Merge pull request #11 from ansible-lockdown/devel
Minor Fixes
Signed-off-by: George Nalen <[email protected]>
georgenalen authored Apr 14, 2021
2 parents 2cf8d51 + ca5397a commit cf84c5c
Showing 2 changed files with 24 additions and 27 deletions.
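--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,9 +1,4 @@
 ---
-# If you would like a report at the end accordin to OpenSCAP as to the report results
-# then you should set rhel8stig_oscap_scan to true/yes.
-# NOTE: This requires the python_xmltojson package on the control host.
-rhel8stig_oscap_scan: no
-rhel8stig_report_dir: /tmp
 
 rhel8stig_cat1_patch: true
 rhel8stig_cat2_patch: true
@@ -108,9 +103,8 @@ rhel_08_010360: true
 rhel_08_010372: true
 rhel_08_010373: true
 rhel_08_010374: true
-# !!!!!!!!!!!!!!!--------------!!!!!!!!!!!!!!!!!!CHANGE TO TRUE BEFORE FINALIZATION. SET TO FALSE TO PREVENT THE VAGRANT USER FROM AUTHENTICATING WHEN USING SUDO (380/381)
-rhel_08_010380: false
-rhel_08_010381: false
+rhel_08_010380: true
+rhel_08_010381: true
 rhel_08_010390: true
 rhel_08_010400: true
 rhel_08_010410: true
@@ -155,7 +149,7 @@ rhel_08_010720: true
 rhel_08_010730: true
 rhel_08_010740: true
 rhel_08_010750: true
-rhel_01_010760: true
+rhel_08_010760: true
 rhel_08_010770: true
 rhel_08_010780: true
 rhel_08_010790: true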
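Review bot: Setting `rhel_08_010380`/`rhel_08_010381` to true is the right default for a STIG role, but the new side drops the only warning the file carried about their side effect — the removed comment says enabling them stops the vagrant user from authenticating via sudo, which implies these controls strip passwordless/NOPASSWD-style sudoers entries. A host managed over passwordless sudo (vagrant boxes, cloud images) can then lose privilege escalation part-way through the run with nothing in defaults explaining why. Keep a short note above the two keys, e.g. `# 010380/010381 enforce password and re-authentication for sudo; hosts that rely on passwordless sudo (vagrant, cloud images) need a become password or these set to false`. Separately, the defaults for `rhel8stig_oscap_scan` and `rhel8stig_report_dir` are removed here without a matching change visible in the tasks; if anything under tasks/ still references them, the run will fail on an undefined variable rather than skip the scan, so it is worth a grep before merging.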
39 changes: 21 additions & 18 deletions tasks/fix-cat2.yml
Expand Up @@ -44,12 +44,15 @@
"MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message""
"MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message""
copy:
dest: /etc/issue
dest: "{{ item }}"
content: "{{ rhel8stig_logon_banner }}"
owner: root
group: root
mode: '0644'
notify: restart sshd
with_items:
- /etc/issue
- /etc/issue.net
when:
# - not system_is_ec2
- rhel_08_010040 or
Expand Down Expand Up @@ -247,8 +250,8 @@
- kerberos

- name: |
"HIGH | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services."
"HIGH | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
"MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services."
"MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
selinux:
state: enforcing
policy: targeted
Expand Down Expand Up @@ -296,7 +299,7 @@
file:
path: "{{ item }}"
mode: '1777'
with_items:
with_items:
- "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
when:
- rhel_08_010190
Expand Down Expand Up @@ -651,7 +654,7 @@
name: esc
state: present
when: rhel8stig_gui

- name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed. | Install non-GUI related packages"
dnf:
name: openssl-pkcs11
Expand Down Expand Up @@ -1575,15 +1578,15 @@
tags:
- RHEL-08-010750

- name: "MEDIUM | REHL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
- name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
lineinfile:
path: /etc/login.defs
regexp: '.*?CREATE_HOME.*'
line: CREATE_HOME yes
when:
- rhel_01_010760
- rhel_08_010760
tags:
- REHL-08-010760
- RHEL-08-010760
- login
- home

Expand All @@ -1597,7 +1600,7 @@
- rhel_08_010770
- rhel8stig_disruption_high
- rhel_08_stig_interactive_homedir_inifiles is defined
tags:
tags:
- RHEL-08-010770
- complexity-high

Expand Down Expand Up @@ -1671,7 +1674,7 @@

- name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
debug:
msg:
msg:
- "ALERT!!!! Please check temporary accounts for expiration dates to be 72 hours or less."
- "To do this please run sudo chage -l account_name for the accounts you need to check"
- "The results will display the Account Expires information"
Expand Down Expand Up @@ -2218,7 +2221,7 @@
lineinfile:
path: "/etc/pam.d/{{ item }}"
regexp: '^auth required pam_faillock.so preauth'
line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
line: "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}sfail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
insertafter: '^auth'
notify: restart sssd
with_items:
Expand Down Expand Up @@ -2881,7 +2884,7 @@
path: /etc/security/pwquality.conf
create: yes
regexp: '^#?\s*dictcheck'
line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
when:
- rhel_08_020300
tags:
Expand Down Expand Up @@ -3373,7 +3376,7 @@
with_items:
- -a always,exit -F arch=b32 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- -a always,exit -F arch=b64 -S lsetxattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
- -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
- -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
notify: restart auditd
when:
Expand Down Expand Up @@ -3406,7 +3409,7 @@
- -a always,exit -F arch=b32 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- -a always,exit -F arch=b64 -S fremovexattr -F auid>={{ rhel8stig_interactive_uid_start }} -F auid!=unset -k perm_mod
- -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
- -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
- -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
notify: restart auditd
when:
- rhel_08_030240
Expand Down Expand Up @@ -3623,7 +3626,7 @@
tags:
- RHEL-08-030340
- auditd

- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
lineinfile:
path: /etc/audit/rules.d/audit.rules
Expand Down Expand Up @@ -4319,7 +4322,7 @@

- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
debug:
msg:
msg:
- "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
- "{{ rhel8stig_PPSM_CLSA_check_firewalld.stdout_lines }}"
changed_when: true
Expand Down Expand Up @@ -4487,7 +4490,7 @@
- rhel_08_040090
tags:
- RHEL-08-040090
- firewall
- firewall

- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
block:
Expand Down Expand Up @@ -5177,7 +5180,7 @@
tags:
- RHEL-08-040330

- name: "HIGH | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8."
- name: "MEDIUM | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8."
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^.*X11Forwarding'
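Review bot: In the pam_faillock hunk at -2218/+2221 the preauth `line:` value ends up with `}}sfail_interval={{ rhel8stig_pam_faillock.interval }}` — `sfail_interval` is not a pam_faillock option, and since this page prints old then new everywhere else (e.g. `/etc/issue` → `"{{ item }}"`, `REHL` → `RHEL`), the stray `s` appears to land on the new side. If so, pam_faillock logs an unknown-option error and continues, so the configured lockout window is silently not applied and the module falls back to its built-in default; the task still reports "changed" and nothing in the play would notice. The fix is to restore `... | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"`, and a comment such as `# the ternary branches carry the surrounding spaces; keep the option name glued to }}` would make the join less fragile for the next edit. The task's `name:` and `when:` lie outside the hunk, so I could not confirm which control this belongs to.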