From fa33a42206ca434abbcc816d86369cca667c48d9 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Wed, 7 Feb 2024 19:47:50 -0500 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 1085 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 848 insertions(+), 237 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 4aa0be5..bd06bd4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -25,8 +25,8 @@ - no_reboot_needed - package_aide_installed -- name: Ensure AIDE is installed - package: +- name: Build and Test AIDE Database - Ensure AIDE Is Installed + ansible.builtin.package: name: '{{ item }}' state: present with_items: @@ -54,8 +54,8 @@ - no_reboot_needed - restrict_strategy -- name: Build and Test AIDE Database - command: /usr/sbin/aide --init +- name: Build and Test AIDE Database - Build and Test AIDE Database + ansible.builtin.command: /usr/sbin/aide --init changed_when: true when: - DISA_STIG_RHEL_08_010359 | bool @@ -80,8 +80,8 @@ - no_reboot_needed - restrict_strategy -- name: Check whether the stock AIDE Database exists - stat: +- name: Build and Test AIDE Database - Check Whether the Stock AIDE Database Exists + ansible.builtin.stat: path: /var/lib/aide/aide.db.new.gz register: aide_database_stat when: @@ -107,8 +107,8 @@ - no_reboot_needed - restrict_strategy -- name: Stage AIDE Database - copy: +- name: Build and Test AIDE Database - Stage AIDE Database + ansible.builtin.copy: src: /var/lib/aide/aide.db.new.gz dest: /var/lib/aide/aide.db.gz backup: true @@ -340,7 +340,7 @@ lineinfile: dest: /etc/sysconfig/sshd state: absent - regexp: ^\s*(?i)CRYPTO_POLICY.*$ + regexp: ^(?i)\s*CRYPTO_POLICY.*$ tags: - CCE-80939-2 - DISA-STIG-RHEL-08-010287 
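Review bot: In the CRYPTO_POLICY `regexp` the inline flag is still not at the very start of the pattern (`^` precedes `(?i)`), and Python 3.11+ `re` rejects that with "global flags not at the start of the expression", so the lineinfile task hard-fails on any managed node whose `ansible_python_interpreter` is a recent Python, while older interpreters such as RHEL 8's platform-python merely emit a DeprecationWarning. Put the flag ahead of the anchor: `regexp: (?i)^\s*CRYPTO_POLICY.*$`. The enclosing task begins before the hunk and its tags continue after it.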
@@ -2290,7 +2290,7 @@ - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0] }}\s+pam_pwhistory.so\s*.* + regexp: ^\s*password\s+{{ '{{ var_password_pam_remember_control_flag.split(",")[0] }}' | regex_escape() }}\s+pam_pwhistory.so\s*.* state: absent check_mode: true changed_when: false @@ -2670,7 +2670,7 @@ - name: 'Limit Password Reuse: password-auth - Check if expected PAM module line is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.* + regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.* state: absent check_mode: true changed_when: false @@ -2716,7 +2716,7 @@ - name: 'Limit Password Reuse: password-auth - Check if the required PAM module option is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b + regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b state: absent check_mode: true changed_when: false @@ -2726,7 +2726,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so.*) + regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so.*) line: \1 remember={{ var_password_pam_remember }} state: present register: result_pam_remember_add 
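Review bot: The new `regexp` in the password-auth check can never match a real PAM line: the inner `{{ var_password_pam_remember_control_flag.split(",")[0] }}` sits inside a quoted Jinja string literal, so it is not evaluated, and `regex_escape()` then turns the braces and text into a literal `\{\{\ var_password_pam_remember_control_flag…\}\}` that no `pam_pwhistory.so` line contains. The check therefore reports the line as missing on every run, and whatever the consuming tasks (outside the hunk) do on the not-found path executes unconditionally, which is likely to add a second `password … pam_pwhistory.so` line rather than edit the existing one. Apply the filter to the expression itself: `regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0] | regex_escape() }}\s+pam_pwhistory.so\s*.*`. The task continues past the hunk.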
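Review bot: Wrapping the constant `'requisite'` in `{{ … | regex_escape() }}` is a no-op that only obscures the pattern, while the one character in this regexp that does need escaping, the `.` in `pam_pwhistory.so`, is still unescaped and matches any character; the same shape recurs in the `sufficient`/`pam_unix.so` hunks further down. Either write the constant plainly (`requisite`) or escape what matters (`pam_pwhistory\.so`), consistently across these checks. If the generator emits this form because the control flag is sometimes a variable, a one-line comment above the regexp saying so would stop the next reader from simplifying it.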
@@ -2737,7 +2737,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) + regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) line: \1\2={{ var_password_pam_remember }} \3 register: result_pam_remember_edit when: @@ -3037,7 +3037,7 @@ - name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+{{ var_password_pam_remember_control_flag.split(",")[0] }}\s+pam_pwhistory.so\s*.* + regexp: ^\s*password\s+{{ '{{ var_password_pam_remember_control_flag.split(",")[0] }}' | regex_escape() }}\s+pam_pwhistory.so\s*.* state: absent check_mode: true changed_when: false @@ -3415,7 +3415,7 @@ - name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.* + regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.* state: absent check_mode: true changed_when: false @@ -3461,7 +3461,7 @@ - name: 'Limit Password Reuse: system-auth - Check if the required PAM module option is present in {{ pam_file_path }}' ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b + regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b state: absent check_mode: true changed_when: false 
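Review bot: In the system-auth check (hunk at -3037) the `regexp` cannot match: `{{ var_password_pam_remember_control_flag.split(",")[0] }}` is placed inside a quoted Jinja string, so it is never evaluated, and `regex_escape()` then escapes the braces, leaving a pattern that looks for the literal text `{{ var_password_pam_remember_control_flag.split(",")[0] }}` as the control flag. Every run therefore takes the line-missing branch (the tasks that consume this result are outside the hunk), which is likely to append a second `pam_pwhistory.so` line instead of editing the existing one. Replace the quoted form with `{{ var_password_pam_remember_control_flag.split(",")[0] | regex_escape() }}`. The task continues past the hunk.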
@@ -3471,7 +3471,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so.*) + regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so.*) line: \1 remember={{ var_password_pam_remember }} state: present register: result_pam_remember_add @@ -3482,7 +3482,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) + regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*) line: \1\2={{ var_password_pam_remember }} \3 register: result_pam_remember_edit when: @@ -4158,6 +4158,7 @@ tags: - CCE-80670-3 - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 - DISA-STIG-RHEL-08-020015 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) @@ -4171,6 +4172,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_08_020014 | bool - DISA_STIG_RHEL_08_020015 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool @@ -4184,6 +4186,7 @@ path: /usr/bin/authselect register: result_authselect_present when: + - DISA_STIG_RHEL_08_020014 | bool - DISA_STIG_RHEL_08_020015 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool @@ -4195,6 +4198,7 @@ tags: - CCE-80670-3 - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 - DISA-STIG-RHEL-08-020015 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) @@ -4249,6 +4253,7 @@ - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: + - DISA_STIG_RHEL_08_020014 | bool - DISA_STIG_RHEL_08_020015 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool @@ -4261,6 +4266,7 @@ tags: - CCE-80670-3 - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 - DISA-STIG-RHEL-08-020015 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) 
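Review bot: The added `DISA_STIG_RHEL_08_020014 | bool` conditions reference a variable this role did not use before, and the commit touches only tasks/main.yml (diffstat: 1 file changed), so unless the companion defaults/main.yml update declares it every faillock unlock_time task on this line aborts with an undefined-variable error instead of skipping. Note also that `when:` lists are AND-ed: the task now runs only when both `DISA_STIG_RHEL_08_020014` and `DISA_STIG_RHEL_08_020015` are true, so disabling either STIG ID silently drops the remediation for the other; if either ID should select the rule, collapse them into `- (DISA_STIG_RHEL_08_020014 | bool) or (DISA_STIG_RHEL_08_020015 | bool)`. The same applies to the `DISA_STIG_RHEL_08_020332` additions later in the file. The enclosing task starts before the hunk.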
@@ -4318,6 +4324,7 @@ when: - result_pam_faillock_is_enabled.found == 0 when: + - DISA_STIG_RHEL_08_020014 | bool - DISA_STIG_RHEL_08_020015 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool @@ -4330,6 +4337,7 @@ tags: - CCE-80670-3 - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 - DISA-STIG-RHEL-08-020015 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) @@ -4348,6 +4356,7 @@ path: /etc/security/faillock.conf register: result_faillock_conf_check when: + - DISA_STIG_RHEL_08_020014 | bool - DISA_STIG_RHEL_08_020015 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool @@ -4359,6 +4368,7 @@ tags: - CCE-80670-3 - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 - DISA-STIG-RHEL-08-020015 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) @@ -4379,6 +4389,7 @@ line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }} state: present when: + - DISA_STIG_RHEL_08_020014 | bool - DISA_STIG_RHEL_08_020015 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool @@ -4391,6 +4402,7 @@ tags: - CCE-80670-3 - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 - DISA-STIG-RHEL-08-020015 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) @@ -4673,6 +4685,7 @@ when: - result_pam_file_present.stat.exists when: + - DISA_STIG_RHEL_08_020014 | bool - DISA_STIG_RHEL_08_020015 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool @@ -4685,6 +4698,7 @@ tags: - CCE-80670-3 - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 - DISA-STIG-RHEL-08-020015 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) @@ -4762,6 +4776,7 @@ when: - result_pam_faillock_unlock_time_parameter_is_present.found > 0 when: + - DISA_STIG_RHEL_08_020014 | bool - DISA_STIG_RHEL_08_020015 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool @@ -4774,6 +4789,7 @@ tags: - CCE-80670-3 - CJIS-5.5.3 + - DISA-STIG-RHEL-08-020014 - DISA-STIG-RHEL-08-020015 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) 
@@ -5116,7 +5132,7 @@ option from "pam_pwquality.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' - regexp: (.*password.*.*.*pam_pwquality.so.*)\bretry\b=?[0-9a-zA-Z]*(.*) + regexp: (.*password.*{{ '.*' | regex_escape() }}.*pam_pwquality.so.*)\bretry\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Ensure authselect @@ -5309,7 +5325,7 @@ option from "pam_pwquality.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' - regexp: (.*password.*.*.*pam_pwquality.so.*)\bretry\b=?[0-9a-zA-Z]*(.*) + regexp: (.*password.*{{ '.*' | regex_escape() }}.*pam_pwquality.so.*)\bretry\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal - name: Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session - Ensure authselect @@ -5580,7 +5596,7 @@ }} ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+sufficient\s+pam_unix.so\s*.* + regexp: ^\s*password\s+{{ 'sufficient' | regex_escape() }}\s+pam_unix.so\s*.* state: absent check_mode: true changed_when: false @@ -5629,7 +5645,7 @@ pam_file_path }} ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+sufficient\s+pam_unix.so\s*.*\ssha512\b + regexp: ^\s*password\s+{{ 'sufficient' | regex_escape() }}\s+pam_unix.so\s*.*\ssha512\b state: absent check_mode: true changed_when: false @@ -5639,7 +5655,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+sufficient\s+pam_unix.so.*) + regexp: ^(\s*password\s+{{ 'sufficient' | regex_escape() }}\s+pam_unix.so.*) line: \1 sha512 state: present register: result_pam_sha512_add 
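Review bot: `{{ '.*' | regex_escape() }}` renders as `\.\*`, so the new `regexp` `(.*password.*\.\*.*pam_pwquality.so.*)…` only matches a line that literally contains the two characters `.*`; the `retry=` option is therefore never stripped from `pam_pwquality.so` lines in `{{ pam_file_path }}`, and since a module option on the PAM line overrides `/etc/security/pwquality.conf`, the retry value this rule configures is silently not the one enforced. The placeholder was a wildcard for the control flag and must not be escaped: `regexp: (.*password.*pam_pwquality.so.*)\bretry\b=?[0-9a-zA-Z]*(.*)`. `result_pam_option_removal` simply reports unchanged, so nothing downstream notices. The same defect appears in the second hunk on this line, and the enclosing task starts before the hunk.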
@@ -5848,7 +5864,7 @@ - name: Set PAM's Password Hashing Algorithm - Check if expected PAM module line is present in {{ pam_file_path }} ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+sufficient\s+pam_unix.so\s*.* + regexp: ^\s*password\s+{{ 'sufficient' | regex_escape() }}\s+pam_unix.so\s*.* state: absent check_mode: true changed_when: false @@ -5894,7 +5910,7 @@ - name: Set PAM's Password Hashing Algorithm - Check if the required PAM module option is present in {{ pam_file_path }} ansible.builtin.lineinfile: path: '{{ pam_file_path }}' - regexp: ^\s*password\s+sufficient\s+pam_unix.so\s*.*\ssha512\b + regexp: ^\s*password\s+{{ 'sufficient' | regex_escape() }}\s+pam_unix.so\s*.*\ssha512\b state: absent check_mode: true changed_when: false @@ -5904,7 +5920,7 @@ ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true - regexp: ^(\s*password\s+sufficient\s+pam_unix.so.*) + regexp: ^(\s*password\s+{{ 'sufficient' | regex_escape() }}\s+pam_unix.so.*) line: \1 sha512 state: present register: result_pam_sha512_add @@ -6447,6 +6463,7 @@ register: result_authselect_present when: - DISA_STIG_RHEL_08_020331 | bool + - DISA_STIG_RHEL_08_020332 | bool - configure_strategy | bool - high_severity | bool - low_complexity | bool @@ -6458,6 +6475,7 @@ - CCE-80841-0 - CJIS-5.5.2 - DISA-STIG-RHEL-08-020331 + - DISA-STIG-RHEL-08-020332 - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) @@ -6515,6 +6533,7 @@ - result_authselect_enable_feature_cmd is success when: - DISA_STIG_RHEL_08_020331 | bool + - DISA_STIG_RHEL_08_020332 | bool - configure_strategy | bool - high_severity | bool - low_complexity | bool @@ -6527,6 +6546,7 @@ - CCE-80841-0 - CJIS-5.5.2 - DISA-STIG-RHEL-08-020331 + - DISA-STIG-RHEL-08-020332 - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) 
@@ -6551,6 +6571,7 @@ - /etc/pam.d/password-auth when: - DISA_STIG_RHEL_08_020331 | bool + - DISA_STIG_RHEL_08_020332 | bool - configure_strategy | bool - high_severity | bool - low_complexity | bool @@ -6563,6 +6584,7 @@ - CCE-80841-0 - CJIS-5.5.2 - DISA-STIG-RHEL-08-020331 + - DISA-STIG-RHEL-08-020332 - NIST-800-171-3.1.1 - NIST-800-171-3.1.5 - NIST-800-53-CM-6(a) 
@@ -6691,6 +6713,69 @@ - no_reboot_needed - restrict_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86071-8 + - ensure_pam_wheel_group_empty + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - ensure_pam_wheel_group_empty | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + +- name: Ensure the Group Used by pam_wheel Module Exists on System and is Empty - Ensure group {{ var_pam_wheel_group_for_su + }} is removed + group: + name: '{{ var_pam_wheel_group_for_su }}' + state: absent + when: + - ensure_pam_wheel_group_empty | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-86071-8 + - ensure_pam_wheel_group_empty + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure the Group Used by pam_wheel Module Exists on System and is Empty - Ensure group {{ var_pam_wheel_group_for_su + }} exist + group: + name: '{{ var_pam_wheel_group_for_su }}' + state: present + when: + - ensure_pam_wheel_group_empty | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-86071-8 + - ensure_pam_wheel_group_empty + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Ensure that System Accounts Are Locked - Get All Local Users From /etc/passwd ansible.builtin.getent: database: passwd 
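Review bot: Emptying the group by deleting it with `state: absent` and recreating it is destructive: the recreated group gets a fresh GID, so files or sudoers/polkit entries keyed on the old GID are orphaned, `groupdel` fails outright (aborting the play) if the group is any user's primary group, and if `var_pam_wheel_group_for_su` is set to an existing administrative group such as `wheel`, one play run strips every administrator's membership and with it `%wheel` sudo access. Keep the group and clear its membership in place instead, e.g. after the `state: present` task run `ansible.builtin.command: gpasswd -M '' {{ var_pam_wheel_group_for_su }}` with a `changed_when` derived from `getent group`, and add an assert that the variable is not `wheel`/`root`. `var_pam_wheel_group_for_su` is also newly referenced and this commit changes only tasks/main.yml, so the companion defaults update must declare it or both tasks fail on an undefined variable.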
@@ -6837,6 +6922,48 @@ - no_shelllogin_for_systemaccounts - restrict_strategy +- name: Gather the package facts + package_facts: + manager: auto + tags: + - CCE-86064-3 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - use_pam_wheel_group_for_su + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - use_pam_wheel_group_for_su | bool + +- name: Enforce Usage of pam_wheel with Group Parameter for su Authentication - Add the group to the /etc/pam.d/su file + ansible.builtin.lineinfile: + path: /etc/pam.d/su + state: present + regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid group=$ + line: auth required pam_wheel.so use_uid group={{ var_pam_wheel_group_for_su }} + when: + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - use_pam_wheel_group_for_su | bool + - '"pam" in ansible_facts.packages' + tags: + - CCE-86064-3 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - use_pam_wheel_group_for_su + - name: Correct any occurrence of TMOUT in /etc/profile replace: path: /etc/profile @@ -7370,14 +7497,9 @@ - no_reboot_needed - restrict_strategy -- name: Check if umask in /etc/bashrc is already set - ansible.builtin.lineinfile: - path: /etc/bashrc - regexp: ^(\s*)umask\s+.* - state: absent - check_mode: true - changed_when: false - register: umask_replace +- name: Gather the package facts + package_facts: + manager: auto tags: - CCE-81036-6 - DISA-STIG-RHEL-08-020353 
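Review bot: The `regexp` in the `/etc/pam.d/su` task only recognises the exact commented stock line ending in `group=`; where pam_wheel is already active, written without `group=`, or set to a different group, it does not match and `state: present` appends a second `auth required pam_wheel.so` line at end of file rather than correcting the existing one, so the old line keeps its (possibly wrong) group and the new line's position in the auth stack is uncontrolled. Match any existing pam_wheel line and pin the insertion point, e.g. `regexp: ^\s*#?\s*auth\s+required\s+pam_wheel\.so\s+use_uid(\s+group=\S*)?\s*$` with `insertafter: ^\s*auth\s+sufficient\s+pam_rootok\.so`, so exactly one pam_wheel line exists and it still follows the root shortcut. `var_pam_wheel_group_for_su` is a newly referenced variable and only tasks/main.yml changes here, so it must be declared in the companion defaults update.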
@@ -7399,6 +7521,36 @@ - no_reboot_needed | bool - restrict_strategy | bool +- name: Check if umask in /etc/bashrc is already set + ansible.builtin.lineinfile: + path: /etc/bashrc + regexp: ^(\s*)umask\s+.* + state: absent + check_mode: true + changed_when: false + register: umask_replace + when: + - DISA_STIG_RHEL_08_020353 | bool + - accounts_umask_etc_bashrc | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"bash" in ansible_facts.packages' + tags: + - CCE-81036-6 + - DISA-STIG-RHEL-08-020353 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSSv4-8.6.1 + - accounts_umask_etc_bashrc + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Replace user umask in /etc/bashrc ansible.builtin.replace: path: /etc/bashrc @@ -7412,6 +7564,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"bash" in ansible_facts.packages' - umask_replace.found > 0 tags: - CCE-81036-6 @@ -7439,6 +7592,7 @@ - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - '"bash" in ansible_facts.packages' - umask_replace.found == 0 tags: - CCE-81036-6 
@@ -10902,6 +11056,78 @@ - no_reboot_needed | bool - restrict_strategy | bool +- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: + - audit_rules_sysadmin_actions | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80743-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 + - audit_rules_sysadmin_actions + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/sudoers in /etc/audit/audit.rules + lineinfile: + line: -w /etc/sudoers -p wa -k actions + state: present + dest: /etc/audit/audit.rules + create: true + mode: '0640' + when: + - audit_rules_sysadmin_actions | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - '"audit" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + tags: + - CCE-80743-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 + - audit_rules_sysadmin_actions + - low_complexity + - 
low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d @@ -11079,10 +11305,10 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules +- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules find: paths: /etc/audit/ - contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: @@ -11114,9 +11340,9 @@ - no_reboot_needed - restrict_strategy -- name: Add watch rule for /etc/sudoers in /etc/audit/audit.rules +- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules lineinfile: - line: -w /etc/sudoers -p wa -k actions + line: -w /etc/sudoers.d/ -p wa -k actions state: present dest: /etc/audit/audit.rules create: true 
@@ -11328,78 +11554,6 @@ - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules - when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80743-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - - audit_rules_sysadmin_actions - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules - lineinfile: - line: -w /etc/sudoers.d/ -p wa -k actions - state: present - dest: /etc/audit/audit.rules - create: true - mode: '0640' - when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - '"audit" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - tags: - - CCE-80743-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - - audit_rules_sysadmin_actions - - low_complexity - - 
low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - name: Gather the package facts package_facts: manager: auto @@ -12800,6 +12954,10 @@ manager: auto tags: - CCE-86432-2 + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_sudo_log_events - low_complexity - low_disruption @@ -12831,6 +12989,10 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86432-2 + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_sudo_log_events - low_complexity - low_disruption @@ -12856,6 +13018,10 @@ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86432-2 + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_sudo_log_events - low_complexity - low_disruption @@ -12880,6 +13046,10 @@ find_existing_watch_rules_d.matched == 0 tags: - CCE-86432-2 + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_sudo_log_events - low_complexity - low_disruption @@ -12904,6 +13074,10 @@ find_existing_watch_rules_d.matched == 0 tags: - CCE-86432-2 + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_sudo_log_events - low_complexity - low_disruption @@ -12929,6 +13103,10 @@ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-86432-2 + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_sudo_log_events - low_complexity - low_disruption @@ -12953,6 +13131,10 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-86432-2 + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_sudo_log_events - low_complexity - low_disruption 
@@ -12979,6 +13161,10 @@ - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-86432-2 + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-10.2.2 - audit_sudo_log_events - low_complexity - low_disruption @@ -13027,6 +13213,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -13151,6 +13338,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-80685-1 - CJIS-5.4.1.1 @@ -13273,6 +13461,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-80685-1 @@ -13332,6 +13521,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -13458,6 +13648,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-80686-9 - CJIS-5.4.1.1 
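Review bot: Adding `not ( ansible_architecture == "aarch64" )` directly above a condition that still lists `ansible_architecture == "aarch64"` as an accepted value makes the `when:` read as self-contradictory; the net effect (ppc64, ppc64le, s390x and x86_64 only) is right, but the intent is clearer if aarch64 is simply dropped from the or-list and the negation omitted. If the exclusion is because these rules audit legacy syscalls that aarch64 does not implement (presumably, given the `*at` variants are handled elsewhere), a one-line comment such as `# aarch64 lacks this legacy syscall; its *at variant is covered by a separate rule` above the condition would keep the next maintainer from "fixing" it. The same pattern is repeated in every hunk on this and the following lines, and each enclosing task starts before its hunk.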
@@ -13582,6 +13773,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-80686-9 @@ -15899,6 +16091,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -16025,6 +16218,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-80693-5 - CJIS-5.4.1.1 @@ -16149,6 +16343,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-80693-5 @@ -18667,6 +18862,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -18794,6 +18990,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-80703-2 - DISA-STIG-RHEL-08-030361 
@@ -18919,6 +19116,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-80703-2 @@ -19285,6 +19483,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -19412,6 +19611,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-80706-5 - DISA-STIG-RHEL-08-030361 @@ -19537,6 +19737,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-80706-5 @@ -19905,6 +20106,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -20038,6 +20240,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-80751-1 - DISA-STIG-RHEL-08-030420 
@@ -20169,6 +20372,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-80751-1 @@ -20301,6 +20505,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-80751-1 - DISA-STIG-RHEL-08-030420 @@ -20432,6 +20637,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-80751-1 @@ -21081,6 +21287,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -21214,6 +21421,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-80753-7 - DISA-STIG-RHEL-08-030420 @@ -21345,6 +21553,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-80753-7 
@@ -21477,6 +21686,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-80753-7 - DISA-STIG-RHEL-08-030420 @@ -21608,6 +21818,7 @@ - restrict_strategy | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-80753-7 @@ -22834,6 +23045,7 @@ - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: @@ -22943,6 +23155,7 @@ - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) tags: - CCE-88435-3 - audit_rules_kernel_module_loading_create @@ -23050,6 +23263,7 @@ - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - audit_arch == "b64" tags: - CCE-88435-3 @@ -23986,6 +24200,7 @@ - no_reboot_needed | bool - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - not ( ansible_architecture == "aarch64" ) - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: 
@@ -24099,6 +24314,7 @@
 - no_reboot_needed | bool
 - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - not ( ansible_architecture == "aarch64" )
 tags:
 - CCE-88748-9
 - audit_rules_kernel_module_loading_query
@@ -24210,6 +24426,7 @@
 - no_reboot_needed | bool
 - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - not ( ansible_architecture == "aarch64" )
 - audit_arch == "b64"
 tags:
 - CCE-88748-9
@@ -24248,10 +24465,10 @@
 - reboot_required | bool
 - restrict_strategy | bool
-- name: Check if watch rule for /var/log/faillock already exists in /etc/audit/rules.d/
+- name: Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/rules.d/
 find:
 paths: /etc/audit/rules.d
- contains: ^\s*-w\s+/var/log/faillock\s+-p\s+wa(\s|$)+
+ contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+
 patterns: '*.rules'
 register: find_existing_watch_rules_d
 when:
@@ -24381,10 +24598,10 @@
 - reboot_required
 - restrict_strategy
-- name: Add watch rule for /var/log/faillock in /etc/audit/rules.d/
+- name: Add watch rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/rules.d/
 lineinfile:
 path: '{{ all_files[0] }}'
- line: -w /var/log/faillock -p wa -k logins
+ line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins
 create: true
 mode: '0640'
 when:
@@ -24415,10 +24632,10 @@
 - reboot_required
 - restrict_strategy
-- name: Check if watch rule for /var/log/faillock already exists in /etc/audit/audit.rules
+- name: Check if watch rule for {{ var_accounts_passwords_pam_faillock_dir }} already exists in /etc/audit/audit.rules
 find:
 paths: /etc/audit/
- contains: ^\s*-w\s+/var/log/faillock\s+-p\s+wa(\s|$)+
+ contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir }}\s+-p\s+wa(\s|$)+
 patterns: audit.rules
 register: find_existing_watch_audit_rules
 when:
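Review bot: `{{ var_accounts_passwords_pam_faillock_dir }}` is interpolated into the `contains:` regex unescaped at -24248 and again at -24415, while the same commit escapes a templated value in a regexp elsewhere with `regex_escape()`; a directory containing regex metacharacters would make the existence check miss a rule that is already there, and the `lineinfile` at -24381 (and -24448 on the next line) would then append another `-w` line on every run. Use `contains: ^\s*-w\s+{{ var_accounts_passwords_pam_faillock_dir | regex_escape() }}\s+-p\s+wa(\s|$)+` in both find tasks. The variable is also unquoted in `line:`, so an empty value would write `-w  -p wa -k logins`, which is not a valid watch rule; an `ansible.builtin.assert` that the variable is non-empty before these tasks would fail early instead. The task bodies continue outside the hunks.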
@@ -24448,9 +24665,9 @@
 - reboot_required
 - restrict_strategy
-- name: Add watch rule for /var/log/faillock in /etc/audit/audit.rules
+- name: Add watch rule for {{ var_accounts_passwords_pam_faillock_dir }} in /etc/audit/audit.rules
 lineinfile:
- line: -w /var/log/faillock -p wa -k logins
+ line: -w {{ var_accounts_passwords_pam_faillock_dir }} -p wa -k logins
 state: present
 dest: /etc/audit/audit.rules
 create: true
@@ -26234,6 +26451,7 @@
 - restrict_strategy | bool
 - '"audit" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture == "s390x" ) )
 tags:
 - CCE-80748-7
 - CJIS-5.4.1.1
@@ -28288,7 +28506,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/systemd/journald.conf
- create: false
+ create: true
 regexp: ^\s*Compress=
 state: absent
 check_mode: true
@@ -28297,7 +28515,7 @@
 - name: Deduplicate values from /etc/systemd/journald.conf
 lineinfile:
 path: /etc/systemd/journald.conf
- create: false
+ create: true
 regexp: ^\s*Compress=
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -28332,7 +28550,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/systemd/journald.conf
- create: false
+ create: true
 regexp: ^\s*ForwardToSyslog=
 state: absent
 check_mode: true
@@ -28341,7 +28559,7 @@
 - name: Deduplicate values from /etc/systemd/journald.conf
 lineinfile:
 path: /etc/systemd/journald.conf
- create: false
+ create: true
 regexp: ^\s*ForwardToSyslog=
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -28376,7 +28594,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/systemd/journald.conf
- create: false
+ create: true
 regexp: ^\s*Storage=
 state: absent
 check_mode: true
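Review bot: `create: true` has no effect on the `state: absent` tasks changed at -28288 through -28376 (and -28385 on the next line): lineinfile only creates a missing file with `state: present`, so these hunks change nothing at runtime, and a reader may now assume the "Check for duplicate values" and "Deduplicate values" steps can create `/etc/systemd/journald.conf`. Either keep `create: false` on the absent tasks or add `# create is ignored with state: absent; kept only for symmetry with the present task` so the intent is visible. The same no-op change appears in the `/etc/selinux/config` hunks from -36883 and the `/etc/ssh/sshd_config` hunks from -39367 onward.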
@@ -28385,7 +28603,7 @@
 - name: Deduplicate values from /etc/systemd/journald.conf
 lineinfile:
 path: /etc/systemd/journald.conf
- create: false
+ create: true
 regexp: ^\s*Storage=
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -31093,6 +31311,25 @@
 - no_reboot_needed
 - package_nftables_installed
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-88428-8
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_nftables_disabled
+ when:
+ - disable_strategy | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - service_nftables_disabled | bool
 - name: Block Disable service nftables
 block:
 - name: Disable service nftables
@@ -31113,7 +31350,8 @@
 - medium_severity | bool
 - no_reboot_needed | bool
 - service_nftables_disabled | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "firewalld" in ansible_facts.packages
+ and "nftables" in ansible_facts.packages )
 tags:
 - CCE-88428-8
 - disable_strategy
@@ -31136,7 +31374,8 @@
 - medium_severity | bool
 - no_reboot_needed | bool
 - service_nftables_disabled | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "firewalld" in ansible_facts.packages
+ and "nftables" in ansible_facts.packages )
 tags:
 - CCE-88428-8
 - disable_strategy
@@ -31159,7 +31398,8 @@
 - medium_severity | bool
 - no_reboot_needed | bool
 - service_nftables_disabled | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "firewalld" in ansible_facts.packages
+ and "nftables" in ansible_facts.packages )
 - socket_file_exists.stdout_lines is search("nftables.socket",multiline=True)
 tags:
 - CCE-88428-8
@@ -31446,14 +31686,88 @@ - unknown_strategy - wireless_disable_interfaces -- name: Get all world-writable directories with no sticky bits set - shell: 'set -o pipefail +- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Excluded (Non-Local) File Systems and Paths + ansible.builtin.set_fact: + excluded_fstypes: + - afs + - ceph + - cifs + - smb3 + - smbfs + - sshfs + - ncpfs + - ncp + - nfs + - nfs4 + - gfs + - gfs2 + - glusterfs + - gpfs + - pvfs2 + - ocfs2 + - lustre + - davfs + - fuse.sshfs + excluded_paths: + - dev + - proc + - run + - sys + search_paths: [] + tags: + - CCE-80783-4 + - DISA-STIG-RHEL-08-010190 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - dir_perms_world_writable_sticky_bits + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - DISA_STIG_RHEL_08_010190 | bool + - dir_perms_world_writable_sticky_bits | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool - df --local -P | awk ''{if (NR!=1) print $6}'' | xargs -I ''{}'' find ''{}'' -xdev -type d \( -perm -0002 -a ! 
-perm -1000 - \) 2>/dev/null +- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find Relevant Root Directories Ignoring Pre-Defined + Excluded Paths + ansible.builtin.find: + paths: / + file_type: directory + excludes: '{{ excluded_paths }}' + hidden: true + recurse: false + register: result_relevant_root_dirs + tags: + - CCE-80783-4 + - DISA-STIG-RHEL-08-010190 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - dir_perms_world_writable_sticky_bits + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + when: + - DISA_STIG_RHEL_08_010190 | bool + - dir_perms_world_writable_sticky_bits | bool + - low_complexity | bool + - low_disruption | bool + - medium_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool - ' - register: dir_output +- name: Verify that All World-Writable Directories Have Sticky Bits Set - Include Relevant Root Directories in a List of Paths + to be Searched + ansible.builtin.set_fact: + search_paths: '{{ search_paths | union([item.path]) }}' + loop: '{{ result_relevant_root_dirs.files }}' tags: - CCE-80783-4 - DISA-STIG-RHEL-08-010190 
@@ -31474,12 +31788,139 @@
 - no_reboot_needed | bool
 - restrict_strategy | bool
-- name: Ensure sticky bit is set
- file:
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment Search Paths List with Local Partitions
+ Mount Points
+ ansible.builtin.set_fact:
+ search_paths: '{{ search_paths | union([item.mount]) }}'
+ loop: '{{ ansible_mounts }}'
+ when:
+ - DISA_STIG_RHEL_08_010190 | bool
+ - dir_perms_world_writable_sticky_bits | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - item.fstype not in excluded_fstypes
+ - item.mount != '/'
+ tags:
+ - CCE-80783-4
+ - DISA-STIG-RHEL-08-010190
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - dir_perms_world_writable_sticky_bits
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment Search Paths List with Local NFS File
+ System Targets
+ ansible.builtin.set_fact:
+ search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
+ loop: '{{ ansible_mounts }}'
+ when:
+ - DISA_STIG_RHEL_08_010190 | bool
+ - dir_perms_world_writable_sticky_bits | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+ - item.device is search("localhost:")
+ tags:
+ - CCE-80783-4
+ - DISA-STIG-RHEL-08-010190
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - dir_perms_world_writable_sticky_bits
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Rule Specific Facts
+ ansible.builtin.set_fact:
+ world_writable_dirs: []
+ tags:
+ - CCE-80783-4
+ - DISA-STIG-RHEL-08-010190
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - dir_perms_world_writable_sticky_bits
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ when:
+ - DISA_STIG_RHEL_08_010190 | bool
+ - dir_perms_world_writable_sticky_bits | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find All Uncompliant Directories in Local File Systems
+ ansible.builtin.command:
+ cmd: find {{ item }} -xdev -type d ( -perm -0002 -a ! -perm -1000 )
+ loop: '{{ search_paths }}'
+ changed_when: false
+ register: result_found_dirs
+ tags:
+ - CCE-80783-4
+ - DISA-STIG-RHEL-08-010190
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - dir_perms_world_writable_sticky_bits
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ when:
+ - DISA_STIG_RHEL_08_010190 | bool
+ - dir_perms_world_writable_sticky_bits | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Create List of World Writable Directories Without
+ Sticky Bit
+ ansible.builtin.set_fact:
+ world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list }}'
+ loop: '{{ result_found_dirs.results }}'
+ tags:
+ - CCE-80783-4
+ - DISA-STIG-RHEL-08-010190
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - dir_perms_world_writable_sticky_bits
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ when:
+ - DISA_STIG_RHEL_08_010190 | bool
+ - dir_perms_world_writable_sticky_bits | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - restrict_strategy | bool
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Ensure Sticky Bit is Set on Local World Writable
+ Directories
+ ansible.builtin.file:
 path: '{{ item }}'
 mode: a+t
- with_items:
- - '{{ dir_output.stdout_lines }}'
+ loop: '{{ world_writable_dirs }}'
 tags:
 - CCE-80783-4
 - DISA-STIG-RHEL-08-010190
@@ -35850,18 +36291,19 @@
 - configure_strategy | bool
 - high_disruption | bool
 - low_complexity | bool
+ - medium_severity | bool
 - mount_option_var_nosuid | bool
 - no_reboot_needed | bool
- - unknown_severity | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 tags:
 - CCE-83383-0
 - configure_strategy
 - high_disruption
 - low_complexity
+ - medium_severity
 - mount_option_var_nosuid
 - no_reboot_needed
- - unknown_severity
 - name: 'Add nosuid Option to /var: Create mount_info dictionary variable'
 set_fact:
@@ -35873,10 +36315,11 @@
 - configure_strategy | bool
 - high_disruption | bool
 - low_complexity | bool
+ - medium_severity | bool
 - mount_option_var_nosuid | bool
 - no_reboot_needed | bool
- - unknown_severity | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 - device_name.stdout is defined and device_name.stdout_lines is defined
 - (device_name.stdout | length > 0)
 tags:
@@ -35884,9 +36327,9 @@
 - configure_strategy
 - high_disruption
 - low_complexity
+ - medium_severity
 - mount_option_var_nosuid
 - no_reboot_needed
- - unknown_severity
 - name: 'Add nosuid Option to /var: If /var not mounted, craft mount_info manually'
 set_fact:
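Review bot: `cmd: find {{ item }} -xdev -type d ( -perm -0002 -a ! -perm -1000 )` hands each search path to the `command` module unquoted, and `cmd` is split on whitespace, so a mount point or top-level directory whose name contains a space becomes two `find` arguments and the task either fails or searches the wrong tree; `cmd: find {{ item | quote }} -xdev -type d ( -perm -0002 -a ! -perm -1000 )` keeps each path as one argument. The old shell pipeline also sent `find` errors to `/dev/null`, whereas the new task has no `failed_when`, so a path that disappears between the `ansible_mounts` snapshot and the search (a transient mount, say) now aborts the whole loop; if that is not wanted, `failed_when: result_found_dirs.rc not in [0, 1]` tolerates find's "some paths unreadable" exit while still catching real failures. The hunk starts on an earlier line, and the enclosing rule's tasks continue past it.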
@@ -35904,10 +36347,11 @@
 - configure_strategy | bool
 - high_disruption | bool
 - low_complexity | bool
+ - medium_severity | bool
 - mount_option_var_nosuid | bool
 - no_reboot_needed | bool
- - unknown_severity | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 - ("--fstab" | length == 0)
 - (device_name.stdout | length == 0)
 tags:
@@ -35915,9 +36359,9 @@
 - configure_strategy
 - high_disruption
 - low_complexity
+ - medium_severity
 - mount_option_var_nosuid
 - no_reboot_needed
- - unknown_severity
 - name: 'Add nosuid Option to /var: Make sure nosuid option is part of the to /var options'
 set_fact:
@@ -35926,19 +36370,20 @@
 - configure_strategy | bool
 - high_disruption | bool
 - low_complexity | bool
+ - medium_severity | bool
 - mount_option_var_nosuid | bool
 - no_reboot_needed | bool
- - unknown_severity | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 - mount_info is defined and "nosuid" not in mount_info.options
 tags:
 - CCE-83383-0
 - configure_strategy
 - high_disruption
 - low_complexity
+ - medium_severity
 - mount_option_var_nosuid
 - no_reboot_needed
- - unknown_severity
 - name: 'Add nosuid Option to /var: Ensure /var is mounted with nosuid option'
 mount:
@@ -35951,19 +36396,20 @@
 - configure_strategy | bool
 - high_disruption | bool
 - low_complexity | bool
+ - medium_severity | bool
 - mount_option_var_nosuid | bool
 - no_reboot_needed | bool
- - unknown_severity | bool
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var" in ansible_mounts |
+ map(attribute="mount") | list )
 - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
 tags:
 - CCE-83383-0
 - configure_strategy
 - high_disruption
 - low_complexity
+ - medium_severity
 - mount_option_var_nosuid
 - no_reboot_needed
- - unknown_severity
 - name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint'
 command: findmnt --fstab '/var/tmp'
@@ -36883,7 +37329,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/selinux/config
- create: false
+ create: true
 regexp: ^SELINUX=
 state: absent
 check_mode: true
@@ -36892,7 +37338,7 @@
 - name: Deduplicate values from /etc/selinux/config
 lineinfile:
 path: /etc/selinux/config
- create: false
+ create: true
 regexp: ^SELINUX=
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -36925,7 +37371,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/selinux/config
- create: false
+ create: true
 regexp: ^SELINUXTYPE=
 state: absent
 check_mode: true
@@ -36934,7 +37380,7 @@
 - name: Deduplicate values from /etc/selinux/config
 lineinfile:
 path: /etc/selinux/config
- create: false
+ create: true
 regexp: ^SELINUXTYPE=
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -36975,7 +37421,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/selinux/config
- create: false
+ create: true
 regexp: ^SELINUX=
 state: absent
 check_mode: true
@@ -36984,7 +37430,7 @@
 - name: Deduplicate values from /etc/selinux/config
 lineinfile:
 path: /etc/selinux/config
- create: false
+ create: true
 regexp: ^SELINUX=
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -37431,11 +37877,12 @@
 - medium_severity
 - no_reboot_needed
-- name: Set permissions for /etc/cron.d/
- file:
- path: /etc/cron.d/
- state: directory
- mode: u-s,g-xwrs,o-xwrt
+- name: Find /etc/cron.d/ file(s)
+ command: 'find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d '
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
 when:
 - configure_strategy | bool
 - file_permissions_cron_d | bool
@@ -37456,11 +37903,39 @@
 - medium_severity
 - no_reboot_needed
-- name: Set permissions for /etc/cron.daily/
+- name: Set permissions for /etc/cron.d/ file(s)
 file:
- path: /etc/cron.daily/
- state: directory
+ path: '{{ item }}'
 mode: u-s,g-xwrs,o-xwrt
+ state: directory
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - configure_strategy | bool
+ - file_permissions_cron_d | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82277-5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_permissions_cron_d
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /etc/cron.daily/ file(s)
+ command: 'find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d '
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
 when:
 - configure_strategy | bool
 - file_permissions_cron_daily | bool
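Review bot: The new task names say `file(s)` but every `find` here carries `-type d`, so at `-maxdepth 1` only `/etc/cron.d/` itself (and any subdirectory) can be matched — which is consistent with the directory-mode task it replaces, but the name now misleads; `- name: Find /etc/cron.d/ directories with excess permission bits` would match what the command does. The `/` prefix in `-perm /u+s,g+xwrs,o+xwrt` (any listed bit set) is what keeps the follow-up `file` task idempotent, and that deserves a comment on the command line, e.g. `# -perm / = match if any of these bits is set; directories already stripped are not revisited`. All five Find tasks register the same `files_found` variable, so each "Set permissions" task silently depends on its own Find having run immediately before it; the Find tasks' `when:` lists continue outside the hunks, so I cannot confirm they gate identically. The same pattern repeats at -37481, -37506 and -37531 on the following lines.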
@@ -37481,11 +37956,39 @@
 - medium_severity
 - no_reboot_needed
-- name: Set permissions for /etc/cron.hourly/
+- name: Set permissions for /etc/cron.daily/ file(s)
 file:
- path: /etc/cron.hourly/
- state: directory
+ path: '{{ item }}'
 mode: u-s,g-xwrs,o-xwrt
+ state: directory
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - configure_strategy | bool
+ - file_permissions_cron_daily | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82240-3
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_permissions_cron_daily
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /etc/cron.hourly/ file(s)
+ command: 'find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d '
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
 when:
 - configure_strategy | bool
 - file_permissions_cron_hourly | bool
@@ -37506,11 +38009,39 @@
 - medium_severity
 - no_reboot_needed
-- name: Set permissions for /etc/cron.monthly/
+- name: Set permissions for /etc/cron.hourly/ file(s)
 file:
- path: /etc/cron.monthly/
- state: directory
+ path: '{{ item }}'
 mode: u-s,g-xwrs,o-xwrt
+ state: directory
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - configure_strategy | bool
+ - file_permissions_cron_hourly | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82230-4
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_permissions_cron_hourly
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /etc/cron.monthly/ file(s)
+ command: 'find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d '
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
 when:
 - configure_strategy | bool
 - file_permissions_cron_monthly | bool
@@ -37531,11 +38062,66 @@
 - medium_severity
 - no_reboot_needed
-- name: Set permissions for /etc/cron.weekly/
+- name: Set permissions for /etc/cron.monthly/ file(s)
 file:
- path: /etc/cron.weekly/
+ path: '{{ item }}'
+ mode: u-s,g-xwrs,o-xwrt
 state: directory
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - configure_strategy | bool
+ - file_permissions_cron_monthly | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82263-5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_permissions_cron_monthly
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /etc/cron.weekly/ file(s)
+ command: 'find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d '
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ when:
+ - configure_strategy | bool
+ - file_permissions_cron_weekly | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - medium_severity | bool
+ - no_reboot_needed | bool
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82253-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_permissions_cron_weekly
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /etc/cron.weekly/ file(s)
+ file:
+ path: '{{ item }}'
 mode: u-s,g-xwrs,o-xwrt
+ state: directory
+ with_items:
+ - '{{ files_found.stdout_lines }}'
 when:
 - configure_strategy | bool
 - file_permissions_cron_weekly | bool
@@ -38552,6 +39138,28 @@
 - package_rsh_removed | bool
 - unknown_severity | bool
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-80842-8
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - no_rsh_trust_files
+ - restrict_strategy
+ when:
+ - high_severity | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - no_reboot_needed | bool
+ - no_rsh_trust_files | bool
+ - restrict_strategy | bool
 - name: Detect .rhosts files in users home directories
 find:
 paths:
@@ -38563,6 +39171,14 @@
 file_type: file
 check_mode: false
 register: rhosts_locations
+ when:
+ - high_severity | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - no_reboot_needed | bool
+ - no_rsh_trust_files | bool
+ - restrict_strategy | bool
+ - '"rsh-server" in ansible_facts.packages'
 tags:
 - CCE-80842-8
 - NIST-800-53-CM-6(a)
@@ -38574,13 +39190,6 @@
 - no_reboot_needed
 - no_rsh_trust_files
 - restrict_strategy
- when:
- - high_severity | bool
- - low_complexity | bool
- - low_disruption | bool
- - no_reboot_needed | bool
- - no_rsh_trust_files | bool
- - restrict_strategy | bool
 - name: Remove .rhosts files
 file:
@@ -38594,6 +39203,7 @@
 - no_reboot_needed | bool
 - no_rsh_trust_files | bool
 - restrict_strategy | bool
+ - '"rsh-server" in ansible_facts.packages'
 - rhosts_locations is success
 tags:
 - CCE-80842-8
@@ -38611,6 +39221,14 @@
 file:
 path: /etc/hosts.equiv
 state: absent
+ when:
+ - high_severity | bool
+ - low_complexity | bool
+ - low_disruption | bool
+ - no_reboot_needed | bool
+ - no_rsh_trust_files | bool
+ - restrict_strategy | bool
+ - '"rsh-server" in ansible_facts.packages'
 tags:
 - CCE-80842-8
 - NIST-800-53-CM-6(a)
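Review bot: Gating the `.rhosts` detection and removal (-38563, -38594) and the `/etc/hosts.equiv` removal (-38611) on `"rsh-server" in ansible_facts.packages` narrows what this rule remediates: these trust files are also read by sshd when `HostbasedAuthentication` is enabled or `IgnoreRhosts` is turned off, so a host without rsh-server now keeps any trust files it already has, where the previous version removed them unconditionally. If leaving them in place on such hosts is intended, say so on the first gated task, e.g. `# trust files are only removed where rsh-server is installed; sshd's IgnoreRhosts/HostbasedAuthentication settings are handled by their own rules`; otherwise the unconditional removal was harmless and the extra condition can be dropped. The `package_facts` task is added without that condition, which is correct since it has to run before the check. The `when:` removals on the next line (-38622) belong to the same change.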
@@ -38622,13 +39240,6 @@
 - no_reboot_needed
 - no_rsh_trust_files
 - restrict_strategy
- when:
- - high_severity | bool
- - low_complexity | bool
- - low_disruption | bool
- - no_reboot_needed | bool
- - no_rsh_trust_files | bool
- - restrict_strategy | bool
 - name: Ensure talk is removed
 package:
@@ -39367,7 +39978,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*ClientAliveCountMax\s+
 state: absent
 check_mode: true
@@ -39376,7 +39987,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*ClientAliveCountMax\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39387,7 +39998,7 @@
 regexp: (?i)^\s*ClientAliveCountMax\s+
 line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - DISA_STIG_RHEL_08_010200 | bool
@@ -39422,7 +40033,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*ClientAliveInterval\s+
 state: absent
 check_mode: true
@@ -39431,7 +40042,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*ClientAliveInterval\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39442,7 +40053,7 @@
 regexp: (?i)^\s*ClientAliveInterval\s+
 line: ClientAliveInterval {{ sshd_idle_timeout_value }}
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - DISA_STIG_RHEL_08_010201 | bool
@@ -39480,7 +40091,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*HostbasedAuthentication\s+
 state: absent
 check_mode: true
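Review bot: `insertbefore: BOF` at -39387 only takes effect when `regexp` matches nothing, so a single pre-existing `ClientAliveCountMax` line that sits inside a `Match` block (the dedup task at -39376 clears the file only when `dupes.found > 1`) is still rewritten in place inside that block and the global value stays at sshd's default; the old `^[#\s]*Match` anchor had the same gap, so this is inherited rather than introduced, but the BOF change does not close it. Since sshd keeps the first value it reads for a keyword, BOF placement does make the directive take precedence over any later `Match` block or `Include` drop-in, and that rationale belongs on the task: `# BOF: sshd uses the first occurrence of a keyword, so this precedes Match blocks and Include'd drop-ins`. The same change is made at -39442 here and in the corresponding hunks on the following lines through -40051. The enclosing lineinfile tasks start outside each hunk.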
@@ -39489,7 +40100,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*HostbasedAuthentication\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39500,7 +40111,7 @@
 regexp: (?i)^\s*HostbasedAuthentication\s+
 line: HostbasedAuthentication no
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - disable_host_auth | bool
@@ -39532,7 +40143,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*PermitEmptyPasswords\s+
 state: absent
 check_mode: true
@@ -39541,7 +40152,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*PermitEmptyPasswords\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39552,7 +40163,7 @@
 regexp: (?i)^\s*PermitEmptyPasswords\s+
 line: PermitEmptyPasswords no
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - DISA_STIG_RHEL_08_020330 | bool
@@ -39587,7 +40198,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*IgnoreRhosts\s+
 state: absent
 check_mode: true
@@ -39596,7 +40207,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*IgnoreRhosts\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39607,7 +40218,7 @@
 regexp: (?i)^\s*IgnoreRhosts\s+
 line: IgnoreRhosts yes
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - low_complexity | bool
@@ -39638,7 +40249,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*PermitRootLogin\s+
 state: absent
 check_mode: true
@@ -39647,7 +40258,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*PermitRootLogin\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39658,7 +40269,7 @@
 regexp: (?i)^\s*PermitRootLogin\s+
 line: PermitRootLogin no
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - DISA_STIG_RHEL_08_010550 | bool
@@ -39696,7 +40307,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*AllowTcpForwarding\s+
 state: absent
 check_mode: true
@@ -39705,7 +40316,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*AllowTcpForwarding\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39716,7 +40327,7 @@
 regexp: (?i)^\s*AllowTcpForwarding\s+
 line: AllowTcpForwarding no
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - low_complexity | bool
@@ -39741,7 +40352,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*X11Forwarding\s+
 state: absent
 check_mode: true
@@ -39750,7 +40361,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*X11Forwarding\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39761,7 +40372,7 @@
 regexp: (?i)^\s*X11Forwarding\s+
 line: X11Forwarding no
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - DISA_STIG_RHEL_08_040340 | bool
@@ -39789,7 +40400,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*PermitUserEnvironment\s+
 state: absent
 check_mode: true
@@ -39798,7 +40409,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*PermitUserEnvironment\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39809,7 +40420,7 @@
 regexp: (?i)^\s*PermitUserEnvironment\s+
 line: PermitUserEnvironment no
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - DISA_STIG_RHEL_08_010830 | bool
@@ -39843,7 +40454,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*UsePAM\s+
 state: absent
 check_mode: true
@@ -39852,7 +40463,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*UsePAM\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39863,7 +40474,7 @@
 regexp: (?i)^\s*UsePAM\s+
 line: UsePAM yes
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - low_complexity | bool
@@ -39888,7 +40499,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*Banner\s+
 state: absent
 check_mode: true
@@ -39897,7 +40508,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*Banner\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39908,7 +40519,7 @@
 regexp: (?i)^\s*Banner\s+
 line: Banner /etc/issue.net
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - low_complexity | bool
@@ -39938,7 +40549,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*LoginGraceTime\s+
 state: absent
 check_mode: true
@@ -39947,7 +40558,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*LoginGraceTime\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -39958,7 +40569,7 @@
 regexp: (?i)^\s*LoginGraceTime\s+
 line: LoginGraceTime {{ var_sshd_set_login_grace_time }}
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - low_complexity | bool
@@ -39982,7 +40593,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*LogLevel\s+
 state: absent
 check_mode: true
@@ -39991,7 +40602,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*LogLevel\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -40002,7 +40613,7 @@
 regexp: (?i)^\s*LogLevel\s+
 line: LogLevel VERBOSE
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - low_complexity | bool
@@ -40031,7 +40642,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*MaxAuthTries\s+
 state: absent
 check_mode: true
@@ -40040,7 +40651,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*MaxAuthTries\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -40051,7 +40662,7 @@
 regexp: (?i)^\s*MaxAuthTries\s+
 line: MaxAuthTries {{ sshd_max_auth_tries_value }}
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - low_complexity | bool
@@ -40076,7 +40687,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*MaxSessions\s+
 state: absent
 check_mode: true
@@ -40085,7 +40696,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*MaxSessions\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -40096,7 +40707,7 @@
 regexp: (?i)^\s*MaxSessions\s+
 line: MaxSessions {{ var_sshd_max_sessions }}
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - configure_strategy | bool
@@ -40121,7 +40732,7 @@
 - name: Check for duplicate values
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*MaxStartups\s+
 state: absent
 check_mode: true
@@ -40130,7 +40741,7 @@
 - name: Deduplicate values from /etc/ssh/sshd_config
 lineinfile:
 path: /etc/ssh/sshd_config
- create: false
+ create: true
 regexp: (?i)^\s*MaxStartups\s+
 state: absent
 when: dupes.found is defined and dupes.found > 1
@@ -40141,7 +40752,7 @@
 regexp: (?i)^\s*MaxStartups\s+
 line: MaxStartups {{ var_sshd_set_maxstartups }}
 state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
 - low_complexity | bool
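Review bot: `line: MaxStartups {{ var_sshd_set_maxstartups }}` in the last hunk is templated from a variable defined outside this diff, and its value is a `start:rate:full` triple; Ansible loads vars through PyYAML with YAML 1.1 implicit typing, so an unquoted value whose colon-separated fields are all 59 or below (e.g. `10:30:50`) resolves to the sexagesimal integer 37850 rather than a string, and because `MaxStartups` also accepts a single integer, `sshd -t -f %s` accepts the rendered line and the limit is silently wrong. A value like the common `10:30:60` happens to escape the rule, which is why this tends to surface only when someone tunes the variable. Worth confirming the variable is declared quoted (`var_sshd_set_maxstartups: '10:30:60'`) or noting it next to the definition with `# keep quoted: YAML 1.1 parses a:b:c as a base-60 integer`. The task header (`name`, `lineinfile`, `path`, `create`) is above the hunk.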