From f858e3f7a53611d1762bbce2b925b39277f5bf72 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Fri, 12 Apr 2024 14:28:26 -0400 Subject: [PATCH 01/34] Add rhel_09_271095 switch to defaults The missing variable caused an error message. Adding it to the role's defaults with a true value eliminates the message. Signed-off-by: PoundsOfFlesh --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index 121d357..348afa5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -361,6 +361,7 @@ rhel_09_271075: true rhel_09_271080: true rhel_09_271085: true rhel_09_271090: true +rhel_09_271095: true rhel_09_271100: true rhel_09_271105: true rhel_09_271110: true From 7d3cb24aa87f8770aabaff65cdf1c7757514fd33 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 11:59:22 -0400 Subject: [PATCH 02/34] Fix loop on RHEL-09-652025 Removed the hyphen on the loop statement. The rhel9stig_rsyslog_conf.files variable is already an array. The hyphen creates an array containing this array as an element. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-65xxxx.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml index d2edc1f..34169df 100644 --- a/tasks/Cat2/RHEL-09-65xxxx.yml +++ b/tasks/Cat2/RHEL-09-65xxxx.yml @@ -183,8 +183,7 @@ line: '#\1\2\3' path: "{{ item.path }}" regex: (Input|ModLoad)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*) - loop: - - "{{ rhel9stig_rsyslog_conf.files }}" + loop: "{{ rhel9stig_rsyslog_conf.files }}" - name: "MEDIUM | RHEL-09-652030 | PATCH | All RHEL 9 remote access methods must be monitored." when: From d812ac2fd12550a8dd68a7f955ba116c4e42c1d1 Mon Sep 17 00:00:00 2001 
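Review bot: With `backrefs` (implied by the `\1\2\3` in `line`; set above the hunk) `lineinfile` rewrites only the last line that `regex` matches, so a file that loads both `imtcp` and `imudp` keeps all but one of those lines active after this task runs; commenting out every match needs `ansible.builtin.replace`, e.g. `regexp: '^(\s*)(\$?(?:Input|ModLoad)(?:TCP|UDP|RELP|imtcp|imudp|imrelp).*)$'` with `replace: '\1#\2'` (the leading `^\s*` also leaves already-commented lines untouched, keeping the task idempotent). The pattern only covers the legacy `$ModLoad`/`$Input…` directives; RainerScript forms such as `module(load="imtcp")` and `input(type="imtcp" …)` are not matched, so a listener configured that way survives — presumably worth a second pattern or a comment stating that only the legacy syntax is handled. The task's name and `when` start above the hunk.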
From: PoundsOfFlesh Date: Thu, 16 May 2024 12:16:41 -0400 Subject: [PATCH 03/34] Add create directive to the lineinfile module for RHEL-09-271015 The lineinfile module produces a error if the file does not exist. Adding the directive allows the module to create the file. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index feacd20..e57a4e6 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -45,6 +45,7 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: + create: true line: banner-message-enable path: "/etc/dconf/db/{{ item }}.d/locks/session" mode: '0644' From 48d82c70b32d17dd9024308198cc8816ff087580 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 12:27:38 -0400 Subject: [PATCH 04/34] Fix references to 672045 in RHEL_09_672050 Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-67xxxx.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml index 3d8f028..37a6f23 100644 --- a/tasks/Cat2/RHEL-09-67xxxx.yml +++ b/tasks/Cat2/RHEL-09-67xxxx.yml @@ -283,10 +283,10 @@ - name: "MEDIUM | RHEL-09-672050 | PATCH | RHEL 9 must implement DOD-approved encryption in the bind package." when: - - rhel_09_672045 + - rhel_09_672050 - "'bind' in ansible_facts.packages" tags: - - RHEL-09-672045 + - RHEL-09-672050 - CAT2 - CCI-002418 - CCI-002422 From 2b7efd6bc974cfba3edbea07024e3645df434a65 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 12:31:39 -0400 Subject: [PATCH 05/34] Fix filename for rhel_09_213080 The value stored in rhel9stig_sysctl_file.kernel was not the correct file to modify. Changed the sysctl module to modify /usr/lib/sysctl.d/10-default-yama-scope.conf. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-21xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml index f64b9bb..8c8401f 100644 --- a/tasks/Cat2/RHEL-09-21xxxx.yml +++ b/tasks/Cat2/RHEL-09-21xxxx.yml @@ -690,7 +690,7 @@ ansible.posix.sysctl: name: kernel.yama.ptrace_scope state: present - sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}" + sysctl_file: /usr/lib/sysctl.d/10-default-yama-scope.conf sysctl_set: true value: '1' notify: Reload_sysctl From 49a2b81caaaecf2953d4b1bbfee5a39e60e49c99 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 12:38:07 -0400 Subject: [PATCH 06/34] Fix filename modified by RHEL_09_255065 The SCAP tool checks the openssh.config file for the correct cyphers. Changed the lineinfile module to update openssh.conf instead of opensshserver.config. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-25xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index dcf2d3a..54bea43 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -1052,7 +1052,7 @@ notify: Change_requires_reboot ansible.builtin.lineinfile: line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" - path: /etc/crypto-policies/back-ends/opensshserver.config + path: /etc/crypto-policies/back-ends/openssh.config regexp: ^Ciphers - name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." From 2baae26008d39d1798958f5a4e6a3089226365e7 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 12:40:20 -0400 Subject: [PATCH 07/34] Add % to space_left attributes of rhel9stig_audit_conf Signed-off-by: PoundsOfFlesh --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 348afa5..a2418a2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
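Review bot: `sysctl_file: /usr/lib/sysctl.d/10-default-yama-scope.conf` edits a vendor-owned drop-in, so the setting can be reverted by the next update of the package that ships that file, and sysctl.d precedence means any file under `/etc/sysctl.d/` or a later-sorting file in `/usr/lib/sysctl.d/` that sets `kernel.yama.ptrace_scope` still wins. Writing the same file name under `/etc/sysctl.d/` is the documented override path (a file there shadows the `/usr/lib` one of the same name): `sysctl_file: /etc/sysctl.d/10-default-yama-scope.conf`. If the hard-coded `/usr/lib` path is kept because the scanner reads that exact file, a comment saying so next to the line would stop the next maintainer from switching it back to `rhel9stig_sysctl_file.kernel`. The task's name and `when` are above the hunk.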
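Review bot: `path: /etc/crypto-policies/back-ends/openssh.config` points `lineinfile` at a file that `update-crypto-policies` regenerates, so the `Ciphers` line written here is lost the next time the policy is (re)applied; as far as I recall that entry is also a symlink into `/usr/share/crypto-policies/` on RHEL 9, and if the module replaces the link with a regular file the role's own RHEL-09-672020 audit (`ls -l` of that directory filtered on `FIPS`) would start flagging it. The durable form is a crypto-policy module or a `FIPS`-based policy carrying the same cipher list rather than a direct edit; if the direct edit is kept to satisfy the scanner, a comment on the `path:` line noting that `update-crypto-policies` overwrites it is the minimum. The task's header and `when` sit above the hunk.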
@@ -826,7 +826,7 @@ rhel9stig_remotelog_server: rhel9stig_audit_log_filesystem: /var/log/audit rhel9stig_audit_conf: action_mail_acct: root - admin_space_left: 5 + admin_space_left: 5% admin_space_left_action: single disk_error_action: HALT # Can be one of "SYSLOG", "SINGLE", or "HALT" disk_full_action: HALT # Can be one of "SYSLOG", "SINGLE", or "HALT" @@ -838,7 +838,7 @@ rhel9stig_audit_conf: max_log_file_action: ROTATE name_format: hostname overflow_action: syslog - space_left: 25 + space_left: 25% space_left_action: email write_logs: 'yes' From 615bfc02d4e44cd446de149790721b875dcb69d9 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 12:44:20 -0400 Subject: [PATCH 08/34] Correct the filename in RHEL-09-255155 The X11forwarding option should be in the file /etc/ssh/sshd_config.d/50-redhat.conf. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-25xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index 54bea43..2fda8fd 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -1426,7 +1426,7 @@ ansible.builtin.lineinfile: create: true line: "X11forwarding {{ rhel9stig_sshd_config.x11forward }}" - path: "{{ rhel9stig_sshd_config_file }}" + path: /etc/ssh/sshd_config.d/50-redhat.conf regexp: ^(?i)(#|)X11forwarding\s*(yes|no) validate: sshd -t -f %s From 6713656a7e880c974654f598fd04f6296c17d000 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 12:52:43 -0400 Subject: [PATCH 09/34] Add full dconf path to banner-message-enable in RHEL-09-271015 The full dconf path is /org/gnome/login-screen/banner-message-enable. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index e57a4e6..dd9372b 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml 
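Review bot: Hard-coding `path: /etc/ssh/sshd_config.d/50-redhat.conf` does not by itself make the setting effective: sshd keeps the first value it reads for each keyword, and RHEL 9's `sshd_config` includes `sshd_config.d/*.conf` in lexical order before its own body, so a drop-in sorting earlier (`00-…`, `01-…`) that sets `X11Forwarding` wins over this file. A guard task that greps the other drop-ins and `sshd_config` for `^\s*X11Forwarding`, or a comment on the `path:` line stating that the role assumes no earlier drop-in sets it, would make that dependency visible. The context line `regexp: ^(?i)(#|)X11forwarding\s*(yes|no)` places the inline flag after `^`; Python 3.11+ rejects global flags that are not at the start of the pattern, so it should become `regexp: (?i)^(#|)X11forwarding\s*(yes|no)` before the target hosts' Python moves past 3.10. The task's name and `when` start above the hunk.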
@@ -46,7 +46,7 @@ notify: Update_dconf ansible.builtin.lineinfile: create: true - line: banner-message-enable + line: /org/gnome/login-screen/banner-message-enable path: "/etc/dconf/db/{{ item }}.d/locks/session" mode: '0644' modification_time: preserve From d3b3d20655c521b4c5c3a143d560490e07b96bd3 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 12:55:18 -0400 Subject: [PATCH 10/34] Fix RHEL-09-271045 to remove extra spaces The SCAP tool does not handle extra spaces when checking this rule. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index dd9372b..887d258 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -165,6 +165,7 @@ notify: Update_dconf community.general.ini_file: create: true + no_extra_spaces: true option: removal-action path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/settings-daemon/peripherals/smartcard' From 50b80bdb225e91efd26534024eea7adc0c7de4d1 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 12:56:31 -0400 Subject: [PATCH 11/34] Correct the filename modified by RHEL-09-271055 Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 887d258..77fe33a 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -211,7 +211,7 @@ community.general.ini_file: create: true option: lock-enabled - path: "/etc/dconf/db/{{ item }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-screensaver" section: 'org/gnome/desktop/screensaver' value: 'true' loop: "{{ rhel9stig_dconf_db.stdout_lines }}" From fe46a8e341f53a969f774241fa5b7b44fa5afc50 Mon Sep 17 00:00:00 2001 
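Review bot: The new `line: /org/gnome/login-screen/banner-message-enable` has no `regexp`, so on hosts that already ran the previous version the stale `banner-message-enable` entry stays in the locks file next to the new one instead of being corrected; `regexp: '^/?(org/gnome/login-screen/)?banner-message-enable$'` makes `lineinfile` rewrite either form in place. The same applies to the `media-keys/logout` lock fixed in PATCH 14, where `regexp: '^/?org/gnome/settings-daemon/plugins/media-keys/logout$'` would do the equivalent. The task header and the `when` list are above the hunk.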
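Review bot: Moving `path:` to `00-screensaver` leaves the `lock-enabled` key that earlier runs of the role wrote under `[org/gnome/desktop/screensaver]` in `00-security-settings` in place — same value, so not harmful, but orphaned content that no task owns any more; a `community.general.ini_file` task with `state: absent` on the old location would clean it up. PATCH 13 has the same shape for `disable-restart-buttons`, which earlier runs wrote under the smartcard section of `00-security-settings`. The task header is above the hunk.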
From: PoundsOfFlesh Date: Thu, 16 May 2024 13:00:34 -0400 Subject: [PATCH 12/34] Fix picture-uri setting in RHEL-09-271085 The picture-uri cannot be blank. It must be an empty string (""). Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 77fe33a..ba7cb7a 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -341,7 +341,7 @@ option: picture-uri path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/screensaver' - value: '' + value: '""' loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." From bd12ca3de8cbdb412b1ff776a4e41d58cc9c682b Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 13:05:49 -0400 Subject: [PATCH 13/34] Fix disable-restart-buttons setting in RHEL-09-271095 The RHEL-09-271095 rule modified security settings. This appeared to be copy/paste error. Corrected the rule to update the 02-login-screen file. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index ba7cb7a..4f536ed 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -382,8 +382,8 @@ community.general.ini_file: create: true option: disable-restart-buttons - path: "/etc/dconf/db/{{ item }}.d/00-security-settings" - section: 'org/gnome/settings-daemon/peripherals/smartcard' + path: "/etc/dconf/db/{{ item }}.d/02-login-screen" + section: 'org/gnome/login-screen' value: 'true' loop: "{{ rhel9stig_dconf_db.stdout_lines }}" From 5dcb7219da8f96efdf225283bbe350a4842d7e6d Mon Sep 17 00:00:00 2001 
From: PoundsOfFlesh Date: Thu, 16 May 2024 13:06:57 -0400 Subject: [PATCH 14/34] Fix missing '/' in RHEL-09-271110 Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 4f536ed..e1f1b79 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -442,7 +442,7 @@ notify: Update_dconf ansible.builtin.lineinfile: create: true - line: org/gnome/settings-daemon/plugins/media-keys/logout + line: /org/gnome/settings-daemon/plugins/media-keys/logout path: "/etc/dconf/db/{{ item }}.d/locks/session" loop: "{{ rhel9stig_dconf_db.stdout_lines }}" From fcff2aa98c67d3fe0f26f3023ef3d1cc8bae6a91 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 13:10:31 -0400 Subject: [PATCH 15/34] Fix loop on RHEL-09-232245 The stdout_lines var is already an array. The hyphen in the loop clause creates an array containing an array. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-23xxxx.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index 962aedd..fe204fc 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml @@ -1840,8 +1840,7 @@ ansible.builtin.file: path: "{{ item }}" mode: +t - loop: - - "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}" + loop: "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}" - name: "RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories." when: From 2c3c457b948d4c8acd3f0d5bbfcba65d0a91c09e Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 13:15:41 -0400 Subject: [PATCH 16/34] Fix RHEL_09_611085 grep statement If the /etc/sudoers.d folder is empty, grep produces an error when the file glob '*' is used. The -r option was added to recurse into the empty folder without an error. 
Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-61xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml index 3eeb897..7b03e42 100644 --- a/tasks/Cat2/RHEL-09-61xxxx.yml +++ b/tasks/Cat2/RHEL-09-61xxxx.yml @@ -482,7 +482,7 @@ warn_control_id: "MEDIUM | RHEL-09-611085" block: - name: "MEDIUM | RHEL-09-611085 | AUDIT | RHEL 9 must require users to provide a password for privilege escalation" - ansible.builtin.shell: grep NOPASSWD /etc/sudoers /etc/sudoers.d/* + ansible.builtin.shell: grep -r NOPASSWD /etc/sudoers /etc/sudoers.d/ changed_when: false failed_when: rhel9stig_sudo_nopasswd.rc not in [ 0, 1 ] register: rhel9stig_sudo_nopasswd From c8197db1d2a5fa50ad0a5763e0693305033ebd13 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 13:20:08 -0400 Subject: [PATCH 17/34] Fix path in RHEL-09-611170 The grep command separates the filename from the matched text with a colon. Split the output on the colon character and use the first element as the filename. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-61xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml index 7b03e42..cea79cd 100644 --- a/tasks/Cat2/RHEL-09-61xxxx.yml +++ b/tasks/Cat2/RHEL-09-61xxxx.yml @@ -881,7 +881,7 @@ ansible.builtin.lineinfile: backrefs: true line: '#\1' - path: "{{ item }}" + path: "{{ item.split(':').0 }}" regexp: ^((#|)certificate_verification =.*) loop: "{{ rhel9stig_sssd_cert_verification_files.stdout_lines }}" From 975b49392e9657b1343906bb65198930a14ee2f0 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:00:04 -0400 Subject: [PATCH 18/34] Fix RHEL_09_672050 regex The regular expression had an erroneous "\". Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-67xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
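Review bot: `grep -r NOPASSWD /etc/sudoers /etc/sudoers.d/` matches the bare string, so a commented-out line (the stock RHEL sudoers ships a commented `%wheel … NOPASSWD: ALL` example) makes the audit report a finding on a compliant host; anchoring to uncommented text, `grep -rE '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/`, removes that false positive. `-r` also descends into files sudo itself ignores (names containing `.` or ending in `~`), so hits there are not live policy — acceptable for a warning, but worth a comment on the line. The enclosing block and its `when` start above the hunk.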
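Review bot: `path: "{{ item.split(':').0 }}"` assumes every element of `rhel9stig_sssd_cert_verification_files.stdout_lines` starts with a filename and a colon, which grep only prints when it was given more than one file (or `-H`); when exactly one file matched, the element is the matched text itself and `lineinfile` is pointed at a path that does not exist. Having the audit command (above the hunk, presumably a grep over several files) use `grep -l` so it emits only filenames — or at least `-H` — makes the loop independent of how many files matched and lets this line go back to `path: "{{ item }}"`. If the `file:match` prefix is kept, `split(':').0` is the right slice since the matched text can itself contain colons.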
diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml index 37a6f23..7875a05 100644 --- a/tasks/Cat2/RHEL-09-67xxxx.yml +++ b/tasks/Cat2/RHEL-09-67xxxx.yml @@ -300,4 +300,4 @@ ansible.builtin.lineinfile: line: 'include "/etc/crypto-policies/back-ends/bind.config";' path: /etc/named.conf - regexp: ^(|\s*)\include = /etc/crypto-policies + regexp: ^(|\s*)include = /etc/crypto-policies From b3a5015bda78c8e49db0b31ebdae8c423d101f6c Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:04:44 -0400 Subject: [PATCH 19/34] Fix names of tasks Several names had the prefix RHEL-08 instead of RHEL-09. Signed-off-by: PoundsOfFlesh --- tasks/Cat1/RHEL-09-2xxxxx.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/Cat1/RHEL-09-2xxxxx.yml b/tasks/Cat1/RHEL-09-2xxxxx.yml index 569b3ad..e5f37a4 100644 --- a/tasks/Cat1/RHEL-09-2xxxxx.yml +++ b/tasks/Cat1/RHEL-09-2xxxxx.yml @@ -197,7 +197,7 @@ name: tftp state: absent -- name: HIGH | RHEL-08-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification +- name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. when: - rhel_09_231190 
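Review bot: The corrected `regexp: ^(|\s*)include = /etc/crypto-policies` still cannot match a named.conf include, because BIND's directive form is `include "file";` with no `=` — the `line:` two lines above in the same hunk shows exactly that syntax — so an existing include of a different crypto-policies back-end is never rewritten and the task can only ever append. `regexp: '^\s*include\s+"/etc/crypto-policies/'` matches the real form, and `\s*` already covers the empty alternative so `(|\s*)` can go. The task's name and `when` are above the hunk, and this hunk is the end of the file.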
@@ -218,14 +218,14 @@ vars: warn_control_id: "HIGH | RHEL-09-231190" block: - - name: HIGH | RHEL-08-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + - name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout ansible.builtin.shell: blkid changed_when: false failed_when: false register: rhel_09_231190_partition_layout - - name: HIGH | RHEL-08-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + - name: HIGH | RHEL-09-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning ansible.builtin.debug: msg: @@ -233,7 +233,7 @@ - If partitions other than pseudo file systems (such as /proc or /sys or tmpfs) this is a finding - "{{ rhel_09_231190_partition_layout.stdout_lines }}" - - name: HIGH | RHEL-08-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + - name: HIGH | RHEL-09-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning ansible.builtin.import_tasks: file: warning_facts.yml From f14b93f0ab75addf0d811cc8a8f3a3dd628af3eb Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:06:25 -0400 Subject: [PATCH 20/34] Remove hyphen from rhel9stig_custom_firewall.interface Signed-off-by: PoundsOfFlesh --- defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/defaults/main.yml b/defaults/main.yml index a2418a2..3def906 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -691,8 +691,7 @@ rhel9stig_home_filesystem: '/home' # rhel9stig_custom_firewall_zone is the desired name for the firewall zone rhel9stig_custom_firewall: zone: "drop" - interface: - - "{{ ansible_default_ipv4.interface }}" + interface: "{{ ansible_default_ipv4.interface }}" # rhel9stig_white_list_services is the services that you want to allow through initially for the new firewall zone # http and ssh need to be enabled for the role to run. From c8dfa34d565af9e2674557e09979c386ba652259 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:10:36 -0400 Subject: [PATCH 21/34] Fix RHEL_09_411050 conditional execution Correct conditional check so task runs if inactive user setting *is* set to -1. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-4xxxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml index ad564fc..03862e2 100644 --- a/tasks/Cat2/RHEL-09-4xxxxx.yml +++ b/tasks/Cat2/RHEL-09-4xxxxx.yml @@ -259,7 +259,7 @@ - name: "MEDIUM | RHEL-09-411050 | PATCH | RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity." when: - rhel9stig_inactive_user_setting is defined - - "'-1' not in rhel9stig_inactive_user_setting.stdout" + - "'-1' in rhel9stig_inactive_user_setting.stdout" - "rhel9stig_user_inactive_days not in rhel9stig_inactive_user_setting.stdout" ansible.builtin.shell: "useradd -D -f {{ rhel9stig_user_inactive_days }}" From 35eb82708569018384c49bb204a78e53caeb09e7 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:13:00 -0400 Subject: [PATCH 22/34] Modify RHEL_09_232045 to check /root The SCAP tool checks the permissions on the root user home folder. 
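Review bot: Flipping the condition to `'-1' in rhel9stig_inactive_user_setting.stdout` means the fix now runs only when account inactivity is disabled; a host whose default is some other non-compliant value (say `INACTIVE=90`) skips the task entirely and stays non-compliant, even though the third condition would have caught it. The two substring tests collapse into one exact check, `- "rhel9stig_inactive_user_setting.stdout is not search('^INACTIVE=' ~ rhel9stig_user_inactive_days ~ '$', multiline=True)"`, which runs whenever the value differs from the target (`-1` included) and also stops `'35' in …` from matching unrelated digits elsewhere in the output. The command that populates the registered variable is outside the hunk; this assumes it is `useradd -D` output, as the `useradd -D -f` fix on the next line implies.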
Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-23xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index fe204fc..f70067f 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml @@ -1036,7 +1036,7 @@ depth: 3 file_type: file hidden: true - path: "{{ rhel9stig_home_filesystem }}" + paths: ["{{ rhel9stig_home_filesystem }}", /root] patterns: ".*" recurse: true register: user_dot_files From db714446cf8bbce5445a66f3a1e84f53d39bf0fa Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:15:32 -0400 Subject: [PATCH 23/34] Fix loop on RHEL-09-232020 The variable, rhel9stig_library_directory_perms.stdout_lines, is already an array. Remove the hyphen in the loop statement. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-23xxxx.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index f70067f..299170c 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml @@ -921,7 +921,7 @@ - NIST800-53R4_CM-5 block: - name: "MEDIUM | RHEL-09-232020 | AUDIT | RHEL 9 library files must have mode 755 or less permissive." - ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; | awk '{ print $NF}' + ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 -perm /7022 -type f -exec ls -l {} \; | awk '{ print $NF}' changed_when: false failed_when: rhel9stig_library_directory_perms.rc not in [ 0, 1 ] register: rhel9stig_library_directory_perms @@ -931,8 +931,7 @@ ansible.builtin.file: mode: '0755' path: "{{ item }}" - loop: - - "{{ rhel9stig_library_directory_perms.stdout_lines }}" + loop: "{{ rhel9stig_library_directory_perms.stdout_lines }}" - name: "MEDIUM | RHEL-09-232025 | PATCH | RHEL 9 /var/log directory must have mode 0755 or less permissive." when: 
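Review bot: Changing the find expression to `-perm /7022` widens the audit to any file with a setuid, setgid or sticky bit, and the fix task in the second hunk then forces `mode: '0755'` on every hit — stripping the bit from any legitimately setuid helper under these library paths (presumably at least one exists on RHEL 9; verify before relying on this). The removed line appears to mirror the STIG check command (`find -L … -perm /022 -type f`); keeping `-perm /022` matches the control, or if the wider net is intentional the fix should clear only the offending bits (`mode: 'g-w,o-w'`) rather than overwrite the whole mode. Independently, `ls -l … | awk '{ print $NF}'` yields only the last whitespace-separated field, so a path containing a space is truncated before it reaches the `file` task; `find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -print` gives the paths directly. The block header and its `when` are above the hunk.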
From e545d735e5872f389822a00b4e359c336db06859 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:20:46 -0400 Subject: [PATCH 24/34] Set the option no_extra_spaces to true for RHEL-09-252040 The SCAP tool does not consider spaces when scanning NetworkManager.conf. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-25xxxx.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index 2fda8fd..ca6306f 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -310,6 +310,7 @@ section: main state: present value: none + no_extra_spaces: true register: rhel09stig_dns_nm_set - name: "MEDIUM | RHEL-09-252035 | PATCH | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured." From 88597d5d16ae47ba292a3a7c103cbdb431a3e9e2 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:23:33 -0400 Subject: [PATCH 25/34] Include quotes in value for RHEL-09-271095 The SCAP tool looks for 'true' (with quotes) when scanning the 02-login-screen file. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index e1f1b79..d955223 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -341,7 +341,7 @@ option: picture-uri path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/screensaver' - value: '""' + value: "''" loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." 
@@ -384,7 +384,8 @@ option: disable-restart-buttons path: "/etc/dconf/db/{{ item }}.d/02-login-screen" section: 'org/gnome/login-screen' - value: 'true' + value: "'true'" + no_extra_spaces: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271100 | PATCH | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface." From 7d2d8c040d36004868660f682860c83657d61b71 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:25:09 -0400 Subject: [PATCH 26/34] Fix RHEL-09-611205 path The file objects returned by the find module have a path attribute. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-61xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml index cea79cd..b48241e 100644 --- a/tasks/Cat2/RHEL-09-61xxxx.yml +++ b/tasks/Cat2/RHEL-09-61xxxx.yml @@ -1017,6 +1017,6 @@ when: - rhel9stig_keytab_files.matched > 0 ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.path }}" state: absent loop: "{{ rhel9stig_keytab_files.files }}" From 0d3f69844f5fee5a3ea3122cd78179a4e2e2b8e1 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:29:34 -0400 Subject: [PATCH 27/34] Fix execution order of tasks The opensc package installs the opensc.conf file. Move RHEL_09_611185 before RHEL_09_611160 so that opensc is installed before trying to modify opensc.conf. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-61xxxx.yml | 38 +++++++++++++++++------------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/tasks/Cat2/RHEL-09-61xxxx.yml b/tasks/Cat2/RHEL-09-61xxxx.yml index b48241e..e4c6129 100644 --- a/tasks/Cat2/RHEL-09-61xxxx.yml +++ b/tasks/Cat2/RHEL-09-61xxxx.yml 
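Review bot: `path: "{{ item.path }}"` with `state: absent` now deletes every keytab the find returned, and if `/etc/krb5.keytab` is among them that breaks host authentication on an IdM/AD-joined system; the only guard visible in the hunk is `matched > 0`. Unless the task header above the hunk already gates on a role variable recording that Kerberos is not in use, that gate should be added (defaulting to not deleting), and a comment on the `path:` line should say which directories the find above covers so the blast radius is clear. The `loop` over `rhel9stig_keytab_files.files` is visible; the find task that produces it is not.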
@@ -787,6 +787,25 @@ password_lock: true loop: "{{ rhel9stig_empty_password_accounts.stdout_lines }}" +- name: "MEDIUM | RHEL-09-611185 | PATCH | RHEL 9 must have the opensc package installed." + when: + - rhel_09_611185 + - "'opensc' not in ansible_facts.packages" + - rhel9stig_smartcard_reader + tags: + - RHEL-09-611185 + - CAT2 + - CCI-001948 + - CCI-001953 + - SRG-OS-000375-GPOS-00160 + - SRG-OS-000376-GPOS-00161 + - V-2581126r926365_rule + - V-258126 + - NIST800-53R4_IA-2 + ansible.builtin.package: + name: opensc + state: present + - name: "MEDIUM | RHEL-09-611160 | PATCH | RHEL 9 must use the CAC smart card driver." when: - rhel_09_611160 @@ -919,25 +938,6 @@ name: pcscd state: started -- name: "MEDIUM | RHEL-09-611185 | PATCH | RHEL 9 must have the opensc package installed." - when: - - rhel_09_611185 - - "'opensc' not in ansible_facts.packages" - - rhel9stig_smartcard_reader - tags: - - RHEL-09-611185 - - CAT2 - - CCI-001948 - - CCI-001953 - - SRG-OS-000375-GPOS-00160 - - SRG-OS-000376-GPOS-00161 - - V-2581126r926365_rule - - V-258126 - - NIST800-53R4_IA-2 - ansible.builtin.package: - name: opensc - state: present - - name: "MEDIUM | RHEL-09-611190 | PATCH | RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key." when: - rhel_09_611190 From 340dddb3a269366355d41b83bd4b5f22b89043e4 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:32:27 -0400 Subject: [PATCH 28/34] Modify RHEL_09_412075 to remove silent Add a task to RHEL_09_412075 to remove the silent option from pam_lastlog in the postlogin file. Signed-off-by: PoundsOfFlesh --- tasks/Cat3/RHEL-09-4xxxxx.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/tasks/Cat3/RHEL-09-4xxxxx.yml b/tasks/Cat3/RHEL-09-4xxxxx.yml index d49835a..657ada8 100644 --- a/tasks/Cat3/RHEL-09-4xxxxx.yml +++ b/tasks/Cat3/RHEL-09-4xxxxx.yml 
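Review bot: The moved task carries the tag `V-2581126r926365_rule` while the next tag is `V-258126`; one of the two has a stray digit (the rule id is normally the vulnerability id plus the revision suffix), so it is presumably `V-258126r926365_rule` — worth fixing while the block is being moved, since `--tags` selection by that id silently misses it otherwise. The second hunk is the matching deletion of the old position. Re-ordering for the `opensc.conf` dependency is sensible; a one-line comment above the task (`# Must run before RHEL-09-611160, which edits opensc.conf shipped by this package`) would keep a future reorder from reintroducing the failure.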
@@ -50,8 +50,16 @@ - V-258076 - NIST800-53R4_CM-6 - pam - ansible.builtin.lineinfile: - insertbefore: BOF - line: session required pam_lastlog.so showfailed - path: /etc/pam.d/postlogin - regex: session required pam_lastlog.so showfailed + block: + - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon." + ansible.builtin.lineinfile: + insertbefore: BOF + line: session required pam_lastlog.so showfailed + path: /etc/pam.d/postlogin + regex: session required pam_lastlog.so showfailed + + - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon." + ansible.builtin.replace: + path: /etc/pam.d/postlogin + replace: '\1\2' + regexp: '^(.*\spam_lastlog\.so\s.*)silent(\s.*)$' From 757304b96cd7994d26de08d26098c5db300c54ca Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:34:41 -0400 Subject: [PATCH 29/34] Fix template logic so RHEL_09_654205 is implemented The SCAP tool always checks for umount auditing. Signed-off-by: PoundsOfFlesh --- templates/etc/audit/rules.d/audit.rules.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/etc/audit/rules.d/audit.rules.j2 b/templates/etc/audit/rules.d/audit.rules.j2 index aa94650..4601ab9 100644 --- a/templates/etc/audit/rules.d/audit.rules.j2 +++ b/templates/etc/audit/rules.d/audit.rules.j2 
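Review bot: The new `replace` regexp `'^(.*\spam_lastlog\.so\s.*)silent(\s.*)$'` requires whitespace after `silent`, so a line where `silent` is the last option (`… pam_lastlog.so silent`) is left untouched and the control is still not met; where it does match it also leaves a doubled space behind. `regexp: '^(.*\spam_lastlog\.so.*?)\s+silent\b(.*)$'` with the same `replace: '\1\2'` handles both placements. On RHEL 9 `/etc/pam.d/postlogin` is, as far as I know, generated by authselect, so both tasks' edits are reverted by the next `authselect apply-changes`/`select` and authselect reports the file as modified; unless the role already switches to a custom authselect profile elsewhere, a comment on the block stating that limitation is the minimum. The block's `when` and `tags` are above the hunk.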
@@ -171,10 +171,11 @@ -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown {% endif %} {% if rhel_09_654030 %} -# RHEL9-STIG rule 654205 Overruled by 654030 +# RHEL9-STIG rule 654030 #-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod #-a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -{% elif rhel_09_654205 %} +{% endif %} +{% if rhel_09_654205 %} # RHEL9-STIG rule 654205 -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod From f0f7f68c8ba22aedf7649da60da832acd6f54af2 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:36:23 -0400 Subject: [PATCH 30/34] Fix loop on RHEL-09-411015 The rhel9stig_users_passwd_max.stdout_lines variable is already an array. Adding the hyphen creates an array within an array. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-4xxxxx.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/Cat2/RHEL-09-4xxxxx.yml b/tasks/Cat2/RHEL-09-4xxxxx.yml index 03862e2..8f1ec70 100644 --- a/tasks/Cat2/RHEL-09-4xxxxx.yml +++ b/tasks/Cat2/RHEL-09-4xxxxx.yml @@ -44,8 +44,7 @@ - "item in rhel9stig_interactive_users.stdout_lines" ansible.builtin.shell: "chage -M 60 {{ item }}" failed_when: rhel9stig_users_passwd_max.rc not in [ 0, 1 ] - loop: - - "{{ rhel9stig_users_passwd_max.stdout_lines }}" + loop: "{{ rhel9stig_users_passwd_max.stdout_lines }}" - name: "MEDIUM | RHEL-09-411015 | WARN | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs." when: From 3bdd76be839481b3d1bc6d1f430d048927d8ef74 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:38:02 -0400 Subject: [PATCH 31/34] Fix RHEL-09-231200 grep command Correct grep to find mounts without the nodev option. 
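Review bot: After the `{% elif %}` → separate `{% if %}` change, the `rhel_09_654030` branch emits only commented-out rules, so it no longer affects the loaded ruleset and the comment `# RHEL9-STIG rule 654030` now labels inert lines without saying why; `# RHEL9-STIG rule 654030: umount is covered by the 654205 rules below; kept commented so the syscall rule is not loaded twice` (or dropping the branch) would make the intent clear. With both flags enabled the file also carries the same two `-S umount` rules once commented and once live, harmless to auditd but confusing when diffing against scanner output. The `{% if %}` blocks above this hunk start outside it.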
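Review bot: `failed_when: rhel9stig_users_passwd_max.rc not in [ 0, 1 ]` on the `chage` task tests the return code of the earlier audit command that produced the loop list, not this task's own result, so a failing `chage -M 60 <user>` never fails the play (unless the task re-registers into the same name above the hunk, which is not visible here); `failed_when` should reference this task's own registered result, or be dropped so a non-zero `chage` exit fails as usual. `ansible.builtin.shell: "chage -M 60 {{ item }}"` also interpolates the user name unquoted into a shell line; `ansible.builtin.command: "chage -M 60 {{ item | quote }}"` (no shell features are used) keeps a stray metacharacter in a name from being interpreted. The task header and the `when` list start above the hunk.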
Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-23xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index 299170c..42ebd27 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml @@ -838,7 +838,7 @@ warn_control_id: "MEDIUM | RHEL-09-231200" block: - name: "MEDIUM | RHEL-09-231200 | AUDIT | RHEL 9 must prevent special devices on non-root local partitions. | discover partition" - ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep nodev | awk -F" " '{ print $3}' + ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep -v nodev | awk -F" " '{ print $3}' changed_when: false failed_when: rhel9stig_non_root_missing_nodev.rc not in [ 0, 1 ] register: rhel9stig_non_root_missing_nodev From f07ff0adb11c72660dd3c75ccb7efd5056a82db1 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Thu, 16 May 2024 16:41:14 -0400 Subject: [PATCH 32/34] Fix RHEL-09-672020 grep The grep to search for FIPS contained -V, which prints the version. The intent was a lowercase v to find lines not containing FIPS. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-67xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml index 7875a05..cd6fdac 100644 --- a/tasks/Cat2/RHEL-09-67xxxx.yml +++ b/tasks/Cat2/RHEL-09-67xxxx.yml @@ -140,7 +140,7 @@ warn_control_id: "MEDIUM | RHEL-09-672020" block: - name: "MEDIUM | RHEL-09-672020 | AUDIT | RHEL 9 crypto policy must not be overridden." - ansible.builtin.shell: ls -l /etc/crypto-policies/back-ends/ | grep -V FIPS + ansible.builtin.shell: ls -l /etc/crypto-policies/back-ends/ | grep -v FIPS changed_when: false failed_when: rhel9stig_crypto_policies_fips.rc not in [ 0, 1 ] register: rhel9stig_crypto_policies_fips From cca030021f5bbba137a679ff451dc85a8fcbd9cf Mon Sep 17 00:00:00 2001 
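Review bot: `ls -l /etc/crypto-policies/back-ends/ | grep -v FIPS` always leaves at least the `total N` header line in stdout, so if the warning that consumes `rhel9stig_crypto_policies_fips` (outside the hunk) fires on non-empty output, every host — including a correctly FIPS-pointed one — is reported; `ls -l /etc/crypto-policies/back-ends/ | grep -v -e FIPS -e '^total'` drops the header. The check also relies on each symlink's target showing `FIPS` in `ls -l`, so a back-end that RHEL-09-255065 earlier in this series rewrites with `lineinfile` may stop showing that target and get flagged here — worth a comment tying the two controls together. The block and its `when` start above the hunk.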
From: PoundsOfFlesh Date: Thu, 16 May 2024 17:31:26 -0400 Subject: [PATCH 33/34] Remove modification_time parameter for RHEL-09-271015 The lineinfile module does not have a modification_time parameter. Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index d955223..7ecfef1 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -49,7 +49,6 @@ line: /org/gnome/login-screen/banner-message-enable path: "/etc/dconf/db/{{ item }}.d/locks/session" mode: '0644' - modification_time: preserve state: present loop: "{{ rhel9stig_dconf_db.stdout_lines }}" From 9c1f6a8a7ddacab685377534252f3c3fc69e9e89 Mon Sep 17 00:00:00 2001 From: PoundsOfFlesh Date: Fri, 7 Jun 2024 08:32:40 -0400 Subject: [PATCH 34/34] removed quotes around true, SCAP tool incorrectly requires them Signed-off-by: PoundsOfFlesh --- tasks/Cat2/RHEL-09-27xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 7ecfef1..b66bb90 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -383,7 +383,7 @@ option: disable-restart-buttons path: "/etc/dconf/db/{{ item }}.d/02-login-screen" section: 'org/gnome/login-screen' - value: "'true'" + value: "true" no_extra_spaces: true loop: "{{ rhel9stig_dconf_db.stdout_lines }}"