Groupw bugfixes

defaults/main.yml

@@ -361,6 +361,7 @@ rhel_09_271075: true
 rhel_09_271080: true
 rhel_09_271085: true
 rhel_09_271090: true
+rhel_09_271095: true
 rhel_09_271100: true
 rhel_09_271105: true
 rhel_09_271110: true
@@ -690,8 +691,7 @@ rhel9stig_home_filesystem: '/home'
 # rhel9stig_custom_firewall_zone is the desired name for the firewall zone
 rhel9stig_custom_firewall:
   zone: "drop"
-  interface:
-  - "{{ ansible_default_ipv4.interface }}"
+  interface: "{{ ansible_default_ipv4.interface }}"
 
 # rhel9stig_white_list_services is the services that you want to allow through initially for the new firewall zone
 # http and ssh need to be enabled for the role to run.
@@ -825,7 +825,7 @@ rhel9stig_remotelog_server:
 rhel9stig_audit_log_filesystem: /var/log/audit
 rhel9stig_audit_conf:
   action_mail_acct: root
-  admin_space_left: 5
+  admin_space_left: 5%
   admin_space_left_action: single
   disk_error_action: HALT  # Can be one of "SYSLOG", "SINGLE", or "HALT"
   disk_full_action: HALT  # Can be one of "SYSLOG", "SINGLE", or "HALT"
@@ -837,7 +837,7 @@ rhel9stig_audit_conf:
   max_log_file_action: ROTATE
   name_format: hostname
   overflow_action: syslog
-  space_left: 25
+  space_left: 25%
   space_left_action: email
   write_logs: 'yes'
 

tasks/Cat1/RHEL-09-2xxxxx.yml

@@ -197,7 +197,7 @@
     name: tftp
     state: absent
 
-- name: HIGH | RHEL-08-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
+- name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
     of all information that requires at rest protection.
   when:
     - rhel_09_231190
@@ -218,22 +218,22 @@
   vars:
     warn_control_id: "HIGH | RHEL-09-231190"
   block:
-    - name: HIGH | RHEL-08-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
+    - name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
         of all information that requires at rest protection. | Get partition layout
       ansible.builtin.shell: blkid
       changed_when: false
       failed_when: false
       register: rhel_09_231190_partition_layout
 
-    - name: HIGH | RHEL-08-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
+    - name: HIGH | RHEL-09-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
         of all information that requires at rest protection. | Message out warning
       ansible.builtin.debug:
         msg:
           - WARNING!! Below is the partition layout. Please run the "blkid" command to confirm every persistent disk partition has an entry for TYPE=crypto_LUKS.
           - If partitions other than pseudo file systems (such as /proc or /sys or tmpfs) this is a finding
           - "{{ rhel_09_231190_partition_layout.stdout_lines }}"
 
-    - name: HIGH | RHEL-08-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
+    - name: HIGH | RHEL-09-231190 | WARN | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
         of all information that requires at rest protection. | Message out warning
       ansible.builtin.import_tasks:
         file: warning_facts.yml

tasks/Cat2/RHEL-09-21xxxx.yml

@@ -690,7 +690,7 @@
   ansible.posix.sysctl:
     name: kernel.yama.ptrace_scope
     state: present
-    sysctl_file: "{{ rhel9stig_sysctl_file.kernel }}"
+    sysctl_file: /usr/lib/sysctl.d/10-default-yama-scope.conf
     sysctl_set: true
     value: '1'
   notify: Reload_sysctl

tasks/Cat2/RHEL-09-23xxxx.yml

@@ -838,7 +838,7 @@
     warn_control_id: "MEDIUM | RHEL-09-231200"
   block:
     - name: "MEDIUM | RHEL-09-231200 | AUDIT | RHEL 9 must prevent special devices on non-root local partitions. | discover partition"
-      ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep nodev | awk -F" " '{ print $3}'
+      ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep -v nodev | awk -F" " '{ print $3}'
       changed_when: false
       failed_when: rhel9stig_non_root_missing_nodev.rc not in [ 0, 1 ]
       register: rhel9stig_non_root_missing_nodev
@@ -921,7 +921,7 @@
     - NIST800-53R4_CM-5
   block:
     - name: "MEDIUM | RHEL-09-232020 | AUDIT | RHEL 9 library files must have mode 755 or less permissive."
-      ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; | awk '{ print $NF}'
+      ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 -perm /7022 -type f -exec ls -l {} \; | awk '{ print $NF}'
       changed_when: false
       failed_when: rhel9stig_library_directory_perms.rc not in [ 0, 1 ]
       register: rhel9stig_library_directory_perms
@@ -931,8 +931,7 @@
       ansible.builtin.file:
         mode: '0755'
         path: "{{ item }}"
-      loop:
-        - "{{ rhel9stig_library_directory_perms.stdout_lines }}"
+      loop: "{{ rhel9stig_library_directory_perms.stdout_lines }}"
 
 - name: "MEDIUM | RHEL-09-232025 | PATCH | RHEL 9 /var/log directory must have mode 0755 or less permissive."
   when:
@@ -1036,7 +1035,7 @@
         depth: 3
         file_type: file
         hidden: true
-        path: "{{ rhel9stig_home_filesystem }}"
+        paths: ["{{ rhel9stig_home_filesystem }}", /root]
         patterns: ".*"
         recurse: true
       register: user_dot_files
@@ -1840,8 +1839,7 @@
       ansible.builtin.file:
         path: "{{ item }}"
         mode: +t
-      loop:
-        - "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}"
+      loop: "{{ rhel9stig_public_dirs_stickybit.stdout_lines }}"
 
     - name: "RHEL-09-232245 | WARN | A sticky bit must be set on all RHEL 9 public directories."
       when:

tasks/Cat2/RHEL-09-25xxxx.yml

@@ -310,6 +310,7 @@
     section: main
     state: present
     value: none
+    no_extra_spaces: true
   register: rhel09stig_dns_nm_set
 
 - name: "MEDIUM | RHEL-09-252035 | PATCH | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured."
@@ -1052,7 +1053,7 @@
   notify: Change_requires_reboot
   ansible.builtin.lineinfile:
     line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}"
-    path: /etc/crypto-policies/back-ends/opensshserver.config
+    path: /etc/crypto-policies/back-ends/openssh.config
     regexp: ^Ciphers
 
 - name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms."
@@ -1426,7 +1427,7 @@
   ansible.builtin.lineinfile:
     create: true
     line: "X11forwarding {{ rhel9stig_sshd_config.x11forward }}"
-    path: "{{ rhel9stig_sshd_config_file }}"
+    path: /etc/ssh/sshd_config.d/50-redhat.conf
     regexp: ^(?i)(#|)X11forwarding\s*(yes|no)
     validate: sshd -t -f %s
 

tasks/Cat2/RHEL-09-27xxxx.yml

@@ -45,10 +45,10 @@
     - NIST800-53R4_CM-6
   notify: Update_dconf
   ansible.builtin.lineinfile:
-    line: banner-message-enable
+    create: true
+    line: /org/gnome/login-screen/banner-message-enable
     path: "/etc/dconf/db/{{ item }}.d/locks/session"
     mode: '0644'
-    modification_time: preserve
     state: present
   loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
 
@@ -164,6 +164,7 @@
   notify: Update_dconf
   community.general.ini_file:
     create: true
+    no_extra_spaces: true
     option: removal-action
     path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
     section: 'org/gnome/settings-daemon/peripherals/smartcard'
@@ -209,7 +210,7 @@
   community.general.ini_file:
     create: true
     option: lock-enabled
-    path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
+    path: "/etc/dconf/db/{{ item }}.d/00-screensaver"
     section: 'org/gnome/desktop/screensaver'
     value: 'true'
   loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
@@ -339,7 +340,7 @@
         option: picture-uri
         path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
         section: 'org/gnome/desktop/screensaver'
-        value: ''
+        value: "''"
       loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
 
     - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image."
@@ -380,9 +381,10 @@
   community.general.ini_file:
     create: true
     option: disable-restart-buttons
-    path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
-    section: 'org/gnome/settings-daemon/peripherals/smartcard'
-    value: 'true'
+    path: "/etc/dconf/db/{{ item }}.d/02-login-screen"
+    section: 'org/gnome/login-screen'
+    value: "true"
+    no_extra_spaces: true
   loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
 
 - name: "MEDIUM | RHEL-09-271100 | PATCH | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface."
@@ -440,7 +442,7 @@
   notify: Update_dconf
   ansible.builtin.lineinfile:
     create: true
-    line: org/gnome/settings-daemon/plugins/media-keys/logout
+    line: /org/gnome/settings-daemon/plugins/media-keys/logout
     path: "/etc/dconf/db/{{ item }}.d/locks/session"
   loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
 

tasks/Cat2/RHEL-09-4xxxxx.yml

@@ -44,8 +44,7 @@
         - "item in rhel9stig_interactive_users.stdout_lines"
       ansible.builtin.shell: "chage -M 60 {{ item }}"
       failed_when: rhel9stig_users_passwd_max.rc not in [ 0, 1 ]
-      loop:
-        - "{{ rhel9stig_users_passwd_max.stdout_lines }}"
+      loop: "{{ rhel9stig_users_passwd_max.stdout_lines }}"
 
     - name: "MEDIUM | RHEL-09-411015 | WARN | RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs."
       when:
@@ -259,7 +258,7 @@
     - name: "MEDIUM | RHEL-09-411050 | PATCH | RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity."
       when:
         - rhel9stig_inactive_user_setting is defined
-        - "'-1' not in rhel9stig_inactive_user_setting.stdout"
+        - "'-1' in rhel9stig_inactive_user_setting.stdout"
         - "rhel9stig_user_inactive_days not in rhel9stig_inactive_user_setting.stdout"
       ansible.builtin.shell: "useradd -D -f {{ rhel9stig_user_inactive_days }}"
 

tasks/Cat2/RHEL-09-61xxxx.yml

@@ -482,7 +482,7 @@
     warn_control_id: "MEDIUM | RHEL-09-611085"
   block:
     - name: "MEDIUM | RHEL-09-611085 | AUDIT | RHEL 9 must require users to provide a password for privilege escalation"
-      ansible.builtin.shell: grep NOPASSWD /etc/sudoers /etc/sudoers.d/*
+      ansible.builtin.shell: grep -r NOPASSWD /etc/sudoers /etc/sudoers.d/
       changed_when: false
       failed_when: rhel9stig_sudo_nopasswd.rc not in [ 0, 1 ]
       register: rhel9stig_sudo_nopasswd
@@ -787,6 +787,25 @@
         password_lock: true
       loop: "{{ rhel9stig_empty_password_accounts.stdout_lines }}"
 
+- name: "MEDIUM | RHEL-09-611185 | PATCH | RHEL 9 must have the opensc package installed."
+  when:
+    - rhel_09_611185
+    - "'opensc' not in ansible_facts.packages"
+    - rhel9stig_smartcard_reader
+  tags:
+    - RHEL-09-611185
+    - CAT2
+    - CCI-001948
+    - CCI-001953
+    - SRG-OS-000375-GPOS-00160
+    - SRG-OS-000376-GPOS-00161
+    - V-2581126r926365_rule
+    - V-258126
+    - NIST800-53R4_IA-2
+  ansible.builtin.package:
+    name: opensc
+    state: present
+
 - name: "MEDIUM | RHEL-09-611160 | PATCH | RHEL 9 must use the CAC smart card driver."
   when:
     - rhel_09_611160
@@ -881,7 +900,7 @@
       ansible.builtin.lineinfile:
         backrefs: true
         line: '#\1'
-        path: "{{ item }}"
+        path: "{{ item.split(':').0 }}"
         regexp: ^((#|)certificate_verification =.*)
       loop: "{{ rhel9stig_sssd_cert_verification_files.stdout_lines }}"
 
@@ -919,25 +938,6 @@
     name: pcscd
     state: started
 
-- name: "MEDIUM | RHEL-09-611185 | PATCH | RHEL 9 must have the opensc package installed."
-  when:
-    - rhel_09_611185
-    - "'opensc' not in ansible_facts.packages"
-    - rhel9stig_smartcard_reader
-  tags:
-    - RHEL-09-611185
-    - CAT2
-    - CCI-001948
-    - CCI-001953
-    - SRG-OS-000375-GPOS-00160
-    - SRG-OS-000376-GPOS-00161
-    - V-2581126r926365_rule
-    - V-258126
-    - NIST800-53R4_IA-2
-  ansible.builtin.package:
-    name: opensc
-    state: present
-
 - name: "MEDIUM | RHEL-09-611190 | PATCH | RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key."
   when:
     - rhel_09_611190
@@ -1017,6 +1017,6 @@
       when:
         - rhel9stig_keytab_files.matched > 0
       ansible.builtin.file:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         state: absent
       loop: "{{ rhel9stig_keytab_files.files }}"

tasks/Cat2/RHEL-09-65xxxx.yml

@@ -183,8 +183,7 @@
         line: '#\1\2\3'
         path: "{{ item.path }}"
         regex: (Input|ModLoad)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*)
-      loop:
-        - "{{ rhel9stig_rsyslog_conf.files }}"
+      loop: "{{ rhel9stig_rsyslog_conf.files }}"
 
 - name: "MEDIUM | RHEL-09-652030 | PATCH | All RHEL 9 remote access methods must be monitored."
   when:

tasks/Cat2/RHEL-09-67xxxx.yml

@@ -140,7 +140,7 @@
     warn_control_id: "MEDIUM | RHEL-09-672020"
   block:
     - name: "MEDIUM | RHEL-09-672020 | AUDIT | RHEL 9 crypto policy must not be overridden."
-      ansible.builtin.shell: ls -l /etc/crypto-policies/back-ends/ | grep -V FIPS
+      ansible.builtin.shell: ls -l /etc/crypto-policies/back-ends/ | grep -v FIPS
       changed_when: false
       failed_when: rhel9stig_crypto_policies_fips.rc not in [ 0, 1 ]
       register: rhel9stig_crypto_policies_fips
@@ -283,10 +283,10 @@
 
 - name: "MEDIUM | RHEL-09-672050 | PATCH | RHEL 9 must implement DOD-approved encryption in the bind package."
   when:
-    - rhel_09_672045
+    - rhel_09_672050
     - "'bind' in ansible_facts.packages"
   tags:
-    - RHEL-09-672045
+    - RHEL-09-672050
     - CAT2
     - CCI-002418
     - CCI-002422
@@ -300,4 +300,4 @@
   ansible.builtin.lineinfile:
     line: 'include "/etc/crypto-policies/back-ends/bind.config";'
     path: /etc/named.conf
-    regexp: ^(|\s*)\include = /etc/crypto-policies
+    regexp: ^(|\s*)include = /etc/crypto-policies

tasks/Cat3/RHEL-09-4xxxxx.yml

@@ -50,8 +50,16 @@
     - V-258076
     - NIST800-53R4_CM-6
     - pam
-  ansible.builtin.lineinfile:
-    insertbefore: BOF
-    line: session required pam_lastlog.so showfailed
-    path: /etc/pam.d/postlogin
-    regex: session required pam_lastlog.so showfailed
+  block:
+    - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon."
+      ansible.builtin.lineinfile:
+        insertbefore: BOF
+        line: session required pam_lastlog.so showfailed
+        path: /etc/pam.d/postlogin
+        regex: session required pam_lastlog.so showfailed
+
+    - name: "LOW | RHEL-09-412075 | PATCH | RHEL 9 must display the date and time of the last successful account logon upon logon."
+      ansible.builtin.replace:
+        path: /etc/pam.d/postlogin
+        replace: '\1\2'
+        regexp: '^(.*\spam_lastlog\.so\s.*)silent(\s.*)$'

templates/etc/audit/rules.d/audit.rules.j2

@@ -171,10 +171,11 @@
 -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown
 {% endif %}
 {% if rhel_09_654030 %}
-# RHEL9-STIG rule 654205 Overruled by 654030
+# RHEL9-STIG rule 654030
 #-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
 #-a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
-{% elif rhel_09_654205 %}
+{% endif %}
+{% if rhel_09_654205 %}
 # RHEL9-STIG rule 654205
 -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
 -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -k perm_mod