Merge pull request #311 from ansible-lockdown/devel

Stigv1r14 release to main

.pre-commit-config.yaml

@@ -35,7 +35,7 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.21.1
+  rev: v8.21.2
   hooks:
   - id: gitleaks
 

Changelog.md

@@ -1,5 +1,36 @@
 # Changes to RHEL8STIG
 
+## 3.3 STIG V1R14
+
+- #232 - thanks to  @eday87 @BJSmithIEEE
+- #298 thanks to @mikefrompsu
+- #299 thanks to @cpu010100
+- thanks to @dglinder
+  - #301
+  - #302
+- ansible config update
+
+- Added gui discovery option
+updated ruleids
+
+- CAT I
+  - RHEL-08-020330 - cat1
+- CAT II
+  - RHEL-08-010040
+  - RHEL-08-010070
+  - RHEL-08-010200
+  - RHEL-08-010201
+  - RHEL-08-010423
+  - RHEL-08-010520
+  - RHEL-08-010521
+  - RHEL-08-010522
+  - RHEL-08-010550
+  - RHEL-08-010830
+  - RHEL-08-020350
+  - RHEL-08-040161
+  - RHEL-08-040340
+  - RHEL-08-040341
+
 ## 3.3 - STIG V1R13 - 24th Jan 2024
 
 - updated audit variables

README.md

@@ -2,7 +2,7 @@
 
 ## Configure a RHEL8 based system to be complaint with Disa STIG
 
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel 13 released on Jan 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 1, Rel 14 released on  24, April 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R14_STIG.zip).
 
 ---
 

ansible.cfg

@@ -18,7 +18,7 @@ record_host_keys=False
 
 [ssh_connection]
 transfer_method=scp
-ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
+ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ControlMaster=auto -o ControlPersist=60s
 
 [accelerate]
 

defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ## metadata for Audit benchmark
-benchmark_version: 'v1r13'
+benchmark_version: 'v1r14'
 
 ## Benchmark name used by audting control role
 # The audit variable found at the base
@@ -498,7 +498,7 @@ rhel_08_040300: true
 rhel_08_040310: true
 
 # Whether or not to run tasks related to auditing/patching the desktop environment
-rhel8stig_gui: false
+rhel8stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"
 
 # Whether or not you need kdump. False will disable service and true will leave service
 rhel8stig_kdump_needed: false

site.yml

@@ -1,7 +1,8 @@
 ---
-- hosts: all  # noqa: name[play]
+
+- name: Run RHEL8 STiG hardening
+  hosts: "{{ hosts | default('all') }}"
   become: true
 
   roles:
-
       - role: "{{ playbook_dir }}"

tasks/fix-cat1.yml

@@ -94,7 +94,7 @@
             - change_requires_reboot
 
       - name: "HIGH | RHEL-08-010020 | AUDIT | Verify boot kernel parameters in /etc/default/grub"
-        ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ rhel8stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub
+        ansible.builtin.shell: grep -P '^\s*GRUB_CMDLINE_LINUX=".*(?<=[" ])boot=UUID={{ prelim_rhel8stig_boot_uuid.stdout }}(?=[" ]).*"$' /etc/default/grub
         check_mode: false
         changed_when: false
         failed_when: rhel_08_010020_boot_kernel_set.rc not in [ 0, 1 ]
@@ -106,13 +106,13 @@
             regexp: "{{ rhel8stig_regexp_quoted_params }}"
             replace: "{{ rhel8stig_replace_quoted_params }}"
         vars:
-            query: "{{ rhel8stig_boot_part.stdout }}"
+            query: "{{ prelim_rhel8stig_boot_part.stdout }}"
             key: GRUB_CMDLINE_LINUX
             param: boot
-            value: UUID={{ rhel8stig_boot_uuid.stdout }}
+            value: UUID={{ prelim_rhel8stig_boot_uuid.stdout }}
             insert: true
         when:
-            - rhel8stig_boot_part.stdout not in ['/', '']
+            - prelim_rhel8stig_boot_part.stdout not in ['/', '']
             - rhel_08_010020_boot_kernel_set.stdout | length == 0
             - not ansible_check_mode or
               rhel_08_010020_default_grub_missing_audit is not changed
@@ -125,12 +125,12 @@
         check_mode: false
         with_items:
             - fips=1
-            - boot=UUID={{ rhel8stig_boot_uuid.stdout }}
+            - boot=UUID={{ prelim_rhel8stig_boot_uuid.stdout }}
         register: rhel_08_010020_audit
         when:
             - not ansible_check_mode or
               rhel_08_010020_default_grub_missing_audit is not changed
-            - "rhel8stig_boot_part.stdout not in ['/', ''] or
+            - "prelim_rhel8stig_boot_part.stdout not in ['/', ''] or
               'boot=' not in item"
         changed_when:
             - ansible_check_mode
@@ -345,7 +345,7 @@
       - CAT1
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-230380r858715_rule
+      - SV-230380r951612_rule
       - V-230380
       - disruption_high
 

tasks/fix-cat2.yml

@@ -139,7 +139,7 @@
             - RHEL-08-010060
             - CCI-000048
             - SRG-OS-000023-GPOS-00006
-            - SV-230225r858694_rule
+            - SV-230225r951590_rule
             - SV-230227r627750_rule
             - V-230225
             - V-230227
@@ -206,7 +206,7 @@
       - CAT2
       - CCI-000067
       - SRG-OS-000032-GPOS-00013
-      - SV-230228r627750_rule
+      - SV-230228r951592_rule
       - V-230228
       - rsyslog
 
@@ -541,7 +541,7 @@
       - CAT2
       - CCI-001133
       - SRG-OS-000163-GPOS-00072
-      - SV-230244r917867_rule
+      - SV-230244r951594_rule
       - V-230244
       - ssh
 
@@ -560,7 +560,7 @@
       - CAT2
       - CCI-001133
       - SRG-OS-000163-GPOS-00072
-      - SV-244525r917886_rule
+      - SV-244525r951596_rule
       - V-244525
       - ssh
 
@@ -1390,16 +1390,17 @@
       - multifactor
 
 - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication."
-  ansible.builtin.lineinfile:
+  community.general.ini_file:
       path: '{{ rhel8stig_sssd_conf }}'
-      regexp: '^certificate_verification = {{ item.regexp }}'
       state: "{{ item.state }}"
-      line: "{{ item.line | default(omit) }}"
+      section: "{{ item.section | default(omit) }}"
+      option: "certificate_verification"
+      value: "{{ item.value }}"
   with_items:
-      - { regexp: 'no_ocsp, no_verification', state: absent }
-      - { regexp: 'no_ocsp', state: absent }
-      - { regexp: 'no_verification', state: absent }
-      - { regexp: 'ocsp_dgst=sha1', state: present, line: 'certificate_verification = ocsp_dgst=sha1' }
+      - { value: 'no_ocsp, no_verification', state: absent }
+      - { value: 'no_ocsp', state: absent }
+      - { value: 'no_verification', state: absent }
+      - { value: 'ocsp_dgst=sha1', state: present, section: "sssd" }
   notify: restart sssd
   when:
       - rhel_08_010400
@@ -1568,7 +1569,7 @@
       - CAT2
       - CCI-001084
       - SRG-OS-000134-GPOS-00068
-      - SV-230279r792888_rule
+      - SV-230279r951598_rule
       - V-230279
       - grub
 
@@ -1699,7 +1700,7 @@
       - CAT2
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-230290r858705_rule
+      - SV-230290r951602_rule
       - V-230290
       - ssh
 
@@ -1718,7 +1719,7 @@
       - CAT2
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-230291r858707_rule
+      - SV-230291r952105_rule
       - V-230291
       - ssh
 
@@ -1736,7 +1737,7 @@
       - CAT2
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-244528r858709_rule
+      - SV-244528r952106_rule
       - V-244528
       - ssh
 
@@ -1794,7 +1795,7 @@
       - CAT2
       - CCI-000770
       - SRG-OS-000109-GPOS-00056
-      - SV-230296r858711_rule
+      - SV-230296r951608_rule
       - V-230296
       - ssh
 
@@ -2735,7 +2736,7 @@
       - CAT2
       - CCI-000366
       - SRG-OS-000480-GPOS-00229
-      - SV-230330r858713_rule
+      - SV-230330r951610_rule
       - V-230330
       - ssh
       - disruption_high
@@ -3334,11 +3335,9 @@
       path: /etc/profile.d/tmux.sh
       marker: "# <!-- {mark} ANSIBLE LOCKDOWN RHEL-08-020041 MANAGED BLOCK -->"
       block: |
-          if [ "$PS1" ]; then
-          parent=$(ps -o ppid= -p $$)
-          name=$(ps -o comm= -p $parent)
-          case "$name" in (sshd|login) exec tmux ;; esac
-          fi
+          ### Updated to recognize other session control per Red Hat Case 03115293
+          [ $( /bin/id -u ) -eq 0 ] && [ x$TMUX = x ] && exec tmux
+          [[ $( /bin/tty ) =~ '/dev/tty' ]] && [ -n "$PS1" -a -z "$TMUX" ] && exec tmux
       create: true
   when:
       - rhel_08_020041
@@ -4303,7 +4302,7 @@
       - CAT2
       - CCI-000052
       - SRG-OS-000480-GPOS-00227
-      - SV-230382r858717_rule
+      - SV-230382r951614_rule
       - V-230382
       - ssh
 
@@ -6593,8 +6592,8 @@
       - RHEL-08-040161
       - CAT2
       - CCI-000068
-      - RG-OS-000033-GPOS-00014
-      - SV-230527r858719_rule
+      - SRG-OS-000033-GPOS-00014
+      - SV-230527r951616_rule
       - V-230527
       - ssh
 
@@ -7221,7 +7220,7 @@
 - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes."
   block:
       - name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances"
-        ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope\s*=\s*1" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
+        ansible.builtin.shell: grep -Ers "kernel.yama.ptrace_scope\s*=\s*.*" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
         changed_when: false
         failed_when: false
         register: rhel_08_040282_conflicting_settings
@@ -7495,7 +7494,7 @@
       - CAT2
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-230555r858721_rule
+      - V-230555r951618_rule
       - V-230555
       - ssh
 
@@ -7513,7 +7512,8 @@
       - CAT2
       - CCI-000366
       - SRG-OS-000480-GPOS-00227
-      - SV-230556r858723_rule
+      - SV-230556r951620_rule
+      - V-230556
       - ssh
 
 - name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs"

tasks/prelim.yml

@@ -97,27 +97,30 @@
   tags:
       - run_audit
 
-- name: "PRELIM | RHEL-08-010020"
-  block:
-      - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions"
-        ansible.builtin.shell: df --output=target /boot | tail -n 1
-        changed_when: false
-        check_mode: false
-        register: rhel8stig_boot_part
+- name: "PRELIM | Find boot partition"
+  ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then echo "/boot/efi" ; else echo "/boot"; fi
+  changed_when: false
+  check_mode: false
+  register: prelim_rhel8stig_boot_part
+  tags:
+      - always
 
-      - name: "PRELIM | RHEL-08-010020 | Check if /boot or /boot/efi reside on separate partitions | get UUID"
-        ansible.builtin.shell: lsblk -f | grep -E "{{ rhel8stig_boot_part.stdout }}$" | awk '{ print $3 }'
-        changed_when: false
-        check_mode: false
-        register: rhel8stig_boot_uuid
+- name: "PRELIM | Find boot partition UUID"
+  ansible.builtin.shell: if [ -d /sys/firmware/efi ]; then lsblk -l -o +UUID | grep -i efi | awk '{print $NF}'; else lsblk -l -o +UUID | grep -w '/boot' | grep -v efi | awk '{print $NF}'; fi
+  changed_when: false
+  check_mode: false
+  register: prelim_rhel8stig_boot_uuid
+  when:
+      - rhel_08_010020
+  tags:
+      - always
 
-      - name: "PRELIM | RHEL-08-010020 | Crypto-policies-scripts package for FIPS"
-        ansible.builtin.package:
-            name: crypto-policies-scripts
-            state: present
-        when:
-            - "'crypto-policies-scripts' not in ansible_facts.packages"
+- name: "PRELIM | RHEL-08-010020 | Crypto-policies-scripts package for FIPS"
+  ansible.builtin.package:
+      name: crypto-policies-scripts
+      state: present
   when:
+      - "'crypto-policies-scripts' not in ansible_facts.packages"
       - rhel_08_010020
   tags:
       - RHEL-08-010020
@@ -143,6 +146,13 @@
       - RHEL-08-010140
       - RHEL-08-010150
 
+- name: "PRELIM | Discover Gnome Desktop Environment"
+  tags:
+      - always
+  ansible.builtin.stat:
+      path: /usr/share/gnome/gnome-version.xml
+  register: prelim_gnome_present
+
 - name: "PRELIM | dconf"
   block:
       - name: "PRELIM | Install dconf"
@@ -349,7 +359,7 @@
             path: "{{ rhel8stig_aide_db_file }}"
         register: rhel8stig_aide_db_status
         check_mode: false
-        changed_when: not rhel8stig_aide_db_status.stat.exists
+        changed_when: false
         notify: "{{ rhel8stig_aide_handler }}"
   when:
       - not system_is_container