Merge pull request #57 from ansible-lockdown/stig_v1r3

Stig v1r3 release to devel

README.md

@@ -2,9 +2,9 @@
 
 ## Configure a RHEL9 based system to be complaint with Disa STIG
 
-This role is based on RHEL 9 DISA STIG: [Version 1, Rel 2 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R2_STIG.zip).
+This role is based on RHEL 9 DISA STIG: [Version 1, Rel 3 released on Apr 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R3_STIG.zip).
 
-## Initial Relase from STIG, still many items that not quite aligned in the documentation
+## Initial Release from STIG, still many items that not quite aligned in the documentation
 
 ---
 

defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 
 ## metadata for Audit benchmark
-benchmark_version: 'v1r2'
+benchmark_version: 'v1r3'
 
 ## Benchmark name used by audting control role
 # The audit variable found at the base
@@ -323,7 +323,6 @@ rhel_09_255045: true
 rhel_09_255055: true
 rhel_09_255060: true
 rhel_09_255065: true
-rhel_09_255070: true
 rhel_09_255075: true
 rhel_09_255080: true
 rhel_09_255085: true
@@ -617,8 +616,7 @@ rhel9stig_sshd_config:
   kerbauth: 'no'
   lastlog: 'yes'
   loglevel: VERBOSE
-  macs_clients: "{{ rhel9stig_dod_macs_clients }}"
-  macs_server: "{{ rhel9stig_dod_macs_server }}"
+  macs: "{{ rhel9stig_dod_macs }}"
   pubkeyauth: 'yes'
   permitroot: 'no'
   privsep: sandbox
@@ -822,7 +820,7 @@ rhel9stig_remotelog_server:
 # Ensure this matches the filesystem where the audit logs are stored.
 # It will affect checks for control RHEL-09-653030
 
-rhel9stig_audit_log_filesystem: /var/log/audit
+rhel9stig_audit_log_filesystem: '/var/log/audit'
 rhel9stig_audit_conf:
   action_mail_acct: root
   admin_space_left: 5%

tasks/Cat1/RHEL-09-2xxxxx.yml

@@ -182,19 +182,19 @@
 
 - name: HIGH | RHEL-09-215060 | PATCH | RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
   when:
-    - "'tftp' in ansible_facts.packages"
+    - "'tftp-server' in ansible_facts.packages"
     - rhel_09_215060
   tags:
     - RHEL-09-215060
     - CAT1
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-257835r925492_rule
+    - SV-257835r952171_rule
     - V-257835
     - NIST800-53R4_CM-6
     - tftp
   ansible.builtin.package:
-    name: tftp
+    name: tftp-server
     state: absent
 
 - name: HIGH | RHEL-09-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification
@@ -323,7 +323,7 @@
     - SRG-OS-000106-GPOS-00053
     - SRG-OS-000480-GPOS-00229
     - SRG-OS-000480-GPOS-00227
-    - SV-257984r943034_rule
+    - SV-257984r952179_rule
     - V-257984
     - NIST800-53R4_CM-6
     - NIST800-53R4_IA-2
@@ -343,7 +343,7 @@
     - CAT1
     - CCI-000877
     - SRG-OS-000125-GPOS-00065
-    - SV-257986r943038_rule
+    - SV-257986r952183_rule
     - V-257986
     - NIST800-53R4_MA-4
     - ssh

tasks/Cat2/RHEL-09-21xxxx.yml

@@ -346,7 +346,7 @@
     - CCI-001084
     - SRG-OS-000433-GPOS-00192
     - SRG-OS-000134-GPOS-00068
-    - SV-257794r925369_rule
+    - SV-257794r952164_rule
     - V-257794
     - NIST800-53R4_SC-3
     - NIST800-53R4_SI-16
@@ -602,7 +602,7 @@
     - CAT2
     - CCI-000381
     - SRG-OS-000095-GPOS-00049
-    - SV-257807r925408_rule
+    - SV-257807r952166_rule
     - V-257807
     - NIST800-53R4_CM-7
   vars:
@@ -662,7 +662,7 @@
     - CCI-001082
     - SRG-OS-000132-GPOS-00067
     - SRG-OS-000480-GPOS-00227
-    - SV-257810r942977_rule
+    - SV-257810r952168_rule
     - V-257810
     - NIST800-53R4_CM-6
     - NIST800-53R4_SC-2

tasks/Cat2/RHEL-09-25xxxx.yml

@@ -925,7 +925,7 @@
     - CCI-001388
     - SRG-OS-000023-GPOS-00006
     - SRG-OS-000228-GPOS-00088
-    - SV-257981r943028_rule
+    - SV-257981r952173_rule
     - V-257981
     - NIST800-53R4_AC-8
     - ssh
@@ -945,7 +945,7 @@
     - CAT2
     - CCI-000067
     - SRG-OS-000032-GPOS-00013
-    - SV-257982r943030_rule
+    - SV-257982r952175_rule
     - V-257982
     - NIST800-53R4_AC-17
     - ssh
@@ -971,7 +971,7 @@
     - SRG-OS-000106-GPOS-00053
     - SRG-OS-000107-GPOS-00054
     - SRG-OS-000108-GPOS-00055
-    - SV-257983r943032_rule
+    - SV-257983r952177_rule
     - V-257983
     - NIST800-53R4_IA-2
     - ssh
@@ -993,7 +993,7 @@
     - CCI-000770
     - SRG-OS-000109-GPOS-00056
     - SRG-OS-000480-GPOS-00227
-    - SV-257985r943036_rule
+    - SV-257985r952181_rule
     - V-257985
     - NIST800-53R4_CM-6
     - NIST800-53R4_IA-2
@@ -1014,7 +1014,7 @@
     - CAT2
     - CCI-001453
     - SRG-OS-000250-GPOS-00093
-    - SV-257987r925948_rule
+    - SV-257987r952185_rule
     - V-257987
     - NIST800-53R4_AC-17
     - ssh
@@ -1059,26 +1059,9 @@
     - NIST800-53R4_AC-17
   notify: Change_requires_reboot
   ansible.builtin.lineinfile:
-    path: /etc/crypto-policies/back-ends/openssh.config
-    regexp: ^Ciphers
     line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}"
-
-- name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms."
-  when:
-    - rhel_09_255070
-  tags:
-    - RHEL-09-255070
-    - CAT2
-    - CCI-001453
-    - SRG-OS-000250-GPOS-00093
-    - SV-257990r925957_rule
-    - V-257990
-    - NIST800-53R4_AC-17
-  notify: Change_requires_reboot
-  ansible.builtin.lineinfile:
     path: /etc/crypto-policies/back-ends/openssh.config
-    regexp: ^MACs
-    line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}"
+    regexp: ^Ciphers
 
 - name: "MEDIUM | RHEL-09-255075 | PATCH | RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms."
   when:
@@ -1088,14 +1071,14 @@
     - CAT2
     - CCI-001453
     - SRG-OS-000250-GPOS-00093
-    - SV-257991r925960_rule
+    - SV-257991r952188_rule
     - V-257991
     - NIST800-53R4_AC-17
   notify: Change_requires_reboot
   ansible.builtin.lineinfile:
-    path: /etc/crypto-policies/back-ends/opensshserver.config
+    path: /etc/crypto-policies/back-ends/openssh.config
     regexp: ^MACs
-    line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}"
+    line: "MACs {{ rhel9stig_sshd_config.macs | join(',') }}"
 
 - name: "MEDIUM | RHEL-09-255080 | PATCH | RHEL 9 must not allow a noncertificate trusted host SSH logon to the system."
   when:
@@ -1105,7 +1088,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-257992r943040_rule
+    - SV-257992r952190_rule
     - V-257992
     - NIST800-53R4_CM-6
     - ssh
@@ -1125,7 +1108,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00229
-    - SV-257993r943042_rule
+    - SV-257993r952192_rule
     - V-257993
     - NIST800-53R4_CM-6
     - ssh
@@ -1149,7 +1132,7 @@
     - SRG-OS-000423-GPOS-00187
     - SRG-OS-000033-GPOS-00014
     - SRG-OS-000424-GPOS-00188
-    - SV-257994r943044_rule
+    - SV-257994r952194_rule
     - V-257994
     - NIST800-53R4_AC-17
     - NIST800-53R4_SC-8
@@ -1173,7 +1156,7 @@
     - CCI-002421
     - SRG-OS-000163-GPOS-00072
     - SRG-OS-000279-GPOS-00109
-    - SV-257995r942963_rule
+    - SV-257995r952196_rule
     - V-257995
     - NIST800-53R4_SC-10
     - NIST800-53R4_AC-12
@@ -1200,7 +1183,7 @@
     - SRG-OS-000163-GPOS-00072
     - SRG-OS-000279-GPOS-00109
     - SRG-OS-000395-GPOS-00175
-    - SV-257996r943046_rule
+    - SV-257996r952198_rule
     - V-257996
     - NIST800-53R4_MA-4
     - NIST800-53R4_SC-10
@@ -1320,7 +1303,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-258002r925993_rule
+    - SV-258002r952200_rule
     - V-258002
     - NIST800-53R4_CM-6
     - ssh
@@ -1342,7 +1325,7 @@
     - CCI-001813
     - SRG-OS-000364-GPOS-00151
     - SRG-OS-000480-GPOS-00227
-    - SV-258003r925996_rule
+    - SV-258003r952202_rule
     - V-258003
     - NIST800-53R4_CM-5
     - NIST800-53R4_CM-6
@@ -1365,7 +1348,7 @@
     - CCI-001813
     - SRG-OS-000364-GPOS-00151
     - SRG-OS-000480-GPOS-00227
-    - SV-258004r925999_rule
+    - SV-258004r952204_rule
     - V-258004
     - NIST800-53R4_CM-5
     - NIST800-53R4_CM-6
@@ -1386,7 +1369,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-258005r926002_rule
+    - SV-258005r952206_rule
     - V-258005
     - NIST800-53R4_CM-6
     - ssh
@@ -1406,7 +1389,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-258006r926005rule
+    - SV-258006r952208_rule
     - V-258006
     - NIST800-53R4_CM-6
     - ssh
@@ -1426,7 +1409,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-258007r943048_rule
+    - SV-258007r952210_rule
     - V-258007
     - NIST800-53R4_CM-6
     - ssh
@@ -1446,7 +1429,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-258008r926011rule
+    - SV-258008r952212_rule
     - V-258008
     - NIST800-53R4_CM-6
     - ssh
@@ -1466,7 +1449,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-258009r926014rule
+    - SV-258009r952214_rule
     - V-258009
     - NIST800-53R4_CM-6
     - ssh
@@ -1486,7 +1469,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-258010r926017rule
+    - SV-258010r952216_rule
     - V-258010
     - NIST800-53R4_CM-6
     - ssh
@@ -1506,7 +1489,7 @@
     - CAT2
     - CCI-000366
     - SRG-OS-000480-GPOS-00227
-    - SV-258011r943050_rule
+    - SV-258011r952218_rule
     - V-258011
     - NIST800-53R4_CM-6
     - ssh

tasks/Cat2/RHEL-09-67xxxx.yml

@@ -256,7 +256,7 @@
     warn_control_id: "MEDIUM | RHEL-09-672045"
   block:
     - name: "MEDIUM | RHEL-09-672045 | AUDIT | RHEL 9 must implement a system-wide encryption policy."
-      ansible.builtin.shell: update-crypto-policies --check
+      ansible.builtin.shell: update-crypto-policies --show
       changed_when: false
       failed_when: crypto_policies_check.rc not in [0 , 1]
       register: crypto_policies_check

templates/ansible_vars_goss.yml.j2

@@ -274,7 +274,6 @@ rhel_09_255045: {{ rhel_09_255045 }}
 rhel_09_255055: {{ rhel_09_255055 }}
 rhel_09_255060: {{ rhel_09_255060 }}
 rhel_09_255065: {{ rhel_09_255065 }}
-rhel_09_255070: {{ rhel_09_255070 }}
 rhel_09_255075: {{ rhel_09_255075 }}
 rhel_09_255080: {{ rhel_09_255080 }}
 rhel_09_255085: {{ rhel_09_255085 }}
@@ -659,16 +658,7 @@ rhel9stig_sshd_config:
   kerbauth: {{ rhel9stig_sshd_config.kerbauth }}
   lastlog: {{ rhel9stig_sshd_config.lastlog }}
   loglevel: {{ rhel9stig_sshd_config.loglevel }}
-  macs_clients:
-  {% for macs in rhel9stig_sshd_config.macs_clients %}
-  - {{ macs }}
-  {% endfor -%}
-
-  macs_server:
-  {% for macs in rhel9stig_sshd_config.macs_server %}
-  - {{ macs }}
-  {% endfor -%}
-
+  macs: {{ rhel9stig_sshd_config.macs }}
   pubkeyauth: {{ rhel9stig_sshd_config.pubkeyauth }}
   permitroot: {{ rhel9stig_sshd_config.permitroot }}
   privsep: {{ rhel9stig_sshd_config.privsep }}

vars/audit.yml

@@ -26,8 +26,8 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
 
 ### Audit binary settings ###
 audit_bin_version:
-    release: v0.4.4
-    AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
+    release: v0.4.7
+    AMD64_checksum: 'sha256:1206cc17af6d529baefae79c0cad6383c75f3cc68dc152632d393be827b13d5f'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json