
Merge pull request #283 from ansible-lockdown/may24_updates
May24 updates
uk-bolly authored May 30, 2024
2 parents 2309c49 + cbf87b9 commit 18e1cdc
Showing 2 changed files with 89 additions and 69 deletions.
149 changes: 84 additions & 65 deletions tasks/fix-cat2.yml
Expand Up @@ -192,42 +192,12 @@
- V-230226

- name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored."
block:
- name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings info"
ansible.builtin.shell: grep '*.info' /etc/rsyslog.conf
changed_when: false
failed_when: false
register: rhel_08_010070_info_set_rsyslog

- name: "MEDIUM | RHEL-08-010070 | AUDIT | All RHEL 8 remote access methods must be monitored. | check settings authpriv"
ansible.builtin.shell: grep 'authpriv.* /var/log/secure' /etc/rsyslog.conf
changed_when: false
failed_when: false
register: rhel_08_010070_authpriv_set_rsyslog

- name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings no info"
ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
regexp: ^(?!#).*\/var\/log\/secure
line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
create: true
mode: '0644'
when:
- rhel_08_010070_info_set_rsyslog.stdout == 0
- rhel_08_010070_authpriv_set_rsyslog.stdout > 0

- name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored. | Adjust settings if info set"
ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
backrefs: true
regexp: ^(?!#)(.*)(authpriv\.\*)(.*\/var\/log\/secure)
line: \1authpriv.*\2/var/log/secure
create: true
mode: '0644'
when:
- rhel_08_010070_info_set_rsyslog.stdout | length > 0
- rhel_08_010070_authpriv_set_rsyslog.stdout == 0

ansible.builtin.lineinfile:
path: /etc/rsyslog.conf
regexp: ^(?!#).*\/var\/log\/secure
line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
create: true
mode: '0644'
notify: restart rsyslog
when:
- rhel_08_010070
Expand Down Expand Up @@ -1260,7 +1230,9 @@
regexp: '^kernel.kexec_load_disabled = 0'
state: absent
loop: "{{ rhel_08_010372_conflicting_settings.stdout_lines }}"
when: rhel_08_010372_conflicting_settings.stdout | length > 0
when:
- rhel_08_010372_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file
when:
- rhel_08_010372
tags:
Expand All @@ -1286,7 +1258,9 @@
regexp: '^fs.protected_symlinks = 0'
state: absent
loop: "{{ rhel_08_010373_conflicting_settings.stdout_lines }}"
when: rhel_08_010373_conflicting_settings.stdout | length > 0
when:
- rhel_08_010373_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set sysctl"
ansible.posix.sysctl:
Expand Down Expand Up @@ -1321,7 +1295,9 @@
regexp: '^fs.protected_hardlinks = 0'
state: absent
loop: "{{ rhel_08_010374_conflicting_settings.stdout_lines }}"
when: rhel_08_010374_conflicting_settings.stdout | length > 0
when:
- rhel_08_010374_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks."
ansible.posix.sysctl:
Expand Down Expand Up @@ -1610,7 +1586,9 @@
regexp: "kernel.randomize_va_space = [^2]"
state: absent
loop: "{{ rhel_08_010430_conflicting_settings.stdout_lines }}"
when: rhel_08_010430_conflicting_settings.stdout | length > 0
when:
- rhel_08_010430_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -2263,7 +2241,9 @@
regexp: kernel.core_pattern\s*=\s*.*(?<!\|\/bin\/false)$
state: absent
loop: "{{ rhel_08_010671_conflicting_settings.stdout_lines }}"
when: rhel_08_010671_conflicting_settings.stdout | length > 0
when:
- rhel_08_010671_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
ansible.posix.sysctl:
Expand Down Expand Up @@ -6683,7 +6663,9 @@
regexp: net.ipv4.conf.default.accept_redirects = [^0]
state: absent
loop: "{{ rhel_08_040209_conflicting_settings.stdout_lines }}"
when: rhel_08_040209_conflicting_settings.stdout | length > 0
when:
- rhel_08_040209_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -6718,7 +6700,9 @@
regexp: net.ipv6.conf.default.accept_redirects = [^0]
state: absent
loop: "{{ rhel_08_040210_conflicting_settings.stdout_lines }}"
when: rhel_08_040210_conflicting_settings.stdout | length > 0
when:
- rhel_08_040210_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -6755,7 +6739,9 @@
regexp: net.ipv4.conf.all.send_redirects = [^0]
state: absent
loop: "{{ rhel_08_040220_conflicting_settings.stdout_lines }}"
when: rhel_08_040220_conflicting_settings.stdout | length > 0
when:
- rhel_08_040220_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file"
ansible.posix.sysctl:
Expand All @@ -6779,27 +6765,30 @@
- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
block:
- name: "MEDIUM | RHEL-08-040230 | AUDIT | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Find conflicting instances"
ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040230_conflicting_settings

- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Replace conflicting instances"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: net.ipv4.icmp_echo_ignore_broadcasts = [^1]
regexp: ^net.ipv4.icmp_echo_ignore_broadcasts.*
state: absent
loop: "{{ rhel_08_040230_conflicting_settings.stdout_lines }}"
when: rhel_08_040230_conflicting_settings.stdout | length > 0
when:
- rhel_08_040230_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file"
ansible.posix.sysctl:
name: net.ipv4.icmp_echo_ignore_broadcasts
value: 0
value: 1
state: present
reload: "{{ rhel8stig_sysctl_reload }}"
sysctl_set: true
sysctl_file: "{{ rhel8stig_sysctl_file }}"

when:
- rhel_08_040230
tags:
Expand All @@ -6825,7 +6814,9 @@
regexp: net.ipv4.conf.all.accept_source_route = [^0]
state: absent
loop: "{{ rhel_08_040239_conflicting_settings.stdout_lines }}"
when: rhel_08_040239_conflicting_settings.stdout | length > 0
when:
- rhel_08_040239_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -6896,7 +6887,9 @@
regexp: net.ipv4.conf.default.accept_source_route = [^0]
state: absent
loop: "{{ rhel_08_040249_conflicting_settings.stdout_lines }}"
when: rhel_08_040249_conflicting_settings.stdout | length > 0
when:
- rhel_08_040249_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -6967,7 +6960,9 @@
regexp: net.ipv4.conf.all.forwarding = [^0]
state: absent
loop: "{{ rhel_08_040259_conflicting_settings.stdout_lines }}"
when: rhel_08_040259_conflicting_settings.stdout | length > 0
when:
- rhel_08_040259_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7003,7 +6998,9 @@
regexp: net.ipv6.conf.all.forwarding = [^0]
state: absent
loop: "{{ rhel_08_040260_conflicting_settings.stdout_lines }}"
when: rhel_08_040260_conflicting_settings.stdout | length > 0
when:
- rhel_08_040260_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7040,7 +7037,9 @@
regexp: net.ipv6.conf.all.accept_ra = [^0]
state: absent
loop: "{{ rhel_08_040261_conflicting_settings.stdout_lines }}"
when: rhel_08_040261_conflicting_settings.stdout | length > 0
when:
- rhel_08_040261_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7077,7 +7076,9 @@
regexp: net.ipv6.conf.default.accept_ra = [^0]
state: absent
loop: "{{ rhel_08_040262_conflicting_settings.stdout_lines }}"
when: rhel_08_040262_conflicting_settings.stdout | length > 0
when:
- rhel_08_040262_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7114,7 +7115,9 @@
regexp: net.ipv4.conf.default.send_redirects = [^0]
state: absent
loop: "{{ rhel_08_040270_conflicting_settings.stdout_lines }}"
when: rhel_08_040270_conflicting_settings.stdout | length > 0
when:
- rhel_08_040270_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7149,7 +7152,9 @@
regexp: net.ipv4.conf.all.accept_redirects = [^0]
state: absent
loop: "{{ rhel_08_040279_conflicting_settings.stdout_lines }}"
when: rhel_08_040279_conflicting_settings.stdout | length > 0
when:
- rhel_08_040279_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7184,7 +7189,9 @@
regexp: net.ipv6.conf.all.accept_redirects = [^0]
state: absent
loop: "{{ rhel_08_040280_conflicting_settings.stdout_lines }}"
when: rhel_08_040280_conflicting_settings.stdout | length > 0
when:
- rhel_08_040280_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7220,7 +7227,9 @@
regexp: kernel.unprivileged_bpf_disabled = [^1]
state: absent
loop: "{{ rhel_08_040281_conflicting_settings.stdout_lines }}"
when: rhel_08_040281_conflicting_settings.stdout | length > 0
when:
- rhel_08_040281_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file"
ansible.posix.sysctl:
Expand All @@ -7244,18 +7253,20 @@
- name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes."
block:
- name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances"
ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
ansible.builtin.shell: grep -rs "kernel.yama.ptrace_scope\s*=\s*1" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
changed_when: false
failed_when: false
register: rhel_08_040282_conflicting_settings

- name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Replace conflicting instances"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: kernel.yama.ptrace_scope = [^1]
regexp: kernel.yama.ptrace_scope.*
state: absent
loop: "{{ rhel_08_040282_conflicting_settings.stdout_lines }}"
when: rhel_08_040282_conflicting_settings.stdout | length > 0
when:
- rhel_08_040282_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7290,7 +7301,9 @@
regexp: kernel.kptr_restrict = [^1]
state: absent
loop: "{{ rhel_08_040283_conflicting_settings.stdout_lines }}"
when: rhel_08_040283_conflicting_settings.stdout | length > 0
when:
- rhel_08_040283_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7325,7 +7338,9 @@
regexp: user.max_user_namespaces = [^0]
state: absent
loop: "{{ rhel_08_040284_conflicting_settings.stdout_lines }}"
when: rhel_08_040284_conflicting_settings.stdout | length > 0
when:
- rhel_08_040284_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7360,7 +7375,9 @@
regexp: net.ipv4.conf.all.rp_filter = [^1]
state: absent
loop: "{{ rhel_08_040285_conflicting_settings.stdout_lines }}"
when: rhel_08_040285_conflicting_settings.stdout | length > 0
when:
- rhel_08_040285_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file"
ansible.posix.sysctl:
Expand Down Expand Up @@ -7395,7 +7412,9 @@
regexp: net.core.bpf_jit_harden = [^2]
state: absent
loop: "{{ rhel_08_040286_conflicting_settings.stdout_lines }}"
when: rhel_08_040286_conflicting_settings.stdout | length > 0
when:
- rhel_08_040286_conflicting_settings.stdout | length > 0
- item != rhel8stig_sysctl_file

- name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file"
ansible.posix.sysctl:
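Review bot: The new grep in the RHEL-08-040282 "Find conflicting instances" task matches `kernel.yama.ptrace_scope\s*=\s*1`, i.e. the value the control requires, so files that already hold the compliant setting are reported as conflicts and the follow-up lineinfile (regexp `kernel.yama.ptrace_scope.*`, state absent) strips them, while a file setting `0` is never found; the pattern it replaces, `[^1]`, had the opposite sense. The sibling RHEL-08-040230 hunk does this the right way round by searching for the non-compliant value (`\s*=\s*0`) and anchoring the removal regexp with `^`. Suggested for 040282: `grep -rs "kernel.yama.ptrace_scope\s*=\s*[^1]"` with the existing path list, and `regexp: ^kernel.yama.ptrace_scope.*`, the anchor also keeping commented-out lines from being deleted. The `item != rhel8stig_sysctl_file` guard added across the sysctl hunks relies on exact string equality with the path printed by grep, so it presumably only holds when rhel8stig_sysctl_file is spelled in the same form as the globbed paths — worth confirming. The enclosing block for each of these tasks continues outside the hunk.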
9 changes: 5 additions & 4 deletions templates/ansible_vars_goss.yml.j2
Expand Up @@ -2,7 +2,7 @@
## metadata for Audit benchmark
benchmark_version: {{ benchmark_version }}

rhel8stig_os_distribution: {{ ansible_distribution | lower }}
rhel8stig_os_distribution: {{ ansible_facts['distribution'] | lower }}

gpg_keys:
{% for info in gpg_keys %}
Expand All @@ -11,8 +11,9 @@ gpg_keys:
{% endfor %}
rpm_gpg_key: {{ rpm_gpg_key }}

rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %}
rhel8stig_os_version_pre_8_2: {% if ansible_facts['distribution_version'] is version('8.1', '<=') %}true{% else %}false{% endif %}

OS_ver: {{ ansible_facts['distribution_version'] }}

# Some tests may need to scan every filesystem or have an impact on a system
# these may need be scheduled to minimise impact also ability to set a timeout if taking too long
Expand Down Expand Up @@ -225,7 +226,7 @@ RHEL_08_020100: {{ rhel_08_020100 }}
RHEL_08_020101: {{ rhel_08_020101 }}
RHEL_08_020102: {{ rhel_08_020102 }}
RHEL_08_020103: {{ rhel_08_020103 }}
RHEL_08_020104: {{ rhel_08_020104 }}
RHEL_08_020104: {% if ansible_facts['distribution_version'] is version('8.4', '>=') %}true{% else %}false{% endif %} # Only runs if 8.4 or greater
RHEL_08_020110: {{ rhel_08_020110 }}
RHEL_08_020120: {{ rhel_08_020120 }}
RHEL_08_020130: {{ rhel_08_020130 }}
Expand Down Expand Up @@ -407,7 +408,7 @@ RHEL_08_010292: {{ rhel_08_010292 }}
RHEL_08_010375: {{ rhel_08_010375 }}
RHEL_08_010376: {{ rhel_08_010376 }}
RHEL_08_010440: {{ rhel_08_010440 }}
RHEL_08_010471: {{ rhel_08_010471 }}
RHEL_08_010471: {% if ansible_facts['distribution_version'] is version('8.4', '>=') %}false{% else %}true{% endif %} # Only runs if 8.3 or less
RHEL_08_010540: {{ rhel_08_010540 }}
RHEL_08_010541: {{ rhel_08_010541 }}
RHEL_08_010542: {{ rhel_08_010542 }}
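Review bot: The new `OS_ver: {{ ansible_facts['distribution_version'] }}` line renders an unquoted value such as `8.10`, which a YAML loader reads as the float `8.1`, so it should be `OS_ver: "{{ ansible_facts['distribution_version'] }}"` to keep it a string (the neighbouring `benchmark_version` line may have the same exposure but is not part of this change). The rewritten `RHEL_08_020104` and `RHEL_08_010471` lines now derive the audit flag from the OS version alone and no longer reference `rhel_08_020104` / `rhel_08_010471`, so a user who disables either control in the role would presumably still have it audited; if the role still honours those toggles, `{% if rhel_08_020104 and ansible_facts['distribution_version'] is version('8.4', '>=') %}` (and the mirror form for 010471) keeps the audit aligned with remediation. For `rhel8stig_os_version_pre_8_2`, `is version('8.2', '<')` states the intent directly and also classifies a hypothetical 8.1.x release correctly, where `is version('8.1', '<=')` would not.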
