From 04993c7f8bde36c0bd12cbe31ca71498766c69f7 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Mon, 11 Oct 2021 08:35:53 -0400 Subject: [PATCH] Updates tasks/main.yml --- tasks/main.yml | 18825 +++++++++++++++++++++++------------------------ 1 file changed, 9284 insertions(+), 9541 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 7764372..d462700 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,2627 +1,2373 @@ -- name: 'Set fact: Package manager reinstall command (dnf)' - set_fact: - package_manager_reinstall_cmd: dnf reinstall -y - when: - - high_complexity | bool - - high_severity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - rpm_verify_hashes | bool - - ansible_distribution == "Fedora" +- name: Prevent Log In to Accounts With Empty Password - system-auth + replace: + dest: /etc/pam.d/system-auth + regexp: nullok tags: - - CCE-80857-6 - - CJIS-5.10.4.1 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity + - CCE-80841-0 + - CJIS-5.5.2 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - configure_strategy - high_severity + - low_complexity - medium_disruption + - no_empty_passwords - no_reboot_needed - - restrict_strategy - - rpm_verify_hashes - -- name: 'Set fact: Package manager reinstall command (yum)' - set_fact: - package_manager_reinstall_cmd: yum reinstall -y when: - - high_complexity | bool + - no_empty_passwords | bool + - no_reboot_needed | bool - high_severity | bool + - configure_strategy | bool - medium_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - rpm_verify_hashes | bool - - (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") + - low_complexity | bool + +- name: Prevent Log In to Accounts With Empty Password - password-auth + replace: + dest: /etc/pam.d/password-auth + regexp: nullok tags: - - CCE-80857-6 - - CJIS-5.10.4.1 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity + - CCE-80841-0 
+ - CJIS-5.5.2 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - configure_strategy - high_severity + - low_complexity - medium_disruption + - no_empty_passwords - no_reboot_needed - - restrict_strategy - - rpm_verify_hashes - -- name: Read files with incorrect hash - command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig - args: - warn: false - register: files_with_incorrect_hash - changed_when: false - failed_when: files_with_incorrect_hash.rc > 1 - check_mode: false when: - - high_complexity | bool + - no_empty_passwords | bool + - no_reboot_needed | bool - high_severity | bool + - configure_strategy | bool - medium_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - rpm_verify_hashes | bool - - (package_manager_reinstall_cmd is defined) + - low_complexity | bool + +- name: Direct root Logins Not Allowed + copy: + dest: /etc/securetty + content: '' tags: - - CCE-80857-6 - - CJIS-5.10.4.1 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption + - CCE-80840-2 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2 + - low_complexity + - low_disruption + - medium_severity + - no_direct_root_logins - no_reboot_needed - restrict_strategy - - rpm_verify_hashes - -- name: Create list of packages - command: rpm -qf "{{ item }}" - args: - warn: false - with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'', ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') - | select(''match'', ''(\/.*)'') | list | unique }}' - register: list_of_packages - changed_when: false - check_mode: false when: - - high_complexity | bool - - 
high_severity | bool - - medium_disruption | bool + - no_direct_root_logins | bool - no_reboot_needed | bool - restrict_strategy | bool - - rpm_verify_hashes | bool - - files_with_incorrect_hash.stdout_lines is defined - - (files_with_incorrect_hash.stdout_lines | length > 0) + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + +- name: Restrict Virtual Console Root Logins + lineinfile: + dest: /etc/securetty + regexp: ^vc + state: absent tags: - - CCE-80857-6 - - CJIS-5.10.4.1 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption + - CCE-80864-2 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-6 + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity - no_reboot_needed - restrict_strategy - - rpm_verify_hashes - -- name: Reinstall packages of files with incorrect hash - command: '{{ package_manager_reinstall_cmd }} ''{{ item }}''' - args: - warn: false - with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' + - securetty_root_login_console_only when: - - high_complexity | bool - - high_severity | bool - - medium_disruption | bool - no_reboot_needed | bool - restrict_strategy | bool - - rpm_verify_hashes | bool - - files_with_incorrect_hash.stdout_lines is defined - - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) - tags: - - CCE-80857-6 - - CJIS-5.10.4.1 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption - - no_reboot_needed - - restrict_strategy - - rpm_verify_hashes + - 
securetty_root_login_console_only | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool -- name: Read list of files with incorrect permissions - command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup - args: - warn: false - register: files_with_incorrect_permissions - failed_when: files_with_incorrect_permissions.rc > 1 - changed_when: false - check_mode: false +- name: Restrict Serial Port Root Logins + lineinfile: + dest: /etc/securetty + regexp: ttyS[0-9] + state: absent tags: - - CCE-80858-4 - - CJIS-5.10.4.1 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) + - CCE-80856-8 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-6 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption + - low_complexity + - low_disruption + - medium_severity - no_reboot_needed + - restrict_serial_port_logins - restrict_strategy - - rpm_verify_permissions when: - - high_complexity | bool - - high_severity | bool - - medium_disruption | bool - no_reboot_needed | bool + - restrict_serial_port_logins | bool - restrict_strategy | bool - - rpm_verify_permissions | bool - -- name: Create list of packages - command: rpm -qf "{{ item }}" - args: - warn: false - with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'', ''^[.]+[M]+.* (\/.*)'', ''\1'') | - map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}' - register: list_of_packages - changed_when: false - check_mode: false + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + +- name: Disable service debug-shell + block: + - name: Gather the service facts + service_facts: null + - name: Disable service debug-shell + systemd: + name: debug-shell.service + enabled: 'no' + state: 
stopped + masked: 'yes' + when: '"debug-shell.service" in ansible_facts.services' when: - - high_complexity | bool - - high_severity | bool - - medium_disruption | bool + - disable_strategy | bool - no_reboot_needed | bool - - restrict_strategy | bool - - rpm_verify_permissions | bool - - (files_with_incorrect_permissions.stdout_lines | length > 0) + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80858-4 - - CJIS-5.10.4.1 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption + - CCE-80876-6 + - NIST-800-171-3.4.5 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity - no_reboot_needed - - restrict_strategy - - rpm_verify_permissions + - service_debug-shell_disabled -- name: Correct file permissions with RPM - command: rpm --setperms '{{ item }}' +- name: Unit Socket Exists - debug-shell.socket + command: systemctl list-unit-files debug-shell.socket args: warn: false - with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false when: - - high_complexity | bool - - high_severity | bool - - medium_disruption | bool + - disable_strategy | bool - no_reboot_needed | bool - - restrict_strategy | bool - - rpm_verify_permissions | bool - - (files_with_incorrect_permissions.stdout_lines | length > 0) - tags: - - CCE-80858-4 - - CJIS-5.10.4.1 - - NIST-800-171-3.3.8 - - NIST-800-171-3.4.1 - - NIST-800-53-AU-9(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-6(c) - - NIST-800-53-CM-6(d) - - NIST-800-53-SI-7 - - NIST-800-53-SI-7(1) - - NIST-800-53-SI-7(6) - - 
PCI-DSS-Req-11.5 - - high_complexity - - high_severity - - medium_disruption - - no_reboot_needed - - restrict_strategy - - rpm_verify_permissions - -- name: Configure SSH to use System Crypto Policy - lineinfile: - dest: /etc/sysconfig/sshd - state: absent - regexp: ^\s*CRYPTO_POLICY.*$ + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80939-2 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(6) - - NIST-800-53-SC-13 - - configure_ssh_crypto_policy + - CCE-80876-6 + - NIST-800-171-3.4.5 - disable_strategy - low_complexity - - medium_disruption + - low_disruption - medium_severity - - reboot_required + - no_reboot_needed + - service_debug-shell_disabled + +- name: Disable socket debug-shell + systemd: + name: debug-shell.socket + enabled: 'no' + state: stopped + masked: 'yes' when: - - configure_ssh_crypto_policy | bool - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool + - no_reboot_needed | bool - medium_severity | bool - - reboot_required | bool - -- name: Configure System Cryptography Policy - lineinfile: - path: /etc/crypto-policies/config - regexp: ^(?!#)(\S+)$ - line: '{{ var_system_crypto_policy }}' - create: true + - low_disruption | bool + - low_complexity | bool + - '"debug-shell.socket" in socket_file_exists.stdout_lines[1]' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80935-0 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(6) - - NIST-800-53-SC-12(2) - - NIST-800-53-SC-12(3) - - NIST-800-53-SC-13 - - configure_crypto_policy - - high_severity + - CCE-80876-6 + - NIST-800-171-3.4.5 + - disable_strategy - low_complexity - low_disruption + - medium_severity - no_reboot_needed - - restrict_strategy + - service_debug-shell_disabled + +- name: require 
single user mode password + lineinfile: + create: true + dest: /usr/lib/systemd/system/rescue.service + regexp: ^#?ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue when: - - configure_crypto_policy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool + - require_singleuser_auth | bool - no_reboot_needed | bool - restrict_strategy | bool - -- name: Verify that Crypto Policy is Set (runtime) - command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80935-0 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) + - CCE-80855-0 + - NIST-800-171-3.1.1 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-3 - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(6) - - NIST-800-53-SC-12(2) - - NIST-800-53-SC-12(3) - - NIST-800-53-SC-13 - - configure_crypto_policy - - high_severity + - NIST-800-53-IA-2 - low_complexity - low_disruption + - medium_severity - no_reboot_needed + - require_singleuser_auth - restrict_strategy - when: - - configure_crypto_policy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Gather the package facts - package_facts: +- package_facts: manager: auto + name: Gather the package facts tags: - - CCE-80791-7 - - DISA-STIG-RHEL-08-010371 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80784-2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - ensure_gpgcheck_local_packages + - NIST-800-53-CM-6(a) + - disable_ctrlaltdel_burstaction + - disable_strategy - high_severity - low_complexity - - medium_disruption + - low_disruption - no_reboot_needed - - unknown_strategy when: - - 
ensure_gpgcheck_local_packages | bool + - disable_strategy | bool + - no_reboot_needed | bool + - disable_ctrlaltdel_burstaction | bool - high_severity | bool + - low_disruption | bool - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - unknown_strategy | bool -- name: Check existence of yum on Fedora - stat: - path: /etc/yum.conf - register: yum_config_file - check_mode: false +- name: Disable Ctrl-Alt-Del Burst Action + lineinfile: + dest: /etc/systemd/system.conf + state: present + regexp: ^CtrlAltDelBurstAction + line: CtrlAltDelBurstAction=none + create: true when: - - ensure_gpgcheck_local_packages | bool + - disable_strategy | bool + - no_reboot_needed | bool + - disable_ctrlaltdel_burstaction | bool - high_severity | bool + - low_disruption | bool - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - ansible_distribution == "Fedora" + - '"systemd" in ansible_facts.packages' tags: - - CCE-80791-7 - - DISA-STIG-RHEL-08-010371 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80784-2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - ensure_gpgcheck_local_packages + - NIST-800-53-CM-6(a) + - disable_ctrlaltdel_burstaction + - disable_strategy - high_severity - low_complexity - - medium_disruption + - low_disruption - no_reboot_needed - - unknown_strategy -- name: Ensure GPG check Enabled for Local Packages (Yum) - ini_file: - dest: /etc/yum.conf - section: main - option: localpkg_gpgcheck - value: 1 - create: true +- package_facts: + manager: auto + name: Gather the package facts + tags: + - CCE-80826-1 + - NIST-800-171-3.1.2 + - NIST-800-171-3.4.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-2(1) + - grub2_disable_interactive_boot + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - 
restrict_strategy when: - - ensure_gpgcheck_local_packages | bool - - high_severity | bool + - restrict_strategy | bool + - reboot_required | bool + - grub2_disable_interactive_boot | bool + - medium_severity | bool + - low_disruption | bool - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) + +- name: Verify that Interactive Boot is Disabled in /etc/default/grub + replace: + dest: /etc/default/grub + regexp: systemd.confirm_spawn=(1|yes|true|on) + replace: systemd.confirm_spawn=no + when: + - restrict_strategy | bool + - reboot_required | bool + - grub2_disable_interactive_boot | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - '"grub2-common" in ansible_facts.packages' tags: - - CCE-80791-7 - - DISA-STIG-RHEL-08-010371 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80826-1 + - NIST-800-171-3.1.2 + - NIST-800-171-3.4.5 - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - ensure_gpgcheck_local_packages - - high_severity + - NIST-800-53-SC-2(1) + - grub2_disable_interactive_boot - low_complexity - - medium_disruption - - no_reboot_needed - - unknown_strategy + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy -- name: Ensure GPG check Enabled for Local Packages (DNF) - ini_file: - dest: /etc/dnf/dnf.conf - section: main - option: localpkg_gpgcheck - value: 1 - create: true +- name: Verify that Interactive Boot is Disabled (runtime) + command: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" when: - - ensure_gpgcheck_local_packages | bool - - high_severity | bool + - restrict_strategy | bool + - reboot_required | bool + - grub2_disable_interactive_boot | bool + - 
medium_severity | bool + - low_disruption | bool - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - ansible_distribution == "Fedora" + - '"grub2-common" in ansible_facts.packages' tags: - - CCE-80791-7 - - DISA-STIG-RHEL-08-010371 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80826-1 + - NIST-800-171-3.1.2 + - NIST-800-171-3.4.5 - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - ensure_gpgcheck_local_packages - - high_severity + - NIST-800-53-SC-2(1) + - grub2_disable_interactive_boot - low_complexity - - medium_disruption - - no_reboot_needed - - unknown_strategy - -- name: Grep for yum repo section names - shell: 'set -o pipefail - - grep -HEr ''^\[.+\]'' -r /etc/yum.repos.d/ + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy - ' - register: repo_grep_results - ignore_errors: true - changed_when: false +- name: Disable Ctrl-Alt-Del Reboot Activation + systemd: + name: ctrl-alt-del.target + masked: true + state: stopped + when: + - disable_strategy | bool + - no_reboot_needed | bool + - high_severity | bool + - disable_ctrlaltdel_reboot | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80792-5 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80785-9 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - enable_strategy - - ensure_gpgcheck_never_disabled + - disable_ctrlaltdel_reboot + - disable_strategy - high_severity - low_complexity - - medium_disruption + - low_disruption - no_reboot_needed + +- name: Enable service 
auditd + block: + - name: Gather the package facts + package_facts: + manager: auto + - name: Enable service auditd + service: + name: auditd + enabled: 'yes' + state: started + when: + - '"audit" in ansible_facts.packages' when: - - enable_strategy | bool - - ensure_gpgcheck_never_disabled | bool + - no_reboot_needed | bool - high_severity | bool + - enable_strategy | bool - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - -- name: Set gpgcheck=1 for each yum repo - ini_file: - path: '{{ item[0] }}' - section: '{{ item[1] }}' - option: gpgcheck - value: '1' - no_extra_spaces: true - loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}' + - low_disruption | bool + - service_auditd_enabled | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80792-5 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80872-5 + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-171-3.3.2 + - NIST-800-171-3.3.6 + - NIST-800-53-AC-2(g) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-10 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-14(1) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-3 - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 + - PCI-DSS-Req-10.1 - enable_strategy - - ensure_gpgcheck_never_disabled - high_severity - low_complexity - - medium_disruption + - low_disruption - no_reboot_needed - when: - - enable_strategy | bool - - ensure_gpgcheck_never_disabled | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool + - service_auditd_enabled -- name: Read permission of GPG key directory - stat: - path: /etc/pki/rpm-gpg/ - register: gpg_key_directory_permission - check_mode: false +- package_facts: + manager: auto + name: Gather the 
package facts tags: - - CCE-80795-8 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) + - CCE-80825-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument + - low_disruption - medium_complexity - - medium_disruption - - no_reboot_needed + - medium_severity + - reboot_required - restrict_strategy when: - - ensure_redhat_gpgkey_installed | bool - - high_severity | bool - - medium_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool + - grub2_audit_argument | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - medium_complexity | bool + - low_disruption | bool -- name: Read signatures in GPG key - command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - args: - warn: false +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts changed_when: false - register: gpg_fingerprints - check_mode: false - tags: - - CCE-80795-8 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity - - medium_complexity - - medium_disruption - - no_reboot_needed - - restrict_strategy when: - - ensure_redhat_gpgkey_installed | bool - - high_severity | bool - - medium_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool + - grub2_audit_argument | bool - restrict_strategy | bool - -- name: Set Fact - Installed GPG Fingerprints - set_fact: - gpg_installed_fingerprints: '{{ gpg_fingerprints.stdout | regex_findall(''^pub.* - - 
(?:^fpr[:]*)([0-9A-Fa-f]*)'', ''\1'') | list }}' + - reboot_required | bool + - medium_severity | bool + - medium_complexity | bool + - low_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - - CCE-80795-8 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) + - CCE-80825-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument + - low_disruption - medium_complexity - - medium_disruption - - no_reboot_needed + - medium_severity + - reboot_required - restrict_strategy + +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} audit=1" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | list }}' when: - - ensure_redhat_gpgkey_installed | bool - - high_severity | bool - - medium_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool + - grub2_audit_argument | bool - restrict_strategy | bool - -- name: Set Fact - Valid fingerprints - set_fact: - gpg_valid_fingerprints: ("567E347AD0044ADE55BA8A5F199E2F91FD431D51" "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792") + - reboot_required | bool + - medium_severity | bool + - medium_complexity | bool + - low_disruption | bool + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit=1(?:\s.*)?$', multiline=True) is none + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - - CCE-80795-8 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) + - CCE-80825-3 + - 
CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument + - low_disruption - medium_complexity - - medium_disruption - - no_reboot_needed + - medium_severity + - reboot_required - restrict_strategy - when: - - ensure_redhat_gpgkey_installed | bool - - high_severity | bool - - medium_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool -- name: Import RedHat GPG key - rpm_key: +- name: Configure auditd Flush Priority + lineinfile: + dest: /etc/audit/auditd.conf + regexp: ^\s*flush\s*=\s*.*$ + line: flush = {{ var_auditd_flush }} state: present - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + create: true when: - - ensure_redhat_gpgkey_installed | bool - - high_severity | bool - - medium_complexity | bool - - medium_disruption | bool + - auditd_data_retention_flush | bool - no_reboot_needed | bool - restrict_strategy | bool - - gpg_key_directory_permission.stat.mode <= '0755' - - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 - - gpg_installed_fingerprints | length > 0 - - ansible_distribution == "RedHat" + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80795-8 - - CJIS-5.10.4.1 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-5(3) + - CCE-80680-2 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-11 - NIST-800-53-CM-6(a) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_redhat_gpgkey_installed - - high_severity - - medium_complexity - - medium_disruption + - auditd_data_retention_flush + - low_complexity + - low_disruption + - 
medium_severity - no_reboot_needed - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto +- name: enable syslog plugin + lineinfile: + dest: /etc/audit/plugins.d/syslog.conf + regexp: ^active + line: active = yes + create: true + when: + - auditd_audispd_syslog_plugin_activated | bool + - no_reboot_needed | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80790-9 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-08-010370 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80677-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-4(1) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated - - high_severity + - PCI-DSS-Req-10.5.3 + - auditd_audispd_syslog_plugin_activated + - configure_strategy - low_complexity - - medium_disruption + - low_disruption + - medium_severity - no_reboot_needed - - unknown_strategy - when: - - ensure_gpgcheck_globally_activated | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - - unknown_strategy | bool -- name: Check existence of yum on Fedora - stat: - path: /etc/yum.conf - register: yum_config_file - check_mode: false +- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*/etc/sudoers.*$ + patterns: '*.rules' + register: find_audit_sysadmin_actions when: - - ensure_gpgcheck_globally_activated | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool + - audit_rules_sysadmin_actions | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"yum" in 
ansible_facts.packages' - - ansible_distribution == "Fedora" + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80790-9 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-08-010370 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80743-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated - - high_severity + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - - medium_disruption + - low_disruption + - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Ensure GPG check is globally activated (yum) - ini_file: - dest: /etc/yum.conf - section: main - option: gpgcheck - value: 1 - no_extra_spaces: true - create: false +- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - /etc/audit/rules.d/actions.rules when: - - ensure_gpgcheck_globally_activated | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool + - audit_rules_sysadmin_actions | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 + - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80790-9 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-08-010370 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) + - CCE-80743-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated - - high_severity + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - - medium_disruption + - low_disruption + - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Ensure GPG check is globally activated (dnf) - ini_file: - dest: /etc/dnf/dnf.conf - section: main - option: gpgcheck - value: 1 - no_extra_spaces: true - create: false +- name: Use matched file as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - '{{ find_audit_sysadmin_actions.files | map(attribute=''path'') | list | first }}' when: - - ensure_gpgcheck_globally_activated | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool + - audit_rules_sysadmin_actions | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"yum" in ansible_facts.packages' - - ansible_distribution == "Fedora" - tags: - - CCE-80790-9 - - CJIS-5.10.4.1 - - DISA-STIG-RHEL-08-010370 - - NIST-800-171-3.4.8 - - NIST-800-53-CM-11(a) - - NIST-800-53-CM-11(b) - - NIST-800-53-CM-5(3) - - NIST-800-53-CM-6(a) - - NIST-800-53-SA-12 - - NIST-800-53-SA-12(10) - - NIST-800-53-SC-12 - - NIST-800-53-SC-12(3) - - NIST-800-53-SI-7 - - PCI-DSS-Req-6.2 - - ensure_gpgcheck_globally_activated - - high_severity - - low_complexity - - medium_disruption - - no_reboot_needed - - unknown_strategy - -- name: Gather the package facts - package_facts: - 
manager: auto + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80773-5 - - NIST-800-171-3.1.13 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) + - CCE-80743-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - dconf_gnome_remote_access_encryption + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy - when: - - dconf_gnome_remote_access_encryption | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool + - restrict_strategy -- name: Require Encryption for Remote Access in GNOME3 - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/Vino - option: require-encryption - value: 'true' +- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d + lineinfile: + path: '{{ all_sysadmin_actions_files[0] }}' + line: -w /etc/sudoers -p wa -k actions create: true - no_extra_spaces: true when: - - dconf_gnome_remote_access_encryption | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool + - audit_rules_sysadmin_actions | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80773-5 - - NIST-800-171-3.1.13 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) + - 
CCE-80743-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - dconf_gnome_remote_access_encryption + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Prevent user modification of GNOME3 Encryption for Remote Access +- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/Vino/require-encryption - line: /org/gnome/Vino/require-encryption + path: '{{ all_sysadmin_actions_files[0] }}' + line: -w /etc/sudoers.d/ -p wa -k actions create: true when: - - dconf_gnome_remote_access_encryption | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool + - audit_rules_sysadmin_actions | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80773-5 - - NIST-800-171-3.1.13 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) + - CCE-80743-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - dconf_gnome_remote_access_encryption + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Dconf Update - command: dconf update +- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules + lineinfile: + path: 
/etc/audit/audit.rules + line: -w /etc/sudoers -p wa -k actions + create: true when: - - dconf_gnome_remote_access_encryption | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool + - audit_rules_sysadmin_actions | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80773-5 - - NIST-800-171-3.1.13 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) + - CCE-80743-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - dconf_gnome_remote_access_encryption + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80772-7 - - NIST-800-171-3.1.12 - - dconf_gnome_remote_access_credential_prompt - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - when: - - dconf_gnome_remote_access_credential_prompt | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - -- name: Require Credential Prompting for Remote Access in GNOME3 - ini_file: - dest: /etc/dconf/db/local.d/00-security-settings - section: org/gnome/Vino - option: authentication-methods - value: '[''vnc'']' - create: true - no_extra_spaces: true - when: - - dconf_gnome_remote_access_credential_prompt | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in 
ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80772-7 - - NIST-800-171-3.1.12 - - dconf_gnome_remote_access_credential_prompt - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Prevent user modification of GNOME3 Credential Prompting for Remote Access +- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: ^/org/gnome/Vino/authentication-methods - line: /org/gnome/Vino/authentication-methods + path: /etc/audit/audit.rules + line: -w /etc/sudoers.d/ -p wa -k actions create: true when: - - dconf_gnome_remote_access_credential_prompt | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool + - audit_rules_sysadmin_actions | bool - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80772-7 - - NIST-800-171-3.1.12 - - dconf_gnome_remote_access_credential_prompt - - low_complexity - - medium_disruption - - medium_severity - - no_reboot_needed - - unknown_strategy - -- name: Dconf Update - command: dconf update - when: - - dconf_gnome_remote_access_credential_prompt | bool - - low_complexity | bool - - medium_disruption | bool + - restrict_strategy | bool - medium_severity | bool - - no_reboot_needed | bool - - unknown_strategy | bool - - '"gdm" in ansible_facts.packages' + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80772-7 - - NIST-800-171-3.1.12 - - dconf_gnome_remote_access_credential_prompt + - CCE-80743-8 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions - low_complexity - - medium_disruption + - low_disruption - medium_severity - no_reboot_needed - - unknown_strategy + - restrict_strategy -- name: Disable service debug-shell - block: - - name: Gather the service facts - service_facts: null - - name: Disable service debug-shell - systemd: - name: debug-shell.service - enabled: 'no' - state: stopped - masked: 'yes' - when: '"debug-shell.service" in ansible_facts.services' +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool - medium_severity | bool - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80876-6 - - DISA-STIG-RHEL-08-040180 - - NIST-800-171-3.4.5 - - disable_strategy + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_debug-shell_disabled + - restrict_strategy -- name: Unit Socket Exists - debug-shell.socket - command: systemctl list-unit-files debug-shell.socket - args: - warn: false - register: socket_file_exists - changed_when: false - ignore_errors: true - check_mode: false +- name: Remediate audit rules for network configuration for x86 + block: + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check 
existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + 
create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool - medium_severity | bool - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] tags: - - CCE-80876-6 - - DISA-STIG-RHEL-08-040180 - - NIST-800-171-3.4.5 - - disable_strategy + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_debug-shell_disabled + - restrict_strategy -- name: Disable socket debug-shell - systemd: - name: debug-shell.socket - enabled: 'no' - state: stopped - masked: 'yes' +- name: Remediate audit rules for network configuration for x86_64 + block: + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched 
== 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add 
syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool - medium_severity | bool - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"debug-shell.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-80876-6 - - DISA-STIG-RHEL-08-040180 - - NIST-800-171-3.4.5 - - disable_strategy + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_debug-shell_disabled + - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto +- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] tags: - - CCE-80784-2 - - DISA-STIG-RHEL-08-040172 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - disable_ctrlaltdel_burstaction - - disable_strategy - - high_severity + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption + - medium_severity - no_reboot_needed - when: - - disable_ctrlaltdel_burstaction | bool - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool + - restrict_strategy -- name: Disable Ctrl-Alt-Del Burst Action - lineinfile: - dest: /etc/systemd/system.conf - state: present - regexp: ^CtrlAltDelBurstAction - line: CtrlAltDelBurstAction=none - create: true +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key when: - - disable_ctrlaltdel_burstaction | bool - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool + - medium_severity | bool - no_reboot_needed | bool - - '"systemd" in ansible_facts.packages' + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80784-2 - - DISA-STIG-RHEL-08-040172 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) - - NIST-800-53-CM-6(a) + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - 
- disable_ctrlaltdel_burstaction - - disable_strategy - - high_severity + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption + - medium_severity - no_reboot_needed + - restrict_strategy -- name: require single user mode password - lineinfile: - create: true - dest: /usr/lib/systemd/system/rescue.service - regexp: ^#?ExecStart= - line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: - - low_complexity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool - medium_severity | bool - no_reboot_needed | bool - - require_singleuser_auth | bool - - restrict_strategy | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80855-0 - - DISA-STIG-RHEL-08-010151 - - NIST-800-171-3.1.1 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-3 + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-2 + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - - require_singleuser_auth - restrict_strategy -- name: Disable Ctrl-Alt-Del Reboot Activation - systemd: - name: ctrl-alt-del.target - masked: true - state: stopped +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - disable_ctrlaltdel_reboot | bool - - 
disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool + - medium_severity | bool - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80785-9 - - DISA-STIG-RHEL-08-040170 - - NIST-800-171-3.4.5 - - NIST-800-53-AC-6(1) + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - disable_ctrlaltdel_reboot - - disable_strategy - - high_severity + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption + - medium_severity - no_reboot_needed + - restrict_strategy -- name: Gather the package facts - package_facts: - manager: auto +- name: Add watch rule for /etc/issue in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification + create: true + when: + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80826-1 - - NIST-800-171-3.1.2 - - NIST-800-171-3.4.5 + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-2(1) - - grub2_disable_interactive_boot + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification 
- low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - when: - - grub2_disable_interactive_boot | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool -- name: Verify that Interactive Boot is Disabled in /etc/default/grub - replace: - dest: /etc/default/grub - regexp: systemd.confirm_spawn=(1|yes|true|on) - replace: systemd.confirm_spawn=no +- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - grub2_disable_interactive_boot | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80826-1 - - NIST-800-171-3.1.2 - - NIST-800-171-3.4.5 + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-2(1) - - grub2_disable_interactive_boot + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Verify that Interactive Boot is Disabled (runtime) - command: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" +- name: Add watch rule for /etc/issue in /etc/audit/audit.rules + lineinfile: + line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + 
create: true when: - - grub2_disable_interactive_boot | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool - - '"grub2-common" in ansible_facts.packages' + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80826-1 - - NIST-800-171-3.1.2 - - NIST-800-171-3.4.5 + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-SC-2(1) - - grub2_disable_interactive_boot + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Prevent Log In to Accounts With Empty Password - system-auth - replace: - dest: /etc/pam.d/system-auth - regexp: nullok - tags: - - CCE-80841-0 - - CJIS-5.5.2 - - DISA-STIG-RHEL-08-020330 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - configure_strategy - - high_severity - - low_complexity - - medium_disruption - - no_empty_passwords - - no_reboot_needed +- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - configure_strategy | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_empty_passwords | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool + - medium_severity | 
bool - no_reboot_needed | bool - -- name: Prevent Log In to Accounts With Empty Password - password-auth - replace: - dest: /etc/pam.d/password-auth - regexp: nullok + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80841-0 - - CJIS-5.5.2 - - DISA-STIG-RHEL-08-020330 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-5(1)(a) - - NIST-800-53-IA-5(c) - - PCI-DSS-Req-8.2.3 - - configure_strategy - - high_severity + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - - medium_disruption - - no_empty_passwords + - low_disruption + - medium_severity - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key when: - - configure_strategy | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_empty_passwords | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool + - medium_severity | bool - no_reboot_needed | bool - -- name: Restrict Virtual Console Root Logins - lineinfile: - dest: /etc/securetty - regexp: ^vc - state: absent + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80864-2 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - NIST-800-53-AC-6 + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - - securetty_root_login_console_only - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - securetty_root_login_console_only | bool -- name: Direct root Logins Not Allowed - copy: - dest: /etc/securetty - content: '' +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: - - low_complexity | bool - - low_disruption | bool + - audit_rules_networkconfig_modification | bool + - restrict_strategy | bool - medium_severity | bool - - no_direct_root_logins | bool - no_reboot_needed | bool - - restrict_strategy | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80840-2 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.6 + - CCE-80723-0 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-IA-2 + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - no_direct_root_logins - no_reboot_needed - restrict_strategy -- name: Restrict Serial Port Root Logins - lineinfile: - dest: /etc/securetty - regexp: ttyS[0-9] - state: absent - tags: - - CCE-80856-8 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - NIST-800-53-AC-6 - - NIST-800-53-CM-6(a) - - low_complexity - - low_disruption - - medium_severity - - 
no_reboot_needed - - restrict_serial_port_logins - - restrict_strategy +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_serial_port_logins | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool - -- name: Enable service auditd - block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable service auditd - service: - name: auditd - enabled: 'yes' - state: started - masked: 'no' - when: - - '"audit" in ansible_facts.packages' - when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - no_reboot_needed | bool - - service_auditd_enabled | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80872-5 + - CCE-80723-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-010560 - - NIST-800-171-3.3.1 - - NIST-800-171-3.3.2 - - NIST-800-171-3.3.6 - - NIST-800-53-AC-2(g) + - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - - NIST-800-53-AU-10 - NIST-800-53-AU-12(c) - - NIST-800-53-AU-14(1) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.1 - - enable_strategy + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - no_reboot_needed - - service_auditd_enabled - -- name: Gather the package facts - package_facts: - manager: auto - tags: - - CCE-80825-3 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030601 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) - - 
NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument - - low_disruption - - medium_complexity - - medium_severity - - reboot_required - restrict_strategy - when: - - grub2_audit_argument | bool - - low_disruption | bool - - medium_complexity | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool -- name: get current kernel parameters - command: /usr/bin/grub2-editenv - list - register: kernelopts - changed_when: false +- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + create: true when: - - grub2_audit_argument | bool - - low_disruption | bool - - medium_complexity | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"grub2-common" in ansible_facts.packages' tags: - - CCE-80825-3 + - CCE-80723-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030601 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity - low_disruption - - medium_complexity - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Update the bootloader menu - command: /usr/bin/grub2-editenv - set "{{ item }} audit=1" - with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') 
| list }}' +- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - grub2_audit_argument | bool - - low_disruption | bool - - medium_complexity | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"grub2-common" in ansible_facts.packages' - - kernelopts.stdout_lines is defined - - kernelopts.stdout_lines | length > 0 - - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit=1(?:\s.*)?$', multiline=True) is none tags: - - CCE-80825-3 + - CCE-80723-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030601 - - NIST-800-171-3.3.1 - - NIST-800-53-AC-17(1) - - NIST-800-53-AU-10 - - NIST-800-53-AU-14(1) + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - NIST-800-53-IR-5(1) - - PCI-DSS-Req-10.3 - - grub2_audit_argument + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity - low_disruption - - medium_complexity - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit mount tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules + lineinfile: + line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_media_export | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - 
audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80722-2 + - CCE-80723-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ + contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ patterns: '*.rules' - register: find_mount + register: find_existing_watch_rules_d when: - - audit_rules_media_export | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80722-2 + - CCE-80723-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use 
/etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key when: - - audit_rules_media_export | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_mount.matched is defined and find_mount.matched == 0 tags: - - CCE-80722-2 + - CCE-80723-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule set_fact: all_files: - - '{{ find_mount.files | map(attribute=''path'') | list | first }}' + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: - - audit_rules_media_export | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + 
- low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_mount.matched is defined and find_mount.matched > 0 tags: - - CCE-80722-2 + - CCE-80723-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the mount rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_media_export | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80722-2 + - CCE-80723-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - 
low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the mount rule in rules.d when on x86_64 +- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification create: true when: - - audit_rules_media_export | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80722-2 + - CCE-80723-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the mount rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - audit_rules_media_export | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - 
reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80722-2 + - CCE-80723-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the mount rule in audit.rules when on x86_64 +- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules lineinfile: - line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_media_export | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80722-2 + - CCE-80723-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_media_export + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - 
no_reboot_needed - restrict_strategy -- name: Set architecture for audit gshadow tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - audit_rules_usergroup_modification_gshadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80759-4 + - CCE-80723-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030160 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_gshadow + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other user/group modification audit rules +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification find: paths: /etc/audit/rules.d - recurse: false - contains: -k audit_rules_usergroup_modification$ + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ patterns: '*.rules' - register: find_gshadow + register: find_watch_key when: - - audit_rules_usergroup_modification_gshadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - 
restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80759-4 + - CCE-80723-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030160 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_gshadow + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for - the rule +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules when: - - audit_rules_usergroup_modification_gshadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_gshadow.matched is defined and find_gshadow.matched == 0 tags: - - CCE-80759-4 + - CCE-80723-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030160 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_gshadow + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_gshadow.files | map(attribute=''path'') | list | first }}' + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_usergroup_modification_gshadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_gshadow.matched is defined and find_gshadow.matched > 0 tags: - - CCE-80759-4 + - CCE-80723-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030160 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_gshadow + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the gshadow rule in rules.d when on x86 +- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification create: true when: - - 
audit_rules_usergroup_modification_gshadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80759-4 + - CCE-80723-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030160 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_gshadow - - low_complexity + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the gshadow rule in /etc/audit/audit.rules - lineinfile: - line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification - state: present - dest: /etc/audit/audit.rules - create: true +- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - audit_rules_usergroup_modification_gshadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80759-4 + - CCE-80723-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030160 
- NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_gshadow + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules + lineinfile: + line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_mac_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_networkconfig_modification | bool - restrict_strategy | bool + - medium_severity | bool + - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80721-4 + - CCE-80723-0 - CJIS-5.4.1.1 - - NIST-800-171-3.1.8 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - audit_rules_networkconfig_modification - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy +- name: Collect all files from /etc/audit/rules.d with .rules extension find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F 
key=|-k\s+)MAC-policy$ + paths: /etc/audit/rules.d/ patterns: '*.rules' - register: find_watch_key + register: find_rules_d when: - - audit_rules_mac_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_immutable | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80721-4 + - CCE-80708-1 - CJIS-5.4.1.1 - - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-10.5.2 + - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/MAC-policy.rules +- name: Remove the -e option from all Audit config files + lineinfile: + path: '{{ item }}' + regexp: ^\s*(?:-e)\s+.*$ + state: absent + loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}' when: - - audit_rules_mac_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_immutable | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - 
- CCE-80721-4 + - CCE-80708-1 - CJIS-5.4.1.1 - - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-10.5.2 + - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' +- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules + lineinfile: + path: '{{ item }}' + create: true + line: -e 2 + loop: + - /etc/audit/audit.rules + - /etc/audit/rules.d/immutable.rules when: - - audit_rules_mac_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_immutable | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80721-4 + - CCE-80708-1 - CJIS-5.4.1.1 - - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-10.5.2 + - audit_rules_immutable - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Add watch rule for /etc/selinux/ in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/selinux/ -p wa -k MAC-policy - create: true - mode: '0640' +- name: Set architecture for audit 
shadow tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_mac_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_usergroup_modification_shadow | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80721-4 + - CCE-80762-8 - CJIS-5.4.1.1 - - NIST-800-171-3.1.8 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules +- name: Search /etc/audit/rules.d for other user/group modification audit rules find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules + paths: /etc/audit/rules.d + recurse: false + contains: -k audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_shadow when: - - audit_rules_mac_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_usergroup_modification_shadow | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80721-4 + - CCE-80762-8 - CJIS-5.4.1.1 - - 
NIST-800-171-3.1.8 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Add watch rule for /etc/selinux/ in /etc/audit/audit.rules - lineinfile: - line: -w /etc/selinux/ -p wa -k MAC-policy - state: present - dest: /etc/audit/audit.rules - create: true - mode: '0640' +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for + the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_mac_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_usergroup_modification_shadow | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_shadow.matched is defined and find_shadow.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-80721-4 + - CCE-80762-8 - CJIS-5.4.1.1 - - NIST-800-171-3.1.8 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_mac_modification - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*/etc/sudoers.*$ - patterns: '*.rules' - register: find_audit_sysadmin_actions - when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | 
bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80743-8 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030172 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule +- name: Use matched file as the recipient for the rule set_fact: - all_sysadmin_actions_files: - - /etc/audit/rules.d/actions.rules + all_files: + - '{{ find_shadow.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_usergroup_modification_shadow | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_shadow.matched is defined and find_shadow.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 tags: - - CCE-80743-8 + - CCE-80762-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030172 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow - low_complexity - low_disruption - medium_severity - 
- no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_sysadmin_actions_files: - - '{{ find_audit_sysadmin_actions.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the shadow rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification + create: true when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_usergroup_modification_shadow | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 tags: - - CCE-80743-8 + - CCE-80762-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030172 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d +- name: Inserts/replaces the shadow rule in /etc/audit/audit.rules lineinfile: - path: '{{ all_sysadmin_actions_files[0] }}' - line: -w /etc/sudoers -p wa -k actions + line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - 
audit_rules_usergroup_modification_shadow | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80743-8 + - CCE-80762-8 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030172 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d - lineinfile: - path: '{{ all_sysadmin_actions_files[0] }}' - line: -w /etc/sudoers.d/ -p wa -k actions - create: true +- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_session_events | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80743-8 + - CCE-80742-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030172 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - 
low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -w /etc/sudoers -p wa -k actions - create: true +- name: Search /etc/audit/rules.d for other rules with specified key session + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)session$ + patterns: '*.rules' + register: find_watch_key when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_session_events | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80743-8 + - CCE-80742-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030172 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -w /etc/sudoers.d/ -p wa -k actions - create: true +- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/session.rules when: - - audit_rules_sysadmin_actions | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_session_events | bool - restrict_strategy | bool + - reboot_required | 
bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80743-8 + - CCE-80742-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030172 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(7)(b) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.2 - - PCI-DSS-Req-10.2.5.b - - audit_rules_sysadmin_actions + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit passwd tasks +- name: Use matched file as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_usergroup_modification_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_session_events | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80761-0 + - CCE-80742-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030150 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_passwd + - PCI-DSS-Req-10.2.3 + - 
audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other user/group modification audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -k audit_rules_usergroup_modification$ - patterns: '*.rules' - register: find_passwd - when: - - audit_rules_usergroup_modification_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80761-0 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030150 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_passwd - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for - the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Add watch rule for /var/run/utmp in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /var/run/utmp -p wa -k session + create: true when: - - audit_rules_usergroup_modification_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_session_events | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_passwd.matched is defined and find_passwd.matched == 0 - tags: - - CCE-80761-0 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030150 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - 
PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_passwd - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_passwd.files | map(attribute=''path'') | list | first }}' - when: - - audit_rules_usergroup_modification_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - reboot_required | bool - - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_passwd.matched is defined and find_passwd.matched > 0 tags: - - CCE-80761-0 + - CCE-80742-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030150 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_passwd + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the passwd rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification - create: true +- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - audit_rules_usergroup_modification_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_session_events | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption 
| bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80761-0 + - CCE-80742-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030150 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_passwd + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the passwd rule in /etc/audit/audit.rules +- name: Add watch rule for /var/run/utmp in /etc/audit/audit.rules lineinfile: - line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification + line: -w /var/run/utmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_usergroup_modification_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_session_events | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80761-0 + - CCE-80742-0 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030150 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_passwd + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ +- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ 
find: paths: /etc/audit/rules.d - contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 @@ -2646,13 +2392,13 @@ register: find_watch_key when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 @@ -2674,14 +2420,14 @@ - /etc/audit/rules.d/session.rules when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 
@@ -2703,14 +2449,14 @@ - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 @@ -2726,21 +2472,20 @@ - reboot_required - restrict_strategy -- name: Add watch rule for /var/run/utmp in /etc/audit/rules.d/ +- name: Add watch rule for /var/log/btmp in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /var/run/utmp -p wa -k session + line: -w /var/log/btmp -p wa -k session create: true - mode: '0640' when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 
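Review bot: The "Add watch rule for /var/log/btmp in /etc/audit/rules.d/" task keeps `create: true` but drops `mode: '0640'`, so when `{{ all_files[0] }}` (normally `/etc/audit/rules.d/session.rules`) does not yet exist, `lineinfile` creates it under the managed host's default umask, typically 0644 and world-readable. Audit rule files are part of the audit configuration and are usually expected to be root-readable only; within this patch I see no replacement `file:` task enforcing permissions on the created file. Unless the role sets these permissions elsewhere, keep `mode: '0640'` directly under `create: true`. The task's `tags:` list continues past the end of this hunk.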
@@ -2756,19 +2501,19 @@ - reboot_required - restrict_strategy -- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules +- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules find: paths: /etc/audit/ - contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 @@ -2785,22 +2530,21 @@ - reboot_required - restrict_strategy -- name: Add watch rule for /var/run/utmp in /etc/audit/audit.rules +- name: Add watch rule for /var/log/btmp in /etc/audit/audit.rules lineinfile: - line: -w /var/run/utmp -p wa -k session + line: -w /var/log/btmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true - mode: '0640' when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 
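Review bot: The "Add watch rule for /var/log/btmp in /etc/audit/audit.rules" task removes `mode: '0640'` while still using `dest: /etc/audit/audit.rules` with `create: true`, so on a host where `audit.rules` is absent the file is created with umask-derived permissions rather than an explicit restrictive mode. The previous version pinned the mode for exactly this case, and nothing in the hunk takes over that job. I would restore `mode: '0640'` after `create: true`, or if the intent is to let a later permissions task handle it, say so in a comment on the task (`# permissions on audit.rules are enforced by <task>`). The task's `tags:` list runs past the end of the hunk.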
@@ -2816,19 +2560,19 @@ - reboot_required - restrict_strategy -- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ +- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d - contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 @@ -2853,13 +2597,13 @@ register: find_watch_key when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 
@@ -2881,14 +2625,14 @@ - /etc/audit/rules.d/session.rules when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 @@ -2910,14 +2654,14 @@ - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 
@@ -2933,21 +2677,20 @@ - reboot_required - restrict_strategy -- name: Add watch rule for /var/log/btmp in /etc/audit/rules.d/ +- name: Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /var/log/btmp -p wa -k session + line: -w /var/log/wtmp -p wa -k session create: true - mode: '0640' when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 @@ -2963,19 +2706,19 @@ - reboot_required - restrict_strategy -- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules +- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules find: paths: /etc/audit/ - contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ + contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 
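Review bot: The "Add watch rule for /var/log/wtmp in /etc/audit/rules.d/" task loses `mode: '0640'` but keeps `create: true`, so a freshly created `{{ all_files[0] }}` inherits the remote umask instead of an explicit root-only mode. The rename from btmp to wtmp is fine; the permission regression is the issue and appears to be a side effect of the template change rather than a deliberate policy decision, since no other task in the hunk sets the mode. Restore `mode: '0640'` under `create: true` unless permissions are enforced elsewhere in the role. The task's `tags:` list continues beyond the hunk.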
@@ -2992,22 +2735,21 @@ - reboot_required - restrict_strategy -- name: Add watch rule for /var/log/btmp in /etc/audit/audit.rules +- name: Add watch rule for /var/log/wtmp in /etc/audit/audit.rules lineinfile: - line: -w /var/log/btmp -p wa -k session + line: -w /var/log/wtmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true - mode: '0640' when: - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80742-0 - CJIS-5.4.1.1 
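Review bot: The "Add watch rule for /var/log/wtmp in /etc/audit/audit.rules" task drops `mode: '0640'` while keeping `dest: /etc/audit/audit.rules` and `create: true`, so if the file has to be created here it gets umask-default permissions. For a rule that exists to harden audit logging, creating its own configuration file world-readable is an avoidable regression; I would put `mode: '0640'` back directly after `create: true`. If the removal is intentional because a dedicated permissions task covers `/etc/audit/`, a one-line comment on the task noting that would prevent this from being re-raised. The task's `tags:` list runs past the end of the hunk.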
@@ -3023,88 +2765,87 @@ - reboot_required - restrict_strategy -- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Set architecture for audit mount tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_media_export | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80742-0 + - CCE-80722-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key session +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)session$ + recurse: false + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_watch_key + register: find_mount when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_media_export | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and 
find_existing_watch_rules_d.matched == 0 tags: - - CCE-80742-0 + - CCE-80722-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/session.rules + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_media_export | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_mount.matched is defined and find_mount.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80742-0 + - CCE-80722-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity 
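Review bot: The new `find` registered as `find_mount` matches only `contains: -F key=perm_mod$`, so a rules.d file that already carries the same rules spelled with `-k perm_mod` is not found and the mount rule is written to `/etc/audit/rules.d/privileged.rules` instead of alongside them. The MAC-policy search later in this diff accepts both spellings with `^.*(?:-F key=|-k\s+)MAC-policy$`; the same form fits here: `contains: ^.*(?:-F key=|-k\s+)perm_mod$`. Note also that `recurse: false` is the module default, so that line is harmless but redundant. The hunk ends inside the tags of the `privileged.rules` set_fact task.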
@@ -3114,116 +2855,146 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + - '{{ find_mount.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_media_export | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_mount.matched is defined and find_mount.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80742-0 + - CCE-80722-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ +- name: Inserts/replaces the mount rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -w /var/log/wtmp -p wa -k session + line: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod create: true - mode: '0640' when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_media_export | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80742-0 + - CCE-80722-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: Inserts/replaces the mount rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_media_export | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80742-0 + - CCE-80722-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Add watch rule for /var/log/wtmp in /etc/audit/audit.rules +- name: Inserts/replaces the mount rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -w /var/log/wtmp -p wa -k session + line: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F 
key=perm_mod state: present dest: /etc/audit/audit.rules create: true - mode: '0640' when: - - audit_rules_session_events | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - restrict_strategy | bool - reboot_required | bool + - audit_rules_media_export | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80722-2 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the mount rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: - restrict_strategy | bool + - reboot_required | bool + - audit_rules_media_export | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-80742-0 + - CCE-80722-2 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_session_events + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export - low_complexity - low_disruption - medium_severity 
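Review bot: The four tasks named "Inserts/replaces the mount rule …" use `lineinfile` with `line:` only and no `regexp:`, so they match the exact line and nothing else; an existing mount rule with a different spelling (for example `-k perm_mod`, or a different `auid!=` form) is left in place and the new line is appended, producing duplicate rules rather than a replacement. Either drop "replaces" from the names or key the match on arch and syscall, e.g. `regexp: ^\s*-a\s+always,exit\s+.*-F\s+arch=b32\s+.*-S\s+mount\b` for the b32 tasks (b64 likewise). The two "when on x86" tasks also carry no `audit_arch` condition while the x86_64 ones require `audit_arch == 'b64'`; if loading the b32 rule on every architecture is intended, the task names should say so. The last task's tags run past the end of the hunk.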
@@ -3234,17 +3005,16 @@ set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: + - restrict_strategy | bool + - reboot_required | bool - audit_rules_usergroup_modification_opasswd | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80760-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030140 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -3267,17 +3037,16 @@ patterns: '*.rules' register: find_opasswd when: + - restrict_strategy | bool + - reboot_required | bool - audit_rules_usergroup_modification_opasswd | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80760-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030140 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
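Review bot: Removing `DISA-STIG-RHEL-08-030140` from the tags of the opasswd audit tasks changes what `ansible-playbook --tags DISA-STIG-RHEL-08-030140` selects, and the commit message ("Updates tasks/main.yml") gives no reason. The same tag drop applies to the other opasswd tasks in the two hunks at `@@ -3298,18` and `@@ -3329,18` and at `@@ -3361,17` and `@@ -3393,17`, and the gshadow tasks lose `DISA-STIG-RHEL-08-030130` in the hunks from `@@ -3804,7` onward. If this is a deliberate move away from the STIG profile mapping, a line in the commit description saying so would save the next reader from treating it as an accidental loss of coverage.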
@@ -3298,18 +3067,17 @@ all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_usergroup_modification_opasswd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - audit_rules_usergroup_modification_opasswd | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - find_opasswd.matched is defined and find_opasswd.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80760-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030140 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -3329,18 +3097,17 @@ all_files: - '{{ find_opasswd.files | map(attribute=''path'') | list | first }}' when: + - restrict_strategy | bool + - reboot_required | bool - audit_rules_usergroup_modification_opasswd | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - low_disruption | bool + - low_complexity | bool - find_opasswd.matched is defined and find_opasswd.matched > 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80760-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030140 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -3361,17 +3128,16 @@ line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification create: true when: + - restrict_strategy | bool + - reboot_required | bool - audit_rules_usergroup_modification_opasswd | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80760-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030140 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -3393,17 +3159,16 @@ dest: /etc/audit/audit.rules create: true when: + - restrict_strategy | bool + - reboot_required | bool - audit_rules_usergroup_modification_opasswd | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80760-2 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030140 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -3418,179 +3183,88 @@ - reboot_required - restrict_strategy -- name: Collect all files from /etc/audit/rules.d with .rules extension +- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/ find: - paths: /etc/audit/rules.d/ + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ patterns: '*.rules' - register: find_rules_d + register: find_existing_watch_rules_d when: - - audit_rules_system_shutdown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_mac_modification | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80744-6 - - NIST-800-171-3.3.1 - - NIST-800-171-3.3.4 - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-24 - - audit_rules_system_shutdown - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Remove the -f option from all Audit config files - lineinfile: - path: '{{ item }}' - regexp: ^\s*(?:-f)\s+.*$ - state: absent - loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}' - when: - - audit_rules_system_shutdown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - reboot_required | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80744-6 - - NIST-800-171-3.3.1 - - NIST-800-171-3.3.4 - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-24 - - audit_rules_system_shutdown - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules - lineinfile: - path: '{{ item }}' - create: true - line: -f 2 - loop: - - /etc/audit/audit.rules - - 
/etc/audit/rules.d/immutable.rules - when: - - audit_rules_system_shutdown | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80744-6 - - NIST-800-171-3.3.1 - - NIST-800-171-3.3.4 - - NIST-800-53-AU-5(b) - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-24 - - audit_rules_system_shutdown - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit group tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - audit_rules_usergroup_modification_group | bool - - low_complexity | bool - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80758-6 + - CCE-80721-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030170 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_group + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other user/group modification audit rules +- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy find: paths: /etc/audit/rules.d - recurse: false - contains: -k audit_rules_usergroup_modification$ + contains: ^.*(?:-F key=|-k\s+)MAC-policy$ patterns: '*.rules' - register: find_group + register: find_watch_key when: - - audit_rules_usergroup_modification_group | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - 
reboot_required | bool + - audit_rules_mac_modification | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80758-6 + - CCE-80721-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030170 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_group + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for - the rule +- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/MAC-policy.rules when: - - audit_rules_usergroup_modification_group | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_mac_modification | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_group.matched is defined and find_group.matched == 0 tags: - - CCE-80758-6 + - CCE-80721-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030170 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_group + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity 
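Review bot: The existence check for the SELinux watch uses `contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+`, which requires the trailing slash and exactly `-p wa`; an existing `-w /etc/selinux -p wa -k MAC-policy` (no slash) or a rule with a broader permission set such as `-p rwxa` is not matched, so the later add task appends a second watch on the same directory. Accepting the optional slash is a one-character change, `contains: ^\s*-w\s+/etc/selinux/?\s+-p\s+wa(\s|$)+`, and the same pattern is used for the audit.rules check in the hunk starting at `@@ -3600,91`. The `(\s|$)+` quantifier on an alternation containing `$` is harmless but reads oddly; `(?:\s|$)` says the same thing.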
@@ -3600,91 +3274,114 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_group.files | map(attribute=''path'') | list | first }}' + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_usergroup_modification_group | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_mac_modification | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_group.matched is defined and find_group.matched > 0 tags: - - CCE-80758-6 + - CCE-80721-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030170 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_group + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the group rule in rules.d when on x86 +- name: Add watch rule for /etc/selinux/ in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/group -p wa -k audit_rules_usergroup_modification + line: -w /etc/selinux/ -p wa -k MAC-policy create: true when: - - audit_rules_usergroup_modification_group | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_mac_modification | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80758-6 + - CCE-80721-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030170 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_group + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the group rule in /etc/audit/audit.rules - lineinfile: - line: -w /etc/group -p wa -k audit_rules_usergroup_modification - state: present - dest: /etc/audit/audit.rules - create: true - when: - - audit_rules_usergroup_modification_group | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool +- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: + - audit_rules_mac_modification | bool + - restrict_strategy | bool - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80721-4 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add watch rule for /etc/selinux/ in /etc/audit/audit.rules + lineinfile: + line: -w /etc/selinux/ -p wa -k MAC-policy + state: present + dest: /etc/audit/audit.rules + create: true + when: + - 
audit_rules_mac_modification | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80758-6 + - CCE-80721-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030170 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) + - NIST-800-171-3.1.8 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_group + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification - low_complexity - low_disruption - medium_severity 
@@ -3697,106 +3394,99 @@ patterns: '*.rules' register: find_rules_d when: - - audit_rules_immutable | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_system_shutdown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80708-1 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030121 + - CCE-80744-6 - NIST-800-171-3.3.1 - - NIST-800-171-3.4.3 - - NIST-800-53-AC-6(9) + - NIST-800-171-3.3.4 + - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.2 - - audit_rules_immutable + - NIST-800-53-SC-24 + - audit_rules_system_shutdown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Remove the -e option from all Audit config files +- name: Remove the -f option from all Audit config files lineinfile: path: '{{ item }}' - regexp: ^\s*(?:-e)\s+.*$ + regexp: ^\s*(?:-f)\s+.*$ state: absent loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}' when: - - audit_rules_immutable | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_system_shutdown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80708-1 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030121 + - CCE-80744-6 - NIST-800-171-3.3.1 - - NIST-800-171-3.4.3 - - NIST-800-53-AC-6(9) + - NIST-800-171-3.3.4 + - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.2 - - audit_rules_immutable + - NIST-800-53-SC-24 + - audit_rules_system_shutdown - low_complexity - low_disruption - medium_severity - reboot_required - 
restrict_strategy -- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules +- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules lineinfile: path: '{{ item }}' create: true - line: -e 2 + line: -f 2 loop: - /etc/audit/audit.rules - /etc/audit/rules.d/immutable.rules when: - - audit_rules_immutable | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_system_shutdown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80708-1 - - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030121 + - CCE-80744-6 - NIST-800-171-3.3.1 - - NIST-800-171-3.4.3 - - NIST-800-53-AC-6(9) + - NIST-800-171-3.3.4 + - NIST-800-53-AU-5(b) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.2 - - audit_rules_immutable + - NIST-800-53-SC-24 + - audit_rules_system_shutdown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit shadow tasks +- name: Set architecture for audit gshadow tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_usergroup_modification_shadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_usergroup_modification_gshadow | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80762-8 + - CCE-80759-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030130 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
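Review bot: "Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules" appends `-f 2` with `lineinfile` (no `insertbefore`), and the removed side of this same hunk shows that the `-e 2` immutability rule is written to the very same `immutable.rules`; if that task has already run, `-f 2` lands after `-e 2`, and once `-e 2` has locked the configuration the kernel presumably rejects the later failure-mode change, so the panic-on-failure setting would silently not take effect. Placing it ahead of the lock, `insertbefore: ^\s*-e\s+2\s*$`, keeps append-at-end behaviour when no `-e 2` line exists and orders it correctly when one does. Whether the `-e 2` task now runs before or after this one is not visible in this chunk, so please confirm the task order in the new file. The preceding `find` whose result is looped over as `find_rules_d` starts above this hunk.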
@@ -3804,7 +3494,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity @@ -3817,19 +3507,18 @@ recurse: false contains: -k audit_rules_usergroup_modification$ patterns: '*.rules' - register: find_shadow + register: find_gshadow when: - - audit_rules_usergroup_modification_shadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_usergroup_modification_gshadow | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80762-8 + - CCE-80759-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030130 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -3837,7 +3526,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity @@ -3850,18 +3539,17 @@ all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_usergroup_modification_shadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_usergroup_modification_gshadow | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_gshadow.matched is defined and find_gshadow.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_shadow.matched is defined and find_shadow.matched == 0 tags: - - CCE-80762-8 + - CCE-80759-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030130 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -3869,7 +3557,7 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity @@ -3879,20 +3567,19 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_shadow.files | map(attribute=''path'') | list | first }}' + - '{{ find_gshadow.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_usergroup_modification_shadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_usergroup_modification_gshadow | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_gshadow.matched is defined and find_gshadow.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_shadow.matched is defined and find_shadow.matched > 0 tags: - - CCE-80762-8 + - CCE-80759-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030130 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -3900,30 +3587,29 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the shadow rule in rules.d when on x86 +- name: Inserts/replaces the gshadow rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification + line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification create: true when: - - audit_rules_usergroup_modification_shadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_usergroup_modification_gshadow | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80762-8 + - CCE-80759-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030130 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
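Review bot: The task name "Inserts/replaces the gshadow rule in rules.d when on x86" does not match what the task does: its `when` has no architecture condition, a `-w /etc/gshadow -p wa` watch is not architecture-specific, and `lineinfile` without `regexp:` inserts but never replaces. The `audit_arch` fact computed by "Set architecture for audit gshadow tasks" in the hunk starting at `@@ -3697,106` is not read by any gshadow task visible in this diff, so that set_fact looks like dead work carried over from the syscall-rule template. Renaming to `- name: Add the gshadow watch rule to rules.d` (and likewise for the audit.rules task in the next hunk) would make the generated playbook honest about its behaviour.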
@@ -3931,31 +3617,30 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the shadow rule in /etc/audit/audit.rules +- name: Inserts/replaces the gshadow rule in /etc/audit/audit.rules lineinfile: - line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification + line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_usergroup_modification_shadow | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_usergroup_modification_gshadow | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80762-8 + - CCE-80759-4 - CJIS-5.4.1.1 - - DISA-STIG-RHEL-08-030130 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
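Review bot: The task is named "Inserts/replaces the gshadow rule" but the `lineinfile` call has no `regexp`, so an existing watch on /etc/gshadow with a different key or permission set (for example `-w /etc/gshadow -p wa -k identity`) is left in place and a second watch line is appended rather than replaced. Adding `regexp: ^\s*-w\s+/etc/gshadow\s+-p\s+wa(\s|$)` before `line:` makes the task converge on one rule, which is what the name promises. Separately, `create: true` is used without a `mode`, so a freshly created rules file under /etc/audit/rules.d gets whatever the remote umask yields; other generated watch-rule tasks in this role appear to pass `mode: '0640'`, and doing the same here keeps audit configuration permissions consistent.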
@@ -3963,1195 +3648,1030 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.5 - - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_gshadow - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit tasks +- name: Set architecture for audit passwd tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_usergroup_modification_passwd | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80723-0 + - CCE-80761-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Remediate audit rules for network configuration for x86 - block: - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of 
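Review bot: This task writes the same gshadow watch directly into /etc/audit/audit.rules with `dest: /etc/audit/audit.rules` while its rules.d sibling uses `path:`; `dest` is only a legacy alias of `path` in `lineinfile`, so using `path:` in both keeps the generated role uniform and avoids relying on an alias that may be deprecated. As with the rules.d variant there is no `regexp`, so an already-present /etc/gshadow watch with a different key is duplicated rather than replaced, and `create: true` without `mode` leaves the file's permissions to the remote umask when it has to be created. On hosts that load rules through augenrules, /etc/audit/audit.rules is regenerated from rules.d, so a comment noting that this direct edit only matters for auditctl-mode systems would help the next maintainer; the rest of this hunk continues past the visible lines.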
matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in 
/etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_passwd when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_usergroup_modification_passwd | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80723-0 + - CCE-80761-0 
- CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Remediate audit rules for network configuration for x86_64 - block: - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: 
find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - sethostname - - setdomainname - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched 
== 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for + the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_usergroup_modification_passwd | bool + - low_disruption | bool + - low_complexity | bool + - find_passwd.matched is defined and find_passwd.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch == "b64" tags: - - CCE-80723-0 + - CCE-80761-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_passwd.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - 
low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_usergroup_modification_passwd | bool + - low_disruption | bool + - low_complexity | bool + - find_passwd.matched is defined and find_passwd.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80723-0 + - CCE-80761-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_watch_key +- name: Inserts/replaces the passwd rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_usergroup_modification_passwd | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 + - CCE-80761-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules +- name: Inserts/replaces the passwd rule in /etc/audit/audit.rules + lineinfile: + line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_usergroup_modification_passwd | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 + - CCE-80761-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Set architecture for audit group tasks set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + audit_arch: b{{ ansible_architecture | 
regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_usergroup_modification_group | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 + - CCE-80758-6 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/issue in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification - create: true - mode: '0640' +- name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_group when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_usergroup_modification_group | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and 
find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 + - CCE-80758-6 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for + the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_usergroup_modification_group | bool + - low_complexity | bool + - find_group.matched is defined and find_group.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80723-0 + - CCE-80758-6 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/issue in /etc/audit/audit.rules - lineinfile: - line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification - state: 
present - dest: /etc/audit/audit.rules - create: true - mode: '0640' +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_group.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_usergroup_modification_group | bool + - low_complexity | bool + - find_group.matched is defined and find_group.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-80723-0 + - CCE-80758-6 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Inserts/replaces the group rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/group -p wa -k audit_rules_usergroup_modification + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_usergroup_modification_group | 
bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80723-0 + - CCE-80758-6 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_watch_key +- name: Inserts/replaces the group rule in /etc/audit/audit.rules + lineinfile: + line: -w /etc/group -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_usergroup_modification_group | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 + - CCE-80758-6 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- 
name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule +- name: Set architecture for audit init_module tasks set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - audit_rules_kernel_module_loading_init | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80713-1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification - - low_complexity + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_init + - configure_strategy + - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*init_module.*$ + patterns: '*.rules' + register: find_init_module when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - 
audit_rules_kernel_module_loading_init | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80713-1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_init + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification - create: true - mode: '0640' +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - audit_rules_kernel_module_loading_init | bool + - low_complexity | bool + - find_init_module.matched is defined and find_init_module.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80713-1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - 
audit_rules_kernel_module_loading_init + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_init_module.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - audit_rules_kernel_module_loading_init | bool + - low_complexity | bool + - find_init_module.matched is defined and find_init_module.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80713-1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_init + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules +- name: Inserts/replaces the init_module rule in rules.d lineinfile: - line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S init_module -k module-change state: present - dest: /etc/audit/audit.rules create: true - mode: '0640' when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - 
no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - audit_rules_kernel_module_loading_init | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80713-1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_init + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Inserts/replaces the init_module rule in rules.d on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S init_module -k module-change + state: present + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - audit_rules_kernel_module_loading_init | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80713-1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + 
- audit_rules_kernel_module_loading_init + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_watch_key +- name: Inserts/replaces the init_module rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F arch=b32 -S init_module -k module-change + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - audit_rules_kernel_module_loading_init | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80713-1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_init + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules +- name: Inserts/replaces the init_module rule in audit.rules when on x86_64 + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F arch=b64 -S init_module -k module-change + create: true when: - - 
audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - audit_rules_kernel_module_loading_init | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80713-1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_init + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Set architecture for audit delete_module tasks set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - audit_rules_kernel_module_loading_delete | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - 
CCE-80711-5 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_delete + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification - create: true - mode: '0640' +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*delete_module.*$ + patterns: '*.rules' + register: find_delete_module when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - audit_rules_kernel_module_loading_delete | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80711-5 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_delete + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: Use 
/etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - audit_rules_kernel_module_loading_delete | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool + - find_delete_module.matched is defined and find_delete_module.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80711-5 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_delete + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules - lineinfile: - line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification - state: present - dest: /etc/audit/audit.rules - create: true - mode: '0640' +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - audit_rules_kernel_module_loading_delete | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool + - find_delete_module.matched is defined and find_delete_module.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - 
find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80711-5 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_delete + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Inserts/replaces the delete_module rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S delete_module -k module-change + state: present + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - audit_rules_kernel_module_loading_delete | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80711-5 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_delete + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F 
key=|-k\s+)audit_rules_networkconfig_modification$ - patterns: '*.rules' - register: find_watch_key +- name: Inserts/replaces the delete_module rule in rules.d on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S delete_module -k module-change + state: present + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - audit_rules_kernel_module_loading_delete | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80711-5 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_delete + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules +- name: Inserts/replaces the delete_module rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F arch=b32 -S delete_module -k module-change + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - audit_rules_kernel_module_loading_delete | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy 
| bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80711-5 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_delete + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the delete_module rule in audit.rules when on x86_64 + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F arch=b64 -S delete_module -k module-change + create: true when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - audit_rules_kernel_module_loading_delete | bool - no_reboot_needed | bool - - restrict_strategy | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80711-5 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - 
PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading_delete + - configure_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy -- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification - create: true - mode: '0640' +- name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k logins$ + patterns: '*.rules' + register: find_lastlog when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_login_events_lastlog | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80719-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the + rule + set_fact: + all_files: + - /etc/audit/rules.d/logins.rules when: - - 
audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_login_events_lastlog | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_lastlog.matched is defined and find_lastlog.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80719-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lastlog.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_login_events_lastlog | bool + - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_lastlog.matched is defined and find_lastlog.matched > 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80719-8 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lastlog rule in rules.d when on x86 lineinfile: - line: -w /etc/sysconfig/network -p wa -k 
audit_rules_networkconfig_modification - state: present - dest: /etc/audit/audit.rules + path: '{{ all_files[0] }}' + line: -w /var/log/lastlog -p wa -k logins create: true - mode: '0640' when: - - audit_rules_networkconfig_modification | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_login_events_lastlog | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-80723-0 - - CJIS-5.4.1.1 + - CCE-80719-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_networkconfig_modification + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit open_by_handle_at tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Inserts/replaces the lastlog rule in /etc/audit/audit.rules + lineinfile: + line: -w /var/log/lastlog -p wa -k logins + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_login_events_lastlog | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80755-2 + - CCE-80719-8 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open_by_handle_at + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for other user/group modification audit rules find: paths: /etc/audit/rules.d recurse: false - contains: -F key=perm_mod$ + contains: -k logins$ patterns: '*.rules' - register: find_open_by_handle_at + register: find_faillock when: - - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_login_events_faillock | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80755-2 + - CCE-80718-0 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open_by_handle_at + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_faillock - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the + rule set_fact: all_files: - - /etc/audit/rules.d/access.rules + - /etc/audit/rules.d/logins.rules when: - - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | 
bool - - reboot_required | bool + - audit_rules_login_events_faillock | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_faillock.matched is defined and find_faillock.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched == 0 tags: - - CCE-80755-2 + - CCE-80718-0 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open_by_handle_at + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_faillock - low_complexity - low_disruption - medium_severity 
@@ -5161,5238 +4681,4988 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first }}' + - '{{ find_faillock.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_login_events_faillock | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_faillock.matched is defined and find_faillock.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched > 0 tags: - - CCE-80755-2 + - CCE-80718-0 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open_by_handle_at + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_faillock - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86 +- name: Inserts/replaces the faillock rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: '{{ item }}' + line: -w /var/run/faillock -p wa -k logins create: true - with_items: - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_login_events_faillock | bool - 
restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80755-2 + - CCE-80718-0 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open_by_handle_at + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_faillock - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64 +- name: Inserts/replaces the faillock rule in /etc/audit/audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' + line: -w /var/run/faillock -p wa -k logins + state: present + dest: /etc/audit/audit.rules create: true - with_items: - - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_login_events_faillock | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80755-2 + - CCE-80718-0 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open_by_handle_at + - PCI-DSS-Req-10.2.3 + - 
audit_rules_login_events_faillock - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k logins$ + patterns: '*.rules' + register: find_tallylog when: - - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_login_events_tallylog | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80755-2 + - CCE-80720-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - low_complexity + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog + - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S open_by_handle_at -F 
exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the + rule + set_fact: + all_files: + - /etc/audit/rules.d/logins.rules when: - - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_login_events_tallylog | bool + - low_disruption | bool + - low_complexity | bool + - find_tallylog.matched is defined and find_tallylog.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80755-2 + - CCE-80720-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open_by_handle_at + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit truncate tasks +- name: Use matched file as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - '{{ find_tallylog.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_unsuccessful_file_modification_truncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_login_events_tallylog | bool + - low_disruption | bool + - low_complexity | bool + - find_tallylog.matched is defined and find_tallylog.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] tags: - - CCE-80756-0 + - CCE-80720-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_truncate + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_truncate +- name: Inserts/replaces the tallylog rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /var/log/tallylog -p wa -k logins + create: true when: - - audit_rules_unsuccessful_file_modification_truncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_login_events_tallylog | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80756-0 + - CCE-80720-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_truncate + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/access.rules +- name: Inserts/replaces the tallylog rule in /etc/audit/audit.rules + lineinfile: + line: -w /var/log/tallylog -p wa -k logins + state: present + dest: /etc/audit/audit.rules + create: true when: 
- - audit_rules_unsuccessful_file_modification_truncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_login_events_tallylog | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_truncate.matched is defined and find_truncate.matched == 0 tags: - - CCE-80756-0 + - CCE-80720-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_truncate + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_truncate.files | map(attribute=''path'') | list | first }}' +- name: Perform remediation of Audit rules for stime syscall for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - stime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + 
find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - stime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: 
audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: - - audit_rules_unsuccessful_file_modification_truncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_time_stime | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_truncate.matched is defined and find_truncate.matched > 0 tags: - - CCE-80756-0 + - CCE-80748-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_truncate + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_stime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the truncate rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b32 -S truncate -F 
exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d when: - - audit_rules_unsuccessful_file_modification_truncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80756-0 - - NIST-800-171-3.1.7 + - CCE-80749-5 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_truncate + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the truncate rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_watch_key when: - - audit_rules_unsuccessful_file_modification_truncate | bool - - low_complexity | bool - - 
low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80756-0 + - CCE-80749-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_truncate + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the truncate rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules when: - - audit_rules_unsuccessful_file_modification_truncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and + 
find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80756-0 + - CCE-80749-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_truncate + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the truncate rule in audit.rules when on x86_64 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_unsuccessful_file_modification_truncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and + find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80756-0 + - CCE-80749-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - 
audit_rules_unsuccessful_file_modification_truncate + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit openat tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/localtime -p wa -k audit_time_rules + create: true when: - - audit_rules_unsuccessful_file_modification_openat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80754-5 + - CCE-80749-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_openat + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules when: - - audit_rules_unsuccessful_file_modification_openat | 
bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80754-5 + - CCE-80749-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/access.rules +- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules + lineinfile: + line: -w /etc/localtime -p wa -k audit_time_rules + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_unsuccessful_file_modification_openat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_time_watch_localtime | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_openat.matched is defined and find_openat.matched == 0 tags: - - CCE-80754-5 + - CCE-80749-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - 
PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Set architecture for audit tasks set_fact: - all_files: - - '{{ find_openat.files | map(attribute=''path'') | list | first }}' + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_unsuccessful_file_modification_openat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_time_adjtimex | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_openat.matched is defined and find_openat.matched > 0 tags: - - CCE-80754-5 + - CCE-80745-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the openat rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - when: - - audit_rules_unsuccessful_file_modification_openat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool +- name: Perform 
remediation of Audit rules for adjtimex for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ 
tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_time_adjtimex | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80754-5 + - CCE-80745-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the openat rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Perform remediation of Audit rules for adjtimex for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for 
the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct 
rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls when: - - audit_rules_unsuccessful_file_modification_openat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_time_adjtimex | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80754-5 + - CCE-80745-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Set 
architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_unsuccessful_file_modification_openat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_time_clock_settime | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80754-5 + - CCE-80746-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the openat rule in audit.rules when on x86_64 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Perform remediation of Audit rules for clock_settime for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: 
audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key time-change + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)time-change$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/time-change.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls when: - - audit_rules_unsuccessful_file_modification_openat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_time_clock_settime | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80754-5 + - CCE-80746-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_openat + - 
PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit open tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Perform remediation of Audit rules for clock_settime for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key time-change + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)time-change$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/time-change.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and 
arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: 
/etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls when: - - audit_rules_unsuccessful_file_modification_open | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_time_clock_settime | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80753-7 + - CCE-80746-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_open +- name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_unsuccessful_file_modification_open | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_time_settimeofday | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80753-7 + - CCE-80747-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 
- - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/access.rules - when: - - audit_rules_unsuccessful_file_modification_open | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool +- name: Perform remediation of Audit rules for settimeofday for x86 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - 
'{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + 
when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_time_settimeofday | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_open.matched is defined and find_open.matched == 0 tags: - - CCE-80753-7 + - CCE-80747-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_open.files | map(attribute=''path'') | list | first }}' +- name: Perform remediation of Audit rules for settimeofday for x86_64 platform + block: + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + - name: Get number of matched 
syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + - name: Insert the syscall rule in {{ all_files[0] }} + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item 
}}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls when: - - audit_rules_unsuccessful_file_modification_open | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_time_settimeofday | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch == "b64" - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_open.matched is defined and find_open.matched > 0 tags: - - CCE-80753-7 + - CCE-80747-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday - low_complexity - 
low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the open rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Set architecture for audit fchown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_unsuccessful_file_modification_open | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80753-7 + - CCE-80689-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the open rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - when: - - audit_rules_unsuccessful_file_modification_open | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool +- name: Search /etc/audit/rules.d for other DAC audit 
rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchown + when: + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80753-7 + - CCE-80689-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_unsuccessful_file_modification_open | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_fchown.matched is defined and find_fchown.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80753-7 + - CCE-80689-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the open rule in audit.rules when on x86_64 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchown.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_unsuccessful_file_modification_open | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_fchown.matched is defined and find_fchown.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80753-7 + - CCE-80689-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_open + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit creat tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Inserts/replaces the fchown rule in rules.d when on x86 + 
lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_unsuccessful_file_modification_creat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80751-1 + - CCE-80689-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_creat + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_creat +- name: Inserts/replaces the fchown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_unsuccessful_file_modification_creat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80751-1 + - CCE-80689-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_creat + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/access.rules +- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_unsuccessful_file_modification_creat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_creat.matched is defined and find_creat.matched == 0 tags: - - CCE-80751-1 + - CCE-80689-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_creat + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_creat.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the fchown rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - 
audit_rules_unsuccessful_file_modification_creat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_fchown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_creat.matched is defined and find_creat.matched > 0 tags: - - CCE-80751-1 + - CCE-80689-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_creat + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the creat rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Set architecture for audit setxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_unsuccessful_file_modification_creat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80751-1 + - CCE-80697-6 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_creat + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the creat rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_setxattr when: - - audit_rules_unsuccessful_file_modification_creat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80751-1 + - CCE-80697-6 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_creat + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the creat rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=access - - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_unsuccessful_file_modification_creat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_setxattr.matched is defined and find_setxattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80751-1 + - CCE-80697-6 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_creat + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the creat rule in audit.rules when on x86_64 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_unsuccessful_file_modification_creat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool + - reboot_required | 
bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_setxattr.matched is defined and find_setxattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80751-1 + - CCE-80697-6 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_creat + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit ftruncate tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Inserts/replaces the setxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_unsuccessful_file_modification_ftruncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80752-9 + - CCE-80697-6 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_ftruncate + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: 
false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_ftruncate +- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_unsuccessful_file_modification_ftruncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80752-9 + - CCE-80697-6 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_ftruncate + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/access.rules +- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_unsuccessful_file_modification_ftruncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_ftruncate.matched is defined and find_ftruncate.matched == 0 tags: - - CCE-80752-9 + - CCE-80697-6 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_ftruncate + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_ftruncate.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_unsuccessful_file_modification_ftruncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_setxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_ftruncate.matched is defined and find_ftruncate.matched > 0 tags: - - CCE-80752-9 + - CCE-80697-6 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_ftruncate + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the ftruncate rule in rules.d when on x86 - 
lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Set architecture for audit chown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_unsuccessful_file_modification_ftruncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_chown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80752-9 + - CCE-80686-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_ftruncate + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the ftruncate rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ item }}' - create: true - with_items: - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_chown when: - - audit_rules_unsuccessful_file_modification_ftruncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required 
| bool + - audit_rules_dac_modification_chown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80752-9 + - CCE-80686-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_ftruncate - - low_complexity + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown + - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the ftruncate rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_unsuccessful_file_modification_ftruncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_chown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_chown.matched is defined and find_chown.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80752-9 + - CCE-80686-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - 
PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_ftruncate + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the ftruncate rule in audit.rules when on x86_64 - lineinfile: - line: '{{ item }}' - state: present - dest: /etc/audit/audit.rules - create: true - with_items: - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access - - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chown.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_unsuccessful_file_modification_ftruncate | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_dac_modification_chown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_chown.matched is defined and find_chown.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80752-9 + - CCE-80686-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.1 - - PCI-DSS-Req-10.2.4 - - audit_rules_unsuccessful_file_modification_ftruncate + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path=/usr/bin/chcon.*$ - patterns: '*.rules' - register: find_chcon +- name: Inserts/replaces the chown rule in rules.d when on x86 + lineinfile: + 
path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_execution_chcon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_chown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80698-4 + - CCE-80686-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_chcon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Inserts/replaces the chown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_execution_chcon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_chown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chcon.matched is defined and find_chcon.matched == 0 tags: - - CCE-80698-4 + - CCE-80686-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - 
audit_rules_execution_chcon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_chcon.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_execution_chcon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_chown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chcon.matched is defined and find_chcon.matched > 0 tags: - - CCE-80698-4 + - CCE-80686-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_chcon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the chcon rule in rules.d +- name: Inserts/replaces the chown rule in audit.rules when on x86_64 lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_execution_chcon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - 
no_reboot_needed | bool + - audit_rules_dac_modification_chown | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80698-4 + - CCE-80686-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_chcon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the chcon rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: Set architecture for audit lsetxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_execution_chcon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80698-4 + - CCE-80695-0 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_chcon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: 
/etc/audit/rules.d recurse: false - contains: ^.*path=/usr/sbin/setsebool.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_setsebool + register: find_lsetxattr when: - - audit_rules_execution_setsebool | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80701-6 + - CCE-80695-0 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_setsebool + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_execution_setsebool | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_lsetxattr.matched is defined and find_lsetxattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_setsebool.matched is defined and find_setsebool.matched == 0 tags: - - CCE-80701-6 + - CCE-80695-0 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - 
audit_rules_execution_setsebool + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_setsebool.files | map(attribute=''path'') | list | first }}' + - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_execution_setsebool | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_lsetxattr.matched is defined and find_lsetxattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_setsebool.matched is defined and find_setsebool.matched > 0 tags: - - CCE-80701-6 + - CCE-80695-0 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_setsebool + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the setsebool rule in rules.d +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_execution_setsebool | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool + - 
reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80701-6 + - CCE-80695-0 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_setsebool + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the setsebool rule in audit.rules +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_execution_setsebool | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80701-6 + - CCE-80695-0 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_setsebool + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path=/usr/sbin/semanage.*$ - 
patterns: '*.rules' - register: find_semanage +- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_execution_semanage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80700-8 + - CCE-80695-0 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_semanage + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_execution_semanage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_lsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - 
find_semanage.matched is defined and find_semanage.matched == 0 tags: - - CCE-80700-8 + - CCE-80695-0 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_semanage + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Set architecture for audit chmod tasks set_fact: - all_files: - - '{{ find_semanage.files | map(attribute=''path'') | list | first }}' + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_execution_semanage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_dac_modification_chmod | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_semanage.matched is defined and find_semanage.matched > 0 tags: - - CCE-80700-8 + - CCE-80685-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_semanage + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the semanage rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: 
'*.rules' + register: find_chmod when: - - audit_rules_execution_semanage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_dac_modification_chmod | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80700-8 + - CCE-80685-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_semanage + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the semanage rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_execution_semanage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_dac_modification_chmod | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_chmod.matched is defined and find_chmod.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80700-8 + - CCE-80685-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_semanage + - PCI-DSS-Req-10.5.5 + - 
audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path=/usr/sbin/restorecon.*$ - patterns: '*.rules' - register: find_restorecon +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chmod.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_execution_restorecon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_dac_modification_chmod | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_chmod.matched is defined and find_chmod.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80699-2 + - CCE-80685-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_restorecon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Inserts/replaces the chmod rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_execution_restorecon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_dac_modification_chmod | bool + - medium_severity 
| bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_restorecon.matched is defined and find_restorecon.matched == 0 tags: - - CCE-80699-2 + - CCE-80685-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_restorecon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_restorecon.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the chmod rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_execution_restorecon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_dac_modification_chmod | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_restorecon.matched is defined and find_restorecon.matched > 0 tags: - - CCE-80699-2 + - CCE-80685-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_restorecon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the restorecon rule in rules.d +- name: Inserts/replaces the chmod rule in 
/etc/audit/audit.rules when on x86 lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_execution_restorecon | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_dac_modification_chmod | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80699-2 + - CCE-80685-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_restorecon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the restorecon rule in audit.rules +- name: Inserts/replaces the chmod rule in audit.rules when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_execution_restorecon | bool - - low_complexity | bool - - low_disruption | bool + - restrict_strategy | bool + - reboot_required | bool + - audit_rules_dac_modification_chmod | bool - medium_severity | bool - - no_reboot_needed | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] + tags: + - CCE-80685-1 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Set architecture for audit removexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80699-2 + - CCE-80696-8 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_execution_restorecon + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: ^.*path=/usr/bin/gpasswd.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_gpasswd + register: find_removexattr when: - - audit_rules_privileged_commands_gpasswd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80728-9 + - CCE-80696-8 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_gpasswd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_privileged_commands_gpasswd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool + - low_disruption | bool + - low_complexity | bool + - find_removexattr.matched is defined and find_removexattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_gpasswd.matched is defined and find_gpasswd.matched == 0 tags: - - CCE-80728-9 + - CCE-80696-8 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_gpasswd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_gpasswd.files | map(attribute=''path'') | list | first }}' + - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_privileged_commands_gpasswd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | 
bool + - audit_rules_dac_modification_removexattr | bool + - low_disruption | bool + - low_complexity | bool + - find_removexattr.matched is defined and find_removexattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_gpasswd.matched is defined and find_gpasswd.matched > 0 tags: - - CCE-80728-9 + - CCE-80696-8 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_gpasswd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the gpasswd rule in rules.d +- name: Inserts/replaces the removexattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_gpasswd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80728-9 + - CCE-80696-8 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_gpasswd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the 
gpasswd rule in audit.rules +- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_gpasswd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80728-9 + - CCE-80696-8 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_gpasswd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path=/usr/bin/sudoedit.*$ - patterns: '*.rules' - register: find_sudoedit +- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_privileged_commands_sudoedit | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] - tags: - - CCE-80738-8 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudoedit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: - - audit_rules_privileged_commands_sudoedit | bool - - low_complexity | bool - - low_disruption | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_sudoedit.matched is defined and find_sudoedit.matched == 0 - tags: - - CCE-80738-8 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudoedit - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_sudoedit.files | map(attribute=''path'') | list | first }}' - when: - - audit_rules_privileged_commands_sudoedit | bool - - low_complexity | bool + - audit_rules_dac_modification_removexattr | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_sudoedit.matched is defined and find_sudoedit.matched > 0 tags: - - CCE-80738-8 + - CCE-80696-8 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudoedit + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - 
low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the sudoedit rule in rules.d +- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_privileged_commands_sudoedit | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_removexattr | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80738-8 + - CCE-80696-8 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudoedit + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the sudoedit rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: Set architecture for audit fremovexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_privileged_commands_sudoedit | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - 
medium_severity | bool + - audit_rules_dac_modification_fremovexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80738-8 + - CCE-80691-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudoedit + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: ^.*path=/usr/bin/chage.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_chage + register: find_fremovexattr when: - - audit_rules_privileged_commands_chage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fremovexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80725-5 + - CCE-80691-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chage + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - 
/etc/audit/rules.d/privileged.rules when: - - audit_rules_privileged_commands_chage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fremovexattr | bool + - low_disruption | bool + - low_complexity | bool + - find_fremovexattr.matched is defined and find_fremovexattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chage.matched is defined and find_chage.matched == 0 tags: - - CCE-80725-5 + - CCE-80691-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chage + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_chage.files | map(attribute=''path'') | list | first }}' + - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_privileged_commands_chage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fremovexattr | bool + - low_disruption | bool + - low_complexity | bool + - find_fremovexattr.matched is defined and find_fremovexattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chage.matched is defined and find_chage.matched > 0 tags: - - CCE-80725-5 + - CCE-80691-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chage + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the chage rule in rules.d +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_chage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fremovexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80725-5 + - CCE-80691-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chage + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the chage rule in audit.rules +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_chage | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - 
- no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80725-5 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chage - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path=/usr/bin/crontab.*$ - patterns: '*.rules' - register: find_crontab - when: - - audit_rules_privileged_commands_crontab | bool - - low_complexity | bool - - low_disruption | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80727-1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_crontab - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: - - audit_rules_privileged_commands_crontab | bool - - low_complexity | bool + - audit_rules_dac_modification_fremovexattr | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_crontab.matched is defined and find_crontab.matched == 0 tags: - - CCE-80727-1 + - CCE-80691-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_crontab + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_crontab.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_privileged_commands_crontab | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fremovexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_crontab.matched is defined and find_crontab.matched > 0 tags: - - CCE-80727-1 + - CCE-80691-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_crontab + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the crontab rule in rules.d +- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: 
true when: - - audit_rules_privileged_commands_crontab | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fremovexattr | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80727-1 + - CCE-80691-9 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_crontab + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the crontab rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: Set architecture for audit fchownat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_privileged_commands_crontab | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80727-1 + - CCE-80690-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_crontab + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity 
- - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: ^.*path=/usr/bin/chsh.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_chsh + register: find_fchownat when: - - audit_rules_privileged_commands_chsh | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80726-3 + - CCE-80690-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chsh + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_privileged_commands_chsh | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_fchownat.matched is defined and find_fchownat.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chsh.matched is defined and 
find_chsh.matched == 0 tags: - - CCE-80726-3 + - CCE-80690-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chsh + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_chsh.files | map(attribute=''path'') | list | first }}' + - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_privileged_commands_chsh | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_fchownat.matched is defined and find_fchownat.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chsh.matched is defined and find_chsh.matched > 0 tags: - - CCE-80726-3 + - CCE-80690-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chsh + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the chsh rule in rules.d +- name: Inserts/replaces the fchownat rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - 
audit_rules_privileged_commands_chsh | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80726-3 + - CCE-80690-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chsh + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the chsh rule in audit.rules +- name: Inserts/replaces the fchownat rule in rules.d when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_chsh | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80726-3 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_chsh - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: 
^.*path=/usr/bin/su.*$ - patterns: '*.rules' - register: find_su - when: - - audit_rules_privileged_commands_su | bool - - low_complexity | bool - - low_disruption | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80736-2 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_su - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: - - audit_rules_privileged_commands_su | bool - - low_complexity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_su.matched is defined and find_su.matched == 0 tags: - - CCE-80736-2 + - CCE-80690-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_su + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_su.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - 
- audit_rules_privileged_commands_su | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_su.matched is defined and find_su.matched > 0 tags: - - CCE-80736-2 + - CCE-80690-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_su + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the su rule in rules.d +- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_privileged_commands_su | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fchownat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80736-2 + - CCE-80690-1 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_su + - PCI-DSS-Req-10.5.5 + - 
audit_rules_dac_modification_fchownat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the su rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: Set architecture for audit fchmod tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_privileged_commands_su | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fchmod | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80736-2 + - CCE-80687-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_su + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: ^.*path=/usr/bin/umount.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_umount + register: find_fchmod when: - - audit_rules_privileged_commands_umount | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fchmod | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] tags: - - CCE-80739-6 + - CCE-80687-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_umount + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_privileged_commands_umount | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fchmod | bool + - low_disruption | bool + - low_complexity | bool + - find_fchmod.matched is defined and find_fchmod.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_umount.matched is defined and find_umount.matched == 0 tags: - - CCE-80739-6 + - CCE-80687-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_umount + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_umount.files | map(attribute=''path'') | list | first }}' + - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_privileged_commands_umount | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - 
restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fchmod | bool + - low_disruption | bool + - low_complexity | bool + - find_fchmod.matched is defined and find_fchmod.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_umount.matched is defined and find_umount.matched > 0 tags: - - CCE-80739-6 + - CCE-80687-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_umount + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the umount rule in rules.d +- name: Inserts/replaces the fchmod rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_umount | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fchmod | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80739-6 + - CCE-80687-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_umount + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the umount rule in 
audit.rules +- name: Inserts/replaces the fchmod rule in rules.d when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_umount | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80739-6 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_umount - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path=/usr/bin/newgrp.*$ - patterns: '*.rules' - register: find_newgrp - when: - - audit_rules_privileged_commands_newgrp | bool - - low_complexity | bool - - low_disruption | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80729-7 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgrp - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: - - audit_rules_privileged_commands_newgrp | bool - - low_complexity | bool + - 
audit_rules_dac_modification_fchmod | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_newgrp.matched is defined and find_newgrp.matched == 0 tags: - - CCE-80729-7 + - CCE-80687-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgrp + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_newgrp.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_privileged_commands_newgrp | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fchmod | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_newgrp.matched is defined and find_newgrp.matched > 0 tags: - - CCE-80729-7 + - CCE-80687-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgrp + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod - low_complexity - 
low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the newgrp rule in rules.d +- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_privileged_commands_newgrp | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_fchmod | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80729-7 + - CCE-80687-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgrp + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the newgrp rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: Set architecture for audit lchown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_privileged_commands_newgrp | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - 
audit_rules_dac_modification_lchown | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80729-7 + - CCE-80693-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_newgrp + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: ^.*path=/usr/sbin/pam_timestamp_check.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_pam_timestamp_check + register: find_lchown when: - - audit_rules_privileged_commands_pam_timestamp_check | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lchown | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80730-5 + - CCE-80693-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pam_timestamp_check + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - 
/etc/audit/rules.d/privileged.rules when: - - audit_rules_privileged_commands_pam_timestamp_check | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lchown | bool + - low_disruption | bool + - low_complexity | bool + - find_lchown.matched is defined and find_lchown.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_pam_timestamp_check.matched is defined and find_pam_timestamp_check.matched == 0 tags: - - CCE-80730-5 + - CCE-80693-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pam_timestamp_check + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_pam_timestamp_check.files | map(attribute=''path'') | list | first }}' + - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_privileged_commands_pam_timestamp_check | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lchown | bool + - low_disruption | bool + - low_complexity | bool + - find_lchown.matched is defined and find_lchown.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_pam_timestamp_check.matched is defined and find_pam_timestamp_check.matched > 0 tags: - - CCE-80730-5 + - CCE-80693-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pam_timestamp_check + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the pam_timestamp_check rule in rules.d +- name: Inserts/replaces the lchown rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_pam_timestamp_check | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lchown | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80730-5 + - CCE-80693-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pam_timestamp_check + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the pam_timestamp_check rule in audit.rules +- name: Inserts/replaces the lchown rule in rules.d when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_pam_timestamp_check | bool - - 
low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80730-5 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_pam_timestamp_check - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path=/usr/sbin/postqueue.*$ - patterns: '*.rules' - register: find_postqueue - when: - - audit_rules_privileged_commands_postqueue | bool - - low_complexity | bool - - low_disruption | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80733-9 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postqueue - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: - - audit_rules_privileged_commands_postqueue | bool - - low_complexity | bool + - audit_rules_dac_modification_lchown | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_postqueue.matched is defined and find_postqueue.matched == 0 tags: - - CCE-80733-9 + - CCE-80693-5 + - 
CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postqueue + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_postqueue.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_privileged_commands_postqueue | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lchown | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_postqueue.matched is defined and find_postqueue.matched > 0 tags: - - CCE-80733-9 + - CCE-80693-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postqueue + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the postqueue rule in rules.d +- name: Inserts/replaces the lchown rule in audit.rules when on x86_64 lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + 
state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_privileged_commands_postqueue | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lchown | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80733-9 + - CCE-80693-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postqueue + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the postqueue rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: Set architecture for audit fsetxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_privileged_commands_postqueue | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80733-9 + - CCE-80692-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postqueue + - PCI-DSS-Req-10.5.5 + - 
audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: ^.*path=/usr/bin/passwd.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_passwd + register: find_fsetxattr when: - - audit_rules_privileged_commands_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80731-3 + - CCE-80692-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_passwd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_privileged_commands_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0 - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_passwd.matched is defined and find_passwd.matched == 0 tags: - - CCE-80731-3 + - CCE-80692-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_passwd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_passwd.files | map(attribute=''path'') | list | first }}' + - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_privileged_commands_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_passwd.matched is defined and find_passwd.matched > 0 tags: - - CCE-80731-3 + - CCE-80692-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_passwd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the passwd rule in rules.d +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset 
-F key=privileged + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80731-3 + - CCE-80692-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_passwd - - low_complexity + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr + - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the passwd rule in audit.rules +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_passwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80731-3 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_passwd - - low_complexity - - low_disruption - - medium_severity - - 
no_reboot_needed - - restrict_strategy - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path=/usr/sbin/postdrop.*$ - patterns: '*.rules' - register: find_postdrop - when: - - audit_rules_privileged_commands_postdrop | bool - - low_complexity | bool - - low_disruption | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80732-1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postdrop - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules - when: - - audit_rules_privileged_commands_postdrop | bool - - low_complexity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_postdrop.matched is defined and find_postdrop.matched == 0 tags: - - CCE-80732-1 + - CCE-80692-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postdrop + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_postdrop.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the fsetxattr 
rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_privileged_commands_postdrop | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_postdrop.matched is defined and find_postdrop.matched > 0 tags: - - CCE-80732-1 + - CCE-80692-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postdrop + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the postdrop rule in rules.d +- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_privileged_commands_postdrop | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_fsetxattr | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] tags: - - CCE-80732-1 + - CCE-80692-7 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postdrop + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the postdrop rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: Set architecture for audit fchmodat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_privileged_commands_postdrop | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80732-1 + - CCE-80688-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_postdrop + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: ^.*path=/usr/sbin/unix_chkpwd.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_unix_chkpwd + register: find_fchmodat when: - - audit_rules_privileged_commands_unix_chkpwd | bool - - low_complexity | bool - - 
low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80740-4 + - CCE-80688-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_unix_chkpwd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_privileged_commands_unix_chkpwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool + - low_complexity | bool + - find_fchmodat.matched is defined and find_fchmodat.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_unix_chkpwd.matched is defined and find_unix_chkpwd.matched == 0 tags: - - CCE-80740-4 + - CCE-80688-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv) - NIST-800-53-AU-2(d) - 
- NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_unix_chkpwd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_unix_chkpwd.files | map(attribute=''path'') | list | first }}' + - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_privileged_commands_unix_chkpwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool + - low_complexity | bool + - find_fchmodat.matched is defined and find_fchmodat.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_unix_chkpwd.matched is defined and find_unix_chkpwd.matched > 0 tags: - - CCE-80740-4 + - CCE-80688-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(a) - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv) - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_unix_chkpwd + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the unix_chkpwd rule in rules.d +- name: Inserts/replaces the fchmodat rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b32 -S fchmodat 
-F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_unix_chkpwd | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80740-4 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_unix_chkpwd - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Inserts/replaces the unix_chkpwd rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged - create: true - when: - - audit_rules_privileged_commands_unix_chkpwd | bool - - low_complexity | bool - - low_disruption | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80740-4 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-2(4) - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(a) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-12.1(ii) - - NIST-800-53-AU-12.1(iv) - - NIST-800-53-AU-2(d) - - NIST-800-53-AU-3 - - NIST-800-53-AU-3.1 - - NIST-800-53-CM-6(a) - - NIST-800-53-MA-4(1)(a) - - audit_rules_privileged_commands_unix_chkpwd - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*path=/usr/bin/sudo.*$ - patterns: '*.rules' - 
register: find_sudo - when: - - audit_rules_privileged_commands_sudo | bool - - low_complexity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool + - audit_rules_dac_modification_fchmodat | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80737-0 + - CCE-80688-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudo + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true when: - - audit_rules_privileged_commands_sudo | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_sudo.matched is defined and find_sudo.matched == 0 tags: - - CCE-80737-0 + - CCE-80688-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudo + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - 
no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_sudo.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true when: - - audit_rules_privileged_commands_sudo | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_sudo.matched is defined and find_sudo.matched > 0 tags: - - CCE-80737-0 + - CCE-80688-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudo + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the sudo rule in rules.d +- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules create: true when: - - audit_rules_privileged_commands_sudo | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - 
low_disruption | bool + - audit_rules_dac_modification_fchmodat | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80737-0 + - CCE-80688-5 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudo + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the sudo rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged - create: true +- name: Set architecture for audit lremovexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_privileged_commands_sudo | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lremovexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80737-0 + - CCE-80694-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_sudo + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: 
^.*path=/usr/sbin/userhelper.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_userhelper + register: find_lremovexattr when: - - audit_rules_privileged_commands_userhelper | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lremovexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80741-2 + - CCE-80694-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_userhelper + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_privileged_commands_userhelper | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lremovexattr | bool + - low_disruption | bool + - low_complexity | bool + - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_userhelper.matched is defined and find_userhelper.matched == 0 tags: - - CCE-80741-2 + - CCE-80694-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - 
audit_rules_privileged_commands_userhelper + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_userhelper.files | map(attribute=''path'') | list | first }}' + - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_privileged_commands_userhelper | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lremovexattr | bool + - low_disruption | bool + - low_complexity | bool + - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_userhelper.matched is defined and find_userhelper.matched > 0 tags: - - CCE-80741-2 + - CCE-80694-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_userhelper + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the userhelper rule in rules.d +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_userhelper | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | 
bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lremovexattr | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80741-2 + - CCE-80694-3 + - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_userhelper + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the userhelper rule in audit.rules +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod create: true when: - - audit_rules_privileged_commands_userhelper | bool + - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lremovexattr | bool + - low_disruption | bool - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80694-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: 
/etc/audit/audit.rules + create: true + when: + - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_dac_modification_lremovexattr | bool - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80694-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_dac_modification_lremovexattr | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80694-3 + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Set architecture for audit truncate tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_truncate | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - 
CCE-80741-2 + - CCE-80756-0 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_userhelper + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for audit rule entries +- name: Search /etc/audit/rules.d for other DAC audit rules find: paths: /etc/audit/rules.d recurse: false - contains: ^.*path=/usr/libexec/openssh/ssh-keysign.*$ + contains: -F key=perm_mod$ patterns: '*.rules' - register: find_ssh_keysign + register: find_truncate when: - - audit_rules_privileged_commands_ssh_keysign | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_truncate | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80735-4 + - CCE-80756-0 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_ssh_keysign + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/access.rules when: - - audit_rules_privileged_commands_ssh_keysign | bool - - low_complexity | bool - - low_disruption | bool - - 
medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_truncate | bool + - low_disruption | bool + - low_complexity | bool + - find_truncate.matched is defined and find_truncate.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_ssh_keysign.matched is defined and find_ssh_keysign.matched == 0 tags: - - CCE-80735-4 + - CCE-80756-0 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_ssh_keysign + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_ssh_keysign.files | map(attribute=''path'') | list | first }}' + - '{{ find_truncate.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_privileged_commands_ssh_keysign | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_truncate | bool + - low_disruption | bool + - low_complexity | bool + - find_truncate.matched is defined and find_truncate.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_ssh_keysign.matched is defined and find_ssh_keysign.matched > 0 tags: - - CCE-80735-4 + - CCE-80756-0 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_ssh_keysign + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - 
audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the ssh_keysign rule in rules.d +- name: Inserts/replaces the truncate rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged + line: '{{ item }}' create: true + with_items: + - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_privileged_commands_ssh_keysign | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_truncate | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80735-4 + - CCE-80756-0 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_ssh_keysign + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Inserts/replaces the ssh_keysign rule in audit.rules +- name: Inserts/replaces the truncate rule in rules.d when on x86_64 lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged + path: '{{ all_files[0] }}' + line: '{{ item }}' create: true + with_items: + - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F 
auid!=unset -F key=access + - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_privileged_commands_ssh_keysign | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_truncate | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80735-4 + - CCE-80756-0 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - audit_rules_privileged_commands_ssh_keysign + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Inserts/replaces the truncate rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_adjtimex | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_truncate | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] tags: - - CCE-80745-3 - - CJIS-5.4.1.1 + - CCE-80756-0 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_adjtimex + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and 
find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + 
' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Inserts/replaces the truncate rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_adjtimex | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_truncate | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80745-3 - - CJIS-5.4.1.1 + - CCE-80756-0 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_adjtimex + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for adjtimex for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - adjtimex - - name: Declare number of syscalls - set_fact: 
audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: Set architecture for audit openat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_time_adjtimex | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_unsuccessful_file_modification_openat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch == "b64" tags: - - 
CCE-80745-3 - - CJIS-5.4.1.1 + - CCE-80754-5 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_adjtimex + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for stime syscall for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - stime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: 
Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - stime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert 
the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_openat when: - - audit_rules_time_stime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_unsuccessful_file_modification_openat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80748-7 - - CJIS-5.4.1.1 + - CCE-80754-5 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_stime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit tasks +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - /etc/audit/rules.d/access.rules when: - - audit_rules_time_clock_settime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_unsuccessful_file_modification_openat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_openat.matched is defined and find_openat.matched == 0 - ansible_virtualization_type 
not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80746-1 - - CJIS-5.4.1.1 + - CCE-80754-5 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_clock_settime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for clock_settime for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key time-change - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)time-change$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/time-change.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: 
find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - 
name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_openat.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_time_clock_settime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_unsuccessful_file_modification_openat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_openat.matched is defined and find_openat.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80746-1 - - CJIS-5.4.1.1 + - CCE-80754-5 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_clock_settime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for clock_settime for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item 
}}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key time-change - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)time-change$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/time-change.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - clock_settime - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of 
syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: Inserts/replaces the openat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_clock_settime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_unsuccessful_file_modification_openat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - 
low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch == "b64" tags: - - CCE-80746-1 - - CJIS-5.4.1.1 + - CCE-80754-5 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_clock_settime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ - patterns: '*.rules' - register: find_existing_watch_rules_d +- name: Inserts/replaces the openat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_watch_localtime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_unsuccessful_file_modification_openat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80749-5 - - CJIS-5.4.1.1 + - CCE-80754-5 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - 
audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_watch_key +- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_watch_localtime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_unsuccessful_file_modification_openat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80749-5 - - CJIS-5.4.1.1 + - CCE-80754-5 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules +- name: Inserts/replaces the openat rule in audit.rules when on x86_64 + lineinfile: + 
line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_watch_localtime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_unsuccessful_file_modification_openat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80749-5 - - CJIS-5.4.1.1 + - CCE-80754-5 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Set architecture for audit creat tasks set_fact: - all_files: - - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_time_watch_localtime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_creat | bool + - low_disruption | bool + - 
low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and - find_existing_watch_rules_d.matched == 0 tags: - - CCE-80749-5 - - CJIS-5.4.1.1 + - CCE-80751-1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/ - lineinfile: - path: '{{ all_files[0] }}' - line: -w /etc/localtime -p wa -k audit_time_rules - create: true - mode: '0640' +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_creat when: - - audit_rules_time_watch_localtime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_creat | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - - CCE-80749-5 - - CJIS-5.4.1.1 + - CCE-80751-1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption - 
medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules - find: - paths: /etc/audit/ - contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ - patterns: audit.rules - register: find_existing_watch_audit_rules +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules when: - - audit_rules_time_watch_localtime | bool - - low_complexity | bool - - low_disruption | bool + - restrict_strategy | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool + - audit_rules_unsuccessful_file_modification_creat | bool + - low_disruption | bool + - low_complexity | bool + - find_creat.matched is defined and find_creat.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80751-1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_creat.files | map(attribute=''path'') | list | first }}' + when: - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_creat | bool + - low_disruption | bool + - low_complexity | bool + - find_creat.matched is defined and find_creat.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80749-5 - - CJIS-5.4.1.1 + - CCE-80751-1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - 
audit_rules_time_watch_localtime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules +- name: Inserts/replaces the creat rule in rules.d when on x86 lineinfile: - line: -w /etc/localtime -p wa -k audit_time_rules - state: present - dest: /etc/audit/audit.rules + path: '{{ all_files[0] }}' + line: '{{ item }}' create: true - mode: '0640' + with_items: + - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_watch_localtime | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_creat | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - - CCE-80749-5 - - CJIS-5.4.1.1 + - CCE-80751-1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_watch_localtime + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Inserts/replaces the creat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] 
}}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_settimeofday | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_creat | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80747-9 - - CJIS-5.4.1.1 + - CCE-80751-1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_settimeofday + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for settimeofday for x86 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b32_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b32_rules_d="{{ 
audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: 
audit_syscalls_found_b32_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b32" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls +- name: Inserts/replaces the creat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_settimeofday | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_creat | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80747-9 - - CJIS-5.4.1.1 + - CCE-80751-1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_settimeofday + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Perform remediation of Audit rules for settimeofday for x86_64 platform - block: - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ - find: - paths: /etc/audit/rules.d - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: '*.rules' - register: audit_syscalls_found_b64_rules_d - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int - }}" - - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules - find: - paths: /etc/audit/rules.d - contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ - patterns: '*.rules' - register: find_syscalls_files - - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/audit_time_rules.rules - when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first }}' - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - - name: Insert the syscall rule in {{ all_files[0] }} - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: 
tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_rules_d.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in {{ all_files[0] }} - lineinfile: - path: '{{ all_files[0] }}' - line: '{{ tmpline }}' - create: true - state: present - when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls - - name: Declare list of syscals - set_fact: - syscalls: - - settimeofday - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules - find: - paths: /etc/audit - contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - patterns: audit.rules - register: audit_syscalls_found_b64_audit_rules - loop: '{{ syscalls }}' - - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int - }}" - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: 'Construct rule: add rule list, action and arch' - set_fact: tmpline="-a always,exit -F arch=b64" - - name: 'Construct rule: add syscalls' - set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" - loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' - when: item.matched is defined and item.matched == 0 - - name: 'Construct rule: add fields and key' - set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: '{{ tmpline }}' - create: true 
- state: present - when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls +- name: Inserts/replaces the creat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_time_settimeofday | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_creat | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch == "b64" tags: - - CCE-80747-9 - - CJIS-5.4.1.1 + - CCE-80751-1 - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.4.2.b - - audit_rules_time_settimeofday + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption - medium_severity - - no_reboot_needed + - reboot_required - restrict_strategy -- name: Set architecture for audit lchown tasks +- name: Set architecture for audit open tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_dac_modification_lchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80693-5 - - CJIS-5.4.1.1 + - CCE-80753-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption - medium_severity 
@@ -10405,52 +9675,52 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_lchown + register: find_open when: - - audit_rules_dac_modification_lchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80693-5 - - CJIS-5.4.1.1 + - CCE-80753-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/access.rules when: - - audit_rules_dac_modification_lchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_open.matched is defined and find_open.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_lchown.matched is defined and find_lchown.matched == 0 tags: - - CCE-80693-5 - - CJIS-5.4.1.1 + - CCE-80753-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - 
PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption - medium_severity 
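Review bot: The recipient search in this hunk still uses `contains: -F key=perm_mod$` (a context line, so the commit left it as is), but the rules this task group now writes carry `-F key=access` (see the `with_items` lines in the hunk at L250) and the fallback file was renamed to `/etc/audit/rules.d/access.rules`. As written, a rules.d file holding perm_mod (DAC) rules is selected as the recipient for the access-keyed rules, while a file that already holds access rules is not matched by `find_open` at all, so the selection no longer agrees with the key the rules are filed under. The search should be `contains: -F key=access$` so `find_open.matched` reflects the ruleset actually being extended; the hunks at L254 (`find_open_by_handle_at`) and L261 (`find_ftruncate`) have the same mismatch. The `find:` task whose `register:` is changed here starts outside this hunk.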
@@ -10460,167 +9730,179 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' + - '{{ find_open.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_lchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_open.matched is defined and find_open.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_lchown.matched is defined and find_lchown.matched > 0 tags: - - CCE-80693-5 - - CJIS-5.4.1.1 + - CCE-80753-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lchown rule in rules.d when on x86 +- name: Inserts/replaces the open rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' create: true + with_items: + - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_lchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + 
- low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80693-5 - - CJIS-5.4.1.1 + - CCE-80753-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lchown rule in rules.d when on x86_64 +- name: Inserts/replaces the open rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' create: true + with_items: + - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_lchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80693-5 - - CJIS-5.4.1.1 + - CCE-80753-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption - medium_severity - reboot_required - 
restrict_strategy -- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' state: present dest: /etc/audit/audit.rules create: true + with_items: + - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_lchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80693-5 - - CJIS-5.4.1.1 + - CCE-80753-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lchown rule in audit.rules when on x86_64 +- name: Inserts/replaces the open rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' state: present dest: /etc/audit/audit.rules create: true + with_items: + - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_lchown | bool - - 
low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80693-5 - - CJIS-5.4.1.1 + - CCE-80753-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lchown + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fchmod tasks +- name: Set architecture for audit open_by_handle_at tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_dac_modification_fchmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80687-7 - - CJIS-5.4.1.1 + - CCE-80755-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption - medium_severity 
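Review bot: The four `lineinfile` tasks in this hunk keep `create: true` on the recipient file but set no `mode`, so a freshly created `/etc/audit/rules.d/access.rules` (or `/etc/audit/audit.rules`) takes whatever the umask gives it; the watch-rule tasks this commit removes carried `mode: '0640'` alongside `create: true`, and the rules files should stay root-readable only. Adding `mode: '0640'` under each `create: true` restores that; the hunk at L256 has the same four tasks for open_by_handle_at. The task names say "Inserts/replaces" but with no `regexp:` and `state: present`, lineinfile only appends a missing exact line and never replaces a differing existing rule for the same syscall, which is worth reflecting in the names or the module arguments. The trailing `Set architecture for audit open_by_handle_at tasks` task continues past the end of this hunk.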
@@ -10633,52 +9915,52 @@ recurse: false contains: -F key=perm_mod$ patterns: '*.rules' - register: find_fchmod + register: find_open_by_handle_at when: - - audit_rules_dac_modification_fchmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80687-7 - - CJIS-5.4.1.1 + - CCE-80755-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/access.rules when: - - audit_rules_dac_modification_fchmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fchmod.matched is defined and find_fchmod.matched == 0 tags: - - CCE-80687-7 - - CJIS-5.4.1.1 + - CCE-80755-2 - 
NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption - medium_severity 
@@ -10688,167 +9970,179 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}' + - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_fchmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fchmod.matched is defined and find_fchmod.matched > 0 tags: - - CCE-80687-7 - - CJIS-5.4.1.1 + - CCE-80755-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmod rule in rules.d when on x86 +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' create: true + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_fchmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - 
reboot_required | bool + - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80687-7 - - CJIS-5.4.1.1 + - CCE-80755-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmod rule in rules.d when on x86_64 +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' create: true + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_fchmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80687-7 - - CJIS-5.4.1.1 + - CCE-80755-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - 
audit_rules_dac_modification_fchmod + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' state: present dest: /etc/audit/audit.rules create: true + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_fchmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80687-7 - - CJIS-5.4.1.1 + - CCE-80755-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 +- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' state: present dest: 
/etc/audit/audit.rules create: true + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_fchmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - audit_rules_unsuccessful_file_modification_open_by_handle_at | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80687-7 - - CJIS-5.4.1.1 + - CCE-80755-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmod + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fremovexattr tasks +- name: Set architecture for audit ftruncate tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_dac_modification_fremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_ftruncate | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80691-9 - - CJIS-5.4.1.1 + - CCE-80752-9 - NIST-800-171-3.1.7 - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity 
@@ -10861,52 +10155,52 @@
 recurse: false
 contains: -F key=perm_mod$
 patterns: '*.rules'
- register: find_fremovexattr
+ register: find_ftruncate
 when:
- - audit_rules_dac_modification_fremovexattr | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - reboot_required | bool
 - restrict_strategy | bool
+ - reboot_required | bool
+ - medium_severity | bool
+ - audit_rules_unsuccessful_file_modification_ftruncate | bool
+ - low_disruption | bool
+ - low_complexity | bool
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
- - CCE-80691-9
- - CJIS-5.4.1.1
+ - CCE-80752-9
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fremovexattr
+ - PCI-DSS-Req-10.2.1
+ - PCI-DSS-Req-10.2.4
+ - audit_rules_unsuccessful_file_modification_ftruncate
 - low_complexity
 - low_disruption
 - medium_severity
 - reboot_required
 - restrict_strategy
 
-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule
+- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule
 set_fact:
 all_files:
- - /etc/audit/rules.d/privileged.rules
+ - /etc/audit/rules.d/access.rules
 when:
- - audit_rules_dac_modification_fremovexattr | bool
- - low_complexity | bool
- - low_disruption | bool
- - medium_severity | bool
- - reboot_required | bool
 - restrict_strategy | bool
+ - reboot_required | bool
+ - medium_severity | bool
+ - audit_rules_unsuccessful_file_modification_ftruncate | bool
+ - low_disruption | bool
+ - low_complexity | bool
+ - find_ftruncate.matched is defined and find_ftruncate.matched == 0
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - find_fremovexattr.matched is defined and find_fremovexattr.matched == 0
 tags:
- - CCE-80691-9
- - CJIS-5.4.1.1
+ - CCE-80752-9
 - NIST-800-171-3.1.7
 - NIST-800-53-AU-12(c)
 - NIST-800-53-AU-2(d)
 - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-10.5.5
- - audit_rules_dac_modification_fremovexattr
+ - PCI-DSS-Req-10.2.1
+ - PCI-DSS-Req-10.2.4
+ - audit_rules_unsuccessful_file_modification_ftruncate
 - low_complexity
 - low_disruption
 - medium_severity
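Review bot: The search that now registers `find_ftruncate` still runs against the unchanged context line `contains: -F key=perm_mod$`, so it matches DAC (perm_mod) rule files, while the ftruncate rules this result feeds carry `-F key=access` and the new fallback file is `/etc/audit/rules.d/access.rules`. Whenever a perm_mod-keyed file exists in rules.d, the matched-file branch will append the access-keyed ftruncate lines to that file rather than the access rule file, which contradicts the fallback chosen here and leaves the rule in a place later access-keyed searches will not find. The search pattern should follow the key the rule uses: `contains: -F key=access$`. The `name:` and `find:` lines of this task begin before the hunk, and the set_fact branch that consumes `find_ftruncate.files` is in the following hunk.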
@@ -10916,851 +10210,951 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_ftruncate.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_fremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_ftruncate | bool + - low_disruption | bool + - low_complexity | bool + - find_ftruncate.matched is defined and find_ftruncate.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fremovexattr.matched is defined and find_fremovexattr.matched > 0 tags: - - CCE-80691-9 - - CJIS-5.4.1.1 + - CCE-80752-9 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 +- name: Inserts/replaces the ftruncate rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' create: true + with_items: + - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_fremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool 
+ - medium_severity | bool + - audit_rules_unsuccessful_file_modification_ftruncate | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80691-9 - - CJIS-5.4.1.1 + - CCE-80752-9 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 +- name: Inserts/replaces the ftruncate rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' create: true + with_items: + - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_fremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_ftruncate | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80691-9 - - CJIS-5.4.1.1 + - CCE-80752-9 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - PCI-DSS-Req-10.2.1 + - 
PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the ftruncate rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' state: present dest: /etc/audit/audit.rules create: true + with_items: + - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_fremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_ftruncate | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80691-9 - - CJIS-5.4.1.1 + - CCE-80752-9 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 +- name: Inserts/replaces the ftruncate rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: '{{ item }}' state: present dest: /etc/audit/audit.rules create: true + with_items: + - -a always,exit -F arch=b64 -S ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access when: - - audit_rules_dac_modification_fremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' - tags: - - CCE-80691-9 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fremovexattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit chmod tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - audit_rules_dac_modification_chmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - reboot_required | bool - - restrict_strategy | bool + - medium_severity | bool + - audit_rules_unsuccessful_file_modification_ftruncate | bool + - low_disruption | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80685-1 - - CJIS-5.4.1.1 + - CCE-80752-9 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false - contains: -F key=perm_mod$ + 
contains: ^.*path=/usr/sbin/setsebool.*$ patterns: '*.rules' - register: find_chmod + register: find_setsebool when: - - audit_rules_dac_modification_chmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_execution_setsebool | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80685-1 - - CJIS-5.4.1.1 + - CCE-80701-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_execution_setsebool - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_dac_modification_chmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_execution_setsebool | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_setsebool.matched is defined and find_setsebool.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chmod.matched is defined and find_chmod.matched == 0 tags: - - CCE-80685-1 - - CJIS-5.4.1.1 + - CCE-80701-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_execution_setsebool - 
low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_chmod.files | map(attribute=''path'') | list | first }}' + - '{{ find_setsebool.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_chmod | bool - - low_complexity | bool - - low_disruption | bool + - no_reboot_needed | bool + - audit_rules_execution_setsebool | bool + - restrict_strategy | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - low_disruption | bool + - low_complexity | bool + - find_setsebool.matched is defined and find_setsebool.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chmod.matched is defined and find_chmod.matched > 0 tags: - - CCE-80685-1 - - CJIS-5.4.1.1 + - CCE-80701-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_execution_setsebool - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the chmod rule in rules.d when on x86 +- name: Inserts/replaces the setsebool rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_chmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_execution_setsebool | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80685-1 - - CJIS-5.4.1.1 + - CCE-80701-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_execution_setsebool - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the chmod rule in rules.d when on x86_64 +- name: Inserts/replaces the setsebool rule in audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_chmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_execution_setsebool | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80685-1 - - CJIS-5.4.1.1 + - CCE-80701-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_execution_setsebool - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: 
/etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/semanage.*$ + patterns: '*.rules' + register: find_semanage when: - - audit_rules_dac_modification_chmod | bool - - low_complexity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - audit_rules_execution_semanage | bool + - medium_severity | bool - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80700-8 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_semanage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - no_reboot_needed | bool + - restrict_strategy | bool + - audit_rules_execution_semanage | bool - medium_severity | bool - - reboot_required | bool + - low_disruption | bool + - low_complexity | bool + - find_semanage.matched is defined and find_semanage.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80700-8 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_semanage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_semanage.files | map(attribute=''path'') | list | first }}' + when: + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_execution_semanage | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_semanage.matched is defined and find_semanage.matched > 0 
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80685-1 - - CJIS-5.4.1.1 + - CCE-80700-8 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_execution_semanage - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the chmod rule in audit.rules when on x86_64 +- name: Inserts/replaces the semanage rule in rules.d lineinfile: - line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_chmod | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_execution_semanage | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80685-1 - - CJIS-5.4.1.1 + - CCE-80700-8 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chmod + - audit_rules_execution_semanage - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit lremovexattr tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Inserts/replaces the semanage rule in audit.rules + lineinfile: + path: 
/etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_dac_modification_lremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_execution_semanage | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80694-3 - - CJIS-5.4.1.1 + - CCE-80700-8 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - audit_rules_execution_semanage - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false - contains: -F key=perm_mod$ + contains: ^.*path=/usr/bin/chcon.*$ patterns: '*.rules' - register: find_lremovexattr + register: find_chcon when: - - audit_rules_dac_modification_lremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_execution_chcon | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80694-3 - - CJIS-5.4.1.1 + - CCE-80698-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - audit_rules_execution_chcon - low_complexity - 
low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_dac_modification_lremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_execution_chcon | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_chcon.matched is defined and find_chcon.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0 tags: - - CCE-80694-3 - - CJIS-5.4.1.1 + - CCE-80698-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - audit_rules_execution_chcon - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_chcon.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_lremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_execution_chcon | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_chcon.matched is defined and find_chcon.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] - - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0 tags: - - CCE-80694-3 - - CJIS-5.4.1.1 + - CCE-80698-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - audit_rules_execution_chcon - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 +- name: Inserts/replaces the chcon rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_lremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_execution_chcon | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80694-3 - - CJIS-5.4.1.1 + - CCE-80698-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - audit_rules_execution_chcon - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 +- name: Inserts/replaces the chcon rule in audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/chcon -F auid>=1000 
-F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_lremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_execution_chcon | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80694-3 - - CJIS-5.4.1.1 + - CCE-80698-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - audit_rules_execution_chcon - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/restorecon.*$ + patterns: '*.rules' + register: find_restorecon when: - - audit_rules_dac_modification_lremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_execution_restorecon | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80694-3 - - CJIS-5.4.1.1 + - CCE-80699-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - 
audit_rules_dac_modification_lremovexattr + - audit_rules_execution_restorecon - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_dac_modification_lremovexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_execution_restorecon | bool + - low_disruption | bool + - low_complexity | bool + - find_restorecon.matched is defined and find_restorecon.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80694-3 - - CJIS-5.4.1.1 + - CCE-80699-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lremovexattr + - audit_rules_execution_restorecon - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit fchown tasks +- name: Use matched file as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - '{{ find_restorecon.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_fchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - 
restrict_strategy | bool + - medium_severity | bool + - audit_rules_execution_restorecon | bool + - low_disruption | bool + - low_complexity | bool + - find_restorecon.matched is defined and find_restorecon.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80689-3 - - CJIS-5.4.1.1 + - CCE-80699-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - audit_rules_execution_restorecon - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_fchown +- name: Inserts/replaces the restorecon rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_dac_modification_fchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_execution_restorecon | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80689-3 - - CJIS-5.4.1.1 + - CCE-80699-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - audit_rules_execution_restorecon - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for 
the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Inserts/replaces the restorecon rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_dac_modification_fchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_execution_restorecon | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fchown.matched is defined and find_fchown.matched == 0 tags: - - CCE-80689-3 - - CJIS-5.4.1.1 + - CCE-80699-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - audit_rules_execution_restorecon - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule +- name: Set architecture for audit rmdir tasks set_fact: - all_files: - - '{{ find_fchown.files | map(attribute=''path'') | list | first }}' + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_dac_modification_fchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_rmdir | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fchown.matched is defined and find_fchown.matched > 0 tags: - - CCE-80689-3 - - CJIS-5.4.1.1 + - CCE-80705-7 - 
NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchown rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=delete$ + patterns: '*.rules' + register: find_rmdir when: - - audit_rules_dac_modification_fchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - audit_rules_file_deletion_events_rmdir | bool + - restrict_strategy | bool - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80705-7 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/delete.rules + when: + - audit_rules_file_deletion_events_rmdir | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_rmdir.matched is defined and find_rmdir.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80689-3 - - CJIS-5.4.1.1 + - CCE-80705-7 - NIST-800-171-3.1.7 - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchown rule in rules.d when on x86_64 +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_rmdir.files | map(attribute=''path'') | list | first }}' + when: + - audit_rules_file_deletion_events_rmdir | bool + - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_rmdir.matched is defined and find_rmdir.matched > 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80705-7 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rmdir rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete create: true when: - - audit_rules_dac_modification_fchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_rmdir | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80705-7 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rmdir rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: + - audit_rules_file_deletion_events_rmdir | bool + - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80689-3 - - CJIS-5.4.1.1 + - CCE-80705-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the rmdir rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_fchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_rmdir | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80689-3 - - CJIS-5.4.1.1 + - CCE-80705-7 - NIST-800-171-3.1.7 - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchown rule in audit.rules when on x86_64 +- name: Inserts/replaces the rmdir rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_fchown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_rmdir | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80689-3 - - CJIS-5.4.1.1 + - CCE-80705-7 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchown + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit lsetxattr tasks +- name: Set architecture for audit unlinkat tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_dac_modification_lsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_unlinkat 
| bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80695-0 - - CJIS-5.4.1.1 + - CCE-80707-3 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat - low_complexity - low_disruption - medium_severity 
@@ -11771,54 +11165,52 @@ find: paths: /etc/audit/rules.d recurse: false - contains: -F key=perm_mod$ + contains: -F key=delete$ patterns: '*.rules' - register: find_lsetxattr + register: find_unlinkat when: - - audit_rules_dac_modification_lsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_unlinkat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80695-0 - - CJIS-5.4.1.1 + - CCE-80707-3 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/delete.rules when: - - audit_rules_dac_modification_lsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_unlinkat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_unlinkat.matched is defined and find_unlinkat.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_lsetxattr.matched is defined and find_lsetxattr.matched == 0 tags: - - CCE-80695-0 - - CJIS-5.4.1.1 + - CCE-80707-3 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) 
- NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat - low_complexity - low_disruption - medium_severity 
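Review bot: The `contains: -F key=delete$` regexp in the find task only recognises the long-form key option, so a rules.d file that tags the same rules with the equivalent `-k delete` shorthand is not found, `find_unlinkat.matched` stays 0, and the set_fact that follows falls back to creating /etc/audit/rules.d/delete.rules next to a file that already carries the rule. `contains: '(-F key=|-k )delete$'` would match both spellings. The new task name `If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule` still says DAC although the key searched for is now delete; `If no existing file-deletion (key=delete) ruleset is found, use /etc/audit/rules.d/delete.rules as the recipient for the rule` describes what the task now does. The find task's own `- name:` line lies before this hunk, and the same search and naming recur in the rename and renameat hunks (@@ -11999,54 and @@ -12227,54).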
@@ -11828,167 +11220,161 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_unlinkat.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_lsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_unlinkat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_unlinkat.matched is defined and find_unlinkat.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_lsetxattr.matched is defined and find_lsetxattr.matched > 0 tags: - - CCE-80695-0 - - CJIS-5.4.1.1 + - CCE-80707-3 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 +- name: Inserts/replaces the unlinkat rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete create: true when: - - audit_rules_dac_modification_lsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_unlinkat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] 
tags: - - CCE-80695-0 - - CJIS-5.4.1.1 + - CCE-80707-3 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 +- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete create: true when: - - audit_rules_dac_modification_lsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_unlinkat | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80695-0 - - CJIS-5.4.1.1 + - CCE-80707-3 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S 
unlinkat -F auid>=1000 -F auid!=unset -F key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_lsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_unlinkat | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80695-0 - - CJIS-5.4.1.1 + - CCE-80707-3 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 +- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_lsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_file_deletion_events_unlinkat | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80695-0 - - CJIS-5.4.1.1 + - CCE-80707-3 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_lsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fchownat tasks +- name: Set architecture for audit rename tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_dac_modification_fchownat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_rename | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80690-1 - - CJIS-5.4.1.1 + - CCE-80703-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity 
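Review bot: The unlinkat lineinfile tasks in this hunk give `line` but no `regexp`, so despite being named "Inserts/replaces" they never replace anything: lineinfile only checks for that exact string, and a pre-existing rule for the same syscall spelled with other but equivalent options stays in place while the new line is appended beside it, leaving the syscall audited twice. A regexp tied to the single-syscall form, e.g. `regexp: '^-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=\S+ -F key=delete$'` (with a b32 counterpart and `line:` unchanged), lets the task rewrite that line; it should stay anchored to the full shape so that a combined multi-syscall rule is never replaced by a single-syscall one. Separately, `create: true` without `mode` creates /etc/audit/rules.d/delete.rules or /etc/audit/audit.rules with the remote umask, usually world-readable, whereas audit rule files are conventionally 0640, so `mode: '0640'` on the four create-capable tasks would be the safer default. The same applies to the rename and renameat tasks in @@ -12056,167 and @@ -12284,167.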
@@ -11999,54 +11385,52 @@ find: paths: /etc/audit/rules.d recurse: false - contains: -F key=perm_mod$ + contains: -F key=delete$ patterns: '*.rules' - register: find_fchownat + register: find_rename when: - - audit_rules_dac_modification_fchownat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_rename | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80690-1 - - CJIS-5.4.1.1 + - CCE-80703-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/delete.rules when: - - audit_rules_dac_modification_fchownat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_rename | bool + - low_disruption | bool + - low_complexity | bool + - find_rename.matched is defined and find_rename.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fchownat.matched is defined and find_fchownat.matched == 0 tags: - - CCE-80690-1 - - CJIS-5.4.1.1 + - CCE-80703-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity 
@@ -12056,167 +11440,161 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' + - '{{ find_rename.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_fchownat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_rename | bool + - low_disruption | bool + - low_complexity | bool + - find_rename.matched is defined and find_rename.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fchownat.matched is defined and find_fchownat.matched > 0 tags: - - CCE-80690-1 - - CJIS-5.4.1.1 + - CCE-80703-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in rules.d when on x86 +- name: Inserts/replaces the rename rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete create: true when: - - audit_rules_dac_modification_fchownat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_rename | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80690-1 - - 
CJIS-5.4.1.1 + - CCE-80703-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in rules.d when on x86_64 +- name: Inserts/replaces the rename rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete create: true when: - - audit_rules_dac_modification_fchownat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_rename | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80690-1 - - CJIS-5.4.1.1 + - CCE-80703-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F 
key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_fchownat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_rename | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80690-1 - - CJIS-5.4.1.1 + - CCE-80703-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 +- name: Inserts/replaces the rename rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_fchownat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_rename | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80690-1 - - CJIS-5.4.1.1 + - CCE-80703-2 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 
- - audit_rules_dac_modification_fchownat + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit setxattr tasks +- name: Set architecture for audit renameat tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_dac_modification_setxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80697-6 - - CJIS-5.4.1.1 + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_renameat | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80704-0 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity 
@@ -12227,54 +11605,52 @@ find: paths: /etc/audit/rules.d recurse: false - contains: -F key=perm_mod$ + contains: -F key=delete$ patterns: '*.rules' - register: find_setxattr + register: find_renameat when: - - audit_rules_dac_modification_setxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_renameat | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80697-6 - - CJIS-5.4.1.1 + - CCE-80704-0 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/delete.rules when: - - audit_rules_dac_modification_setxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_renameat | bool + - low_disruption | bool + - low_complexity | bool + - find_renameat.matched is defined and find_renameat.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_setxattr.matched is defined and find_setxattr.matched == 0 tags: - - CCE-80697-6 - - CJIS-5.4.1.1 + - CCE-80704-0 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity 
@@ -12284,167 +11660,161 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_renameat.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_setxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_renameat | bool + - low_disruption | bool + - low_complexity | bool + - find_renameat.matched is defined and find_renameat.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_setxattr.matched is defined and find_setxattr.matched > 0 tags: - - CCE-80697-6 - - CJIS-5.4.1.1 + - CCE-80704-0 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the setxattr rule in rules.d when on x86 +- name: Inserts/replaces the renameat rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete create: true when: - - audit_rules_dac_modification_setxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_renameat | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - 
CCE-80697-6 - - CJIS-5.4.1.1 + - CCE-80704-0 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 +- name: Inserts/replaces the renameat rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete create: true when: - - audit_rules_dac_modification_setxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_renameat | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80697-6 - - CJIS-5.4.1.1 + - CCE-80704-0 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S renameat -F 
auid>=1000 -F auid!=unset -F key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_setxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_renameat | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80697-6 - - CJIS-5.4.1.1 + - CCE-80704-0 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 +- name: Inserts/replaces the renameat rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_setxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - audit_rules_file_deletion_events_renameat | bool + - low_disruption | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80697-6 - - CJIS-5.4.1.1 + - CCE-80704-0 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_setxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Set architecture for audit fsetxattr tasks +- name: Set architecture for audit unlink tasks set_fact: audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} when: - - audit_rules_dac_modification_fsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_file_deletion_events_unlink | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80692-7 - - CJIS-5.4.1.1 + - CCE-80706-5 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity 
@@ -12455,54 +11825,52 @@ find: paths: /etc/audit/rules.d recurse: false - contains: -F key=perm_mod$ + contains: -F key=delete$ patterns: '*.rules' - register: find_fsetxattr + register: find_unlink when: - - audit_rules_dac_modification_fsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_file_deletion_events_unlink | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80692-7 - - CJIS-5.4.1.1 + - CCE-80706-5 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/privileged.rules + - /etc/audit/rules.d/delete.rules when: - - audit_rules_dac_modification_fsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_file_deletion_events_unlink | bool + - low_complexity | bool + - find_unlink.matched is defined and find_unlink.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0 tags: - - CCE-80692-7 - - CJIS-5.4.1.1 + - CCE-80706-5 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - 
NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity 
@@ -12512,2891 +11880,3383 @@ - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_unlink.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_fsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_file_deletion_events_unlink | bool + - low_complexity | bool + - find_unlink.matched is defined and find_unlink.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0 tags: - - CCE-80692-7 - - CJIS-5.4.1.1 + - CCE-80706-5 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 +- name: Inserts/replaces the unlink rule in rules.d when on x86 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete create: true when: - - audit_rules_dac_modification_fsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_file_deletion_events_unlink | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - 
CCE-80692-7 - - CJIS-5.4.1.1 + - CCE-80706-5 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 +- name: Inserts/replaces the unlink rule in rules.d when on x86_64 lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete create: true when: - - audit_rules_dac_modification_fsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_file_deletion_events_unlink | bool + - low_complexity | bool - audit_arch is defined and audit_arch == 'b64' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80692-7 - - CJIS-5.4.1.1 + - CCE-80706-5 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86 lineinfile: - line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F 
auid!=unset -F key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_fsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_file_deletion_events_unlink | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80692-7 - - CJIS-5.4.1.1 + - CCE-80706-5 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 +- name: Inserts/replaces the unlink rule in audit.rules when on x86_64 lineinfile: - line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete state: present dest: /etc/audit/audit.rules create: true when: - - audit_rules_dac_modification_fsetxattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' - tags: - - CCE-80692-7 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fsetxattr - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit removexattr tasks - set_fact: - audit_arch: b{{ 
ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - audit_rules_dac_modification_removexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - reboot_required | bool - - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_file_deletion_events_unlink | bool + - low_complexity | bool + - audit_arch is defined and audit_arch == 'b64' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80696-8 - - CJIS-5.4.1.1 + - CCE-80706-5 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false - contains: -F key=perm_mod$ + contains: ^.*path=/usr/bin/passwd.*$ patterns: '*.rules' - register: find_removexattr + register: find_passwd when: - - audit_rules_dac_modification_removexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_passwd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80696-8 - - CJIS-5.4.1.1 + - CCE-80731-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_privileged_commands_passwd - low_complexity - low_disruption - medium_severity - - 
reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_dac_modification_removexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_passwd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_passwd.matched is defined and find_passwd.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_removexattr.matched is defined and find_removexattr.matched == 0 tags: - - CCE-80696-8 - - CJIS-5.4.1.1 + - CCE-80731-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_privileged_commands_passwd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' + - '{{ find_passwd.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_removexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_passwd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_passwd.matched is defined and find_passwd.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] - - find_removexattr.matched is defined and find_removexattr.matched > 0 tags: - - CCE-80696-8 - - CJIS-5.4.1.1 + - CCE-80731-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_privileged_commands_passwd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the removexattr rule in rules.d when on x86 +- name: Inserts/replaces the passwd rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_removexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_passwd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80696-8 - - CJIS-5.4.1.1 + - CCE-80731-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_privileged_commands_passwd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 +- name: Inserts/replaces the passwd rule in audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + path: 
/etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_removexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_passwd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80696-8 - - CJIS-5.4.1.1 + - CCE-80731-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_privileged_commands_passwd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/sudo.*$ + patterns: '*.rules' + register: find_sudo when: - - audit_rules_dac_modification_removexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_sudo | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80696-8 - - CJIS-5.4.1.1 + - CCE-80737-0 - NIST-800-171-3.1.7 + - 
NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_privileged_commands_sudo - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_dac_modification_removexattr | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_sudo | bool + - low_disruption | bool + - low_complexity | bool + - find_sudo.matched is defined and find_sudo.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80696-8 - - CJIS-5.4.1.1 + - CCE-80737-0 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_removexattr + - audit_rules_privileged_commands_sudo - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit fchmodat tasks +- name: Use matched file as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - '{{ find_sudo.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_fchmodat | bool - - low_complexity | bool - - 
low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_sudo | bool + - low_disruption | bool + - low_complexity | bool + - find_sudo.matched is defined and find_sudo.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80688-5 - - CJIS-5.4.1.1 + - CCE-80737-0 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_privileged_commands_sudo - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=perm_mod$ - patterns: '*.rules' - register: find_fchmodat +- name: Inserts/replaces the sudo rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_dac_modification_fchmodat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_sudo | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80688-5 - - CJIS-5.4.1.1 + - CCE-80737-0 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_privileged_commands_sudo - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy 
-- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules +- name: Inserts/replaces the sudo rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_dac_modification_fchmodat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_sudo | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fchmodat.matched is defined and find_fchmodat.matched == 0 tags: - - CCE-80688-5 - - CJIS-5.4.1.1 + - CCE-80737-0 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_privileged_commands_sudo - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}' +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/postdrop.*$ + patterns: '*.rules' + register: find_postdrop when: - - audit_rules_dac_modification_fchmodat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_postdrop | bool + - low_complexity | bool - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_fchmodat.matched is defined and find_fchmodat.matched > 0 tags: - - CCE-80688-5 - - CJIS-5.4.1.1 + - CCE-80732-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_privileged_commands_postdrop - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fchmodat rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod - create: true +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_dac_modification_fchmodat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_postdrop | bool + - low_complexity | bool + - find_postdrop.matched is defined and find_postdrop.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80688-5 - - CJIS-5.4.1.1 + - CCE-80732-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_privileged_commands_postdrop - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F 
key=perm_mod - create: true +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_postdrop.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_fchmodat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_postdrop | bool + - low_complexity | bool + - find_postdrop.matched is defined and find_postdrop.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80688-5 - - CJIS-5.4.1.1 + - CCE-80732-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_privileged_commands_postdrop - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the postdrop rule in rules.d lineinfile: - line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_fchmodat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_postdrop | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - 
CCE-80688-5 - - CJIS-5.4.1.1 + - CCE-80732-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat + - audit_rules_privileged_commands_postdrop - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 +- name: Inserts/replaces the postdrop rule in audit.rules lineinfile: - line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_fchmodat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_postdrop | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80688-5 - - CJIS-5.4.1.1 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_fchmodat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit chown tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - audit_rules_dac_modification_chown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] - tags: - - CCE-80686-9 - - CJIS-5.4.1.1 + - CCE-80732-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chown + - audit_rules_privileged_commands_postdrop - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false - contains: -F key=perm_mod$ + contains: ^.*path=/usr/bin/chsh.*$ patterns: '*.rules' - register: find_chown + register: find_chsh when: - - audit_rules_dac_modification_chown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_chsh | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80686-9 - - CJIS-5.4.1.1 + - CCE-80726-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chown + - audit_rules_privileged_commands_chsh - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_dac_modification_chown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool 
+ - medium_severity | bool + - audit_rules_privileged_commands_chsh | bool + - low_disruption | bool + - low_complexity | bool + - find_chsh.matched is defined and find_chsh.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chown.matched is defined and find_chown.matched == 0 tags: - - CCE-80686-9 - - CJIS-5.4.1.1 + - CCE-80726-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chown + - audit_rules_privileged_commands_chsh - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_chown.files | map(attribute=''path'') | list | first }}' + - '{{ find_chsh.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_dac_modification_chown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_chsh | bool + - low_disruption | bool + - low_complexity | bool + - find_chsh.matched is defined and find_chsh.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_chown.matched is defined and find_chown.matched > 0 tags: - - CCE-80686-9 - - CJIS-5.4.1.1 + - CCE-80726-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chown + - audit_rules_privileged_commands_chsh - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the chown rule in rules.d when on x86 +- name: 
Inserts/replaces the chsh rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + line: -a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_chown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_chsh | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80686-9 - - CJIS-5.4.1.1 + - CCE-80726-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chown + - audit_rules_privileged_commands_chsh - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the chown rule in rules.d when on x86_64 +- name: Inserts/replaces the chsh rule in audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_dac_modification_chown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_chsh | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80686-9 - 
- CJIS-5.4.1.1 + - CCE-80726-3 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chown + - audit_rules_privileged_commands_chsh - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/gpasswd.*$ + patterns: '*.rules' + register: find_gpasswd when: - - audit_rules_dac_modification_chown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_gpasswd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80686-9 - - CJIS-5.4.1.1 + - CCE-80728-9 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chown + - audit_rules_privileged_commands_gpasswd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the chown rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod - state: present - dest: /etc/audit/audit.rules - create: true +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + 
all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_dac_modification_chown | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_gpasswd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_gpasswd.matched is defined and find_gpasswd.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80686-9 - - CJIS-5.4.1.1 + - CCE-80728-9 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.5 - - audit_rules_dac_modification_chown + - audit_rules_privileged_commands_gpasswd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit unlinkat tasks +- name: Use matched file as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - '{{ find_gpasswd.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_file_deletion_events_unlinkat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_gpasswd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_gpasswd.matched is defined and find_gpasswd.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80707-3 + - CCE-80728-9 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - 
audit_rules_file_deletion_events_unlinkat + - audit_rules_privileged_commands_gpasswd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=delete$ - patterns: '*.rules' - register: find_unlinkat +- name: Inserts/replaces the gpasswd rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_file_deletion_events_unlinkat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_gpasswd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80707-3 + - CCE-80728-9 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlinkat + - audit_rules_privileged_commands_gpasswd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/delete.rules +- name: Inserts/replaces the gpasswd rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_file_deletion_events_unlinkat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - 
audit_rules_privileged_commands_gpasswd | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_unlinkat.matched is defined and find_unlinkat.matched == 0 tags: - - CCE-80707-3 + - CCE-80728-9 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlinkat + - audit_rules_privileged_commands_gpasswd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_unlinkat.files | map(attribute=''path'') | list | first }}' +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/chage.*$ + patterns: '*.rules' + register: find_chage when: - - audit_rules_file_deletion_events_unlinkat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_chage | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_unlinkat.matched is defined and find_unlinkat.matched > 0 tags: - - CCE-80707-3 + - CCE-80725-5 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlinkat + - audit_rules_privileged_commands_chage - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: 
Inserts/replaces the unlinkat rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete - create: true +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_file_deletion_events_unlinkat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_chage | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_chage.matched is defined and find_chage.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80707-3 + - CCE-80725-5 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlinkat + - audit_rules_privileged_commands_chage - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete - create: true +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chage.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_file_deletion_events_unlinkat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_chage | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_chage.matched is defined 
and find_chage.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80707-3 + - CCE-80725-5 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlinkat + - audit_rules_privileged_commands_chage - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the chage rule in rules.d lineinfile: - line: -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_unlinkat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_chage | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80707-3 + - CCE-80725-5 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlinkat + - audit_rules_privileged_commands_chage - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64 +- name: Inserts/replaces the chage rule in audit.rules lineinfile: - line: -a always,exit -F arch=b64 -S 
unlinkat -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_unlinkat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_chage | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80707-3 + - CCE-80725-5 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlinkat + - audit_rules_privileged_commands_chage - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit unlink tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/userhelper.*$ + patterns: '*.rules' + register: find_userhelper when: - - audit_rules_file_deletion_events_unlink | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_userhelper | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80706-5 + - CCE-80741-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - 
NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlink + - audit_rules_privileged_commands_userhelper - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=delete$ - patterns: '*.rules' - register: find_unlink +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_file_deletion_events_unlink | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_userhelper | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_userhelper.matched is defined and find_userhelper.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80706-5 + - CCE-80741-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlink + - audit_rules_privileged_commands_userhelper - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule +- name: Use matched file as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/delete.rules + - '{{ find_userhelper.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_file_deletion_events_unlink | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool 
+ - audit_rules_privileged_commands_userhelper | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_userhelper.matched is defined and find_userhelper.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_unlink.matched is defined and find_unlink.matched == 0 tags: - - CCE-80706-5 + - CCE-80741-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlink + - audit_rules_privileged_commands_userhelper - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_unlink.files | map(attribute=''path'') | list | first }}' +- name: Inserts/replaces the userhelper rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_file_deletion_events_unlink | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_userhelper | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_unlink.matched is defined and find_unlink.matched > 0 tags: - - CCE-80706-5 + - CCE-80741-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlink + - audit_rules_privileged_commands_userhelper - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - 
restrict_strategy -- name: Inserts/replaces the unlink rule in rules.d when on x86 +- name: Inserts/replaces the userhelper rule in audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_unlink | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_userhelper | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80706-5 + - CCE-80741-2 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlink + - audit_rules_privileged_commands_userhelper - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the unlink rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete - create: true +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/pam_timestamp_check.*$ + patterns: '*.rules' + register: find_pam_timestamp_check when: - - audit_rules_file_deletion_events_unlink | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_pam_timestamp_check | bool + - low_disruption | 
bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80706-5 + - CCE-80730-5 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlink + - audit_rules_privileged_commands_pam_timestamp_check - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules - create: true +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_file_deletion_events_unlink | bool - - low_complexity | bool - - low_disruption | bool + - no_reboot_needed | bool + - restrict_strategy | bool - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_pam_timestamp_check | bool + - low_disruption | bool + - low_complexity | bool + - find_pam_timestamp_check.matched is defined and find_pam_timestamp_check.matched == 0 + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80730-5 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pam_timestamp_check + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_pam_timestamp_check.files | map(attribute=''path'') | list | first }}' + when: + - no_reboot_needed | bool - restrict_strategy | bool + - 
medium_severity | bool + - audit_rules_privileged_commands_pam_timestamp_check | bool + - low_disruption | bool + - low_complexity | bool + - find_pam_timestamp_check.matched is defined and find_pam_timestamp_check.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80706-5 + - CCE-80730-5 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlink + - audit_rules_privileged_commands_pam_timestamp_check - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the unlink rule in audit.rules when on x86_64 +- name: Inserts/replaces the pam_timestamp_check rule in rules.d lineinfile: - line: -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_unlink | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_pam_timestamp_check | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80706-5 + - CCE-80730-5 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_unlink + - audit_rules_privileged_commands_pam_timestamp_check - low_complexity - low_disruption - medium_severity - - reboot_required + - 
no_reboot_needed - restrict_strategy -- name: Set architecture for audit rename tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Inserts/replaces the pam_timestamp_check rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_file_deletion_events_rename | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_pam_timestamp_check | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80703-2 + - CCE-80730-5 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rename + - audit_rules_privileged_commands_pam_timestamp_check - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false - contains: -F key=delete$ + contains: ^.*path=/usr/bin/crontab.*$ patterns: '*.rules' - register: find_rename + register: find_crontab when: - - audit_rules_file_deletion_events_rename | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_crontab | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - 
CCE-80703-2 + - CCE-80727-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rename + - audit_rules_privileged_commands_crontab - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/delete.rules + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_file_deletion_events_rename | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_crontab | bool + - low_disruption | bool + - low_complexity | bool + - find_crontab.matched is defined and find_crontab.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_rename.matched is defined and find_rename.matched == 0 tags: - - CCE-80703-2 + - CCE-80727-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rename + - audit_rules_privileged_commands_crontab - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_rename.files | map(attribute=''path'') | list | first }}' + - '{{ find_crontab.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_file_deletion_events_rename | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool 
- restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_crontab | bool + - low_disruption | bool + - low_complexity | bool + - find_crontab.matched is defined and find_crontab.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_rename.matched is defined and find_rename.matched > 0 tags: - - CCE-80703-2 + - CCE-80727-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rename + - audit_rules_privileged_commands_crontab - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rename rule in rules.d when on x86 +- name: Inserts/replaces the crontab rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete + line: -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_rename | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_crontab | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80703-2 + - CCE-80727-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rename + - audit_rules_privileged_commands_crontab - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rename rule in rules.d when on x86_64 +- name: 
Inserts/replaces the crontab rule in audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_rename | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_crontab | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80703-2 + - CCE-80727-1 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rename + - audit_rules_privileged_commands_crontab - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules - create: true +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/umount.*$ + patterns: '*.rules' + register: find_umount when: - - audit_rules_file_deletion_events_rename | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_umount | bool + - low_complexity | bool - ansible_virtualization_type not 
in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80703-2 + - CCE-80739-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rename + - audit_rules_privileged_commands_umount - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rename rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules - create: true +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_file_deletion_events_rename | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_umount | bool + - low_complexity | bool + - find_umount.matched is defined and find_umount.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80703-2 + - CCE-80739-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rename + - audit_rules_privileged_commands_umount - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Set architecture for audit rmdir tasks +- name: Use matched file as the recipient for the rule set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + all_files: + - '{{ find_umount.files | map(attribute=''path'') | list | first 
}}' when: - - audit_rules_file_deletion_events_rmdir | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_umount | bool + - low_complexity | bool + - find_umount.matched is defined and find_umount.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80705-7 + - CCE-80739-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rmdir + - audit_rules_privileged_commands_umount - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -F key=delete$ - patterns: '*.rules' - register: find_rmdir +- name: Inserts/replaces the umount rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_file_deletion_events_rmdir | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_umount | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80705-7 + - CCE-80739-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rmdir + - audit_rules_privileged_commands_umount - low_complexity - low_disruption - 
medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/delete.rules +- name: Inserts/replaces the umount rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_file_deletion_events_rmdir | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - audit_rules_privileged_commands_umount | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_rmdir.matched is defined and find_rmdir.matched == 0 tags: - - CCE-80705-7 + - CCE-80739-6 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rmdir + - audit_rules_privileged_commands_umount - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_rmdir.files | map(attribute=''path'') | list | first }}' +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/unix_chkpwd.*$ + patterns: '*.rules' + register: find_unix_chkpwd when: - - audit_rules_file_deletion_events_rmdir | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_unix_chkpwd | bool - restrict_strategy | bool + - medium_severity | bool + - 
low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_rmdir.matched is defined and find_rmdir.matched > 0 tags: - - CCE-80705-7 + - CCE-80740-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rmdir + - audit_rules_privileged_commands_unix_chkpwd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rmdir rule in rules.d when on x86 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete - create: true +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_file_deletion_events_rmdir | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_unix_chkpwd | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_unix_chkpwd.matched is defined and find_unix_chkpwd.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80705-7 + - CCE-80740-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rmdir + - audit_rules_privileged_commands_unix_chkpwd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rmdir rule in rules.d when on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit 
-F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete - create: true +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_unix_chkpwd.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_file_deletion_events_rmdir | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_unix_chkpwd | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_unix_chkpwd.matched is defined and find_unix_chkpwd.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80705-7 + - CCE-80740-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rmdir + - audit_rules_privileged_commands_unix_chkpwd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rmdir rule in /etc/audit/audit.rules when on x86 +- name: Inserts/replaces the unix_chkpwd rule in rules.d lineinfile: - line: -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_rmdir | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_unix_chkpwd | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80705-7 + - CCE-80740-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rmdir + - audit_rules_privileged_commands_unix_chkpwd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the rmdir rule in audit.rules when on x86_64 +- name: Inserts/replaces the unix_chkpwd rule in audit.rules lineinfile: - line: -a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_rmdir | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool + - audit_rules_privileged_commands_unix_chkpwd | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' - tags: - - CCE-80705-7 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_rmdir - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit renameat tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - audit_rules_file_deletion_events_renameat | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - low_disruption | bool + - low_complexity | bool - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80704-0 + - CCE-80740-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_renameat + - audit_rules_privileged_commands_unix_chkpwd - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other DAC audit rules +- name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false - contains: -F key=delete$ + contains: ^.*path=/usr/libexec/openssh/ssh-keysign.*$ patterns: '*.rules' - register: find_renameat + register: find_ssh_keysign when: - - audit_rules_file_deletion_events_renameat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_privileged_commands_ssh_keysign | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80704-0 + - CCE-80735-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_renameat + - audit_rules_privileged_commands_ssh_keysign - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/delete.rules + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_file_deletion_events_renameat | bool - - low_complexity 
| bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_privileged_commands_ssh_keysign | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_ssh_keysign.matched is defined and find_ssh_keysign.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_renameat.matched is defined and find_renameat.matched == 0 tags: - - CCE-80704-0 + - CCE-80735-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_renameat + - audit_rules_privileged_commands_ssh_keysign - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_renameat.files | map(attribute=''path'') | list | first }}' + - '{{ find_ssh_keysign.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_file_deletion_events_renameat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_privileged_commands_ssh_keysign | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_ssh_keysign.matched is defined and find_ssh_keysign.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_renameat.matched is defined and find_renameat.matched > 0 tags: - - CCE-80704-0 + - CCE-80735-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_renameat + - audit_rules_privileged_commands_ssh_keysign - low_complexity - low_disruption - 
medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the renameat rule in rules.d when on x86 +- name: Inserts/replaces the ssh_keysign rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete + line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_renameat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_privileged_commands_ssh_keysign | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80704-0 + - CCE-80735-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_renameat + - audit_rules_privileged_commands_ssh_keysign - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the renameat rule in rules.d when on x86_64 +- name: Inserts/replaces the ssh_keysign rule in audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_file_deletion_events_renameat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - audit_rules_privileged_commands_ssh_keysign | bool + - medium_severity | bool + 
- low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' tags: - - CCE-80704-0 + - CCE-80735-4 - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_renameat + - audit_rules_privileged_commands_ssh_keysign - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86 - lineinfile: - line: -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules - create: true +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/sudoedit.*$ + patterns: '*.rules' + register: find_sudoedit when: - - audit_rules_file_deletion_events_renameat | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80704-0 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_renameat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Inserts/replaces the renameat rule in audit.rules when on x86_64 - lineinfile: - line: -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete - state: present - dest: /etc/audit/audit.rules - create: true - when: - - audit_rules_file_deletion_events_renameat | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - 
- reboot_required | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' - tags: - - CCE-80704-0 - - NIST-800-171-3.1.7 - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_file_deletion_events_renameat - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Search /etc/audit/rules.d for other user/group modification audit rules - find: - paths: /etc/audit/rules.d - recurse: false - contains: -k logins$ - patterns: '*.rules' - register: find_lastlog - when: - - audit_rules_login_events_lastlog | bool - - low_complexity | bool + - audit_rules_privileged_commands_sudoedit | bool - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - - restrict_strategy | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80719-8 - - DISA-STIG-RHEL-08-030600 + - CCE-80738-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_lastlog + - audit_rules_privileged_commands_sudoedit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the - rule +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/logins.rules + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_login_events_lastlog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - 
audit_rules_privileged_commands_sudoedit | bool + - low_disruption | bool + - low_complexity | bool + - find_sudoedit.matched is defined and find_sudoedit.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_lastlog.matched is defined and find_lastlog.matched == 0 tags: - - CCE-80719-8 - - DISA-STIG-RHEL-08-030600 + - CCE-80738-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_lastlog + - audit_rules_privileged_commands_sudoedit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_lastlog.files | map(attribute=''path'') | list | first }}' + - '{{ find_sudoedit.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_login_events_lastlog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_sudoedit | bool + - low_disruption | bool + - low_complexity | bool + - find_sudoedit.matched is defined and find_sudoedit.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_lastlog.matched is defined and find_lastlog.matched > 0 tags: - - CCE-80719-8 - - DISA-STIG-RHEL-08-030600 + - CCE-80738-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_lastlog + - audit_rules_privileged_commands_sudoedit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lastlog rule in rules.d when on x86 +- name: Inserts/replaces the sudoedit 
rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -w /var/log/lastlog -p wa -k logins + line: -a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_login_events_lastlog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_sudoedit | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80719-8 - - DISA-STIG-RHEL-08-030600 + - CCE-80738-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_lastlog + - audit_rules_privileged_commands_sudoedit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the lastlog rule in /etc/audit/audit.rules +- name: Inserts/replaces the sudoedit rule in audit.rules lineinfile: - line: -w /var/log/lastlog -p wa -k logins - state: present - dest: /etc/audit/audit.rules + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_login_events_lastlog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_sudoedit | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80719-8 - - DISA-STIG-RHEL-08-030600 + - CCE-80738-8 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - 
NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_lastlog + - audit_rules_privileged_commands_sudoedit - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other user/group modification audit rules +- name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false - contains: -k logins$ + contains: ^.*path=/usr/sbin/postqueue.*$ patterns: '*.rules' - register: find_faillock + register: find_postqueue when: - - audit_rules_login_events_faillock | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_postqueue | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80718-0 + - CCE-80733-9 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_faillock + - audit_rules_privileged_commands_postqueue - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the - rule +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/logins.rules + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_login_events_faillock | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_postqueue | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - 
low_complexity | bool + - find_postqueue.matched is defined and find_postqueue.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_faillock.matched is defined and find_faillock.matched == 0 tags: - - CCE-80718-0 + - CCE-80733-9 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_faillock + - audit_rules_privileged_commands_postqueue - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_faillock.files | map(attribute=''path'') | list | first }}' + - '{{ find_postqueue.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_login_events_faillock | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_postqueue | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - find_postqueue.matched is defined and find_postqueue.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_faillock.matched is defined and find_faillock.matched > 0 tags: - - CCE-80718-0 + - CCE-80733-9 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_faillock + - audit_rules_privileged_commands_postqueue - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the faillock rule in rules.d when on x86 +- name: Inserts/replaces the postqueue rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -w /var/run/faillock -p wa -k logins + line: -a 
always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_login_events_faillock | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_postqueue | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80718-0 + - CCE-80733-9 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_faillock + - audit_rules_privileged_commands_postqueue - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the faillock rule in /etc/audit/audit.rules +- name: Inserts/replaces the postqueue rule in audit.rules lineinfile: - line: -w /var/run/faillock -p wa -k logins - state: present - dest: /etc/audit/audit.rules - create: true + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged + create: true when: - - audit_rules_login_events_faillock | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - audit_rules_privileged_commands_postqueue | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80718-0 + - CCE-80733-9 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_faillock + - audit_rules_privileged_commands_postqueue - low_complexity - 
low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Search /etc/audit/rules.d for other user/group modification audit rules +- name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false - contains: -k logins$ + contains: ^.*path=/usr/bin/su.*$ patterns: '*.rules' - register: find_tallylog + register: find_su when: - - audit_rules_login_events_tallylog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_su | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80720-6 + - CCE-80736-2 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_tallylog + - audit_rules_privileged_commands_su - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the - rule +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - - /etc/audit/rules.d/logins.rules + - /etc/audit/rules.d/privileged.rules when: - - audit_rules_login_events_tallylog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_su | bool + - low_disruption | bool + - low_complexity | bool + - find_su.matched is defined and find_su.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - 
find_tallylog.matched is defined and find_tallylog.matched == 0 tags: - - CCE-80720-6 + - CCE-80736-2 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_tallylog + - audit_rules_privileged_commands_su - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_tallylog.files | map(attribute=''path'') | list | first }}' + - '{{ find_su.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_login_events_tallylog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_su | bool + - low_disruption | bool + - low_complexity | bool + - find_su.matched is defined and find_su.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_tallylog.matched is defined and find_tallylog.matched > 0 tags: - - CCE-80720-6 + - CCE-80736-2 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_tallylog + - audit_rules_privileged_commands_su - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the tallylog rule in rules.d when on x86 +- name: Inserts/replaces the su rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -w /var/log/tallylog -p wa -k logins + line: -a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_login_events_tallylog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - 
reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_su | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80720-6 + - CCE-80736-2 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_tallylog + - audit_rules_privileged_commands_su - low_complexity - low_disruption - medium_severity - - reboot_required + - no_reboot_needed - restrict_strategy -- name: Inserts/replaces the tallylog rule in /etc/audit/audit.rules +- name: Inserts/replaces the su rule in audit.rules lineinfile: - line: -w /var/log/tallylog -p wa -k logins - state: present - dest: /etc/audit/audit.rules + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_login_events_tallylog | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool + - no_reboot_needed | bool - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80720-6 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.3 - - audit_rules_login_events_tallylog - - low_complexity - - low_disruption - - medium_severity - - reboot_required - - restrict_strategy - -- name: Set architecture for audit delete_module tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} - when: - - audit_rules_kernel_module_loading_delete | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - medium_severity | bool - - no_reboot_needed | bool + - 
audit_rules_privileged_commands_su | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80711-5 + - CCE-80736-2 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_delete - - configure_strategy + - audit_rules_privileged_commands_su - low_complexity - low_disruption - medium_severity - no_reboot_needed + - restrict_strategy - name: Search /etc/audit/rules.d for audit rule entries find: paths: /etc/audit/rules.d recurse: false - contains: ^.*delete_module.*$ + contains: ^.*path=/usr/bin/newgrp.*$ patterns: '*.rules' - register: find_delete_module + register: find_newgrp when: - - audit_rules_kernel_module_loading_delete | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_newgrp | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80711-5 + - CCE-80729-7 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_delete - - configure_strategy + - audit_rules_privileged_commands_newgrp - low_complexity - low_disruption - medium_severity - no_reboot_needed + - restrict_strategy - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/privileged.rules when: - - audit_rules_kernel_module_loading_delete | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - restrict_strategy | bool 
+ - medium_severity | bool + - audit_rules_privileged_commands_newgrp | bool + - low_disruption | bool + - low_complexity | bool + - find_newgrp.matched is defined and find_newgrp.matched == 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_delete_module.matched is defined and find_delete_module.matched == 0 tags: - - CCE-80711-5 + - CCE-80729-7 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_delete - - configure_strategy + - audit_rules_privileged_commands_newgrp - low_complexity - low_disruption - medium_severity - no_reboot_needed + - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}' + - '{{ find_newgrp.files | map(attribute=''path'') | list | first }}' when: - - audit_rules_kernel_module_loading_delete | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_newgrp | bool + - low_disruption | bool + - low_complexity | bool + - find_newgrp.matched is defined and find_newgrp.matched > 0 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_delete_module.matched is defined and find_delete_module.matched > 0 tags: - - CCE-80711-5 + - CCE-80729-7 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_delete - - configure_strategy + - audit_rules_privileged_commands_newgrp - low_complexity - low_disruption - medium_severity - no_reboot_needed + - restrict_strategy -- name: Inserts/replaces the 
delete_module rule in rules.d +- name: Inserts/replaces the newgrp rule in rules.d lineinfile: path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S delete_module -k module-change - state: present + line: -a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_kernel_module_loading_delete | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_newgrp | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80711-5 + - CCE-80729-7 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_delete - - configure_strategy + - audit_rules_privileged_commands_newgrp - low_complexity - low_disruption - medium_severity - no_reboot_needed + - restrict_strategy -- name: Inserts/replaces the delete_module rule in rules.d on x86_64 +- name: Inserts/replaces the newgrp rule in audit.rules lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S delete_module -k module-change - state: present + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged create: true when: - - audit_rules_kernel_module_loading_delete | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - restrict_strategy | bool + - medium_severity | bool + - audit_rules_privileged_commands_newgrp | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch 
is defined and audit_arch == 'b64' tags: - - CCE-80711-5 + - CCE-80729-7 - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_delete - - configure_strategy + - audit_rules_privileged_commands_newgrp - low_complexity - low_disruption - medium_severity - no_reboot_needed + - restrict_strategy -- name: Inserts/replaces the delete_module rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F arch=b32 -S delete_module -k module-change - create: true - when: - - audit_rules_kernel_module_loading_delete | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- package_facts: + manager: auto + name: Gather the package facts tags: - - CCE-80711-5 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-80773-5 + - NIST-800-171-3.1.13 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_delete - - configure_strategy + - dconf_gnome_remote_access_encryption - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed + - unknown_strategy + when: + - dconf_gnome_remote_access_encryption | bool + - no_reboot_needed | bool + - medium_severity | bool + - unknown_strategy | bool + - medium_disruption | bool + - low_complexity | bool -- name: Inserts/replaces the delete_module rule in audit.rules when on x86_64 - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F arch=b64 -S delete_module -k module-change +- name: Require Encryption for Remote Access in GNOME3 + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/Vino + 
option: require-encryption + value: 'true' create: true + no_extra_spaces: true when: - - audit_rules_kernel_module_loading_delete | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - dconf_gnome_remote_access_encryption | bool - no_reboot_needed | bool + - medium_severity | bool + - unknown_strategy | bool + - medium_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' + - '"gdm" in ansible_facts.packages' tags: - - CCE-80711-5 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-80773-5 + - NIST-800-171-3.1.13 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_delete - - configure_strategy + - dconf_gnome_remote_access_encryption - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed + - unknown_strategy -- name: Set architecture for audit init_module tasks - set_fact: - audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} +- name: Prevent user modification of GNOME3 Encryption for Remote Access + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/Vino/require-encryption + line: /org/gnome/Vino/require-encryption + create: true when: - - audit_rules_kernel_module_loading_init | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - dconf_gnome_remote_access_encryption | bool - no_reboot_needed | bool + - medium_severity | bool + - unknown_strategy | bool + - medium_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"gdm" in ansible_facts.packages' tags: - - CCE-80713-1 - - 
NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-80773-5 + - NIST-800-171-3.1.13 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_init - - configure_strategy + - dconf_gnome_remote_access_encryption - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed + - unknown_strategy -- name: Search /etc/audit/rules.d for audit rule entries - find: - paths: /etc/audit/rules.d - recurse: false - contains: ^.*init_module.*$ - patterns: '*.rules' - register: find_init_module - when: - - audit_rules_kernel_module_loading_init | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- package_facts: + manager: auto + name: Gather the package facts tags: - - CCE-80713-1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_init - - configure_strategy + - CCE-80772-7 + - NIST-800-171-3.1.12 + - dconf_gnome_remote_access_credential_prompt - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed - -- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules + - unknown_strategy when: - - audit_rules_kernel_module_loading_init | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool + - no_reboot_needed | bool - medium_severity | bool + - unknown_strategy | bool + - dconf_gnome_remote_access_credential_prompt | bool + - medium_disruption | bool + - low_complexity | bool + +- name: Require Credential Prompting for Remote Access in GNOME3 + ini_file: + dest: 
/etc/dconf/db/local.d/00-security-settings + section: org/gnome/Vino + option: authentication-methods + value: '[''vnc'']' + create: true + no_extra_spaces: true + when: - no_reboot_needed | bool + - medium_severity | bool + - unknown_strategy | bool + - dconf_gnome_remote_access_credential_prompt | bool + - medium_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_init_module.matched is defined and find_init_module.matched == 0 + - '"gdm" in ansible_facts.packages' tags: - - CCE-80713-1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_init - - configure_strategy + - CCE-80772-7 + - NIST-800-171-3.1.12 + - dconf_gnome_remote_access_credential_prompt - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed + - unknown_strategy -- name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_init_module.files | map(attribute=''path'') | list | first }}' +- name: Prevent user modification of GNOME3 Credential Prompting for Remote Access + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/Vino/authentication-methods + line: /org/gnome/Vino/authentication-methods + create: true when: - - audit_rules_kernel_module_loading_init | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - medium_severity | bool + - unknown_strategy | bool + - dconf_gnome_remote_access_credential_prompt | bool + - medium_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - find_init_module.matched is defined and find_init_module.matched > 0 + - '"gdm" in ansible_facts.packages' tags: - - 
CCE-80713-1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) - - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_init - - configure_strategy + - CCE-80772-7 + - NIST-800-171-3.1.12 + - dconf_gnome_remote_access_credential_prompt - low_complexity - - low_disruption + - medium_disruption - medium_severity - no_reboot_needed + - unknown_strategy + +- name: Read list of files with incorrect permissions + command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup + args: + warn: false + register: files_with_incorrect_permissions + failed_when: files_with_incorrect_permissions.rc > 1 + changed_when: false + check_mode: false + tags: + - CCE-80858-4 + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_permissions + when: + - high_complexity | bool + - no_reboot_needed | bool + - rpm_verify_permissions | bool + - restrict_strategy | bool + - high_severity | bool + - medium_disruption | bool + +- name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: false + with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'', ''^[.]+[M]+.* (\/.*)'', ''\1'') | + map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}' + register: list_of_packages + changed_when: false + check_mode: false + when: + - high_complexity | bool + - no_reboot_needed | bool + - rpm_verify_permissions | bool + - restrict_strategy | bool + - high_severity | bool + - medium_disruption | bool + - (files_with_incorrect_permissions.stdout_lines | length > 0) + tags: + - CCE-80858-4 + - CJIS-5.10.4.1 + - 
NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_permissions + +- name: Correct file permissions with RPM + command: rpm --setperms '{{ item }}' + args: + warn: false + with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' + when: + - high_complexity | bool + - no_reboot_needed | bool + - rpm_verify_permissions | bool + - restrict_strategy | bool + - high_severity | bool + - medium_disruption | bool + - (files_with_incorrect_permissions.stdout_lines | length > 0) + tags: + - CCE-80858-4 + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_permissions + +- name: 'Set fact: Package manager reinstall command (dnf)' + set_fact: + package_manager_reinstall_cmd: dnf reinstall -y + when: + - high_complexity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - rpm_verify_hashes | bool + - medium_disruption | bool + - ansible_distribution == "Fedora" + tags: + - CCE-80857-6 + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: 'Set fact: Package manager reinstall command (yum)' + set_fact: + 
package_manager_reinstall_cmd: yum reinstall -y + when: + - high_complexity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - rpm_verify_hashes | bool + - medium_disruption | bool + - (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") + tags: + - CCE-80857-6 + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: Read files with incorrect hash + command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig + args: + warn: false + register: files_with_incorrect_hash + changed_when: false + failed_when: files_with_incorrect_hash.rc > 1 + check_mode: false + when: + - high_complexity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - rpm_verify_hashes | bool + - medium_disruption | bool + - (package_manager_reinstall_cmd is defined) + tags: + - CCE-80857-6 + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: false + with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'', ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') + | select(''match'', ''(\/.*)'') | list | unique }}' + register: list_of_packages + changed_when: false + check_mode: false + when: + - high_complexity | bool + - no_reboot_needed | bool 
+ - restrict_strategy | bool + - high_severity | bool + - rpm_verify_hashes | bool + - medium_disruption | bool + - files_with_incorrect_hash.stdout_lines is defined + - (files_with_incorrect_hash.stdout_lines | length > 0) + tags: + - CCE-80857-6 + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: Reinstall packages of files with incorrect hash + command: '{{ package_manager_reinstall_cmd }} ''{{ item }}''' + args: + warn: false + with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}' + when: + - high_complexity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - rpm_verify_hashes | bool + - medium_disruption | bool + - files_with_incorrect_hash.stdout_lines is defined + - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) + tags: + - CCE-80857-6 + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: Configure System Cryptography Policy + lineinfile: + path: /etc/crypto-policies/config + regexp: ^(?!#)(\S+)$ + line: '{{ var_system_crypto_policy }}' + create: true + tags: + - CCE-80935-0 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_crypto_policy + - high_severity + - low_complexity + - 
low_disruption + - no_reboot_needed + - restrict_strategy + when: + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - configure_crypto_policy | bool + - low_disruption | bool + - low_complexity | bool + +- name: Verify that Crypto Policy is Set (runtime) + command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} + tags: + - CCE-80935-0 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_crypto_policy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + when: + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - configure_crypto_policy | bool + - low_disruption | bool + - low_complexity | bool + +- name: Configure SSH to use System Crypto Policy + lineinfile: + dest: /etc/sysconfig/sshd + state: absent + regexp: ^\s*CRYPTO_POLICY.*$ + tags: + - CCE-80939-2 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-13 + - configure_ssh_crypto_policy + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + when: + - disable_strategy | bool + - reboot_required | bool + - medium_severity | bool + - configure_ssh_crypto_policy | bool + - medium_disruption | bool + - low_complexity | bool + +- name: Grep for yum repo section names + shell: grep -HEr '^\[.+\]' -r /etc/yum.repos.d/ + register: repo_grep_results + ignore_errors: true + changed_when: false + tags: + - CCE-80792-5 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - enable_strategy + - ensure_gpgcheck_never_disabled + - 
high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + when: + - ensure_gpgcheck_never_disabled | bool + - no_reboot_needed | bool + - high_severity | bool + - enable_strategy | bool + - medium_disruption | bool + - low_complexity | bool + +- name: Set gpgcheck=1 for each yum repo + ini_file: + path: '{{ item[0] }}' + section: '{{ item[1] }}' + option: gpgcheck + value: '1' + no_extra_spaces: true + loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}' + tags: + - CCE-80792-5 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - enable_strategy + - ensure_gpgcheck_never_disabled + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + when: + - ensure_gpgcheck_never_disabled | bool + - no_reboot_needed | bool + - high_severity | bool + - enable_strategy | bool + - medium_disruption | bool + - low_complexity | bool + +- name: Read permission of GPG key directory + stat: + path: /etc/pki/rpm-gpg/ + register: gpg_key_directory_permission + check_mode: false + tags: + - CCE-80795-8 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed + - restrict_strategy + when: + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - ensure_redhat_gpgkey_installed | bool + - medium_complexity | bool + - medium_disruption | bool + +- name: Read signatures in GPG key + command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + args: + warn: false + changed_when: false + 
register: gpg_fingerprints + check_mode: false + tags: + - CCE-80795-8 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed + - restrict_strategy + when: + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - ensure_redhat_gpgkey_installed | bool + - medium_complexity | bool + - medium_disruption | bool + +- name: Set Fact - Installed GPG Fingerprints + set_fact: + gpg_installed_fingerprints: '{{ gpg_fingerprints.stdout | regex_findall(''^pub.* + + (?:^fpr[:]*)([0-9A-Fa-f]*)'', ''\1'') | list }}' + tags: + - CCE-80795-8 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed + - restrict_strategy + when: + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - ensure_redhat_gpgkey_installed | bool + - medium_complexity | bool + - medium_disruption | bool + +- name: Set Fact - Valid fingerprints + set_fact: + gpg_valid_fingerprints: ("567E347AD0044ADE55BA8A5F199E2F91FD431D51" "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792") + tags: + - CCE-80795-8 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed + - restrict_strategy + when: + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - ensure_redhat_gpgkey_installed | bool + - medium_complexity | bool + - medium_disruption | 
bool + +- name: Import RedHat GPG key + rpm_key: + state: present + key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + when: + - no_reboot_needed | bool + - restrict_strategy | bool + - high_severity | bool + - ensure_redhat_gpgkey_installed | bool + - medium_complexity | bool + - medium_disruption | bool + - gpg_key_directory_permission.stat.mode <= '0755' + - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 + - gpg_installed_fingerprints | length > 0 + - ansible_distribution == "RedHat" + tags: + - CCE-80795-8 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_redhat_gpgkey_installed + - high_severity + - medium_complexity + - medium_disruption + - no_reboot_needed + - restrict_strategy + +- package_facts: + manager: auto + name: Gather the package facts + tags: + - CCE-80790-9 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + when: + - no_reboot_needed | bool + - high_severity | bool + - unknown_strategy | bool + - ensure_gpgcheck_globally_activated | bool + - medium_disruption | bool + - low_complexity | bool + +- name: Check existence of yum on Fedora + stat: + path: /etc/yum.conf + register: yum_config_file + check_mode: false + when: + - no_reboot_needed | bool + - high_severity | bool + - unknown_strategy | bool + - ensure_gpgcheck_globally_activated | bool + - medium_disruption | bool + - low_complexity | bool + - ansible_distribution == "Fedora" + - '"yum" in ansible_facts.packages' + tags: + - CCE-80790-9 + - CJIS-5.10.4.1 + - 
NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Ensure GPG check is globally activated (yum) + ini_file: + dest: /etc/yum.conf + section: main + option: gpgcheck + value: 1 + no_extra_spaces: true + create: false + when: + - no_reboot_needed | bool + - high_severity | bool + - unknown_strategy | bool + - ensure_gpgcheck_globally_activated | bool + - medium_disruption | bool + - low_complexity | bool + - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) + - '"yum" in ansible_facts.packages' + tags: + - CCE-80790-9 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy -- name: Inserts/replaces the init_module rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b32 -S init_module -k module-change - state: present - create: true +- name: Ensure GPG check is globally activated (dnf) + ini_file: + dest: /etc/dnf/dnf.conf + section: main + option: gpgcheck + value: 1 + no_extra_spaces: true + create: false when: - - audit_rules_kernel_module_loading_init | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + - high_severity | bool + - unknown_strategy | bool + - ensure_gpgcheck_globally_activated | bool + - medium_disruption | bool + - low_complexity | bool + - ansible_distribution == "Fedora" + - '"yum" in ansible_facts.packages' tags: - - CCE-80713-1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-80790-9 + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_init - - configure_strategy + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed + - unknown_strategy -- name: Inserts/replaces the init_module rule in rules.d on x86_64 - lineinfile: - path: '{{ all_files[0] }}' - line: -a always,exit -F arch=b64 -S init_module -k module-change - state: present - create: true - when: - - audit_rules_kernel_module_loading_init | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' +- package_facts: + manager: auto + name: Gather the package facts tags: - - CCE-80713-1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-80791-7 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_init - - configure_strategy + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - 
high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - -- name: Inserts/replaces the init_module rule in audit.rules - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F arch=b32 -S init_module -k module-change - create: true + - unknown_strategy when: - - audit_rules_kernel_module_loading_init | bool - - configure_strategy | bool + - no_reboot_needed | bool + - high_severity | bool + - unknown_strategy | bool + - medium_disruption | bool + - ensure_gpgcheck_local_packages | bool - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + +- name: Check existence of yum on Fedora + stat: + path: /etc/yum.conf + register: yum_config_file + check_mode: false + when: - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - high_severity | bool + - unknown_strategy | bool + - medium_disruption | bool + - ensure_gpgcheck_local_packages | bool + - low_complexity | bool + - ansible_distribution == "Fedora" + - '"yum" in ansible_facts.packages' tags: - - CCE-80713-1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-80791-7 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_init - - configure_strategy + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed + - unknown_strategy -- name: Inserts/replaces the init_module rule in audit.rules when on x86_64 - lineinfile: - path: /etc/audit/audit.rules - line: -a always,exit -F arch=b64 -S init_module -k module-change +- name: Ensure GPG check Enabled for Local Packages (Yum) + ini_file: + dest: /etc/yum.conf + section: main + option: localpkg_gpgcheck + 
value: 1 create: true when: - - audit_rules_kernel_module_loading_init | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - audit_arch is defined and audit_arch == 'b64' + - high_severity | bool + - unknown_strategy | bool + - medium_disruption | bool + - ensure_gpgcheck_local_packages | bool + - low_complexity | bool + - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists) + - '"yum" in ansible_facts.packages' tags: - - CCE-80713-1 - - NIST-800-171-3.1.7 - - NIST-800-53-AC-6(9) - - NIST-800-53-AU-12(c) - - NIST-800-53-AU-2(d) + - CCE-80791-7 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.2.7 - - audit_rules_kernel_module_loading_init - - configure_strategy + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed + - unknown_strategy -- name: Configure auditd Flush Priority - lineinfile: - dest: /etc/audit/auditd.conf - regexp: ^\s*flush\s*=\s*.*$ - line: flush = {{ var_auditd_flush }} - state: present +- name: Ensure GPG check Enabled for Local Packages (DNF) + ini_file: + dest: /etc/dnf/dnf.conf + section: main + option: localpkg_gpgcheck + value: 1 create: true when: - - auditd_data_retention_flush | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - high_severity | bool + - unknown_strategy | bool + - medium_disruption | bool + - ensure_gpgcheck_local_packages | bool + - low_complexity | 
bool + - ansible_distribution == "Fedora" + - '"yum" in ansible_facts.packages' tags: - - CCE-80680-2 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-11 + - CCE-80791-7 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) - - auditd_data_retention_flush + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity - low_complexity - - low_disruption - - medium_severity + - medium_disruption - no_reboot_needed - - restrict_strategy + - unknown_strategy -- name: enable syslog plugin - lineinfile: - dest: /etc/audit/plugins.d/syslog.conf - regexp: ^active - line: active = yes - create: true - when: - - auditd_audispd_syslog_plugin_activated | bool - - configure_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] +- package_facts: + manager: auto + name: Gather the package facts tags: - - CCE-80677-8 - - CJIS-5.4.1.1 - - NIST-800-171-3.3.1 - - NIST-800-53-AU-4(1) + - CCE-80805-5 + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSS-Req-10.5.3 - - auditd_audispd_syslog_plugin_activated + - PCI-DSS-Req-7.1 - configure_strategy + - file_owner_grub2_cfg - low_complexity - low_disruption - medium_severity - no_reboot_needed + when: + - file_owner_grub2_cfg | bool + - no_reboot_needed | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool - name: Test for existence /boot/grub2/grub.cfg stat: path: /boot/grub2/grub.cfg register: file_exists when: - - configure_strategy | bool - file_owner_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - CCE-80805-5 - CJIS-5.5.2.2 @@ -15416,14 +15276,15 @@ path: /boot/grub2/grub.cfg owner: '0' when: - - configure_strategy | bool - file_owner_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - CCE-80805-5 - CJIS-5.5.2.2 @@ -15438,18 +15299,41 @@ - medium_severity - no_reboot_needed +- package_facts: + manager: auto + name: Gather the package facts + tags: + - CCE-80814-7 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - file_permissions_grub2_cfg | bool + - no_reboot_needed | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool + - name: Test for existence /boot/grub2/grub.cfg stat: path: /boot/grub2/grub.cfg register: file_exists when: - - configure_strategy | bool - file_permissions_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - CCE-80814-7 - NIST-800-171-3.4.5 
@@ -15462,19 +15346,20 @@ - medium_severity - no_reboot_needed -- name: Ensure permission 0600 on /boot/grub2/grub.cfg +- name: Ensure permission 600 on /boot/grub2/grub.cfg file: path: /boot/grub2/grub.cfg - mode: '0600' + mode: '600' when: - - configure_strategy | bool - file_permissions_grub2_cfg | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - medium_severity | bool + - configure_strategy | bool + - low_disruption | bool + - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - CCE-80814-7 - NIST-800-171-3.4.5 @@ -15487,18 +15372,43 @@ - medium_severity - no_reboot_needed +- package_facts: + manager: auto + name: Gather the package facts + tags: + - CCE-80800-6 + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - configure_strategy + - file_groupowner_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + when: + - no_reboot_needed | bool + - medium_severity | bool + - configure_strategy | bool + - file_groupowner_grub2_cfg | bool + - low_disruption | bool + - low_complexity | bool + - name: Test for existence /boot/grub2/grub.cfg stat: path: /boot/grub2/grub.cfg register: file_exists when: + - no_reboot_needed | bool + - medium_severity | bool - configure_strategy | bool - file_groupowner_grub2_cfg | bool - - low_complexity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - CCE-80800-6 - CJIS-5.5.2.2 
@@ -15518,14 +15428,15 @@ path: /boot/grub2/grub.cfg group: '0' when: + - no_reboot_needed | bool + - medium_severity | bool - configure_strategy | bool - file_groupowner_grub2_cfg | bool - - low_complexity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - low_complexity | bool - file_exists.stat is defined and file_exists.stat.exists + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' tags: - CCE-80800-6 - CJIS-5.5.2.2 @@ -15547,16 +15458,15 @@ line: '*.* @@{{ rsyslog_remote_loghost_address }}' create: true when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool - rsyslog_remote_loghost | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80863-4 - - DISA-STIG-RHEL-08-030690 - NIST-800-53-AU-4(1) - NIST-800-53-AU-9(2) - NIST-800-53-CM-6(a) 
@@ -15567,257 +15477,233 @@ - restrict_strategy - rsyslog_remote_loghost +- name: Find /etc/grub.d/ files + find: + paths: + - /etc/grub.d/ + follow: true + register: grub + when: + - no_reboot_needed | bool + - grub2_enable_selinux | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80827-9 + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - grub2_enable_selinux + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure SELinux Not Disabled in grub files + replace: + dest: '{{ item.path }}' + regexp: (selinux|enforcing)=0 + with_items: + - '{{ grub.files }}' + - path: /etc/grub2.cfg + - path: /etc/default/grub + when: + - no_reboot_needed | bool + - grub2_enable_selinux | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80827-9 + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - grub2_enable_selinux + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - name: Configure SELinux Policy block: - - name: Check for duplicate values - lineinfile: - path: /etc/selinux/config - create: false - regexp: ^SELINUXTYPE= - state: absent - check_mode: true - changed_when: false - register: dupes - name: Deduplicate values from /etc/selinux/config lineinfile: path: /etc/selinux/config create: false regexp: ^SELINUXTYPE= state: absent - when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/selinux/config lineinfile: path: /etc/selinux/config create: true - regexp: ^SELINUXTYPE= line: SELINUXTYPE={{ 
var_selinux_policy_name }} state: present when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - reboot_required | bool - restrict_strategy | bool + - reboot_required | bool + - high_severity | bool - selinux_policytype | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80868-3 - - DISA-STIG-RHEL-08-010450 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - NIST-800-53-AU-9 - NIST-800-53-SC-7(21) + - high_severity - low_complexity - low_disruption - - medium_severity - reboot_required - restrict_strategy - selinux_policytype - name: Ensure SELinux State is Enforcing block: - - name: Check for duplicate values - lineinfile: - path: /etc/selinux/config - create: false - regexp: ^SELINUX= - state: absent - check_mode: true - changed_when: false - register: dupes - name: Deduplicate values from /etc/selinux/config lineinfile: path: /etc/selinux/config create: false regexp: ^SELINUX= state: absent - when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/selinux/config lineinfile: path: /etc/selinux/config create: true - regexp: ^SELINUX= line: SELINUX={{ var_selinux_state }} state: present when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool + - high_severity | bool + - low_disruption | bool - selinux_state | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80869-1 - - DISA-STIG-RHEL-08-010170 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - NIST-800-53-AU-9 - NIST-800-53-SC-7(21) + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - restrict_strategy - selinux_state -- name: Find /etc/grub.d/ files - find: - paths: - - 
/etc/grub.d/ - follow: true - register: grub - when: - - grub2_enable_selinux | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80827-9 - - NIST-800-171-3.1.2 - - NIST-800-171-3.7.2 - - NIST-800-53-AC-3 - - NIST-800-53-AC-3(3)(a) - - grub2_enable_selinux - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - -- name: Ensure SELinux Not Disabled in grub files - replace: - dest: '{{ item.path }}' - regexp: (selinux|enforcing)=0 - with_items: - - '{{ grub.files }}' - - path: /etc/grub2.cfg - - path: /etc/default/grub - when: - - grub2_enable_selinux | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80827-9 - - NIST-800-171-3.1.2 - - NIST-800-171-3.7.2 - - NIST-800-53-AC-3 - - NIST-800-53-AC-3(3)(a) - - grub2_enable_selinux - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - restrict_strategy - - name: Ensure python3-libsemanage installed package: name: python3-libsemanage state: present when: + - no_reboot_needed | bool + - medium_severity | bool + - sebool_selinuxuser_execstack | bool - enable_strategy | bool - - low_complexity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - sebool_selinuxuser_execmod | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80950-9 + - CCE-80951-7 - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - sebool_selinuxuser_execmod + - sebool_selinuxuser_execstack -- name: Set SELinux boolean selinuxuser_execmod 
accordingly +- name: Set SELinux boolean selinuxuser_execstack accordingly seboolean: - name: selinuxuser_execmod - state: '{{ var_selinuxuser_execmod }}' + name: selinuxuser_execstack + state: '{{ var_selinuxuser_execstack }}' persistent: true when: + - no_reboot_needed | bool + - medium_severity | bool + - sebool_selinuxuser_execstack | bool - enable_strategy | bool - - low_complexity | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - sebool_selinuxuser_execmod | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80950-9 + - CCE-80951-7 - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - sebool_selinuxuser_execmod + - sebool_selinuxuser_execstack - name: Ensure python3-libsemanage installed package: name: python3-libsemanage state: present when: + - no_reboot_needed | bool + - medium_severity | bool - enable_strategy | bool - - low_complexity | bool + - sebool_selinuxuser_execmod | bool - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - sebool_selinuxuser_execstack | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80951-7 + - CCE-80950-9 - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - sebool_selinuxuser_execstack + - sebool_selinuxuser_execmod -- name: Set SELinux boolean selinuxuser_execstack accordingly +- name: Set SELinux boolean selinuxuser_execmod accordingly seboolean: - name: selinuxuser_execstack - state: '{{ var_selinuxuser_execstack }}' + name: selinuxuser_execmod + state: '{{ var_selinuxuser_execmod }}' persistent: true when: + - no_reboot_needed | bool + - medium_severity | bool - enable_strategy | bool - - low_complexity | bool + - sebool_selinuxuser_execmod | bool - low_disruption | bool - - medium_severity | bool - - 
no_reboot_needed | bool - - sebool_selinuxuser_execstack | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80951-7 + - CCE-80950-9 - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - sebool_selinuxuser_execstack + - sebool_selinuxuser_execmod - name: Ensure python3-libsemanage installed package: name: python3-libsemanage state: present when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - medium_severity | bool - sebool_selinuxuser_execheap | bool + - enable_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80949-1 @@ -15834,12 +15720,12 @@ state: '{{ var_selinuxuser_execheap }}' persistent: true when: - - enable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool + - medium_severity | bool - sebool_selinuxuser_execheap | bool + - enable_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80949-1 
@@ -15850,86 +15736,6 @@ - no_reboot_needed - sebool_selinuxuser_execheap -- name: Ensure sysctl kernel.dmesg_restrict is set to 1 - sysctl: - name: kernel.dmesg_restrict - value: '1' - state: present - reload: true - when: - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_kernel_dmesg_restrict | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80913-7 - - DISA-STIG-RHEL-08-010375 - - NIST-800-171-3.1.5 - - NIST-800-53-SI-11(a) - - NIST-800-53-SI-11(b) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_kernel_dmesg_restrict - -- name: Ensure sysctl kernel.randomize_va_space is set to 2 - sysctl: - name: kernel.randomize_va_space - value: '2' - state: present - reload: true - when: - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_kernel_randomize_va_space | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80916-0 - - DISA-STIG-RHEL-08-010430 - - NIST-800-171-3.1.7 - - NIST-800-53-CM-6(a) - - NIST-800-53-SC-30 - - NIST-800-53-SC-30(2) - - disable_strategy - - low_complexity - - medium_disruption - - medium_severity - - reboot_required - - sysctl_kernel_randomize_va_space - -- name: Ensure sysctl fs.suid_dumpable is set to 0 - sysctl: - name: fs.suid_dumpable - value: '0' - state: present - reload: true - when: - - disable_strategy | bool - - low_complexity | bool - - medium_disruption | bool - - medium_severity | bool - - reboot_required | bool - - sysctl_fs_suid_dumpable | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - CCE-80912-9 - - NIST-800-53-SI-11(a) - - NIST-800-53-SI-11(b) - - disable_strategy - - low_complexity - - 
medium_disruption - - medium_severity - - reboot_required - - sysctl_fs_suid_dumpable - - name: Disable service autofs block: - name: Gather the service facts @@ -15943,15 +15749,14 @@ when: '"autofs.service" in ansible_facts.services' when: - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - service_autofs_disabled | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80873-3 - - DISA-STIG-RHEL-08-040070 - NIST-800-171-3.4.6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -15974,15 +15779,14 @@ check_mode: false when: - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - service_autofs_disabled | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80873-3 - - DISA-STIG-RHEL-08-040070 - NIST-800-171-3.4.6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -16003,16 +15807,15 @@ masked: 'yes' when: - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - service_autofs_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - '"autofs.socket" in socket_file_exists.stdout_lines[1]' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80873-3 - - DISA-STIG-RHEL-08-040070 - NIST-800-171-3.4.6 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) 
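Review bot: In the Disable socket autofs task the `'"autofs.socket" in socket_file_exists.stdout_lines[1]'` condition now precedes the `ansible_virtualization_type` guard, which changes what happens on container hosts. As far as I recall Ansible evaluates a `when` list in order and stops at the first false item, so on such a host the preceding `Unit Socket Exists` task is skipped, `socket_file_exists` holds a skipped result with no `stdout_lines`, and the lookup raises an undefined-attribute error where the old order simply skipped the task. Moving `- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]` back above `- '"autofs.socket" in socket_file_exists.stdout_lines[1]'` (or guarding the lookup with `socket_file_exists.stdout_lines | default([])`) restores the safe behaviour. The same ordering appears in the new rlogin, rexec, telnet and xinetd `Disable socket` tasks in the hunk at `@@ -16124,640 +15999,527 @@`. The task's `systemd:` block starts before this hunk and its tag list continues after it.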
@@ -16033,14 +15836,13 @@ line: install usb-storage /bin/true when: - disable_strategy | bool - - low_complexity | bool - medium_disruption | bool - medium_severity | bool - reboot_required | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-80835-2 - - DISA-STIG-RHEL-08-040080 - NIST-800-171-3.1.21 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) 
@@ -16053,70 +15855,143 @@ - medium_severity - reboot_required -- name: Enable service crond - block: - - name: Gather the package facts - package_facts: - manager: auto - - name: Enable service crond - service: - name: crond - enabled: 'yes' - state: started - masked: 'no' - when: - - '"cronie" in ansible_facts.packages' +- name: Ensure sysctl kernel.dmesg_restrict is set to 1 + sysctl: + name: kernel.dmesg_restrict + value: '1' + state: present + reload: true when: - - enable_strategy | bool + - disable_strategy | bool + - reboot_required | bool + - medium_severity | bool + - medium_disruption | bool + - sysctl_kernel_dmesg_restrict | bool - low_complexity | bool - - low_disruption | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80913-7 + - NIST-800-171-3.1.5 + - NIST-800-53-SI-11(a) + - NIST-800-53-SI-11(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_dmesg_restrict + +- name: Ensure sysctl fs.suid_dumpable is set to 0 + sysctl: + name: fs.suid_dumpable + value: '0' + state: present + reload: true + when: + - disable_strategy | bool + - sysctl_fs_suid_dumpable | bool + - reboot_required | bool - medium_severity | bool - - no_reboot_needed | bool - - service_crond_enabled | bool + - medium_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80912-9 + - NIST-800-53-SI-11(a) + - NIST-800-53-SI-11(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_fs_suid_dumpable + +- name: Ensure sysctl kernel.randomize_va_space is set to 2 + sysctl: + name: kernel.randomize_va_space + value: '2' + state: present + reload: true + when: + - disable_strategy | bool + - reboot_required | bool + - medium_severity | bool + - sysctl_kernel_randomize_va_space | bool + - medium_disruption | 
bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80875-8 + - CCE-80916-0 + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-30 + - NIST-800-53-SC-30(2) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_randomize_va_space + +- name: Ensure rsh-server is removed + package: + name: rsh-server + state: absent + tags: + - CCE-82184-3 - NIST-800-53-CM-6(a) - - enable_strategy + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-IA-5(1)(c) + - disable_strategy + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - - service_crond_enabled + - package_rsh-server_removed + when: + - disable_strategy | bool + - no_reboot_needed | bool + - low_complexity | bool + - low_disruption | bool + - high_severity | bool -- name: Disable service zebra +- name: Disable service rlogin block: - name: Gather the service facts service_facts: null - - name: Disable service zebra + - name: Disable service rlogin systemd: - name: zebra.service + name: rlogin.service enabled: 'no' state: stopped masked: 'yes' - when: '"zebra.service" in ansible_facts.services' + when: '"rlogin.service" in ansible_facts.services' when: + - service_rlogin_disabled | bool - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_zebra_disabled | bool + - high_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80889-9 + - CCE-80885-7 + - NIST-800-171-3.1.13 + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - NIST-800-53-IA-5(1)(c) - disable_strategy + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - - 
service_zebra_disabled + - service_rlogin_disabled -- name: Unit Socket Exists - zebra.socket - command: systemctl list-unit-files zebra.socket +- name: Unit Socket Exists - rlogin.socket + command: systemctl list-unit-files rlogin.socket args: warn: false register: socket_file_exists 
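Review bot: The new `Ensure rsh-server is removed` task lists `tags:` before `when:`, while every other task in this file puts `when:` first and `tags:` last; the `Ensure telnet is removed` and `Ensure telnet-server is removed` tasks in the following hunk use the same inverted order. Reordering those keys keeps the generated playbook uniform and makes each rule's conditions easy to find. This task is also the only one on the new side of this hunk without the `ansible_virtualization_type not in [...]` condition; if removing the package is intentionally applied in containers as well, a comment such as `# no container guard: package removal applies to all platforms` (emitted by the generator, since this file appears to be generated) would keep it from reading as an omission.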
@@ -16124,640 +15999,527 @@ ignore_errors: true check_mode: false when: + - service_rlogin_disabled | bool - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_zebra_disabled | bool + - high_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80889-9 + - CCE-80885-7 + - NIST-800-171-3.1.13 + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - NIST-800-53-IA-5(1)(c) - disable_strategy + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - - service_zebra_disabled + - service_rlogin_disabled -- name: Disable socket zebra +- name: Disable socket rlogin systemd: - name: zebra.socket + name: rlogin.socket enabled: 'no' state: stopped masked: 'yes' when: + - service_rlogin_disabled | bool - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_zebra_disabled | bool + - high_severity | bool + - low_disruption | bool + - low_complexity | bool + - '"rlogin.socket" in socket_file_exists.stdout_lines[1]' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"zebra.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-80889-9 + - CCE-80885-7 + - NIST-800-171-3.1.13 + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - NIST-800-53-IA-5(1)(c) - disable_strategy + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - - service_zebra_disabled + - service_rlogin_disabled -- name: Allow Only SSH Protocol 2 +- name: Disable service rexec block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*Protocol\s+ - state: absent - check_mode: 
true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*Protocol\s+ - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*Protocol\s+ - line: Protocol 2 - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s + - name: Gather the service facts + service_facts: null + - name: Disable service rexec + systemd: + name: rexec.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"rexec.service" in ansible_facts.services' when: + - disable_strategy | bool + - no_reboot_needed | bool + - service_rexec_disabled | bool - high_severity | bool - - low_complexity | bool - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_allow_only_protocol2 | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80894-9 - - CJIS-5.5.6 + - CCE-80884-0 - NIST-800-171-3.1.13 - - NIST-800-171-3.5.4 - - NIST-800-53-AC-17(2) - - NIST-800-53-AC-17(a) + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) - NIST-800-53-IA-5(1)(c) - - NIST-800-53-MA-4(6) - - NIST-800-53-SC-13 + - disable_strategy - high_severity - low_complexity - low_disruption - no_reboot_needed - - restrict_strategy - - sshd_allow_only_protocol2 + - service_rexec_disabled -- name: Do Not Allow SSH Environment Options - block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*PermitUserEnvironment\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: 
(?i)^\s*PermitUserEnvironment\s+ - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*PermitUserEnvironment\s+ - line: PermitUserEnvironment no - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s +- name: Unit Socket Exists - rexec.socket + command: systemctl list-unit-files rexec.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false when: - - low_complexity | bool + - disable_strategy | bool + - no_reboot_needed | bool + - service_rexec_disabled | bool + - high_severity | bool - low_disruption | bool - - medium_severity | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80884-0 + - NIST-800-171-3.1.13 + - NIST-800-171-3.4.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-IA-5(1)(c) + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - service_rexec_disabled + +- name: Disable socket rexec + systemd: + name: rexec.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - disable_strategy | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_do_not_permit_user_env | bool + - service_rexec_disabled | bool + - high_severity | bool + - low_disruption | bool + - low_complexity | bool + - '"rexec.socket" in socket_file_exists.stdout_lines[1]' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80903-8 - - CJIS-5.5.6 - - DISA-STIG-RHEL-08-010830 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) + - CCE-80884-0 + - NIST-800-171-3.1.13 + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - NIST-800-53-IA-5(1)(c) + - disable_strategy + - high_severity 
- low_complexity - low_disruption - - medium_severity - no_reboot_needed - - restrict_strategy - - sshd_do_not_permit_user_env + - service_rexec_disabled -- name: Enable SSH Warning Banner - block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*Banner\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*Banner\s+ +- block: + - name: Detect shosts.equiv Files on the System + find: + paths: / + recurse: true + patterns: shosts.equiv + check_mode: false + register: shosts_equiv_locations + - name: Remove Rsh Trust Files + file: + path: '{{ item.path }}' state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*Banner\s+ - line: Banner /etc/issue - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s - when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_enable_warning_banner | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + with_items: '{{ shosts_equiv_locations.files }}' + when: shosts_equiv_locations tags: - - CCE-80905-3 - - CJIS-5.5.6 - - DISA-STIG-RHEL-08-010040 - - NIST-800-171-3.1.9 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-8(a) - - NIST-800-53-AC-8(c) + - CCE-80842-8 - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed + - no_rsh_trust_files - restrict_strategy - - sshd_enable_warning_banner - -- name: Enable Use of Strict Mode Checking - block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - 
create: false - regexp: (?i)^\s*StrictModes\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*StrictModes\s+ - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*StrictModes\s+ - line: StrictModes yes - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - restrict_strategy | bool - - sshd_enable_strictmodes | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - high_severity | bool + - low_disruption | bool + - no_rsh_trust_files | bool + - low_complexity | bool + +- name: Ensure telnet is removed + package: + name: telnet + state: absent tags: - - CCE-80904-6 - - DISA-STIG-RHEL-08-010500 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-6 - - NIST-800-53-CM-6(a) + - CCE-80849-3 + - NIST-800-171-3.1.13 + - disable_strategy - low_complexity - low_disruption - - medium_severity + - low_severity - no_reboot_needed - - restrict_strategy - - sshd_enable_strictmodes + - package_telnet_removed + when: + - disable_strategy | bool + - no_reboot_needed | bool + - package_telnet_removed | bool + - low_severity | bool + - low_disruption | bool + - low_complexity | bool -- name: Disable GSSAPI Authentication - block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*GSSAPIAuthentication\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*GSSAPIAuthentication\s+ 
- state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*GSSAPIAuthentication\s+ - line: GSSAPIAuthentication no - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s +- name: Ensure telnet-server is removed + package: + name: telnet-server + state: absent + tags: + - CCE-82182-7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_telnet-server_removed when: + - disable_strategy | bool + - no_reboot_needed | bool - low_complexity | bool - low_disruption | bool - - medium_severity | bool + - high_severity | bool + +- name: Disable service telnet + block: + - name: Gather the service facts + service_facts: null + - name: Disable service telnet + systemd: + name: telnet.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"telnet.service" in ansible_facts.services' + when: + - service_telnet_disabled | bool + - disable_strategy | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_gssapi_auth | bool + - high_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80897-2 - - DISA-STIG-RHEL-08-010521 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) + - CCE-80887-3 + - NIST-800-171-3.1.13 + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - NIST-800-53-IA-5(1)(c) + - disable_strategy + - high_severity - low_complexity - low_disruption - - medium_severity - no_reboot_needed - - restrict_strategy - - sshd_disable_gssapi_auth + - service_telnet_disabled -- name: Disable SSH Access via Empty Passwords - block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - 
create: false - regexp: (?i)^\s*PermitEmptyPasswords\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*PermitEmptyPasswords\s+ - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*PermitEmptyPasswords\s+ - line: PermitEmptyPasswords no - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s +- name: Unit Socket Exists - telnet.socket + command: systemctl list-unit-files telnet.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false when: + - service_telnet_disabled | bool + - disable_strategy | bool + - no_reboot_needed | bool - high_severity | bool - - low_complexity | bool - low_disruption | bool - - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_empty_passwords | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80896-4 - - CJIS-5.5.6 - - DISA-STIG-RHEL-08-020330 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - NIST-800-53-AC-17(a) + - CCE-80887-3 + - NIST-800-171-3.1.13 + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - NIST-800-53-IA-5(1)(c) + - disable_strategy - high_severity - low_complexity - low_disruption - no_reboot_needed - - restrict_strategy - - sshd_disable_empty_passwords + - service_telnet_disabled -- name: Disable Compression Or Set Compression to delayed - block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*Compression\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from 
/etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*Compression\s+ - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*Compression\s+ - line: Compression {{ var_sshd_disable_compression }} - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s +- name: Disable socket telnet + systemd: + name: telnet.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - service_telnet_disabled | bool + - disable_strategy | bool + - no_reboot_needed | bool + - high_severity | bool + - low_disruption | bool + - low_complexity | bool + - '"telnet.socket" in socket_file_exists.stdout_lines[1]' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CCE-80887-3 + - NIST-800-171-3.1.13 + - NIST-800-171-3.4.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-IA-5(1)(c) + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - service_telnet_disabled + +- name: Ensure xinetd is removed + package: + name: xinetd + state: absent when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - disable_strategy | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_compression | bool + - low_severity | bool + - package_xinetd_removed | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80895-6 - - DISA-STIG-RHEL-08-010510 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) + - CCE-80850-1 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - disable_strategy - low_complexity - low_disruption - - medium_severity + - low_severity - no_reboot_needed - - restrict_strategy - - 
sshd_disable_compression + - package_xinetd_removed -- name: Set SSH Client Alive Count Max to zero +- name: Disable service xinetd block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*ClientAliveCountMax\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*ClientAliveCountMax\s+ - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*ClientAliveCountMax\s+ - line: ClientAliveCountMax 0 - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s + - name: Gather the service facts + service_facts: null + - name: Disable service xinetd + systemd: + name: xinetd.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"xinetd.service" in ansible_facts.services' when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - disable_strategy | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_set_keepalive_0 | bool + - service_xinetd_disabled | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-83405-1 - - CJIS-5.5.6 - - DISA-STIG-RHEL-08-010200 - - NIST-800-171-3.1.11 - - NIST-800-53-AC-12 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-2(5) + - CCE-80888-1 + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) - - NIST-800-53-SC-10 - - PCI-DSS-Req-8.1.8 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy - - sshd_set_keepalive_0 + - service_xinetd_disabled -- name: Disable Kerberos Authentication - block: - 
- name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*KerberosAuthentication\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*KerberosAuthentication\s+ - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*KerberosAuthentication\s+ - line: KerberosAuthentication no - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s +- name: Unit Socket Exists - xinetd.socket + command: systemctl list-unit-files xinetd.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false when: - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - disable_strategy | bool - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_kerb_auth | bool + - service_xinetd_disabled | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80898-0 - - DISA-STIG-RHEL-08-010521 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) + - CCE-80888-1 + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) + - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy - - sshd_disable_kerb_auth + - service_xinetd_disabled -- name: Disable Host-Based Authentication - block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*HostbasedAuthentication\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values 
from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*HostbasedAuthentication\s+ - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - regexp: (?i)^\s*HostbasedAuthentication\s+ - line: HostbasedAuthentication no - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s +- name: Disable socket xinetd + systemd: + name: xinetd.socket + enabled: 'no' + state: stopped + masked: 'yes' when: - - disable_host_auth | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool + - disable_strategy | bool - no_reboot_needed | bool - - restrict_strategy | bool + - service_xinetd_disabled | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - '"xinetd.socket" in socket_file_exists.stdout_lines[1]' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80786-7 - - CJIS-5.5.6 - - NIST-800-171-3.1.12 - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-3 + - CCE-80888-1 + - NIST-800-171-3.4.7 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - disable_host_auth + - disable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy + - service_xinetd_disabled -- name: Disable SSH Root Login - block: - - name: Check for duplicate values - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*PermitRootLogin\s+ - state: absent - check_mode: true - changed_when: false - register: dupes - - name: Deduplicate values from /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: false - regexp: (?i)^\s*PermitRootLogin\s+ - state: absent - when: dupes.found is defined and dupes.found > 1 - - name: Insert correct line to /etc/ssh/sshd_config - lineinfile: - path: /etc/ssh/sshd_config - create: true - 
regexp: (?i)^\s*PermitRootLogin\s+ - line: PermitRootLogin no - state: present - insertbefore: ^[#\s]*Match - validate: /usr/sbin/sshd -t -f %s +- name: Ensure talk is removed + package: + name: talk + state: absent + tags: + - CCE-80848-5 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_talk_removed when: - - low_complexity | bool + - disable_strategy | bool + - no_reboot_needed | bool + - package_talk_removed | bool + - medium_severity | bool - low_disruption | bool + - low_complexity | bool + +- name: Ensure talk-server is removed + package: + name: talk-server + state: absent + tags: + - CCE-82180-1 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_talk-server_removed + when: + - disable_strategy | bool + - no_reboot_needed | bool - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + +- name: Enable service crond + block: + - name: Gather the package facts + package_facts: + manager: auto + - name: Enable service crond + service: + name: crond + enabled: 'yes' + state: started + when: + - '"cronie" in ansible_facts.packages' + when: - no_reboot_needed | bool - - restrict_strategy | bool - - sshd_disable_root_login | bool + - medium_severity | bool + - service_crond_enabled | bool + - enable_strategy | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80901-2 - - CJIS-5.5.6 - - DISA-STIG-RHEL-08-010550 - - NIST-800-171-3.1.1 - - NIST-800-171-3.1.5 - - NIST-800-53- - - NIST-800-53-AC-17(a) - - NIST-800-53-AC-6(2) + - CCE-80875-8 - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-IA-2 - - NIST-800-53-IA-2(5) + - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - - restrict_strategy - - sshd_disable_root_login + - service_crond_enabled -- 
name: Disable service kdump +- name: Disable service zebra block: - name: Gather the service facts service_facts: null - - name: Disable service kdump + - name: Disable service zebra systemd: - name: kdump.service + name: zebra.service enabled: 'no' state: stopped masked: 'yes' - when: '"kdump.service" in ansible_facts.services' + when: '"zebra.service" in ansible_facts.services' when: - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_kdump_disabled | bool + - medium_severity | bool + - low_disruption | bool + - service_zebra_disabled | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80878-2 - - DISA-STIG-RHEL-08-010670 + - CCE-80889-9 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) @@ -16766,10 +16528,10 @@ - low_disruption - medium_severity - no_reboot_needed - - service_kdump_disabled + - service_zebra_disabled -- name: Unit Socket Exists - kdump.socket - command: systemctl list-unit-files kdump.socket +- name: Unit Socket Exists - zebra.socket + command: systemctl list-unit-files zebra.socket args: warn: false register: socket_file_exists @@ -16778,15 +16540,14 @@ check_mode: false when: - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_kdump_disabled | bool + - medium_severity | bool + - low_disruption | bool + - service_zebra_disabled | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80878-2 - - DISA-STIG-RHEL-08-010670 + - CCE-80889-9 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) 
@@ -16795,82 +16556,56 @@ - low_disruption - medium_severity - no_reboot_needed - - service_kdump_disabled + - service_zebra_disabled -- name: Disable socket kdump +- name: Disable socket zebra systemd: - name: kdump.socket + name: zebra.socket enabled: 'no' state: stopped masked: 'yes' when: - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_kdump_disabled | bool - - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"kdump.socket" in socket_file_exists.stdout_lines[1]' - tags: - - CCE-80878-2 - - DISA-STIG-RHEL-08-010670 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - service_kdump_disabled - -- name: Ensure xinetd is removed - package: - name: xinetd - state: absent - when: - - disable_strategy | bool - - low_complexity | bool + - medium_severity | bool - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_xinetd_removed | bool + - service_zebra_disabled | bool + - low_complexity | bool + - '"zebra.socket" in socket_file_exists.stdout_lines[1]' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80850-1 + - CCE-80889-9 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - disable_strategy - low_complexity - low_disruption - - low_severity + - medium_severity - no_reboot_needed - - package_xinetd_removed + - service_zebra_disabled -- name: Disable service xinetd +- name: Disable service kdump block: - name: Gather the service facts service_facts: null - - name: Disable service xinetd + - name: Disable service kdump systemd: - name: xinetd.service + name: kdump.service enabled: 'no' state: stopped masked: 'yes' - when: '"xinetd.service" in ansible_facts.services' + when: '"kdump.service" in 
ansible_facts.services' when: - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_xinetd_disabled | bool + - service_kdump_disabled | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80888-1 - - NIST-800-171-3.4.7 + - CCE-80878-2 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) @@ -16879,10 +16614,10 @@ - low_disruption - medium_severity - no_reboot_needed - - service_xinetd_disabled + - service_kdump_disabled -- name: Unit Socket Exists - xinetd.socket - command: systemctl list-unit-files xinetd.socket +- name: Unit Socket Exists - kdump.socket + command: systemctl list-unit-files kdump.socket args: warn: false register: socket_file_exists @@ -16891,15 +16626,14 @@ check_mode: false when: - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_xinetd_disabled | bool + - service_kdump_disabled | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80888-1 - - NIST-800-171-3.4.7 + - CCE-80878-2 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) 
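Review bot: In the `Disable socket zebra` task the new condition `'"zebra.socket" in socket_file_exists.stdout_lines[1]'` is now listed before the `ansible_virtualization_type not in [...]` guard, while the `Unit Socket Exists - zebra.socket` task that registers `socket_file_exists` is itself skipped under that same guard. Ansible evaluates a `when` list item by item and stops at the first false one, so on a container host the registered variable has no `stdout_lines` attribute and this conditional fails with an error instead of the task being skipped; the removed kdump task had the virtualization guard ahead of the socket check. Keep `ansible_virtualization_type not in [...]` before the `socket_file_exists` condition, or guard it as `'socket_file_exists.stdout_lines is defined and "zebra.socket" in socket_file_exists.stdout_lines[1]'`. The same ordering appears in the `Disable socket kdump` task in the later `@@ -16908` hunk. Separately, indexing `stdout_lines[1]` presumes a header line is always present; if `systemctl list-unit-files` emits only a single summary line when the unit is absent, that index is out of range and the task errors rather than skips.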
@@ -16908,26 +16642,25 @@ - low_disruption - medium_severity - no_reboot_needed - - service_xinetd_disabled + - service_kdump_disabled -- name: Disable socket xinetd +- name: Disable socket kdump systemd: - name: xinetd.socket + name: kdump.socket enabled: 'no' state: stopped masked: 'yes' when: - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - no_reboot_needed | bool - - service_xinetd_disabled | bool + - service_kdump_disabled | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - '"kdump.socket" in socket_file_exists.stdout_lines[1]' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"xinetd.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-80888-1 - - NIST-800-171-3.4.7 + - CCE-80878-2 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) 
@@ -16936,429 +16669,439 @@ - low_disruption - medium_severity - no_reboot_needed - - service_xinetd_disabled - -- name: Ensure rsh-server is removed - package: - name: rsh-server - state: absent - tags: - - CCE-82184-3 - - DISA-STIG-RHEL-08-040010 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - disable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - package_rsh-server_removed - when: - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - - no_reboot_needed | bool + - service_kdump_disabled -- name: Disable service rexec +- name: Disable SSH Access via Empty Passwords block: - - name: Gather the service facts - service_facts: null - - name: Disable service rexec - systemd: - name: rexec.service - enabled: 'no' - state: stopped - masked: 'yes' - when: '"rexec.service" in ansible_facts.services' + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitEmptyPasswords\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: PermitEmptyPasswords no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - sshd_disable_empty_passwords | bool - high_severity | bool - - low_complexity | bool - low_disruption | bool - - no_reboot_needed | bool - - service_rexec_disabled | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80884-0 - - NIST-800-171-3.1.13 - - NIST-800-171-3.4.7 + - CCE-80896-4 + - CJIS-5.5.6 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - 
disable_strategy - high_severity - low_complexity - low_disruption - no_reboot_needed - - service_rexec_disabled + - restrict_strategy + - sshd_disable_empty_passwords -- name: Unit Socket Exists - rexec.socket - command: systemctl list-unit-files rexec.socket - args: - warn: false - register: socket_file_exists - changed_when: false - ignore_errors: true - check_mode: false +- name: Set SSH Client Alive Count Max + block: + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveCountMax\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: ClientAliveCountMax 0 + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - no_reboot_needed | bool - - service_rexec_disabled | bool + - restrict_strategy | bool + - medium_severity | bool + - sshd_set_keepalive | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80884-0 - - NIST-800-171-3.1.13 - - NIST-800-171-3.4.7 + - CCE-80907-9 + - CJIS-5.5.6 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - disable_strategy - - high_severity + - NIST-800-53-SC-10 - low_complexity - low_disruption + - medium_severity - no_reboot_needed - - service_rexec_disabled + - restrict_strategy + - sshd_set_keepalive -- name: Disable socket rexec - systemd: - name: rexec.socket - enabled: 'no' - state: stopped - masked: 'yes' +- name: Enable SSH Warning Banner + block: + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: 
(?i)^\s*Banner\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: Banner /etc/issue + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool + - sshd_enable_warning_banner | bool - no_reboot_needed | bool - - service_rexec_disabled | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"rexec.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-80884-0 - - NIST-800-171-3.1.13 - - NIST-800-171-3.4.7 + - CCE-80905-3 + - CJIS-5.5.6 + - NIST-800-171-3.1.9 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - disable_strategy - - high_severity - low_complexity - low_disruption + - medium_severity - no_reboot_needed - - service_rexec_disabled + - restrict_strategy + - sshd_enable_warning_banner -- name: Disable service rlogin +- name: Disable Kerberos Authentication block: - - name: Gather the service facts - service_facts: null - - name: Disable service rlogin - systemd: - name: rlogin.service - enabled: 'no' - state: stopped - masked: 'yes' - when: '"rlogin.service" in ansible_facts.services' + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*KerberosAuthentication\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: KerberosAuthentication no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - 
low_disruption | bool - no_reboot_needed | bool - - service_rlogin_disabled | bool + - restrict_strategy | bool + - medium_severity | bool + - sshd_disable_kerb_auth | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80885-7 - - NIST-800-171-3.1.13 - - NIST-800-171-3.4.7 + - CCE-80898-0 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - disable_strategy - - high_severity - low_complexity - low_disruption + - medium_severity - no_reboot_needed - - service_rlogin_disabled + - restrict_strategy + - sshd_disable_kerb_auth -- name: Unit Socket Exists - rlogin.socket - command: systemctl list-unit-files rlogin.socket - args: - warn: false - register: socket_file_exists - changed_when: false - ignore_errors: true - check_mode: false +- name: Allow Only SSH Protocol 2 + block: + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*Protocol\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: Protocol 2 + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | bool + - no_reboot_needed | bool + - restrict_strategy | bool - high_severity | bool - low_complexity | bool - low_disruption | bool - - no_reboot_needed | bool - - service_rlogin_disabled | bool + - sshd_allow_only_protocol2 | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80885-7 + - CCE-80894-9 + - CJIS-5.5.6 - NIST-800-171-3.1.13 - - NIST-800-171-3.4.7 + - NIST-800-171-3.5.4 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - NIST-800-53-IA-5(1)(c) - - disable_strategy + - 
NIST-800-53-MA-4(6) + - NIST-800-53-SC-13 - high_severity - low_complexity - low_disruption - no_reboot_needed - - service_rlogin_disabled + - restrict_strategy + - sshd_allow_only_protocol2 -- name: Disable socket rlogin - systemd: - name: rlogin.socket - enabled: 'no' - state: stopped - masked: 'yes' +- name: Do Not Allow SSH Environment Options + block: + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitUserEnvironment\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: PermitUserEnvironment no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - no_reboot_needed | bool - - service_rlogin_disabled | bool + - restrict_strategy | bool + - medium_severity | bool + - sshd_do_not_permit_user_env | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"rlogin.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-80885-7 - - NIST-800-171-3.1.13 - - NIST-800-171-3.4.7 + - CCE-80903-8 + - CJIS-5.5.6 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - disable_strategy - - high_severity - low_complexity - low_disruption + - medium_severity - no_reboot_needed - - service_rlogin_disabled + - restrict_strategy + - sshd_do_not_permit_user_env -- block: - - name: Detect shosts.equiv Files on the System - find: - paths: / - recurse: true - patterns: shosts.equiv - check_mode: false - register: shosts_equiv_locations - - name: Remove Rsh Trust Files - file: - path: '{{ item.path }}' +- name: Disable Host-Based Authentication + block: + - name: Deduplicate values from 
/etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*HostbasedAuthentication\s+ state: absent - with_items: '{{ shosts_equiv_locations.files }}' - when: shosts_equiv_locations - tags: - - CCE-80842-8 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - no_rsh_trust_files - - restrict_strategy + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: HostbasedAuthentication no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - no_reboot_needed | bool - - no_rsh_trust_files | bool - restrict_strategy | bool - -- name: Ensure telnet-server is removed - package: - name: telnet-server - state: absent + - medium_severity | bool + - disable_host_auth | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-82182-7 - - DISA-STIG-RHEL-08-040000 + - CCE-80786-7 + - CJIS-5.5.6 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-3 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - disable_strategy - - high_severity + - disable_host_auth - low_complexity - low_disruption + - medium_severity - no_reboot_needed - - package_telnet-server_removed + - restrict_strategy + +- name: Enable Use of Strict Mode Checking + block: + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*StrictModes\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: StrictModes yes + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | 
bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - no_reboot_needed | bool - -- name: Ensure telnet is removed - package: - name: telnet - state: absent + - sshd_enable_strictmodes | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80849-3 - - NIST-800-171-3.1.13 - - disable_strategy + - CCE-80904-6 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6 + - NIST-800-53-CM-6(a) - low_complexity - low_disruption - - low_severity + - medium_severity - no_reboot_needed - - package_telnet_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - low_severity | bool - - no_reboot_needed | bool - - package_telnet_removed | bool + - restrict_strategy + - sshd_enable_strictmodes -- name: Disable service telnet +- name: Disable GSSAPI Authentication block: - - name: Gather the service facts - service_facts: null - - name: Disable service telnet - systemd: - name: telnet.service - enabled: 'no' - state: stopped - masked: 'yes' - when: '"telnet.service" in ansible_facts.services' + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*GSSAPIAuthentication\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: GSSAPIAuthentication no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool - no_reboot_needed | bool - - service_telnet_disabled | bool + - restrict_strategy | bool + - medium_severity | bool + - sshd_disable_gssapi_auth | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80887-3 - - NIST-800-171-3.1.13 - - NIST-800-171-3.4.7 + - CCE-80897-2 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - disable_strategy - - high_severity - low_complexity - low_disruption + - medium_severity - no_reboot_needed - - service_telnet_disabled + - restrict_strategy + - sshd_disable_gssapi_auth -- name: Unit Socket Exists - telnet.socket - command: systemctl list-unit-files telnet.socket - args: - warn: false - register: socket_file_exists - changed_when: false - ignore_errors: true - check_mode: false +- name: Disable Compression Or Set Compression to delayed + block: + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*Compression\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: Compression {{ var_sshd_disable_compression }} + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | bool - - high_severity | bool - - low_complexity | bool - - low_disruption | bool + - sshd_disable_compression | bool - no_reboot_needed | bool - - service_telnet_disabled | bool + - restrict_strategy | bool + - medium_severity | bool + - low_disruption | bool + - low_complexity | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - - CCE-80887-3 - - NIST-800-171-3.1.13 - - NIST-800-171-3.4.7 + - CCE-80895-6 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - disable_strategy - - high_severity - low_complexity - low_disruption + - medium_severity - no_reboot_needed - - service_telnet_disabled + - restrict_strategy + - sshd_disable_compression -- name: Disable 
socket telnet - systemd: - name: telnet.socket - enabled: 'no' - state: stopped - masked: 'yes' +- name: Disable SSH Root Login + block: + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitRootLogin\s+ + state: absent + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + line: PermitRootLogin no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s when: - - disable_strategy | bool - - high_severity | bool + - no_reboot_needed | bool + - restrict_strategy | bool + - medium_severity | bool - low_complexity | bool - low_disruption | bool - - no_reboot_needed | bool - - service_telnet_disabled | bool + - sshd_disable_root_login | bool - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - - '"telnet.socket" in socket_file_exists.stdout_lines[1]' tags: - - CCE-80887-3 - - NIST-800-171-3.1.13 - - NIST-800-171-3.4.7 + - CCE-80901-2 + - CJIS-5.5.6 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53- + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(2) - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - - NIST-800-53-IA-5(1)(c) - - disable_strategy - - high_severity - - low_complexity - - low_disruption - - no_reboot_needed - - service_telnet_disabled - -- name: Ensure talk-server is removed - package: - name: talk-server - state: absent - tags: - - CCE-82180-1 - - disable_strategy - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - package_talk-server_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - -- name: Ensure talk is removed - package: - name: talk - state: absent - tags: - - CCE-80848-5 - - disable_strategy + - NIST-800-53-IA-2 + - NIST-800-53-IA-2(5) - low_complexity - low_disruption - medium_severity - 
no_reboot_needed - - package_talk_removed - when: - - disable_strategy | bool - - low_complexity | bool - - low_disruption | bool - - medium_severity | bool - - no_reboot_needed | bool - - package_talk_removed | bool + - restrict_strategy + - sshd_disable_root_login