

## Looking for support?

[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH7_stig)

[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH7_stig)

### Community

On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users

---

Configure a RHEL 7 system to be DISA STIG compliant.
Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default.
Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `true`.

## Updating

Coming from a previous release.
Expand All @@ -27,7 +62,7 @@ More information can be found in the [ChangeLog](./ChangeLog.md)

## Auditing (new)

This can be turned on or off within the defaults/main.yml file with the variable rhel7stig_run_audit. The value is false by default, please refer to the wiki for more details.
This can be turned on or off within the defaults/main.yml file with the variable run_audit. The value is false by default, please refer to the wiki for more details.

This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings.

Expand All @@ -38,63 +73,51 @@ Refer to

- [RHEL7-STIG-Audit](https://github.com/ansible-lockdown/RHEL7-STIG-Audit).

## Documentation

- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/)
- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH7_stig)
- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_RH7_stig)
- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH7_stig)
- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH7_stig)

## Requirements

RHEL 7 or CentOS 7 - Other versions are not supported.
Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system.

**General:**

- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible

- [Main Ansible documentation page](https://docs.ansible.com)
- [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL7-STIG/wiki/Main-Variables).
- While check_mode may work, This is not supported.

### Please be aware

- This does set the single user password for grub this does need to be defined - You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'
- Some controls make changes to sudo, please ensure a sudo password is set for the user and it is added to the way to run your playbook.

## Documentation

- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL7-STIG/)
- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
- [Wiki](https://github.com/ansible-lockdown/RHEL7-STIG/wiki)

## Dependencies

The following packages must be installed on the controlling host/host where ansible is executed:

- Python3 (preferred)
- Ansible 2.9+
- jmespath

Ansible is set to run in a python3 environment.
- python2-passlib (or just passlib, if using python3)
- python-lxml
- python-xmltodict
- python-jmespath

Dependencies required for the playbook are installed on the endpoint if required.
Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.

## Role Variables

This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/RHEL7-STIG/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.
This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.

## Tags
### Tags

There are many tags available for added control precision. Each control has it's own set of tags noting the control number as well as what parts of the system that control addresses.

Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag ssh, this task will be skipped. The
opposite can also happen where you run only controls tagged with ssh.
Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag dconf, this task will be skipped. The opposite can also happen where you run only controls tagged with dconf.

```sh
tags:
- RHEL-07-010050
- ssh
- dod_logon_banner
- RHEL-07-010060
- CAT2
- CCI-000056
- SRG-OS-000028-GPOS-00009
- SV-204396r880746_rule
- V-204396
- dconf
```

## Example Audit Summary
Expand Down Expand Up @@ -126,6 +149,25 @@ rhel7test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 r
- **gh_pages** - github pages
- **all other branches** - Individual community member branches

## Containers - Testing

- system_is_container

This is set to false by defaults/main.yml
If discovered it is a container type or ansible_connection == docker it will convert to run to with with true.
Some controls will skip is this is true as they are not applicable at all. Others runs a subset of controls found in vars/is_container.yml based on a vendor supplied un altered image.

**NON altered vendor image.**

- container_vars_file: is_container.yml

This vars file runs controls are grouped into tags so if the container does later have ssh it could be re-enabled by loading an alternative vars file.

### Please Be Aware

- This does set the single user password for grub this does need to be defined - You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'
- Some controls make changes to sudo, please ensure a sudo password is set for the user and it is added to the way to run your playbook.

## Community Contribution

We encourage you (the community) to contribute to this role. Please read the rules below.
Expand All @@ -139,11 +181,15 @@ We encourage you (the community) to contribute to this role. Please read the rul

uses:

- Ansible-core 2.12
- Ansible collections - pulls in the latest version based on requirements file
- Runs the audit using the devel branch
- ansible-core 2.12
- ansible collections - pulls in the latest version based on requirements file
- runs the audit using the devel branch
- This is an automated test that occurs on pull requests into devel

## Known Issues

None

## Support

This is a community project at its core and will be managed as such.
Expand Down
28 changes: 19 additions & 9 deletions ansible-lint
Original file line number Diff line number Diff line change
@@ -1,14 +1,24 @@
---

parseable: true
quiet: true
skip_list:
- 'schema'
- 'no-changed-when'
- 'fqcn-builtins'
- '204'
- '305'
- '303'
- '403'
- '306'
- '602'
- 'schema'
- 'no-changed-when'
- 'fqcn-builtins'
- 'experimental'
- 'fqcn[action-core]'
- 'fqcn[action]'
- 'name[casing]'
- 'name[template]'
- 'jinja[spacing]'
- 'var-naming' # Older playbook no new release
- '204'
- '208'
- '305'
- '303'
- '403'
- '306'
- '602'
use_default_rules: true
verbosity: 0
Loading