From 5b3cfe13b389a2cb1883ca260c3bf476d9d51028 Mon Sep 17 00:00:00 2001 From: Stuart Whitman Date: Fri, 12 Apr 2024 14:28:26 -0400 Subject: [PATCH 1/9] add rhel_09_271095 to default --- defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index ede0d14..1a1f061 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -343,6 +343,7 @@ rhel_09_271075: true rhel_09_271080: true rhel_09_271085: true rhel_09_271090: true +rhel_09_271095: true rhel_09_271100: true rhel_09_271105: true rhel_09_271110: true @@ -675,7 +676,7 @@ rhel9stig_custom_firewall: interface: - "{{ ansible_default_ipv4.interface }}" -# rhel9stig_white_list_services is the services that you want to allow through initially for teh new firewall zone +# rhel9stig_white_list_services is the services that you want to allow through initially for the new firewall zone # http and ssh need to be enabled for the role to run. # This can also be a port number if no service exists rhel9stig_white_list_services: From fd7dcbea97a83f5f8909c74b2aaf0d2a3dd81add Mon Sep 17 00:00:00 2001 From: Stuart Whitman Date: Fri, 12 Apr 2024 14:30:21 -0400 Subject: [PATCH 2/9] fix loop on RHEL-09-652025 --- tasks/Cat2/RHEL-09-65xxxx.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/Cat2/RHEL-09-65xxxx.yml b/tasks/Cat2/RHEL-09-65xxxx.yml index ba4d828..b88799b 100644 --- a/tasks/Cat2/RHEL-09-65xxxx.yml +++ b/tasks/Cat2/RHEL-09-65xxxx.yml @@ -183,8 +183,7 @@ line: '#\1\2\3' path: "{{ item.path }}" regex: (Input|ModLoad)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*) - loop: - - "{{ rhel9stig_rsyslog_conf.files }}" + loop: "{{ rhel9stig_rsyslog_conf.files }}" - name: "MEDIUM | RHEL-09-652030 | PATCH | All RHEL 9 remote access methods must be monitored." when: From 36e12e6c88732d20d9febac0e9c5161c9f894bba Mon Sep 17 00:00:00 2001 
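Review bot: The regexp the corrected loop now drives over each rsyslog file still has a gap: `(Input|ModLoad)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*)` has no `^` anchor and no prefix group, so a legacy `$InputTCPServerRun 514` line is matched from `Input` onward and, assuming `backrefs: true` is set above the hunk, is rewritten as `#\1\2\3` with the leading `$` dropped, while `$ModLoad imtcp` never matches at all because of the space between the two tokens. Consider `regex: '^(\s*\$?)(Input|ModLoad\s*)(TCP|UDP|RELP|imtcp|imudp|imrelp)(.*)'` together with `line: '#\1\2\3\4'`, which keeps the prefix, covers the module line, and no longer re-matches lines that already start with `#`. RainerScript `module(load="imtcp")` and `input(type="imtcp" ...)` entries match neither form; if only legacy directives are in scope a short comment saying so would spare the next reader the check. The task's `when`, `backrefs` and name sit above the hunk.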
From: Stuart Whitman Date: Fri, 12 Apr 2024 14:32:29 -0400 Subject: [PATCH 3/9] fix find cmd to return FQFN --- tasks/Cat2/RHEL-09-23xxxx.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/Cat2/RHEL-09-23xxxx.yml b/tasks/Cat2/RHEL-09-23xxxx.yml index d3a1e8b..962aedd 100644 --- a/tasks/Cat2/RHEL-09-23xxxx.yml +++ b/tasks/Cat2/RHEL-09-23xxxx.yml @@ -1588,7 +1588,7 @@ - NIST800-53R4_CM-5 block: - name: "RHEL-09-232200 | AUDIT | RHEL 9 library files must be owned by root." - ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls {} \; + ansible.builtin.shell: find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root changed_when: false failed_when: rhel9stig_lib_files_owner.rc not in [ 0, 1 ] register: rhel9stig_lib_files_owner @@ -1597,9 +1597,8 @@ when: rhel9stig_lib_files_owner.stdout | length > 0 ansible.builtin.file: owner: root - path: "{{ path }}" - loop: - - "{{ rhel9stig_lib_files_owner.stdout_lines }}" + path: "{{ item }}" + loop: "{{ rhel9stig_lib_files_owner.stdout_lines }}" - name: "RHEL-09-232205 | PATCH | RHEL 9 library files must be group-owned by root or a system account." when: From 6144fd264daaade403f173787e505fe44ed8e865 Mon Sep 17 00:00:00 2001 From: Stuart Whitman Date: Fri, 12 Apr 2024 14:37:47 -0400 Subject: [PATCH 4/9] touch is not a valid state for lineinfile --- tasks/Cat2/RHEL-09-27xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index c728158..0842e33 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -48,7 +48,7 @@ line: banner-message-enable path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" mode: '0644' - modification_time: preserve + state: present state: touch - name: "MEDIUM | RHEL-09-271020 | PATCH | RHEL 9 must disable the graphical user interface automount function unless required." 
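Review bot: With `-exec ls {} \;` gone, nothing in `find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root` needs a shell any more, so `ansible.builtin.command:` is the better module for the RHEL-09-232200 audit step (and for the group-owner sibling below the hunk if it has the same shape). Note also that `-L` makes find report a symlink by its path under the searched tree while testing its target, and `ansible.builtin.file` with its default `follow: true` then changes the owner of that target, which may live outside those directories; if that is the intended STIG behaviour, a one-line comment above the `file` task saying so would help. `failed_when: rhel9stig_lib_files_owner.rc not in [ 0, 1 ]` tolerates find's rc 1 from unreadable or dangling entries, which is reasonable, but it means a partial listing is remediated without any warning being surfaced.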
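Review bot: The RHEL-09-271015 hunk in patch 4/9 leaves two `state` keys in the same `ansible.builtin.lineinfile` mapping: it adds `state: present` but keeps the `state: touch` line directly below it, and since YAML loaders keep the last duplicate (Ansible only warns), the task still ends up with `state: touch`, the very value the subject line calls invalid. Drop `state: touch` here so that `state: present` stands alone, rather than leaving it for patch 9/9, which removes that line only as a side effect of the loop change; squashing the removal into this commit keeps every commit in the series runnable on its own.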
From 071cfc4b13d7cd5eb041970dd286ecf1663cd159 Mon Sep 17 00:00:00 2001 From: Stuart Whitman Date: Fri, 12 Apr 2024 14:42:47 -0400 Subject: [PATCH 5/9] add create to lineinfile to handle missing file --- tasks/Cat2/RHEL-09-27xxxx.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 0842e33..6cb3b5f 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -45,6 +45,7 @@ - NIST800-53R4_CM-6 notify: Update_dconf ansible.builtin.lineinfile: + create: true line: banner-message-enable path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" mode: '0644' From 43b9792251b06a765c33f0d0429ddc5a517749fb Mon Sep 17 00:00:00 2001 From: Stuart Whitman Date: Fri, 12 Apr 2024 14:44:20 -0400 Subject: [PATCH 6/9] correct options to option for ini_file --- tasks/Cat2/RHEL-09-27xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 6cb3b5f..a4c4486 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -72,7 +72,7 @@ community.general.ini_file: create: true mode: '0644' - options: automount-open + option: automount-open path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" section: 'org/gnome/desktop/media-handling' value: 'false' From 5758f5e454c177960bc99644d6e1ae018eea2e7c Mon Sep 17 00:00:00 2001 From: Stuart Whitman Date: Fri, 12 Apr 2024 14:45:20 -0400 Subject: [PATCH 7/9] lock-screen must be enclosed in single quotes --- tasks/Cat2/RHEL-09-27xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index a4c4486..03e79b6 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml 
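Review bot: `create: true` makes `lineinfile` create the file but not its parent directory, so if `/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/` does not exist yet the RHEL-09-271015 task still fails; unless a task above the hunk already ensures that directory (none is visible here), an `ansible.builtin.file` task with `state: directory` and `mode: '0755'` for the `locks` directory is needed ahead of it. The same applies to every `locks/` file written with `create: true` in the later hunks of patch 9/9 in this file, so a single directory-creation task looped over the same db list, placed before the first lock task, would cover them all.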
@@ -163,7 +163,7 @@ option: removal-action path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" section: 'org/gnome/settings-daemon/peripherals/smartcard' - value: 'lock-screen' + value: "'lock-screen'" - name: "MEDIUM | RHEL-09-271050 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action." when: From 41d721e75e8c722fbd66076a6a7bb35e04e78d00 Mon Sep 17 00:00:00 2001 From: Stuart Whitman Date: Fri, 12 Apr 2024 14:46:44 -0400 Subject: [PATCH 8/9] picture-uri cannot be empty --- tasks/Cat2/RHEL-09-27xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index 03e79b6..e4d7cdf 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml @@ -327,7 +327,7 @@ option: picture-uri path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" section: 'org/gnome/desktop/screensaver' - value: '' + value: '"file:///usr/share/backgrounds/pink-contacts.jpg"' - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." ansible.builtin.lineinfile: From e7d90af15d880a5d92d63d7607ad6ebe75589e1a Mon Sep 17 00:00:00 2001 From: Stuart Whitman Date: Fri, 12 Apr 2024 14:47:57 -0400 Subject: [PATCH 9/9] account for multiple stdout_lines in rhel9stig_dconf_db --- tasks/Cat2/RHEL-09-27xxxx.yml | 61 +++++++++++++++++++++++------------ 1 file changed, 40 insertions(+), 21 deletions(-) diff --git a/tasks/Cat2/RHEL-09-27xxxx.yml b/tasks/Cat2/RHEL-09-27xxxx.yml index e4d7cdf..411a805 100644 --- a/tasks/Cat2/RHEL-09-27xxxx.yml +++ b/tasks/Cat2/RHEL-09-27xxxx.yml 
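Review bot: `value: '"file:///usr/share/backgrounds/pink-contacts.jpg"'` in the RHEL-09-271085 ini_file task hard-codes an image that a minimal or hardened install may not ship, and nothing checks that the file exists before the screensaver is told to use it. Expose it as a role default (for example a constructed name such as `rhel9stig_screensaver_picture_uri` in `defaults/main.yml`) and reference it as `value: '"{{ rhel9stig_screensaver_picture_uri }}"'`, optionally guarded by a `stat` of the file on the target. The quoting convention, a YAML string whose content carries dconf's own double quotes, is correct and deserves a short comment so it is not "simplified" away later.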
@@ -47,10 +47,10 @@ ansible.builtin.lineinfile: create: true line: banner-message-enable - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + path: "/etc/dconf/db/{{ item }}.d/locks/session" mode: '0644' state: present - state: touch + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271020 | PATCH | RHEL 9 must disable the graphical user interface automount function unless required." when: @@ -73,9 +73,10 @@ create: true mode: '0644' option: automount-open - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/media-handling' value: 'false' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271025 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function." when: @@ -98,7 +99,8 @@ ansible.builtin.lineinfile: create: true line: /org/gnome/desktop/media-handling/automount-open - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271030 | PATCH | RHEL 9 must disable the graphical user interface autorun function unless required." when: @@ -116,9 +118,10 @@ community.general.ini_file: create: true option: autorun-never - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/media-handling' value: 'true' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271035 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function." when: 
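Review bot: The lock file this task now writes for every dconf db still gets `line: banner-message-enable`, a bare key name, whereas every other lock in this file (for example `/org/gnome/desktop/media-handling/automount-open` in the RHEL-09-271025 hunk) lists the full key path, which is how dconf lock files are keyed, so this lock is likely inert; `line: /org/gnome/login-screen/banner-message-enable` is the consistent form. The RHEL-09-271110 lock later in this patch has the mirror-image problem, `line: org/gnome/settings-daemon/plugins/media-keys/logout` with the leading `/` missing. Each `{{ item }}` here comes straight from `rhel9stig_dconf_db.stdout_lines`, the output of a command registered outside this file; presumably those are bare db names, but if that command can emit anything else (a header line, a trailing `:`), a path would be built from it, so a per-item `when: item | length > 0` or a filtered list would be cheap insurance. The task's `when` and tags are above the hunk.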
@@ -141,7 +144,8 @@ ansible.builtin.lineinfile: create: true line: /org/gnome/desktop/media-handling/autorun-never - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271045 | PATCH | RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed." when: @@ -161,9 +165,10 @@ community.general.ini_file: create: true option: removal-action - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/settings-daemon/peripherals/smartcard' value: "'lock-screen'" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271050 | PATCH | RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action." when: @@ -183,7 +188,8 @@ ansible.builtin.lineinfile: create: true line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271055 | PATCH | RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions." when: 
@@ -203,9 +209,10 @@ community.general.ini_file: create: true option: lock-enabled - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/screensaver' value: 'true' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271060 | PATCH | RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface." when: @@ -225,7 +232,8 @@ ansible.builtin.lineinfile: create: true line: /org/gnome/desktop/screensaver/lock-enabled - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + path: "/etc/dconf/db/{{ item }}.d/locks/session" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271065 | PATCH | RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity." when: @@ -245,9 +253,10 @@ community.general.ini_file: create: true option: idle-delay - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver" + path: "/etc/dconf/db/{{ item }}.d/00-screensaver" section: 'org/gnome/desktop/session' value: 'uint32 900' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271070 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface" when: @@ -267,7 +276,8 @@ ansible.builtin.lineinfile: create: true line: /org/gnome/desktop/session/idle-delay - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + path: "/etc/dconf/db/{{ item }}.d/locks/session" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271075 | PATCH | RHEL 9 must initiate a session lock for graphical user interfaces when the screensaver is activated." when: 
@@ -285,9 +295,10 @@ community.general.ini_file: create: true option: lock-delay - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-screensaver" + path: "/etc/dconf/db/{{ item }}.d/00-screensaver" section: 'org/gnome/desktop/screensaver' value: 'uint32 5' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271080 | PATCH | RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface" when: @@ -305,7 +316,8 @@ ansible.builtin.lineinfile: create: true line: /org/gnome/desktop/screensaver/lock-delay - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + path: "/etc/dconf/db/{{ item }}.d/locks/session" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." when: @@ -325,15 +337,17 @@ community.general.ini_file: create: true option: picture-uri - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/desktop/screensaver' value: '"file:///usr/share/backgrounds/pink-contacts.jpg"' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271085 | PATCH | RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image." ansible.builtin.lineinfile: create: true line: /org/gnome/desktop/screensaver/picture-uri - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/00-security-settings-lock" + path: "/etc/dconf/db/{{ item }}.d/locks/00-security-settings-lock" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271090 | PATCH | RHEL 9 effective dconf policy must match the policy keyfiles." when: 
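Review bot: The second task named `MEDIUM | RHEL-09-271085 | PATCH | …` (the lineinfile writing `/org/gnome/desktop/screensaver/picture-uri` into the lock file) has no `when:` guard and no tags between `- name:` and `ansible.builtin.lineinfile:`, and nothing after the new `loop:` line either, unlike every other lock task in this patch, so it now runs against every dconf db even when the control is disabled (presumably keyed on `rhel_09_271085` from `defaults/main.yml`). It also duplicates the preceding task's name; naming it as the other lock tasks are (`… must prevent a user from overriding the screensaver picture-uri setting …`) and giving it the same `when` and `tags` as the ini_file task above it would bring it in line.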
@@ -366,9 +380,10 @@ community.general.ini_file: create: true option: disable-restart-buttons - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/settings-daemon/peripherals/smartcard' value: 'true' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271100 | PATCH | RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface." when: @@ -386,7 +401,8 @@ ansible.builtin.lineinfile: create: true line: /org/gnome/login-screen/disable-restart-buttons - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + path: "/etc/dconf/db/{{ item }}.d/locks/session" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271105 | PATCH | RHEL 9 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause a system to shut down or reboot." when: @@ -404,9 +420,10 @@ community.general.ini_file: create: true option: logout - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/00-security-settings" + path: "/etc/dconf/db/{{ item }}.d/00-security-settings" section: 'org/gnome/settings-daemon/plugins/media-keys' value: "['']" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271110 | PATCH | RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface." when: @@ -424,7 +441,8 @@ ansible.builtin.lineinfile: create: true line: org/gnome/settings-daemon/plugins/media-keys/logout - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/locks/session" + path: "/etc/dconf/db/{{ item }}.d/locks/session" + loop: "{{ rhel9stig_dconf_db.stdout_lines }}" - name: "MEDIUM | RHEL-09-271115 | PATCH | RHEL 9 must disable the user list at logon for graphical user interfaces." when: 
@@ -442,6 +460,7 @@ community.general.ini_file: create: true option: disable-user-list - path: "/etc/dconf/db/{{ rhel9stig_dconf_db.stdout }}.d/02-login-screen" + path: "/etc/dconf/db/{{ item }}.d/02-login-screen" section: 'org/gnome/login-screen' value: 'true' + loop: "{{ rhel9stig_dconf_db.stdout_lines }}"