From 2b79cdb9f8b2658d304a60dd58510c36b8373a95 Mon Sep 17 00:00:00 2001
From: Gabe
Date: Wed, 12 Dec 2018 15:33:07 -0700
Subject: [PATCH] Update tasks/main.yml and vars/main.yml

---
tasks/main.yml | 4077 +++++++++++++++++++++++++-----------------------
vars/main.yml | 33 +-
2 files changed, 2154 insertions(+), 1956 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index 6ba8188..e2e597a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,973 +1,825 @@ -- name: Test for existence /etc/group - stat: - path: /etc/group - register: file_exists -- name: Ensure owner 0 on /etc/group - file: - path: /etc/group - owner: 0 - when: file_exists.stat.exists +- name: Set architecture for audit lsetxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lsetxattr + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: find_lsetxattr.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' + when: find_lsetxattr.matched > 0 + +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true tags: - - file_owner_etc_group - - medium_severity - - configure_strategy + - audit_rules_dac_modification_lsetxattr + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-26933-2 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 -- name: Test for existence /etc/passwd - stat: - path: /etc/passwd - register: file_exists -- name: Ensure group owner 0 on /etc/passwd - file: - path: /etc/passwd - group: 0 - when: file_exists.stat.exists + - CCE-27280-7 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + when: + - 
(ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - file_groupowner_etc_passwd - - medium_severity - - configure_strategy + - audit_rules_dac_modification_lsetxattr + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-26639-5 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 -- name: Ensure permission 0644 on /etc/passwd - file: - path: /etc/passwd - mode: 420 + - CCE-27280-7 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + +- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules tags: - - file_permissions_etc_passwd - - medium_severity - - configure_strategy + - audit_rules_dac_modification_lsetxattr + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-26887-0 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 -- name: Test for existence /etc/passwd - stat: - path: /etc/passwd - register: file_exists -- name: Ensure owner 0 on /etc/passwd - file: - path: /etc/passwd - owner: 0 - when: file_exists.stat.exists + - CCE-27280-7 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - 
NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - file_owner_etc_passwd - - medium_severity - - configure_strategy + - audit_rules_dac_modification_lsetxattr + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-27138-7 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 -- name: Test for existence /etc/shadow - stat: - path: /etc/shadow - register: file_exists -- name: Ensure group owner 0 on /etc/shadow - file: - path: /etc/shadow - group: 0 - when: file_exists.stat.exists + - CCE-27280-7 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + +- name: Set architecture for audit fchmod tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchmod + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: find_fchmod.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchmod.files 
| map(attribute=''path'') | list | first }}' + when: find_fchmod.matched > 0 + +- name: Inserts/replaces the fchmod rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true tags: - - file_groupowner_etc_shadow - - medium_severity - - configure_strategy + - audit_rules_dac_modification_fchmod + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-27125-4 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 -- name: Ensure permission 0000 on /etc/shadow - file: - path: /etc/shadow - mode: 0 + - CCE-27393-8 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030420 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fchmod rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - file_permissions_etc_shadow - - medium_severity - - configure_strategy + - audit_rules_dac_modification_fchmod + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-27100-7 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 -- name: Test for existence /etc/shadow - stat: - path: /etc/shadow - register: file_exists -- name: Ensure owner 0 on /etc/shadow - file: - path: /etc/shadow - owner: 0 - when: file_exists.stat.exists + - CCE-27393-8 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - 
NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030420 + +- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules tags: - - file_owner_etc_shadow - - medium_severity - - configure_strategy - - low_complexity - - low_disruption - - CCE-26795-5 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 -- name: Ensure permission 0644 on /etc/group - file: - path: /etc/group - mode: 420 - tags: - - file_permissions_etc_group - - medium_severity - - configure_strategy - - low_complexity - - low_disruption - - CCE-26949-8 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 -- name: Test for existence /etc/group - stat: - path: /etc/group - register: file_exists -- name: Ensure group owner 0 on /etc/group - file: - path: /etc/group - group: 0 - when: file_exists.stat.exists - tags: - - file_groupowner_etc_group - - medium_severity - - configure_strategy - - low_complexity - - low_disruption - - CCE-27037-1 - - NIST-800-53-AC-6 - - PCI-DSS-Req-8.7.c - - CJIS-5.5.2.2 -- name: Implement Blank Screensaver - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/screensaver - option: picture-uri - value: string '' - create: true - tags: - - dconf_gnome_screensaver_mode_blank + - audit_rules_dac_modification_fchmod - unknown_severity - - unknown_strategy + - restrict_strategy - low_complexity - - medium_disruption - - CCE-80113-4 - - NIST-800-53-AC-11(b) - - NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 -- name: Prevent user modification of GNOME picture-uri + - low_disruption + - CCE-27393-8 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - 
NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030420 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/picture-uri - line: /org/gnome/desktop/screensaver/picture-uri + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - dconf_gnome_screensaver_mode_blank + - audit_rules_dac_modification_fchmod - unknown_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-80113-4 - - NIST-800-53-AC-11(b) - - NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 -- name: Enable GNOME3 Screensaver Lock After Idle Period - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/screensaver - option: lock-enabled - value: 'true' - create: true - tags: - - dconf_gnome_screensaver_lock_enabled - - medium_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-80112-6 - - NIST-800-53-AC-11(b) - - NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010060 -- name: Prevent user modification of GNOME lock-enabled - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/lock-enabled - line: /org/gnome/desktop/screensaver/lock-enabled - create: true - tags: - - dconf_gnome_screensaver_lock_enabled - - medium_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-80112-6 - - NIST-800-53-AC-11(b) - - NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 - - 
DISA-STIG-RHEL-07-010060 -- name: Enable GNOME3 Screensaver Idle Activation - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/screensaver - option: idle_activation_enabled - value: 'true' - create: true - tags: - - dconf_gnome_screensaver_idle_activation_enabled - - medium_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-80111-8 - - NIST-800-53-AC-11(a) - - NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 -- name: Prevent user modification of GNOME idle_activation_enabled - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled - line: /org/gnome/desktop/screensaver/idle-activation-enabled - create: true - tags: - - dconf_gnome_screensaver_idle_activation_enabled - - medium_severity - - unknown_strategy + - restrict_strategy - low_complexity - - medium_disruption - - CCE-80111-8 - - NIST-800-53-AC-11(a) - - NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 -- name: XCCDF Value inactivity_timeout_value + - low_disruption + - CCE-27393-8 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030420 + +- name: Set architecture for audit fchown tasks set_fact: - inactivity_timeout_value: '900' - tags: - - always -- name: Set GNOME3 Screensaver Inactivity Timeout - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/screensaver - option: idle-delay - value: '{{ inactivity_timeout_value }}' - create: true - tags: - - dconf_gnome_screensaver_idle_delay - - medium_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-80110-0 - - NIST-800-53-AC-11(a) - - 
NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010070 -- name: Prevent user modification of GNOME idle-delay - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/idle-delay - line: /org/gnome/desktop/screensaver/idle-delay - create: true - tags: - - dconf_gnome_screensaver_idle_delay - - medium_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-80110-0 - - NIST-800-53-AC-11(a) - - NIST-800-171-3.1.10 - - PCI-DSS-Req-8.1.8 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010070 -- name: Find All yum Repositories + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + +- name: Search /etc/audit/rules.d for other DAC audit rules find: - paths: /etc/yum.repos.d/ - patterns: '*.repo' - register: yum_find -- name: Ensure gpgcheck Enabled For All yum Package Repositories - with_items: '{{ yum_find.files }}' + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchown + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: find_fchown.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchown.files | map(attribute=''path'') | list | first }}' + when: find_fchown.matched > 0 + +- name: Inserts/replaces the fchown rule in rules.d when on x86 lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true - dest: '{{ item.path }}' - regexp: ^gpgcheck - line: gpgcheck=1 - tags: - - ensure_gpgcheck_never_disabled - - high_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-26876-3 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - 
CJIS-5.10.4.1 -- name: Read permission of GPG key directory - stat: - path: /etc/pki/rpm-gpg/ - register: gpg_key_directory_permission - check_mode: false - tags: - - ensure_redhat_gpgkey_installed - - high_severity - - restrict_strategy - - medium_complexity - - medium_disruption - - CCE-26957-1 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 -- name: Read signatures in GPG key - shell: gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed - 's;.*= ;;g' - changed_when: false - register: gpg_fingerprints - check_mode: false - tags: - - ensure_redhat_gpgkey_installed - - high_severity - - restrict_strategy - - medium_complexity - - medium_disruption - - CCE-26957-1 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 -- name: Set Fact - Valid fingerprints - set_fact: - gpg_valid_fingerprints: ("567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51" "43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 - 2FA6 58E0") tags: - - ensure_redhat_gpgkey_installed - - high_severity - - restrict_strategy - - medium_complexity - - medium_disruption - - CCE-26957-1 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 -- name: Import RedHat GPG key - rpm_key: - state: present - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release - when: (gpg_key_directory_permission.stat.mode <= '0755') and (( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) - | length == 0) and (gpg_fingerprints.stdout_lines | length > 0) and (ansible_distribution == "RedHat") - tags: - - ensure_redhat_gpgkey_installed - - high_severity + - audit_rules_dac_modification_fchown + - unknown_severity - restrict_strategy - - medium_complexity - - medium_disruption - - CCE-26957-1 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - 
- NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 -- name: Check existence of yum on Fedora - stat: - path: /etc/yum.conf - register: yum_config_file - check_mode: false - when: ansible_distribution == "Fedora" -- name: Ensure GPG check is globally activated (yum) - ini_file: - dest: '{{item}}' - section: main - option: gpgcheck - value: 1 - create: false - with_items: /etc/yum.conf - when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists - tags: - - ensure_gpgcheck_globally_activated - - high_severity - - unknown_strategy - low_complexity - - medium_disruption - - CCE-26989-4 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020050 -- name: Ensure GPG check is globally activated (dnf) - ini_file: - dest: '{{item}}' - section: main - option: gpgcheck - value: 1 - create: false - with_items: /etc/dnf/dnf.conf - when: ansible_distribution == "Fedora" - tags: - - ensure_gpgcheck_globally_activated - - high_severity - - unknown_strategy - - low_complexity - - medium_disruption - - CCE-26989-4 - - NIST-800-53-CM-5(3) - - NIST-800-53-SI-7 - - NIST-800-53-MA-1(b) - - NIST-800-171-3.4.8 - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020050 -- name: Security patches are up to date - package: - name: '*' - state: latest - tags: - - security_patches_up_to_date - - high_severity - - patch_strategy - - low_complexity - - high_disruption - - CCE-26895-3 - - NIST-800-53-SI-2 - - NIST-800-53-SI-2(c) - - NIST-800-53-MA-1(b) - - PCI-DSS-Req-6.2 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020260 -- name: Ensure AIDE is installed - package: - name: '{{item}}' - state: present - with_items: - - aide + - low_disruption + - CCE-27356-5 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - 
NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030380 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fchown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - aide_periodic_cron_checking - - medium_severity + - audit_rules_dac_modification_fchown + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-26952-2 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-3(5) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-07-020030 -- name: Configure Periodic Execution of AIDE - cron: - name: run AIDE check - minute: 5 - hour: 4 - weekday: 0 - user: root - job: /usr/sbin/aide --check + - CCE-27356-5 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030380 + +- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules tags: - - aide_periodic_cron_checking - - medium_severity + - audit_rules_dac_modification_fchown + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-26952-2 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-3(5) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - 
NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-07-020030 -- name: Ensure AIDE is installed - package: - name: '{{item}}' + - CCE-27356-5 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030380 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fchown rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod state: present - with_items: - - aide + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - aide_build_database - - medium_severity + - audit_rules_dac_modification_fchown + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27220-3 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- name: Build and Test AIDE Database - shell: /usr/sbin/aide --init + - CCE-27356-5 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030380 + +- name: Set architecture for audit fremovexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: 
find_fremovexattr + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: find_fremovexattr.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' + when: find_fremovexattr.matched > 0 + +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true tags: - - aide_build_database + - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27220-3 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- name: Check whether the stock AIDE Database exists - stat: - path: /var/lib/aide/aide.db.new.gz - register: aide_database_stat + - CCE-27353-2 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030480 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - aide_build_database + - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - 
low_complexity - low_disruption - - CCE-27220-3 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- name: Stage AIDE Database - copy: - src: /var/lib/aide/aide.db.new.gz - dest: /var/lib/aide/aide.db.gz - backup: true - remote_src: true - when: aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists + - CCE-27353-2 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030480 + +- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules tags: - - aide_build_database + - audit_rules_dac_modification_fremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27220-3 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- name: Ensure aide is installed - package: - name: aide + - CCE-27353-2 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030480 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present + 
dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - package_aide_installed + - audit_rules_dac_modification_fremovexattr - medium_severity - - enable_strategy + - restrict_strategy - low_complexity - low_disruption - - CCE-27096-7 - - NIST-800-53-CM-3(d) - - NIST-800-53-CM-3(e) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- name: Read list of files with incorrect permissions - shell: rpm -Va --nofiledigest | awk '/^.M/ {print $NF}' - register: files_with_incorrect_permissions - failed_when: false - changed_when: false - check_mode: false - tags: - - rpm_verify_permissions - - high_severity - - restrict_strategy - - high_complexity - - medium_disruption - - CCE-27209-6 - - NIST-800-53-AC-6 - - NIST-800-53-AU-9(1) - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 -- name: Correct file permissions with RPM - shell: rpm --quiet --setperms $(rpm -qf '{{item}}') - with_items: '{{ files_with_incorrect_permissions.stdout_lines }}' - when: files_with_incorrect_permissions.stdout_lines | length > 0 - tags: - - rpm_verify_permissions - - high_severity - - restrict_strategy - - high_complexity - - medium_disruption - - CCE-27209-6 - - NIST-800-53-AC-6 - - NIST-800-53-AU-9(1) - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 -- name: 'Set fact: Package manager reinstall command (dnf)' + - CCE-27353-2 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 
+ - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030480 + +- name: Set architecture for audit fsetxattr tasks set_fact: - package_manager_reinstall_cmd: dnf reinstall -y - when: ansible_distribution == "Fedora" - tags: - - rpm_verify_hashes - - high_severity - - unknown_strategy - - high_complexity - - medium_disruption - - CCE-27157-7 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SI-7(1) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 -- name: 'Set fact: Package manager reinstall command (yum)' + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fsetxattr + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: - package_manager_reinstall_cmd: yum reinstall -y - when: ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux" - tags: - - rpm_verify_hashes - - high_severity - - unknown_strategy - - high_complexity - - medium_disruption - - CCE-27157-7 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SI-7(1) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 -- name: Read files with incorrect hash - shell: rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}' - register: files_with_incorrect_hash - changed_when: false - when: package_manager_reinstall_cmd is defined - check_mode: false - tags: - - rpm_verify_hashes - - high_severity - - unknown_strategy - - high_complexity - - medium_disruption - - CCE-27157-7 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SI-7(1) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - 
DISA-STIG-RHEL-07-010020 -- name: Reinstall packages of files with incorrect hash - shell: '{{package_manager_reinstall_cmd}} $(rpm -qf ''{{item}}'')' - with_items: '{{ files_with_incorrect_hash.stdout_lines }}' - when: package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0) - tags: - - rpm_verify_hashes - - high_severity - - unknown_strategy - - high_complexity - - medium_disruption - - CCE-27157-7 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SI-7(1) - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - PCI-DSS-Req-11.5 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 -- name: Does prelink file exist - stat: - path: /etc/sysconfig/prelink - register: prelink_exists + all_files: + - /etc/audit/rules.d/privileged.rules + when: find_fsetxattr.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' + when: find_fsetxattr.matched > 0 + +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true tags: - - disable_prelink + - audit_rules_dac_modification_fsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27078-5 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - NIST-800-171-3.13.11 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- name: disable prelinking + - CCE-27389-6 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces 
the fsetxattr rule in rules.d when on x86_64 lineinfile: - path: /etc/sysconfig/prelink - regexp: ^PRELINKING= - line: PRELINKING=no - when: prelink_exists.stat.exists == True + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - disable_prelink + - audit_rules_dac_modification_fsetxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27078-5 - - NIST-800-53-CM-6(d) - - NIST-800-53-CM-6(3) - - NIST-800-53-SC-28 - - NIST-800-53-SI-7 - - NIST-800-171-3.13.11 - - PCI-DSS-Req-11.5 - - CJIS-5.10.1.3 -- name: Ensure libreswan is installed - package: - name: libreswan + - CCE-27389-6 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) + - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 + +- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present + dest: /etc/audit/audit.rules tags: - - package_libreswan_installed - - medium_severity - - enable_strategy + - audit_rules_dac_modification_fsetxattr + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-80170-4 - - NIST-800-53-AC-17 - - NIST-800-53-MA-4 - - NIST-800-53-SC-9 - - PCI-DSS-Req-4.1 -- name: Search for privileged commands - shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat - check_mode: false - register: find_result + - CCE-27389-6 + - NIST-800-53-AC-17(7) + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-2(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-12(a) + - NIST-800-53-AU-12(c) 
+ - NIST-800-53-IR-5 + - NIST-800-171-3.1.7 + - PCI-DSS-Req-10.5.5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_privileged_commands - - medium_severity + - audit_rules_dac_modification_fsetxattr + - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27437-3 + - CCE-27389-6 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-2(4) - - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 -- name: Search /etc/audit/rules.d for audit rule entries + - DISA-STIG-RHEL-07-030450 + +- name: Set architecture for audit removexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: ^.*path={{ item }} .*$ + contains: -F key=perm_mod$ patterns: '*.rules' - with_items: - - '{{ find_result.stdout_lines }}' - register: files_result + register: find_removexattr + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: find_removexattr.matched == 0 + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_removexattr.files | 
map(attribute=''path'') | list | first }}' + when: find_removexattr.matched > 0 + +- name: Inserts/replaces the removexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true tags: - - audit_rules_privileged_commands + - audit_rules_dac_modification_removexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27437-3 + - CCE-27367-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-2(4) - - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 -- name: Overwrites the rule in rules.d + - DISA-STIG-RHEL-07-030470 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 lineinfile: - path: '{{ item.1.path }}' - line: -a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged - create: false - regexp: ^.*path={{ item.0.item }} .*$ - with_subelements: - - '{{ files_result.results }}' - - files + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_privileged_commands + - audit_rules_dac_modification_removexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27437-3 + - CCE-27367-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-2(4) - - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - 
NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 -- name: Adds the rule in rules.d + - DISA-STIG-RHEL-07-030470 + +- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 lineinfile: - path: /etc/audit/rules.d/privileged.rules - line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged - create: true - with_items: - - '{{ files_result.results }}' - when: item.matched == 0 + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules tags: - - audit_rules_privileged_commands + - audit_rules_dac_modification_removexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27437-3 + - CCE-27367-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-2(4) - - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 -- name: Inserts/replaces the rule in audit.rules + - DISA-STIG-RHEL-07-030470 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true - regexp: ^.*path={{ item.item }} .*$ - with_items: - - '{{ files_result.results }}' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - 
audit_rules_privileged_commands + - audit_rules_dac_modification_removexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27437-3 + - CCE-27367-2 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-2(4) - - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 -- name: Set architecture for audit lchown tasks + - DISA-STIG-RHEL-07-030470 + +- name: Set architecture for audit setxattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_lchown + register: find_setxattr + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_lchown.matched == 0 + when: find_setxattr.matched == 0 + - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' - when: find_lchown.matched > 0 -- name: Inserts/replaces the lchown rule in rules.d when on x86 + - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' + when: find_setxattr.matched > 0 + +- name: Inserts/replaces the setxattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true tags: - - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_setxattr - unknown_severity - restrict_strategy - low_complexity - 
low_disruption - - CCE-27083-5 + - CCE-27213-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -979,20 +831,23 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 -- name: Inserts/replaces the lchown rule in rules.d when on x86_64 + - DISA-STIG-RHEL-07-030440 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_setxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27083-5 + - CCE-27213-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1004,19 +859,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 -- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 + - DISA-STIG-RHEL-07-030440 + +- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_setxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27083-5 + - CCE-27213-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
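Review bot: The x86 `/etc/audit/audit.rules` setxattr task in the `@@ -1004` hunk has no `create: true`, while its x86_64 sibling in the next hunk does, so on a host where `/etc/audit/audit.rules` is absent the b32 task fails and the b64 task never runs. Add `create: true` directly under `dest: /etc/audit/audit.rules` so both tasks behave the same. The `tags:` list of this task continues past the end of the hunk.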
@@ -1028,21 +884,24 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 -- name: Inserts/replaces the lchown rule in audit.rules when on x86_64 + - DISA-STIG-RHEL-07-030440 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_setxattr - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27083-5 + - CCE-27213-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
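Review bot: The x86_64 setxattr `lineinfile` for `/etc/audit/audit.rules` has `line:` but no `regexp:`, so a host that already carries the earlier `-F auid!=4294967295` form keeps that line and gains a second one; `unset` is the symbolic spelling of 4294967295, so the kernel sees the same rule twice and, as far as I recall, `auditctl -R` (which `augenrules --load` uses) stops at the first "Rule exists" error and leaves the remaining rules unloaded. Add `regexp: '^-a always,exit -F arch=b64 -S setxattr .*-F key=perm_mod$'` so the task really replaces the old spelling as its name claims. Every other `Inserts/replaces` task in this change has the same gap. The `tags:` list of this task continues beyond the hunk.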
@@ -1054,39 +913,44 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 -- name: Set architecture for audit fchownat tasks + - DISA-STIG-RHEL-07-030440 + +- name: Set architecture for audit lchown tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_fchownat + register: find_lchown + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_fchownat.matched == 0 + when: find_lchown.matched == 0 + - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' - when: find_fchownat.matched > 0 -- name: Inserts/replaces the fchownat rule in rules.d when on x86 + - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' + when: find_lchown.matched > 0 + +- name: Inserts/replaces the lchown rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true tags: - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_lchown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27387-0 + - CCE-27083-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
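Review bot: `audit_arch` is built with `regex_replace('.*(\d\d$)','\1')`, which only rewrites `ansible_architecture` when it ends in two digits; if the fact is something like `ppc64le` or `s390x` the replacement returns the input unchanged and `audit_arch` becomes `bppc64le`, so every `audit_arch == 'b64'` task is silently skipped on such 64-bit hosts while the unconditional b32 rule is still written. Deriving it from an explicit list, e.g. `audit_arch: "{{ 'b64' if ansible_architecture in ['x86_64', 'aarch64', 'ppc64le', 's390x'] else 'b32' }}"`, makes the intent visible and avoids the silent skip; I cannot confirm from here which architectures this role is expected to run on. The lchown x86 task's `tags:` list continues past the end of the hunk.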
@@ -1098,20 +962,23 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 -- name: Inserts/replaces the fchownat rule in rules.d when on x86_64 + - DISA-STIG-RHEL-07-030390 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the lchown rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_lchown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27387-0 + - CCE-27083-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1123,19 +990,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 -- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 + - DISA-STIG-RHEL-07-030390 + +- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_lchown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27387-0 + - CCE-27083-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
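Review bot: The new `when:` on the x86_64 lchown rules.d task references `ansible_virtualization_role` and `ansible_virtualization_type` bare, so if the role is included with `gather_facts: false` or a fact subset that omits the virtualization facts the conditional raises an undefined-variable error instead of skipping. Writing it as `when: audit_arch == 'b64' and not (ansible_virtualization_role | default('') == "guest" and ansible_virtualization_type | default('') == "docker")` keeps the same meaning and degrades to running the task when the facts are absent. Since the same expression is repeated in every task of this change, computing it once into a fact such as `audit_in_docker` would also make the tasks easier to read.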
@@ -1147,21 +1015,24 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 -- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 + - DISA-STIG-RHEL-07-030390 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the lchown rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_lchown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27387-0 + - CCE-27083-5 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
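Review bot: The `/etc/audit/audit.rules` lchown task keeps `dest:` plus `state: present` while the rules.d tasks in the same change use `path:` and omit `state`; `dest` is only an alias of `path` and `present` is the default, so the two task families do the same thing but read as if they differed. Use `path: /etc/audit/audit.rules` and drop `state: present` here and in the sibling audit.rules tasks so the only real difference, the target file, stands out. The `tags:` list of this task runs past the end of the hunk.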
@@ -1173,39 +1044,44 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 -- name: Set architecture for audit setxattr tasks + - DISA-STIG-RHEL-07-030390 + +- name: Set architecture for audit chown tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_setxattr + register: find_chown + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_setxattr.matched == 0 + when: find_chown.matched == 0 + - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' - when: find_setxattr.matched > 0 -- name: Inserts/replaces the setxattr rule in rules.d when on x86 + - '{{ find_chown.files | map(attribute=''path'') | list | first }}' + when: find_chown.matched > 0 + +- name: Inserts/replaces the chown rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true tags: - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27213-8 + - CCE-27364-9 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
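Review bot: The recipient file for the chown rules is chosen as `find_chown.files | map(attribute='path') | list | first`, but `find` does not promise any ordering, so when more than one `*.rules` file in `/etc/audit/rules.d` carries a `key=perm_mod` rule the new rule may land in a different file from one run to the next. Sorting before taking the head, `'{{ find_chown.files | map(attribute=''path'') | sort | first }}'`, makes the choice deterministic. The chown x86 task's `tags:` list continues beyond the hunk.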
@@ -1217,20 +1093,23 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 -- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 + - DISA-STIG-RHEL-07-030370 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the chown rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27213-8 + - CCE-27364-9 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1242,19 +1121,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 -- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 + - DISA-STIG-RHEL-07-030370 + +- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27213-8 + - CCE-27364-9 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1266,21 +1146,24 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 -- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 + - DISA-STIG-RHEL-07-030370 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the chown rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chown - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27213-8 + - CCE-27364-9 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1292,10 +1175,12 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 + - DISA-STIG-RHEL-07-030370 + - name: Set architecture for audit chmod tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d 
@@ -1303,20 +1188,23 @@ contains: -F key=perm_mod$ patterns: '*.rules' register: find_chmod + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: find_chmod.matched == 0 + - name: Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_chmod.files | map(attribute=''path'') | list | first }}' when: find_chmod.matched > 0 + - name: Inserts/replaces the chmod rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod create: true tags: - audit_rules_dac_modification_chmod @@ -1337,12 +1225,15 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030410 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + - name: Inserts/replaces the chmod rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_chmod - unknown_severity @@ -1362,9 +1253,10 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030410 + - name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules tags: 
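Review bot: The x86 chmod rules.d task is gated only on the docker check, so a `-F arch=b32 -S chmod` rule is written on every architecture, including 64-bit hosts whose kernel offers no 32-bit compat syscall table; on such a host auditctl may reject the b32 line when the rules are loaded, although I cannot confirm the per-platform behaviour from this diff. Consider adding `ansible_architecture in ['i386', 'i686', 'x86_64']` to the `when:` of the b32 tasks, or at least a comment above the task stating that a 32-bit ABI is assumed to exist. The x86 task's `name:` and `lineinfile:` lie before the start of this hunk.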
@@ -1386,13 +1278,16 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030410 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + - name: Inserts/replaces the chmod rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - audit_rules_dac_modification_chmod - unknown_severity 
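Review bot: Editing `/etc/audit/audit.rules` only changes the on-disk rule set; nothing in this hunk reloads it, so the x86_64 chmod rule becomes active at the next `augenrules --load` or auditd restart rather than when the play finishes, and a scan run right after the play can pass while the kernel rule is still missing. If the role has a handler for this, add `notify: reload audit rules` (with the handler's real name) to each `lineinfile` task; if not, one that runs `augenrules --load` is needed, and I cannot see the handlers directory from this diff. The `tags:` list of this task continues past the hunk.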
@@ -1412,38 +1307,43 @@ - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - DISA-STIG-RHEL-07-030410 -- name: Set architecture for audit removexattr tasks + +- name: Set architecture for audit lremovexattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_removexattr + register: find_lremovexattr + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_removexattr.matched == 0 + when: find_lremovexattr.matched == 0 + - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' - when: find_removexattr.matched > 0 -- name: Inserts/replaces the removexattr rule in rules.d when on x86 + - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' + when: find_lremovexattr.matched > 0 + +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true tags: - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27367-2 + - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
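Review bot: The lremovexattr rules.d `lineinfile` carries `line:` without `regexp:`, so the task named `Inserts/replaces` only ever inserts: an existing `-S lremovexattr ... -F auid!=4294967295 ...` line is left in place and the `auid!=unset` spelling is appended after it, which gives two rules the kernel treats as identical (`unset` is the symbolic name for 4294967295) and, as far as I recall, a "Rule exists" error when augenrules loads the merged file. Add `regexp: '^-a always,exit -F arch=b32 -S lremovexattr .*-F key=perm_mod$'` so the old spelling is rewritten in place. The `tags:` list of this task continues beyond the hunk.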
@@ -1455,20 +1355,23 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 -- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 + - DISA-STIG-RHEL-07-030490 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27367-2 + - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1480,19 +1383,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 -- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 + - DISA-STIG-RHEL-07-030490 + +- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27367-2 + - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1504,21 +1408,24 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 -- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 + - DISA-STIG-RHEL-07-030490 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_lremovexattr - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27367-2 + - CCE-27410-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1530,39 +1437,44 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 -- name: Set architecture for audit lsetxattr tasks + - DISA-STIG-RHEL-07-030490 + +- name: Set architecture for audit fchmodat tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_lsetxattr + register: find_fchmodat + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_lsetxattr.matched == 0 + when: find_fchmodat.matched == 0 + - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' - when: find_lsetxattr.matched > 0 -- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 + - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}' + when: find_fchmodat.matched > 0 + +- name: Inserts/replaces the fchmodat rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod create: true tags: - - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_fchmodat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27280-7 + - CCE-27388-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
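Review bot: The `find` that picks the recipient file for the fchmodat rule uses `contains: -F key=perm_mod$`, a regex with no start anchor and no exclusion of comments, so a `*.rules` file whose only perm_mod entry is commented out (`#-a ... -F key=perm_mod`) still qualifies and can become the file the live rule is written to. Anchoring it to an active rule, `contains: '^-a .*-F key=perm_mod$'`, limits the match to lines auditctl will actually load. The fchmodat x86 task's `tags:` list continues past the end of the hunk.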
@@ -1574,20 +1486,23 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 -- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 + - DISA-STIG-RHEL-07-030430 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_fchmodat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27280-7 + - CCE-27388-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1599,19 +1514,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 -- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 + - DISA-STIG-RHEL-07-030430 + +- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_fchmodat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27280-7 + - CCE-27388-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
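Review bot: The x86_64 task folds two unrelated conditions into one string, `when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")`, while the x86 task directly above writes its guard as a `when:` list; writing the b64 guard as `when:` / `  - audit_arch == 'b64'` / `  - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")` keeps the pair consistent and lets a further condition be added as one line. The same string form is used in the lremovexattr hunk above and in the x86_64 fchmodat and fchownat tasks that follow.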
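Review bot: `Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86` sets `dest: /etc/audit/audit.rules` and `state: present` but, unlike its x86_64 counterpart in the next hunk, carries no `create: true`, so on a host where /etc/audit/audit.rules does not exist the b32 task fails while the b64 task silently creates the file. Adding `create: true` to the b32 task, or dropping it from the b64 one if the file is expected to be present, makes the pair behave the same way. The same asymmetry is in the fchownat audit.rules pair further down.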
@@ -1623,21 +1539,24 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 -- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 + - DISA-STIG-RHEL-07-030430 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_fchmodat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27280-7 + - CCE-27388-8 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
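Review bot: The fchmodat rule is written to /etc/audit/audit.rules (and to rules.d in the preceding hunks) but nothing in the hunk notifies a handler to load it, so the rule only takes effect after the audit rules are reloaded out of band or at the next boot; if the role defines no such handler elsewhere (the handlers are not visible from this hunk), a `notify: reload audit rules` on each rule-writing task, backed by a handler that runs `augenrules --load`, would close that gap. Writing the same rule both into a rules.d file and directly into audit.rules also means that on hosts where audit.rules is regenerated from rules.d the direct edit is overwritten on the next regeneration, which is harmless here because both copies carry the rule but deserves a comment above the task. The fchownat x86_64 audit.rules task in the last hunk of this view has the same shape.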
@@ -1649,39 +1568,44 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 -- name: Set architecture for audit chown tasks + - DISA-STIG-RHEL-07-030430 + +- name: Set architecture for audit fchownat tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + - name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_chown + register: find_fchownat + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules - when: find_chown.matched == 0 + when: find_fchownat.matched == 0 + - name: Use matched file as the recipient for the rule set_fact: - all_files: - - '{{ find_chown.files | map(attribute=''path'') | list | first }}' - when: find_chown.matched > 0 -- name: Inserts/replaces the chown rule in rules.d when on x86 + all_files: + - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' + when: find_fchownat.matched > 0 + +- name: Inserts/replaces the fchownat rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod create: true tags: - - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchownat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27364-9 + - CCE-27387-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
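Review bot: `audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}` yields `b64` only when the architecture string ends in two digits; for a value such as `ppc64le` the pattern does not match, `regex_replace` returns the input unchanged, the fact becomes `bppc64le`, and the `when: audit_arch == 'b64'` on the x86_64 tasks silently skips the 64-bit rule. If the role only targets x86_64 this is moot, otherwise deriving the fact from the userspace width, `audit_arch: "{{ 'b64' if ansible_userspace_bits == '64' else 'b32' }}"`, covers the other 64-bit architectures as well. The same fact is recomputed unchanged at the top of every syscall section (fchmodat in the earlier hunk, fchownat here) although it is host-invariant; setting it once at the start of the role would remove that duplication.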
@@ -1693,20 +1617,23 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030370 -- name: Inserts/replaces the chown rule in rules.d when on x86_64 + - DISA-STIG-RHEL-07-030400 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fchownat rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchownat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27364-9 + - CCE-27387-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) @@ -1718,19 +1645,20 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030370 -- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86 + - DISA-STIG-RHEL-07-030400 + +- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchownat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27364-9 + - CCE-27387-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
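Review bot: Each syscall gets a rule of its own, `-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod`, although the surrounding DAC-modification sections (chown, fchmodat, lremovexattr) use identical filters and the same `perm_mod` key; the auditctl man page recommends listing several syscalls in one rule (for example `-S chown,fchown,fchownat,lchown`) because the kernel evaluates every loaded rule on every syscall exit, so one rule per syscall costs more than one combined rule. This would change the per-syscall find-and-insert approach used throughout these hunks, so it is a design note rather than a blocker, but it should be recorded in the role documentation as a known trade-off.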
@@ -1742,21 +1670,24 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030370 -- name: Inserts/replaces the chown rule in audit.rules when on x86_64 + - DISA-STIG-RHEL-07-030400 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true - when: audit_arch == 'b64' + when: audit_arch == 'b64' and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchownat - unknown_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27364-9 + - CCE-27387-0 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) 
@@ -1768,1296 +1699,1560 @@ - NIST-800-171-3.1.7 - PCI-DSS-Req-10.5.5 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030370 -- name: Set architecture for audit fremovexattr tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_fremovexattr -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_fremovexattr.matched == 0 -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' - when: find_fremovexattr.matched > 0 -- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - create: true + - DISA-STIG-RHEL-07-030400 + +- name: Search for privileged commands + shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat + check_mode: false + register: find_result tags: - - audit_rules_dac_modification_fremovexattr + - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27353-2 + - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-2(4) + - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 -- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fremovexattr -F 
auid>=1000 -F auid!=4294967295 -F key=perm_mod - create: true - when: audit_arch == 'b64' + - DISA-STIG-RHEL-07-030360 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path={{ item }} .*$ + patterns: '*.rules' + with_items: + - '{{ find_result.stdout_lines }}' + register: files_result tags: - - audit_rules_dac_modification_fremovexattr + - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27353-2 + - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-2(4) + - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 -- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 + - DISA-STIG-RHEL-07-030360 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Overwrites the rule in rules.d lineinfile: - line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + path: '{{ item.1.path }}' + line: -a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + create: false + regexp: ^.*path={{ item.0.item }} .*$ + with_subelements: + - '{{ files_result.results }}' + - files tags: - - audit_rules_dac_modification_fremovexattr + - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27353-2 + - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-2(4) + - 
NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 -- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 + - DISA-STIG-RHEL-07-030360 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Adds the rule in rules.d lineinfile: - line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + path: /etc/audit/rules.d/privileged.rules + line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true - when: audit_arch == 'b64' + with_items: + - '{{ files_result.results }}' + when: item.matched == 0 and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - audit_rules_dac_modification_fremovexattr + - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27353-2 + - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-2(4) + - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 -- name: Set architecture for audit lremovexattr tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_lremovexattr -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: 
find_lremovexattr.matched == 0 -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' - when: find_lremovexattr.matched > 0 -- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 + - DISA-STIG-RHEL-07-030360 + +- name: Inserts/replaces the rule in audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + path: /etc/audit/audit.rules + line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true + regexp: ^.*path={{ item.item }} .*$ + with_items: + - '{{ files_result.results }}' tags: - - audit_rules_dac_modification_lremovexattr + - audit_rules_privileged_commands - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27410-0 + - CCE-27437-3 - NIST-800-53-AC-17(7) - NIST-800-53-AU-1(b) - NIST-800-53-AU-2(a) - NIST-800-53-AU-2(c) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-2(4) + - NIST-800-53-AU-6(9) - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - NIST-800-53-IR-5 - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - PCI-DSS-Req-10.2.2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 -- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 + - DISA-STIG-RHEL-07-030360 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Configure auditd Max Log File Size lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - create: true - when: audit_arch == 'b64' + dest: /etc/audit/auditd.conf + regexp: ^\s*max_log_file\s*=\s*.*$ + line: max_log_file = {{ var_auditd_max_log_file }} + state: present tags: - - audit_rules_dac_modification_lremovexattr + - auditd_data_retention_max_log_file - medium_severity - restrict_strategy - low_complexity - 
low_disruption - - CCE-27410-0 - - NIST-800-53-AC-17(7) + - CCE-27319-3 - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) + - NIST-800-53-AU-11 - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - PCI-DSS-Req-10.7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 -- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Configure auditd mail_acct Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: action_mail_acct = {{ var_auditd_action_mail_acct }} + state: present + tags: + - auditd_data_retention_action_mail_acct + - medium_severity + - restrict_strategy + - low_complexity + - low_disruption + - CCE-27394-6 + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-4 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(a) + - NIST-800-53-IR-5 + - NIST-800-171-3.3.1 + - PCI-DSS-Req-10.7.a + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030350 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Configure auditd Number of Logs Retained + lineinfile: + dest: /etc/audit/auditd.conf + line: num_logs = {{ var_auditd_num_logs }} + regexp: ^\s*num_logs\s*=\s*.*$ + state: present + tags: + - auditd_data_retention_num_logs + - medium_severity + - restrict_strategy + - low_complexity + - low_disruption + - CCE-27348-2 + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-11 + - NIST-800-53-IR-5 + - NIST-800-171-3.3.1 + - PCI-DSS-Req-10.7 + - CJIS-5.4.1.1 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size + lineinfile: + dest: /etc/audit/auditd.conf + line: max_log_file_action = {{ var_auditd_max_log_file_action }} + regexp: ^\s*max_log_file_action\s*=\s*.*$ + state: present + tags: 
+ - auditd_data_retention_max_log_file_action + - medium_severity + - restrict_strategy + - low_complexity + - low_disruption + - CCE-27231-0 + - NIST-800-53-AU-1(b) + - NIST-800-53-AU-4 + - NIST-800-53-AU-11 + - NIST-800-53-IR-5 + - PCI-DSS-Req-10.7 + - CJIS-5.4.1.1 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Configure auditd space_left Action on Low Disk Space lineinfile: - line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + dest: /etc/audit/auditd.conf + line: space_left_action = {{ var_auditd_space_left_action }} + regexp: ^\s*space_left_action\s*=\s*.*$ state: present - dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_lremovexattr + - auditd_data_retention_space_left_action - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27410-0 - - NIST-800-53-AC-17(7) + - CCE-27375-5 - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) + - NIST-800-53-AU-4 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(b) - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - NIST-800-171-3.3.1 + - PCI-DSS-Req-10.7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 -- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Configure auditd admin_space_left Action on Low Disk Space lineinfile: - line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + dest: /etc/audit/auditd.conf + line: admin_space_left_action = {{ var_auditd_admin_space_left_action }} + regexp: ^\s*admin_space_left_action\s*=\s*.*$ state: present - dest: /etc/audit/audit.rules - create: true - when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_lremovexattr + - 
auditd_data_retention_admin_space_left_action - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27410-0 - - NIST-800-53-AC-17(7) + - CCE-27370-6 - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) + - NIST-800-53-AU-4 + - NIST-800-53-AU-5(b) - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - NIST-800-171-3.3.1 + - PCI-DSS-Req-10.7 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 -- name: Set architecture for audit fchmod tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_fchmod -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_fchmod.matched == 0 -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}' - when: find_fchmod.matched > 0 -- name: Inserts/replaces the fchmod rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - create: true + - DISA-STIG-RHEL-07-030340 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Enable service auditd + service: + name: auditd + enabled: 'yes' + state: started tags: - - audit_rules_dac_modification_fchmod - - unknown_severity - - restrict_strategy + - service_auditd_enabled + - high_severity + - enable_strategy - low_complexity - low_disruption - - CCE-27393-8 - - NIST-800-53-AC-17(7) + - CCE-27407-6 + - NIST-800-53-AU-3 + - NIST-800-53-AC-17(1) - NIST-800-53-AU-1(b) - - 
NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) + - NIST-800-53-AU-10 - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) + - NIST-800-53-AU-14(1) - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 + - NIST-800-171-3.3.1 + - NIST-800-171-3.3.2 + - NIST-800-171-3.3.6 + - PCI-DSS-Req-10.1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 -- name: Inserts/replaces the fchmod rule in rules.d when on x86_64 + - DISA-STIG-RHEL-07-030000 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Set Account Expiration Following Inactivity lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod create: true - when: audit_arch == 'b64' + dest: /etc/default/useradd + regexp: ^INACTIVE + line: INACTIVE={{ var_account_disable_post_pw_expiration }} tags: - - audit_rules_dac_modification_fchmod - - unknown_severity + - account_disable_post_pw_expiration + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27393-8 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 -- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 + - CCE-27355-7 + - NIST-800-53-AC-2(2) + - NIST-800-53-AC-2(3) + - NIST-800-53-IA-4(e) + - NIST-800-171-3.5.6 + - PCI-DSS-Req-8.1.4 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010310 + +- name: Prevent Log In to Accounts With Empty Password - system-auth + replace: + dest: /etc/pam.d/system-auth + follow: true + regexp: nullok + tags: + - no_empty_passwords + - high_severity + - configure_strategy + - low_complexity + - medium_disruption + - CCE-27286-4 + - NIST-800-53-AC-6 + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - 
NIST-800-53-IA-5(1)(a) + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - PCI-DSS-Req-8.2.3 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-010290 + +- name: Prevent Log In to Accounts With Empty Password - password-auth + replace: + dest: /etc/pam.d/password-auth + follow: true + regexp: nullok + tags: + - no_empty_passwords + - high_severity + - configure_strategy + - low_complexity + - medium_disruption + - CCE-27286-4 + - NIST-800-53-AC-6 + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - NIST-800-53-IA-5(1)(a) + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - PCI-DSS-Req-8.2.3 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-010290 + +- name: Set Password Maximum Age lineinfile: - line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + create: true + dest: /etc/login.defs + regexp: ^#?PASS_MAX_DAYS + line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} tags: - - audit_rules_dac_modification_fchmod - - unknown_severity + - accounts_maximum_age_login_defs + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27393-8 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 -- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true - when: audit_arch == 'b64' + - CCE-27051-2 + - NIST-800-53-IA-5(f) + - NIST-800-53-IA-5(g) + - NIST-800-53-IA-5(1)(d) + - NIST-800-171-3.5.6 + - PCI-DSS-Req-8.2.4 + - CJIS-5.6.2.1 + - DISA-STIG-RHEL-07-010250 + +- name: Do not allow users to reuse recent passwords - system-auth (change) + replace: + dest: /etc/pam.d/system-auth + 
follow: true + regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ + replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> + tags: + - accounts_password_pam_unix_remember + - medium_severity + - configure_strategy + - low_complexity + - medium_disruption + - CCE-26923-3 + - NIST-800-53-IA-5(f) + - NIST-800-53-IA-5(1)(e) + - NIST-800-171-3.5.8 + - PCI-DSS-Req-8.2.5 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010270 + +- name: Do not allow users to reuse recent passwords - system-auth (add) + replace: + dest: /etc/pam.d/system-auth + follow: true + regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ + replace: \g<0> remember={{ var_password_pam_unix_remember }} + tags: + - accounts_password_pam_unix_remember + - medium_severity + - configure_strategy + - low_complexity + - medium_disruption + - CCE-26923-3 + - NIST-800-53-IA-5(f) + - NIST-800-53-IA-5(1)(e) + - NIST-800-171-3.5.8 + - PCI-DSS-Req-8.2.5 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010270 + +- name: set auth pam_faillock before pam_unix.so + pamd: + name: system-auth + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: required + new_module_path: pam_faillock.so + module_arguments: 'preauth silent deny: {{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time + }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' + state: before tags: - - audit_rules_dac_modification_fchmod - - unknown_severity + - accounts_passwords_pam_faillock_deny + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27393-8 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 -- name: Set architecture for audit fchmodat tasks 
- set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_fchmodat -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_fchmodat.matched == 0 -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}' - when: find_fchmodat.matched > 0 -- name: Inserts/replaces the fchmodat rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - create: true + - CCE-27350-8 + - NIST-800-53-AC-7(b) + - NIST-800-171-3.1.8 + - PCI-DSS-Req-8.1.6 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 + +- name: set auth pam_faillock after pam_unix.so + pamd: + name: system-auth + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: 'preauth silent deny: {{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time + }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' + state: after tags: - - audit_rules_dac_modification_fchmodat - - unknown_severity + - accounts_passwords_pam_faillock_deny + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27388-8 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 -- name: 
Inserts/replaces the fchmodat rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - create: true - when: audit_arch == 'b64' + - CCE-27350-8 + - NIST-800-53-AC-7(b) + - NIST-800-171-3.1.8 + - PCI-DSS-Req-8.1.6 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 + +- name: set account pam_faillock before pam_unix.so + pamd: + name: system-auth + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: required + new_module_path: pam_faillock.so + state: before tags: - - audit_rules_dac_modification_fchmodat - - unknown_severity + - accounts_passwords_pam_faillock_deny + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27388-8 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 -- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 + - CCE-27350-8 + - NIST-800-53-AC-7(b) + - NIST-800-171-3.1.8 + - PCI-DSS-Req-8.1.6 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 + +- name: Set Password Hashing Algorithm in /etc/login.defs lineinfile: - line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + dest: /etc/login.defs + regexp: ^#?ENCRYPT_METHOD + line: ENCRYPT_METHOD SHA512 state: present - dest: /etc/audit/audit.rules tags: - - audit_rules_dac_modification_fchmodat - - unknown_severity + - set_password_hashing_algorithm_logindefs + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27388-8 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - 
NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 -- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 + - CCE-27124-7 + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-7 + - NIST-800-171-3.13.11 + - PCI-DSS-Req-8.2.1 + - CJIS-5.6.2.2 + - DISA-STIG-RHEL-07-010210 + +- name: Set Password Hashing Algorithm in /etc/libuser.conf lineinfile: - line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + dest: /etc/libuser.conf + insertafter: ^\s*\[defaults] + regexp: ^#?crypt_style + line: crypt_style = sha512 state: present - dest: /etc/audit/audit.rules + tags: + - set_password_hashing_algorithm_libuserconf + - medium_severity + - restrict_strategy + - low_complexity + - low_disruption + - CCE-27053-8 + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-7 + - NIST-800-171-3.13.11 + - PCI-DSS-Req-8.2.1 + - CJIS-5.6.2.2 + - DISA-STIG-RHEL-07-010220 + +- name: Ensure PAM variable ucredit is set accordingly + lineinfile: create: true - when: audit_arch == 'b64' + dest: /etc/security/pwquality.conf + regexp: ^#?\s*ucredit + line: ucredit = {{ var_password_pam_ucredit }} tags: - - audit_rules_dac_modification_fchmodat - - unknown_severity + - accounts_password_pam_ucredit + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27388-8 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 -- name: Set architecture for audit fsetxattr tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - 
recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_fsetxattr -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_fsetxattr.matched == 0 -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' - when: find_fsetxattr.matched > 0 -- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 + - CCE-27200-5 + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - NIST-800-53-IA-5(1)(a) + - PCI-DSS-Req-8.2.3 + - DISA-STIG-RHEL-07-010120 + +- name: Ensure PAM variable minlen is set accordingly lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*minlen + line: minlen = {{ var_password_pam_minlen }} tags: - - audit_rules_dac_modification_fsetxattr - - unknown_severity + - accounts_password_pam_minlen + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27389-6 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 -- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 + - CCE-27293-0 + - NIST-800-53-IA-5(1)(a) + - PCI-DSS-Req-8.2.3 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010280 + +- name: Ensure PAM variable lcredit is set accordingly lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod create: true - when: audit_arch == 'b64' + dest: /etc/security/pwquality.conf + regexp: ^#?\s*lcredit + line: lcredit 
= {{ var_password_pam_lcredit }} tags: - - audit_rules_dac_modification_fsetxattr - - unknown_severity + - accounts_password_pam_lcredit + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27389-6 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 -- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 + - CCE-27345-8 + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - NIST-800-53-IA-5(1)(a) + - PCI-DSS-Req-8.2.3 + - DISA-STIG-RHEL-07-010130 + +- name: Ensure PAM variable dcredit is set accordingly lineinfile: - line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*dcredit + line: dcredit = {{ var_password_pam_dcredit }} tags: - - audit_rules_dac_modification_fsetxattr - - unknown_severity + - accounts_password_pam_dcredit + - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27389-6 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 -- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + - CCE-27214-6 + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(b) + - NIST-800-53-IA-5(c) + - NIST-800-53-194 + - PCI-DSS-Req-8.2.3 + - DISA-STIG-RHEL-07-010140 + +- name: Implement Blank Screensaver + 
ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: picture-uri + value: string '' create: true - when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fsetxattr + - dconf_gnome_screensaver_mode_blank - unknown_severity - - restrict_strategy + - unknown_strategy - low_complexity - - low_disruption - - CCE-27389-6 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 -- name: Set architecture for audit fchown tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_fchown -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: find_fchown.matched == 0 -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_fchown.files | map(attribute=''path'') | list | first }}' - when: find_fchown.matched > 0 -- name: Inserts/replaces the fchown rule in rules.d when on x86 + - medium_disruption + - CCE-80113-4 + - NIST-800-53-AC-11(b) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Prevent user modification of GNOME picture-uri lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/picture-uri + line: 
/org/gnome/desktop/screensaver/picture-uri create: true tags: - - audit_rules_dac_modification_fchown + - dconf_gnome_screensaver_mode_blank - unknown_severity - - restrict_strategy + - unknown_strategy - low_complexity - - low_disruption - - CCE-27356-5 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 -- name: Inserts/replaces the fchown rule in rules.d when on x86_64 + - medium_disruption + - CCE-80113-4 + - NIST-800-53-AC-11(b) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Set GNOME3 Screensaver Inactivity Timeout + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: idle-delay + value: '{{ inactivity_timeout_value }}' + create: true + tags: + - dconf_gnome_screensaver_idle_delay + - medium_severity + - unknown_strategy + - low_complexity + - medium_disruption + - CCE-80110-0 + - NIST-800-53-AC-11(a) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010070 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Prevent user modification of GNOME idle-delay lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/idle-delay + line: /org/gnome/desktop/screensaver/idle-delay create: true - when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fchown - - unknown_severity - - restrict_strategy + - dconf_gnome_screensaver_idle_delay + - medium_severity + - unknown_strategy - 
low_complexity - - low_disruption - - CCE-27356-5 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 -- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 + - medium_disruption + - CCE-80110-0 + - NIST-800-53-AC-11(a) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010070 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Enable GNOME3 Screensaver Lock After Idle Period + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: lock-enabled + value: 'true' + create: true + tags: + - dconf_gnome_screensaver_lock_enabled + - medium_severity + - unknown_strategy + - low_complexity + - medium_disruption + - CCE-80112-6 + - NIST-800-53-AC-11(b) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Prevent user modification of GNOME lock-enabled lineinfile: - line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-enabled + line: /org/gnome/desktop/screensaver/lock-enabled + create: true tags: - - audit_rules_dac_modification_fchown - - unknown_severity - - restrict_strategy + - dconf_gnome_screensaver_lock_enabled + - medium_severity + - unknown_strategy - low_complexity - - low_disruption - - CCE-27356-5 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - 
NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 -- name: Inserts/replaces the fchown rule in audit.rules when on x86_64 + - medium_disruption + - CCE-80112-6 + - NIST-800-53-AC-11(b) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Enable GNOME3 Screensaver Idle Activation + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: idle_activation_enabled + value: 'true' + create: true + tags: + - dconf_gnome_screensaver_idle_activation_enabled + - medium_severity + - unknown_strategy + - low_complexity + - medium_disruption + - CCE-80111-8 + - NIST-800-53-AC-11(a) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010100 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Prevent user modification of GNOME idle_activation_enabled lineinfile: - line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled + line: /org/gnome/desktop/screensaver/idle-activation-enabled create: true - when: audit_arch == 'b64' tags: - - audit_rules_dac_modification_fchown - - unknown_severity - - restrict_strategy + - dconf_gnome_screensaver_idle_activation_enabled + - medium_severity + - unknown_strategy - low_complexity - - low_disruption - - CCE-27356-5 - - NIST-800-53-AC-17(7) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-2(a) - - NIST-800-53-AU-2(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-IR-5 - - NIST-800-171-3.1.7 - - PCI-DSS-Req-10.5.5 
- - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 -- name: XCCDF Value var_auditd_max_log_file + - medium_disruption + - CCE-80111-8 + - NIST-800-53-AC-11(a) + - NIST-800-171-3.1.10 + - PCI-DSS-Req-8.1.8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010100 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: 'Set fact: Package manager reinstall command (dnf)' set_fact: - var_auditd_max_log_file: '6' + package_manager_reinstall_cmd: dnf reinstall -y + when: ansible_distribution == "Fedora" and True tags: - - always -- name: Configure auditd Max Log File Size - lineinfile: - dest: /etc/audit/auditd.conf - regexp: ^\s*max_log_file\s*=\s*.*$ - line: max_log_file = {{ var_auditd_max_log_file }} + - rpm_verify_hashes + - high_severity + - unknown_strategy + - high_complexity + - medium_disruption + - CCE-27157-7 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SI-7(1) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 + +- name: 'Set fact: Package manager reinstall command (yum)' + set_fact: + package_manager_reinstall_cmd: yum reinstall -y + when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") and True + tags: + - rpm_verify_hashes + - high_severity + - unknown_strategy + - high_complexity + - medium_disruption + - CCE-27157-7 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SI-7(1) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 + +- name: Read files with incorrect hash + shell: rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}' + args: + warn: false + register: files_with_incorrect_hash + changed_when: false + when: (package_manager_reinstall_cmd is defined) and True + check_mode: false + tags: + - rpm_verify_hashes + - high_severity + - unknown_strategy + - high_complexity + - medium_disruption + - CCE-27157-7 + - 
NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SI-7(1) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 + +- name: Reinstall packages of files with incorrect hash + shell: '{{package_manager_reinstall_cmd}} $(rpm -qf ''{{item}}'')' + args: + warn: false + with_items: '{{ files_with_incorrect_hash.stdout_lines }}' + when: (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) and True + tags: + - rpm_verify_hashes + - high_severity + - unknown_strategy + - high_complexity + - medium_disruption + - CCE-27157-7 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SI-7(1) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 + +- name: Read list of files with incorrect permissions + shell: rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }' + args: + warn: false + register: files_with_incorrect_permissions + failed_when: false + changed_when: false + check_mode: false + tags: + - rpm_verify_permissions + - high_severity + - restrict_strategy + - high_complexity + - medium_disruption + - CCE-27209-6 + - NIST-800-53-AC-6 + - NIST-800-53-AU-9(1) + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010010 + +- name: Correct file permissions with RPM + shell: rpm --quiet --setperms $(rpm -qf '{{item}}') + args: + warn: false + with_items: '{{ files_with_incorrect_permissions.stdout_lines }}' + when: (files_with_incorrect_permissions.stdout_lines | length > 0) and True + tags: + - rpm_verify_permissions + - high_severity + - restrict_strategy + - high_complexity + - medium_disruption + - CCE-27209-6 + - NIST-800-53-AC-6 + - NIST-800-53-AU-9(1) + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-171-3.3.8 + - 
NIST-800-171-3.4.1 + - PCI-DSS-Req-11.5 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010010 + +- name: Ensure aide is installed + package: + name: aide state: present tags: - - auditd_data_retention_max_log_file + - package_aide_installed - medium_severity - - restrict_strategy + - enable_strategy - low_complexity - low_disruption - - CCE-27319-3 - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-11 - - NIST-800-53-IR-5 - - PCI-DSS-Req-10.7 - - CJIS-5.4.1.1 -- name: XCCDF Value var_auditd_max_log_file_action - set_fact: - var_auditd_max_log_file_action: rotate - tags: - - always -- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size - lineinfile: - dest: /etc/audit/auditd.conf - line: max_log_file_action = {{ var_auditd_max_log_file_action }} - regexp: ^\s*max_log_file_action\s*=\s*.*$ + - CCE-27096-7 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + +- name: Ensure AIDE is installed + package: + name: '{{item}}' state: present + with_items: + - aide tags: - - auditd_data_retention_max_log_file_action + - aide_build_database - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27231-0 - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-4 - - NIST-800-53-AU-11 - - NIST-800-53-IR-5 - - PCI-DSS-Req-10.7 - - CJIS-5.4.1.1 -- name: XCCDF Value var_auditd_space_left_action - set_fact: - var_auditd_space_left_action: email - tags: - - always -- name: Configure auditd space_left Action on Low Disk Space - lineinfile: - dest: /etc/audit/auditd.conf - line: space_left_action = {{ var_auditd_space_left_action }} - regexp: ^\s*space_left_action\s*=\s*.*$ - state: present + - CCE-27220-3 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + +- name: Build and Test AIDE Database + shell: /usr/sbin/aide 
--init tags: - - auditd_data_retention_space_left_action + - aide_build_database - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27375-5 - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-4 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(b) - - NIST-800-53-IR-5 - - NIST-800-171-3.3.1 - - PCI-DSS-Req-10.7 - - CJIS-5.4.1.1 -- name: XCCDF Value var_auditd_admin_space_left_action - set_fact: - var_auditd_admin_space_left_action: single - tags: - - always -- name: Configure auditd admin_space_left Action on Low Disk Space - lineinfile: - dest: /etc/audit/auditd.conf - line: admin_space_left_action = {{ var_auditd_admin_space_left_action }} - regexp: ^\s*admin_space_left_action\s*=\s*.*$ - state: present + - CCE-27220-3 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + +- name: Check whether the stock AIDE Database exists + stat: + path: /var/lib/aide/aide.db.new.gz + register: aide_database_stat tags: - - auditd_data_retention_admin_space_left_action + - aide_build_database - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27370-6 - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-4 - - NIST-800-53-AU-5(b) - - NIST-800-53-IR-5 - - NIST-800-171-3.3.1 - - PCI-DSS-Req-10.7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030340 -- name: XCCDF Value var_auditd_action_mail_acct - set_fact: - var_auditd_action_mail_acct: root - tags: - - always -- name: Configure auditd mail_acct Action on Low Disk Space - lineinfile: - dest: /etc/audit/auditd.conf - line: action_mail_acct = {{ var_auditd_action_mail_acct }} - state: present + - CCE-27220-3 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + +- name: Stage AIDE Database + copy: + src: /var/lib/aide/aide.db.new.gz + dest: 
/var/lib/aide/aide.db.gz + backup: true + remote_src: true + when: (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists) and True tags: - - auditd_data_retention_action_mail_acct + - aide_build_database - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27394-6 - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-4 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(a) - - NIST-800-53-IR-5 - - NIST-800-171-3.3.1 - - PCI-DSS-Req-10.7.a - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030350 -- name: XCCDF Value var_auditd_num_logs - set_fact: - var_auditd_num_logs: '5' - tags: - - always -- name: Configure auditd Number of Logs Retained - lineinfile: - dest: /etc/audit/auditd.conf - line: num_logs = {{ var_auditd_num_logs }} - regexp: ^\s*num_logs\s*=\s*.*$ + - CCE-27220-3 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + +- name: Ensure AIDE is installed + package: + name: '{{item}}' state: present + with_items: + - aide tags: - - auditd_data_retention_num_logs + - aide_periodic_cron_checking - medium_severity - restrict_strategy - low_complexity - low_disruption - - CCE-27348-2 - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-11 - - NIST-800-53-IR-5 - - NIST-800-171-3.3.1 - - PCI-DSS-Req-10.7 - - CJIS-5.4.1.1 -- name: Enable service auditd - service: - name: auditd - enabled: 'yes' - state: started + - CCE-26952-2 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-3(5) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + - DISA-STIG-RHEL-07-020030 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Configure Periodic Execution of AIDE + cron: + name: run AIDE check + minute: 5 + hour: 4 + weekday: 0 + user: root + job: /usr/sbin/aide --check tags: - - 
service_auditd_enabled - - high_severity - - enable_strategy + - aide_periodic_cron_checking + - medium_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-27407-6 - - NIST-800-53-AU-3 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-1(b) - - NIST-800-53-AU-10 - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-14(1) - - NIST-800-53-IR-5 - - NIST-800-171-3.3.1 - - NIST-800-171-3.3.2 - - NIST-800-171-3.3.6 - - PCI-DSS-Req-10.1 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030000 -- name: Test for existence /boot/grub2/grub.cfg + - CCE-26952-2 + - NIST-800-53-CM-3(d) + - NIST-800-53-CM-3(e) + - NIST-800-53-CM-3(5) + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + - DISA-STIG-RHEL-07-020030 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + +- name: Does prelink file exist stat: - path: /boot/grub2/grub.cfg - register: file_exists -- name: Ensure group owner 0 on /boot/grub2/grub.cfg - file: - path: /boot/grub2/grub.cfg - group: 0 - when: file_exists.stat.exists + path: /etc/sysconfig/prelink + register: prelink_exists tags: - - file_groupowner_grub2_cfg - - medium_severity - - configure_strategy + - disable_prelink + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-26812-8 - - NIST-800-53-AC-6(7) - - NIST-800-171-3.4.5 - - PCI-DSS-Req-7.1 - - CJIS-5.5.2.2 -- name: Test for existence /boot/grub2/grub.cfg - stat: - path: /boot/grub2/grub.cfg - register: file_exists -- name: Ensure owner 0 on /boot/grub2/grub.cfg - file: - path: /boot/grub2/grub.cfg - owner: 0 - when: file_exists.stat.exists + - CCE-27078-5 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - NIST-800-171-3.13.11 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + +- name: disable prelinking + lineinfile: + path: /etc/sysconfig/prelink + regexp: ^PRELINKING= + line: PRELINKING=no + when: 
prelink_exists.stat.exists == True and True tags: - - file_owner_grub2_cfg - - medium_severity - - configure_strategy + - disable_prelink + - unknown_severity + - restrict_strategy - low_complexity - low_disruption - - CCE-26860-7 - - NIST-800-53-AC-6(7) - - NIST-800-171-3.4.5 - - PCI-DSS-Req-7.1 - - CJIS-5.5.2.2 -- name: XCCDF Value var_password_pam_unix_remember - set_fact: - var_password_pam_unix_remember: '4' + - CCE-27078-5 + - NIST-800-53-CM-6(d) + - NIST-800-53-CM-6(3) + - NIST-800-53-SC-28 + - NIST-800-53-SI-7 + - NIST-800-171-3.13.11 + - PCI-DSS-Req-11.5 + - CJIS-5.10.1.3 + +- name: Security patches are up to date + package: + name: '*' + state: latest tags: - - always -- name: Do not allow users to reuse recent passwords - system-auth (change) - replace: - dest: /etc/pam.d/system-auth - follow: true - regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ - replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> + - security_patches_up_to_date + - high_severity + - patch_strategy + - low_complexity + - high_disruption + - CCE-26895-3 + - NIST-800-53-SI-2 + - NIST-800-53-SI-2(c) + - NIST-800-53-MA-1(b) + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020260 + +- name: Find All yum Repositories + find: + paths: /etc/yum.repos.d/ + patterns: '*.repo' + register: yum_find + +- name: Ensure gpgcheck Enabled For All yum Package Repositories + with_items: '{{ yum_find.files }}' + lineinfile: + create: true + dest: '{{ item.path }}' + regexp: ^gpgcheck + line: gpgcheck=1 tags: - - accounts_password_pam_unix_remember - - medium_severity - - configure_strategy + - ensure_gpgcheck_never_disabled + - high_severity + - unknown_strategy - low_complexity - medium_disruption - - CCE-26923-3 - - NIST-800-53-IA-5(f) - - NIST-800-53-IA-5(1)(e) - - NIST-800-171-3.5.8 - - PCI-DSS-Req-8.2.5 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010270 -- name: Do not allow users to reuse recent passwords - system-auth (add) - replace: - dest: 
/etc/pam.d/system-auth - follow: true - regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ - replace: \g<0> remember={{ var_password_pam_unix_remember }} + - CCE-26876-3 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + +- name: Read permission of GPG key directory + stat: + path: /etc/pki/rpm-gpg/ + register: gpg_key_directory_permission + check_mode: false tags: - - accounts_password_pam_unix_remember - - medium_severity - - configure_strategy - - low_complexity + - ensure_redhat_gpgkey_installed + - high_severity + - restrict_strategy + - medium_complexity - medium_disruption - - CCE-26923-3 - - NIST-800-53-IA-5(f) - - NIST-800-53-IA-5(1)(e) - - NIST-800-171-3.5.8 - - PCI-DSS-Req-8.2.5 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010270 -- name: XCCDF Value var_accounts_passwords_pam_faillock_deny - set_fact: - var_accounts_passwords_pam_faillock_deny: '6' - tags: - - always -- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time - set_fact: - var_accounts_passwords_pam_faillock_unlock_time: '1800' + - CCE-26957-1 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + +- name: Read signatures in GPG key + shell: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep "^fpr" | cut -d ":" -f + 10 + changed_when: false + register: gpg_fingerprints + check_mode: false tags: - - always -- name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval + - ensure_redhat_gpgkey_installed + - high_severity + - restrict_strategy + - medium_complexity + - medium_disruption + - CCE-26957-1 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + +- name: Set Fact - Valid fingerprints set_fact: - var_accounts_passwords_pam_faillock_fail_interval: '900' - tags: - - always -- 
name: set auth pam_faillock before pam_unix.so - pamd: - name: system-auth - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: required - new_module_path: pam_faillock.so - module_arguments: 'preauth silent deny: {{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time - }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' - state: before + gpg_valid_fingerprints: ("567E347AD0044ADE55BA8A5F199E2F91FD431D51" "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0") tags: - - accounts_passwords_pam_faillock_deny - - medium_severity + - ensure_redhat_gpgkey_installed + - high_severity - restrict_strategy - - low_complexity - - low_disruption - - CCE-27350-8 - - NIST-800-53-AC-7(b) - - NIST-800-171-3.1.8 - - PCI-DSS-Req-8.1.6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 -- name: set auth pam_faillock after pam_unix.so - pamd: - name: system-auth - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: '[default=die]' - new_module_path: pam_faillock.so - module_arguments: 'preauth silent deny: {{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time - }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}' - state: after + - medium_complexity + - medium_disruption + - CCE-26957-1 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + +- name: Import RedHat GPG key + rpm_key: + state: present + key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + when: (gpg_key_directory_permission.stat.mode <= '0755') and (( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) + | length == 0) and (gpg_fingerprints.stdout_lines | length > 0) and (ansible_distribution == "RedHat") and True tags: - - accounts_passwords_pam_faillock_deny - - medium_severity + - ensure_redhat_gpgkey_installed + - 
high_severity - restrict_strategy + - medium_complexity + - medium_disruption + - CCE-26957-1 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + +- name: Check existence of yum on Fedora + stat: + path: /etc/yum.conf + register: yum_config_file + check_mode: false + when: ansible_distribution == "Fedora" + +- name: Ensure GPG check is globally activated (yum) + ini_file: + dest: '{{item}}' + section: main + option: gpgcheck + value: 1 + create: false + with_items: /etc/yum.conf + when: (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists) and True + tags: + - ensure_gpgcheck_globally_activated + - high_severity + - unknown_strategy - low_complexity - - low_disruption - - CCE-27350-8 - - NIST-800-53-AC-7(b) - - NIST-800-171-3.1.8 - - PCI-DSS-Req-8.1.6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 -- name: set account pam_faillock before pam_unix.so - pamd: - name: system-auth - type: account - control: required - module_path: pam_unix.so - new_type: account - new_control: required - new_module_path: pam_faillock.so - state: before + - medium_disruption + - CCE-26989-4 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020050 + +- name: Ensure GPG check is globally activated (dnf) + ini_file: + dest: '{{item}}' + section: main + option: gpgcheck + value: 1 + create: false + with_items: /etc/dnf/dnf.conf + when: ansible_distribution == "Fedora" and True tags: - - accounts_passwords_pam_faillock_deny - - medium_severity - - restrict_strategy + - ensure_gpgcheck_globally_activated + - high_severity + - unknown_strategy - low_complexity - - low_disruption - - CCE-27350-8 - - NIST-800-53-AC-7(b) - - NIST-800-171-3.1.8 - - PCI-DSS-Req-8.1.6 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 -- name: Set Password Hashing Algorithm in /etc/login.defs - 
lineinfile: - dest: /etc/login.defs - regexp: ^#?ENCRYPT_METHOD - line: ENCRYPT_METHOD SHA512 + - medium_disruption + - CCE-26989-4 + - NIST-800-53-CM-5(3) + - NIST-800-53-SI-7 + - NIST-800-53-MA-1(b) + - NIST-800-171-3.4.8 + - PCI-DSS-Req-6.2 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020050 + +- name: Ensure libreswan is installed + package: + name: libreswan state: present tags: - - set_password_hashing_algorithm_logindefs + - package_libreswan_installed - medium_severity - - restrict_strategy + - enable_strategy - low_complexity - low_disruption - - CCE-27124-7 - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-7 - - NIST-800-171-3.13.11 - - PCI-DSS-Req-8.2.1 - - CJIS-5.6.2.2 - - DISA-STIG-RHEL-07-010210 -- name: Set Password Hashing Algorithm in /etc/libuser.conf - lineinfile: - dest: /etc/libuser.conf - insertafter: ^\s*\[defaults] - regexp: ^#?crypt_style - line: crypt_style = sha512 - state: present + - CCE-80170-4 + - NIST-800-53-AC-17 + - NIST-800-53-MA-4 + - NIST-800-53-SC-9 + - PCI-DSS-Req-4.1 + +- name: Test for existence /etc/group + stat: + path: /etc/group + register: file_exists + +- name: Ensure owner 0 on /etc/group + file: + path: /etc/group + owner: 0 + when: file_exists.stat.exists and True tags: - - set_password_hashing_algorithm_libuserconf + - file_owner_etc_group - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27053-8 - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-7 - - NIST-800-171-3.13.11 - - PCI-DSS-Req-8.2.1 - - CJIS-5.6.2.2 - - DISA-STIG-RHEL-07-010220 -- name: XCCDF Value var_password_pam_lcredit - set_fact: - var_password_pam_lcredit: '-1' - tags: - - always -- name: Ensure PAM variable lcredit is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*lcredit - line: lcredit = {{ var_password_pam_lcredit }} + - CCE-26933-2 + - NIST-800-53-AC-6 + - 
PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 + +- name: Test for existence /etc/group + stat: + path: /etc/group + register: file_exists + +- name: Ensure group owner 0 on /etc/group + file: + path: /etc/group + group: 0 + when: file_exists.stat.exists and True tags: - - accounts_password_pam_lcredit + - file_groupowner_etc_group - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27345-8 - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) - - NIST-800-53-IA-5(1)(a) - - PCI-DSS-Req-8.2.3 - - DISA-STIG-RHEL-07-010130 -- name: XCCDF Value var_password_pam_dcredit - set_fact: - var_password_pam_dcredit: '-1' - tags: - - always -- name: Ensure PAM variable dcredit is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*dcredit - line: dcredit = {{ var_password_pam_dcredit }} + - CCE-27037-1 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 + +- name: Test for existence /etc/shadow + stat: + path: /etc/shadow + register: file_exists + +- name: Ensure group owner 0 on /etc/shadow + file: + path: /etc/shadow + group: 0 + when: file_exists.stat.exists and True tags: - - accounts_password_pam_dcredit + - file_groupowner_etc_shadow - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27214-6 - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) - - NIST-800-53-194 - - PCI-DSS-Req-8.2.3 - - DISA-STIG-RHEL-07-010140 -- name: XCCDF Value var_password_pam_minlen - set_fact: - var_password_pam_minlen: '7' - tags: - - always -- name: Ensure PAM variable minlen is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*minlen - line: minlen = {{ var_password_pam_minlen }} + - CCE-27125-4 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 + +- name: Ensure permission 0644 on /etc/passwd + file: + path: /etc/passwd + mode: 420 tags: - - accounts_password_pam_minlen + - 
file_permissions_etc_passwd - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27293-0 - - NIST-800-53-IA-5(1)(a) - - PCI-DSS-Req-8.2.3 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010280 -- name: XCCDF Value var_password_pam_ucredit - set_fact: - var_password_pam_ucredit: '-1' - tags: - - always -- name: Ensure PAM variable ucredit is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*ucredit - line: ucredit = {{ var_password_pam_ucredit }} + - CCE-26887-0 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 + +- name: Test for existence /etc/passwd + stat: + path: /etc/passwd + register: file_exists + +- name: Ensure owner 0 on /etc/passwd + file: + path: /etc/passwd + owner: 0 + when: file_exists.stat.exists and True tags: - - accounts_password_pam_ucredit + - file_owner_etc_passwd - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27200-5 - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) - - NIST-800-53-IA-5(1)(a) - - PCI-DSS-Req-8.2.3 - - DISA-STIG-RHEL-07-010120 -- name: XCCDF Value var_account_disable_post_pw_expiration - set_fact: - var_account_disable_post_pw_expiration: '90' - tags: - - always -- name: Set Account Expiration Following Inactivity - lineinfile: - create: true - dest: /etc/default/useradd - regexp: ^INACTIVE - line: INACTIVE={{ var_account_disable_post_pw_expiration }} + - CCE-27138-7 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 + +- name: Ensure permission 0000 on /etc/shadow + file: + path: /etc/shadow + mode: 0 tags: - - account_disable_post_pw_expiration + - file_permissions_etc_shadow - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27355-7 - - NIST-800-53-AC-2(2) - - NIST-800-53-AC-2(3) - - NIST-800-53-IA-4(e) - - NIST-800-171-3.5.6 - - PCI-DSS-Req-8.1.4 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010310 -- name: 
XCCDF Value var_accounts_maximum_age_login_defs - set_fact: - var_accounts_maximum_age_login_defs: '90' - tags: - - always -- name: Set Password Maximum Age - lineinfile: - create: true - dest: /etc/login.defs - regexp: ^#?PASS_MAX_DAYS - line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} + - CCE-27100-7 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 + +- name: Test for existence /etc/passwd + stat: + path: /etc/passwd + register: file_exists + +- name: Ensure group owner 0 on /etc/passwd + file: + path: /etc/passwd + group: 0 + when: file_exists.stat.exists and True tags: - - accounts_maximum_age_login_defs + - file_groupowner_etc_passwd - medium_severity - - restrict_strategy + - configure_strategy - low_complexity - low_disruption - - CCE-27051-2 - - NIST-800-53-IA-5(f) - - NIST-800-53-IA-5(g) - - NIST-800-53-IA-5(1)(d) - - NIST-800-171-3.5.6 - - PCI-DSS-Req-8.2.4 - - CJIS-5.6.2.1 - - DISA-STIG-RHEL-07-010250 -- name: Prevent Log In to Accounts With Empty Password - system-auth - replace: - dest: /etc/pam.d/system-auth - follow: true - regexp: nullok + - CCE-26639-5 + - NIST-800-53-AC-6 + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 + +- name: Ensure permission 0644 on /etc/group + file: + path: /etc/group + mode: 420 tags: - - no_empty_passwords - - high_severity + - file_permissions_etc_group + - medium_severity - configure_strategy - low_complexity - - medium_disruption - - CCE-27286-4 + - low_disruption + - CCE-26949-8 - NIST-800-53-AC-6 - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) - - NIST-800-53-IA-5(1)(a) - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - PCI-DSS-Req-8.2.3 - - CJIS-5.5.2 - - DISA-STIG-RHEL-07-010290 -- name: Prevent Log In to Accounts With Empty Password - password-auth - replace: - dest: /etc/pam.d/password-auth - follow: true - regexp: nullok + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 + +- name: Test for existence /etc/shadow + stat: + path: /etc/shadow + register: file_exists + +- name: Ensure owner 0 on /etc/shadow + 
file: + path: /etc/shadow + owner: 0 + when: file_exists.stat.exists and True tags: - - no_empty_passwords - - high_severity + - file_owner_etc_shadow + - medium_severity - configure_strategy - low_complexity - - medium_disruption - - CCE-27286-4 + - low_disruption + - CCE-26795-5 - NIST-800-53-AC-6 - - NIST-800-53-IA-5(b) - - NIST-800-53-IA-5(c) - - NIST-800-53-IA-5(1)(a) - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - PCI-DSS-Req-8.2.3 - - CJIS-5.5.2 - - DISA-STIG-RHEL-07-010290 -- name: XCCDF Value sshd_idle_timeout_value - set_fact: - sshd_idle_timeout_value: '900' + - PCI-DSS-Req-8.7.c + - CJIS-5.5.2.2 + +- name: Test for existence /boot/grub2/grub.cfg + stat: + path: /boot/grub2/grub.cfg + register: file_exists + +- name: Ensure group owner 0 on /boot/grub2/grub.cfg + file: + path: /boot/grub2/grub.cfg + group: 0 + when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") + tags: + - file_groupowner_grub2_cfg + - medium_severity + - configure_strategy + - low_complexity + - low_disruption + - CCE-26812-8 + - NIST-800-53-AC-6(7) + - NIST-800-171-3.4.5 + - PCI-DSS-Req-7.1 + - CJIS-5.5.2.2 + +- name: Test for existence /boot/grub2/grub.cfg + stat: + path: /boot/grub2/grub.cfg + register: file_exists + +- name: Ensure owner 0 on /boot/grub2/grub.cfg + file: + path: /boot/grub2/grub.cfg + owner: 0 + when: file_exists.stat.exists and (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") tags: - - always + - file_owner_grub2_cfg + - medium_severity + - configure_strategy + - low_complexity + - low_disruption + - CCE-26860-7 + - NIST-800-53-AC-6(7) + - NIST-800-171-3.4.5 + - PCI-DSS-Req-7.1 + - CJIS-5.5.2.2 + - name: Set SSH Idle Timeout Interval lineinfile: create: true @@ -3079,3 +3274,5 @@ - PCI-DSS-Req-8.1.8 - CJIS-5.5.6 - DISA-STIG-RHEL-07-040320 + when: + - (ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker") 
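Review bot: The new `when` is appended after the task's `tags` and the task's `name` and module lines sit above the hunk, so the diff does not show which task now gains the virtualization guard (presumably the SSH idle timeout task, given the DISA-STIG-RHEL-07-040320 tag ending its tag list). A comment above the condition would carry the intent for the next reader, e.g. `# skip only inside docker guests; other virtualization types still receive the setting`. The same `(ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker")` expression is repeated verbatim on the grub2 ownership tasks earlier in this patch, so setting it once as a fact and referencing that would keep the copies from drifting. The enclosing task starts outside the hunk.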
diff --git a/vars/main.yml b/vars/main.yml
index 31f8091..707a222 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,17 +1,18 @@
-inactivity_timeout_value: 900
-sshd_idle_timeout_value: 900
-var_account_disable_post_pw_expiration: 90
-var_accounts_maximum_age_login_defs: 90
-var_accounts_passwords_pam_faillock_deny: 6
-var_accounts_passwords_pam_faillock_fail_interval: 100000000
-var_accounts_passwords_pam_faillock_unlock_time: 1800
-var_auditd_action_mail_acct: admin
-var_auditd_admin_space_left_action: suspend
-var_auditd_max_log_file: 1
+var_auditd_max_log_file: '6'
+var_auditd_action_mail_acct: root
+var_auditd_num_logs: '5'
 var_auditd_max_log_file_action: rotate
-var_auditd_space_left_action: suspend
-var_password_pam_dcredit: -1
-var_password_pam_lcredit: -1
-var_password_pam_minlen: 7
-var_password_pam_ucredit: -1
-var_password_pam_unix_remember: 4
+var_auditd_space_left_action: email
+var_auditd_admin_space_left_action: single
+var_account_disable_post_pw_expiration: '90'
+var_accounts_maximum_age_login_defs: '90'
+var_password_pam_unix_remember: '4'
+var_accounts_passwords_pam_faillock_deny: '6'
+var_accounts_passwords_pam_faillock_unlock_time: '1800'
+var_accounts_passwords_pam_faillock_fail_interval: '900'
+var_password_pam_ucredit: '-1'
+var_password_pam_minlen: '7'
+var_password_pam_lcredit: '-1'
+var_password_pam_dcredit: '-1'
+inactivity_timeout_value: '900'
+sshd_idle_timeout_value: '900'
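Review bot: `var_accounts_passwords_pam_faillock_fail_interval` drops from 100000000 to '900' and the two auditd space-left actions change from suspend to email and single, yet nothing in the file records which baseline these defaults now follow, so a later reader cannot distinguish a deliberate profile change from a slip. A header comment naming the source would settle it, e.g. `# Defaults for the hardening profile these tasks were generated from; adjust per site policy.`. Quoting the numeric values as strings is consistent and keeps YAML from re-typing them, which is welcome. The old file was in alphabetical key order and the new one is not; restoring that order would keep future diffs of this file readable.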