From 522b9a0e2d3bfab00fac5cf40d781f80086da52f Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Mon, 24 Jul 2023 20:28:46 -0400 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 769 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 593 insertions(+), 176 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 6e83480..1dacfc4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -9,6 +9,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SC-13 - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - disable_prelink - low_complexity - low_disruption @@ -23,7 +24,7 @@ - no_reboot_needed | bool - restrict_strategy | bool -- name: disable prelinking +- name: Disable prelinking lineinfile: path: /etc/sysconfig/prelink regexp: ^PRELINKING= @@ -43,6 +44,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SC-13 - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - disable_prelink - low_complexity - low_disruption @@ -75,6 +77,7 @@ - NIST-800-53-SI-7(1) - NIST-800-53-SI-7(6) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - high_complexity - high_severity - medium_disruption @@ -107,6 +110,7 @@ - NIST-800-53-SI-7(1) - NIST-800-53-SI-7(6) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - high_complexity - high_severity - medium_disruption @@ -139,6 +143,7 @@ - NIST-800-53-SI-7(1) - NIST-800-53-SI-7(6) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - high_complexity - high_severity - medium_disruption @@ -174,6 +179,7 @@ - NIST-800-53-SI-7(1) - NIST-800-53-SI-7(6) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - high_complexity - high_severity - medium_disruption @@ -211,6 +217,7 @@ - NIST-800-53-SI-7(1) - NIST-800-53-SI-7(6) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - high_complexity - high_severity - medium_disruption @@ -244,6 +251,7 @@ - NIST-800-53-SI-7(1) - NIST-800-53-SI-7(6) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - high_complexity - high_severity - medium_disruption @@ -271,6 +279,7 @@ - NIST-800-53-SI-7(1) - NIST-800-53-SI-7(6) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - high_complexity - high_severity - medium_disruption @@ -316,6 +325,7 @@ - NIST-800-53-SI-7(1) - NIST-800-53-SI-7(6) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - high_complexity - high_severity - medium_disruption @@ -349,6 +359,7 @@ - NIST-800-53-SI-7(1) - NIST-800-53-SI-7(6) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - high_complexity - high_severity - medium_disruption @@ -375,6 +386,7 @@ - DISA-STIG-RHEL-07-020029 - NIST-800-53-CM-6(a) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - enable_strategy - low_complexity - low_disruption @@ -403,6 +415,7 @@ - DISA-STIG-RHEL-07-020029 - NIST-800-53-CM-6(a) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - aide_build_database - low_complexity - low_disruption @@ -428,6 +441,7 @@ - DISA-STIG-RHEL-07-020029 - NIST-800-53-CM-6(a) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - aide_build_database - low_complexity - low_disruption @@ -454,6 +468,7 @@ - DISA-STIG-RHEL-07-020029 - NIST-800-53-CM-6(a) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - aide_build_database - low_complexity - low_disruption @@ -483,6 +498,7 @@ - DISA-STIG-RHEL-07-020029 - NIST-800-53-CM-6(a) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - aide_build_database - low_complexity - low_disruption @@ -492,10 +508,10 @@ - name: Ensure AIDE is installed package: - name: '{{ item }}' + name: + - aide + - crontabs state: present - with_items: - - aide when: - DISA_STIG_RHEL_07_020030 | bool - aide_periodic_cron_checking | bool @@ -513,6 +529,7 @@ - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - aide_periodic_cron_checking - low_complexity - low_disruption @@ -541,6 +558,7 @@ - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - aide_periodic_cron_checking - low_complexity - low_disruption @@ -569,6 +587,7 @@ - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - aide_periodic_cron_checking - low_complexity - low_disruption @@ -597,6 +616,7 @@ - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - aide_periodic_cron_checking - low_complexity - low_disruption @@ -629,6 +649,7 @@ - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) - PCI-DSS-Req-11.5 + - PCI-DSSv4-11.5.2 - aide_periodic_cron_checking - low_complexity - low_disruption @@ -647,6 +668,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - medium_disruption @@ -688,6 +710,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - medium_disruption @@ -719,6 +742,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - medium_disruption @@ -746,6 +770,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - medium_disruption @@ -764,6 +789,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption @@ -805,6 +831,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption @@ -832,6 +859,7 @@ - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption @@ -849,6 +877,7 @@ - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption @@ -884,6 +913,7 @@ - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption @@ -917,6 +947,7 @@ - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption @@ -948,6 +979,7 @@ - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption @@ -981,6 +1013,7 @@ - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption @@ -1012,6 +1045,7 @@ - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption @@ -1040,6 +1074,7 @@ - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption @@ -1067,6 +1102,7 @@ - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption @@ -1093,6 +1129,7 @@ - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_lock_enabled - low_complexity - medium_disruption @@ -1111,6 +1148,7 @@ - NIST-800-53-AC-11(1).1 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_mode_blank - low_complexity - medium_disruption @@ -1150,6 +1188,7 @@ - NIST-800-53-AC-11(1).1 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_mode_blank - low_complexity - medium_disruption @@ -1180,6 +1219,7 @@ - NIST-800-53-AC-11(1).1 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_mode_blank - low_complexity - medium_disruption @@ -1206,6 +1246,7 @@ - NIST-800-53-AC-11(1).1 - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - dconf_gnome_screensaver_mode_blank - low_complexity - medium_disruption @@ -1231,6 +1272,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - configure_strategy - ensure_gpgcheck_globally_activated - high_severity @@ -1278,6 +1320,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - configure_strategy - ensure_gpgcheck_globally_activated - high_severity @@ -1292,7 +1335,7 @@ ' register: repo_grep_results - ignore_errors: true + failed_when: repo_grep_results.rc not in [0, 1] changed_when: false tags: - CCE-26876-3 @@ -1308,6 +1351,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - enable_strategy - ensure_gpgcheck_never_disabled - high_severity @@ -1344,6 +1388,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - enable_strategy - ensure_gpgcheck_never_disabled - high_severity @@ -1516,6 +1561,7 @@ - NIST-800-53-SI-2(5) - NIST-800-53-SI-2(c) - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - high_disruption - low_complexity - medium_severity @@ -1543,6 +1589,7 @@ - NIST-800-53-AC-9 - NIST-800-53-AC-9(1) - PCI-DSS-Req-10.2.4 + - PCI-DSSv4-10.2.1.4 - configure_strategy - display_login_attempts - low_complexity @@ -1578,6 +1625,7 @@ - NIST-800-53-AC-9 - NIST-800-53-AC-9(1) - PCI-DSS-Req-10.2.4 + - PCI-DSSv4-10.2.1.4 - configure_strategy - display_login_attempts - low_complexity @@ -1601,12 +1649,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Ensure PAM Displays Last Logon/Access Notification - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -1741,10 +1789,11 @@ - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b - when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is - defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) - - ' + when: + - result_authselect_present is defined + - result_authselect_present.stat.exists + - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ + \ result_pam_module_edit.changed)" when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 @@ -1773,8 +1822,8 @@ cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - - (result_pam_showfailed_add is defined and result_pam_showfailed_add.changed) or (result_pam_showfailed_edit is defined - and result_pam_showfailed_edit.changed) + - "(result_pam_showfailed_add is defined and result_pam_showfailed_add.changed)\n or (result_pam_showfailed_edit is defined\ + \ and result_pam_showfailed_edit.changed)" when: - DISA_STIG_RHEL_07_040530 | bool - configure_strategy | bool @@ -1792,6 +1841,7 @@ - NIST-800-53-AC-9 - NIST-800-53-AC-9(1) - PCI-DSS-Req-10.2.4 + - PCI-DSSv4-10.2.1.4 - configure_strategy - display_login_attempts - low_complexity @@ -1819,6 +1869,7 @@ - NIST-800-53-AC-9 - NIST-800-53-AC-9(1) - PCI-DSS-Req-10.2.4 + - PCI-DSSv4-10.2.1.4 - configure_strategy - display_login_attempts - low_complexity @@ -1842,12 +1893,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Ensure PAM Displays Last Logon/Access Notification - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -1971,6 +2022,7 @@ - NIST-800-53-AC-9 - NIST-800-53-AC-9(1) - PCI-DSS-Req-10.2.4 + - PCI-DSSv4-10.2.1.4 - configure_strategy - display_login_attempts - low_complexity @@ -1988,6 +2040,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -2021,6 +2074,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -2049,6 +2103,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -2063,11 +2118,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Limit Password Reuse - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -2113,6 +2168,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -2136,11 +2192,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Limit Password Reuse - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -2267,10 +2323,11 @@ - name: Limit Password Reuse - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b - when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is - defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) - - ' + when: + - result_authselect_present is defined + - result_authselect_present.stat.exists + - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ + \ result_pam_module_edit.changed)" when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 @@ -2293,6 +2350,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -2319,6 +2377,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -2356,11 +2415,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Limit Password Reuse - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile @@ -2482,6 +2541,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -2505,11 +2565,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Limit Password Reuse - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -2635,10 +2695,11 @@ - name: Limit Password Reuse - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b - when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is - defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) - - ' + when: + - result_authselect_present is defined + - result_authselect_present.stat.exists + - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ + \ result_pam_module_edit.changed)" when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 @@ -2693,6 +2754,7 @@ - NIST-800-53-IA-5(1)(e) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.5 + - PCI-DSSv4-8.3.7 - accounts_password_pam_unix_remember - configure_strategy - low_complexity @@ -2711,6 +2773,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2747,6 +2810,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2761,11 +2825,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -2812,6 +2876,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2880,6 +2945,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2908,6 +2974,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2939,6 +3006,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -2968,11 +3036,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -3100,11 +3168,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -3230,6 +3298,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -3318,6 +3387,7 @@ - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption @@ -3336,6 +3406,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3372,6 +3443,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3386,11 +3458,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -3437,6 +3509,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3505,6 +3578,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3533,6 +3607,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3564,6 +3639,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3593,12 +3669,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -3726,12 +3802,12 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -3857,6 +3933,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3945,6 +4022,7 @@ - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.7 + - PCI-DSSv4-8.3.4 - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption @@ -3963,6 +4041,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_dcredit - low_complexity - low_disruption @@ -4001,6 +4081,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_dcredit - low_complexity - low_disruption @@ -4019,6 +4101,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_lcredit - low_complexity - low_disruption @@ -4057,6 +4141,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_lcredit - low_complexity - low_disruption @@ -4076,6 +4162,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_minlen - low_complexity - low_disruption @@ -4115,6 +4203,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_minlen - low_complexity - low_disruption @@ -4133,6 +4223,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_ucredit - low_complexity - low_disruption @@ -4171,6 +4263,8 @@ - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - accounts_password_pam_ucredit - low_complexity - low_disruption @@ -4190,6 +4284,7 @@ - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.1 + - PCI-DSSv4-8.3.2 - low_complexity - low_disruption - medium_severity @@ -4231,6 +4326,7 @@ - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.1 + - PCI-DSSv4-8.3.2 - low_complexity - low_disruption - medium_severity @@ -4250,6 +4346,7 @@ - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.1 + - PCI-DSSv4-8.3.2 - low_complexity - low_disruption - medium_severity @@ -4290,6 +4387,7 @@ - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.1 + - PCI-DSSv4-8.3.2 - low_complexity - low_disruption - medium_severity @@ -4309,6 +4407,7 @@ - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.1 + - PCI-DSSv4-8.3.2 - configure_strategy - low_complexity - medium_disruption @@ -4346,6 +4445,7 @@ - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.1 + - PCI-DSSv4-8.3.2 - configure_strategy - low_complexity - medium_disruption @@ -4369,11 +4469,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Set PAM's Password Hashing Algorithm - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is @@ -4501,10 +4601,11 @@ - name: Set PAM's Password Hashing Algorithm - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b - when: 'result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is - defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) - - ' + when: + - result_authselect_present is defined + - result_authselect_present.stat.exists + - "(result_pam_module_add is defined and result_pam_module_add.changed)\n or (result_pam_module_edit is defined and\ + \ result_pam_module_edit.changed)" when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 @@ -4532,7 +4633,7 @@ cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - - (result_pam_sha512_add is defined and result_pam_sha512_add.changed) or (result_pam_sha512_edit is defined and result_pam_sha512_edit.changed) + - "(result_pam_sha512_add is defined and result_pam_sha512_add.changed)\n or (result_pam_sha512_edit is defined and result_pam_sha512_edit.changed)" when: - DISA_STIG_RHEL_07_010200 | bool - configure_strategy | bool @@ -4552,6 +4653,7 @@ - NIST-800-53-IA-5(1)(c) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.1 + - PCI-DSSv4-8.3.2 - configure_strategy - low_complexity - medium_disruption @@ -4571,6 +4673,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-4(e) - PCI-DSS-Req-8.1.4 + - PCI-DSSv4-8.2.6 - account_disable_post_pw_expiration - low_complexity - low_disruption @@ -4610,6 +4713,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-4(e) - PCI-DSS-Req-8.1.4 + - PCI-DSSv4-8.2.6 - account_disable_post_pw_expiration - low_complexity - low_disruption @@ -4629,6 +4733,7 @@ - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.4 + - PCI-DSSv4-8.3.10.1 - accounts_maximum_age_login_defs - low_complexity - low_disruption @@ -4668,6 +4773,7 @@ - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.4 + - PCI-DSSv4-8.3.10.1 - accounts_maximum_age_login_defs - low_complexity - low_disruption @@ -4698,6 +4804,8 @@ - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - configure_strategy - high_severity - low_complexity @@ -4712,11 +4820,11 @@ cmd: authselect check register: result_authselect_check_cmd changed_when: false - ignore_errors: true + failed_when: false - name: Prevent Login to Accounts With Empty Password - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - - result_authselect_check_cmd is success + - result_authselect_check_cmd.rc == 0 fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not @@ -4765,6 +4873,8 @@ - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - configure_strategy - high_severity - low_complexity @@ -4799,6 +4909,8 @@ - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 + - PCI-DSSv4-8.3.6 + - PCI-DSSv4-8.3.9 - configure_strategy - high_severity - low_complexity @@ -4826,6 +4938,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SI-4(23) - PCI-DSS-Req-10.1 + - PCI-DSSv4-10.2.1 - enable_strategy - low_complexity - low_disruption @@ -4847,7 +4960,7 @@ package_facts: manager: auto - name: Enable service auditd - service: + systemd: name: auditd enabled: 'yes' state: started @@ -4881,6 +4994,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SI-4(23) - PCI-DSS-Req-10.1 + - PCI-DSSv4-10.2.1 - enable_strategy - low_complexity - low_disruption @@ -4901,6 +5015,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 + - PCI-DSSv4-10.7 - grub2_audit_argument - low_disruption - low_severity @@ -4938,6 +5053,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 + - PCI-DSSv4-10.7 - grub2_audit_argument - low_disruption - low_severity @@ -4970,6 +5086,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 + - PCI-DSSv4-10.7 - grub2_audit_argument - low_disruption - low_severity @@ -5002,6 +5119,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 + - PCI-DSSv4-10.7 - grub2_audit_argument - low_disruption - low_severity @@ -5030,6 +5148,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IR-5(1) - PCI-DSS-Req-10.3 + - PCI-DSSv4-10.7 - grub2_audit_argument - low_disruption - low_severity @@ -5048,6 +5167,7 @@ - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption @@ -5084,6 +5204,7 @@ - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption @@ -5114,6 +5235,7 @@ - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption @@ -5147,6 +5269,7 @@ - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.2 - audit_rules_immutable - low_complexity - low_disruption @@ -5165,6 +5288,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption @@ -5202,6 +5326,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption @@ -5233,6 +5358,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption @@ -5263,6 +5389,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption @@ -5293,6 +5420,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption @@ -5324,6 +5452,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption @@ -5354,6 +5483,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption @@ -5386,6 +5516,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_mac_modification - low_complexity - low_disruption @@ -5406,6 +5537,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 + - PCI-DSSv4-10.2.1.7 - audit_rules_media_export - low_complexity - low_disruption @@ -5446,6 +5578,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 + - PCI-DSSv4-10.2.1.7 - audit_rules_media_export - low_complexity - low_disruption @@ -5562,6 +5695,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 + - PCI-DSSv4-10.2.1.7 - audit_rules_media_export - low_complexity - low_disruption @@ -5679,6 +5813,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 + - PCI-DSSv4-10.2.1.7 - audit_rules_media_export - low_complexity - low_disruption @@ -5698,6 +5833,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -5735,6 +5871,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -5855,6 +5992,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -5976,6 +6114,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6007,6 +6146,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6039,6 +6179,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6070,6 +6211,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6101,6 +6243,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6133,6 +6276,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6164,6 +6308,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6197,6 +6342,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6228,6 +6374,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6260,6 +6407,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6291,6 +6439,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6322,6 +6471,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6354,6 +6504,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6385,6 +6536,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6418,6 +6570,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6449,6 +6602,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6481,6 +6635,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6512,6 +6667,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6543,6 +6699,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6575,6 +6732,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6606,6 +6764,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6639,6 +6798,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6670,6 +6830,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6702,6 +6863,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6733,6 +6895,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6764,6 +6927,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6796,6 +6960,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6827,6 +6992,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6860,6 +7026,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_networkconfig_modification - low_complexity - low_disruption @@ -6878,6 +7045,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -6915,6 +7083,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -6946,6 +7115,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -6976,6 +7146,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7006,6 +7177,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7037,6 +7209,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7067,6 +7240,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7099,6 +7273,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7129,6 +7304,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7160,6 +7336,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7190,6 +7367,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7220,6 +7398,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7251,6 +7430,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7281,6 +7461,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7313,6 +7494,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7343,6 +7525,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7374,6 +7557,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7404,6 +7588,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7434,6 +7619,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7465,6 +7651,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7495,6 +7682,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7527,6 +7715,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 + - PCI-DSSv4-10.2.1.3 - audit_rules_session_events - low_complexity - low_disruption @@ -7547,9 +7736,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7591,9 +7781,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7628,9 +7819,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7664,9 +7856,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7700,9 +7893,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7737,9 +7931,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7773,9 +7968,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7811,9 +8007,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7847,9 +8044,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7884,9 +8082,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7920,9 +8119,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7956,9 +8156,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -7993,9 +8194,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8029,9 +8231,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8067,9 +8270,10 @@ - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8089,6 +8293,7 @@ - NIST-800-53-AU-9(4) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5 + - PCI-DSSv4-10.3.1 - file_permissions_var_log_audit - low_complexity - low_disruption @@ -8127,6 +8332,7 @@ - NIST-800-53-AU-9(4) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5 + - PCI-DSSv4-10.3.1 - file_permissions_var_log_audit - low_complexity - low_disruption @@ -8157,6 +8363,7 @@ - NIST-800-53-AU-9(4) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5 + - PCI-DSSv4-10.3.1 - file_permissions_var_log_audit - low_complexity - low_disruption @@ -8187,6 +8394,7 @@ - NIST-800-53-AU-9(4) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5 + - PCI-DSSv4-10.3.1 - file_permissions_var_log_audit - low_complexity - low_disruption @@ -8217,6 +8425,7 @@ - NIST-800-53-AU-9(4) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5 + - PCI-DSSv4-10.3.1 - file_permissions_var_log_audit - low_complexity - low_disruption @@ -8248,6 +8457,7 @@ - NIST-800-53-AU-9(4) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5 + - PCI-DSSv4-10.3.1 - file_permissions_var_log_audit - low_complexity - low_disruption @@ -8267,6 +8477,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chmod - low_complexity - low_disruption @@ -8306,6 +8517,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chmod - low_complexity - low_disruption @@ -8427,6 +8639,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chmod - low_complexity - low_disruption @@ -8549,6 +8762,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chmod - low_complexity - low_disruption @@ -8568,6 +8782,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chown - low_complexity - low_disruption @@ -8607,6 +8822,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chown - low_complexity - low_disruption @@ -8730,6 +8946,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chown - low_complexity - low_disruption @@ -8854,6 +9071,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_chown - low_complexity - low_disruption @@ -8873,6 +9091,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmod - low_complexity - low_disruption @@ -8912,6 +9131,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmod - low_complexity - low_disruption @@ -9033,6 +9253,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmod - low_complexity - low_disruption @@ -9155,6 +9376,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmod - low_complexity - low_disruption @@ -9174,6 +9396,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption @@ -9213,6 +9436,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption @@ -9334,6 +9558,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption @@ -9456,6 +9681,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption @@ -9475,6 +9701,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchown - low_complexity - low_disruption @@ -9514,6 +9741,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchown - low_complexity - low_disruption @@ -9637,6 +9865,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchown - low_complexity - low_disruption @@ -9761,6 +9990,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchown - low_complexity - low_disruption @@ -9780,6 +10010,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchownat - low_complexity - low_disruption @@ -9819,6 +10050,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchownat - low_complexity - low_disruption @@ -9942,6 +10174,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchownat - low_complexity - low_disruption @@ -10066,6 +10299,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fchownat - low_complexity - low_disruption @@ -10085,6 +10319,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption @@ -10124,6 +10359,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption @@ -10251,6 +10487,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption @@ -10379,6 +10616,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption @@ -10398,6 +10636,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption @@ -10437,6 +10676,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption @@ -10564,6 +10804,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption @@ -10692,6 +10933,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption @@ -10711,6 +10953,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lchown - low_complexity - low_disruption @@ -10750,6 +10993,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lchown - low_complexity - low_disruption @@ -10873,6 +11117,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lchown - low_complexity - low_disruption @@ -10997,6 +11242,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lchown - low_complexity - low_disruption @@ -11016,6 +11262,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption @@ -11055,6 +11302,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption @@ -11182,6 +11430,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption @@ -11310,6 +11559,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption @@ -11329,6 +11579,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption @@ -11368,6 +11619,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption @@ -11495,6 +11747,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption @@ -11623,6 +11876,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption @@ -11642,6 +11896,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_removexattr - low_complexity - low_disruption @@ -11681,6 +11936,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_removexattr - low_complexity - low_disruption @@ -11808,6 +12064,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_removexattr - low_complexity - low_disruption @@ -11936,6 +12193,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_removexattr - low_complexity - low_disruption @@ -11955,6 +12213,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_setxattr - low_complexity - low_disruption @@ -11994,6 +12253,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_setxattr - low_complexity - low_disruption @@ -12121,6 +12381,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_setxattr - low_complexity - low_disruption @@ -12249,6 +12510,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 + - PCI-DSSv4-10.3.4 - audit_rules_dac_modification_setxattr - low_complexity - low_disruption @@ -12268,6 +12530,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 + - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading - low_complexity - low_disruption @@ -12305,6 +12568,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 + - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading - low_complexity - low_disruption @@ -12429,6 +12693,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 + - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading - low_complexity - low_disruption @@ -12554,6 +12819,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 + - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading - low_complexity - low_disruption @@ -12574,77 +12840,33 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 + - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy - when: - - audit_rules_privileged_commands | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - -- name: Search for privileged commands - shell: 'set -o pipefail - - find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype - ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs - -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o - -perm -2000 \) 2> /dev/null - - ' - args: - executable: /bin/bash - check_mode: false - register: find_result - changed_when: false - failed_when: false when: - audit_rules_privileged_commands | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-27437-3 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path={{ item }} .*$ - patterns: '*.rules' - with_items: - - '{{ find_result.stdout_lines }}' - register: files_result +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set List of Mount Points Which Permits Execution + of Privileged Commands + ansible.builtin.set_fact: + privileged_mount_points: '{{(ansible_facts.mounts | rejectattr(''options'', ''search'', ''noexec|nosuid'') | rejectattr(''mount'', + ''match'', ''/proc($|/.*$)'') | map(attribute=''mount'') | list ) }}' when: - audit_rules_privileged_commands | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: @@ -12657,29 +12879,29 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 + - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Overwrites the rule in rules.d - lineinfile: - path: '{{ item.1.path }}' - line: -a always,exit -F path={{ item.0.item }} -F auid>=1000 -F auid!=unset -F key=privileged - create: false - regexp: ^.*path={{ item.0.item }} .*$ - with_subelements: - - '{{ files_result.results }}' - - files +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Search for Privileged Commands in Eligible + Mount Points + ansible.builtin.shell: + cmd: find {{ item }} -xdev -perm /6000 -type f 2>/dev/null + register: result_privileged_commands_search + changed_when: false + failed_when: false + with_items: '{{ privileged_mount_points }}' when: - audit_rules_privileged_commands | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: @@ -12692,30 +12914,28 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 + - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Adds the rule in rules.d - lineinfile: - path: /etc/audit/rules.d/privileged.rules - line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged - create: true - with_items: - - '{{ files_result.results }}' +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Set List of Privileged Commands Found in Eligible + Mount Points + ansible.builtin.set_fact: + privileged_commands: '{{( result_privileged_commands_search.results | map(attribute=''stdout_lines'') | select() | list + )[-1] }}' when: - audit_rules_privileged_commands | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - files_result.results is defined and item.matched == 0 tags: - CCE-27437-3 - CJIS-5.4.1.1 @@ -12726,30 +12946,64 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 + - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Inserts/replaces the rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged - create: true - regexp: ^.*path={{ item.item }} .*$ - with_items: - - '{{ files_result.results }}' +- name: Ensure auditd Collects Information on the Use of Privileged Commands - Privileged Commands are Present in the System + block: + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure Rules for All Privileged Commands + in augenrules Format + ansible.builtin.lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + regexp: ^.*path={{ item | regex_escape() }} .*$ + create: true + with_items: + - '{{ privileged_commands }}' + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure Rules for All Privileged Commands + in auditctl Format + ansible.builtin.lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path={{ item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + regexp: ^.*path={{ item | regex_escape() }} .*$ + create: true + with_items: + - '{{ privileged_commands }}' + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Search for Duplicated Rules in Other Files + ansible.builtin.find: + paths: /etc/audit/rules.d + recurse: false + contains: ^-a always,exit -F path={{ item }} .*$ + patterns: '*.rules' + with_items: + - '{{ privileged_commands }}' + register: result_augenrules_files + - name: Ensure auditd Collects Information on the Use of Privileged Commands - Ensure Rules for Privileged Commands are + Defined Only in One File + ansible.builtin.lineinfile: + path: '{{ item.1.path }}' + regexp: ^-a always,exit -F path={{ item.0.item }} .*$ + state: absent + with_subelements: + - '{{ result_augenrules_files.results }}' + - files + when: + - item.1.path != '/etc/audit/rules.d/privileged.rules' when: - audit_rules_privileged_commands | bool + - configure_strategy | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - privileged_commands is defined tags: - CCE-27437-3 - CJIS-5.4.1.1 @@ -12760,12 +13014,13 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 + - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy - name: Gather the package facts package_facts: @@ -12779,6 +13034,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_adjtimex - low_complexity - low_disruption @@ -12816,6 +13072,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_adjtimex - low_complexity - low_disruption @@ -12936,6 +13193,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_adjtimex - low_complexity - low_disruption @@ -13056,6 +13314,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_adjtimex - low_complexity - low_disruption @@ -13075,6 +13334,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_clock_settime - low_complexity - low_disruption @@ -13112,6 +13372,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_clock_settime - low_complexity - low_disruption @@ -13226,6 +13487,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_clock_settime - low_complexity - low_disruption @@ -13341,6 +13603,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_clock_settime - low_complexity - low_disruption @@ -13360,6 +13623,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_settimeofday - low_complexity - low_disruption @@ -13397,6 +13661,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_settimeofday - low_complexity - low_disruption @@ -13517,6 +13782,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_settimeofday - low_complexity - low_disruption @@ -13638,6 +13904,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_settimeofday - low_complexity - low_disruption @@ -13657,6 +13924,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_stime - low_complexity - low_disruption @@ -13784,6 +14052,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 - audit_rules_time_stime - low_complexity - low_disruption @@ -13803,6 +14072,8 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - PCI-DSSv4-10.6.3 - audit_rules_time_watch_localtime - low_complexity - low_disruption @@ -13841,6 +14112,8 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - PCI-DSSv4-10.6.3 - audit_rules_time_watch_localtime - low_complexity - low_disruption @@ -13873,6 +14146,8 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - PCI-DSSv4-10.6.3 - audit_rules_time_watch_localtime - low_complexity - low_disruption @@ -13904,6 +14179,8 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - PCI-DSSv4-10.6.3 - audit_rules_time_watch_localtime - low_complexity - low_disruption @@ -13935,6 +14212,8 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - PCI-DSSv4-10.6.3 - audit_rules_time_watch_localtime - low_complexity - low_disruption @@ -13967,6 +14246,8 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - PCI-DSSv4-10.6.3 - audit_rules_time_watch_localtime - low_complexity - low_disruption @@ -13998,6 +14279,8 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - PCI-DSSv4-10.6.3 - audit_rules_time_watch_localtime - low_complexity - low_disruption @@ -14031,6 +14314,8 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b + - PCI-DSSv4-10.6.3 + - PCI-DSSv4-10.6.3 - audit_rules_time_watch_localtime - low_complexity - low_disruption @@ -14048,6 +14333,7 @@ - NIST-800-53-AU-4(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.3 + - PCI-DSSv4-10.3.3 - auditd_audispd_syslog_plugin_activated - configure_strategy - low_complexity @@ -14062,7 +14348,7 @@ - medium_severity | bool - no_reboot_needed | bool -- name: enable syslog plugin +- name: Enable syslog plugin lineinfile: dest: /etc/audisp/plugins.d/syslog.conf regexp: ^active @@ -14084,6 +14370,7 @@ - NIST-800-53-AU-4(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.3 + - PCI-DSSv4-10.3.3 - auditd_audispd_syslog_plugin_activated - configure_strategy - low_complexity @@ -14104,6 +14391,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1) - PCI-DSS-Req-10.7.a + - PCI-DSSv4-10.5.1 - auditd_data_retention_action_mail_acct - low_complexity - low_disruption @@ -14145,6 +14433,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1) - PCI-DSS-Req-10.7.a + - PCI-DSSv4-10.5.1 - auditd_data_retention_action_mail_acct - low_complexity - low_disruption @@ -14165,6 +14454,7 @@ - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_admin_space_left_action - low_complexity - low_disruption @@ -14205,6 +14495,7 @@ - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_admin_space_left_action - low_complexity - low_disruption @@ -14221,6 +14512,7 @@ - NIST-800-53-AU-11 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_max_log_file - low_complexity - low_disruption @@ -14257,6 +14549,7 @@ - NIST-800-53-AU-11 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_max_log_file - low_complexity - low_disruption @@ -14276,6 +14569,7 @@ - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_max_log_file_action - low_complexity - low_disruption @@ -14315,6 +14609,7 @@ - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_max_log_file_action - low_complexity - low_disruption @@ -14332,6 +14627,7 @@ - NIST-800-53-AU-11 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_num_logs - low_complexity - low_disruption @@ -14369,6 +14665,7 @@ - NIST-800-53-AU-11 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_num_logs - low_complexity - low_disruption @@ -14390,6 +14687,7 @@ - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_space_left_action - low_complexity - low_disruption @@ -14433,6 +14731,7 @@ - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - auditd_data_retention_space_left_action - low_complexity - low_disruption @@ -14450,6 +14749,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2.6 - configure_strategy - file_groupowner_grub2_cfg - low_complexity @@ -14485,6 +14785,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2.6 - configure_strategy - file_groupowner_grub2_cfg - low_complexity @@ -14514,6 +14815,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2.6 - configure_strategy - file_groupowner_grub2_cfg - low_complexity @@ -14531,6 +14833,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_grub2_cfg - low_complexity @@ -14566,6 +14869,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_grub2_cfg - low_complexity @@ -14595,6 +14899,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-7.1 + - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_grub2_cfg - low_complexity @@ -14619,6 +14924,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14648,6 +14955,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14678,6 +14987,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14702,6 +15013,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14733,6 +15046,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14743,8 +15058,11 @@ - name: Ensure Log Files Are Owned By Appropriate Group - Extract log files old format ansible.builtin.shell: 'set -o pipefail - grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' - || true + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} | \ + + awk ''{print $NF}'' | \ + + sed -e ''s/^-//'' || true ' loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' @@ -14764,6 +15082,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14774,8 +15094,13 @@ - name: Ensure Log Files Are Owned By Appropriate Group - Extract log files new format ansible.builtin.shell: 'set -o pipefail - grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep - -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \ + + grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \ + + grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \ + + tr -d "\""|| true ' loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' @@ -14795,6 +15120,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14804,7 +15131,8 @@ - name: Ensure Log Files Are Owned By Appropriate Group - Sum all log files found ansible.builtin.set_fact: - log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results + | map(attribute=''stdout_lines'') | list | flatten | unique }}' when: - configure_strategy | bool - low_complexity | bool @@ -14819,6 +15147,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14829,7 +15159,7 @@ - name: Ensure Log Files Are Owned By Appropriate Group -Setup log files attribute ansible.builtin.file: path: '{{ item }}' - group: 0 + group: '0' state: file loop: '{{ log_files | list | flatten | unique }}' failed_when: false @@ -14847,6 +15177,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14871,6 +15203,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14900,6 +15234,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14930,6 +15266,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14954,6 +15292,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14985,6 +15325,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -14995,8 +15337,11 @@ - name: Ensure Log Files Are Owned By Appropriate User - Extract log files old format ansible.builtin.shell: 'set -o pipefail - grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' - || true + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} | \ + + awk ''{print $NF}'' | \ + + sed -e ''s/^-//'' || true ' loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' @@ -15016,6 +15361,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15026,8 +15373,13 @@ - name: Ensure Log Files Are Owned By Appropriate User - Extract log files new format ansible.builtin.shell: 'set -o pipefail - grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep - -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \ + + grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \ + + grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \ + + tr -d "\""|| true ' loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' @@ -15047,6 +15399,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15056,7 +15410,8 @@ - name: Ensure Log Files Are Owned By Appropriate User - Sum all log files found ansible.builtin.set_fact: - log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results + | map(attribute=''stdout_lines'') | list | flatten | unique }}' when: - configure_strategy | bool - low_complexity | bool @@ -15071,6 +15426,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15081,7 +15438,7 @@ - name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute ansible.builtin.file: path: '{{ item }}' - owner: 0 + owner: '0' state: file loop: '{{ log_files | list | flatten | unique }}' failed_when: false @@ -15099,6 +15456,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15123,6 +15482,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15152,6 +15513,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15182,6 +15545,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15206,6 +15571,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15237,6 +15604,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15247,8 +15616,11 @@ - name: Ensure System Log Files Have Correct Permissions - Extract log files old format ansible.builtin.shell: 'set -o pipefail - grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} |awk ''{print $NF}''|sed -e ''s/^-//'' - || true + grep -oP ''^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$'' {{ item.1.path }} | \ + + awk ''{print $NF}'' | \ + + sed -e ''s/^-//'' || true ' loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' @@ -15268,6 +15640,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15278,8 +15652,13 @@ - name: Ensure System Log Files Have Correct Permissions - Extract log files new format ansible.builtin.shell: 'set -o pipefail - grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep - -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true + grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \ + + grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \ + + grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \ + + tr -d "\""|| true ' loop: '{{ rsyslog_config_files.results | subelements(''files'') }}' @@ -15299,6 +15678,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15308,7 +15689,8 @@ - name: Ensure System Log Files Have Correct Permissions - Sum all log files found ansible.builtin.set_fact: - log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}' + log_files: '{{ log_files_new.results | map(attribute=''stdout_lines'') | list | flatten | unique + log_files_old.results + | map(attribute=''stdout_lines'') | list | flatten | unique }}' when: - configure_strategy | bool - low_complexity | bool @@ -15323,6 +15705,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15333,7 +15717,7 @@ - name: Ensure System Log Files Have Correct Permissions -Setup log files attribute ansible.builtin.file: path: '{{ item }}' - mode: 384 + mode: '0640' state: file loop: '{{ log_files | list | flatten | unique }}' failed_when: false @@ -15351,6 +15735,8 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 + - PCI-DSSv4-10.3.1 + - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -15376,6 +15762,7 @@ - CCE-80195-1 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - configure_strategy - ensure_logrotate_activated - low_complexity @@ -15401,6 +15788,7 @@ - CCE-80195-1 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - configure_strategy - ensure_logrotate_activated - low_complexity @@ -15433,6 +15821,7 @@ - CCE-80195-1 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - configure_strategy - ensure_logrotate_activated - low_complexity @@ -15448,6 +15837,7 @@ - CCE-80170-4 - NIST-800-53-CM-6(a) - PCI-DSS-Req-4.1 + - PCI-DSSv4-4.2.1 - enable_strategy - low_complexity - low_disruption @@ -15472,6 +15862,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_groupowner_etc_group - low_complexity @@ -15504,6 +15895,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_groupowner_etc_group - low_complexity @@ -15521,6 +15913,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_groupowner_etc_passwd - low_complexity @@ -15553,6 +15946,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_groupowner_etc_passwd - low_complexity @@ -15570,6 +15964,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_groupowner_etc_shadow - low_complexity @@ -15602,6 +15997,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_groupowner_etc_shadow - low_complexity @@ -15619,6 +16015,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_owner_etc_group - low_complexity @@ -15651,6 +16048,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_owner_etc_group - low_complexity @@ -15668,6 +16066,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_owner_etc_passwd - low_complexity @@ -15700,6 +16099,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_owner_etc_passwd - low_complexity @@ -15717,6 +16117,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_owner_etc_shadow - low_complexity @@ -15749,6 +16150,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_owner_etc_shadow - low_complexity @@ -15766,6 +16168,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_permissions_etc_group - low_complexity @@ -15798,6 +16201,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_permissions_etc_group - low_complexity @@ -15815,6 +16219,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_permissions_etc_passwd - low_complexity @@ -15847,6 +16252,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_permissions_etc_passwd - low_complexity @@ -15864,6 +16270,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_permissions_etc_shadow - low_complexity @@ -15896,6 +16303,7 @@ - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c + - PCI-DSSv4-7.2.6 - configure_strategy - file_permissions_etc_shadow - low_complexity @@ -15913,6 +16321,7 @@ - NIST-800-53-AU-8(1)(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.1 + - PCI-DSSv4-10.6.1 - enable_strategy - low_complexity - low_disruption @@ -15945,6 +16354,7 @@ - NIST-800-53-AU-8(1)(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.1 + - PCI-DSSv4-10.6.1 - enable_strategy - low_complexity - low_disruption @@ -15953,7 +16363,7 @@ - service_chronyd_or_ntpd_enabled - name: Start ntpd service if ntp installed - service: + systemd: name: ntpd enabled: 'yes' state: started @@ -15967,7 +16377,6 @@ - service_chronyd_or_ntpd_enabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - '''ntp'' in ansible_facts.packages' - ignore_errors: true tags: - CCE-27444-9 - NIST-800-171-3.3.7 @@ -15975,6 +16384,7 @@ - NIST-800-53-AU-8(1)(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.1 + - PCI-DSSv4-10.6.1 - enable_strategy - low_complexity - low_disruption @@ -15983,7 +16393,7 @@ - service_chronyd_or_ntpd_enabled - name: Start chronyd service if chrony or chronyd installed - service: + systemd: name: chronyd enabled: 'yes' state: started @@ -15997,7 +16407,6 @@ - service_chronyd_or_ntpd_enabled | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ('chrony' in ansible_facts.packages) or ('chronyd' in ansible_facts.packages) - ignore_errors: true tags: - CCE-27444-9 - NIST-800-171-3.3.7 @@ -16005,6 +16414,7 @@ - NIST-800-53-AU-8(1)(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.1 + - PCI-DSSv4-10.6.1 - enable_strategy - low_complexity - low_disruption @@ -16032,6 +16442,7 @@ - NIST-800-53-AU-8(2) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.3 + - PCI-DSSv4-10.6.2 - chronyd_or_ntpd_specify_multiple_servers - configure_strategy - low_complexity @@ -16062,6 +16473,7 @@ - NIST-800-53-AU-8(2) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.3 + - PCI-DSSv4-10.6.2 - chronyd_or_ntpd_specify_multiple_servers - configure_strategy - low_complexity @@ -16089,6 +16501,7 @@ - NIST-800-53-AU-8(2) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.3 + - PCI-DSSv4-10.6.2 - chronyd_or_ntpd_specify_multiple_servers - configure_strategy - low_complexity @@ -16119,6 +16532,7 @@ - NIST-800-53-AU-8(2) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.3 + - PCI-DSSv4-10.6.2 - chronyd_or_ntpd_specify_multiple_servers - configure_strategy - low_complexity @@ -16173,6 +16587,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - low_complexity - low_disruption - medium_severity @@ -16216,6 +16631,7 @@ - restrict_strategy | bool - sshd_set_idle_timeout | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_distribution == 'RedHat' and ansible_distribution_version is version('8.5', '<=') tags: - CCE-27433-2 - CJIS-5.5.6 @@ -16229,6 +16645,7 @@ - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 - PCI-DSS-Req-8.1.8 + - PCI-DSSv4-8.2.8 - low_complexity - low_disruption - medium_severity