diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa..39af625 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -113,7 +113,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d9..8ded701 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -102,7 +102,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/Changelog.md b/Changelog.md index c0bcafc..f2d02d0 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,34 @@ # Changes to RHEL8STIG +## 3.2 - STIV V1R13 - 24th Jan 2024 + +- Audit updated + - moved audit into prelim + - updates to audit logic for copy and archive options + +ruleid updated + +- 010001 +- 020250 +- 020290 +- 040090 + +CAT II + +- 020035 - updated rule and added handler for logind restart +- 040020 - /bin/false update and ruleid update +- 040080 - /bin/false and ruleid +- 040111 - /bin/false and ruleid + +CAT III + +- 040021 - /bin/false and ruleid +- 040022 - /bin/false and ruleid +- 040023 - /bin/false and ruleid +- 040024 - /bin/false and ruleid +- 040025 - /bin/false and ruleid +- 040026 - /bin/false and ruleid + ## 3.1 - STIG V1R12 - 25th Oct 2023 ruleid updated diff --git a/README.md b/README.md index 9ed5047..98fbeab 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ ## Configure a RHEL8 based system to be complaint with Disa STIG -This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip). +This role is based on RHEL 8 DISA STIG: [Version 1, Rel 13 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG.zip). --- @@ -29,7 +29,6 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2 ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL8-STIG?label=License) - --- ## Looking for support? @@ -195,4 +194,5 @@ pre-commit run Massive thanks to the fantastic community and all its members. This includes a huge thanks and credit to the original authors and maintainers. + Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell diff --git a/defaults/main.yml b/defaults/main.yml index acc87c4..2169f0e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,6 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r12' +benchmark_version: 'v1r13' ## Benchmark name used by audting control role # The audit variable found at the base @@ -35,7 +35,6 @@ rhel8stig_audit_disruptive: false rhel8stig_skip_for_travis: false rhel8stig_workaround_for_disa_benchmark: true -rhel8stig_workaround_for_ssg_benchmark: true # tweak role to run in a chroot, such as in kickstart %post script rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}" 
@@ -56,23 +55,26 @@ rhel8stig_skip_reboot: true # Defined will change if control requires change_requires_reboot: false -########################################## +########################################### ### Goss is required on the remote host ### -## Refer to vars/auditd.yml for any other settings ## +### vars/auditd.yml for other settings ### # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false # enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true -# Only run Audit do not remediate +## Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node +############################# # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file 
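Review bot: The comment placed above `audit_run_heavy_tests: true` runs two clauses into one sentence ("can have more impact on a system enabling these can have greater impact on a system") and never says what makes a test "heavy". Suggest `# Run heavy tests - these checks can have a greater performance impact on the audited host; set false on constrained systems`. Since the line also defaults to `true`, the heavier checks run unless an operator opts out, which is worth stating in that comment if it is the intended default.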
@@ -85,20 +87,24 @@ get_audit_binary_method: download audit_bin_copy_location: /some/accessible/path # how to get audit files onto host options -# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# archive or copy: -audit_conf_copy: "some path to copy from" +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# get_url: -audit_files_url: "some url maybe s3?" +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true +# Where the audit logs are stored +audit_log_dir: '/opt' -### End Goss enablements #### -#### Detailed settings found at the end of this document #### +### Goss Settings ## +####### END ######## # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group @@ -501,11 +507,6 @@ rhel8stig_kdump_needed: false # or rhel8stig_gui) rhel8stig_always_configure_dconf: false -# Whether or not to run tasks related to smart card authentication enforcement -rhel8stig_smartcard: false -# Configure your smartcard driver -rhel8stig_smartcarddriver: cackey - # Set the file that sysctl should write to rhel8stig_sysctl_file: /etc/sysctl.d/99_stig_sysctl.conf 
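Review bot: `audit_conf_source` now accepts a remote tar.gz (the `get_url` / `archive` paths described in the new comment) for content that the role afterwards runs as the audit, yet no companion variable carries an expected digest, so a substituted or tampered archive would be accepted silently. If the fetch task (not in this diff) uses `ansible.builtin.get_url`, a default such as `audit_conf_checksum: ''` wired to its `checksum` parameter would let operators pin the download; the `archive` case would need an equivalent check after retrieval. `audit_conf_source` also replaces both `audit_conf_copy` and `audit_files_url`, which existing inventories may still set, and the Changelog hunk earlier in this diff does not mention the rename. Minor style point: `audit_conf_dest: "/opt"` and `audit_log_dir: '/opt'` quote the same value two different ways on adjacent lines.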
@@ -528,6 +529,11 @@ rhel8stig_ipv6_required: true # When set to anything other than mcafee it will skip this control assuming localized threat prevention management rhel8stig_av_sftw: mcafee +# RHEL-08-010110 & 010130 & 010760 & 020190 & 020200 & 020231 & 020310 & 020351 +# rhel8stig_login_defs_file_perms +# Permissions set on /etc/login.defs +rhel8stig_login_defs_file_perms: 0644 + # RHEL-08-010210 # rhel8stig_var_log_messages_perm is the permissions the /var/log/messages file is set to. # To conform to STIG standards this needs to be 0640 or more restrictive @@ -559,10 +565,6 @@ rhel8stig_ssh_pub_key_perm: 0644 rhel8stig_ssh_priv_key_perm: 0600 # RHEL-08-010690 -# Set standard user paths here -# Also set whether we should automatically remediate paths in user ini files. -# rhel_08_020720_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" -rhel8stig_standard_user_path: "PATH=$PATH:$HOME/.local/bin:$HOME/bin" rhel8stig_change_user_path: false # RHEL-08-010700 @@ -591,6 +593,19 @@ rhel8stig_local_int_home_file_perms: 0750 # To connform to STIG standards this needs to be set to 0740 or less permissive rhel8stig_local_int_perm: 0740 +# RHEL-08-020100 pamd file permissions - /etc/pam.d/(password-auth|system-auth) files +# rhel8stig_pamd_file_perms +# This needs a minimum of 0644 ( more restrictive may cause issues testing will be required) +rhel8stig_pamd_file_perms: 0644 + +# RHEL-08-020110 - pwquality file permissions +# mode: "{{ rhel8stig_pamd_file_perms }}" +rhel8stig_pwquality_file_perms: 0644 + +# RHEL-08-0400xx +# blacklist.conf - /etc/modprobe.d/blacklist.conf file permissions +rhel8stig_blacklist_conf_file_perms: 0640 + # RHEL-08-020250 # This is a check for a "supported release" # These are the minimum supported releases. 
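Review bot: `rhel8stig_login_defs_file_perms: 0644` is an unquoted octal, which YAML 1.1 loaders (PyYAML, as used by Ansible) read as the integer 420; when that value is interpolated as `mode: "{{ rhel8stig_login_defs_file_perms }}"` (as the fix-cat2 hunks later in this diff do) the module receives the string "420" and, on ansible-core releases whose templating yields strings rather than native types, parses it as octal 0420 — `r---w----`, not the intended 0644. The commit quotes every literal `mode: 0644` elsewhere for this reason, so the new defaults should match: `rhel8stig_login_defs_file_perms: '0644'`. The second hunk on this line introduces `rhel8stig_pamd_file_perms`, `rhel8stig_pwquality_file_perms` and `rhel8stig_blacklist_conf_file_perms` in the same unquoted form and needs the same change.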
@@ -707,13 +722,6 @@ rhel8stig_sssd: maprule: (userCertificate;binary={cert!bin}) domains: "{{ rhel8stig_sssd_domain }}" -# RHEL-08-020070 -# Session timeout setting file (TMOUT setting can be set in multiple files) -# Timeout value is in seconds. (60 seconds * 10 = 600) -rhel8stig_shell_session_timeout: - file: /etc/profile.d/tmout.sh - timeout: 600 - # RHEL-08-010200 | All network connections associated with SSH traffic must # terminate at the end of the session or after 10 minutes of inactivity, except # to fulfill documented and validated mission requirements. @@ -763,14 +771,6 @@ rhel8stig_pam_faillock: # RHEL-08-020035 rhel_08_020035_idlesessiontimeout: 900 -# RHEL-08-030670 -# rhel8stig_audisp_disk_full_action options are syslog, halt, and single to fit STIG standards -rhel8stig_audisp_disk_full_action: single - -# RHEL-08-030680 -# rhel8stig_audisp_network_failure_action optoins are syslog, halt, and single -rhel8stig_audisp_network_failure_action: single - # RHEL-08-030060 # rhel8stig_auditd_disk_full_action options are SYSLOG, HALT, and SINGLE to fit STIG standards rhel8stig_auditd_disk_full_action: HALT @@ -892,7 +892,6 @@ rhel8stig_existing_zone_to_copy: public # RHEL-08-040090 # This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules # rhel8stig_white_list_services is the services that you want to allow through initially for the new firewall zone -# http and ssh need to be enabled for the role to run. # This can also be a port number if no service exists rhel8stig_white_list_services: - ssh 
@@ -910,11 +909,6 @@ rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@open # Expected Values for FIPS KEX algorithims rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512" -# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting -# to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings -# to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -rhel8stig_ssh_server_crypto_settings: "-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256" - # RHEL-08-010295 # This will be teh GnuTLS ecryption packages. The task sets the +VERS-ALL: setting, the only items needed are the DoD approved encryptions # to conform to STIG standards this variable must contain +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 diff --git a/handlers/main.yml b/handlers/main.yml index c210d6f..cd5e482 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -10,6 +10,11 @@ when: - not system_is_container +- name: Restart_systemdlogin + ansible.builtin.systemd: + name: systemd-logind + state: restarted + - name: sysctl system ansible.builtin.shell: sysctl --system when: "'procps-ng' in ansible_facts.packages" @@ -74,7 +79,7 @@ remote_src: true owner: root group: root - mode: 0755 + mode: '0755' when: - rhel8stig_grub2_user_cfg.stat.exists - rhel8stig_workaround_for_disa_benchmark @@ -97,7 +102,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0600 + mode: '0600' notify: restart auditd - name: restart auditd diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index f89014d..04597be 100644 
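Review bot: The new `Restart_systemdlogin` handler has no `when: not system_is_container` guard even though the handler directly above it in the hunk carries one, so a notify from RHEL-08-020035 during a container build (where systemd-logind is typically not running) would fail the play. Suggest adding `when: not system_is_container` beneath the `ansible.builtin.systemd` call. Style: every other handler visible in this file is named in lowercase with spaces (`sysctl system`, `restart auditd`), so `restart systemd-logind` would follow the existing convention — if renamed, the `notify:` in the fix-cat2 hunk must change with it.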
--- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -63,7 +63,7 @@ dest: /etc/default/grub owner: root group: root - mode: 0644 + mode: '0644' vars: grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}" when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler @@ -187,7 +187,7 @@ line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}" owner: root group: root - mode: 0640 + mode: '0640' notify: confirm grub2 user cfg when: - not system_is_ec2 @@ -437,7 +437,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' with_items: - { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' } - { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' } diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8e50668..50effba 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -25,7 +25,7 @@ - CAT2 - CCI-001233 - SRG-OS-000191-GPOS-00080 - - SV-245540r754730_rule + - SV-245540r942951_rule - V-245540 - name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date." 
@@ -192,42 +192,12 @@ - V-230226 - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored." - block: - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings info" - ansible.builtin.shell: grep '*.info' /etc/rsyslog.conf - changed_when: false - failed_when: false - register: rhel_08_010070_info_set_rsyslog - - - name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings authpriv" - ansible.builtin.shell: grep 'authpriv.* /var/log/secure' /etc/rsyslog.conf - changed_when: false - failed_when: false - register: rhel_08_010070_authpriv_set_rsyslog - - - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings no info" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - regexp: ^(?!#).*\/var\/log\/secure - line: 'auth.*;authpriv.*;daemon.* /var/log/secure' - create: true - mode: '0644' - when: - - rhel_08_010070_info_set_rsyslog.stdout == 0 - - rhel_08_010070_authpriv_set_rsyslog.stdout > 0 - - - name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings if info set" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - backrefs: true - regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure) - line: \1authpriv.*\2/var/log/secure - create: true - mode: '0644' - when: - - rhel_08_010070_info_set_rsyslog.stdout | length > 0 - - rhel_08_010070_authpriv_set_rsyslog.stdout == 0 - + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + regexp: ^(?!#).*\/var\/log\/secure + line: 'auth.*;authpriv.*;daemon.* /var/log/secure' + create: true + mode: '0644' notify: restart rsyslog when: - rhel_08_010070 
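Review bot: The single `ansible.builtin.lineinfile` that replaces the audit/patch block rewrites only the last line matching `^(?!#).*\/var\/log\/secure`, so an rsyslog.conf with more than one uncommented `/var/log/secure` selector (a vendor default plus a local addition, for instance) keeps the earlier ones and continues to log through both; the removed block had the same limitation, but the new task no longer inspects the file before editing it. A preceding `ansible.builtin.lineinfile` with `state: absent` and the same regexp, or `ansible.builtin.replace`, would make the outcome deterministic. The task also sets `create: true` with `mode: '0644'` but, unlike the other lineinfile tasks touched in this commit, no `owner: root` / `group: root`. The task's `when` and `tags` continue past the end of the hunk.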
@@ -293,6 +263,9 @@ path: /etc/login.defs regexp: '^ENCRYPT_METHOD.*' line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}" + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_010110 tags: @@ -344,6 +317,9 @@ path: /etc/login.defs regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s line: SHA_CRYPT_MIN_ROUNDS {{ rhel8stig_hashing_rounds }} + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_010130 tags: @@ -363,7 +339,7 @@ dest: /etc/grub.d/01_users owner: root group: root - mode: 0755 + mode: '0755' notify: confirm grub2 user cfg when: - rhel_08_010141 or @@ -388,7 +364,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_010151 tags: @@ -408,7 +384,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_010152 tags: @@ -842,7 +818,6 @@ - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS" ansible.builtin.shell: fips-mode-setup --enable - register: rhel_08_010290_fips_enable notify: change_requires_reboot when: '"disabled" in rhel_08_010293_pre_fips_check.stdout' when: @@ -1255,7 +1230,9 @@ regexp: '^kernel.kexec_load_disabled = 0' state: absent loop: "{{ rhel_08_010372_conflicting_settings.stdout_lines }}" - when: rhel_08_010372_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010372_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file when: - rhel_08_010372 tags: 
@@ -1281,7 +1258,9 @@ regexp: '^fs.protected_symlinks = 0' state: absent loop: "{{ rhel_08_010373_conflicting_settings.stdout_lines }}" - when: rhel_08_010373_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010373_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set sysctl" ansible.posix.sysctl: @@ -1316,7 +1295,9 @@ regexp: '^fs.protected_hardlinks = 0' state: absent loop: "{{ rhel_08_010374_conflicting_settings.stdout_lines }}" - when: rhel_08_010374_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010374_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks." ansible.posix.sysctl: @@ -1605,7 +1586,9 @@ regexp: "kernel.randomize_va_space = [^2]" state: absent loop: "{{ rhel_08_010430_conflicting_settings.stdout_lines }}" - when: rhel_08_010430_conflicting_settings.stdout | length > 0 + when: + - rhel_08_010430_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file" ansible.posix.sysctl: @@ -2258,7 +2241,9 @@ regexp: kernel.core_pattern\s*=\s*.*(? 0 + when: + - rhel_08_010671_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern." ansible.posix.sysctl: @@ -2398,7 +2383,7 @@ dest: /etc/resolv.conf owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_010680_networkmanager_check.stdout == '0' - rhel8_stig_use_resolv_template 
@@ -2652,6 +2637,9 @@ path: /etc/login.defs regexp: '.*?CREATE_HOME.*' line: CREATE_HOME yes + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_010760 tags: @@ -3292,7 +3280,7 @@ regexp: '^lock-enabled' owner: root group: root - mode: 0644 + mode: '0644' line: | [org/gnome/desktop/screensaver] # Set this to true to lock the screen when the screensaver activates @@ -3315,8 +3303,12 @@ - name: "MEDIUM | RHEL-08-020035 | PATCH | RHEL 8 must terminate idle user sessions." ansible.builtin.lineinfile: path: "/etc/systemd/logind.conf" - regexp: '^StopIdleSessionSec=|^\# StopIdleSessionSec=' - line: "StopIdleSessionSec= {{ rhel_08_020035_idlesessiontimeout }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^(?#)\s*StopIdleSessionSec\s*=', line: "StopIdleSessionSec={{ rhel_08_020035_idlesessiontimeout }}" } + - { regexp: '^(?#)\s*KillUserProccesses\s*=', line: "KillUserProccesses=no" } + notify: Restart_systemdlogin when: - rhel_08_020035 tags: @@ -3324,7 +3316,7 @@ - CAT2 - CCI-001133 - SRG-OS-000163-GPOS-00072 - - SV-257258r917891_rule + - SV-257258r942953_rule - V-257258 - session @@ -3344,7 +3336,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' loop: - { regexp: '^set -g lock-command', line: 'set -g lock-command vlock' } - { regexp: '^bind X lock-session', line: 'bind X lock-session' } @@ -3401,7 +3393,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' line: | [org/gnome/settings-daemon/peripherals/smartcard] removal-action='lock-screen' @@ -3432,7 +3424,7 @@ line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action owner: root group: root - mode: 0640 + mode: '0640' when: rhel_08_020050_removal_action_file.stdout_lines | length == 0 notify: dconf update when: 
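Review bot: In the RHEL-08-020035 loop, `KillUserProccesses` is misspelled in both the regexp and the written line; the logind.conf option is `KillUserProcesses`, so systemd-logind ignores the unknown key and the real setting is left untouched. Separately, `(?#)` at the start of both regexps is an empty inline regex comment, not an optional `#`: the pattern reduces to `^\s*StopIdleSessionSec\s*=`, so the commented-out default line the removed regexp deliberately matched (`^\# StopIdleSessionSec=`) is no longer matched and the value is appended at EOF instead of replacing it in place. Suggest `- { regexp: '^#?\s*StopIdleSessionSec\s*=', line: "StopIdleSessionSec={{ rhel_08_020035_idlesessiontimeout }}" }` and `- { regexp: '^#?\s*KillUserProcesses\s*=', line: "KillUserProcesses=no" }`. The task's `tags` continue past the end of the hunk.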
@@ -3461,14 +3453,14 @@ create: true owner: root group: root - mode: 0640 + mode: '0640' regexp: '^idle-delay' line: | [org/gnome/desktop/session] # Set the lock time out to 900 seconds before the session is considered idle idle-delay=uint32 900 notify: dconf update - when: rhel_08_020060_idle_delay_param.stdout | length == 0 + when: rhel_08_020060_idle_delay_param.stdout_lines | length == 0 - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists" ansible.builtin.lineinfile: @@ -3477,9 +3469,9 @@ line: idle-delay=uint32 900 owner: root group: root - mode: 0640 - loop: "{{ rhel_08_020060_idle_delay_param.stdout }}" - when: rhel_08_020060_idle_delay_param.stdout | length > 0 + mode: '0640' + loop: "{{ rhel_08_020060_idle_delay_param.stdout_lines }}" + when: rhel_08_020060_idle_delay_param.stdout_lines | length > 0 notify: dconf update when: - rhel_08_020060 @@ -3509,7 +3501,7 @@ line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}" owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_020070 tags: @@ -3528,7 +3520,7 @@ line: /org/gnome/desktop/screensaver/lock-delay owner: root group: root - mode: 0640 + mode: '0640' when: - rhel_08_020080 - "'dconf' in ansible_facts.packages" @@ -3549,7 +3541,7 @@ line: "{{ item.line }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } @@ -3576,7 +3568,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: - rhel_08_020100 tags: @@ -3596,7 +3588,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: - rhel_08_020101 tags: 
@@ -3624,7 +3616,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020102_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists" @@ -3664,7 +3656,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020103_pwquality_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Replace if already exists" @@ -3693,6 +3685,7 @@ path: /etc/security/pwquality.conf regexp: '^retry =|^#.*retry =' line: retry = {{ rhel8stig_pam_pwquality_retry }} + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020104 - ansible_distribution_version is version('8.4', '>=') @@ -3712,7 +3705,7 @@ line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" create: true when: - rhel_08_020110 @@ -3733,7 +3726,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020120 tags: @@ -3753,7 +3746,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020130 tags: @@ -3773,7 +3766,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020140 tags: @@ -3793,7 +3786,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020150 tags: 
@@ -3813,7 +3806,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020160 tags: @@ -3833,7 +3826,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020170 tags: @@ -3875,7 +3868,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020190 tags: @@ -3891,11 +3884,11 @@ ansible.builtin.lineinfile: path: /etc/login.defs create: true - owner: root - group: root - mode: 0644 regexp: ^#?PASS_MAX_DAYS line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}" + owner: root + group: root + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020200 tags: @@ -3953,7 +3946,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020220_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" @@ -3992,7 +3985,7 @@ insertafter: '^password' owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pamd_file_perms }}" when: rhel_08_020221_pwhistory_status.stdout | length == 0 - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists" @@ -4023,7 +4016,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020230 tags: @@ -4042,7 +4035,7 @@ line: "PASS_MIN_LEN 15" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020231 tags: 
@@ -4100,7 +4093,7 @@ insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0600 + mode: '0600' notify: restart sssd with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } @@ -4112,7 +4105,7 @@ line: auth sufficient pam_sss.so try_cert_auth owner: root group: root - mode: 0644 + mode: '0644' notify: restart sssd when: rhel_08_020250_sc_auth_sss.stdout | length == 0 @@ -4159,7 +4152,7 @@ - CAT2 - CCI-000765 - SRG-OS-000105-GPOS-00052 - - SV-230372r627750_rule + - SV-230372r942945_rule - V-230372 - pamd @@ -4208,7 +4201,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020280 tags: @@ -4228,7 +4221,7 @@ insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } @@ -4240,7 +4233,7 @@ - CAT2 - CCI-002007 - SRG-OS-000383-GPOS-00166 - - SV-230376r627750_rule + - SV-230376r942948_rule - V-230376 - sssd @@ -4252,7 +4245,7 @@ create: true owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_pwquality_file_perms }}" when: - rhel_08_020300 tags: @@ -4271,7 +4264,7 @@ line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020310 tags: @@ -4343,7 +4336,7 @@ line: "UMASK {{ rhel8stig_login_defaults.umask | default('077') }}" owner: root group: root - mode: 0644 + mode: "{{ rhel8stig_login_defs_file_perms }}" when: - rhel_08_020351 tags: @@ -4559,7 +4552,7 @@ ansible.builtin.file: path: "{{ rhel08_030070_auditlog_location.stdout }}" state: "{{ (rhel08_030070_auditlog.stat.exists) | ternary('file', 'touch') }}" - mode: '0600' + mode: o-x,go-rwx when: - rhel_08_030070 tags: 
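Review bot: `mode: o-x,go-rwx` in the RHEL-08-030070 task spells the same removal twice — `go-rwx` already clears execute for others — so `mode: go-rwx` states the intent (0600 or more restrictive) with less to read. The move from the fixed `'0600'` to a subtractive symbolic mode is reasonable because it no longer widens a log that was already stricter, but since the neighbouring tasks still use absolute modes a one-line comment such as `# subtractive so an already stricter mode is preserved` would stop the next reader "fixing" it back.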
@@ -4687,7 +4680,7 @@ - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms" ansible.builtin.file: path: "{{ rhel_08_030120_audit_log_dir.stdout }}" - mode: 0700 + mode: go-rwx state: directory when: rhel_08_030120_audit_log_dir.stdout | length > 0 when: @@ -5473,7 +5466,7 @@ - name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited." ansible.builtin.file: path: "{{ item }}" - mode: 0640 + mode: '0640' with_items: - /etc/audit/rules.d/audit.rules - /etc/audit/auditd.conf @@ -5500,7 +5493,7 @@ - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools" ansible.builtin.file: path: "{{ item }}" - mode: 0755 + mode: go-w with_items: - "{{ rhel_08_030620_tools.stdout_lines }}" when: @@ -5571,7 +5564,7 @@ line: "{{ item }}" owner: root group: root - mode: 0600 + mode: '0600' with_items: - "# Audit Tools" - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 @@ -5696,7 +5689,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' regexp: "{{ item.regexp }}" line: "{{ item.line }}" with_items: 
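Review bot: `mode: go-w` for the RHEL-08-030620 audit tools removes group/other write but leaves setuid, setgid and sticky bits in place, so a tool found at 4755 stays at 4755 even though the task name says "0755 or less permissive"; the previous absolute `0755` did clear those bits. If the benchmark compares the full mode, `mode: u-s,g-s,o-t,go-w` keeps the subtractive style while also dropping the special bits. The same consideration applies to `mode: go-rwx` on the audit log directory in the first hunk of this line, where a setgid directory would be left as-is.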
@@ -5823,12 +5816,12 @@ line: "{{ item.line }}" owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" insertafter: "{{ item.insertafter }}" notify: change_requires_reboot with_items: - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' } - - { regexp: '^install uvcvideo', line: 'install uvcvideo /bin/true', insertafter: '##Disable WebCam' } + - { regexp: '^install uvcvideo', line: 'install uvcvideo /bin/false', insertafter: '##Disable WebCam' } - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' } when: - rhel_08_040020 @@ -5837,7 +5830,7 @@ - CAT2 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230493r809316_rule + - SV-230493r942915_rule - V-230493 - camera @@ -5971,9 +5964,9 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" with_items: - - { regexp: '^install usb-storage', line: 'install usb-storage /bin/true', insertafter: 'EOF' } + - { regexp: '^install usb-storage', line: 'install usb-storage /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'} when: - rhel_08_040080 @@ -5982,7 +5975,7 @@ - CAT2 - CCI-000778 - SRG-OS-000114-GPOS-00059 - - SV-230503r809319_rule + - SV-230503r942936_rule - V-230503 - usb_devices @@ -6130,7 +6123,7 @@ - CAT2 - CCI-002314 - SRG-OS-000297-GPOS-00115 - - SV-230504r809321_rule + - SV-230504r942942_rule - V-230504 - firewall @@ -6170,11 +6163,11 @@ ansible.builtin.lineinfile: path: /etc/modprobe.d/bluetooth.conf regexp: '^install bluetooth ' - line: "install bluetooth /bin/true" + line: "install bluetooth /bin/false" create: true owner: root group: root - mode: 0640 + mode: '0640' notify: change_requires_reboot - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth kernel module" 
@@ -6185,7 +6178,7 @@ line: "{{ item.line }}" owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" insertafter: "{{ item.insertafter }}" notify: change_requires_reboot with_items: @@ -6197,7 +6190,7 @@ - CAT2 - CCI-001443 - SRG-OS-000300-GPOS-00118 - - SV-230507r833336_rule + - SV-230507r942939_rule - V-230507 - bluetooth @@ -6670,7 +6663,9 @@ regexp: net.ipv4.conf.default.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040209_conflicting_settings.stdout_lines }}" - when: rhel_08_040209_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040209_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" ansible.posix.sysctl: @@ -6705,7 +6700,9 @@ regexp: net.ipv6.conf.default.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040210_conflicting_settings.stdout_lines }}" - when: rhel_08_040210_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040210_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file" ansible.posix.sysctl: @@ -6742,7 +6739,9 @@ regexp: net.ipv4.conf.all.send_redirects = [^0] state: absent loop: "{{ rhel_08_040220_conflicting_settings.stdout_lines }}" - when: rhel_08_040220_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040220_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file" ansible.posix.sysctl: 
@@ -6766,7 +6765,7 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address." block: - name: "MEDIUM | RHEL-08-040230 | AUDIT | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Find conflicting instances" - ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040230_conflicting_settings @@ -6774,19 +6773,22 @@ - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Replace conflicting instances" ansible.builtin.lineinfile: path: "{{ item }}" - regexp: net.ipv4.icmp_echo_ignore_broadcasts = [^1] + regexp: ^net.ipv4.icmp_echo_ignore_broadcasts.* state: absent loop: "{{ rhel_08_040230_conflicting_settings.stdout_lines }}" - when: rhel_08_040230_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040230_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file" ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts - value: 0 + value: 1 state: present reload: "{{ rhel8stig_sysctl_reload }}" sysctl_set: true sysctl_file: "{{ rhel8stig_sysctl_file }}" + when: - rhel_08_040230 tags: 
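Review bot: The 040230 find/replace pair now tolerates `key=0` spacing via `\s*=\s*` in the grep and `^net.ipv4.icmp_echo_ignore_broadcasts.*` in the removal, but the lineinfile regexps of the other sysctl tasks in this commit (for example `net.ipv4.conf.default.accept_redirects = [^0]` in the `@@ -6663` hunk) still require the single-space `key = value` form, so a conflicting `net.ipv4.conf.default.accept_redirects=1` line in another sysctl file is left in place and can still win depending on load order. Apply the same `\s*=\s*` form to those regexps for consistency. Changing `value: 0` to `value: 1` is the substantive fix here — the role previously wrote a non-compliant setting — and deserves an explicit line in the release notes rather than being buried among the rule-id bumps. The enclosing block starts outside the hunk.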
@@ -6812,7 +6814,9 @@ regexp: net.ipv4.conf.all.accept_source_route = [^0] state: absent loop: "{{ rhel_08_040239_conflicting_settings.stdout_lines }}" - when: rhel_08_040239_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040239_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file" ansible.posix.sysctl: @@ -6883,7 +6887,9 @@ regexp: net.ipv4.conf.default.accept_source_route = [^0] state: absent loop: "{{ rhel_08_040249_conflicting_settings.stdout_lines }}" - when: rhel_08_040249_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040249_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file" ansible.posix.sysctl: @@ -6954,7 +6960,9 @@ regexp: net.ipv4.conf.all.forwarding = [^0] state: absent loop: "{{ rhel_08_040259_conflicting_settings.stdout_lines }}" - when: rhel_08_040259_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040259_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file" ansible.posix.sysctl: @@ -6990,7 +6998,9 @@ regexp: net.ipv6.conf.all.forwarding = [^0] state: absent loop: "{{ rhel_08_040260_conflicting_settings.stdout_lines }}" - when: rhel_08_040260_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040260_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file" ansible.posix.sysctl: 
@@ -7002,6 +7012,7 @@ sysctl_file: "{{ rhel8stig_sysctl_file }}" when: - rhel_08_040260 + - rhel8stig_ipv6_required - not rhel8stig_system_is_router tags: - RHEL-08-040260 @@ -7026,7 +7037,9 @@ regexp: net.ipv6.conf.all.accept_ra = [^0] state: absent loop: "{{ rhel_08_040261_conflicting_settings.stdout_lines }}" - when: rhel_08_040261_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040261_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file" ansible.posix.sysctl: @@ -7063,7 +7076,9 @@ regexp: net.ipv6.conf.default.accept_ra = [^0] state: absent loop: "{{ rhel_08_040262_conflicting_settings.stdout_lines }}" - when: rhel_08_040262_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040262_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file" ansible.posix.sysctl: @@ -7100,7 +7115,9 @@ regexp: net.ipv4.conf.default.send_redirects = [^0] state: absent loop: "{{ rhel_08_040270_conflicting_settings.stdout_lines }}" - when: rhel_08_040270_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040270_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file" ansible.posix.sysctl: 
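Review bot: Only the 040260 block receives the new `rhel8stig_ipv6_required` condition, while the companion IPv6 sysctl tasks touched by this commit (040210, 040261, 040262, 040280) show no such gate in their visible lines; their block-level `when` sits outside these hunks, so if it lacks the condition the role still writes IPv6 sysctls on hosts where IPv6 is disabled and the pre/post audits will disagree with the remediation. Worth confirming and aligning, e.g. adding `- rhel8stig_ipv6_required` to each of those blocks. The 040260 block itself starts and ends outside the hunk.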
@@ -7135,7 +7152,9 @@ regexp: net.ipv4.conf.all.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040279_conflicting_settings.stdout_lines }}" - when: rhel_08_040279_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040279_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" ansible.posix.sysctl: @@ -7170,7 +7189,9 @@ regexp: net.ipv6.conf.all.accept_redirects = [^0] state: absent loop: "{{ rhel_08_040280_conflicting_settings.stdout_lines }}" - when: rhel_08_040280_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040280_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file" ansible.posix.sysctl: @@ -7206,7 +7227,9 @@ regexp: kernel.unprivileged_bpf_disabled = [^1] state: absent loop: "{{ rhel_08_040281_conflicting_settings.stdout_lines }}" - when: rhel_08_040281_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040281_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file" ansible.posix.sysctl: 
@@ -7230,7 +7253,7 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes." block: - name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances" - ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 + ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope\s*=\s*1" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1 changed_when: false failed_when: false register: rhel_08_040282_conflicting_settings @@ -7238,10 +7261,12 @@ - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Replace conflicting instances" ansible.builtin.lineinfile: path: "{{ item }}" - regexp: kernel.yama.ptrace_scope = [^1] + regexp: kernel.yama.ptrace_scope.* state: absent loop: "{{ rhel_08_040282_conflicting_settings.stdout_lines }}" - when: rhel_08_040282_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040282_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file" ansible.posix.sysctl: @@ -7276,7 +7301,9 @@ regexp: kernel.kptr_restrict = [^1] state: absent loop: "{{ rhel_08_040283_conflicting_settings.stdout_lines }}" - when: rhel_08_040283_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040283_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file" ansible.posix.sysctl: 
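Review bot: The `Find conflicting instances` grep in the `@@ -7253` hunk was changed from `= [^1]` to `\s*=\s*1`, which now selects files that already hold the compliant value `kernel.yama.ptrace_scope = 1`, and the following `Replace conflicting instances` task then deletes that line from them, while files carrying the actual conflict (`= 0`) are no longer found at all; this is the inverse of the 040230 hunk, where `\s*=\s*0` correctly targets the non-compliant value. A `kernel.yama.ptrace_scope = 0` left in a file read after `rhel8stig_sysctl_file` will then override the role's setting. Use `grep -rs "kernel.yama.ptrace_scope\s*=\s*[^1]"` and anchor the removal like its sibling, `regexp: ^kernel.yama.ptrace_scope.*`, so commented-out lines are left alone. The enclosing block starts outside the hunk.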
@@ -7311,7 +7338,9 @@ regexp: user.max_user_namespaces = [^0] state: absent loop: "{{ rhel_08_040284_conflicting_settings.stdout_lines }}" - when: rhel_08_040284_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040284_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file" ansible.posix.sysctl: @@ -7346,7 +7375,9 @@ regexp: net.ipv4.conf.all.rp_filter = [^1] state: absent loop: "{{ rhel_08_040285_conflicting_settings.stdout_lines }}" - when: rhel_08_040285_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040285_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file" ansible.posix.sysctl: @@ -7381,7 +7412,9 @@ regexp: net.core.bpf_jit_harden = [^2] state: absent loop: "{{ rhel_08_040286_conflicting_settings.stdout_lines }}" - when: rhel_08_040286_conflicting_settings.stdout | length > 0 + when: + - rhel_08_040286_conflicting_settings.stdout | length > 0 + - item != rhel8stig_sysctl_file - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file" ansible.posix.sysctl: diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index 31c8abb..6a8a5db 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml @@ -238,7 +238,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' when: - rhel_08_020024 tags: @@ -381,7 +381,7 @@ create: true owner: root group: root - mode: 0600 + mode: '0600' when: - rhel_08_030603 tags: 
@@ -472,10 +472,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install atm', line: 'install atm /bin/true', insertafter: 'EOF' } + - { regexp: '^install atm', line: 'install atm /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist atm', line: 'blacklist atm', insertafter: '^install atm /bin/true' } when: - rhel_08_040021 @@ -484,7 +484,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230494r792911_rule + - SV-230494r942918_rule - V-230494 - modprobe - atm @@ -498,10 +498,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install can', line: 'install can /bin/true', insertafter: 'EOF' } + - { regexp: '^install can', line: 'install can /bin/false', insertafter: 'EOF' } - { regexp: 'blacklist can', line: 'blacklist can', insertafter: '^install can /bin/true' } when: - rhel_08_040022 @@ -510,7 +510,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230495r792914_rule + - SV-230495r942921_rule - V-230495 - modprobe - can @@ -524,10 +524,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install sctp', line: 'install sctp /bin/true', insertafter: 'EOF' } + - { regexp: '^install sctp', line: 'install sctp /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist sctp', line: 'blacklist sctp', insertafter: '^install sctp' } when: - rhel_08_040023 @@ -536,7 +536,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230496r792917_rule + - SV-230496r942924_rule - V-230496 - modprobe - sctp 
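Review bot: After switching the install lines to `/bin/false`, the `insertafter` anchors `'^install atm /bin/true'` and `'^install can /bin/true'` in the atm and can tasks no longer match anything; `lineinfile` then falls back to appending `blacklist atm`/`blacklist can` at EOF, so the file is still correct but only by accident. Use the same form as the sctp entry, `insertafter: '^install atm'` and `insertafter: '^install can'`. The `regexp: 'blacklist can'` on the same task also lacks the `^` anchor its siblings have and would match a commented-out `#blacklist can` line. The enclosing tasks start outside the hunks.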
@@ -550,10 +550,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install tipc', line: 'install tipc /bin/true', insertafter: 'EOF' } + - { regexp: '^install tipc', line: 'install tipc /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist tipc', line: 'blacklist tipc', insertafter: '^install tipc' } when: - rhel_08_040024 @@ -562,7 +562,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230497r792920_rule + - SV-230497r942927_rule - V-230497 - modprobe - tipc @@ -576,10 +576,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install cramfs', line: 'install cramfs /bin/true', insertafter: 'EOF' } + - { regexp: '^install cramfs', line: 'install cramfs /bin/false', insertafter: 'EOF' } - { regexp: 'blacklist cramfs', line: 'blacklist cramfs', insertafter: '^install cramfs' } when: - rhel_08_040025 @@ -588,7 +588,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230498r792922_rule + - SV-230497r942927_rule - V-230498 - modprobe - cramfs @@ -602,10 +602,10 @@ create: true owner: root group: root - mode: 0640 + mode: "{{ rhel8stig_blacklist_conf_file_perms }}" notify: change_requires_reboot with_items: - - { regexp: '^install firewire-core', line: 'install firewire-core /bin/true', insertafter: 'EOF' } + - { regexp: '^install firewire-core', line: 'install firewire-core /bin/false', insertafter: 'EOF' } - { regexp: '^blacklist firewire-core', line: 'blacklist firewire-core', insertafter: '^install firewire-core' } when: - rhel_08_040026 @@ -614,7 +614,7 @@ - CAT3 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-230499r792924_rule + - SV-230499r942933_rule - V-230499 - modprobe - firewire diff --git a/tasks/main.yml b/tasks/main.yml index 14a40c9..96d3f1d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
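Review bot: The cramfs task (V-230498) in the `@@ -588` hunk now carries the tag `SV-230497r942927_rule`, which is the tipc task's rule id from the `@@ -562` hunk; the two tags are now identical and the cramfs one no longer matches its own `V-230498` line, so tag-based runs for that rule select the wrong task. It should be the V1R13 rule id for V-230498, i.e. `SV-230498r<V1R13_REVISION>_rule` with the revision taken from the benchmark. The `insertafter: '^install tipc'` form used here is the one the atm and can tasks should adopt too.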
@@ -134,23 +134,6 @@ - prelim_tasks - run_audit -- name: Include audit specific variables - ansible.builtin.include_vars: audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - setup_audit - - run_audit - -- name: Include pre-remediation audit tasks - ansible.builtin.import_tasks: pre_remediation_audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - run_audit - - name: Include CAT I patches ansible.builtin.import_tasks: fix-cat1.yml when: rhel8stig_cat1_patch diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 2c51bbb..b3111c8 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,11 +1,11 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users @@ -22,7 +22,7 @@ - audit_format == "json" block: - name: capture data {{ post_audit_outfile }} - ansible.builtin.shell: cat {{ post_audit_outfile }} + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false @@ -37,7 +37,7 @@ - audit_format == "documentation" block: - name: Post Audit | capture data {{ post_audit_outfile }} - ansible.builtin.shell: tail -2 {{ post_audit_outfile }} + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index e3a261e..d0137e8 100644 
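Review bot: `AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"` in the post_remediation_audit.yml hunk spells out the same fallback that pre_remediation_audit.yml and vars/audit.yml now also carry; keep the default in one declared `audit_conf_dest` so the three cannot drift apart. The `cat`/`tail` capture steps only gained quotes; since they need no shell features, `ansible.builtin.command: "cat {{ post_audit_outfile }}"` (or `ansible.builtin.slurp` for the JSON case) avoids shell parsing of the templated path and satisfies ansible-lint's command-instead-of-shell rule. The same two points apply to the pre_remediation_audit.yml hunks further down.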
--- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -5,7 +5,8 @@ - setup_audit tags: - setup_audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: @@ -32,23 +33,25 @@ when: - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_local_copy }}" + src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'archived' + - audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_copy }}" - dest: "{{ audit_conf_dir }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available when: 
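Review bot: The `get_url` branch now downloads and extracts `audit_conf_source` with `unarchive` and `remote_src`, which has no `checksum` option, so audit content fetched over the network is extracted with no integrity check; the previous `get_url` task could at least carry a `checksum`, and `contains('http')` also accepts plain `http://`. Prefer an `ansible.builtin.get_url` step with `checksum` (or at least an `https://` check) followed by a local `unarchive`. `ternary(true, false)` on a test that already yields a boolean is redundant, `remote_src: "{{ audit_conf_source is contains('http') }}"`, and `extra_opts` yields a string in one branch and a list in the other. Renaming the `audit_content` value from `'archived'` to `'archive'` silently drops users still setting `archived`: no branch matches and the role proceeds with whatever content is already on the host, so this needs a changelog entry or a fail-fast assert on the accepted values.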
@@ -77,19 +80,19 @@ mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format when: - audit_format == "json" block: - - name: capture data {{ pre_audit_outfile }} - ansible.builtin.shell: cat {{ pre_audit_outfile }} + - name: Pre Audit | Capture data {{ pre_audit_outfile }} + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false @@ -103,8 +106,8 @@ when: - audit_format == "documentation" block: - - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} + - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 9583a07..17891e5 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -1,5 +1,100 @@ --- +- name: PRELIM | set bootloader type + block: + - name: "PRELIM | Check whether machine is UEFI-based" + ansible.builtin.stat: + path: /sys/firmware/efi + register: rhel8_efi_boot + + - name: "PRELIM | set fact if UEFI boot" + ansible.builtin.set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + + - name: "PRELIM | set fact if UEFI boot | Oracle Linux" + ansible.builtin.set_fact: + rhel8stig_bootloader_path: /boot/efi/EFI/redhat + rhel8stig_legacy_boot: false + when: + - rhel8_efi_boot.stat.exists + - ansible_distribution == 'OracleLinux' + + - name: "PRELIM | set if not UEFI boot" + ansible.builtin.set_fact: + rhel8stig_bootloader_path: /boot/grub2/ + rhel8stig_legacy_boot: true + when: not rhel8_efi_boot.stat.exists + + - name: PRELIM | output bootloader and efi state + ansible.builtin.debug: + msg: + - "bootloader path set to {{ rhel8stig_bootloader_path }}" + - "legacy boot equals {{ rhel8stig_legacy_boot }}" + tags: + - always + +- name: "PRELIM | Gather interactive user ID min" + block: + - name: "PRELIM | Gather interactive user ID min" + ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel8stig_min_uid + + - name: "PRELIM | Gather interactive user ID max" + ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' + changed_when: false + failed_when: false + register: rhel8stig_max_uid + + - name: "PRELIM | Setting the fact" + ansible.builtin.set_fact: + rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" + rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" + tags: + - always + +- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" + block: + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" + 
ansible.builtin.stat: + path: "{{ rhel8stig_sssd_conf }}" + register: rhel8stig_sssd_conf_present + + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" + ansible.builtin.debug: + msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" + changed_when: true + when: + - not rhel8stig_sssd_conf_present.stat.exists + when: + - rhel_08_010400 or + rhel_08_020090 or + rhel_08_020250 or + rhel_08_020290 + tags: + - always + +- name: "PRELIM | Include audit specific variables" + ansible.builtin.include_vars: audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + +- name: "PRELIM | Include pre-remediation audit tasks" + ansible.builtin.import_tasks: pre_remediation_audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + - name: "PRELIM | RHEL-08-010020" block: - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions" @@ -212,17 +307,6 @@ - RHEL-08-010070 - RHEL-08-030010 -# - name: "PRELIM | RHEL-08-010730 | RHEL-08-20352 | Get local interactive user home directories" -# ansible.builtin.shell: ls -d $(awk -F':' '($3>=1000)&&($1!="nobody"){print $6}' /etc/passwd) -# changed_when: false -# failed_when: false -# register: local_home_directories -# when: -# - rhel_08_010730 or -# rhel_08_020352 -# tags: -# - always - - name: "PRELIM | RHEL-08-030620 | RHEL-08-030630 | RHEL-08-030640 | RHEL-08-030650 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins 
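Review bot: In the `PRELIM | Gather interactive user ID min` block moved into this hunk, `failed_when: false` on the two `grep` tasks means a missing or commented `UID_MIN`/`UID_MAX` in `/etc/login.defs` leaves `rhel8stig_interactive_uid_start`/`_stop` as empty strings that any later comparison will silently misjudge; a guarded default such as `rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | default('1000', true) | string }}"` (1000 is a constructed example, use the distribution's login.defs default) would fail closed instead. The sssd block's `when` lists `rhel_08_020090`, which is not among the controls named in the task title — worth confirming it is intentional. The moved UEFI `stat` task no longer carries the `goss_template` tag it had before; the block is tagged `always`, so this only matters if something filters on that tag.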
@@ -339,94 +423,13 @@ - RHEL-08-010770 - complexity-high -- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" - block: - - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" - ansible.builtin.stat: - path: "{{ rhel8stig_sssd_conf }}" - register: rhel8stig_sssd_conf_present - - - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" - ansible.builtin.debug: - msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" - changed_when: true - when: - - not rhel8stig_sssd_conf_present.stat.exists - when: - - rhel_08_010400 or - rhel_08_020090 or - rhel_08_020250 or - rhel_08_020290 - tags: - - always - -- name: "PRELIM | Gather interactive user ID min" - block: - - name: "PRELIM | Gather interactive user ID min" - ansible.builtin.shell: grep ^UID_MIN /etc/login.defs | awk '{print $2}' - changed_when: false - failed_when: false - register: rhel8stig_min_uid - - - name: "PRELIM | Gather interactive user ID max" - ansible.builtin.shell: grep ^UID_MAX /etc/login.defs | awk '{print $2}' - changed_when: false - failed_when: false - register: rhel8stig_max_uid - - - name: "PRELIM | Setting the fact" - ansible.builtin.set_fact: - rhel8stig_interactive_uid_start: "{{ rhel8stig_min_uid.stdout | string }}" - rhel8stig_interactive_uid_stop: "{{ rhel8stig_max_uid.stdout | string }}" - tags: - - always - - name: "PRELIM | Gather the package facts" ansible.builtin.package_facts: manager: auto tags: - always -- name: "PRELIM | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel8_efi_boot - tags: - - always - - goss_template - -- name: PRELIM | set bootloader type - block: - - name: "PRELIM | set fact if UEFI boot" - ansible.builtin.set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/{{ ansible_distribution | lower }} - 
rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - - name: "PRELIM | set fact if UEFI boot | Oracle Linux" - ansible.builtin.set_fact: - rhel8stig_bootloader_path: /boot/efi/EFI/redhat - rhel8stig_legacy_boot: false - when: - - rhel8_efi_boot.stat.exists - - ansible_distribution == 'OracleLinux' - - - name: "PRELIM | set if not UEFI boot" - ansible.builtin.set_fact: - rhel8stig_bootloader_path: /boot/grub2/ - rhel8stig_legacy_boot: true - when: not rhel8_efi_boot.stat.exists - - - name: PRELIM | output bootloader and efi state - ansible.builtin.debug: - msg: - - "bootloader path set to {{ rhel8stig_bootloader_path }}" - - "legacy boot equals {{ rhel8stig_legacy_boot }}" - tags: - - always - -- name: "PRELIM | RHEL-08-020017 | RHEL-08-020027 | REHL-08-020028 | If using selinux set up system prereqs" +- name: "PRELIM | RHEL-08-020017 | RHEL-08-020027 | RHEL-08-020028 | If using selinux set up system prereqs" block: - name: "PRELIM | RHEL-08-020017 | Install policycoreutils-python-utils" ansible.builtin.package: @@ -438,7 +441,7 @@ ansible.builtin.file: path: "{{ rhel8stig_pam_faillock.dir }}" state: directory - mode: 0755 + mode: '0755' owner: root group: root recurse: true diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index d9af9ea..bbb1c77 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -2,7 +2,7 @@ ## metadata for Audit benchmark benchmark_version: {{ benchmark_version }} -rhel8stig_os_distribution: {{ ansible_distribution | lower }} +rhel8stig_os_distribution: {{ ansible_facts['distribution'] | lower }} gpg_keys: {% for info in gpg_keys %} 
@@ -11,8 +11,9 @@ gpg_keys: {% endfor %} rpm_gpg_key: {{ rpm_gpg_key }} -rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %} +rhel8stig_os_version_pre_8_2: {% if ansible_facts['distribution_version'] is version('8.1', '<=') %}true{% else %}false{% endif %} +OS_ver: {{ ansible_facts['distribution_version'] }} # Some tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long @@ -225,7 +226,7 @@ RHEL_08_020100: {{ rhel_08_020100 }} RHEL_08_020101: {{ rhel_08_020101 }} RHEL_08_020102: {{ rhel_08_020102 }} RHEL_08_020103: {{ rhel_08_020103 }} -RHEL_08_020104: {{ rhel_08_020104 }} +RHEL_08_020104: {% if ansible_facts['distribution_version'] is version('8.4', '>=') %}true{% else %}false{% endif %} # Only runs if 8.4 or greater RHEL_08_020110: {{ rhel_08_020110 }} RHEL_08_020120: {{ rhel_08_020120 }} RHEL_08_020130: {{ rhel_08_020130 }} @@ -407,7 +408,7 @@ RHEL_08_010292: {{ rhel_08_010292 }} RHEL_08_010375: {{ rhel_08_010375 }} RHEL_08_010376: {{ rhel_08_010376 }} RHEL_08_010440: {{ rhel_08_010440 }} -RHEL_08_010471: {{ rhel_08_010471 }} +RHEL_08_010471: {% if ansible_facts['distribution_version'] is version('8.4', '>=') %}false{% else %}true{% endif %} # Only runs if 8.3 or less RHEL_08_010540: {{ rhel_08_010540 }} RHEL_08_010541: {{ rhel_08_010541 }} RHEL_08_010542: {{ rhel_08_010542 }} diff --git a/vars/audit.yml b/vars/audit.yml index 89e61a8..2802b3e 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
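Review bot: `RHEL_08_020104` and `RHEL_08_010471` are now rendered purely from the OS version and no longer consult the operator's `rhel_08_020104`/`rhel_08_010471` switches, so a control the user has disabled is still audited and reported as a failure. Combine the two, e.g. `RHEL_08_020104: {% if rhel_08_020104 and ansible_facts['distribution_version'] is version('8.4', '>=') %}true{% else %}false{% endif %}` and the mirror form for `RHEL_08_010471` with `'<'`. The new `OS_ver` key breaks the file's `lower_snake_case` convention; `os_ver` would match its neighbours. The `is version('8.1', '<=')` rewrite is a genuine fix, since the old string comparison misordered versions such as `8.10`.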
@@ -15,14 +15,12 @@ audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark_{{ benchmark_version }}_rh8" ## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" ## The following should not need changing @@ -36,6 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} + The audit results are: {{ pre_audit_summary }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }}
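Review bot: `pre_audit_outfile` and `post_audit_outfile` now build on `audit_log_dir`, but this hunk removes the only local definition of the former output directory (`audit_out_dir`) and declares no `audit_log_dir`; unless it is defined elsewhere (defaults or the audit vars), templating these paths fails with an undefined-variable error at the first audit task. Declare it with an explicit default next to `audit_conf_dir`, e.g. `audit_log_dir: "<LOG_DIR_PLACEHOLDER>"`. The `audit_conf_dest | default('/opt')` fallback is now spelled out here and in pre/post_remediation_audit.yml; one declared default would keep them from drifting apart.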