From b645dbd5eec44f74e43408adb2cee41693bf8c73 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jun 2024 15:34:26 +0100 Subject: [PATCH 01/10] updates for v1r3 Signed-off-by: Mark Bolwell --- README.md | 4 +-- tasks/Cat1/RHEL-09-2xxxxx.yml | 10 +++--- tasks/Cat2/RHEL-09-21xxxx.yml | 6 ++-- tasks/Cat2/RHEL-09-25xxxx.yml | 65 +++++++++++++---------------------- vars/main.yml | 10 +++--- 5 files changed, 39 insertions(+), 56 deletions(-) diff --git a/README.md b/README.md index bf896d0..793dfcf 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@ ## Configure a RHEL9 based system to be complaint with Disa STIG -This role is based on RHEL 9 DISA STIG: [Version 1, Rel 2 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R2_STIG.zip). +This role is based on RHEL 9 DISA STIG: [Version 1, Rel 3 released on Apr 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R3_STIG.zip). -## Initial Relase from STIG, still many items that not quite aligned in the documentation +## Initial Release from STIG, still many items that not quite aligned in the documentation --- diff --git a/tasks/Cat1/RHEL-09-2xxxxx.yml b/tasks/Cat1/RHEL-09-2xxxxx.yml index 569b3ad..2ccf854 100644 --- a/tasks/Cat1/RHEL-09-2xxxxx.yml +++ b/tasks/Cat1/RHEL-09-2xxxxx.yml @@ -182,19 +182,19 @@ - name: HIGH | RHEL-09-215060 | PATCH | RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. when: - - "'tftp' in ansible_facts.packages" + - "'tftp-server' in ansible_facts.packages" - rhel_09_215060 tags: - RHEL-09-215060 - CAT1 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257835r925492_rule + - SV-257835r952171_rule - V-257835 - NIST800-53R4_CM-6 - tftp ansible.builtin.package: - name: tftp + name: tftp-server state: absent - name: HIGH | RHEL-08-231190 | AUDIT | All RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification 
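Review bot: The package name `tftp-server` now has to be kept in sync in two places, the `when` test `"'tftp-server' in ansible_facts.packages"` and `ansible.builtin.package` `name:`, which is exactly the drift this commit corrects; a task-level `vars: tftp_server_pkg: tftp-server` referenced from both would prevent the next mismatch. The `when` guard is also redundant for `state: absent`, since the package module is already a no-op when the package is missing, so it only saves a package-manager call. The `ansible_facts.packages` lookup presumes package facts were gathered earlier, which is outside this hunk.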
@@ -323,7 +323,7 @@ - SRG-OS-000106-GPOS-00053 - SRG-OS-000480-GPOS-00229 - SRG-OS-000480-GPOS-00227 - - SV-257984r943034_rule + - SV-257984r952179_rule - V-257984 - NIST800-53R4_CM-6 - NIST800-53R4_IA-2 @@ -343,7 +343,7 @@ - CAT1 - CCI-000877 - SRG-OS-000125-GPOS-00065 - - SV-257986r943038_rule + - SV-257986r952183_rule - V-257986 - NIST800-53R4_MA-4 - ssh diff --git a/tasks/Cat2/RHEL-09-21xxxx.yml b/tasks/Cat2/RHEL-09-21xxxx.yml index f64b9bb..57e0874 100644 --- a/tasks/Cat2/RHEL-09-21xxxx.yml +++ b/tasks/Cat2/RHEL-09-21xxxx.yml @@ -346,7 +346,7 @@ - CCI-001084 - SRG-OS-000433-GPOS-00192 - SRG-OS-000134-GPOS-00068 - - SV-257794r925369_rule + - SV-257794r952164_rule - V-257794 - NIST800-53R4_SC-3 - NIST800-53R4_SI-16 @@ -601,7 +601,7 @@ - CAT2 - CCI-000381 - SRG-OS-000095-GPOS-00049 - - SV-257807r925408_rule + - SV-257807r952166_rule - V-257807 - NIST800-53R4_CM-7 vars: @@ -661,7 +661,7 @@ - CCI-001082 - SRG-OS-000132-GPOS-00067 - SRG-OS-000480-GPOS-00227 - - SV-257810r942977_rule + - SV-257810r952168_rule - V-257810 - NIST800-53R4_CM-6 - NIST800-53R4_SC-2 diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index dcf2d3a..9d86813 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -917,7 +917,7 @@ - CCI-001388 - SRG-OS-000023-GPOS-00006 - SRG-OS-000228-GPOS-00088 - - SV-257981r943028_rule + - SV-257981r952173_rule - V-257981 - NIST800-53R4_AC-8 - ssh @@ -937,7 +937,7 @@ - CAT2 - CCI-000067 - SRG-OS-000032-GPOS-00013 - - SV-257982r943030_rule + - SV-257982r952175_rule - V-257982 - NIST800-53R4_AC-17 - ssh @@ -963,7 +963,7 @@ - SRG-OS-000106-GPOS-00053 - SRG-OS-000107-GPOS-00054 - SRG-OS-000108-GPOS-00055 - - SV-257983r943032_rule + - SV-257983r952177_rule - V-257983 - NIST800-53R4_IA-2 - ssh @@ -985,7 +985,7 @@ - CCI-000770 - SRG-OS-000109-GPOS-00056 - SRG-OS-000480-GPOS-00227 - - SV-257985r943036_rule + - SV-257985r952181_rule - V-257985 - NIST800-53R4_CM-6 - NIST800-53R4_IA-2 
@@ -1006,7 +1006,7 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-257987r925948_rule + - SV-257987r952185_rule - V-257987 - NIST800-53R4_AC-17 - ssh @@ -1052,25 +1052,8 @@ notify: Change_requires_reboot ansible.builtin.lineinfile: line: "Ciphers {{ rhel9stig_sshd_config.ciphers | join(',') }}" - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: ^Ciphers - -- name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." - when: - - rhel_09_255070 - tags: - - RHEL-09-255070 - - CAT2 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 - - SV-257990r925957_rule - - V-257990 - - NIST800-53R4_AC-17 - notify: Change_requires_reboot - ansible.builtin.lineinfile: - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}" path: /etc/crypto-policies/back-ends/openssh.config - regexp: ^MACs + regexp: ^Ciphers - name: "MEDIUM | RHEL-09-255075 | PATCH | RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." when: @@ -1080,13 +1063,13 @@ - CAT2 - CCI-001453 - SRG-OS-000250-GPOS-00093 - - SV-257991r925960_rule + - SV-257991r952188_rule - V-257991 - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}" - path: /etc/crypto-policies/back-ends/opensshserver.config + line: "MACs {{ rhel9stig_sshd_config.macs | join(',') }}" + path: /etc/crypto-policies/back-ends/openssh.config regexp: ^MACs - name: "MEDIUM | RHEL-09-255080 | PATCH | RHEL 9 must not allow a noncertificate trusted host SSH logon to the system." @@ -1097,7 +1080,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-257992r943040_rule + - SV-257992r952190_rule - V-257992 - NIST800-53R4_CM-6 - ssh 
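Review bot: The Ciphers task now writes to `/etc/crypto-policies/back-ends/openssh.config` instead of `opensshserver.config`, while the sibling task titles say the target is the SSH server; if I read the stock RHEL 9 drop-ins correctly, sshd includes `opensshserver.config` and the ssh client includes `openssh.config`, so the server-side cipher restriction may no longer be applied by this role unless that file already carries the same list. If the new path follows the V1R3 check text literally, record that in a comment on the task, e.g. `# V1R3 check text references openssh.config; sshd itself reads opensshserver.config`, so the mismatch with the task title is visibly deliberate. The same path change is made for MACs in the @@ -1080 hunk below and again in patch 09's @@ -1093 hunk. The task containing the Ciphers lineinfile begins before this hunk.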
@@ -1117,7 +1100,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00229 - - SV-257993r943042_rule + - SV-257993r952192_rule - V-257993 - NIST800-53R4_CM-6 - ssh @@ -1141,7 +1124,7 @@ - SRG-OS-000423-GPOS-00187 - SRG-OS-000033-GPOS-00014 - SRG-OS-000424-GPOS-00188 - - SV-257994r943044_rule + - SV-257994r952194_rule - V-257994 - NIST800-53R4_AC-17 - NIST800-53R4_SC-8 @@ -1165,7 +1148,7 @@ - CCI-002421 - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 - - SV-257995r942963_rule + - SV-257995r952196_rule - V-257995 - NIST800-53R4_SC-10 - NIST800-53R4_AC-12 @@ -1192,7 +1175,7 @@ - SRG-OS-000163-GPOS-00072 - SRG-OS-000279-GPOS-00109 - SRG-OS-000395-GPOS-00175 - - SV-257996r943046_rule + - SV-257996r952198_rule - V-257996 - NIST800-53R4_MA-4 - NIST800-53R4_SC-10 @@ -1312,7 +1295,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258002r925993_rule + - SV-258002r952200_rule - V-258002 - NIST800-53R4_CM-6 - ssh @@ -1334,7 +1317,7 @@ - CCI-001813 - SRG-OS-000364-GPOS-00151 - SRG-OS-000480-GPOS-00227 - - SV-258003r925996_rule + - SV-258003r952202_rule - V-258003 - NIST800-53R4_CM-5 - NIST800-53R4_CM-6 @@ -1357,7 +1340,7 @@ - CCI-001813 - SRG-OS-000364-GPOS-00151 - SRG-OS-000480-GPOS-00227 - - SV-258004r925999_rule + - SV-258004r952204_rule - V-258004 - NIST800-53R4_CM-5 - NIST800-53R4_CM-6 @@ -1378,7 +1361,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258005r926002_rule + - SV-258005r952206_rule - V-258005 - NIST800-53R4_CM-6 - ssh @@ -1398,7 +1381,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258006r926005rule + - SV-258006r952208_rule - V-258006 - NIST800-53R4_CM-6 - ssh @@ -1418,7 +1401,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258007r943048_rule + - SV-258007r952210_rule - V-258007 - NIST800-53R4_CM-6 - ssh @@ -1438,7 +1421,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258008r926011rule + - SV-258008r952212_rule - V-258008 - NIST800-53R4_CM-6 - ssh 
@@ -1458,7 +1441,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258009r926014rule + - SV-258009r952214_rule - V-258009 - NIST800-53R4_CM-6 - ssh @@ -1478,7 +1461,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258010r926017rule + - SV-258010r952216_rule - V-258010 - NIST800-53R4_CM-6 - ssh @@ -1498,7 +1481,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-258011r943050_rule + - SV-258011r952218_rule - V-258011 - NIST800-53R4_CM-6 - ssh diff --git a/vars/main.yml b/vars/main.yml index ddc557a..ee59a1b 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -36,14 +36,14 @@ rhel9stig_dod_ciphers: - aes256-ctr - aes128-gcm@openssh.com - aes128-ctr -rhel9stig_dod_macs_clients: +rhel9stig_dod_macs: - hmac-sha2-256-etm@openssh.com -- hmac-sha2-256 -- hmac-sha2-512-etm@openssh.com -- hmac-sha2-512 -rhel9stig_dod_macs_server: # Server also has client mac listed above don't duplicate - hmac-sha1-etm@openssh.com - umac-128-etm@openssh.com +- hmac-sha2-512-etm@openssh.com +- hmac-sha2-256 - hmac-sha1 +- hmac-sha2-512-etm@openssh.com - umac-128@openssh.com +- hmac-sha2-512 rhel9stig_dod_kex: From eb6a252afed1752d04ded3fb924879a589249b8b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jun 2024 16:30:29 +0100 Subject: [PATCH 02/10] updated for v1r3 Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 ++---- templates/ansible_vars_goss.yml.j2 | 12 +----------- 2 files changed, 3 insertions(+), 15 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 121d357..1b8e037 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ --- ## metadata for Audit benchmark -benchmark_version: 'v1r2' +benchmark_version: 'v1r3' ## Benchmark name used by audting control role # The audit variable found at the base @@ -323,7 +323,6 @@ rhel_09_255045: true rhel_09_255055: true rhel_09_255060: true rhel_09_255065: true -rhel_09_255070: true rhel_09_255075: true rhel_09_255080: true rhel_09_255085: true 
@@ -616,8 +615,7 @@ rhel9stig_sshd_config: kerbauth: 'no' lastlog: 'yes' loglevel: VERBOSE - macs_clients: "{{ rhel9stig_dod_macs_clients }}" - macs_server: "{{ rhel9stig_dod_macs_server }}" + macs: "{{ rhel9stig_dod_macs }}" pubkeyauth: 'yes' permitroot: 'no' privsep: sandbox diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e684480..18ac52c 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -274,7 +274,6 @@ rhel_09_255045: {{ rhel_09_255045 }} rhel_09_255055: {{ rhel_09_255055 }} rhel_09_255060: {{ rhel_09_255060 }} rhel_09_255065: {{ rhel_09_255065 }} -rhel_09_255070: {{ rhel_09_255070 }} rhel_09_255075: {{ rhel_09_255075 }} rhel_09_255080: {{ rhel_09_255080 }} rhel_09_255085: {{ rhel_09_255085 }} @@ -659,16 +658,7 @@ rhel9stig_sshd_config: kerbauth: {{ rhel9stig_sshd_config.kerbauth }} lastlog: {{ rhel9stig_sshd_config.lastlog }} loglevel: {{ rhel9stig_sshd_config.loglevel }} - macs_clients: - {% for macs in rhel9stig_sshd_config.macs_clients %} - - {{ macs }} - {% endfor -%} - - macs_server: - {% for macs in rhel9stig_sshd_config.macs_server %} - - {{ macs }} - {% endfor -%} - + macs: {{ rhel9stig_sshd_config.macs }} pubkeyauth: {{ rhel9stig_sshd_config.pubkeyauth }} permitroot: {{ rhel9stig_sshd_config.permitroot }} privsep: {{ rhel9stig_sshd_config.privsep }} From 75eababcf7368cc9a23edb6b26cc529bc9764cb1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jun 2024 16:34:45 +0100 Subject: [PATCH 03/10] updated to latest pipeline Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 291 ++++++++++-------- .../workflows/main_pipeline_validation.yml | 277 +++++++++-------- 2 files changed, 309 insertions(+), 259 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa..e02fe1f 100644 --- a/.github/workflows/devel_pipeline_validation.yml 
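Review bot: Renaming `macs_clients`/`macs_server` to `macs` and dropping `rhel_09_255070` silently disables any inventory override a user keeps under the old keys: the old key is simply ignored and the role default applies, with no failure; add a changelog note and, for one release, an `ansible.builtin.assert` that fails when `rhel9stig_sshd_config.macs_clients is defined` or `rhel9stig_sshd_config.macs_server is defined`. In the goss template hunk, `macs: {{ rhel9stig_sshd_config.macs }}` renders the list through Python's repr and relies on that happening to be valid YAML flow syntax; `macs: {{ rhel9stig_sshd_config.macs | to_json }}` makes the serialisation explicit and yields the same list the removed per-item loop produced. The rhel9stig_sshd_config mapping starts before the hunk in both files.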
+++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -1,138 +1,159 @@ --- - name: Devel pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + # Allow manual running of workflow + workflow_dispatch: + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main 
with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansibleplaybook - - name: 
Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. 
+ + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION: "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + 
PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d9..4a5adc9 100644 
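Review bot: The playbook-test job runs under `pull_request_target`, checks out `${{ github.event.pull_request.head.sha }}` and then executes that checkout's `site.yml` on a self-hosted runner while holding `id-token: write` and the assumed AWS role, so a pull request author's playbook runs with the pipeline's cloud credentials and runner; gate the job behind a protected environment with required reviewers, or keep fork PRs on the plain `pull_request` event without the AWS steps. The third-party actions are pinned to mutable branches (`actions/first-interaction@main`, `aws-actions/configure-aws-credentials@main`); pin them to a release tag or commit SHA so the runner does not pick up whatever those branches contain next. In the DEBUG step, `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"` has an unbalanced quote that fails the script whenever ENABLE_DEBUG is true, and both new echo lines read `$AWS_PRIVSUBNET_ID`/`$AWS_VPC_SECGRP_ID` while the step's `env:` defines `PRIVSUBNET_ID` and `VPC_ID`; `echo "PRIVSUBNET_ID = $PRIVSUBNET_ID"` and `echo "VPC_ID = $VPC_ID"`. All three points apply equally to main_pipeline_validation.yml.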
--- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
@@ -1,127 +1,156 @@ --- - name: Main pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: 
DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansibleplaybook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION : "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ 
secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - 
name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false From 42b0ac947d98c59d9d1d95c880e4bfe2638fa27a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jun 2024 17:00:27 +0100 Subject: [PATCH 04/10] updated macs Signed-off-by: Mark Bolwell --- vars/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index ee59a1b..fd7fa4c 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -43,7 +43,6 @@ rhel9stig_dod_macs: - hmac-sha2-512-etm@openssh.com - hmac-sha2-256 - hmac-sha1 -- hmac-sha2-512-etm@openssh.com - umac-128@openssh.com - hmac-sha2-512 rhel9stig_dod_kex: From 18018c42794c64d07ea29f0dc9657e0007931689 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jun 2024 17:29:57 +0100 Subject: [PATCH 05/10] fixed quotes Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1b8e037..9b5fcf7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -820,7 +820,7 @@ rhel9stig_remotelog_server: # Ensure this matches the filesystem where the audit logs are stored. # It will affect checks for control RHEL-09-653030 -rhel9stig_audit_log_filesystem: /var/log/audit +rhel9stig_audit_log_filesystem: '/var/log/audit' rhel9stig_audit_conf: action_mail_acct: root admin_space_left: 5 From ced335590f6f38df59b2be9d9f85b7a0a578e02b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jun 2024 17:30:48 +0100 Subject: [PATCH 06/10] fixed mountpoint conditionals Signed-off-by: Mark Bolwell --- tasks/Cat3/RHEL-09-2xxxxx.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
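Review bot: `if [ ${{ vars.IAC_BRANCH }} != '' ]; then` interpolates the variable unquoted into the shell, so an unset IAC_BRANCH yields `[ != '' ]`, which only reaches the else branch because the malformed test exits non-zero, and a value containing spaces would break the step outright; test `if [ -n "${{ vars.IAC_BRANCH }}" ]; then`, or better pass the value through the step's `env:` and test the shell variable. `AWS_REGION : "us-east-1"` has a space before the colon (yamllint `colons`); the devel workflow writes `AWS_REGION:`. The same IAC_BRANCH test is duplicated in devel_pipeline_validation.yml.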
diff --git a/tasks/Cat3/RHEL-09-2xxxxx.yml b/tasks/Cat3/RHEL-09-2xxxxx.yml index 8b29b1e..ab7564c 100644 --- a/tasks/Cat3/RHEL-09-2xxxxx.yml +++ b/tasks/Cat3/RHEL-09-2xxxxx.yml @@ -110,7 +110,7 @@ - name: "LOW | RHEL-09-231020 | AUDIT | RHEL 9 must use a separate file system for /var." when: - rhel_09_231020 - - ansible_facts['mounts']| selectattr('mount', '==', '/var') + - "'/var' not in mount_names" tags: - RHEL-09-231020 - CAT2 @@ -134,7 +134,7 @@ - name: "LOW | RHEL-09-231025 | AUDIT | RHEL 9 must use a separate file system for /var/log." when: - rhel_09_231025 - - ansible_facts['mounts']| selectattr('mount', '==', '/var/log') + - "'/var/log' not in mount_names" tags: - RHEL-09-231025 - CAT2 @@ -158,7 +158,7 @@ - name: "LOW | RHEL-09-231030 | AUDIT | RHEL 9 must use a separate file system for /var/log/audit." when: - rhel_09_231030 - - ansible_facts['mounts']| selectattr('mount', '==', rhel9stig_audit_log_filesystem ) + - "rhel9stig_audit_log_filesystem not in mount_names" tags: - RHEL-09-231030 - CAT2 From 0d38c775eead0b8b8ed7871bd29f567ab1c5f1fc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 13 Jun 2024 17:31:40 +0100 Subject: [PATCH 07/10] updated audit goss version Signed-off-by: Mark Bolwell --- vars/audit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/audit.yml b/vars/audit.yml index bb50f6d..d5ea44e 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -26,8 +26,8 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma ### Audit binary settings ### audit_bin_version: - release: v0.4.4 - AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' + release: v0.4.7 + AMD64_checksum: 'sha256:1206cc17af6d529baefae79c0cad6383c75f3cc68dc152632d393be827b13d5f' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From d14dca69727d94c2dfdfac9619e345b5d9d7c66a Mon Sep 17 00:00:00 2001 
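Review bot: The three `when` conditions now depend on `mount_names`, which is not defined anywhere in these hunks; if it is not set before these tasks run, they error with an undefined variable rather than skip, and a comment above the first condition naming where it is built, such as `# mount_names: list of mount points built in <task file that sets it>`, would save the next reader the search. The `not in` form also reverses the old (always-truthy) selectattr test, so it is worth confirming the downstream warning logic expects the task to run only when the mount is absent. The same applies to the @@ -134 and @@ -158 hunks; each task's body continues outside its hunk.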
From: Mark Bolwell Date: Tue, 29 Oct 2024 12:17:16 +0000 Subject: [PATCH 08/10] updated gitleaks Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 494540a..cb848d4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,7 +36,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.1 + rev: v8.21.2 hooks: - id: gitleaks From 6b2547a7de5b17964f8f937c2fc0b7d24b215287 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 29 Oct 2024 12:23:38 +0000 Subject: [PATCH 09/10] Updated ciphers and Macs info Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-25xxxx.yml | 21 ++------------------- vars/main.yml | 12 ++++++------ 2 files changed, 8 insertions(+), 25 deletions(-) diff --git a/tasks/Cat2/RHEL-09-25xxxx.yml b/tasks/Cat2/RHEL-09-25xxxx.yml index fd29783..df5d11d 100644 --- a/tasks/Cat2/RHEL-09-25xxxx.yml +++ b/tasks/Cat2/RHEL-09-25xxxx.yml @@ -1063,23 +1063,6 @@ path: /etc/crypto-policies/back-ends/openssh.config regexp: ^Ciphers -- name: "MEDIUM | RHEL-09-255070 | PATCH | RHEL 9 SSH client must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." - when: - - rhel_09_255070 - tags: - - RHEL-09-255070 - - CAT2 - - CCI-001453 - - SRG-OS-000250-GPOS-00093 - - SV-257990r925957_rule - - V-257990 - - NIST800-53R4_AC-17 - notify: Change_requires_reboot - ansible.builtin.lineinfile: - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') }}" - path: /etc/crypto-policies/back-ends/openssh.config - regexp: ^MACs - - name: "MEDIUM | RHEL-09-255075 | PATCH | RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms." when: - rhel_09_255075 
@@ -1093,9 +1076,9 @@ - NIST800-53R4_AC-17 notify: Change_requires_reboot ansible.builtin.lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config + path: /etc/crypto-policies/back-ends/openssh.config regexp: ^MACs - line: "MACs {{ rhel9stig_sshd_config.macs_clients | join(',') + ',' + rhel9stig_sshd_config.macs_server | join(',') }}" + line: "MACs {{ rhel9stig_sshd_config.macs | join(',') }}" - name: "MEDIUM | RHEL-09-255080 | PATCH | RHEL 9 must not allow a noncertificate trusted host SSH logon to the system." when: diff --git a/vars/main.yml b/vars/main.yml index 4e5f891..490834c 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -32,18 +32,18 @@ update_audit_template: false # DOD encryption rhel9stig_dod_ciphers: - aes256-gcm@openssh.com -- chacha20-poly1305@openssh.com +# - chacha20-poly1305@openssh.com # Removed due to terrapin ssh cve - aes256-ctr - aes128-gcm@openssh.com - aes128-ctr rhel9stig_dod_macs: - hmac-sha2-256-etm@openssh.com -- hmac-sha1-etm@openssh.com -- umac-128-etm@openssh.com -- hmac-sha2-512-etm@openssh.com +# - hmac-sha1-etm@openssh.com +# - umac-128-etm@openssh.com - hmac-sha2-256 -- hmac-sha1 -- umac-128@openssh.com +- hmac-sha2-512-etm@openssh.com +# - hmac-sha1 +# - umac-128@openssh.com - hmac-sha2-512 rhel9stig_dod_kex: From 63c17c7374148a157f1c0569715f8bac5fb9416d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 29 Oct 2024 12:38:52 +0000 Subject: [PATCH 10/10] Improved 672045 Signed-off-by: Mark Bolwell --- tasks/Cat2/RHEL-09-67xxxx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/Cat2/RHEL-09-67xxxx.yml b/tasks/Cat2/RHEL-09-67xxxx.yml index c349ba9..e0d79bb 100644 --- a/tasks/Cat2/RHEL-09-67xxxx.yml +++ b/tasks/Cat2/RHEL-09-67xxxx.yml 
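Review bot: The task is titled "RHEL 9 SSH server must…" but its `path` now points at `/etc/crypto-policies/back-ends/openssh.config`, the same back-end file the preceding `^Ciphers` task writes and the one the client MACs task deleted earlier in this patch used, while `opensshserver.config` is no longer written by any task visible here. If `opensshserver.config` is the sshd-side back-end, as the removed line implies, the server's MAC list is left to whatever the active crypto policy generates and this control is effectively unenforced; either restore `path: /etc/crypto-policies/back-ends/opensshserver.config` or write both files rather than swapping one for the other. `rhel9stig_sshd_config.macs` is a new key that the `vars/main.yml` hunk in this patch does not define (it only edits `rhel9stig_dod_macs`), so confirm it exists or `MACs` renders with an undefined variable. The Ciphers task before this hunk and the `RHEL-09-255080` task after it both start outside the hunk.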
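Review bot: The comment `# Removed due to terrapin ssh cve` on the disabled `chacha20-poly1305@openssh.com` entry should name the CVE and its scope, because Terrapin (CVE-2023-48795) is a prefix-truncation attack against the chacha20-poly1305 and CBC-with-EtM combinations and is fully mitigated only by the strict-kex extension in a patched OpenSSH, not by cipher removal alone; suggested wording: `# - chacha20-poly1305@openssh.com  # disabled: Terrapin (CVE-2023-48795); strict kex in a patched openssh is the complete fix`. The retained `hmac-sha2-*-etm@openssh.com` MACs are not exposed to Terrapin as long as no CBC cipher appears in `rhel9stig_dod_ciphers`, which is worth a one-line comment so a later reviewer does not strip them too. The `hmac-sha1*` and `umac-128*` entries are commented out with no reason recorded; either state the reason inline or delete the lines, since commented-out algorithm entries are dead configuration that a merge can silently reactivate.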
@@ -256,7 +256,7 @@ warn_control_id: "MEDIUM | RHEL-09-672045" block: - name: "MEDIUM | RHEL-09-672045 | AUDIT | RHEL 9 must implement a system-wide encryption policy." - ansible.builtin.shell: update-crypto-policies --check + ansible.builtin.shell: update-crypto-policies --show changed_when: false failed_when: crypto_policies_check.rc not in [0 , 1] register: crypto_policies_check
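Review bot: Replacing `update-crypto-policies --check` with `--show` changes what the audit verifies: `--show` only prints the active policy name, whereas `--check` reports when the installed back-end files no longer match what the policy generates, and the `lineinfile` edits this patch series makes to `/etc/crypto-policies/back-ends/openssh.config` are exactly the kind of local modification `--check` flags. If the switch was made because `--check` started failing on those edits, the drift is being hidden rather than resolved; the cleaner fix is a policy module under `/etc/crypto-policies/policies/modules/` applied with `update-crypto-policies --set FIPS:<module>` so the generated files already carry the STIG lists and `--check` passes. With `--show` an `rc` of 1 no longer means "mismatch", so `failed_when: crypto_policies_check.rc not in [0 , 1]` should be revisited, and since no shell features are used the task should use `ansible.builtin.command: update-crypto-policies --show` rather than `ansible.builtin.shell`. The enclosing `block:` continues past the hunk, so whatever consumes `crypto_policies_check.stdout` is not visible here.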
