ansible-lockdown · uk-bolly · Apr 30, 2024 · Oct 25, 2023 · Oct 25, 2023 · Oct 25, 2023
diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.5.0
+  rev: v4.6.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -33,17 +33,14 @@ repos:
   rev: v1.4.0
   hooks:
   - id: detect-secrets
-    args: [ '--baseline', '.config/.secrets.baseline' ]
-    exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
   rev: v8.18.2
   hooks:
   - id: gitleaks
-    args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.2.0
+  rev: v24.2.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint

diff --git a/Changelog.md b/Changelog.md
@@ -1,7 +1,25 @@
 # Changes to RHEL8STIG
 
+## 3.1 - STIG V1R12 - 25th Oct 2023
+
+ruleid updated
+
+- 010020
+- 010471
+- 030741
+- 030742
+- 040400
+
+- added SSH validation
+- added ansible_facts for variable usage
+
+- AUDIT
+  - Audit_only ability now added to run standalone audit
+    - audit_only: true
+  - Related Audit repo updated to improve tests audit binary(goss updated to latest version)
+
 ## 3.0.3 - Stig V1R11 - 26th July 2023
-q
+
 - updates to collections since galaxy updated
 - updates to audit
 

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 ## Configure a RHEL8 based system to be complaint with Disa STIG
 
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R11_STIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 1, Rel 12 released on Oct 25, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R12_STIG.zip).
 
 ---
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 ## metadata for Audit benchmark
-benchmark_version: 'v1r11'
+benchmark_version: 'v1r12'
 
 ## Benchmark name used by audting control role
 # The audit variable found at the base
@@ -56,24 +56,46 @@ rhel8stig_skip_reboot: true
 # Defined will change if control requires
 change_requires_reboot: false
 
-### Goss is required on the remote host
+##########################################
+### Goss is required on the remote host ###
+## Refer to vars/auditd.yml for any other settings ##
+
+# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
+
+# enable audits to run - this runs the audit and get the latest content
+run_audit: false
+
+# Only run Audit do not remediate
+audit_only: false
+# As part of audit_only
+# This will enable files to be copied back to control node
+fetch_audit_files: false
+# Path to copy the files to will create dir structure
+audit_capture_files_dir: /some/location to copy to on control node
+
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
 # you will need to access to either github or the file already dowmloaded
 get_audit_binary_method: download
 
+## if get_audit_binary_method - copy the following needs to be updated for your environment
+## it is expected that it will be copied from somewhere accessible to the control node
+## e.g copy from ansible control node to remote host
+audit_bin_copy_location: /some/accessible/path
+
 # how to get audit files onto host options
 # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# enable audits to run - this  runs the audit and get the latest content
-run_audit: false
+# archive or copy:
+audit_conf_copy: "some path to copy from"
+
+# get_url:
+audit_files_url: "some url maybe s3?"
 
 # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
 audit_run_heavy_tests: true
-# Timeout for those cmds that take longer to run where timeout set
-audit_cmd_timeout: 60000
 
 ### End Goss enablements ####
 #### Detailed settings found at the end of this document ####
@@ -856,20 +878,26 @@ rhel8stig_ntp_server_name: 0.us.pool.ntp.mil
 # rhel8stig_fapolicy_white_list is the whitelist for fapolicyd, the last item in the list must be dyny all all
 rhel8stig_fapolicy_white_list:
     - 'deny_audit perm=any pattern=ld_so : all'
-    - deny all all
+    - 'deny perm=any all : all'
 
 # RHEL-08-040090
 # rhel8stig_custom_firewall_zone is the desired name for the new customer firewall zone
 rhel8stig_custom_firewall_zone: "new_fw_zone"
 
+# rhel8stig_copy_existing_zone - if you wish to copy an existing zones rules to the new zone
+rhel8stig_copy_existing_zone: true
+# rhel8stig_existing_zone_to_copy - name of the zone that you wish to copy from
+rhel8stig_existing_zone_to_copy: public
+
 # RHEL-08-040090
-# rhel8stig_white_list_services is the services that you want to allow through initially for teh new firewall zone
+# This designed not work with rhel8stig_existing_zone_to_copy and when deploy new rules
+# rhel8stig_white_list_services is the services that you want to allow through initially for the new firewall zone
 # http and ssh need to be enabled for the role to run.
 # This can also be a port number if no service exists
 rhel8stig_white_list_services:
+    - ssh
     - http
     - https
-    - ssh
 
 # RHEL-08-010290
 # RHEL-08-010290
@@ -900,55 +928,3 @@ rhel8stig_tmux_lock_after_time: 900
 # The value given to Defaults timestamp timeout= in the sudo file.
 # Value must be greater than 0 to conform to STIG standards
 rhel8stig_sudo_timestamp_timeout: 1
-
-#### Goss Configuration Settings ####
-# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_run_script_environment:
-    AUDIT_BIN: "{{ audit_bin }}"
-    AUDIT_FILE: 'goss.yml'
-    AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
-
-### Goss binary settings ###
-audit_bin_version:
-    release: v0.3.23
-    checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
-audit_bin_path: /usr/local/bin/
-audit_bin: "{{ audit_bin_path }}goss"
-audit_format: json
-
-# if get_audit_binary_method == download change accordingly
-audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64"
-
-## if get_audit_binary_method - copy the following needs to be updated for your environment
-## it is expected that it will be copied from somewhere accessible to the control node
-## e.g copy from ansible control node to remote host
-audit_bin_copy_location: /some/accessible/path
-
-#### Goss Audit Benchmark file ###
-## managed by the control audit_content
-# git
-audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_git_version: "benchmark_{{ benchmark_version }}_rh8"
-
-# archive or copy:
-audit_conf_copy: "some path to copy from"
-
-# get_url:
-audit_files_url: "some url maybe s3?"
-
-## Goss configuration information
-# Where the goss configs and outputs are stored
-audit_out_dir: '/opt'
-# Where the goss audit configuration will be stored
-audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit"
-
-# If changed these can affect other products
-pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-
-## The following should not need changing
-audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
-audit_results: |
-      The pre remediation results are: {{ pre_audit_summary }}.
-      The post remediation results are: {{ post_audit_summary }}.
-      Full breakdown can be found in {{ audit_out_dir }}
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,4 +1,9 @@
 ---
+
+- name: change_requires_reboot
+  ansible.builtin.set_fact:
+      change_requires_reboot: true
+
 - name: systemctl daemon-reload
   ansible.builtin.systemd:
       daemon_reload: true
@@ -16,6 +21,7 @@
   when:
       - not rhel8stig_system_is_chroot
       - "'openssh-server' in ansible_facts.packages"
+      - not change_requires_reboot
 
 - name: restart sssd
   ansible.builtin.service:
@@ -30,6 +36,7 @@
       state: restarted
   when:
       - not rhel8stig_system_is_chroot
+      - not change_requires_reboot
 
 - name: restart rsyslog
   ansible.builtin.service:
@@ -82,6 +89,7 @@
       - not rhel8stig_skip_for_travis
       - not rhel8stig_system_is_chroot
       - not system_is_container
+      - not change_requires_reboot
 
 - name: update auditd
   ansible.builtin.template:
@@ -98,6 +106,7 @@
       - not rhel8stig_skip_for_travis
       - not rhel8stig_system_is_chroot
       - not system_is_container
+      - not change_requires_reboot
 
 - name: rebuild initramfs
   ansible.builtin.shell: dracut -f
@@ -146,7 +155,3 @@
   ansible.builtin.debug:
       msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}"
   when: rhel8stig_oscap_scan
-
-- name: change_requires_reboot
-  ansible.builtin.set_fact:
-      change_requires_reboot: true