Add photon 4/5 updates (#200)
* Photon 4 V1R5 updates

* Photon 5 V1R3 updates
rlakey authored Jan 4, 2024
1 parent 8766bf6 commit 09437dd
Showing 87 changed files with 485 additions and 175 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,12 @@
# Change Log

## [4.0 Version 1 Release 5] (2024-01-04)

#### Release Notes
- PHTN-40-000047 removed bridge module from list to support container workloads
- PHTN-40-000231 updated task to not run if container host packages are installed
- PHTN-40-000247 new control to remove nullok from pam_unix.so module

## [4.0 Version 1 Release 4] (2023-08-08)

#### Release Notes
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# vmware-photon-4.0-stig-ansible-hardening
VMware Photon OS 4.0 STIG Readiness Guide Ansible Playbook
Version: Version 1 Release 4: 08 August 2023
Version: Version 1 Release 5: 04 January 2024
STIG Type: STIG Readiness Guide

## Requirements
Original file line number Diff line number Diff line change
@@ -215,3 +215,5 @@ run_kernel_fs_protected_hardlinks: true
run_systemd_tmp_mount: true
# PHTN-40-000246
run_kernel_fs_suid_dumpable: true
# PHTN-40-000247
run_pam_remove_nullok: true
Original file line number Diff line number Diff line change
@@ -172,14 +172,14 @@
ansible.builtin.lineinfile:
path: '{{ var_pam_faillock_conf_file }}'
state: present
regexp: '^#?\s*deny\s'
regexp: '^#?\s*deny.*$'
line: deny = {{ var_pam_faillock_deny }}

- name: PHTN-40-000004 - Configure faillock.conf fail_interval
ansible.builtin.lineinfile:
path: '{{ var_pam_faillock_conf_file }}'
state: present
regexp: '^#?\s*fail_interval\s'
regexp: '^#?\s*fail_interval.*$'
line: fail_interval = {{ var_pam_faillock_fail_interval }}

###################################################################################################################################
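Review bot: the `.*$` appended to the `deny` and `fail_interval` patterns is a no-op for `lineinfile`, whose `regexp` only chooses which line gets replaced by `line`; the effective change is dropping the trailing `\s`, so an existing `deny=3` (no whitespace around `=`) is now matched and rewritten instead of a second `deny = ...` line being appended. Spell that intent out with `regexp: '^#?\s*deny\s*='` and `regexp: '^#?\s*fail_interval\s*='`, which accept the no-space form without the open-ended tail. Unchanged by this patch but worth keeping in mind when reading the result: with `state: present`, `lineinfile` rewrites only the last matching line, so a file holding both a commented `# deny = 3` example and an active `deny = 5` keeps the comment and edits the active line.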
@@ -1082,7 +1082,7 @@
ansible.builtin.lineinfile:
path: '{{ var_pam_faillock_conf_file }}'
state: present
regexp: '^#?\s*unlock_time\s'
regexp: '^#?\s*unlock_time.*$'
line: unlock_time = {{ var_pam_faillock_unlock_time }}

###################################################################################################################################
@@ -1730,7 +1730,7 @@
ansible.builtin.lineinfile:
path: '{{ var_pam_faillock_conf_file }}'
state: present
regexp: '^#?\s*silent$'
regexp: '^#?\s*silent.*$'
line: silent

###################################################################################################################################
@@ -1742,7 +1742,7 @@
ansible.builtin.lineinfile:
path: '{{ var_pam_faillock_conf_file }}'
state: present
regexp: '^#?\s*audit$'
regexp: '^#?\s*audit.*$'
line: audit

###################################################################################################################################
@@ -1754,7 +1754,7 @@
ansible.builtin.lineinfile:
path: '{{ var_pam_faillock_conf_file }}'
state: present
regexp: '^#?\s*even_deny_root$'
regexp: '^#?\s*even_deny_root.*$'
line: even_deny_root

###################################################################################################################################
@@ -1766,7 +1766,7 @@
ansible.builtin.lineinfile:
path: '{{ var_pam_faillock_conf_file }}'
state: present
regexp: '^#?\s*dir$'
regexp: '^#?\s*dir.*$'
line: dir = {{ var_pam_faillock_dir }}

- name: PHTN-40-000196 - Create faillock dir
@@ -2423,11 +2423,22 @@
tags: [PHTN-40-000231]
when: run_kernel_net_ip_forward | bool
block:
- name: PHTN-40-000231 - Check to see if container host packages are installed
ansible.builtin.shell: |
set -o pipefail
rpm -qa | grep -E '(^docker-|^containerd|^kubernetes)'
register: cntrpkgsinstalled
changed_when: false
failed_when:
- cntrpkgsinstalled.rc == 2

- name: PHTN-40-000231 - Check to see if net.ipv4.ip_forward is set to 0
ansible.builtin.command: /sbin/sysctl net.ipv4.ip_forward
register: ipv4_ip_forward
failed_when: ipv4_ip_forward.rc == 2
changed_when: false
when:
- cntrpkgsinstalled.stdout == ""

- name: PHTN-40-000231 - Configure kernel parameter net.ipv4.ip_forward
ansible.posix.sysctl:
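Review bot: the container-host detection is a package regex hard-coded in the shell task (`^docker-`, `^containerd`, `^kubernetes`), while the InSpec profile updated in this same commit exposes a `containerHost` input for the same control; a host running a different runtime still has `net.ipv4.ip_forward` forced to 0 and the operator has no switch to declare it. Suggest moving the pattern into defaults next to `run_kernel_net_ip_forward` (for example a `var_container_host_packages` variable) or adding an explicit boolean, so playbook and profile can be configured the same way. Two smaller points: `set -o pipefail` is bash-only, so set `args: executable: /bin/bash` on the task rather than relying on the remote default shell; and `failed_when: cntrpkgsinstalled.rc == 2` only catches a grep error, whereas `rpm -qa` failing with exit 1 under `pipefail` is indistinguishable from "no match", so the play would go on to harden a host it could not inspect. Also failing when `cntrpkgsinstalled.stderr` is non-empty closes that gap.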
@@ -2437,7 +2448,10 @@
sysctl_file: '{{ var_sysctl_conf_file }}'
sysctl_set: true
reload: true
when: ipv4_ip_forward.stdout != "net.ipv4.ip_forward = 0"
when:
- ipv4_ip_forward.stdout is defined
- ipv4_ip_forward.stdout != "net.ipv4.ip_forward = 0"
- cntrpkgsinstalled.stdout == ""

###################################################################################################################################
- name: PHTN-40-000232 - Configure kernel parameter net_tcp_timestamps
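Review bot: `ipv4_ip_forward.stdout is defined` is the right guard, because a task skipped by its `when` still registers a result, just without `stdout`; the third condition `cntrpkgsinstalled.stdout == ""` is then redundant, since the sysctl check only runs (and so only defines `stdout`) when that string is empty. Drop it, or if it is meant as a belt-and-braces guard, list it first so the intent reads top-down.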
@@ -2709,6 +2723,23 @@
reload: true
when: fs_suid_dumpable.stdout != "fs.suid_dumpable = 0"

###################################################################################################################################
- name: PHTN-40-000247 - Remove nullok from pam_unix.so module
tags: [PHTN-40-000247]
when: run_pam_remove_nullok | bool
block:
- name: PHTN-40-000247 - Remove nullok from /etc/pam.d/system-password
ansible.builtin.replace:
path: '{{ var_pam_system_password_file }}'
regexp: '^(password.*pam_unix\.so.*)(\snullok)(.*)'
replace: '\1\3'

- name: PHTN-40-000247 - Remove nullok from /etc/pam.d/system-auth
ansible.builtin.replace:
path: '{{ var_pam_system_auth_file }}'
regexp: '^(auth.*pam_unix\.so.*)(\snullok)(.*)'
replace: '\1\3'

###################################################################################################################################
# !!! AIDE configuration should be the last task here so the configuration database includes all changes !!!
- name: PHTN-40-000237 - Configure AIDE
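Review bot: the capture `(\snullok)` is not bounded on the right, so a longer token starting with `nullok` would be truncated to its suffix rather than left alone; `(\snullok)(?=\s|$)` (Python `re`, which `ansible.builtin.replace` uses) makes the match exact. Because the first `.*` after `pam_unix\.so` is greedy, a line carrying `nullok` twice loses only the last occurrence per run; `.*?` would remove the first in one pass, though `replace` is idempotent so a rerun converges either way. `var_pam_system_password_file` and `var_pam_system_auth_file` are referenced here but do not appear in the defaults hunk shown earlier in this commit, which adds only `run_pam_remove_nullok`; confirm they are defined. Finally, since dropping `nullok` means accounts with an empty password field can no longer authenticate through pam_unix, the changelog entry should flag it as a behaviour change rather than only "new control".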
Original file line number Diff line number Diff line change
@@ -46,6 +46,7 @@
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/ping -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/procmail -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
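Review bot: the new `/usr/bin/ping` rule follows the existing pattern (`perm=x`, `auid>=1000`, `auid!=unset`, `key=privileged`), but the privileged-command list is meant to mirror what is actually setuid or setcap on the host; confirm that `/usr/bin/ping` on Photon 4.0 carries a setuid bit or a file capability and that the check text of the corresponding control lists it, otherwise the shipped rules file and the InSpec test for that control drift apart.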
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
install bridge /bin/false
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
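Review bot: dropping `install bridge /bin/false` re-enables the bridge module for every host this file is deployed to, not only container hosts; PHTN-40-000231 in this same commit gates `ip_forward` on detecting container packages, and the same gating (or a variable-driven module list) would keep non-container hosts at the previous hardening level. At minimum the README or changelog should state that the bridge module is now permitted everywhere.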
2 changes: 1 addition & 1 deletion photon/4.0/docs/README.md
Original file line number Diff line number Diff line change
@@ -3,4 +3,4 @@
## Overview
An XCCDF formatted XML is provided for the Photon OS 4.0 STIG Readiness Guide content for use to view in [STIG Viewer](https://public.cyber.mil/stigs/stig-viewing-tools/).

This can consumed from the zip file included here or from the individual files themselves.
This can be consumed from the zip file included here.
Binary file not shown.
Binary file not shown.
11 changes: 11 additions & 0 deletions photon/4.0/inspec/vmware-photon-4.0-stig-baseline/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,16 @@
# Change Log

## [4.0 Version 1 Release 5] (2024-01-04)

#### Release Notes
- Misc. tech edits for PHTN-40-000003,07,19,31,35,36,37,38,41,43,46,67,68,76,78,86,105,160,173,175,184,185,187,193,196,200,204,206,213,214,215,216,223,224,225,226,227,228,229,232,238,244,246
- PHTN-40-000042 updated finding statement and test
- PHTN-40-000047 removed bridge module from list to support container workloads
- PHTN-40-000107 added /var/lib/docker path to exclude from check
- PHTN-40-000121 updated test to support ntp server input as an array instead of strings
- PHTN-40-000231 updated test to include input for container host systems to mark the control N/A
- PHTN-40-000247 new control

## [4.0 Version 1 Release 4] (2023-08-08)

#### Release Notes
19 changes: 16 additions & 3 deletions photon/4.0/inspec/vmware-photon-4.0-stig-baseline/README.md
Original file line number Diff line number Diff line change
@@ -1,17 +1,30 @@
# vmware-photon-4.0-stig-baseline
Photon OS 4.0 STIG Readiness Guide Chef InSpec Profile
Version: Release 1 Version 4 Date: 08 August 2023
Version: Release 1 Version 5 Date: 04 January 2024
STIG Type: STIG Readiness Guide

## Overview
This is a compliance auditing profile that is based on Chef InSpec/CINC Auditor to perform an automated check for STIG compliance of the Photon OS 4.0 STIG Readiness Guide.

## Requirements

- [Chef InSpec](https://downloads.chef.io/tools/inspec) or [CINC Auditor](https://cinc.sh/start/auditor/) installed on a machine that can SSH target node. Tested with version 5.22.3. Chef/CINC Workstation can also be installed and used.
- [Chef InSpec](https://downloads.chef.io/tools/inspec) or [CINC Auditor](https://cinc.sh/start/auditor/) installed on a machine that can SSH target node. Tested with version 6.6.0. Chef/CINC Workstation can also be installed and used.
- SSH access to Photon instance
- Update the inputs in inspec-example.yml or make a new copy and update as appropriate for your environment

## Inputs
Inputs are used to provide variable information that customize how the profile is ran against the target system. Below is a list of inputs available for this profile that can be provided.

| Input Name | Default Value | Description | Type | STIG IDs |
|-------------------|---------------------------|-------------|-------------|-------------|
|authprivlog |/var/log/messages |The expected log path for the authpriv log in the rsyslog config.|String|PHTN-40-000012|
|containerHost |false |Used to indicate if system is a container host and running Kubernetes/Docker/etc for controls where this would make them N/A.|Boolean|PHTN-40-000231|
|ntptype |ntpd |Specify the NTP solution used. Supported values are `ntpd`, `timesyncd`, or `chrony`.|String|PHTN-40-000121|
|ntpServers |time-a-g.nist.gov,time-b-g.nist.gov|A list of NTP servers with which the system should sync.|Array|PHTN-40-000121|
|syslogServer |syslog.changeme.local:514 |Specify the IP or FQDN with port of the target syslog server.|String|PHTN-40-000111|
|useFaillockConf |true |Used to indicate that `/etc/security/faillock.conf` is used to configure `pam_faillock.so`.|Boolean|PHTN-40-000004,PHTN-40-000108,PHTN-40-000193,,PHTN-40-000194,PHTN-40-000195,PHTN-40-000196|
|usePwqualityConf |true |Used to indicate that `/etc/security/pwquality.conf` is used to configure `pam_pwquality.so`.|Boolean|PHTN-40-000035,PHTN-40-000036,PHTN-40-000037,,PHTN-40-000038,PHTN-40-000044,PHTN-40-000086,PHTN-40-000184,PHTN-40-000235|
|useHistoryConf |true |Used to indicate that `/etc/security/pwhistory.conf` is used to configure `pam_pwhistory.so`.|Boolean|PHTN-40-000043|

## Running the profile

#### Run all controls in the profile against a target server with an SSH Key
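Review bot: the new version line reads `Release 1 Version 5` while the changelog in this same commit (and the Ansible README) say `Version 1 Release 5`; swap the words so the documents agree. In the same hunk the STIG IDs column for `useFaillockConf` and `usePwqualityConf` contains a doubled comma (`PHTN-40-000193,,PHTN-40-000194` and `PHTN-40-000037,,PHTN-40-000038`), and the requirements bullet still says "can SSH target node" (missing "to"); both are context lines here, so they would need a follow-up edit.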
Original file line number Diff line number Diff line change
@@ -30,7 +30,7 @@
# /sbin/augenrules --load
Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
Note: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.
"
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
control 'PHTN-40-000007' do
title 'The Photon operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.'
desc "
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial of Service (DoS) attacks.
This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
"
Original file line number Diff line number Diff line change
@@ -34,7 +34,7 @@
# /sbin/augenrules --load
Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
Note: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.
"
Original file line number Diff line number Diff line change
@@ -36,7 +36,7 @@
# /sbin/augenrules --load
Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
Note: An \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.
"
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
control 'PHTN-40-000035' do
title 'The Photon operating system must enforce password complexity by requiring that at least one upper-case character be used.'
title 'The Photon operating system must enforce password complexity by requiring that at least one uppercase character be used.'
desc "
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
"
desc 'rationale', ''
desc 'check', "
At the command line, run the following command to verify at least one upper-case character be used:
At the command line, run the following command to verify at least one uppercase character be used:
# grep '^ucredit' /etc/security/pwquality.conf
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
control 'PHTN-40-000036' do
title 'The Photon operating system must enforce password complexity by requiring that at least one lower-case character be used.'
title 'The Photon operating system must enforce password complexity by requiring that at least one lowercase character be used.'
desc "
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
"
desc 'rationale', ''
desc 'check', "
At the command line, run the following command to verify at least one lower-case character be used:
At the command line, run the following command to verify at least one lowercase character be used:
# grep '^lcredit' /etc/security/pwquality.conf
Original file line number Diff line number Diff line change
@@ -7,7 +7,7 @@
"
desc 'rationale', ''
desc 'check', "
At the command line, run the following command to verify at least one lower-case character be used:
At the command line, run the following command to verify at least one numeric character be used:
# grep '^dcredit' /etc/security/pwquality.conf
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
control 'PHTN-40-000038' do
title 'The Photon operating system must require the change of at least 8 characters when passwords are changed.'
title 'The Photon operating system must require the change of at least eight characters when passwords are changed.'
desc "
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters.
If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least eight characters.
"
desc 'rationale', ''
desc 'check', "
At the command line, run the following command to verify at least one lower-case character be used:
At the command line, run the following command to verify at least eight different characters be used:
# grep '^difok' /etc/security/pwquality.conf
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
control 'PHTN-40-000041' do
title 'The Photon operating system must enforce 1 day as the minimum password lifetime.'
title 'The Photon operating system must enforce one day as the minimum password lifetime.'
desc "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse."
desc 'rationale', ''
desc 'check', "
At the command line, run the following command to verify 1 day as the minimum password lifetime:
At the command line, run the following command to verify one day as the minimum password lifetime:
# grep '^PASS_MIN_DAYS' /etc/login.defs
Original file line number Diff line number Diff line change
@@ -1,13 +1,14 @@
control 'PHTN-40-000042' do
title 'The Photon operating systems must enforce a 90 day maximum password lifetime restriction.'
title 'The Photon operating systems must enforce a 90-day maximum password lifetime restriction.'
desc 'Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.'
desc 'rationale', ''
desc 'check', "
At the command line, run the following command to verify a 90 day maximum password lifetime restriction:
At the command line, run the following command to verify a 90-day maximum password lifetime restriction:
# grep '^PASS_MAX_DAYS' /etc/login.defs
If \"PASS_MAX_DAYS\" is not set to <= 90, is missing or commented out, this is a finding.
If \"PASS_MAX_DAYS\" is disabled or set to -1, this is a finding.
"
desc 'fix', "
Navigate to and open:
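Review bot: the added sentence is needed because `-1` satisfies the existing `<= 90` wording, so the check as previously written would have passed a host with password aging disabled; the two sentences now overlap, though, and read more clearly folded into one: "If PASS_MAX_DAYS is not set to a value between 0 and 90, is missing or commented out, this is a finding." That also matches the two matchers the test below now applies.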
@@ -29,5 +30,6 @@

describe login_defs do
its('PASS_MAX_DAYS') { should cmp <= '90' }
its('PASS_MAX_DAYS') { should cmp >= 0 }
end
end
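Review bot: `should cmp >= 0` closes the gap where `PASS_MAX_DAYS -1` (aging disabled) satisfied `cmp <= '90'`; since both matchers now sit side by side, use the same literal type for both (`cmp <= 90` and `cmp >= 0`), as `cmp` coerces either way and mixing a quoted and an unquoted number invites a reader to think the difference is intentional.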