From 6f31284f44a4db243f2dac0da9c294de1c2467b8 Mon Sep 17 00:00:00 2001
From: ComplianceAsCode development team
Date: Mon, 19 Jul 2021 10:28:40 -0400
Subject: [PATCH] Updated tasks/main.yml
---
 tasks/main.yml | 13105 +++++++++++++++++++++++++---------------------
 1 file changed, 6946 insertions(+), 6159 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 3d78441..485b7ad 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,3041 +1,2967 @@ -- name: Ensure PAM variable minlen is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*minlen - line: minlen = {{ var_password_pam_minlen }} +- name: Does prelink file exist + stat: + path: /etc/sysconfig/prelink + register: prelink_exists tags: - - CCE-27293-0 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010280 + - CCE-27078-5 + - CJIS-5.10.1.3 + - NIST-800-171-3.13.11 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_minlen + - NIST-800-53-SC-13 + - PCI-DSS-Req-11.5 + - disable_prelink - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy when: - - accounts_password_pam_minlen | bool + - disable_prelink | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool -- name: Ensure PAM variable ucredit is set accordingly +- name: disable prelinking lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*ucredit - line: ucredit = {{ var_password_pam_ucredit }} - tags: - - CCE-27200-5 - - DISA-STIG-RHEL-07-010120 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_ucredit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy + path: /etc/sysconfig/prelink + regexp: ^PRELINKING= + line: PRELINKING=no when: + - disable_prelink | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - accounts_password_pam_ucredit | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - -- name: Ensure PAM variable dcredit is set accordingly - lineinfile: - 
create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*dcredit - line: dcredit = {{ var_password_pam_dcredit }} + - prelink_exists.stat.exists tags: - - CCE-27214-6 - - DISA-STIG-RHEL-07-010140 + - CCE-27078-5 + - CJIS-5.10.1.3 + - NIST-800-171-3.13.11 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_dcredit + - NIST-800-53-SC-13 + - PCI-DSS-Req-11.5 + - disable_prelink - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + +- name: 'Set fact: Package manager reinstall command (dnf)' + set_fact: + package_manager_reinstall_cmd: dnf reinstall -y when: - - accounts_password_pam_dcredit | bool + - high_complexity | bool + - high_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - -- name: Ensure PAM variable lcredit is set accordingly - lineinfile: - create: true - dest: /etc/security/pwquality.conf - regexp: ^#?\s*lcredit - line: lcredit = {{ var_password_pam_lcredit }} + - rpm_verify_hashes | bool + - ansible_distribution == "Fedora" tags: - - CCE-27345-8 - - DISA-STIG-RHEL-07-010130 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(4) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - accounts_password_pam_lcredit - - low_complexity - - low_disruption - - medium_severity + - CCE-27157-7 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption - no_reboot_needed - restrict_strategy + - rpm_verify_hashes + +- name: 'Set fact: Package manager reinstall command (yum)' + set_fact: + package_manager_reinstall_cmd: yum reinstall -y 
when: + - high_complexity | bool + - high_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool - - accounts_password_pam_lcredit | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - -- name: Set Password Hashing Algorithm in /etc/libuser.conf - lineinfile: - dest: /etc/libuser.conf - insertafter: ^\s*\[defaults] - regexp: ^#?crypt_style - line: crypt_style = sha512 - state: present - create: true + - rpm_verify_hashes | bool + - (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") tags: - - CCE-82038-1 - - CJIS-5.6.2.2 - - DISA-STIG-RHEL-07-010220 - - NIST-800-171-3.13.11 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.1 - - low_complexity - - low_disruption - - medium_severity + - CCE-27157-7 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption - no_reboot_needed - restrict_strategy - - set_password_hashing_algorithm_libuserconf + - rpm_verify_hashes + +- name: Read files with incorrect hash + command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig + args: + warn: false + register: files_with_incorrect_hash + changed_when: false + failed_when: files_with_incorrect_hash.rc > 1 + check_mode: false when: + - high_complexity | bool + - high_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - - set_password_hashing_algorithm_libuserconf | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - -- name: Set Password Hashing Algorithm in /etc/login.defs - lineinfile: - dest: /etc/login.defs - regexp: ^#?ENCRYPT_METHOD - 
line: ENCRYPT_METHOD SHA512 - state: present - create: true + - rpm_verify_hashes | bool + - (package_manager_reinstall_cmd is defined) tags: - - CCE-82050-6 - - CJIS-5.6.2.2 - - DISA-STIG-RHEL-07-010210 - - NIST-800-171-3.13.11 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(c) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.1 - - low_complexity - - low_disruption - - medium_severity + - CCE-27157-7 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption - no_reboot_needed - restrict_strategy - - set_password_hashing_algorithm_logindefs + - rpm_verify_hashes + +- name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: false + with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'', ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') + | select(''match'', ''(\/.*)'') | list | unique }}' + register: list_of_packages + changed_when: false + check_mode: false when: + - high_complexity | bool + - high_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool - - set_password_hashing_algorithm_logindefs | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - -- name: Do not allow users to reuse recent passwords - system-auth (change) - replace: - dest: /etc/pam.d/system-auth - follow: true - regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ - replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> + - rpm_verify_hashes | bool + - files_with_incorrect_hash.stdout_lines is defined + - (files_with_incorrect_hash.stdout_lines | length > 0) tags: - - CCE-82030-8 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010270 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - 
PCI-DSS-Req-8.2.5 - - accounts_password_pam_unix_remember - - configure_strategy - - low_complexity + - CCE-27157-7 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity - medium_disruption - - medium_severity - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: Reinstall packages of files with incorrect hash + command: '{{ package_manager_reinstall_cmd }} ''{{ item }}''' + args: + warn: false + with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' when: - - no_reboot_needed | bool - - configure_strategy | bool - - medium_severity | bool + - high_complexity | bool + - high_severity | bool - medium_disruption | bool - - accounts_password_pam_unix_remember | bool - - low_complexity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - rpm_verify_hashes | bool + - files_with_incorrect_hash.stdout_lines is defined + - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) + tags: + - CCE-27157-7 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010020 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes -- name: Do not allow users to reuse recent passwords - system-auth (add) - replace: - dest: /etc/pam.d/system-auth - follow: true - regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ - replace: \g<0> remember={{ var_password_pam_unix_remember }} +- name: Read list of files with incorrect permissions + command: rpm -Va --nodeps 
--nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup + args: + warn: false + register: files_with_incorrect_permissions + failed_when: files_with_incorrect_permissions.rc > 1 + changed_when: false + check_mode: false tags: - - CCE-82030-8 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010270 - - NIST-800-171-3.5.8 - - NIST-800-53-IA-5(1)(e) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.5 - - accounts_password_pam_unix_remember - - configure_strategy - - low_complexity + - CCE-27209-6 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010010 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity - medium_disruption - - medium_severity - no_reboot_needed + - restrict_strategy + - rpm_verify_permissions when: - - no_reboot_needed | bool - - configure_strategy | bool - - medium_severity | bool + - high_complexity | bool + - high_severity | bool - medium_disruption | bool - - accounts_password_pam_unix_remember | bool - - low_complexity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - rpm_verify_permissions | bool -- name: Add auth pam_faillock preauth unlock_time before pam_unix.so - pamd: - name: '{{ item }}' - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: required - new_module_path: pam_faillock.so - module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} - state: before - loop: - - system-auth - - password-auth +- name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: false + with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'', ''^[.]+[M]+.* (\/.*)'', ''\1'') | + map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}' + register: list_of_packages + 
changed_when: false + check_mode: false + when: + - high_complexity | bool + - high_severity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - rpm_verify_permissions | bool + - (files_with_incorrect_permissions.stdout_lines | length > 0) tags: - - CCE-26884-7 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-27209-6 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010010 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time - - low_complexity - - low_disruption - - medium_severity + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption - no_reboot_needed - restrict_strategy + - rpm_verify_permissions + +- name: Correct file permissions with RPM + command: rpm --setperms '{{ item }}' + args: + warn: false + with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' when: + - high_complexity | bool + - high_severity | bool + - medium_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - accounts_passwords_pam_faillock_unlock_time | bool - - low_disruption | bool - - low_complexity | bool + - rpm_verify_permissions | bool + - (files_with_incorrect_permissions.stdout_lines | length > 0) + tags: + - CCE-27209-6 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-010010 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_permissions -- name: Add unlock_time argument to 
pam_faillock preauth - pamd: - name: '{{ item }}' - type: auth - control: required - module_path: pam_faillock.so - module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} - state: args_present - loop: - - system-auth - - password-auth +- name: Ensure aide is installed + package: + name: aide + state: present + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_aide_installed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26884-7 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-27096-7 + - CJIS-5.10.1.3 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - PCI-DSS-Req-11.5 + - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - package_aide_installed + +- name: Ensure AIDE is installed + package: + name: '{{ item }}' + state: present + with_items: + - aide when: + - aide_build_database | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - accounts_passwords_pam_faillock_unlock_time | bool - - low_disruption | bool - - low_complexity | bool - -- name: Add auth pam_faillock authfail unlock_interval after pam_unix.so - pamd: - name: '{{ item }}' - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: '[default=die]' - new_module_path: pam_faillock.so - module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} - state: after - loop: - - system-auth - - password-auth + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26884-7 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - 
NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-27220-3 + - CJIS-5.10.1.3 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - PCI-DSS-Req-11.5 + - aide_build_database - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + +- name: Build and Test AIDE Database + command: /usr/sbin/aide --init + changed_when: true when: + - aide_build_database | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - accounts_passwords_pam_faillock_unlock_time | bool - - low_disruption | bool - - low_complexity | bool - -- name: Add unlock_time argument to auth pam_faillock authfail - pamd: - name: '{{ item }}' - type: auth - control: '[default=die]' - module_path: pam_faillock.so - module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} - state: args_present - loop: - - system-auth - - password-auth + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26884-7 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-27220-3 + - CJIS-5.10.1.3 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - PCI-DSS-Req-11.5 + - aide_build_database - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + +- name: Check whether the stock AIDE Database exists + stat: + path: /var/lib/aide/aide.db.new.gz + register: aide_database_stat when: + - aide_build_database | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - accounts_passwords_pam_faillock_unlock_time | bool - - low_disruption | bool - - low_complexity | bool - -- name: Add account pam_faillock before pam_unix.so - pamd: - name: 
'{{ item }}' - type: account - control: required - module_path: pam_unix.so - new_type: account - new_control: required - new_module_path: pam_faillock.so - state: before - loop: - - system-auth - - password-auth + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26884-7 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(b) + - CCE-27220-3 + - CJIS-5.10.1.3 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.7 - - accounts_passwords_pam_faillock_unlock_time + - PCI-DSS-Req-11.5 + - aide_build_database - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + +- name: Stage AIDE Database + copy: + src: /var/lib/aide/aide.db.new.gz + dest: /var/lib/aide/aide.db.gz + backup: true + remote_src: true when: + - aide_build_database | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - accounts_passwords_pam_faillock_unlock_time | bool - - low_disruption | bool - - low_complexity | bool - -- name: Add auth pam_faillock preauth deny before pam_unix.so - pamd: - name: '{{ item }}' - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: required - new_module_path: pam_faillock.so - module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }} - state: before - loop: - - system-auth - - password-auth + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists) tags: - - CCE-27350-8 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(a) + - CCE-27220-3 + - CJIS-5.10.1.3 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.6 - - accounts_passwords_pam_faillock_deny + - PCI-DSS-Req-11.5 + - aide_build_database - low_complexity - low_disruption - 
medium_severity - no_reboot_needed - restrict_strategy + +- name: Ensure AIDE is installed + package: + name: '{{ item }}' + state: present + with_items: + - aide when: - - accounts_passwords_pam_faillock_deny | bool + - aide_periodic_cron_checking | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - -- name: Add deny argument to auth pam_faillock preauth - pamd: - name: '{{ item }}' - type: auth - control: required - module_path: pam_faillock.so - module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }} - state: args_present - loop: - - system-auth - - password-auth + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27350-8 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(a) + - CCE-26952-2 + - CJIS-5.10.1.3 + - DISA-STIG-RHEL-07-020030 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.6 - - accounts_passwords_pam_faillock_deny + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - PCI-DSS-Req-11.5 + - aide_periodic_cron_checking - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy + +- name: Configure Periodic Execution of AIDE + cron: + name: run AIDE check + minute: 5 + hour: 4 + weekday: 0 + user: root + job: /usr/sbin/aide --check when: - - accounts_passwords_pam_faillock_deny | bool + - aide_periodic_cron_checking | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - -- name: Add auth pam_faillock authfail deny after pam_unix.so - pamd: - name: '{{ item }}' - type: auth - control: sufficient - module_path: pam_unix.so - new_type: auth - new_control: '[default=die]' - new_module_path: 
pam_faillock.so - module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }} - state: after - loop: - - system-auth - - password-auth + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27350-8 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(a) + - CCE-26952-2 + - CJIS-5.10.1.3 + - DISA-STIG-RHEL-07-020030 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.6 - - accounts_passwords_pam_faillock_deny + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - PCI-DSS-Req-11.5 + - aide_periodic_cron_checking - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - when: - - accounts_passwords_pam_faillock_deny | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool -- name: Add deny argument to auth pam_faillock authfail - pamd: - name: '{{ item }}' - type: auth - new_type: auth - control: '[default=die]' - module_path: pam_faillock.so - module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }} - state: args_present - loop: - - system-auth - - password-auth +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27350-8 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(a) + - CCE-80111-8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010100 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.6 - - accounts_passwords_pam_faillock_deny + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy when: - - accounts_passwords_pam_faillock_deny | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - 
dconf_gnome_screensaver_idle_activation_enabled | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool -- name: Add account pam_faillock before pam_unix.so - pamd: - name: '{{ item }}' - type: account - control: required - module_path: pam_unix.so - new_type: account - new_control: required - new_module_path: pam_faillock.so - state: before - loop: - - system-auth - - password-auth +- name: Enable GNOME3 Screensaver Idle Activation + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: idle-activation-enabled + value: 'true' + create: true + no_extra_spaces: true + when: + - dconf_gnome_screensaver_idle_activation_enabled | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27350-8 - - CJIS-5.5.3 - - DISA-STIG-RHEL-07-010320 - - NIST-800-171-3.1.8 - - NIST-800-53-AC-7(a) + - CCE-80111-8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010100 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.6 - - accounts_passwords_pam_faillock_deny + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy - when: - - accounts_passwords_pam_faillock_deny | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + - unknown_strategy -- name: Set Password Maximum Age +- name: Prevent user modification of GNOME idle-activation-enabled lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: 
^/org/gnome/desktop/screensaver/idle-activation-enabled$ + line: /org/gnome/desktop/screensaver/idle-activation-enabled create: true - dest: /etc/login.defs - regexp: ^#?PASS_MAX_DAYS - line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} + when: + - dconf_gnome_screensaver_idle_activation_enabled | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27051-2 - - CJIS-5.6.2.1 - - DISA-STIG-RHEL-07-010250 - - NIST-800-171-3.5.6 + - CCE-80111-8 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010100 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(d) - - NIST-800-53-IA-5(f) - - PCI-DSS-Req-8.2.4 - - accounts_maximum_age_login_defs + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy + +- name: Dconf Update + command: dconf update when: - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - accounts_maximum_age_login_defs | bool - - low_disruption | bool + - dconf_gnome_screensaver_idle_activation_enabled | bool - low_complexity | bool - -- name: Set Account Expiration Following Inactivity - lineinfile: - create: true - dest: /etc/default/useradd - regexp: ^INACTIVE - line: INACTIVE={{ var_account_disable_post_pw_expiration }} + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27355-7 - - CJIS-5.6.2.1.1 - - DISA-STIG-RHEL-07-010310 - - NIST-800-171-3.5.6 - - NIST-800-53-AC-2(3) + - CCE-80111-8 + - CJIS-5.5.5 + 
- DISA-STIG-RHEL-07-010100 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-4(e) - - PCI-DSS-Req-8.1.4 - - account_disable_post_pw_expiration + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_enabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy - when: - - account_disable_post_pw_expiration | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + - unknown_strategy -- name: Prevent Log In to Accounts With Empty Password - system-auth - replace: - dest: /etc/pam.d/system-auth - follow: true - regexp: nullok +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27286-4 - - CJIS-5.5.2 - - DISA-STIG-RHEL-07-010290 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 + - CCE-80110-0 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010070 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - configure_strategy - - high_severity + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption - - no_empty_passwords + - medium_severity - no_reboot_needed + - unknown_strategy when: - - no_empty_passwords | bool - - no_reboot_needed | bool - - high_severity | bool - - configure_strategy | bool - - medium_disruption | bool + - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool -- name: Prevent Log In to Accounts With Empty Password - password-auth - replace: - dest: /etc/pam.d/password-auth - follow: true - regexp: nullok +- name: Set GNOME3 Screensaver Inactivity Timeout + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/session + option: idle-delay + value: uint32 
{{ inactivity_timeout_value }} + create: true + no_extra_spaces: true + when: + - dconf_gnome_screensaver_idle_delay | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27286-4 - - CJIS-5.5.2 - - DISA-STIG-RHEL-07-010290 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 + - CCE-80110-0 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010070 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - configure_strategy - - high_severity + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay - low_complexity - medium_disruption - - no_empty_passwords + - medium_severity - no_reboot_needed - when: - - no_empty_passwords | bool - - no_reboot_needed | bool - - high_severity | bool - - configure_strategy | bool - - medium_disruption | bool - - low_complexity | bool + - unknown_strategy -- name: Enable service auditd - block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable service auditd - service: - name: auditd - enabled: 'yes' - state: started - when: - - '"audit" in ansible_facts.packages' +- name: Prevent user modification of GNOME idle-delay + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/session/idle-delay$ + line: /org/gnome/desktop/session/idle-delay + create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - high_severity | bool - - enable_strategy | bool + - dconf_gnome_screensaver_idle_delay | bool - low_complexity | bool - - low_disruption | bool - - service_auditd_enabled | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - 
unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27407-6 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030000 - - NIST-800-171-3.3.1 - - NIST-800-171-3.3.2 - - NIST-800-171-3.3.6 - - NIST-800-53-AC-2(g) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-10 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-14(1) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 + - CCE-80110-0 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010070 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.1 - - enable_strategy - - high_severity + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay - low_complexity - - low_disruption + - medium_disruption + - medium_severity - no_reboot_needed - - service_auditd_enabled + - unknown_strategy -- name: check audit argument exists - command: grep 'GRUB_CMDLINE_LINUX.*audit=' /etc/default/grub - failed_when: false - register: argcheck +- name: Dconf Update + command: dconf update when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - grub2_audit_argument | bool - - restrict_strategy | bool - - reboot_required | bool + - dconf_gnome_screensaver_idle_delay | bool + - low_complexity | bool + - medium_disruption | bool - medium_severity | bool - - medium_complexity | bool - - low_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27212-0 - - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) + - CCE-80110-0 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010070 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument - - low_disruption - - medium_complexity + - PCI-DSS-Req-8.1.8 + - 
dconf_gnome_screensaver_idle_delay + - low_complexity + - medium_disruption - medium_severity - - reboot_required - - restrict_strategy + - no_reboot_needed + - unknown_strategy -- name: replace existing audit argument - replace: - path: /etc/default/grub - regexp: audit=\w+ - replace: audit=1 - when: - - argcheck.rc == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - grub2_audit_argument | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - medium_complexity | bool - - low_disruption | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27212-0 - - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) + - CCE-80112-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 + - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument - - low_disruption - - medium_complexity + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled + - low_complexity + - medium_disruption - medium_severity - - reboot_required - - restrict_strategy - -- name: add audit argument - replace: - path: /etc/default/grub - regexp: (GRUB_CMDLINE_LINUX=.*)" - replace: \1 audit=1" + - no_reboot_needed + - unknown_strategy when: - - argcheck.rc != 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - grub2_audit_argument | bool - - restrict_strategy | bool - - reboot_required | bool + - dconf_gnome_screensaver_lock_enabled | bool + - low_complexity | bool + - medium_disruption | bool - medium_severity | bool - - medium_complexity | bool - - low_disruption | bool - tags: - - CCE-27212-0 - - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) - - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument - - low_disruption - - medium_complexity - - 
medium_severity - - reboot_required - - restrict_strategy + - no_reboot_needed | bool + - unknown_strategy | bool -- name: update bootloader menu - command: /sbin/grubby --update-kernel=ALL --args="audit=1" +- name: Dconf Update + command: dconf update when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - grub2_audit_argument | bool - - restrict_strategy | bool - - reboot_required | bool + - dconf_gnome_screensaver_lock_enabled | bool + - low_complexity | bool + - medium_disruption | bool - medium_severity | bool - - medium_complexity | bool - - low_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_distribution == 'SLES' tags: - - CCE-27212-0 - - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) + - CCE-80112-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 + - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument - - low_disruption - - medium_complexity + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled + - low_complexity + - medium_disruption - medium_severity - - reboot_required - - restrict_strategy + - no_reboot_needed + - unknown_strategy -- name: Configure auditd Max Log File Size - lineinfile: - dest: /etc/audit/auditd.conf - regexp: ^\s*max_log_file\s*=\s*.*$ - line: max_log_file = {{ var_auditd_max_log_file }} - state: present +- name: Enable GNOME3 Screensaver Lock After Idle Period + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: lock-enabled + value: 'true' create: true + no_extra_spaces: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - auditd_data_retention_max_log_file | bool - - 
restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27319-3 - - CJIS-5.4.1.1 - - NIST-800-53-AU-11 + - CCE-80112-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 + - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_max_log_file + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Configure auditd space_left Action on Low Disk Space +- name: Prevent user modification of GNOME lock-enabled lineinfile: - dest: /etc/audit/auditd.conf - line: space_left_action = {{ var_auditd_space_left_action }} - regexp: ^\s*space_left_action\s*=\s*.*$ - state: present + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-enabled$ + line: /org/gnome/desktop/screensaver/lock-enabled create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - auditd_data_retention_space_left_action | bool - - medium_severity | bool - - low_disruption | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27375-5 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030340 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - 
NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) + - CCE-80112-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 + - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_space_left_action + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size - lineinfile: - dest: /etc/audit/auditd.conf - line: max_log_file_action = {{ var_auditd_max_log_file_action }} - regexp: ^\s*max_log_file_action\s*=\s*.*$ - state: present - create: true +- name: Check GNOME3 screenserver disable-lock-screen false + command: gsettings get org.gnome.desktop.lockdown disable-lock-screen + register: cmd_out when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" + - dconf_gnome_screensaver_lock_enabled | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - auditd_data_retention_max_log_file_action | bool - - low_complexity | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_distribution == 'SLES' tags: - - CCE-27231-0 - - CJIS-5.4.1.1 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) + - CCE-80112-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 + - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_max_log_file_action + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: enable syslog plugin - lineinfile: - dest: 
/etc/audisp/plugins.d/syslog.conf - regexp: ^active - line: active = yes - create: true +- name: Update GNOME3 screenserver disable-lock-screen false + command: gsettings set org.gnome.desktop.lockdown disable-lock-screen false when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - auditd_audispd_syslog_plugin_activated | bool - - no_reboot_needed | bool - - medium_severity | bool - - configure_strategy | bool - - low_disruption | bool + - dconf_gnome_screensaver_lock_enabled | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_distribution == 'SLES' tags: - - CCE-27341-7 - - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-4(1) + - CCE-80112-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 + - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.3 - - auditd_audispd_syslog_plugin_activated - - configure_strategy + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed + - unknown_strategy -- name: Configure auditd Number of Logs Retained - lineinfile: - dest: /etc/audit/auditd.conf - line: num_logs = {{ var_auditd_num_logs }} - regexp: ^\s*num_logs\s*=\s*.*$ - state: present - create: true +- name: Dconf Update + command: dconf update when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - auditd_data_retention_num_logs | bool - - restrict_strategy | bool + - dconf_gnome_screensaver_lock_enabled | bool + - low_complexity | bool + - medium_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27348-2 - - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-11 + - CCE-80112-6 + - CJIS-5.5.5 + - DISA-STIG-RHEL-07-010060 + - NIST-800-171-3.1.10 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_num_logs + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Configure auditd mail_acct Action on Low Disk Space - lineinfile: - dest: /etc/audit/auditd.conf - line: action_mail_acct = {{ var_auditd_action_mail_acct }} - state: present - create: true - when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - auditd_data_retention_action_mail_acct | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27394-6 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030350 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(a) + - CCE-80113-4 + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) + - NIST-800-53-AC-11(1).1 - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1) - - PCI-DSS-Req-10.7.a - - auditd_data_retention_action_mail_acct + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_mode_blank - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy + when: + - dconf_gnome_screensaver_mode_blank | bool + - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool -- name: Configure auditd admin_space_left Action on Low Disk Space - lineinfile: - dest: /etc/audit/auditd.conf - line: admin_space_left_action = {{ 
var_auditd_admin_space_left_action }} - regexp: ^\s*admin_space_left_action\s*=\s*.*$ - state: present +- name: Implement Blank Screensaver + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: picture-uri + value: string '' create: true + no_extra_spaces: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - - restrict_strategy | bool - - auditd_data_retention_admin_space_left_action | bool - - low_disruption | bool + - dconf_gnome_screensaver_mode_blank | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27370-6 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030340 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-5(1) - - NIST-800-53-AU-5(2) - - NIST-800-53-AU-5(4) - - NIST-800-53-AU-5(b) + - CCE-80113-4 + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) + - NIST-800-53-AC-11(1).1 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - auditd_data_retention_admin_space_left_action + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_mode_blank - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*/etc/sudoers.*$ - patterns: '*.rules' - register: find_audit_sysadmin_actions +- name: Prevent user modification of GNOME picture-uri + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/picture-uri$ + line: /org/gnome/desktop/screensaver/picture-uri + create: true when: - - ansible_virtualization_role != 
"guest" or ansible_virtualization_type != "docker" - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - dconf_gnome_screensaver_mode_blank | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27461-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-80113-4 + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) + - NIST-800-53-AC-11(1).1 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_mode_blank - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule - set_fact: - all_sysadmin_actions_files: - - /etc/audit/rules.d/actions.rules +- name: Dconf Update + command: dconf update when: - - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - dconf_gnome_screensaver_mode_blank | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27461-3 - - CJIS-5.4.1.1 
- - DISA-STIG-RHEL-07-030700 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-80113-4 + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) + - NIST-800-53-AC-11(1).1 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_mode_blank - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_sysadmin_actions_files: - - '{{ find_audit_sysadmin_actions.files | map(attribute=''path'') | list | first }}' - when: - - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27461-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26989-4 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020050 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy - -- name: Inserts/replaces audit rule for /etc/sudoers 
rule in rules.d - lineinfile: - path: '{{ all_sysadmin_actions_files[0] }}' - line: -w /etc/sudoers -p wa -k actions - create: true + - unknown_strategy when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_sysadmin_actions | bool + - ensure_gpgcheck_globally_activated | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - unknown_strategy | bool + +- name: Check existence of yum on Fedora + stat: + path: /etc/yum.conf + register: yum_config_file + check_mode: false + when: + - ensure_gpgcheck_globally_activated | bool + - high_severity | bool - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" tags: - - CCE-27461-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26989-4 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020050 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d - lineinfile: - path: '{{ all_sysadmin_actions_files[0] }}' - line: -w /etc/sudoers.d/ -p wa -k actions - create: true +- name: Ensure GPG check is globally activated (yum) + ini_file: + dest: /etc/yum.conf + 
section: main + option: gpgcheck + value: 1 + no_extra_spaces: true + create: false when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - ensure_gpgcheck_globally_activated | bool + - high_severity | bool - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"yum" in ansible_facts.packages' + - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) tags: - - CCE-27461-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26989-4 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020050 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -w /etc/sudoers -p wa -k actions - create: true +- name: Ensure GPG check is globally activated (dnf) + ini_file: + dest: /etc/dnf/dnf.conf + section: main + option: gpgcheck + value: 1 + no_extra_spaces: true + create: false when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool - - 
restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - ensure_gpgcheck_globally_activated | bool + - high_severity | bool - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - unknown_strategy | bool + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" tags: - - CCE-27461-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26989-4 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020050 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -w /etc/sudoers.d/ -p wa -k actions - create: true - when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_sysadmin_actions | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Grep for yum repo section names + shell: 'set -o pipefail + + grep -HEr ''^\[.+\]'' -r /etc/yum.repos.d/ + + ' + register: repo_grep_results + ignore_errors: true + changed_when: false tags: - - CCE-27461-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030700 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26876-3 + - CJIS-5.10.4.1 + - 
NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - enable_strategy + - ensure_gpgcheck_never_disabled + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy - -- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - enable_strategy | bool + - ensure_gpgcheck_never_disabled | bool + - high_severity | bool - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + +- name: Set gpgcheck=1 for each yum repo + ini_file: + path: '{{ item[0] }}' + section: '{{ item[1] }}' + option: gpgcheck + value: '1' + no_extra_spaces: true + loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26876-3 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - enable_strategy + - ensure_gpgcheck_never_disabled + - high_severity - low_complexity - - low_disruption - - 
medium_severity - - reboot_required - - restrict_strategy - -- name: Search /etc/audit/rules.d for other rules with specified key session - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)session$ - patterns: '*.rules' - register: find_watch_key + - medium_disruption + - no_reboot_needed when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - enable_strategy | bool + - ensure_gpgcheck_never_disabled | bool + - high_severity | bool - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + +- name: Read permission of GPG key directory + stat: + path: /etc/pki/rpm-gpg/ + register: gpg_key_directory_permission + check_mode: false tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26957-1 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed - restrict_strategy - -- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/session.rules when: - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool + - 
ensure_redhat_gpgkey_installed | bool + - high_severity | bool + - medium_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + +- name: Read signatures in GPG key + command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + args: + warn: false + changed_when: false + register: gpg_fingerprints + check_mode: false tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26957-1 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed - restrict_strategy - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool + - ensure_redhat_gpgkey_installed | bool + - high_severity | bool + - medium_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + +- name: Set Fact - Installed GPG Fingerprints + set_fact: + gpg_installed_fingerprints: '{{ gpg_fingerprints.stdout | regex_findall(''^pub.* + + (?:^fpr[:]*)([0-9A-Fa-f]*)'', 
''\1'') | list }}' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26957-1 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed - restrict_strategy - -- name: Add watch rule for /var/run/utmp in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /var/run/utmp -p wa -k session - create: true when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool + - ensure_redhat_gpgkey_installed | bool + - high_severity | bool + - medium_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + +- name: Set Fact - Valid fingerprints + set_fact: + gpg_valid_fingerprints: ("567E347AD0044ADE55BA8A5F199E2F91FD431D51" "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0") tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26957-1 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed - 
restrict_strategy - -- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool + - ensure_redhat_gpgkey_installed | bool + - high_severity | bool + - medium_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy -- name: Add watch rule for /var/run/utmp in /etc/audit/audit.rules - lineinfile: - line: -w /var/run/utmp -p wa -k session +- name: Import RedHat GPG key + rpm_key: state: present - dest: /etc/audit/audit.rules - create: true + key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release when: - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool + - ensure_redhat_gpgkey_installed | bool + - high_severity | bool + - medium_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + - gpg_key_directory_permission.stat.mode <= '0755' + - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 + - gpg_installed_fingerprints | length > 0 + - ansible_distribution == "RedHat" tags: - - 
CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-26957-1 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events - - low_complexity - - low_disruption - - medium_severity - - reboot_required + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Security patches are up to date + package: + name: '*' + state: latest + tags: + - CCE-26895-3 + - CJIS-5.10.4.1 + - DISA-STIG-RHEL-07-020260 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - PCI-DSS-Req-6.2 + - high_disruption + - high_severity + - low_complexity + - patch_strategy + - reboot_required + - security_patches_up_to_date + - skip_ansible_lint when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - high_disruption | bool + - high_severity | bool - low_complexity | bool + - patch_strategy | bool + - reboot_required | bool + - security_patches_up_to_date | bool + - skip_ansible_lint | bool + +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27275-7 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-040530 + - NIST-800-53-AC-9(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.4 + - 
configure_strategy + - display_login_attempts - low_complexity - low_disruption - - medium_severity - - reboot_required - - restrict_strategy + - low_severity + - no_reboot_needed + when: + - configure_strategy | bool + - display_login_attempts | bool + - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool -- name: Search /etc/audit/rules.d for other rules with specified key session +- name: Check if pam_lastlog.so is set find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)session$ - patterns: '*.rules' - register: find_watch_key + path: /etc/pam.d/ + pattern: postlogin + contains: ^\s*(session)(\s+)[^\s]+(\s+)(pam_lastlog\.so)(\s+)(.*) + register: pam_lastlog_exists when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - configure_strategy | bool + - display_login_attempts | bool - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27275-7 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-040530 + - NIST-800-53-AC-9(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.4 + - configure_strategy + - display_login_attempts - low_complexity - low_disruption - - medium_severity - - reboot_required - - restrict_strategy + - low_severity + - no_reboot_needed -- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/session.rules +- name: Make sure pam_lastlog.so control is required + replace: + path: /etc/pam.d/postlogin + regexp: 
^\s*(session)(\s+)[^\s]+(\s+)(pam_lastlog\.so)(\s+)(.*) + replace: \1\2required\3\4\5\6 + register: control_update_result when: - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - configure_strategy | bool + - display_login_attempts | bool - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27275-7 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-040530 + - NIST-800-53-AC-9(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.4 + - configure_strategy + - display_login_attempts - low_complexity - low_disruption - - medium_severity - - reboot_required - - restrict_strategy + - low_severity + - no_reboot_needed -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' +- name: Add control for pam_lastlog.so module + lineinfile: + path: /etc/pam.d/postlogin + line: session required pam_lastlog.so showfailed when: - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - configure_strategy | bool + - display_login_attempts | bool - low_complexity | 
bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - pam_lastlog_exists.matched == 0 + register: add_new_pam_lastlog_control_result tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27275-7 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-040530 + - NIST-800-53-AC-9(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.4 + - configure_strategy + - display_login_attempts - low_complexity - low_disruption - - medium_severity - - reboot_required - - restrict_strategy + - low_severity + - no_reboot_needed -- name: Add watch rule for /var/log/btmp in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /var/log/btmp -p wa -k session - create: true +- name: Add 'showfailed' arg to pam_lastlog.so module + pamd: + name: postlogin + type: session + control: required + module_path: pam_lastlog.so + module_arguments: showfailed + state: args_present when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - configure_strategy | bool + - display_login_attempts | bool - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - not add_new_pam_lastlog_control_result.changed tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27275-7 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-040530 + - NIST-800-53-AC-9(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.4 + - configure_strategy + - display_login_attempts - low_complexity - 
low_disruption - - medium_severity - - reboot_required - - restrict_strategy + - low_severity + - no_reboot_needed -- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: Remove 'silent' arg for pam_lastlog.so module + pamd: + name: postlogin + type: session + control: required + module_path: pam_lastlog.so + module_arguments: silent + state: args_absent when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - configure_strategy | bool + - display_login_attempts | bool - low_complexity | bool + - low_disruption | bool + - low_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' + - not add_new_pam_lastlog_control_result.changed tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27275-7 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-040530 + - NIST-800-53-AC-9(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.4 + - configure_strategy + - display_login_attempts - low_complexity - low_disruption - - medium_severity - - reboot_required - - restrict_strategy + - low_severity + - no_reboot_needed -- name: Add watch rule for /var/log/btmp in /etc/audit/audit.rules - lineinfile: - line: -w /var/log/btmp -p wa -k session - state: present - dest: /etc/audit/audit.rules - create: true - when: - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - 
- medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - CCE-82030-8 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010270 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy - low_complexity - - low_disruption + - medium_disruption - medium_severity - - reboot_required - - restrict_strategy - -- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d + - no_reboot_needed when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool + - accounts_password_pam_unix_remember | bool + - configure_strategy | bool + - low_complexity | bool + - medium_disruption | bool - medium_severity | bool - - low_disruption | bool + - no_reboot_needed | bool + +- name: Do not allow users to reuse recent passwords - system-auth (change) + replace: + dest: /etc/pam.d/system-auth + regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ + replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> + when: + - accounts_password_pam_unix_remember | bool + - configure_strategy | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - 
audit_rules_session_events + - CCE-82030-8 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010270 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy - low_complexity - - low_disruption + - medium_disruption - medium_severity - - reboot_required - - restrict_strategy + - no_reboot_needed -- name: Search /etc/audit/rules.d for other rules with specified key session - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)session$ - patterns: '*.rules' - register: find_watch_key +- name: Do not allow users to reuse recent passwords - system-auth (add) + replace: + dest: /etc/pam.d/system-auth + regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ + replace: \g<0> remember={{ var_password_pam_unix_remember }} when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - accounts_password_pam_unix_remember | bool + - configure_strategy | bool - low_complexity | bool + - medium_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - CCE-82030-8 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010270 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy - low_complexity - - low_disruption + - medium_disruption - medium_severity - - reboot_required - - restrict_strategy + - no_reboot_needed -- name: Use 
/etc/audit/rules.d/session.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/session.rules - when: - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27350-8 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool + - accounts_passwords_pam_faillock_deny | bool + - low_complexity | bool - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Add auth pam_faillock preauth deny before pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + 
new_control: required + new_module_path: pam_faillock.so + module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }} + state: before + loop: + - system-auth + - password-auth + when: + - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27350-8 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /var/log/wtmp -p wa -k session - create: true +- name: Add deny argument to auth pam_faillock preauth + pamd: + name: '{{ item }}' + type: auth + control: required + module_path: pam_faillock.so + module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }} + state: args_present + loop: + - system-auth + - password-auth when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - 
NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27350-8 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: Add auth pam_faillock authfail deny after pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }} + state: after + loop: + - system-auth + - password-auth when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27350-8 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /var/log/wtmp in 
/etc/audit/audit.rules - lineinfile: - line: -w /var/log/wtmp -p wa -k session - state: present - dest: /etc/audit/audit.rules - create: true +- name: Add deny argument to auth pam_faillock authfail + pamd: + name: '{{ item }}' + type: auth + new_type: auth + control: '[default=die]' + module_path: pam_faillock.so + module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }} + state: args_present + loop: + - system-auth + - password-auth when: - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_session_events | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27301-1 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27350-8 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Add account pam_faillock before pam_unix.so + pamd: + name: '{{ item }}' + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: required + new_module_path: pam_faillock.so + state: before + loop: + - system-auth + - 
password-auth when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_mac_modification | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27168-4 - - CJIS-5.4.1.1 + - CCE-27350-8 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)MAC-policy$ - patterns: '*.rules' - register: find_watch_key - when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_mac_modification | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27168-4 - - CJIS-5.4.1.1 + - CCE-26884-7 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - 
restrict_strategy - -- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/MAC-policy.rules when: - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_mac_modification | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool + - accounts_passwords_pam_faillock_unlock_time | bool + - low_complexity | bool - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Add auth pam_faillock preauth unlock_time before pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: required + new_module_path: pam_faillock.so + module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} + state: before + loop: + - system-auth + - password-auth + when: + - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27168-4 - - CJIS-5.4.1.1 + - CCE-26884-7 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' +- name: Add 
unlock_time argument to pam_faillock preauth + pamd: + name: '{{ item }}' + type: auth + control: required + module_path: pam_faillock.so + module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} + state: args_present + loop: + - system-auth + - password-auth when: - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_mac_modification | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27168-4 - - CJIS-5.4.1.1 + - CCE-26884-7 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/selinux/ in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/selinux/ -p wa -k MAC-policy - create: true +- name: Add auth pam_faillock authfail unlock_interval after pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} + state: after + loop: + - system-auth + - password-auth when: - - 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_mac_modification | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27168-4 - - CJIS-5.4.1.1 + - CCE-26884-7 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: Add unlock_time argument to auth pam_faillock authfail + pamd: + name: '{{ item }}' + type: auth + control: '[default=die]' + module_path: pam_faillock.so + module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} + state: args_present + loop: + - system-auth + - password-auth when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_mac_modification | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + 
- '"pam" in ansible_facts.packages' tags: - - CCE-27168-4 - - CJIS-5.4.1.1 + - CCE-26884-7 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/selinux/ in /etc/audit/audit.rules - lineinfile: - line: -w /etc/selinux/ -p wa -k MAC-policy - state: present - dest: /etc/audit/audit.rules - create: true +- name: Add account pam_faillock before pam_unix.so + pamd: + name: '{{ item }}' + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: required + new_module_path: pam_faillock.so + state: before + loop: + - system-auth + - password-auth when: - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_mac_modification | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27168-4 - - CJIS-5.4.1.1 + - CCE-26884-7 + - CJIS-5.5.3 + - DISA-STIG-RHEL-07-010320 - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: 
Set architecture for audit media export tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27214-6 + - DISA-STIG-RHEL-07-010140 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_dcredit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - -- name: Check if the rule for x86_64 is already present in /etc/audit/rules.d/* - find: - paths: /etc/audit/rules.d/ - contains: ^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+mount\s+-F\s+auid>=1000\s+-F\s+auid!=unset(\s|$)+ - patterns: '*.rules' - register: find_existing_media_export_64_rules_d when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool + - accounts_password_pam_dcredit | bool + - low_complexity | bool - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Ensure PAM variable dcredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*dcredit + line: dcredit = {{ var_password_pam_dcredit }} + when: + - accounts_password_pam_dcredit | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool 
+ - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27214-6 + - DISA-STIG-RHEL-07-010140 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_dcredit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if the rule for x86 is already present in /etc/audit/rules.d/* - find: - paths: /etc/audit/rules.d/ - contains: ^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+mount\s+-F\s+auid>=1000\s+-F\s+auid!=unset(\s|$)+ - patterns: '*.rules' - register: find_existing_media_export_32_rules_d - when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27345-8 + - DISA-STIG-RHEL-07-010130 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_lcredit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - -- name: Check if the rule for x86_64 is already present in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+mount\s+-F\s+auid>=1000\s+-F\s+auid!=unset(\s|$)+ - 
patterns: audit.rules - register: find_existing_media_export_64_audit_rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool + - accounts_password_pam_lcredit | bool + - low_complexity | bool - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Ensure PAM variable lcredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*lcredit + line: lcredit = {{ var_password_pam_lcredit }} + when: + - accounts_password_pam_lcredit | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27345-8 + - DISA-STIG-RHEL-07-010130 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_lcredit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if the rule for x86 is already present in /etc/audit/rules.d/* - find: - paths: /etc/audit/ - contains: ^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+mount\s+-F\s+auid>=1000\s+-F\s+auid!=unset(\s|$)+ - patterns: audit.rules - register: find_existing_media_export_32_audit_rules - when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + 
package_facts: + manager: auto tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27293-0 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010280 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_minlen - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - -- name: Search /etc/audit/rules.d for other media export audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=export$ - patterns: '*.rules' - register: find_mount when: - - (find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d - is defined and find_existing_media_export_64_rules_d.matched == 0) - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool - - low_disruption | bool + - accounts_password_pam_minlen | bool - low_complexity | bool - tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool -- name: If existing media export ruleset not found, use /etc/audit/rules.d/export.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/export.rules +- name: Ensure PAM variable minlen is set accordingly + lineinfile: + 
create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*minlen + line: minlen = {{ var_password_pam_minlen }} when: - - find_mount.matched is defined and find_mount.matched == 0 and ((find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched - == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0)) - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool - - low_disruption | bool + - accounts_password_pam_minlen | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27293-0 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010280 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_minlen - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_mount.files | map(attribute=''path'') | list | first }}' - when: - - find_mount.matched is defined and find_mount.matched > 0 and ((find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched - == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0)) - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - 
audit_rules_media_export | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27200-5 + - DISA-STIG-RHEL-07-010120 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_ucredit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy + when: + - accounts_password_pam_ucredit | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool -- name: Inserts/replaces the media export rule in rules.d when on x86 +- name: Ensure PAM variable ucredit is set accordingly lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*ucredit + line: ucredit = {{ var_password_pam_ucredit }} when: - - find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool - - low_disruption | bool + - accounts_password_pam_ucredit | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - 
CCE-27200-5 + - DISA-STIG-RHEL-07-010120 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_ucredit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the media export rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=export - create: true - when: - - audit_arch is defined and audit_arch == 'b64' and find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched - == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-82038-1 + - CJIS-5.6.2.2 + - DISA-STIG-RHEL-07-010220 + - NIST-800-171-3.13.11 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.1 - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy + - set_password_hashing_algorithm_libuserconf + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - set_password_hashing_algorithm_libuserconf | bool -- name: Inserts/replaces the media export rule in /etc/audit/audit.rules when on x86 +- name: Set Password Hashing Algorithm in /etc/libuser.conf lineinfile: - line: -a 
always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export + dest: /etc/libuser.conf + insertafter: ^\s*\[defaults] + regexp: ^#?crypt_style + line: crypt_style = sha512 state: present - dest: /etc/audit/audit.rules create: true when: - - find_existing_media_export_32_audit_rules is defined and find_existing_media_export_32_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool - - low_disruption | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - set_password_hashing_algorithm_libuserconf | bool + - '"libuser" in ansible_facts.packages' tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-82038-1 + - CJIS-5.6.2.2 + - DISA-STIG-RHEL-07-010220 + - NIST-800-171-3.13.11 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.1 - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy + - set_password_hashing_algorithm_libuserconf -- name: Inserts/replaces the media export rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=export - state: present - dest: /etc/audit/audit.rules - create: true +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-82050-6 + - CJIS-5.6.2.2 + - DISA-STIG-RHEL-07-010210 + - NIST-800-171-3.13.11 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.1 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - 
set_password_hashing_algorithm_logindefs when: - - audit_arch is defined and audit_arch == 'b64' and find_existing_media_export_64_audit_rules is defined and find_existing_media_export_64_audit_rules.matched - == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - audit_rules_media_export | bool - - medium_severity | bool + - low_complexity | bool - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - set_password_hashing_algorithm_logindefs | bool + +- name: Set Password Hashing Algorithm in /etc/login.defs + lineinfile: + dest: /etc/login.defs + regexp: ^#?ENCRYPT_METHOD + line: ENCRYPT_METHOD {{ var_password_hashing_algorithm }} + state: present + create: true + when: - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - set_password_hashing_algorithm_logindefs | bool + - '"shadow-utils" in ansible_facts.packages' tags: - - CCE-27447-2 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030740 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-82050-6 + - CJIS-5.6.2.2 + - DISA-STIG-RHEL-07-010210 + - NIST-800-171-3.13.11 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.1 - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy + - set_password_hashing_algorithm_logindefs -- name: Set architecture for audit tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-27355-7 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010310 + - NIST-800-171-3.5.6 + - NIST-800-53-AC-2(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-4(e) + - 
PCI-DSS-Req-8.1.4 + - account_disable_post_pw_expiration + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool + - account_disable_post_pw_expiration | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - low_disruption | bool + - restrict_strategy | bool + +- name: Set Account Expiration Following Inactivity + lineinfile: + create: true + dest: /etc/default/useradd + regexp: ^INACTIVE + line: INACTIVE={{ var_account_disable_post_pw_expiration }} + when: + - account_disable_post_pw_expiration | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"shadow-utils" in ansible_facts.packages' tags: - - CCE-27076-9 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27355-7 + - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-07-010310 + - NIST-800-171-3.5.6 + - NIST-800-53-AC-2(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - NIST-800-53-IA-4(e) + - PCI-DSS-Req-8.1.4 + - account_disable_post_pw_expiration - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Remediate audit rules for network configuration for x86 - block: - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item 
}}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare 
number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-27051-2 + - CJIS-5.6.2.1 + - DISA-STIG-RHEL-07-010250 + - NIST-800-171-3.5.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.4 + - accounts_maximum_age_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - 
restrict_strategy | bool + - accounts_maximum_age_login_defs | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - low_disruption | bool + - restrict_strategy | bool + +- name: Set Password Maximum Age + lineinfile: + create: true + dest: /etc/login.defs + regexp: ^#?PASS_MAX_DAYS + line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} + when: + - accounts_maximum_age_login_defs | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"shadow-utils" in ansible_facts.packages' tags: - - CCE-27076-9 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27051-2 + - CJIS-5.6.2.1 + - DISA-STIG-RHEL-07-010250 + - NIST-800-171-3.5.6 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.4 + - accounts_maximum_age_login_defs - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Remediate audit rules for network configuration for x86_64 - block: - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ 
audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: Prevent Log In to Accounts With Empty Password - system-auth + replace: + dest: /etc/pam.d/system-auth + regexp: nullok when: - - audit_arch == "b64" - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - configure_strategy | bool + - high_severity | bool - low_complexity | bool + - medium_disruption | bool + - no_empty_passwords | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - 
NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27286-4 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-010290 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - configure_strategy + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption + - no_empty_passwords - no_reboot_needed - - restrict_strategy -- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Prevent Log In to Accounts With Empty Password - password-auth + replace: + dest: /etc/pam.d/password-auth + regexp: nullok when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - configure_strategy | bool + - high_severity | bool - low_complexity | bool + - medium_disruption | bool + - no_empty_passwords | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-27286-4 + - CJIS-5.5.2 + - DISA-STIG-RHEL-07-010290 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - configure_strategy + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption + - no_empty_passwords - no_reboot_needed - - restrict_strategy -- name: Search /etc/audit/rules.d for other 
rules with specified key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_watch_key +- name: Enable service auditd + block: + - name: Gather the package facts + package_facts: + manager: auto + - name: Enable service auditd + service: + name: auditd + enabled: 'yes' + state: started + masked: 'no' + when: + - '"audit" in ansible_facts.packages' when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool + - service_auditd_enabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27407-6 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - DISA-STIG-RHEL-07-030000 + - NIST-800-171-3.3.1 + - NIST-800-171-3.3.2 + - NIST-800-171-3.3.6 + - NIST-800-53-AC-2(g) - NIST-800-53-AC-6(9) + - NIST-800-53-AU-10 - NIST-800-53-AU-12(c) + - NIST-800-53-AU-14(1) - NIST-800-53-AU-2(d) + - NIST-800-53-AU-3 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.1 + - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - service_auditd_enabled -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules - when: - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - 
find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool +- name: Gather the package facts + package_facts: + manager: auto tags: - - CCE-27076-9 + - CCE-27212-0 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification - - low_complexity + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument - low_disruption + - medium_complexity - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool + - grub2_audit_argument | bool - low_disruption | bool - - low_complexity | bool - tags: - - CCE-27076-9 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification - - low_complexity + - medium_complexity | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + +- name: check audit argument exists + command: grep 'GRUB_CMDLINE_LINUX.*audit=' 
/etc/default/grub + failed_when: false + register: argcheck + when: + - grub2_audit_argument | bool + - low_disruption | bool + - medium_complexity | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + tags: + - CCE-27212-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument - low_disruption + - medium_complexity - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/issue in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification - create: true +- name: replace existing audit argument + replace: + path: /etc/default/grub + regexp: audit=\w+ + replace: audit=1 when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool + - grub2_audit_argument | bool - low_disruption | bool - - low_complexity | bool + - medium_complexity | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + - argcheck.rc == 0 tags: - - CCE-27076-9 + - CCE-27212-0 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - 
audit_rules_networkconfig_modification - - low_complexity + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument - low_disruption + - medium_complexity - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: add audit argument + replace: + path: /etc/default/grub + regexp: (GRUB_CMDLINE_LINUX=.*)" + replace: \1 audit=1" when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool + - grub2_audit_argument | bool - low_disruption | bool - - low_complexity | bool + - medium_complexity | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + - argcheck.rc != 0 tags: - - CCE-27076-9 + - CCE-27212-0 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification - - low_complexity + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument - low_disruption + - medium_complexity - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/issue in /etc/audit/audit.rules - lineinfile: - line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification - state: present - dest: /etc/audit/audit.rules - create: true +- name: update bootloader menu + command: /sbin/grubby 
--update-kernel=ALL --args="audit=1" when: - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool + - grub2_audit_argument | bool - low_disruption | bool - - low_complexity | bool + - medium_complexity | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - - CCE-27076-9 + - CCE-27212-0 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification - - low_complexity + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument - low_disruption + - medium_complexity - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/ +- name: Collect all files from /etc/audit/rules.d with .rules extension find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ + paths: /etc/audit/rules.d/ patterns: '*.rules' - register: find_existing_watch_rules_d + register: find_rules_d when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_immutable | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - 
restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27097-5 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.5.2 + - audit_rules_immutable - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_watch_key +- name: Remove the -e option from all Audit config files + lineinfile: + path: '{{ item }}' + regexp: ^\s*(?:-e)\s+.*$ + state: absent + loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}' when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_immutable | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27097-5 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.5.2 + - audit_rules_immutable - 
low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules +- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules + lineinfile: + path: '{{ item }}' + create: true + line: -e 2 + loop: + - /etc/audit/audit.rules + - /etc/audit/rules.d/immutable.rules when: - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_immutable | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27097-5 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.5.2 + - audit_rules_immutable - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required + - restrict_strategy + +- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: + - audit_rules_mac_modification | bool + - low_complexity | bool + - low_disruption | 
bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27168-4 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)MAC-policy$ + patterns: '*.rules' + register: find_watch_key + when: + - audit_rules_mac_modification | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-27168-4 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/MAC-policy.rules + when: + - audit_rules_mac_modification | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-27168-4 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - 
NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule 
@@ -3043,379 +2969,375 @@ all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - audit_rules_mac_modification | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool tags: - - CCE-27076-9 + - CCE-27168-4 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/ +- name: Add watch rule for /etc/selinux/ in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + line: -w /etc/selinux/ -p wa -k MAC-policy create: true + mode: '0640' when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_mac_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + 
- reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27076-9 + - CCE-27168-4 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules +- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules find: paths: /etc/audit/ - contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_mac_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27168-4 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules +- 
name: Add watch rule for /etc/selinux/ in /etc/audit/audit.rules lineinfile: - line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + line: -w /etc/selinux/ -p wa -k MAC-policy state: present dest: /etc/audit/audit.rules create: true + mode: '0640' when: - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_mac_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-27076-9 + - CCE-27168-4 - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Set architecture for audit mount tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - 
low_disruption | bool + - audit_rules_media_export | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27447-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030740 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + recurse: false + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_watch_key + register: find_mount when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_media_export | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27447-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030740 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - 
audit_rules_media_export - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + - /etc/audit/rules.d/privileged.rules when: - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_media_export | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_mount.matched is defined and find_mount.matched == 0 tags: - - CCE-27076-9 + - CCE-27447-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030740 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + - '{{ find_mount.files | map(attribute=''path'') | list | first }}' when: - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined 
and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_media_export | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_mount.matched is defined and find_mount.matched > 0 tags: - - CCE-27076-9 + - CCE-27447-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030740 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/ +- name: Inserts/replaces the mount rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification + line: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_media_export | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - 
CCE-27076-9 + - CCE-27447-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030740 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: Inserts/replaces the mount rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_media_export | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27076-9 + - CCE-27447-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030740 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules +- name: Inserts/replaces the mount rule in /etc/audit/audit.rules when on x86 lineinfile: - 
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification + line: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - audit_rules_media_export | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27076-9 + - CCE-27447-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030740 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Inserts/replaces the mount rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool + - 
audit_rules_media_export | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27076-9 + - CCE-27447-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030740 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_watch_key +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-27076-9 - CJIS-5.4.1.1 
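Review bot: The four 'Inserts/replaces the mount rule' tasks for audit_rules_media_export write to `/etc/audit/rules.d/privileged.rules` and `/etc/audit/audit.rules` with `create: true` but no `mode`, whereas the /etc/selinux/ watch tasks in the same hunk add `mode: '0640'` to their lineinfile calls; a rules file first created by the mount tasks therefore gets umask-default permissions instead of the 0640 the rest of the hunk enforces. Adding `mode: '0640'` directly after each `create: true` in those four tasks would make the hunk consistent. Separately, `audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}` yields `b64` only when the architecture string ends in two digits (x86_64, aarch64); on values such as ppc64le or s390x the replace appears to leave the string unchanged, so the `audit_arch == 'b64'` tasks would be skipped there, which is worth confirming if those platforms are in scope for this role. The hunk opens inside the 'Use matched file as the recipient for the rule' task and ends inside 'Set architecture for audit tasks', so both tasks are only partly visible here.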
@@ -3432,20 +3354,100 @@ - no_reboot_needed - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules +- name: Remediate audit rules for network configuration for x86 + block: + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 
'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: 
Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-27076-9 - CJIS-5.4.1.1 
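Review bot: Both `lineinfile` inserts in this block (`Insert the line in {{ all_files[0] }}` and `Insert the line in /etc/audit/audit.rules`) use `create: true` without a `mode:`, so a newly created `/etc/audit/rules.d/audit_rules_networkconfig_modification.rules` gets whatever mode the umask yields, whereas the watch-rule tasks added later in this same commit pin `mode: '0640'` on the same kind of file; add `mode: '0640'` under `create: true` in both tasks, and likewise in the matching x86_64 block in the next hunk. When the recipient already exists lineinfile leaves its mode alone, so this only affects the create path. Separately, the two `- name: Declare list of syscals` tasks misspell the word; `- name: Declare list of syscalls`. The block's `tags:` list continues outside the hunk.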
@@ -3462,21 +3464,102 @@ - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' - when: - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool - - medium_severity | bool - - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool - tags: +- name: Remediate audit rules for network configuration for x86_64 + block: + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - 
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + 
block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - audit_rules_networkconfig_modification | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: - CCE-27076-9 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 
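Review bot: The block-level `when:` tests `audit_arch == "b64"` with no `is defined` guard, so if `audit_arch` has not been set (the `Set architecture for audit tasks` fact is a separate task with its own `when:` list) the conditional raises an undefined-variable error instead of skipping the block; the mount-rule task earlier in this file uses the guarded form `audit_arch is defined and audit_arch == 'b64'`. Use the same form here: `- audit_arch is defined and audit_arch == "b64"`. As in the x86 block, both `lineinfile` tasks in this hunk create files without a `mode:`, unlike the `mode: '0640'` the watch-rule tasks below set. The `tags:` list continues outside the hunk.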
@@ -3492,20 +3575,20 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification - create: true +- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-27076-9 - CJIS-5.4.1.1 
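Review bot: The `contains` pattern `^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+` only recognizes the permission list spelled exactly `wa`; auditctl accepts the letters in any order and with extra letters (`-p aw`, `-p rwa`), and since `matched == 0` is what later gates the add task, such a pre-existing watch would be duplicated rather than detected. A permutation-tolerant check such as `contains: ^\s*-w\s+/etc/issue\s+-p\s+(?=[rwxa]*w)(?=[rwxa]*a)[rwxa]+(\s|$)` would close that gap; the same pattern recurs in the /etc/issue.net and /etc/hosts checks in the following hunk. The task's `tags:` list continues outside the hunk.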
@@ -3522,20 +3605,21 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-27076-9 - CJIS-5.4.1.1 
@@ -3552,21 +3636,20 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules - lineinfile: - line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification - state: present - dest: /etc/audit/audit.rules - create: true +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - audit_rules_networkconfig_modification | bool - - restrict_strategy | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - low_disruption | bool - - low_complexity | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - CCE-27076-9 - CJIS-5.4.1.1 
@@ -3583,819 +3666,853 @@ - no_reboot_needed - restrict_strategy -- name: Collect all files from /etc/audit/rules.d with .rules extension - find: - paths: /etc/audit/rules.d/ - patterns: '*.rules' - register: find_rules_d +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_immutable | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27097-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-171-3.4.3 + - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.2 - - audit_rules_immutable + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Remove the -e option from all Audit config files +- name: Add watch rule for /etc/issue in /etc/audit/rules.d/ lineinfile: - path: '{{ item }}' - regexp: ^\s*(?:-e)\s+.*$ - state: absent - loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}' + path: '{{ all_files[0] }}' + line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification + create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type 
!= "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_immutable | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27097-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-171-3.4.3 + - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.2 - - audit_rules_immutable + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules - lineinfile: - path: '{{ item }}' - create: true - line: -e 2 - loop: - - /etc/audit/audit.rules - - /etc/audit/rules.d/immutable.rules +- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_immutable | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27097-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - 
NIST-800-171-3.3.1 - - NIST-800-171-3.4.3 + - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.2 - - audit_rules_immutable + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search for privileged commands - shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null - args: - warn: false - executable: /bin/bash - check_mode: false - register: find_result - changed_when: false +- name: Add watch rule for /etc/issue in /etc/audit/audit.rules + lineinfile: + line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" + - audit_rules_networkconfig_modification | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - audit_rules_privileged_commands | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-27437-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Check if watch rule for /etc/issue.net already exists in 
/etc/audit/rules.d/ find: paths: /etc/audit/rules.d - recurse: false - contains: ^.*path={{ item }} .*$ + contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ patterns: '*.rules' - with_items: - - '{{ find_result.stdout_lines }}' - register: files_result + register: find_existing_watch_rules_d when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" + - audit_rules_networkconfig_modification | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - audit_rules_privileged_commands | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27437-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Overwrites the rule in rules.d - lineinfile: - path: '{{ item.1.path }}' - line: -a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes - create: false - regexp: ^.*path={{ item.0.item }} .*$ - with_subelements: - - '{{ files_result.results }}' - - files +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" + - audit_rules_networkconfig_modification | bool + - low_complexity | bool + - low_disruption | bool + - 
medium_severity | bool - no_reboot_needed | bool - - audit_rules_privileged_commands | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27437-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Adds the rule in rules.d - lineinfile: - path: /etc/audit/rules.d/privileged.rules - line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes - create: true - with_items: - - '{{ files_result.results }}' +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: - - files_result.results is defined and item.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" + - audit_rules_networkconfig_modification | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - audit_rules_privileged_commands | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 
tags: - - CCE-27437-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes - create: true - regexp: ^.*path={{ item.item }} .*$ - with_items: - - '{{ files_result.results }}' +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" + - audit_rules_networkconfig_modification | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - audit_rules_privileged_commands | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27437-3 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030360 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - audit_rules_privileged_commands + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy -- name: Set 
architecture for audit lchown tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lchown | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27083-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_lchown + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lchown 
| bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27083-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules + lineinfile: + line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + create: true + mode: '0640' when: - - find_lchown.matched is defined and find_lchown.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lchown | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-27083-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' +- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - find_lchown.matched is defined and find_lchown.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lchown | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27083-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lchown rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F 
key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool + - low_complexity | bool + - low_disruption | bool - medium_severity | bool - - audit_rules_dac_modification_lchown | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CCE-27076-9 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: + - audit_rules_networkconfig_modification | bool + - low_complexity | bool - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 + tags: + - CCE-27076-9 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched 
file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27083-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lchown rule in rules.d when on x86_64 +- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification create: true + mode: '0640' when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lchown | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and 
find_existing_watch_rules_d.matched == 0 tags: - - CCE-27083-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lchown | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27083-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lchown rule in audit.rules when on x86_64 +- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules 
lineinfile: - line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules create: true + mode: '0640' when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lchown | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-27083-5 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit fsetxattr tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - 
audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27389-6 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification find: paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ patterns: '*.rules' - register: find_fsetxattr + register: find_watch_key when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27389-6 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - audit_rules_networkconfig_modification 
- low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: - - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27389-6 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0 - - ansible_virtualization_role != "guest" or 
ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27389-6 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 +- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool - tags: - - CCE-27389-6 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr - - 
low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true - when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - low_disruption | bool - - low_complexity | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27389-6 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fsetxattr | bool - - 
restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27389-6 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 +- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules lineinfile: - line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules create: true + mode: '0640' when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-27389-6 + - CCE-27076-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 + - 
NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit lremovexattr tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for other rules with specified key session find: paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ + contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' - register: find_lremovexattr + register: find_watch_key when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type 
!= "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27410-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/session.rules when: - - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27410-0 + - CCE-27301-1 
- CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity 
@@ -4405,233 +4522,204 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27410-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 +- name: Add watch rule for /var/run/utmp in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /var/run/utmp -p wa -k session create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - - low_disruption | bool + - 
audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27410-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27410-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - 
audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 +- name: Add watch rule for /var/run/utmp in /etc/audit/audit.rules lineinfile: - line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /var/run/utmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool - tags: - - CCE-27410-0 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true - when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_lremovexattr | bool - low_disruption | bool - - low_complexity | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-27410-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit removexattr tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for other rules with specified key session find: paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ + contains: ^.*(?:-F 
key=|-k\s+)session$ patterns: '*.rules' - register: find_removexattr + register: find_watch_key when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27367-2 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/session.rules when: - - find_removexattr.matched is defined and find_removexattr.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is 
defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27367-2 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity 
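Review bot: The idempotency check in the new `find` tasks (`contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+`, and the same shape for /var/log/btmp later in the hunk) recognises only an existing watch with exactly `-p wa`, so a pre-existing broader watch on the same path (for instance `-p rwxa` or `-p war`) is not detected and a second, redundant watch line is appended to the rules file on every host that has one. A permission-order-insensitive pattern such as `contains: ^\s*-w\s+/var/run/utmp\s+-p\s+(?=[rwxa]*w)(?=[rwxa]*a)[rwxa]+(\s|$)` would treat any superset of `wa` as already present; the trailing `(\s|$)+` can also drop its `+`, since a single whitespace-or-end is all the check needs. Separately, `mode: '0640'` on the `lineinfile` tasks is enforced on every run rather than only when the file is created, so a site that keeps `/etc/audit/audit.rules` at a stricter mode would have it relaxed to 0640 each time the role runs — worth a comment such as `# mode is re-applied on every run, not only on create` if that is intended. The hunk ends inside the tag list of the /var/log/btmp `set_fact` task, so that task's tail is not visible here.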
@@ -4641,233 +4729,204 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - find_removexattr.matched is defined and find_removexattr.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27367-2 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the removexattr rule in rules.d when on x86 +- name: Add watch rule for /var/log/btmp in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /var/log/btmp -p wa -k session create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - - low_disruption | bool + - 
audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27367-2 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr 
+ - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 +- name: Add watch rule for /var/log/btmp in /etc/audit/audit.rules lineinfile: - line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /var/log/btmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-27367-2 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: 
find_existing_watch_rules_d when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_removexattr | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27367-2 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030470 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fchownat tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchownat | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - tags: - - CCE-27387-0 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for other rules with specified key session find: paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ + contains: ^.*(?:-F key=|-k\s+)session$ patterns: 
'*.rules' - register: find_fchownat + register: find_watch_key when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchownat | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27387-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/session.rules when: - - find_fchownat.matched is defined and find_fchownat.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchownat | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and 
find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27387-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity 
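Review bot: The existence check in `Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules` (and the rules.d check for wtmp that follows) only accepts the literal permission string `-p wa`, so a pre-existing watch such as `-w /var/log/btmp -p rwa -k logins` is not recognised and a second watch on the same path is appended, which defeats the idempotency the find tasks exist to provide; auditctl treats the permission list as a set, so both rules load and events are simply emitted twice. A pattern that tolerates ordering and extra flags, e.g. `contains: ^\s*-w\s+/var/log/btmp\s+-p\s+(?=[rwxa]*w)(?=[rwxa]*a)[rwxa]+(\s|$)`, would close that gap (Ansible's `find` uses Python `re`, so the lookaheads are supported). Separately, `Use matched file as the recipient for the rule` takes `| first` of the find results, which follow directory order, so the chosen recipient is not stable when several rules.d files carry the `session` key; a `| sort | first` would make it deterministic. The last task in the hunk, `Use /etc/audit/rules.d/session.rules as the recipient for the rule`, continues past the hunk's end.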
@@ -4877,409 +4936,369 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - find_fchownat.matched is defined and find_fchownat.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchownat | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-27387-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in rules.d when on x86 +- name: Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /var/log/wtmp -p wa -k session create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchownat | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_session_events | bool - 
low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-27387-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchownat | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.3 + - 
audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 +- name: Add watch rule for /var/log/wtmp in /etc/audit/audit.rules lineinfile: - line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /var/log/wtmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true + mode: '0640' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchownat | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_session_events | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-27387-0 + - CCE-27301-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*/etc/sudoers.*$ + patterns: '*.rules' + register: find_audit_sysadmin_actions when: - - audit_arch is defined and audit_arch == 
'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchownat | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_sysadmin_actions | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27387-0 + - CCE-27461-3 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030400 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit lsetxattr tasks +- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_sysadmin_actions_files: + - /etc/audit/rules.d/actions.rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_lsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_sysadmin_actions | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 tags: - - CCE-27280-7 + - CCE-27461-3 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 + 
- DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_lsetxattr +- name: Use matched file as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - '{{ find_audit_sysadmin_actions.files | map(attribute=''path'') | list | first }}' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_lsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_sysadmin_actions | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 tags: - - CCE-27280-7 + - CCE-27461-3 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - 
/etc/audit/rules.d/privileged.rules - when: - - find_lsetxattr.matched is defined and find_lsetxattr.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_lsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - tags: - - CCE-27280-7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' - when: - - find_lsetxattr.matched is defined and find_lsetxattr.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_lsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool - tags: - - CCE-27280-7 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 +- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + path: '{{ all_sysadmin_actions_files[0] }}' + line: -w /etc/sudoers -p wa -k 
actions create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_lsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_sysadmin_actions | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27280-7 + - CCE-27461-3 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 +- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + path: '{{ all_sysadmin_actions_files[0] }}' + line: -w /etc/sudoers.d/ -p wa -k actions create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_lsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_sysadmin_actions | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - 
- CCE-27280-7 + - CCE-27461-3 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules lineinfile: - line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + path: /etc/audit/audit.rules + line: -w /etc/sudoers -p wa -k actions create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_lsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_sysadmin_actions | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27280-7 + - CCE-27461-3 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 +- 
name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules lineinfile: - line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + path: /etc/audit/audit.rules + line: -w /etc/sudoers.d/ -p wa -k actions create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_lsetxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_sysadmin_actions | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27280-7 + - CCE-27461-3 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030460 + - DISA-STIG-RHEL-07-030700 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit setxattr tasks +- name: Set architecture for audit chmod tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_setxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_chmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27213-8 + - CCE-27339-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 + - DISA-STIG-RHEL-07-030410 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity @@ -5292,25 +5311,25 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_setxattr + register: find_chmod when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_setxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_chmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27213-8 + - CCE-27339-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 + - DISA-STIG-RHEL-07-030410 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity 
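Review bot: The four `Inserts/replaces audit rule for /etc/sudoers…` tasks use `create: true` but, unlike the btmp/wtmp watch tasks earlier in this hunk, set no `mode`, so a freshly created `/etc/audit/rules.d/actions.rules` or `/etc/audit/audit.rules` gets the process umask (commonly 0644) and the audit rule set becomes world-readable; add `mode: '0640'` to each for consistency with the session tasks. These tasks also run with no prior "already exists" find and rely on lineinfile's exact-line match, so a pre-existing `-w /etc/sudoers -p wa -k scope` watch would be joined by a second one keyed `actions`, and the recipient search `contains: ^.*/etc/sudoers.*$` additionally matches commented-out lines, which can steer the insert into a file where the rule was deliberately disabled. The task at the end of the hunk, `Set architecture for audit chmod tasks`, continues past the hunk's end.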
@@ -5322,24 +5341,24 @@ all_files: - /etc/audit/rules.d/privileged.rules when: - - find_setxattr.matched is defined and find_setxattr.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_setxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_chmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chmod.matched is defined and find_chmod.matched == 0 tags: - - CCE-27213-8 + - CCE-27339-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 + - DISA-STIG-RHEL-07-030410 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity 
@@ -5349,173 +5368,173 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_chmod.files | map(attribute=''path'') | list | first }}' when: - - find_setxattr.matched is defined and find_setxattr.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_setxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_chmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chmod.matched is defined and find_chmod.matched > 0 tags: - - CCE-27213-8 + - CCE-27339-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 + - DISA-STIG-RHEL-07-030410 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the setxattr rule in rules.d when on x86 +- name: Inserts/replaces the chmod rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_setxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_chmod | bool - low_complexity | bool + - low_disruption | bool + - 
medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27213-8 + - CCE-27339-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 + - DISA-STIG-RHEL-07-030410 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 +- name: Inserts/replaces the chmod rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_setxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_chmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27213-8 + - CCE-27339-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 + - DISA-STIG-RHEL-07-030410 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the setxattr rule in 
/etc/audit/audit.rules when on x86 +- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_setxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_chmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27213-8 + - CCE-27339-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 + - DISA-STIG-RHEL-07-030410 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 +- name: Inserts/replaces the chmod rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_setxattr | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - 
audit_rules_dac_modification_chmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27213-8 + - CCE-27339-1 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030440 + - DISA-STIG-RHEL-07-030410 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fchmod tasks +- name: Set architecture for audit chown tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - - low_disruption | bool + - audit_rules_dac_modification_chown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27393-8 + - CCE-27364-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030370 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity 
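Review bot: The tasks named `Inserts/replaces the chmod rule in rules.d when on x86` and `... in /etc/audit/audit.rules when on x86` (L139–L141) carry no architecture condition in their new `when:` lists — only the profile flags and the container test — so the `-F arch=b32` line is written on every architecture; either rename them to say the 32-bit rule is installed unconditionally, or add a guard such as `- ansible_architecture in ['i386', 'i686', 'x86_64']` so the condition matches the name. Relatedly, `audit_arch` is derived from the last two digits of `ansible_architecture`, so on `aarch64` the b64 tasks also fire and write `-S chmod`; as far as I know arm64 provides only `fchmodat`, and auditctl rejects a rules file that names an unknown syscall, which would leave the entire perm_mod rule set unloaded rather than degrade to a partial one — worth confirming on a 64-bit ARM target, and the same concern applies to the `chown` rules in the hunk ending at L148. Finally, `create: true` without `mode:`/`owner:`/`group:` lets a freshly created rules file take the default umask, which can make the list of audited syscalls world-readable; adding `mode: '0640'`, `owner: root`, `group: root` next to `create: true` avoids that. The hunks ending at L148 and L154 share these points.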
@@ -5528,25 +5547,25 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_fchmod + register: find_chown when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - - low_disruption | bool + - audit_rules_dac_modification_chown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27393-8 + - CCE-27364-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030370 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity 
@@ -5558,24 +5577,24 @@ all_files: - /etc/audit/rules.d/privileged.rules when: - - find_fchmod.matched is defined and find_fchmod.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - - low_disruption | bool + - audit_rules_dac_modification_chown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chown.matched is defined and find_chown.matched == 0 tags: - - CCE-27393-8 + - CCE-27364-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030370 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity 
@@ -5585,173 +5604,173 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}' + - '{{ find_chown.files | map(attribute=''path'') | list | first }}' when: - - find_fchmod.matched is defined and find_fchmod.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - - low_disruption | bool + - audit_rules_dac_modification_chown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chown.matched is defined and find_chown.matched > 0 tags: - - CCE-27393-8 + - CCE-27364-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030370 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmod rule in rules.d when on x86 +- name: Inserts/replaces the chown rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - - low_disruption | bool + - audit_rules_dac_modification_chown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | 
bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27393-8 + - CCE-27364-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030370 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmod rule in rules.d when on x86_64 +- name: Inserts/replaces the chown rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - - low_disruption | bool + - audit_rules_dac_modification_chown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27393-8 + - CCE-27364-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030370 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 +- 
name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - - low_disruption | bool + - audit_rules_dac_modification_chown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27393-8 + - CCE-27364-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030370 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 +- name: Inserts/replaces the chown rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fchmod | bool - - low_disruption | bool + - audit_rules_dac_modification_chown | bool - low_complexity | bool + - 
low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27393-8 + - CCE-27364-9 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030420 + - DISA-STIG-RHEL-07-030370 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fremovexattr tasks +- name: Set architecture for audit fchmod tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27393-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030420 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity 
@@ -5764,25 +5783,25 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_fremovexattr + register: find_fchmod when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27393-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030420 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity 
@@ -5794,24 +5813,24 @@ all_files: - /etc/audit/rules.d/privileged.rules when: - - find_fremovexattr.matched is defined and find_fremovexattr.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmod.matched is defined and find_fchmod.matched == 0 tags: - - CCE-27353-2 + - CCE-27393-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030420 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity 
@@ -5821,173 +5840,173 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}' when: - - find_fremovexattr.matched is defined and find_fremovexattr.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmod.matched is defined and find_fchmod.matched > 0 tags: - - CCE-27353-2 + - CCE-27393-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030420 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 +- name: Inserts/replaces the fchmod rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmod | bool - low_complexity 
| bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27393-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030420 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 +- name: Inserts/replaces the fchmod rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27353-2 + - CCE-27393-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030420 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - reboot_required - 
restrict_strategy -- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - audit_rules_dac_modification_fremovexattr | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27353-2 + - CCE-27393-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030420 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 +- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - 
audit_rules_dac_modification_fremovexattr | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmod | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27353-2 + - CCE-27393-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030480 + - DISA-STIG-RHEL-07-030420 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fchown tasks +- name: Set architecture for audit fchmodat tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchown | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27356-5 + - CCE-27388-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 + - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity 
@@ -6000,25 +6019,25 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_fchown + register: find_fchmodat when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchown | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27356-5 + - CCE-27388-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 + - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity 
@@ -6030,24 +6049,24 @@ all_files: - /etc/audit/rules.d/privileged.rules when: - - find_fchown.matched is defined and find_fchown.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_dac_modification_fchown | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmodat.matched is defined and find_fchmodat.matched == 0 tags: - - CCE-27356-5 + - CCE-27388-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030380 + - DISA-STIG-RHEL-07-030430 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity 
@@ -6057,173 +6076,173 @@
 - name: Use matched file as the recipient for the rule
 set_fact:
 all_files:
- - '{{ find_fchown.files | map(attribute=''path'') | list | first }}'
+ - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}'
 when:
- - find_fchown.matched is defined and find_fchown.matched > 0
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_fchown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchmodat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_fchmodat.matched is defined and find_fchmodat.matched > 0
 tags:
- - CCE-27356-5
+ - CCE-27388-8
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
+ - DISA-STIG-RHEL-07-030430
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchmodat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the fchown rule in rules.d when on x86
+- name: Inserts/replaces the fchmodat rule in rules.d when on x86
 lineinfile:
 path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
 create: true
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_fchown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchmodat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27356-5
+ - CCE-27388-8
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
+ - DISA-STIG-RHEL-07-030430
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchmodat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the fchown rule in rules.d when on x86_64
+- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64
 lineinfile:
 path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
 create: true
 when:
- - audit_arch is defined and audit_arch == 'b64'
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_fchown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchmodat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch is defined and audit_arch == 'b64'
 tags:
- - CCE-27356-5
+ - CCE-27388-8
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
+ - DISA-STIG-RHEL-07-030430
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchmodat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86
+- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86
 lineinfile:
- line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
 state: present
 dest: /etc/audit/audit.rules
 create: true
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_fchown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchmodat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27356-5
+ - CCE-27388-8
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
+ - DISA-STIG-RHEL-07-030430
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchmodat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the fchown rule in audit.rules when on x86_64
+- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64
 lineinfile:
- line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
 state: present
 dest: /etc/audit/audit.rules
 create: true
 when:
- - audit_arch is defined and audit_arch == 'b64'
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_fchown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchmodat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch is defined and audit_arch == 'b64'
 tags:
- - CCE-27356-5
+ - CCE-27388-8
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030380
+ - DISA-STIG-RHEL-07-030430
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchmodat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Set architecture for audit chmod tasks
+- name: Set architecture for audit fchown tasks
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchown | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27339-1
+ - CCE-27356-5
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
 - low_complexity
 - low_disruption
 - medium_severity
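Review bot: The `Inserts/replaces the fchmodat rule` tasks in this hunk give `lineinfile` only `line:` and `create: true` with no `regexp:`, so the module checks for that exact line and appends it when absent — it never replaces an existing rule for the same syscall that is spelled with `-k perm_mod`, a different field order or a combined `-S` list, which leaves duplicate or conflicting rules behind in `{{ all_files[0] }}` and `/etc/audit/audit.rules`. An arch- and syscall-anchored pattern such as `regexp: '^-a always,exit -F arch=b32 -S fchmodat\b'` (adjusted per task) would make each task do what its name says. Separately, the b32 tasks carry no `audit_arch` guard while the b64 ones require `audit_arch == 'b64'`, so the b32 rule is written on every architecture, and since `audit_arch` is built from the last two digits of `ansible_architecture` it presumably yields neither `b32` nor `b64` on architecture names that do not end in digits. The same points apply to the fchown and fchownat hunks that follow and, from what is visible, to the fremovexattr hunk that continues past the end of this chunk; if this role is generated, the fix belongs in the template that emits these tasks.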
@@ -6236,25 +6255,25 @@
 recurse: false
 contains: -F key=perm_mod$
 patterns: '*.rules'
- register: find_chmod
+ register: find_fchown
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchown | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27339-1
+ - CCE-27356-5
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
 - low_complexity
 - low_disruption
 - medium_severity
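Review bot: The `find` task registered as `find_fchown` selects the target rules file with `contains: -F key=perm_mod$`, which recognises only the `-F key=` spelling; a rules.d file that already tags its rules with `-k perm_mod` is not matched, `find_fchown.matched` stays 0, and the new rule is appended to `/etc/audit/rules.d/privileged.rules` instead of the file that already holds the perm_mod set. Since `contains` is a regular expression, `contains: (?:-F key=|-k\s+)perm_mod$` covers both forms in one line. The same pattern is used by the fchownat and fremovexattr `find` hunks further down. The task's `paths` line and its header lie before the start of this hunk.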
@@ -6266,24 +6285,24 @@
 all_files:
 - /etc/audit/rules.d/privileged.rules
 when:
- - find_chmod.matched is defined and find_chmod.matched == 0
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchown | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_fchown.matched is defined and find_fchown.matched == 0
 tags:
- - CCE-27339-1
+ - CCE-27356-5
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
 - low_complexity
 - low_disruption
 - medium_severity
@@ -6293,173 +6312,173 @@
 - name: Use matched file as the recipient for the rule
 set_fact:
 all_files:
- - '{{ find_chmod.files | map(attribute=''path'') | list | first }}'
+ - '{{ find_fchown.files | map(attribute=''path'') | list | first }}'
 when:
- - find_chmod.matched is defined and find_chmod.matched > 0
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchown | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_fchown.matched is defined and find_fchown.matched > 0
 tags:
- - CCE-27339-1
+ - CCE-27356-5
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the chmod rule in rules.d when on x86
+- name: Inserts/replaces the fchown rule in rules.d when on x86
 lineinfile:
 path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
 create: true
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchown | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27339-1
+ - CCE-27356-5
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the chmod rule in rules.d when on x86_64
+- name: Inserts/replaces the fchown rule in rules.d when on x86_64
 lineinfile:
 path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
 create: true
 when:
- - audit_arch is defined and audit_arch == 'b64'
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchown | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch is defined and audit_arch == 'b64'
 tags:
- - CCE-27339-1
+ - CCE-27356-5
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86
+- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86
 lineinfile:
- line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
 state: present
 dest: /etc/audit/audit.rules
 create: true
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchown | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27339-1
+ - CCE-27356-5
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the chmod rule in audit.rules when on x86_64
+- name: Inserts/replaces the fchown rule in audit.rules when on x86_64
 lineinfile:
- line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
 state: present
 dest: /etc/audit/audit.rules
 create: true
 when:
- - audit_arch is defined and audit_arch == 'b64'
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - audit_rules_dac_modification_chmod | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchown | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch is defined and audit_arch == 'b64'
 tags:
- - CCE-27339-1
+ - CCE-27356-5
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030410
+ - DISA-STIG-RHEL-07-030380
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchown
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Set architecture for audit chown tasks
+- name: Set architecture for audit fchownat tasks
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_chown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchownat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27364-9
+ - CCE-27387-0
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030400
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchownat
 - low_complexity
 - low_disruption
 - medium_severity
@@ -6472,25 +6491,25 @@
 recurse: false
 contains: -F key=perm_mod$
 patterns: '*.rules'
- register: find_chown
+ register: find_fchownat
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_chown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchownat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27364-9
+ - CCE-27387-0
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030400
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchownat
 - low_complexity
 - low_disruption
 - medium_severity
@@ -6502,24 +6521,24 @@
 all_files:
 - /etc/audit/rules.d/privileged.rules
 when:
- - find_chown.matched is defined and find_chown.matched == 0
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_chown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchownat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_fchownat.matched is defined and find_fchownat.matched == 0
 tags:
- - CCE-27364-9
+ - CCE-27387-0
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030400
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchownat
 - low_complexity
 - low_disruption
 - medium_severity
@@ -6529,173 +6548,173 @@
 - name: Use matched file as the recipient for the rule
 set_fact:
 all_files:
- - '{{ find_chown.files | map(attribute=''path'') | list | first }}'
+ - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}'
 when:
- - find_chown.matched is defined and find_chown.matched > 0
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_chown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchownat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_fchownat.matched is defined and find_fchownat.matched > 0
 tags:
- - CCE-27364-9
+ - CCE-27387-0
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030400
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchownat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the chown rule in rules.d when on x86
+- name: Inserts/replaces the fchownat rule in rules.d when on x86
 lineinfile:
 path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
 create: true
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_chown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchownat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27364-9
+ - CCE-27387-0
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030400
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchownat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the chown rule in rules.d when on x86_64
+- name: Inserts/replaces the fchownat rule in rules.d when on x86_64
 lineinfile:
 path: '{{ all_files[0] }}'
- line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
 create: true
 when:
- - audit_arch is defined and audit_arch == 'b64'
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_chown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchownat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch is defined and audit_arch == 'b64'
 tags:
- - CCE-27364-9
+ - CCE-27387-0
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030400
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchownat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86
+- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86
 lineinfile:
- line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
 state: present
 dest: /etc/audit/audit.rules
 create: true
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_chown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchownat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27364-9
+ - CCE-27387-0
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030400
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchownat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Inserts/replaces the chown rule in audit.rules when on x86_64
+- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64
 lineinfile:
- line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
 state: present
 dest: /etc/audit/audit.rules
 create: true
 when:
- - audit_arch is defined and audit_arch == 'b64'
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - audit_rules_dac_modification_chown | bool
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
+ - audit_rules_dac_modification_fchownat | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch is defined and audit_arch == 'b64'
 tags:
- - CCE-27364-9
+ - CCE-27387-0
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030370
+ - DISA-STIG-RHEL-07-030400
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchownat
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
-- name: Set architecture for audit fchmodat tasks
+- name: Set architecture for audit fremovexattr tasks
 set_fact:
 audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }}
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
- - audit_rules_dac_modification_fchmodat | bool
+ - audit_rules_dac_modification_fremovexattr | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27388-8
+ - CCE-27353-2
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030430
+ - DISA-STIG-RHEL-07-030480
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fremovexattr
 - low_complexity
 - low_disruption
 - medium_severity
@@ -6708,25 +6727,25 @@
 recurse: false
 contains: -F key=perm_mod$
 patterns: '*.rules'
- register: find_fchmodat
+ register: find_fremovexattr
 when:
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
- - audit_rules_dac_modification_fchmodat | bool
+ - audit_rules_dac_modification_fremovexattr | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-27388-8
+ - CCE-27353-2
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030430
+ - DISA-STIG-RHEL-07-030480
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fremovexattr
 - low_complexity
 - low_disruption
 - medium_severity
@@ -6738,24 +6757,24 @@
 all_files:
 - /etc/audit/rules.d/privileged.rules
 when:
- - find_fchmodat.matched is defined and find_fchmodat.matched == 0
- - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
- - restrict_strategy | bool
- - reboot_required | bool
- - medium_severity | bool
- - low_disruption | bool
- - audit_rules_dac_modification_fchmodat | bool
+ - audit_rules_dac_modification_fremovexattr | bool
 - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - reboot_required | bool
+ - restrict_strategy | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_fremovexattr.matched is defined and find_fremovexattr.matched == 0
 tags:
- - CCE-27388-8
+ - CCE-27353-2
 - CJIS-5.4.1.1
- - DISA-STIG-RHEL-07-030430
+ - DISA-STIG-RHEL-07-030480
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fremovexattr
 - low_complexity
 - low_disruption
 - medium_severity
@@ -6765,2570 +6784,3274 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}' + - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' when: - - find_fchmodat.matched is defined and find_fchmodat.matched > 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool + - audit_rules_dac_modification_fremovexattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fremovexattr.matched is defined and find_fremovexattr.matched > 0 tags: - - CCE-27388-8 + - CCE-27353-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 + - DISA-STIG-RHEL-07-030480 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmodat rule in rules.d when on x86 +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool + - audit_rules_dac_modification_fremovexattr | 
bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27388-8 + - CCE-27353-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 + - DISA-STIG-RHEL-07-030480 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64 +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool + - audit_rules_dac_modification_fremovexattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27388-8 + - CCE-27353-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 + - DISA-STIG-RHEL-07-030480 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - 
reboot_required - restrict_strategy -- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool + - audit_rules_dac_modification_fremovexattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27388-8 + - CCE-27353-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 + - DISA-STIG-RHEL-07-030480 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 +- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod state: present dest: /etc/audit/audit.rules create: true when: - - audit_arch is defined and audit_arch == 'b64' - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - restrict_strategy | bool - - reboot_required | bool - - 
medium_severity | bool - - low_disruption | bool - - audit_rules_dac_modification_fchmodat | bool + - audit_rules_dac_modification_fremovexattr | bool - low_complexity | bool - tags: - - CCE-27388-8 + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CCE-27353-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-07-030430 + - DISA-STIG-RHEL-07-030480 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit tasks +- name: Set architecture for audit fsetxattr tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_kernel_module_loading | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27129-6 + - CCE-27389-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for kernel 
module loading for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - init_module - - delete_module - - finit_module - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key modules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)modules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/modules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k modules' }}" 
- - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - init_module - - delete_module - - finit_module - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k modules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fsetxattr when: - - ansible_virtualization_role 
!= "guest" or ansible_virtualization_type != "docker" - - audit_rules_kernel_module_loading | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27129-6 + - CCE-27389-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - init_module - - delete_module - - finit_module - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key modules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)modules$ - patterns: '*.rules' - register: 
find_syscalls_files - - name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/modules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k modules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - init_module - - delete_module - - finit_module - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ 
audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k modules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_arch == "b64" - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_kernel_module_loading | bool - - restrict_strategy | bool - - reboot_required | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0 tags: - - CCE-27129-6 + - CCE-27389-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - reboot_required - 
restrict_strategy -- name: Set architecture for audit tasks +- name: Use matched file as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - audit_rules_time_clock_settime | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0 tags: - - CCE-27219-5 + - CCE-27389-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_clock_settime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for clock_settime for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get 
number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key time-change - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)time-change$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/time-change.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item 
}}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - audit_rules_time_clock_settime | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27219-5 + - CCE-27389-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - 
- NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_clock_settime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for clock_settime for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key time-change - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)time-change$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/time-change.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add 
rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in /etc/audit/audit.rules - 
lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_arch == "b64" - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - audit_rules_time_clock_settime | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27219-5 + - CCE-27389-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_clock_settime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - 
audit_rules_time_settimeofday | bool - - low_disruption | bool + - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27216-1 + - CCE-27389-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_settimeofday + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for settimeofday for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - 
/etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' 
- set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - audit_rules_time_settimeofday | bool - - low_disruption | bool + - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27216-1 + - CCE-27389-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030450 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_settimeofday + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for settimeofday for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - 
- settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] 
}}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: Set architecture for audit lchown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_arch == "b64" - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - 
audit_rules_time_settimeofday | bool - - low_disruption | bool + - audit_rules_dac_modification_lchown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27216-1 + - CCE-27083-5 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_settimeofday + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for stime syscall for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - stime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - 
when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - stime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - 
- name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lchown when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_time_stime | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_lchown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27299-7 + - CCE-27083-5 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_stime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the 
recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_lchown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lchown.matched is defined and find_lchown.matched == 0 tags: - - CCE-27310-2 + - CCE-27083-5 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_watch_key +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_lchown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lchown.matched is defined and find_lchown.matched > 0 tags: - - CCE-27310-2 + - CCE-27083-5 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules +- name: Inserts/replaces the lchown rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_lchown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27083-5 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - 
medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the lchown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_lchown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27310-2 + - CCE-27083-5 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/ +- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/localtime -p wa -k audit_time_rules + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: 
true when: - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool + - audit_rules_dac_modification_lchown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27083-5 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules - when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool +- name: Inserts/replaces the lchown rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - audit_rules_dac_modification_lchown | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not 
in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27310-2 + - CCE-27083-5 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030390 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules - lineinfile: - line: -w /etc/localtime -p wa -k audit_time_rules - state: present - dest: /etc/audit/audit.rules - create: true +- name: Set architecture for audit lremovexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - audit_rules_time_watch_localtime | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool + - audit_rules_dac_modification_lremovexattr | bool + - low_complexity | bool - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27410-0 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030490 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: 
find_lremovexattr + when: + - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27310-2 + - CCE-27410-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit tasks +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - /etc/audit/rules.d/privileged.rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - audit_rules_time_adjtimex | bool - - low_disruption | bool + - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0 tags: - - CCE-27290-6 + - CCE-27410-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_adjtimex + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - 
no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - 
- name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lremovexattr.files | map(attribute=''path'') | list | 
first }}' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - audit_rules_time_adjtimex | bool + - audit_rules_dac_modification_lremovexattr | bool + - low_complexity | bool - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0 + tags: + - CCE-27410-0 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030490 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27290-6 + - CCE-27410-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_adjtimex + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - 
adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - 
line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_arch == "b64" - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - 
no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - audit_rules_time_adjtimex | bool - - low_disruption | bool + - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27290-6 + - CCE-27410-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030490 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_adjtimex + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Does prelink file exist - stat: - path: /etc/sysconfig/prelink - register: prelink_exists +- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - audit_rules_dac_modification_lremovexattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27078-5 - - CJIS-5.10.1.3 - - NIST-800-171-3.13.11 + - CCE-27410-0 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030490 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-13 - - PCI-DSS-Req-11.5 - - disable_prelink + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - 
restrict_strategy - when: - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - disable_prelink | bool - - low_disruption | bool - - low_complexity | bool -- name: disable prelinking +- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 lineinfile: - path: /etc/sysconfig/prelink - regexp: ^PRELINKING= - line: PRELINKING=no + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - prelink_exists.stat.exists - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - disable_prelink | bool - - low_disruption | bool + - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27078-5 - - CJIS-5.10.1.3 - - NIST-800-171-3.13.11 + - CCE-27410-0 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030490 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-13 - - PCI-DSS-Req-11.5 - - disable_prelink + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Ensure aide is installed - package: - name: aide - state: present +- name: Set architecture for audit lsetxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - package_aide_installed | bool - - no_reboot_needed | bool - - medium_severity | bool - - enable_strategy | bool - - low_disruption | bool + - audit_rules_dac_modification_lsetxattr 
| bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27096-7 - - CJIS-5.10.1.3 + - CCE-27280-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-11.5 - - enable_strategy + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed - - package_aide_installed + - reboot_required + - restrict_strategy -- name: Ensure AIDE is installed - package: - name: '{{ item }}' - state: present - with_items: - - aide +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lsetxattr when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - aide_build_database | bool - - low_disruption | bool + - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27220-3 - - CJIS-5.10.1.3 + - CCE-27280-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-11.5 - - aide_build_database + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Build and Test AIDE Database - command: /usr/sbin/aide --init - changed_when: true +- name: 
If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - aide_build_database | bool - - low_disruption | bool + - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lsetxattr.matched is defined and find_lsetxattr.matched == 0 tags: - - CCE-27220-3 - - CJIS-5.10.1.3 + - CCE-27280-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-11.5 - - aide_build_database + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check whether the stock AIDE Database exists - stat: - path: /var/lib/aide/aide.db.new.gz - register: aide_database_stat +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - aide_build_database | bool - - low_disruption | bool + - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lsetxattr.matched is defined and 
find_lsetxattr.matched > 0 tags: - - CCE-27220-3 - - CJIS-5.10.1.3 + - CCE-27280-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-11.5 - - aide_build_database + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Stage AIDE Database - copy: - src: /var/lib/aide/aide.db.new.gz - dest: /var/lib/aide/aide.db.gz - backup: true - remote_src: true +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists) - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - aide_build_database | bool - - low_disruption | bool + - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27220-3 - - CJIS-5.10.1.3 + - CCE-27280-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-11.5 - - aide_build_database + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Ensure AIDE is installed - package: - name: '{{ item }}' - state: present - with_items: - - aide +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 + 
lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - aide_periodic_cron_checking | bool - - low_disruption | bool + - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-26952-2 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-07-020030 + - CCE-27280-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - PCI-DSS-Req-11.5 - - aide_periodic_cron_checking + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Configure Periodic Execution of AIDE - cron: - name: run AIDE check - minute: 5 - hour: 4 - weekday: 0 - user: root - job: /usr/sbin/aide --check +- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - restrict_strategy | bool - - medium_severity | bool - - aide_periodic_cron_checking | bool - - low_disruption | bool + - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - 
reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26952-2 - - CJIS-5.10.1.3 - - DISA-STIG-RHEL-07-020030 + - CCE-27280-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - PCI-DSS-Req-11.5 - - aide_periodic_cron_checking + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Read list of files with incorrect permissions - command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup - args: - warn: false - register: files_with_incorrect_permissions - failed_when: files_with_incorrect_permissions.rc > 1 - changed_when: false - check_mode: false +- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - audit_rules_dac_modification_lsetxattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27209-6 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) + - CCE-27280-7 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030460 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - 
- high_complexity - - high_severity - - medium_disruption - - no_reboot_needed + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required - restrict_strategy - - rpm_verify_permissions - when: - - high_complexity | bool - - no_reboot_needed | bool - - rpm_verify_permissions | bool - - restrict_strategy | bool - - high_severity | bool - - medium_disruption | bool -- name: Create list of packages - command: rpm -qf "{{ item }}" - args: - warn: false - with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'', ''^[.]+[M]+.* (\/.*)'', ''\1'') | - map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}' - register: list_of_packages - changed_when: false - check_mode: false +- name: Set architecture for audit removexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - (files_with_incorrect_permissions.stdout_lines | length > 0) - - high_complexity | bool - - no_reboot_needed | bool - - rpm_verify_permissions | bool + - audit_rules_dac_modification_removexattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool - restrict_strategy | bool - - high_severity | bool - - medium_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27209-6 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) + - CCE-27367-2 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption - - no_reboot_needed + - PCI-DSS-Req-10.5.5 + - 
audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required - restrict_strategy - - rpm_verify_permissions -- name: Correct file permissions with RPM - command: rpm --setperms '{{ item }}' - args: - warn: false - with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_removexattr when: - - (files_with_incorrect_permissions.stdout_lines | length > 0) - - high_complexity | bool - - no_reboot_needed | bool - - rpm_verify_permissions | bool + - audit_rules_dac_modification_removexattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool - restrict_strategy | bool - - high_severity | bool - - medium_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27209-6 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010010 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) + - CCE-27367-2 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption - - no_reboot_needed + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required - restrict_strategy - - rpm_verify_permissions -- name: 'Set fact: Package manager reinstall command (dnf)' +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: - package_manager_reinstall_cmd: dnf reinstall -y + 
all_files: + - /etc/audit/rules.d/privileged.rules when: - - ansible_distribution == "Fedora" - - high_complexity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_removexattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool - restrict_strategy | bool - - high_severity | bool - - rpm_verify_hashes | bool - - medium_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_removexattr.matched is defined and find_removexattr.matched == 0 tags: - - CCE-27157-7 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption - - no_reboot_needed + - CCE-27367-2 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required - restrict_strategy - - rpm_verify_hashes -- name: 'Set fact: Package manager reinstall command (yum)' +- name: Use matched file as the recipient for the rule set_fact: - package_manager_reinstall_cmd: yum reinstall -y + all_files: + - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' when: - - (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") - - high_complexity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_removexattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool - restrict_strategy | bool - - high_severity | bool - - rpm_verify_hashes | bool - - medium_disruption | bool + - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + - find_removexattr.matched is defined and find_removexattr.matched > 0 tags: - - CCE-27157-7 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption - - no_reboot_needed + - CCE-27367-2 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required - restrict_strategy - - rpm_verify_hashes -- name: Read files with incorrect hash - command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noconfig --noghost - args: - warn: false - register: files_with_incorrect_hash - changed_when: false - failed_when: files_with_incorrect_hash.rc > 1 - check_mode: false +- name: Inserts/replaces the removexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - (package_manager_reinstall_cmd is defined) - - high_complexity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_removexattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool - restrict_strategy | bool - - high_severity | bool - - rpm_verify_hashes | bool - - medium_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27157-7 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - 
NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption - - no_reboot_needed + - CCE-27367-2 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required - restrict_strategy - - rpm_verify_hashes -- name: Create list of packages - command: rpm -qf "{{ item }}" - args: - warn: false - with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'', ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') - | select(''match'', ''(\/.*)'') | list | unique }}' - register: list_of_packages - changed_when: false - check_mode: false +- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - files_with_incorrect_hash.stdout_lines is defined - - (files_with_incorrect_hash.stdout_lines | length > 0) - - high_complexity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_removexattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool - restrict_strategy | bool - - high_severity | bool - - rpm_verify_hashes | bool - - medium_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-27157-7 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - 
high_severity - - medium_disruption - - no_reboot_needed + - CCE-27367-2 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required - restrict_strategy - - rpm_verify_hashes -- name: Reinstall packages of files with incorrect hash - command: '{{ package_manager_reinstall_cmd }} ''{{ item }}''' - args: - warn: false - with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' +- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - files_with_incorrect_hash.stdout_lines is defined - - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) - - high_complexity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_removexattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool - restrict_strategy | bool - - high_severity | bool - - rpm_verify_hashes | bool - - medium_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27157-7 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-010020 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption - - no_reboot_needed + - CCE-27367-2 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required - restrict_strategy - - rpm_verify_hashes -- name: Enable GNOME3 Screensaver Lock After Idle Period - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/screensaver - option: lock-enabled - value: 'true' +- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - - unknown_strategy | bool - - medium_disruption | bool - - dconf_gnome_screensaver_lock_enabled | bool + - audit_rules_dac_modification_removexattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80112-6 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010060 - - NIST-800-171-3.1.10 + - CCE-27367-2 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030470 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - - medium_disruption + - low_disruption - medium_severity - - no_reboot_needed - - unknown_strategy + - reboot_required + - restrict_strategy -- name: Prevent user modification of GNOME lock-enabled - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/lock-enabled - line: /org/gnome/desktop/screensaver/lock-enabled - create: 
true +- name: Set architecture for audit setxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - - unknown_strategy | bool - - medium_disruption | bool - - dconf_gnome_screensaver_lock_enabled | bool + - audit_rules_dac_modification_setxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80112-6 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010060 - - NIST-800-171-3.1.10 + - CCE-27213-8 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030440 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_lock_enabled + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - - medium_disruption + - low_disruption - medium_severity - - no_reboot_needed - - unknown_strategy + - reboot_required + - restrict_strategy -- name: Enable GNOME3 Screensaver Idle Activation - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/screensaver - option: idle_activation_enabled - value: 'true' - create: true +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_setxattr when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - dconf_gnome_screensaver_idle_activation_enabled | bool - - medium_severity | bool - - unknown_strategy | bool - - medium_disruption | bool + - audit_rules_dac_modification_setxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | 
bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80111-8 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) + - CCE-27213-8 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030440 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_activation_enabled + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - - medium_disruption + - low_disruption - medium_severity - - no_reboot_needed - - unknown_strategy + - reboot_required + - restrict_strategy -- name: Prevent user modification of GNOME idle_activation_enabled - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled - line: /org/gnome/desktop/screensaver/idle-activation-enabled - create: true +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - dconf_gnome_screensaver_idle_activation_enabled | bool - - medium_severity | bool - - unknown_strategy | bool - - medium_disruption | bool + - audit_rules_dac_modification_setxattr | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_setxattr.matched is defined and find_setxattr.matched == 0 tags: - - CCE-80111-8 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010100 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) + - CCE-27213-8 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030440 + - NIST-800-171-3.1.7 + - 
NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_activation_enabled + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - - medium_disruption + - low_disruption - medium_severity - - no_reboot_needed - - unknown_strategy + - reboot_required + - restrict_strategy -- name: Set GNOME3 Screensaver Inactivity Timeout - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/screensaver - option: idle-delay - value: '{{ inactivity_timeout_value }}' - create: true +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - - dconf_gnome_screensaver_idle_delay | bool - - unknown_strategy | bool - - medium_disruption | bool + - audit_rules_dac_modification_setxattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_setxattr.matched is defined and find_setxattr.matched > 0 + tags: + - CCE-27213-8 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030440 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - audit_rules_dac_modification_setxattr | bool + - low_complexity | bool + - low_disruption | 
bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27213-8 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030440 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - audit_rules_dac_modification_setxattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CCE-27213-8 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030440 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - audit_rules_dac_modification_setxattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27213-8 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030440 
+ - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - audit_rules_dac_modification_setxattr | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CCE-27213-8 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030440 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: + - audit_rules_kernel_module_loading | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27129-6 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for kernel module loading for x86 platform + block: 
+ - name: Declare list of syscals + set_fact: + syscalls: + - init_module + - delete_module + - finit_module + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key modules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)modules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k modules' }}" + - name: Insert the line in {{ 
all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - init_module + - delete_module + - finit_module + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k modules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: + - audit_rules_kernel_module_loading | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] + tags: + - CCE-27129-6 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - init_module + - delete_module + - finit_module + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key modules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)modules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 
'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k modules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - init_module + - delete_module + - finit_module + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k modules' }}" + - name: Insert the line in /etc/audit/audit.rules + 
lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - audit_rules_kernel_module_loading | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - reboot_required | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CCE-27129-6 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search for privileged commands + shell: 'set -o pipefail + + find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype + ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs + -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o + -perm -2000 \) 2> /dev/null + + ' + args: + warn: false + executable: /bin/bash + check_mode: false + register: find_result + changed_when: false + failed_when: false + when: + - audit_rules_privileged_commands | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27437-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - 
no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path={{ item }} .*$ + patterns: '*.rules' + with_items: + - '{{ find_result.stdout_lines }}' + register: files_result + when: + - audit_rules_privileged_commands | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27437-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Overwrites the rule in rules.d + lineinfile: + path: '{{ item.1.path }}' + line: -a always,exit -F path={{ item.0.item }} -F auid>=1000 -F auid!=unset -F key=privileged + create: false + regexp: ^.*path={{ item.0.item }} .*$ + with_subelements: + - '{{ files_result.results }}' + - files + when: + - audit_rules_privileged_commands | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27437-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Adds the rule in rules.d + lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset 
-F key=privileged + create: true + with_items: + - '{{ files_result.results }}' + when: + - audit_rules_privileged_commands | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - files_result.results is defined and item.matched == 0 + tags: + - CCE-27437-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged + create: true + regexp: ^.*path={{ item.item }} .*$ + with_items: + - '{{ files_result.results }}' + when: + - audit_rules_privileged_commands | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27437-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: + - audit_rules_time_adjtimex | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27290-6 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for adjtimex for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule 
in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in 
/etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: + - audit_rules_time_adjtimex | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27290-6 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for adjtimex for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - 
/etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + 
set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - audit_rules_time_adjtimex | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CCE-27290-6 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: + - audit_rules_time_clock_settime | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27219-5 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for 
clock_settime for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key time-change + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)time-change$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/time-change.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 
-k time-change' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: + - audit_rules_time_clock_settime | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27219-5 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for clock_settime for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key time-change + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)time-change$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/time-change.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: 
Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F 
a0=0x0 -k time-change' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - audit_rules_time_clock_settime | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" tags: - - CCE-80110-0 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010070 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) + - CCE-27219-5 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: + - audit_rules_time_settimeofday | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27216-1 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for settimeofday for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - 
name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < 
audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: + - audit_rules_time_settimeofday | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27216-1 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for settimeofday for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" 
+ loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - 
audit_rules_time_settimeofday | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CCE-27216-1 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Prevent user modification of GNOME idle-delay - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/idle-delay - line: /org/gnome/desktop/screensaver/idle-delay - create: true +- name: Perform remediation of Audit rules for stime syscall for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - stime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + 
register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - stime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ 
audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - - dconf_gnome_screensaver_idle_delay | bool - - unknown_strategy | bool - - medium_disruption | bool + - audit_rules_time_stime | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80110-0 - - CJIS-5.5.5 - - DISA-STIG-RHEL-07-010070 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(a) + - CCE-27299-7 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_idle_delay + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_stime - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Implement Blank Screensaver - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/desktop/screensaver - option: 
picture-uri - value: string '' - create: true +- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - - unknown_strategy | bool - - dconf_gnome_screensaver_mode_blank | bool - - medium_disruption | bool + - audit_rules_time_watch_localtime | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80113-4 - - CJIS-5.5.5 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(1) + - CCE-27310-2 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_mode_blank + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Prevent user modification of GNOME picture-uri - lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/desktop/screensaver/picture-uri - line: /org/gnome/desktop/screensaver/picture-uri - create: true +- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_watch_key when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - - unknown_strategy | bool - - dconf_gnome_screensaver_mode_blank | bool - - 
medium_disruption | bool + - audit_rules_time_watch_localtime | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80113-4 - - CJIS-5.5.5 - - NIST-800-171-3.1.10 - - NIST-800-53-AC-11(1) + - CCE-27310-2 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.1.8 - - dconf_gnome_screensaver_mode_blank + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Security patches are up to date - package: - name: '*' - state: latest - tags: - - CCE-26895-3 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020260 - - NIST-800-53-CM-6(a) - - NIST-800-53-SI-2(5) - - NIST-800-53-SI-2(c) - - PCI-DSS-Req-6.2 - - high_disruption - - high_severity - - low_complexity - - patch_strategy - - reboot_required - - security_patches_up_to_date - - skip_ansible_lint +- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules when: - - security_patches_up_to_date | bool - - reboot_required | bool - - high_severity | bool - - skip_ansible_lint | bool - - high_disruption | bool - - patch_strategy | bool + - audit_rules_time_watch_localtime | bool - low_complexity | bool - -- name: Read permission of GPG key directory - stat: - path: /etc/pki/rpm-gpg/ - register: gpg_key_directory_permission - check_mode: false + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-26957-1 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) + - CCE-27310-2 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity - - medium_complexity - - medium_disruption + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity - no_reboot_needed - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - audit_rules_time_watch_localtime | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - high_severity | bool - - ensure_redhat_gpgkey_installed | bool - - medium_complexity | bool - - medium_disruption | bool - -- name: Read signatures in GPG key - command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - args: - warn: false - changed_when: false - register: gpg_fingerprints - check_mode: false + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 tags: - - CCE-26957-1 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) + - CCE-27310-2 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - 
NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity - - medium_complexity - - medium_disruption + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity - no_reboot_needed - restrict_strategy + +- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/localtime -p wa -k audit_time_rules + create: true + mode: '0640' when: + - audit_rules_time_watch_localtime | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - high_severity | bool - - ensure_redhat_gpgkey_installed | bool - - medium_complexity | bool - - medium_disruption | bool - -- name: Set Fact - Installed GPG Fingerprints - set_fact: - gpg_installed_fingerprints: '{{ gpg_fingerprints.stdout | regex_findall(''^pub.* - - (?:^fpr[:]*)([0-9A-Fa-f]*)'', ''\1'') | list }}' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-26957-1 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) + - CCE-27310-2 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity - - medium_complexity - - medium_disruption + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity - no_reboot_needed - restrict_strategy + +- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: 
find_existing_watch_audit_rules when: + - audit_rules_time_watch_localtime | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - high_severity | bool - - ensure_redhat_gpgkey_installed | bool - - medium_complexity | bool - - medium_disruption | bool - -- name: Set Fact - Valid fingerprints - set_fact: - gpg_valid_fingerprints: ("567E347AD0044ADE55BA8A5F199E2F91FD431D51" "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0") + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26957-1 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) + - CCE-27310-2 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity - - medium_complexity - - medium_disruption + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity - no_reboot_needed - restrict_strategy - when: - - no_reboot_needed | bool - - restrict_strategy | bool - - high_severity | bool - - ensure_redhat_gpgkey_installed | bool - - medium_complexity | bool - - medium_disruption | bool -- name: Import RedHat GPG key - rpm_key: +- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules + lineinfile: + line: -w /etc/localtime -p wa -k audit_time_rules state: present - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + dest: /etc/audit/audit.rules + create: true + mode: '0640' when: - - gpg_key_directory_permission.stat.mode <= '0755' - - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 - - gpg_installed_fingerprints | length > 0 - - ansible_distribution == "RedHat" + - audit_rules_time_watch_localtime | bool + - low_complexity | bool + - low_disruption | bool + - 
medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - high_severity | bool - - ensure_redhat_gpgkey_installed | bool - - medium_complexity | bool - - medium_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-26957-1 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) + - CCE-27310-2 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity - - medium_complexity - - medium_disruption + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity - no_reboot_needed - restrict_strategy -- name: Check existence of yum on Fedora - stat: - path: /etc/yum.conf - register: yum_config_file - check_mode: false +- name: enable syslog plugin + lineinfile: + dest: /etc/audisp/plugins.d/syslog.conf + regexp: ^active + line: active = yes + create: true when: - - ansible_distribution == "Fedora" + - auditd_audispd_syslog_plugin_activated | bool + - configure_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - - high_severity | bool - - unknown_strategy | bool - - ensure_gpgcheck_globally_activated | bool - - medium_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27341-7 + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-4(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.3 + - auditd_audispd_syslog_plugin_activated + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Configure auditd 
mail_acct Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: action_mail_acct = {{ var_auditd_action_mail_acct }} + state: present + create: true + when: + - auditd_data_retention_action_mail_acct | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26989-4 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020050 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-27394-6 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030350 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(a) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated - - high_severity + - NIST-800-53-IA-5(1) + - PCI-DSS-Req-10.7.a + - auditd_data_retention_action_mail_acct - low_complexity - - medium_disruption + - low_disruption + - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Ensure GPG check is globally activated (yum) - ini_file: - dest: /etc/yum.conf - section: main - option: gpgcheck - value: 1 - no_extra_spaces: true - create: false +- name: Configure auditd admin_space_left Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: admin_space_left_action = {{ var_auditd_admin_space_left_action }} + regexp: ^\s*admin_space_left_action\s*=\s*.*$ + state: present + create: true when: - - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) - - no_reboot_needed | bool - - high_severity | bool - - unknown_strategy | bool - - ensure_gpgcheck_globally_activated | bool - - medium_disruption | bool + - auditd_data_retention_admin_space_left_action 
| bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26989-4 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020050 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-27370-6 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030340 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated - - high_severity + - PCI-DSS-Req-10.7 + - auditd_data_retention_admin_space_left_action - low_complexity - - medium_disruption + - low_disruption + - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Ensure GPG check is globally activated (dnf) - ini_file: - dest: /etc/dnf/dnf.conf - section: main - option: gpgcheck - value: 1 - no_extra_spaces: true - create: false +- name: Configure auditd Max Log File Size + lineinfile: + dest: /etc/audit/auditd.conf + regexp: ^\s*max_log_file\s*=\s*.*$ + line: max_log_file = {{ var_auditd_max_log_file }} + state: present + create: true when: - - ansible_distribution == "Fedora" - - no_reboot_needed | bool - - high_severity | bool - - unknown_strategy | bool - - ensure_gpgcheck_globally_activated | bool - - medium_disruption | bool + - auditd_data_retention_max_log_file | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26989-4 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-07-020050 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - 
NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-27319-3 + - CJIS-5.4.1.1 + - NIST-800-53-AU-11 - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated - - high_severity + - PCI-DSS-Req-10.7 + - auditd_data_retention_max_log_file - low_complexity - - medium_disruption + - low_disruption + - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Grep for yum repo section names - shell: grep -HEr '^\[.+\]' -r /etc/yum.repos.d/ - register: repo_grep_results - ignore_errors: true - changed_when: false +- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size + lineinfile: + dest: /etc/audit/auditd.conf + line: max_log_file_action = {{ var_auditd_max_log_file_action }} + regexp: ^\s*max_log_file_action\s*=\s*.*$ + state: present + create: true + when: + - auditd_data_retention_max_log_file_action | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26876-3 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-27231-0 + - CJIS-5.4.1.1 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - enable_strategy - - ensure_gpgcheck_never_disabled - - high_severity + - PCI-DSS-Req-10.7 + - auditd_data_retention_max_log_file_action - low_complexity - - medium_disruption + - low_disruption + - medium_severity - no_reboot_needed + - restrict_strategy + +- name: Configure auditd Number of Logs Retained + lineinfile: + dest: 
/etc/audit/auditd.conf + line: num_logs = {{ var_auditd_num_logs }} + regexp: ^\s*num_logs\s*=\s*.*$ + state: present + create: true when: - - ensure_gpgcheck_never_disabled | bool - - no_reboot_needed | bool - - high_severity | bool - - enable_strategy | bool - - medium_disruption | bool + - auditd_data_retention_num_logs | bool - low_complexity | bool - -- name: Set gpgcheck=1 for each yum repo - ini_file: - path: '{{ item[0] }}' - section: '{{ item[1] }}' - option: gpgcheck - value: '1' - no_extra_spaces: true - loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}' + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-26876-3 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-27348-2 + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-11 - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - enable_strategy - - ensure_gpgcheck_never_disabled - - high_severity + - PCI-DSS-Req-10.7 + - auditd_data_retention_num_logs - low_complexity - - medium_disruption + - low_disruption + - medium_severity - no_reboot_needed + - restrict_strategy + +- name: Configure auditd space_left Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: space_left_action = {{ var_auditd_space_left_action }} + regexp: ^\s*space_left_action\s*=\s*.*$ + state: present + create: true when: - - ensure_gpgcheck_never_disabled | bool - - no_reboot_needed | bool - - high_severity | bool - - enable_strategy | bool - - medium_disruption | bool + - auditd_data_retention_space_left_action | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - 
restrict_strategy | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-27375-5 + - CJIS-5.4.1.1 + - DISA-STIG-RHEL-07-030340 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - auditd_data_retention_space_left_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy - name: Test for existence /boot/grub2/grub.cfg stat: path: /boot/grub2/grub.cfg register: file_exists when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool - file_groupowner_grub2_cfg | bool - - low_disruption | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82023-3 - CJIS-5.5.2.2 @@ -9348,14 +10071,14 @@ path: /boot/grub2/grub.cfg group: '0' when: - - file_exists.stat is defined and file_exists.stat.exists - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool - file_groupowner_grub2_cfg | bool - - low_disruption | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-82023-3 - CJIS-5.5.2.2 
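Review bot: The added `ansible_virtualization_type not in [...]` entry makes the group-ownership fix for /boot/grub2/grub.cfg depend on a gathered fact; when the role runs with fact gathering disabled, an undefined `ansible_virtualization_type` makes the task fail with a conditional error rather than skip, which the removed `ansible_virtualization_role` test shared but which this rewrite is the place to settle. A defaulted form, `- ansible_virtualization_type | default('') not in ["docker", "lxc", "openvz", "podman", "container"]`, keeps the container skip and lets the hardening apply on hosts where the fact is absent, which is likely the safer failure mode for a file-ownership control. Moving `file_exists.stat is defined and file_exists.stat.exists` to the end is sound, as Ansible appears to stop evaluating the `when` list at the first false entry, so the guard is not reached when the rule is disabled. The stat task that registers `file_exists` for this rule lies outside the hunk.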
@@ -9375,13 +10098,13 @@ path: /boot/grub2/grub.cfg register: file_exists when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - file_owner_grub2_cfg | bool - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool - - low_disruption | bool + - file_owner_grub2_cfg | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-82026-6 - CJIS-5.5.2.2 @@ -9401,14 +10124,14 @@ path: /boot/grub2/grub.cfg owner: '0' when: - - file_exists.stat is defined and file_exists.stat.exists - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - file_owner_grub2_cfg | bool - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool - - low_disruption | bool + - file_owner_grub2_cfg | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-82026-6 - CJIS-5.5.2.2 
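Review bot: The `owner: '0'` task for /boot/grub2/grub.cfg guards on `file_exists.stat is defined and file_exists.stat.exists`, but `file_exists` is a register name this role reuses for unrelated files (the /etc/group stat task further down registers the same name), so the guard is only correct as long as this rule's own stat task stays immediately before it; a regenerated ordering that interposes another stat would silently test a different file. A rule-specific name closes that gap: `register: grub2_cfg_stat` in the stat task and `- grub2_cfg_stat.stat is defined and grub2_cfg_stat.stat.exists` here. As in the neighbouring hunk, the new `ansible_virtualization_type not in [...]` entry errors rather than skips when facts are not gathered; `| default('')` on the fact would make both tasks degrade consistently. The stat task for this rule is the preceding hunk and the ownership task's tags continue outside the hunk.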
@@ -9423,121 +10146,154 @@ - medium_severity - no_reboot_needed -- name: Ensure libreswan is installed - package: - name: libreswan - state: present +- name: Configure daily log rotation in /etc/logrotate.conf + lineinfile: + create: true + dest: /etc/logrotate.conf + regexp: ^daily$ + line: daily + when: + - configure_strategy | bool + - ensure_logrotate_activated | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80170-4 + - CCE-80195-1 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-4.1 - - enable_strategy + - PCI-DSS-Req-10.7 + - configure_strategy + - ensure_logrotate_activated - low_complexity - low_disruption - medium_severity - no_reboot_needed - - package_libreswan_installed + +- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf + lineinfile: + create: false + dest: /etc/logrotate.conf + regexp: ^[\s]*(weekly|monthly|yearly)$ + state: absent when: - - no_reboot_needed | bool - - medium_severity | bool - - package_libreswan_installed | bool - - enable_strategy | bool - - low_disruption | bool + - configure_strategy | bool + - ensure_logrotate_activated | bool - low_complexity | bool - -- name: Test for existence /etc/group - stat: - path: /etc/group - register: file_exists + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82037-3 - - CJIS-5.5.2.2 - - NIST-800-53-AC-6(1) + - CCE-80195-1 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.7.c + - PCI-DSS-Req-10.7 - configure_strategy - - file_groupowner_etc_group + - ensure_logrotate_activated - low_complexity - low_disruption - medium_severity - no_reboot_needed - when: - - no_reboot_needed | bool - - medium_severity | bool - - configure_strategy | bool - - file_groupowner_etc_group | bool - - 
low_disruption | bool - - low_complexity | bool -- name: Ensure group owner 0 on /etc/group - file: - path: /etc/group - group: '0' +- name: Configure cron.daily if not already + block: + - name: Add shebang + lineinfile: + path: /etc/cron.daily/logrotate + line: '#!/bin/sh' + insertbefore: BOF + create: true + - name: Add logrotate call + lineinfile: + path: /etc/cron.daily/logrotate + line: /usr/sbin/logrotate /etc/logrotate.conf + regexp: ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ when: - - file_exists.stat is defined and file_exists.stat.exists - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool - - file_groupowner_etc_group | bool - - low_disruption | bool + - ensure_logrotate_activated | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82037-3 - - CJIS-5.5.2.2 - - NIST-800-53-AC-6(1) + - CCE-80195-1 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-8.7.c + - PCI-DSS-Req-10.7 - configure_strategy - - file_groupowner_etc_group + - ensure_logrotate_activated + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure libreswan is installed + package: + name: libreswan + state: present + tags: + - CCE-80170-4 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-4.1 + - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed + - package_libreswan_installed + when: + - enable_strategy | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - package_libreswan_installed | bool - name: Test for existence /etc/group stat: path: /etc/group register: file_exists tags: - - CCE-82032-4 + - CCE-82037-3 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_group + - file_groupowner_etc_group - 
low_complexity - low_disruption - medium_severity - no_reboot_needed when: - - no_reboot_needed | bool - - file_permissions_etc_group | bool - configure_strategy | bool - - medium_severity | bool - - low_disruption | bool + - file_groupowner_etc_group | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool -- name: Ensure permission 0644 on /etc/group +- name: Ensure group owner 0 on /etc/group file: path: /etc/group - mode: '0644' + group: '0' when: - - file_exists.stat is defined and file_exists.stat.exists - - no_reboot_needed | bool - - file_permissions_etc_group | bool - configure_strategy | bool - - medium_severity | bool - - low_disruption | bool + - file_groupowner_etc_group | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82032-4 + - CCE-82037-3 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_group + - file_groupowner_etc_group - low_complexity - low_disruption - medium_severity 
@@ -9560,25 +10316,25 @@ - medium_severity - no_reboot_needed when: - - no_reboot_needed | bool - - medium_severity | bool - - file_groupowner_etc_passwd | bool - configure_strategy | bool - - low_disruption | bool + - file_groupowner_etc_passwd | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool - name: Ensure group owner 0 on /etc/passwd file: path: /etc/passwd group: '0' when: - - file_exists.stat is defined and file_exists.stat.exists - - no_reboot_needed | bool - - medium_severity | bool - - file_groupowner_etc_passwd | bool - configure_strategy | bool - - low_disruption | bool + - file_groupowner_etc_passwd | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-26639-5 - CJIS-5.5.2.2 @@ -9609,25 +10365,25 @@ - medium_severity - no_reboot_needed when: - - no_reboot_needed | bool - configure_strategy | bool - - medium_severity | bool - file_groupowner_etc_shadow | bool - - low_disruption | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool - name: Ensure group owner 0 on /etc/shadow file: path: /etc/shadow group: '0' when: - - file_exists.stat is defined and file_exists.stat.exists - - no_reboot_needed | bool - configure_strategy | bool - - medium_severity | bool - file_groupowner_etc_shadow | bool - - low_disruption | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-82051-4 - CJIS-5.5.2.2 
@@ -9641,50 +10397,50 @@ - medium_severity - no_reboot_needed -- name: Test for existence /etc/shadow +- name: Test for existence /etc/group stat: - path: /etc/shadow + path: /etc/group register: file_exists tags: - - CCE-82022-5 + - CCE-82031-6 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_shadow + - file_owner_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - - file_owner_etc_shadow | bool - - no_reboot_needed | bool - configure_strategy | bool - - medium_severity | bool - - low_disruption | bool + - file_owner_etc_group | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/shadow +- name: Ensure owner 0 on /etc/group file: - path: /etc/shadow + path: /etc/group owner: '0' when: - - file_exists.stat is defined and file_exists.stat.exists - - file_owner_etc_shadow | bool - - no_reboot_needed | bool - configure_strategy | bool - - medium_severity | bool - - low_disruption | bool + - file_owner_etc_group | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82022-5 + - CCE-82031-6 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_shadow + - file_owner_etc_group - low_complexity - low_disruption - medium_severity 
@@ -9695,45 +10451,45 @@ path: /etc/passwd register: file_exists tags: - - CCE-82029-0 + - CCE-82052-2 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_passwd + - file_owner_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool - - low_disruption | bool - - file_permissions_etc_passwd | bool + - file_owner_etc_passwd | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool -- name: Ensure permission 0644 on /etc/passwd +- name: Ensure owner 0 on /etc/passwd file: path: /etc/passwd - mode: '0644' + owner: '0' when: - - file_exists.stat is defined and file_exists.stat.exists - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool - - low_disruption | bool - - file_permissions_etc_passwd | bool + - file_owner_etc_passwd | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82029-0 + - CCE-82052-2 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_passwd + - file_owner_etc_passwd - low_complexity - low_disruption - medium_severity 
@@ -9744,265 +10500,296 @@ path: /etc/shadow register: file_exists tags: - - CCE-82042-3 + - CCE-82022-5 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_shadow + - file_owner_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - - file_permissions_etc_shadow | bool - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool - - low_disruption | bool + - file_owner_etc_shadow | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool -- name: Ensure permission 0000 on /etc/shadow +- name: Ensure owner 0 on /etc/shadow file: path: /etc/shadow - mode: '0000' + owner: '0' when: - - file_exists.stat is defined and file_exists.stat.exists - - file_permissions_etc_shadow | bool - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool - - low_disruption | bool + - file_owner_etc_shadow | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82042-3 + - CCE-82022-5 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_permissions_etc_shadow + - file_owner_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed -- name: Test for existence /etc/passwd +- name: Test for existence /etc/group stat: - path: /etc/passwd + path: /etc/group register: file_exists tags: - - CCE-82052-2 + - CCE-82032-4 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_passwd + - file_permissions_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - - no_reboot_needed | bool - - medium_severity | bool - - file_owner_etc_passwd | bool - configure_strategy | bool - - low_disruption | 
bool + - file_permissions_etc_group | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/passwd +- name: Ensure permission 0644 on /etc/group file: - path: /etc/passwd - owner: '0' + path: /etc/group + mode: '0644' when: - - file_exists.stat is defined and file_exists.stat.exists - - no_reboot_needed | bool - - medium_severity | bool - - file_owner_etc_passwd | bool - configure_strategy | bool - - low_disruption | bool + - file_permissions_etc_group | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82052-2 + - CCE-82032-4 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_passwd + - file_permissions_etc_group - low_complexity - low_disruption - medium_severity - no_reboot_needed -- name: Test for existence /etc/group +- name: Test for existence /etc/passwd stat: - path: /etc/group + path: /etc/passwd register: file_exists tags: - - CCE-82031-6 + - CCE-82029-0 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_group + - file_permissions_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed when: - - file_owner_etc_group | bool - - medium_severity | bool - configure_strategy | bool - - no_reboot_needed | bool - - low_disruption | bool + - file_permissions_etc_passwd | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool -- name: Ensure owner 0 on /etc/group +- name: Ensure permission 0644 on /etc/passwd file: - path: /etc/group - owner: '0' + path: /etc/passwd + mode: '0644' when: - - file_exists.stat is defined and file_exists.stat.exists - - file_owner_etc_group | bool - - medium_severity | bool - configure_strategy | bool - 
- no_reboot_needed | bool - - low_disruption | bool + - file_permissions_etc_passwd | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-82031-6 + - CCE-82029-0 - CJIS-5.5.2.2 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - configure_strategy - - file_owner_etc_group + - file_permissions_etc_passwd - low_complexity - low_disruption - medium_severity - no_reboot_needed -- name: Configure daily log rotation in /etc/logrotate.conf - lineinfile: - create: true - dest: /etc/logrotate.conf - regexp: ^daily$ - line: daily - when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - - configure_strategy | bool - - low_disruption | bool - - ensure_logrotate_activated | bool - - low_complexity | bool +- name: Test for existence /etc/shadow + stat: + path: /etc/shadow + register: file_exists tags: - - CCE-80195-1 + - CCE-82042-3 + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 + - PCI-DSS-Req-8.7.c - configure_strategy - - ensure_logrotate_activated + - file_permissions_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed - -- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf - lineinfile: - create: false - dest: /etc/logrotate.conf - regexp: ^(weekly|monthly|yearly)$ - state: absent when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - configure_strategy | bool + - file_permissions_etc_shadow | bool + - low_complexity | bool - low_disruption | bool - - ensure_logrotate_activated | bool + - medium_severity | bool + - no_reboot_needed | bool + +- name: Ensure permission 0000 on /etc/shadow + file: + path: /etc/shadow + mode: '0000' + when: + - 
configure_strategy | bool + - file_permissions_etc_shadow | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - file_exists.stat is defined and file_exists.stat.exists tags: - - CCE-80195-1 + - CCE-82042-3 + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 + - PCI-DSS-Req-8.7.c - configure_strategy - - ensure_logrotate_activated + - file_permissions_etc_shadow - low_complexity - low_disruption - medium_severity - no_reboot_needed -- name: Configure cron.daily if not already +- name: Set SSH Idle Timeout Interval block: - - name: Add shebang + - name: Check for duplicate values lineinfile: - path: /etc/cron.daily/logrotate - line: '#!/bin/sh' - insertbefore: BOF - create: true - - name: Add logrotate call + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveInterval\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + - name: Deduplicate values from /etc/ssh/sshd_config lineinfile: - path: /etc/cron.daily/logrotate - line: /usr/sbin/logrotate /etc/logrotate.conf - regexp: ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveInterval\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*ClientAliveInterval\s+ + line: ClientAliveInterval {{ sshd_idle_timeout_value }} + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - no_reboot_needed | bool - - medium_severity | bool - - configure_strategy | bool - - low_disruption | bool - - ensure_logrotate_activated | bool - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | 
bool + - sshd_set_idle_timeout | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80195-1 + - CCE-27433-2 + - CJIS-5.5.6 + - DISA-STIG-RHEL-07-040320 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.7 - - configure_strategy - - ensure_logrotate_activated + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 - low_complexity - low_disruption - medium_severity - no_reboot_needed + - restrict_strategy + - sshd_set_idle_timeout -- name: Set SSH Idle Timeout Interval +- name: Set SSH Client Alive Count Max to zero block: + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveCountMax\s+ + state: absent + check_mode: true + changed_when: false + register: dupes - name: Deduplicate values from /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: false - regexp: (?i)^\s*ClientAliveInterval\s+ + regexp: (?i)^\s*ClientAliveCountMax\s+ state: absent + when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/ssh/sshd_config lineinfile: path: /etc/ssh/sshd_config create: true - line: ClientAliveInterval {{ sshd_idle_timeout_value }} + regexp: (?i)^\s*ClientAliveCountMax\s+ + line: ClientAliveCountMax 0 state: present insertbefore: ^[#\s]*Match validate: /usr/sbin/sshd -t -f %s when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - sshd_set_idle_timeout | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - medium_severity | bool - - low_disruption | bool - - low_complexity | bool + - sshd_set_keepalive_0 | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-27433-2 + - CCE-83399-6 - CJIS-5.5.6 - - 
DISA-STIG-RHEL-07-040320 + - DISA-STIG-RHEL-07-040340 - NIST-800-171-3.1.11 - NIST-800-53-AC-12 - NIST-800-53-AC-17(a) - - NIST-800-53-AC-17(a) - NIST-800-53-AC-2(5) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(a) - NIST-800-53-SC-10 - PCI-DSS-Req-8.1.8 - low_complexity @@ -10010,4 +10797,4 @@ - medium_severity - no_reboot_needed - restrict_strategy - - sshd_set_idle_timeout + - sshd_set_keepalive_0