Merge pull request #281 from ansible-lockdown/devel
Initial main release of v1r13
uk-bolly authored May 31, 2024
2 parents 26e9ed2 + 18e1cdc commit 9981f76
Showing 15 changed files with 399 additions and 349 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/devel_pipeline_validation.yml
Expand Up @@ -113,7 +113,7 @@
- name: Sleep for 60 seconds
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the Ansibleplaybook
# Run the Ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
2 changes: 1 addition & 1 deletion .github/workflows/main_pipeline_validation.yml
Expand Up @@ -102,7 +102,7 @@
- name: Sleep for 60 seconds
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the Ansibleplaybook
# Run the Ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
29 changes: 29 additions & 0 deletions Changelog.md
@@ -1,5 +1,34 @@
# Changes to RHEL8STIG

## 3.2 - STIV V1R13 - 24th Jan 2024

- Audit updated
- moved audit into prelim
- updates to audit logic for copy and archive options

ruleid updated

- 010001
- 020250
- 020290
- 040090

CAT II

- 020035 - updated rule and added handler for logind restart
- 040020 - /bin/false update and ruleid update
- 040080 - /bin/false and ruleid
- 040111 - /bin/false and ruleid

CAT III

- 040021 - /bin/false and ruleid
- 040022 - /bin/false and ruleid
- 040023 - /bin/false and ruleid
- 040024 - /bin/false and ruleid
- 040025 - /bin/false and ruleid
- 040026 - /bin/false and ruleid

## 3.1 - STIG V1R12 - 25th Oct 2023

ruleid updated
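Review bot: the new heading at the top of this hunk, `## 3.2 - STIV V1R13 - 24th Jan 2024`, misspells the benchmark name; the 3.1 entry just below reads `STIG V1R12`, so this should be `STIG V1R13`. The entry also only lists updated and added rule IDs, while this same change removes defaults for RHEL-08-020070, 030670, 030680, 010290/010291 and the smart-card settings from defaults/main.yml; listing the removed rule IDs and variable names here would tell users which controls are no longer applied and which inventory variables they can drop.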
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -2,7 +2,7 @@

## Configure a RHEL8 based system to be complaint with Disa STIG

This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip).
This role is based on RHEL 8 DISA STIG: [Version 1, Rel 13 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG.zip).

---

Expand All @@ -29,7 +29,6 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2

![License](https://img.shields.io/github/license/ansible-lockdown/RHEL8-STIG?label=License)


---

## Looking for support?
Expand Down Expand Up @@ -195,4 +194,5 @@ pre-commit run

Massive thanks to the fantastic community and all its members.
This includes a huge thanks and credit to the original authors and maintainers.

Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell
88 changes: 41 additions & 47 deletions defaults/main.yml
@@ -1,6 +1,6 @@
---
## metadata for Audit benchmark
benchmark_version: 'v1r12'
benchmark_version: 'v1r13'

## Benchmark name used by audting control role
# The audit variable found at the base
Expand Down Expand Up @@ -35,7 +35,6 @@ rhel8stig_audit_disruptive: false
rhel8stig_skip_for_travis: false

rhel8stig_workaround_for_disa_benchmark: true
rhel8stig_workaround_for_ssg_benchmark: true

# tweak role to run in a chroot, such as in kickstart %post script
rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"
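Review bot: deleting `rhel8stig_workaround_for_ssg_benchmark: true` removes a default that users may reference in their own group_vars or conditionals, and any remaining task that reads it will fail with an undefined-variable error at runtime; please confirm no `when:` clause in the tasks still references it and mention the removal in Changelog.md alongside the other V1R13 changes.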
Expand All @@ -56,23 +55,26 @@ rhel8stig_skip_reboot: true
# Defined will change if control requires
change_requires_reboot: false

##########################################
###########################################
### Goss is required on the remote host ###
## Refer to vars/auditd.yml for any other settings ##
### vars/auditd.yml for other settings ###

# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true

# Only run Audit do not remediate
## Only run Audit do not remediate
audit_only: false
# As part of audit_only
# This will enable files to be copied back to control node
### As part of audit_only ###
# This will enable files to be copied back to control node in audit_only mode
fetch_audit_files: false
# Path to copy the files to will create dir structure
# Path to copy the files to will create dir structure in audit_only mode
audit_capture_files_dir: /some/location to copy to on control node
#############################

# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
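Review bot: the new default `audit_capture_files_dir: /some/location to copy to on control node` is an unquoted plain scalar containing spaces, so a user who sets `fetch_audit_files: true` without overriding it gets a directory literally named that way on the control node; quoting it like the other placeholders in this file ("some path to copy from") makes it read as a placeholder, and an assert in the prelim tasks that the value was overridden whenever `fetch_audit_files` is true would fail early instead of creating the odd path. The `audit_run_heavy_tests` comment moved into this block also repeats itself ("can have more impact on a system ... greater impact on a system") and could be cut to one clause.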
Expand All @@ -85,20 +87,24 @@ get_audit_binary_method: download
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# archive or copy:
audit_conf_copy: "some path to copy from"
# If using either archive, copy, get_url:
## Note will work with .tar files - zip will require extra configuration
### If using get_url this is expecting github url in tar.gz format e.g.
### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
audit_conf_source: "some path or url to copy from"

# get_url:
audit_files_url: "some url maybe s3?"
# Destination for the audit content to be placed on managed node
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
audit_conf_dest: "/opt"

# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true
# Where the audit logs are stored
audit_log_dir: '/opt'

### End Goss enablements ####
#### Detailed settings found at the end of this document ####
### Goss Settings ##
####### END ########

# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
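Review bot: this hunk replaces the two variables `audit_conf_copy` and `audit_files_url` with a single `audit_conf_source` and adds `archive` as an `audit_content` option, but the rename is not backwards compatible: inventories that still set `audit_conf_copy` or `audit_files_url` will silently fall back to the placeholder `"some path or url to copy from"`. Suggest either documenting the rename in the Changelog.md hunk (which currently only says "updates to audit logic for copy and archive options") or failing early with an assert when one of the old names is defined. The comment also states that only `.tar` works and zip "will require extra configuration", but nothing here rejects a zip source; an assert on the file extension in the prelim tasks would give a clear message instead of an unarchive failure.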
Expand Down Expand Up @@ -501,11 +507,6 @@ rhel8stig_kdump_needed: false
# or rhel8stig_gui)
rhel8stig_always_configure_dconf: false

# Whether or not to run tasks related to smart card authentication enforcement
rhel8stig_smartcard: false
# Configure your smartcard driver
rhel8stig_smartcarddriver: cackey

# Set the file that sysctl should write to
rhel8stig_sysctl_file: /etc/sysctl.d/99_stig_sysctl.conf
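Review bot: `rhel8stig_smartcard` and `rhel8stig_smartcarddriver` are removed here without a corresponding entry in the Changelog.md hunk in this PR; users gating smart-card enforcement with `rhel8stig_smartcard: true` will now find the variable unused, so please confirm the tasks that consumed these two variables are removed in the same change and record the removal in the changelog.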

Expand All @@ -528,6 +529,11 @@ rhel8stig_ipv6_required: true
# When set to anything other than mcafee it will skip this control assuming localized threat prevention management
rhel8stig_av_sftw: mcafee

# RHEL-08-010110 & 010130 & 010760 & 020190 & 020200 & 020231 & 020310 & 020351
# rhel8stig_login_defs_file_perms
# Permissions set on /etc/login.defs
rhel8stig_login_defs_file_perms: 0644

# RHEL-08-010210
# rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to.
# To conform to STIG standards this needs to be 0640 or more restrictive
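Review bot: the added `rhel8stig_login_defs_file_perms: 0644` uses an unquoted octal literal, whereas handlers/main.yml and tasks/fix-cat1.yml in this same PR are being changed to quoted modes (`mode: '0644'`); a YAML 1.1 loader reads `0644` as the integer 420, which the file module accepts, but a YAML 1.2 loader reads it as decimal 644 and the resulting mode is wrong, so the new default should follow the quoted form being introduced elsewhere (`rhel8stig_login_defs_file_perms: '0644'`). The comment above it ties one permissions variable to eight rule IDs; a one-line note on why (presumably each of those rules edits /etc/login.defs) would help readers trace it.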
Expand Down Expand Up @@ -559,10 +565,6 @@ rhel8stig_ssh_pub_key_perm: 0644
rhel8stig_ssh_priv_key_perm: 0600

# RHEL-08-010690
# Set standard user paths here
# Also set whether we should automatically remediate paths in user ini files.
# rhel_08_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin"
rhel8stig_change_user_path: false

# RHEL-08-010700
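Review bot: this hunk deletes `rhel8stig_standard_user_path` but keeps `rhel8stig_change_user_path: false` directly under `# RHEL-08-010690` with no explanation left; if the task for this control still remediates user PATH entries it now has no value to write, and if it no longer does, `rhel8stig_change_user_path` should go as well. Either restore a comment describing what the remaining flag controls or remove it together with its companion.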
Expand Down Expand Up @@ -591,6 +593,19 @@ rhel8stig_local_int_home_file_perms: 0750
# To connform to STIG standards this needs to be set to 0740 or less permissive
rhel8stig_local_int_perm: 0740

# RHEL-08-020100 pamd file permissions - /etc/pam.d/(password-auth|system-auth) files
# rhel8stig_pamd_file_perms
# This needs a minimum of 0644 ( more restrictive may cause issues testing will be required)
rhel8stig_pamd_file_perms: 0644

# RHEL-08-020110 - pwquality file permissions
# mode: "{{ rhel8stig_pamd_file_perms }}"
rhel8stig_pwquality_file_perms: 0644

# RHEL-08-0400xx
# blacklist.conf - /etc/modprobe.d/blacklist.conf file permissions
rhel8stig_blacklist_conf_file_perms: 0640

# RHEL-08-020250
# This is a check for a "supported release"
# These are the minimum supported releases.
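Review bot: three points in the added block. `# RHEL-08-0400xx` is a placeholder rule ID for `rhel8stig_blacklist_conf_file_perms`; the Changelog.md hunk in this PR ties the /bin/false updates to rules 040020 through 040026, 040080 and 040111, so if those are the rules that write /etc/modprobe.d/blacklist.conf, list them here instead of `0400xx`. `# mode: "{{ rhel8stig_pamd_file_perms }}"` under the pwquality entry looks like a leftover from copying the pam.d block and contradicts the separate `rhel8stig_pwquality_file_perms` variable beneath it. And the modes are unquoted octals (`0644`, `0640`) while the same PR converts modes elsewhere to quoted strings; quote them here too. Minor: the unchanged context line above reads "connform".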
Expand Down Expand Up @@ -707,13 +722,6 @@ rhel8stig_sssd:
maprule: (userCertificate;binary={cert!bin})
domains: "{{ rhel8stig_sssd_domain }}"

# RHEL-08-020070
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600)
rhel8stig_shell_session_timeout:
file: /etc/profile.d/tmout.sh
timeout: 600

# RHEL-08-010200 | All network connections associated with SSH traffic must
# terminate at the end of the session or after 10 minutes of inactivity, except
# to fulfill documented and validated mission requirements.
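Review bot: removing `rhel8stig_shell_session_timeout` (the file and 600-second TMOUT value for RHEL-08-020070) changes behaviour for users who tuned the timeout or the target file, and the Changelog.md hunk does not mention 020070; please confirm the task that writes /etc/profile.d/tmout.sh is dropped or rewired in the same change and record the removal in the changelog.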
Expand Down Expand Up @@ -763,14 +771,6 @@ rhel8stig_pam_faillock:
# RHEL-08-020035
rhel_08_020035_idlesessiontimeout: 900

# RHEL-08-030670
# rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards
rhel8stig_audisp_disk_full_action: single

# RHEL-08-030680
# rhel8stig_audisp_network_failure_action optoins are syslog, halt, and single
rhel8stig_audisp_network_failure_action: single

# RHEL-08-030060
# rhel8stig_auditd_disk_full_action options are SYSLOG, HALT, and SINGLE to fit STIG standards
rhel8stig_auditd_disk_full_action: HALT
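Review bot: the deletion of `rhel8stig_audisp_disk_full_action` and `rhel8stig_audisp_network_failure_action` (RHEL-08-030670 and 030680) is not reflected in the Changelog.md hunk, which only lists updated rule IDs; if V1R13 dropped these audisp rules, say so there, and check that no task or handler still references the two variables, since the remaining `rhel8stig_auditd_disk_full_action` (030060) below has a near-identical name and a different value convention (`HALT` versus `single`), which makes a leftover reference easy to miss.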
Expand Down Expand Up @@ -892,7 +892,6 @@ rhel8stig_existing_zone_to_copy: public
# RHEL-08-040090
# This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules
# rhel8stig_white_list_services is the services that you want to allow through initially for the new firewall zone
# http and ssh need to be enabled for the role to run.
# This can also be a port number if no service exists
rhel8stig_white_list_services:
- ssh
Expand All @@ -910,11 +909,6 @@ rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@open
# Expected Values for FIPS KEX algorithims
rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"

# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting
# to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings
# to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256"

# RHEL-08-010295
# This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions
# to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
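Review bot: removing `rhel8stig_ssh_server_crypto_settings` takes away the value used for the opensshserver.conf CRYPTO_POLICY line (RHEL-08-010290/010291); confirm the tasks for those two controls are updated in the same change, because an undefined variable there would abort the CAT II run. While in this block, the unchanged comments still read "algorithims", "teh" and "ecryption" and are worth fixing alongside.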
9 changes: 7 additions & 2 deletions handlers/main.yml
Expand Up @@ -10,6 +10,11 @@
when:
- not system_is_container

- name: Restart_systemdlogin
ansible.builtin.systemd:
name: systemd-logind
state: restarted

- name: sysctl system
ansible.builtin.shell: sysctl --system
when: "'procps-ng' in ansible_facts.packages"
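Review bot: the new `Restart_systemdlogin` handler should carry the same `when: not system_is_container` guard as the handler directly above it, since systemd-logind is not running inside a container and `state: restarted` would fail there. Its name also breaks the file's convention (`sysctl system`, `restart auditd`, `confirm grub2 user cfg` are lowercase with spaces); `restart systemd-logind` would match both the convention and the unit name.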
Expand Down Expand Up @@ -74,7 +79,7 @@
remote_src: true
owner: root
group: root
mode: 0755
mode: '0755'
when:
- rhel8stig_grub2_user_cfg.stat.exists
- rhel8stig_workaround_for_disa_benchmark
Expand All @@ -97,7 +102,7 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: 0600
mode: '0600'
notify: restart auditd

- name: restart auditd
6 changes: 3 additions & 3 deletions tasks/fix-cat1.yml
Expand Up @@ -63,7 +63,7 @@
dest: /etc/default/grub
owner: root
group: root
mode: 0644
mode: '0644'
vars:
grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}"
when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler
Expand Down Expand Up @@ -187,7 +187,7 @@
line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}"
owner: root
group: root
mode: 0640
mode: '0640'
notify: confirm grub2 user cfg
when:
- not system_is_ec2
Expand Down Expand Up @@ -437,7 +437,7 @@
create: true
owner: root
group: root
mode: 0644
mode: '0644'
with_items:
- { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' }
- { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' }