Skip to content

Commit

Permalink
Merge pull request #221 from ansible-lockdown/devel
Browse files Browse the repository at this point in the history
v1r11 updates release to main
  • Loading branch information
uk-bolly authored Sep 13, 2023
2 parents 85340ce + 6498dc3 commit 31b5330
Show file tree
Hide file tree
Showing 15 changed files with 251 additions and 196 deletions.
3 changes: 1 addition & 2 deletions .ansible-lint
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,11 @@ skip_list:
- 'schema'
- 'no-changed-when'
- 'var-spacing'
- 'fqcn-builtins'
- 'experimental'
- 'name[play]'
- 'name[casing]'
- 'name[template]'
- 'fqcn[action]'
- 'key-order[task]'
- '204'
- '305'
- '303'
Expand Down
42 changes: 42 additions & 0 deletions Changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,47 @@
# Changes to RHEL8STIG

## Stig V1R11 - 26th July 2023

### 3.0.1

Issues:

- [#207](https://github.com/ansible-lockdown/RHEL8-STIG/issues/207)
- [#208](https://github.com/ansible-lockdown/RHEL8-STIG/issues/208)
- [#209](https://github.com/ansible-lockdown/RHEL8-STIG/issues/209)
- [#210](https://github.com/ansible-lockdown/RHEL8-STIG/issues/210)
- [#211](https://github.com/ansible-lockdown/RHEL8-STIG/issues/211)
- [#212](https://github.com/ansible-lockdown/RHEL8-STIG/issues/212)

### 3.0.0

Controls updated

- CAT2:
- 010030 - ruleid
- 010200 - ruleid
- 010201 - ruleid
- 010290 - ruleid and SSH MACS updated
- 010291 - ruleid and SSH Ciphers updated
- 010770 - ruleid
- 020035 - new control idlesession timeout new var rhel_08_020035_idlesessiontimeout
- 020041 - ruleid and tmux script update
- 030690 - ruleid and protocol options added
- 040159 - ruleid
- 040160 - ruleid
- 040342 - ruleid and SSH KEX algorithms updated

- CAT3
- 010471 - ruleid

- audit variables updated, new version
- tidied up the end of the playbook ordering with reboot taking place(if set and enabled) prior to audit now.

## 2.9.2

- #216 check that sudo user has a password check improvement
- thanks to manish on discord for highlighting this

## 2.9.1

- Issue #204 address
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## Configure a RHEL8 based system to be complaint with Disa STIG

This role is based on RHEL 8 DISA STIG: [Version 1, Rel 10 released on April 24, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R10_STIG.zip).
This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip).

---

Expand Down
52 changes: 30 additions & 22 deletions defaults/main.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
## metadata for Audit benchmark
benchmark_version: 'v1r10'
benchmark_version: 'v1r11'

## Benchmark name used by audting control role
# The audit variable found at the base
Expand Down Expand Up @@ -61,7 +61,7 @@ setup_audit: false
# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
get_goss_file: download
get_audit_binary_method: download

# how to get audit files onto host options
# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
Expand Down Expand Up @@ -246,6 +246,7 @@ rhel_08_020028: true
rhel_08_020030: true
rhel_08_020031: true
rhel_08_020032: true
rhel_08_020035: true
rhel_08_020039: true
rhel_08_020040: true
rhel_08_020041: true
Expand Down Expand Up @@ -275,6 +276,7 @@ rhel_08_020210: true
rhel_08_020220: true
rhel_08_020221: true
rhel_08_020230: true
rhel_08_020235: true
rhel_08_020231: true
rhel_08_020240: true
rhel_08_020250: true
Expand Down Expand Up @@ -491,7 +493,7 @@ rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/"
# The default shell command to gather local interactive user directories
## NOTE: You will need to adjust the UID range in parenthesis below.
## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below.
local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'"
local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | grep -v '/sbin/nologin' | cut -d: -f6 | sort -u | grep -Ev '/var/|/nonexistent/|/run/*'"

# IPv6 required
rhel8stig_ipv6_required: true
Expand Down Expand Up @@ -539,12 +541,12 @@ rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
rhel8stig_change_user_path: false

# RHEL-08-010700
# rhel8stig_ww_dir_owner is the owenr of all world-writable directories
# rhel8stig_ww_dir_owner is the owner of all world-writable directories
# To conform to STIG standards this needs to be set to root, sys, bin, or an application group
rhel8stig_ww_dir_owner: root

# RHEL-08-010710
# rhel8stig_ww_dir_grpowner is the owenr of all world-writable directories
# rhel8stig_ww_dir_grpowner is the owner of all world-writable directories
# To conform to STIG standards this needs to be set to root, sys, bin, or an application group
rhel8stig_ww_dir_grpowner: root

Expand Down Expand Up @@ -730,9 +732,12 @@ rhel8stig_pam_faillock:
attempts: 3
interval: 900
unlock_time: 0
fail_for_root: true
fail_for_root: "{{ rhel_08_020023 }}"
dir: /var/log/faillock

# RHEL-08-020035
rhel_08_020035_idlesessiontimeout: 900

# RHEL-08-030670
# rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards
rhel8stig_audisp_disk_full_action: single
Expand Down Expand Up @@ -773,9 +778,11 @@ rhel8stig_login_defaults:
create_home: 'yes'

# RHEL-08-030690 uncomment and set the value to a remote IP address that can receive audit logs
# NOTE different protocol configs '@''=UDP '@@''=TCP '':omrelp:'=RELP
rhel8stig_remotelog_server:
server: 10.10.10.10
port: 9999
protocol: '@@'

# RHEL-08-030020
rhel8stig_auditd_mail_acct: root
Expand Down Expand Up @@ -870,8 +877,10 @@ rhel8stig_white_list_services:
# This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file
# to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256
# to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr
rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256'
rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr"
rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com"
# RHEL-08-040342
# Expected Values for FIPS KEX algorithims
rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"

# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting
Expand Down Expand Up @@ -901,29 +910,29 @@ audit_run_script_environment:
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"

### Goss binary settings ###
goss_version:
release: v0.3.21
checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3'
audit_bin_version:
release: v0.3.23
checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json

# if get_goss_file == download change accordingly
goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
# if get_audit_binary_method == download change accordingly
audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64"

## if get_goss_file - copy the following needs to be updated for your environment
## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
copy_goss_from_path: /some/accessible/path
audit_bin_copy_location: /some/accessible/path

### Goss Audit Benchmark file ###
#### Goss Audit Benchmark file ###
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: "benchmark_{{ benchmark_version }}_rh8"

# copy:
audit_local_copy: "some path to copy from"
# archive or copy:
audit_conf_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"
Expand All @@ -932,14 +941,13 @@ audit_files_url: "some url maybe s3?"
# Where the goss configs and outputs are stored
audit_out_dir: '/opt'
# Where the goss audit configuration will be stored
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit"

# If changed these can affect other products
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"

## The following should not need changing
goss_file: "{{ audit_conf_dir }}goss.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
audit_results: |
The pre remediation results are: {{ pre_audit_summary }}.
Expand Down
14 changes: 7 additions & 7 deletions tasks/LE_audit_setup.yml
Original file line number Diff line number Diff line change
@@ -1,22 +1,22 @@
---

- name: Download audit binary
- name: Pre Audit Setup | Download audit binary
ansible.builtin.get_url:
url: "{{ goss_url }}"
url: "{{ audit_bin_url }}"
dest: "{{ audit_bin }}"
owner: root
group: root
checksum: "{{ goss_version.checksum }}"
checksum: "{{ audit_bin_version.checksum }}"
mode: 0555
when:
- get_goss_file == 'download'
- get_audit_binary_method == 'download'

- name: copy audit binary
- name: Pre Audit Setup | copy audit binary
ansible.builtin.copy:
src:
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
mode: 0555
owner: root
group: root
when:
- get_goss_file == 'copy'
- get_audit_binary_method == 'copy'
4 changes: 2 additions & 2 deletions tasks/fix-cat1.yml
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@
check_mode: false
changed_when: false
failed_when: rhel_08_010020_grub_cmdline_linux_audit.rc > 1
when: rhel_08_010020_default_grub_missing_audit is changed
when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler
register: rhel_08_010020_grub_cmdline_linux_audit

- name: "HIGH | RHEL-08-010020 | PATCH | Copy over a sane /etc/default/grub"
Expand All @@ -66,7 +66,7 @@
mode: 0644
vars:
grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}"
when: rhel_08_010020_default_grub_missing_audit is changed
when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler

- name: "HIGH | RHEL-08-010020 | PATCH | fips=1 must be in /etc/default/grub"
ansible.builtin.replace:
Expand Down
Loading

0 comments on commit 31b5330

Please sign in to comment.