From b607190752d5a8a20445110eb5ab8f553c4d2985 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Wed, 7 Feb 2024 20:49:20 -0500 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 1192 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 991 insertions(+), 201 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 5ea34e8..384c131 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,6 +3,7 @@ name: aide state: present when: + - DISA_STIG_RHEL_09_651010 | bool - enable_strategy | bool - low_complexity | bool - low_disruption | bool @@ -13,6 +14,7 @@ tags: - CCE-90843-4 - CJIS-5.10.1.3 + - DISA-STIG-RHEL-09-651010 - NIST-800-53-CM-6(a) - PCI-DSS-Req-11.5 - PCI-DSSv4-11.5.2 @@ -134,6 +136,7 @@ with_items: - aide when: + - DISA_STIG_RHEL_09_651015 | bool - aide_periodic_cron_checking | bool - low_complexity | bool - low_disruption | bool @@ -144,6 +147,7 @@ tags: - CCE-83437-4 - CJIS-5.10.1.3 + - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -160,6 +164,7 @@ set_fact: cron_pkg_name: cronie when: + - DISA_STIG_RHEL_09_651015 | bool - aide_periodic_cron_checking | bool - low_complexity | bool - low_disruption | bool @@ -171,6 +176,7 @@ tags: - CCE-83437-4 - CJIS-5.10.1.3 + - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -187,6 +193,7 @@ set_fact: cron_pkg_name: cron when: + - DISA_STIG_RHEL_09_651015 | bool - aide_periodic_cron_checking | bool - low_complexity | bool - low_disruption | bool @@ -198,6 +205,7 @@ tags: - CCE-83437-4 - CJIS-5.10.1.3 + - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -215,6 +223,7 @@ name: '{{ cron_pkg_name }}' state: present when: + - DISA_STIG_RHEL_09_651015 | bool - aide_periodic_cron_checking | bool - low_complexity | bool - low_disruption | bool 
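Review bot: The new first condition `- DISA_STIG_RHEL_09_651010 | bool` in the `when:` list of the aide install task (first hunk) depends on a variable this commit does not define; the diffstat lists only tasks/main.yml. If the role's defaults are not updated elsewhere, an undefined name in `when` makes the task fail, and a false value skips the control even when the rule's own toggle (for example `aide_periodic_cron_checking` in the next hunk) is true, so a host can miss the hardening with the task reported only as skipped. Consider `- DISA_STIG_RHEL_09_651010 | default(true) | bool`, or a comment above the list stating that either toggle disables the task. The same guard pattern repeats in the other hunks of this patch (`DISA_STIG_RHEL_09_651015`, `_651030`, `_432010`, `_411075` and the rest). The task bodies start outside the hunks.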
@@ -225,6 +234,7 @@ tags: - CCE-83437-4 - CJIS-5.10.1.3 + - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -246,6 +256,7 @@ user: root job: /usr/sbin/aide --check when: + - DISA_STIG_RHEL_09_651015 | bool - aide_periodic_cron_checking | bool - low_complexity | bool - low_disruption | bool @@ -256,6 +267,7 @@ tags: - CCE-83437-4 - CJIS-5.10.1.3 + - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -275,6 +287,7 @@ with_items: - aide when: + - DISA_STIG_RHEL_09_651015 | bool - aide_scan_notification | bool - low_complexity | bool - low_disruption | bool @@ -284,6 +297,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90844-2 + - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-3(5) - NIST-800-53-CM-6(a) - aide_scan_notification @@ -302,6 +316,7 @@ user: root job: /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" {{ var_aide_scan_notification_email }} when: + - DISA_STIG_RHEL_09_651015 | bool - aide_scan_notification | bool - low_complexity | bool - low_disruption | bool @@ -311,6 +326,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90844-2 + - DISA-STIG-RHEL-09-651015 - NIST-800-53-CM-3(5) - NIST-800-53-CM-6(a) - aide_scan_notification @@ -324,6 +340,7 @@ package_facts: manager: auto when: + - DISA_STIG_RHEL_09_651030 | bool - aide_verify_acls | bool - low_complexity | bool - low_disruption | bool @@ -334,6 +351,7 @@ - '' tags: - CCE-90837-6 + - DISA-STIG-RHEL-09-651030 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -352,6 +370,7 @@ ' when: + - DISA_STIG_RHEL_09_651030 | bool - aide_verify_acls | bool - low_complexity | bool - low_disruption | bool @@ -363,6 +382,7 @@ register: find_rules_groups_results tags: - CCE-90837-6 + - DISA-STIG-RHEL-09-651030 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) 
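Review bot: In the hunk at `@@ -302,6 +316,7 @@`, the context line `job: /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" {{ var_aide_scan_notification_email }}` renders the address unquoted into a command that cron runs as root (`user: root`), and the commit leaves it unchanged. A value containing whitespace or shell metacharacters would alter what that crontab entry executes, so the variable needs the same care as code. Quoting at render time, `{{ var_aide_scan_notification_email | quote }}`, keeps it a single argument to /bin/mail; checking that it is a plain address before the task runs is a further option. The task starts above the hunk, so the cron module's other arguments are not visible here.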
@@ -379,6 +399,7 @@ regexp: (^\s*{{ item }}\s*=\s*)(?!.*acl)([^\s]*) replace: \g<1>\g<2>+acl when: + - DISA_STIG_RHEL_09_651030 | bool - aide_verify_acls | bool - low_complexity | bool - low_disruption | bool @@ -390,6 +411,7 @@ with_items: '{{ find_rules_groups_results.stdout_lines | map(''trim'') | list }}' tags: - CCE-90837-6 + - DISA-STIG-RHEL-09-651030 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -404,6 +426,7 @@ package_facts: manager: auto when: + - DISA_STIG_RHEL_09_651035 | bool - aide_verify_ext_attributes | bool - low_complexity | bool - low_disruption | bool @@ -414,6 +437,7 @@ - '' tags: - CCE-83439-0 + - DISA-STIG-RHEL-09-651035 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -432,6 +456,7 @@ ' when: + - DISA_STIG_RHEL_09_651035 | bool - aide_verify_ext_attributes | bool - low_complexity | bool - low_disruption | bool @@ -443,6 +468,7 @@ register: find_rules_groups_results tags: - CCE-83439-0 + - DISA-STIG-RHEL-09-651035 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -459,6 +485,7 @@ regexp: (^\s*{{ item }}\s*=\s*)(?!.*xattrs)([^\s]*) replace: \g<1>\g<2>+xattrs when: + - DISA_STIG_RHEL_09_651035 | bool - aide_verify_ext_attributes | bool - low_complexity | bool - low_disruption | bool @@ -470,6 +497,7 @@ with_items: '{{ find_rules_groups_results.stdout_lines | map(''trim'') | list }}' tags: - CCE-83439-0 + - DISA-STIG-RHEL-09-651035 - NIST-800-53-CM-6(a) - NIST-800-53-SI-7 - NIST-800-53-SI-7(1) @@ -485,6 +513,7 @@ name: sudo state: present when: + - DISA_STIG_RHEL_09_432010 | bool - enable_strategy | bool - low_complexity | bool - low_disruption | bool @@ -494,8 +523,9 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83523-1 + - DISA-STIG-RHEL-09-432010 - NIST-800-53-CM-6(a) - - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-2.2.6 - enable_strategy - low_complexity - low_disruption 
@@ -553,7 +583,7 @@ tags: - CCE-83538-9 - PCI-DSS-Req-10.2.5 - - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity @@ -585,7 +615,7 @@ tags: - CCE-83538-9 - PCI-DSS-Req-10.2.5 - - PCI-DSSv4-10.2.1.5 + - PCI-DSSv4-2.2.6 - low_complexity - low_disruption - medium_severity @@ -594,12 +624,13 @@ - sudo_add_use_pty - name: Find /etc/sudoers.d/ files - find: + ansible.builtin.find: paths: - /etc/sudoers.d/ register: sudoers tags: - CCE-83544-7 + - DISA-STIG-RHEL-09-432025 - NIST-800-53-CM-6(a) - NIST-800-53-IA-11 - low_complexity @@ -609,6 +640,7 @@ - restrict_strategy - sudo_remove_no_authenticate when: + - DISA_STIG_RHEL_09_432025 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -617,7 +649,7 @@ - sudo_remove_no_authenticate | bool - name: Remove lines containing !authenticate from sudoers files - replace: + ansible.builtin.replace: regexp: (^(?!#).*[\s]+\!authenticate.*$) replace: '# \g<1>' path: '{{ item.path }}' @@ -627,6 +659,7 @@ - '{{ sudoers.files }}' tags: - CCE-83544-7 + - DISA-STIG-RHEL-09-432025 - NIST-800-53-CM-6(a) - NIST-800-53-IA-11 - low_complexity @@ -636,6 +669,7 @@ - restrict_strategy - sudo_remove_no_authenticate when: + - DISA_STIG_RHEL_09_432025 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -644,12 +678,13 @@ - sudo_remove_no_authenticate | bool - name: Find /etc/sudoers.d/ files - find: + ansible.builtin.find: paths: - /etc/sudoers.d/ register: sudoers tags: - CCE-83536-3 + - DISA-STIG-RHEL-09-611085 - NIST-800-53-CM-6(a) - NIST-800-53-IA-11 - low_complexity @@ -659,6 +694,7 @@ - restrict_strategy - sudo_remove_nopasswd when: + - DISA_STIG_RHEL_09_611085 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool 
@@ -667,7 +703,7 @@ - sudo_remove_nopasswd | bool - name: Remove lines containing NOPASSWD from sudoers files - replace: + ansible.builtin.replace: regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$) replace: '# \g<1>' path: '{{ item.path }}' @@ -677,6 +713,7 @@ - '{{ sudoers.files }}' tags: - CCE-83536-3 + - DISA-STIG-RHEL-09-611085 - NIST-800-53-CM-6(a) - NIST-800-53-IA-11 - low_complexity @@ -686,6 +723,7 @@ - restrict_strategy - sudo_remove_nopasswd when: + - DISA_STIG_RHEL_09_611085 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -719,6 +757,7 @@ tags: - CCE-83457-2 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214015 - NIST-800-171-3.4.8 - NIST-800-53-CM-11(a) - NIST-800-53-CM-11(b) @@ -738,6 +777,7 @@ - medium_disruption - no_reboot_needed when: + - DISA_STIG_RHEL_09_214015 | bool - configure_strategy | bool - ensure_gpgcheck_globally_activated | bool - high_severity | bool @@ -754,6 +794,7 @@ no_extra_spaces: true create: false when: + - DISA_STIG_RHEL_09_214015 | bool - configure_strategy | bool - ensure_gpgcheck_globally_activated | bool - high_severity | bool @@ -764,6 +805,7 @@ tags: - CCE-83457-2 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214015 - NIST-800-171-3.4.8 - NIST-800-53-CM-11(a) - NIST-800-53-CM-11(b) @@ -788,6 +830,7 @@ manager: auto tags: - CCE-83463-0 + - DISA-STIG-RHEL-09-214020 - NIST-800-171-3.4.8 - NIST-800-53-CM-11(a) - NIST-800-53-CM-11(b) @@ -802,6 +845,7 @@ - no_reboot_needed - unknown_strategy when: + - DISA_STIG_RHEL_09_214020 | bool - ensure_gpgcheck_local_packages | bool - high_severity | bool - low_complexity | bool @@ -829,6 +873,7 @@ no_extra_spaces: true create: true when: + - DISA_STIG_RHEL_09_214020 | bool - ensure_gpgcheck_local_packages | bool - high_severity | bool - low_complexity | bool @@ -838,6 +883,7 @@ - '"yum" in ansible_facts.packages' tags: - CCE-83463-0 + - DISA-STIG-RHEL-09-214020 - NIST-800-171-3.4.8 - NIST-800-53-CM-11(a) - NIST-800-53-CM-11(b) 
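Review bot: The pattern kept in the first hunk here, `regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)`, only matches when whitespace comes directly before `NOPASSWD`, so a sudoers entry written as `ALL=NOPASSWD: ...` would be left active after remediation. The commit only switches the module name to `ansible.builtin.replace`, so the gap predates it, but it is worth closing while the task is touched: `regexp: (^(?!#).*\bNOPASSWD[\s]*\:.*$)`. The `!authenticate` pattern in the hunk at `@@ -617,7 +649,7 @@` has the same leading-whitespace requirement and may miss an entry inside a comma-separated Defaults list; that should be checked against sudoers syntax. The rest of the task (loop source and any `validate:` line) lies outside the hunk.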
@@ -864,6 +910,7 @@ tags: - CCE-83464-8 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214025 - NIST-800-171-3.4.8 - NIST-800-53-CM-11(a) - NIST-800-53-CM-11(b) @@ -883,6 +930,7 @@ - medium_disruption - no_reboot_needed when: + - DISA_STIG_RHEL_09_214025 | bool - enable_strategy | bool - ensure_gpgcheck_never_disabled | bool - high_severity | bool @@ -901,6 +949,7 @@ tags: - CCE-83464-8 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214025 - NIST-800-171-3.4.8 - NIST-800-53-CM-11(a) - NIST-800-53-CM-11(b) @@ -920,6 +969,7 @@ - medium_disruption - no_reboot_needed when: + - DISA_STIG_RHEL_09_214025 | bool - enable_strategy | bool - ensure_gpgcheck_never_disabled | bool - high_severity | bool @@ -935,6 +985,7 @@ tags: - CCE-84180-9 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214010 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) @@ -942,6 +993,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity @@ -949,6 +1001,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_214010 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool @@ -964,6 +1017,7 @@ tags: - CCE-84180-9 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214010 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) @@ -971,6 +1025,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity @@ -978,6 +1033,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_214010 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool @@ -993,6 +1049,7 @@ tags: - CCE-84180-9 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214010 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) 
@@ -1000,6 +1057,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity @@ -1007,6 +1065,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_214010 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool @@ -1020,6 +1079,7 @@ tags: - CCE-84180-9 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214010 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) @@ -1027,6 +1087,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity @@ -1034,6 +1095,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_214010 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool @@ -1046,6 +1108,7 @@ state: present key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release when: + - DISA_STIG_RHEL_09_214010 | bool - ensure_redhat_gpgkey_installed | bool - high_severity | bool - medium_complexity | bool @@ -1059,6 +1122,7 @@ tags: - CCE-84180-9 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-214010 - NIST-800-171-3.4.8 - NIST-800-53-CM-5(3) - NIST-800-53-CM-6(a) @@ -1066,6 +1130,7 @@ - NIST-800-53-SC-12(3) - NIST-800-53-SI-7 - PCI-DSS-Req-6.2 + - PCI-DSSv4-6.3.3 - ensure_redhat_gpgkey_installed - high_severity - medium_complexity @@ -1080,6 +1145,7 @@ tags: - CCE-84185-8 - CJIS-5.10.4.1 + - DISA-STIG-RHEL-09-211015 - NIST-800-53-CM-6(a) - NIST-800-53-SI-2(5) - NIST-800-53-SI-2(c) @@ -1093,6 +1159,7 @@ - security_patches_up_to_date - skip_ansible_lint when: + - DISA_STIG_RHEL_09_211015 | bool - high_disruption | bool - low_complexity | bool - medium_severity | bool @@ -1959,6 +2026,7 @@ tags: - CCE-83587-6 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411075 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) 
@@ -1971,6 +2039,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_411075 | bool - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool - low_disruption | bool @@ -1983,6 +2052,7 @@ path: /usr/bin/authselect register: result_authselect_present when: + - DISA_STIG_RHEL_09_411075 | bool - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool - low_disruption | bool @@ -1993,6 +2063,7 @@ tags: - CCE-83587-6 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411075 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) @@ -2046,6 +2117,7 @@ - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: + - DISA_STIG_RHEL_09_411075 | bool - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool - low_disruption | bool @@ -2057,6 +2129,7 @@ tags: - CCE-83587-6 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411075 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) @@ -2113,6 +2186,7 @@ when: - result_pam_faillock_is_enabled.found == 0 when: + - DISA_STIG_RHEL_09_411075 | bool - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool - low_disruption | bool @@ -2124,6 +2198,7 @@ tags: - CCE-83587-6 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411075 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) @@ -2141,6 +2216,7 @@ path: /etc/security/faillock.conf register: result_faillock_conf_check when: + - DISA_STIG_RHEL_09_411075 | bool - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool - low_disruption | bool @@ -2151,6 +2227,7 @@ tags: - CCE-83587-6 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411075 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) @@ -2170,6 +2247,7 @@ line: deny = {{ var_accounts_passwords_pam_faillock_deny }} state: present when: + - DISA_STIG_RHEL_09_411075 | bool - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool - low_disruption | bool 
@@ -2181,6 +2259,7 @@ tags: - CCE-83587-6 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411075 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) @@ -2460,6 +2539,7 @@ when: - result_pam_file_present.stat.exists when: + - DISA_STIG_RHEL_09_411075 | bool - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool - low_disruption | bool @@ -2471,6 +2551,7 @@ tags: - CCE-83587-6 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411075 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) @@ -2547,6 +2628,7 @@ when: - result_pam_faillock_deny_parameter_is_present.found > 0 when: + - DISA_STIG_RHEL_09_411075 | bool - accounts_passwords_pam_faillock_deny | bool - low_complexity | bool - low_disruption | bool @@ -2558,6 +2640,7 @@ tags: - CCE-83587-6 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411075 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) @@ -2575,6 +2658,7 @@ manager: auto tags: - CCE-83589-2 + - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) @@ -2585,6 +2669,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool @@ -2597,6 +2682,7 @@ path: /usr/bin/authselect register: result_authselect_present when: + - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool @@ -2606,6 +2692,7 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83589-2 + - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) @@ -2659,6 +2746,7 @@ - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: + - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool 
@@ -2669,6 +2757,7 @@ - result_authselect_present.stat.exists tags: - CCE-83589-2 + - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) @@ -2723,6 +2812,7 @@ when: - result_pam_faillock_is_enabled.found == 0 when: + - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool @@ -2733,6 +2823,7 @@ - not result_authselect_present.stat.exists tags: - CCE-83589-2 + - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) @@ -2748,6 +2839,7 @@ path: /etc/security/faillock.conf register: result_faillock_conf_check when: + - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool @@ -2757,6 +2849,7 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83589-2 + - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) @@ -2774,6 +2867,7 @@ line: even_deny_root state: present when: + - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool @@ -2784,6 +2878,7 @@ - result_faillock_conf_check.stat.exists tags: - CCE-83589-2 + - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) @@ -3072,6 +3167,7 @@ when: - result_pam_file_present.stat.exists when: + - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool @@ -3082,6 +3178,7 @@ - result_faillock_conf_check.stat.exists tags: - CCE-83589-2 + - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) @@ -3131,6 +3228,7 @@ when: - result_pam_faillock_even_deny_root_parameter_is_present.found == 0 when: + - DISA_STIG_RHEL_09_411080 | bool - accounts_passwords_pam_faillock_deny_root | bool - low_complexity | bool - low_disruption | bool 
@@ -3141,6 +3239,7 @@ - not result_faillock_conf_check.stat.exists tags: - CCE-83589-2 + - DISA-STIG-RHEL-09-411080 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) @@ -3156,6 +3255,7 @@ manager: auto tags: - CCE-83583-5 + - DISA-STIG-RHEL-09-411085 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval @@ -3165,6 +3265,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_411085 | bool - accounts_passwords_pam_faillock_interval | bool - low_complexity | bool - low_disruption | bool @@ -3177,6 +3278,7 @@ path: /usr/bin/authselect register: result_authselect_present when: + - DISA_STIG_RHEL_09_411085 | bool - accounts_passwords_pam_faillock_interval | bool - low_complexity | bool - low_disruption | bool @@ -3186,6 +3288,7 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83583-5 + - DISA-STIG-RHEL-09-411085 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval @@ -3238,6 +3341,7 @@ - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: + - DISA_STIG_RHEL_09_411085 | bool - accounts_passwords_pam_faillock_interval | bool - low_complexity | bool - low_disruption | bool @@ -3248,6 +3352,7 @@ - result_authselect_present.stat.exists tags: - CCE-83583-5 + - DISA-STIG-RHEL-09-411085 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval @@ -3301,6 +3406,7 @@ when: - result_pam_faillock_is_enabled.found == 0 when: + - DISA_STIG_RHEL_09_411085 | bool - accounts_passwords_pam_faillock_interval | bool - low_complexity | bool - low_disruption | bool @@ -3311,6 +3417,7 @@ - not result_authselect_present.stat.exists tags: - CCE-83583-5 + - DISA-STIG-RHEL-09-411085 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval 
@@ -3325,6 +3432,7 @@ path: /etc/security/faillock.conf register: result_faillock_conf_check when: + - DISA_STIG_RHEL_09_411085 | bool - accounts_passwords_pam_faillock_interval | bool - low_complexity | bool - low_disruption | bool @@ -3334,6 +3442,7 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83583-5 + - DISA-STIG-RHEL-09-411085 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval @@ -3350,6 +3459,7 @@ line: fail_interval = {{ var_accounts_passwords_pam_faillock_fail_interval }} state: present when: + - DISA_STIG_RHEL_09_411085 | bool - accounts_passwords_pam_faillock_interval | bool - low_complexity | bool - low_disruption | bool @@ -3360,6 +3470,7 @@ - result_faillock_conf_check.stat.exists tags: - CCE-83583-5 + - DISA-STIG-RHEL-09-411085 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval @@ -3645,6 +3756,7 @@ when: - result_pam_file_present.stat.exists when: + - DISA_STIG_RHEL_09_411085 | bool - accounts_passwords_pam_faillock_interval | bool - low_complexity | bool - low_disruption | bool @@ -3655,6 +3767,7 @@ - result_faillock_conf_check.stat.exists tags: - CCE-83583-5 + - DISA-STIG-RHEL-09-411085 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval @@ -3728,6 +3841,7 @@ when: - result_pam_faillock_fail_interval_parameter_is_present.found > 0 when: + - DISA_STIG_RHEL_09_411085 | bool - accounts_passwords_pam_faillock_interval | bool - low_complexity | bool - low_disruption | bool @@ -3738,6 +3852,7 @@ - not result_faillock_conf_check.stat.exists tags: - CCE-83583-5 + - DISA-STIG-RHEL-09-411085 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval @@ -3753,6 +3868,7 @@ tags: - CCE-83588-4 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) 
@@ -3765,6 +3881,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool @@ -3777,6 +3894,7 @@ path: /usr/bin/authselect register: result_authselect_present when: + - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool @@ -3787,6 +3905,7 @@ tags: - CCE-83588-4 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) @@ -3840,6 +3959,7 @@ - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: + - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool @@ -3851,6 +3971,7 @@ tags: - CCE-83588-4 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) @@ -3907,6 +4028,7 @@ when: - result_pam_faillock_is_enabled.found == 0 when: + - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool @@ -3918,6 +4040,7 @@ tags: - CCE-83588-4 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) @@ -3935,6 +4058,7 @@ path: /etc/security/faillock.conf register: result_faillock_conf_check when: + - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool @@ -3945,6 +4069,7 @@ tags: - CCE-83588-4 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) 
@@ -3964,6 +4089,7 @@ line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }} state: present when: + - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool @@ -3975,6 +4101,7 @@ tags: - CCE-83588-4 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) @@ -4256,6 +4383,7 @@ when: - result_pam_file_present.stat.exists when: + - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool @@ -4267,6 +4395,7 @@ tags: - CCE-83588-4 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) @@ -4343,6 +4472,7 @@ when: - result_pam_faillock_unlock_time_parameter_is_present.found > 0 when: + - DISA_STIG_RHEL_09_411090 | bool - accounts_passwords_pam_faillock_unlock_time | bool - low_complexity | bool - low_disruption | bool @@ -4354,6 +4484,7 @@ tags: - CCE-83588-4 - CJIS-5.5.3 + - DISA-STIG-RHEL-09-411090 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) @@ -4371,13 +4502,13 @@ manager: auto tags: - CCE-83566-0 + - DISA-STIG-RHEL-09-611070 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_dcredit - low_complexity - low_disruption @@ -4385,6 +4516,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_611070 | bool - accounts_password_pam_dcredit | bool - low_complexity | bool - low_disruption | bool @@ -4399,6 +4531,7 @@ regexp: ^#?\s*dcredit line: dcredit = {{ var_password_pam_dcredit }} when: + - DISA_STIG_RHEL_09_611070 | bool - accounts_password_pam_dcredit | bool - low_complexity | bool - low_disruption | bool 
@@ -4408,13 +4541,13 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83566-0 + - DISA-STIG-RHEL-09-611070 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_dcredit - low_complexity - low_disruption @@ -4427,13 +4560,13 @@ manager: auto tags: - CCE-83570-2 + - DISA-STIG-RHEL-09-611065 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_lcredit - low_complexity - low_disruption @@ -4441,6 +4574,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_611065 | bool - accounts_password_pam_lcredit | bool - low_complexity | bool - low_disruption | bool @@ -4455,6 +4589,7 @@ regexp: ^#?\s*lcredit line: lcredit = {{ var_password_pam_lcredit }} when: + - DISA_STIG_RHEL_09_611065 | bool - accounts_password_pam_lcredit | bool - low_complexity | bool - low_disruption | bool @@ -4464,13 +4599,13 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83570-2 + - DISA-STIG-RHEL-09-611065 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_lcredit - low_complexity - low_disruption @@ -4484,13 +4619,13 @@ tags: - CCE-83579-3 - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-09-611090 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_minlen - low_complexity - low_disruption @@ -4498,6 +4633,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_611090 | bool - accounts_password_pam_minlen | bool - low_complexity | bool - low_disruption | bool 
@@ -4512,6 +4648,7 @@ regexp: ^#?\s*minlen line: minlen = {{ var_password_pam_minlen }} when: + - DISA_STIG_RHEL_09_611090 | bool - accounts_password_pam_minlen | bool - low_complexity | bool - low_disruption | bool @@ -4522,13 +4659,13 @@ tags: - CCE-83579-3 - CJIS-5.6.2.1.1 + - DISA-STIG-RHEL-09-611090 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_minlen - low_complexity - low_disruption @@ -4541,6 +4678,7 @@ manager: auto tags: - CCE-83565-2 + - DISA-STIG-RHEL-09-611100 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) @@ -4552,6 +4690,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_611100 | bool - accounts_password_pam_ocredit | bool - low_complexity | bool - low_disruption | bool @@ -4566,6 +4705,7 @@ regexp: ^#?\s*ocredit line: ocredit = {{ var_password_pam_ocredit }} when: + - DISA_STIG_RHEL_09_611100 | bool - accounts_password_pam_ocredit | bool - low_complexity | bool - low_disruption | bool @@ -4575,6 +4715,7 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83565-2 + - DISA-STIG-RHEL-09-611100 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) @@ -4591,13 +4732,12 @@ manager: auto tags: - CCE-83568-6 + - DISA-STIG-RHEL-09-611110 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_ucredit - low_complexity - low_disruption @@ -4605,6 +4745,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_611110 | bool - accounts_password_pam_ucredit | bool - low_complexity | bool - low_disruption | bool @@ -4619,6 +4760,7 @@ regexp: ^#?\s*ucredit line: ucredit = {{ var_password_pam_ucredit }} when: + - DISA_STIG_RHEL_09_611110 | bool - accounts_password_pam_ucredit | bool - low_complexity | bool - low_disruption | bool 
@@ -4628,13 +4770,12 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83568-6 + - DISA-STIG-RHEL-09-611110 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) - NIST-800-53-IA-5(4) - NIST-800-53-IA-5(c) - PCI-DSS-Req-8.2.3 - - PCI-DSSv4-8.3.6 - - PCI-DSSv4-8.3.9 - accounts_password_pam_ucredit - low_complexity - low_disruption @@ -4908,12 +5049,13 @@ tags: - CCE-83606-4 - CJIS-5.6.2.1 + - DISA-STIG-RHEL-09-411010 - NIST-800-171-3.5.6 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.4 - - PCI-DSSv4-8.3.10.1 + - PCI-DSSv4-8.3.9 - accounts_maximum_age_login_defs - low_complexity - low_disruption @@ -4921,6 +5063,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_411010 | bool - accounts_maximum_age_login_defs | bool - low_complexity | bool - low_disruption | bool @@ -4935,6 +5078,7 @@ regexp: ^#?PASS_MAX_DAYS line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} when: + - DISA_STIG_RHEL_09_411010 | bool - accounts_maximum_age_login_defs | bool - low_complexity | bool - low_disruption | bool @@ -4945,12 +5089,13 @@ tags: - CCE-83606-4 - CJIS-5.6.2.1 + - DISA-STIG-RHEL-09-411010 - NIST-800-171-3.5.6 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(d) - NIST-800-53-IA-5(f) - PCI-DSS-Req-8.2.4 - - PCI-DSSv4-8.3.10.1 + - PCI-DSSv4-8.3.9 - accounts_maximum_age_login_defs - low_complexity - low_disruption @@ -4964,6 +5109,7 @@ tags: - CCE-83608-0 - CJIS-5.6.2.1 + - DISA-STIG-RHEL-09-611095 - NIST-800-171-3.5.7 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) @@ -4975,6 +5121,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_611095 | bool - accounts_password_minlen_login_defs | bool - low_complexity | bool - low_disruption | bool @@ -4990,6 +5137,7 @@ line: PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }} create: true when: + - DISA_STIG_RHEL_09_611095 | bool - accounts_password_minlen_login_defs | bool - low_complexity | bool - low_disruption | bool 
@@ -5000,6 +5148,7 @@ tags: - CCE-83608-0 - CJIS-5.6.2.1 + - DISA-STIG-RHEL-09-611095 - NIST-800-171-3.5.7 - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(1)(a) @@ -5016,6 +5165,7 @@ manager: auto tags: - CCE-83615-5 + - DISA-STIG-RHEL-09-611050 - accounts_password_pam_unix_rounds_password_auth - configure_strategy - low_complexity @@ -5023,6 +5173,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_611050 | bool - accounts_password_pam_unix_rounds_password_auth | bool - configure_strategy | bool - low_complexity | bool @@ -5035,6 +5186,7 @@ path: /etc/pam.d/password-auth register: result_pam_file_present when: + - DISA_STIG_RHEL_09_611050 | bool - accounts_password_pam_unix_rounds_password_auth | bool - configure_strategy | bool - low_complexity | bool @@ -5044,6 +5196,7 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83615-5 + - DISA-STIG-RHEL-09-611050 - accounts_password_pam_unix_rounds_password_auth - configure_strategy - low_complexity @@ -5253,6 +5406,7 @@ - result_authselect_present.stat.exists - "(result_pam_rounds_add is defined and result_pam_rounds_add.changed)\n or (result_pam_rounds_edit is defined and result_pam_rounds_edit.changed)" when: + - DISA_STIG_RHEL_09_611050 | bool - accounts_password_pam_unix_rounds_password_auth | bool - configure_strategy | bool - low_complexity | bool @@ -5263,6 +5417,7 @@ - result_pam_file_present.stat.exists tags: - CCE-83615-5 + - DISA-STIG-RHEL-09-611050 - accounts_password_pam_unix_rounds_password_auth - configure_strategy - low_complexity @@ -5275,6 +5430,7 @@ manager: auto tags: - CCE-83621-3 + - DISA-STIG-RHEL-09-611055 - accounts_password_pam_unix_rounds_system_auth - configure_strategy - low_complexity @@ -5282,6 +5438,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_611055 | bool - accounts_password_pam_unix_rounds_system_auth | bool - configure_strategy | bool - low_complexity | bool 
@@ -5294,6 +5451,7 @@ path: /etc/pam.d/system-auth register: result_pam_file_present when: + - DISA_STIG_RHEL_09_611055 | bool - accounts_password_pam_unix_rounds_system_auth | bool - configure_strategy | bool - low_complexity | bool @@ -5303,6 +5461,7 @@ - '"pam" in ansible_facts.packages' tags: - CCE-83621-3 + - DISA-STIG-RHEL-09-611055 - accounts_password_pam_unix_rounds_system_auth - configure_strategy - low_complexity @@ -5512,6 +5671,7 @@ - result_authselect_present.stat.exists - "(result_pam_rounds_add is defined and result_pam_rounds_add.changed)\n or (result_pam_rounds_edit is defined and result_pam_rounds_edit.changed)" when: + - DISA_STIG_RHEL_09_611055 | bool - accounts_password_pam_unix_rounds_system_auth | bool - configure_strategy | bool - low_complexity | bool @@ -5522,6 +5682,7 @@ - result_pam_file_present.stat.exists tags: - CCE-83621-3 + - DISA-STIG-RHEL-09-611055 - accounts_password_pam_unix_rounds_system_auth - configure_strategy - low_complexity @@ -5562,6 +5723,7 @@ replace: declare -xr TMOUT={{ var_accounts_tmout }} register: profile_replaced when: + - DISA_STIG_RHEL_09_412035 | bool - accounts_tmout | bool - low_complexity | bool - low_disruption | bool @@ -5571,6 +5733,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83633-8 + - DISA-STIG-RHEL-09-412035 - NIST-800-171-3.1.11 - NIST-800-53-AC-12 - NIST-800-53-AC-2(5) @@ -5592,6 +5755,7 @@ line: declare -xr TMOUT={{ var_accounts_tmout }} state: present when: + - DISA_STIG_RHEL_09_412035 | bool - accounts_tmout | bool - low_complexity | bool - low_disruption | bool @@ -5601,6 +5765,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83633-8 + - DISA-STIG-RHEL-09-412035 - NIST-800-171-3.1.11 - NIST-800-53-AC-12 - NIST-800-53-AC-2(5) 
@@ -5619,9 +5784,9 @@ manager: auto tags: - CCE-83644-5 + - DISA-STIG-RHEL-09-412055 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -5629,6 +5794,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_412055 | bool - accounts_umask_etc_bashrc | bool - low_complexity | bool - low_disruption | bool @@ -5645,6 +5811,7 @@ changed_when: false register: umask_replace when: + - DISA_STIG_RHEL_09_412055 | bool - accounts_umask_etc_bashrc | bool - low_complexity | bool - low_disruption | bool @@ -5654,9 +5821,9 @@ - '"bash" in ansible_facts.packages' tags: - CCE-83644-5 + - DISA-STIG-RHEL-09-412055 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -5670,6 +5837,7 @@ regexp: ^(\s*)umask(\s+).* replace: \g<1>umask\g<2>{{ var_accounts_user_umask }} when: + - DISA_STIG_RHEL_09_412055 | bool - accounts_umask_etc_bashrc | bool - low_complexity | bool - low_disruption | bool @@ -5680,9 +5848,9 @@ - umask_replace.found > 0 tags: - CCE-83644-5 + - DISA-STIG-RHEL-09-412055 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -5696,6 +5864,7 @@ path: /etc/bashrc line: umask {{ var_accounts_user_umask }} when: + - DISA_STIG_RHEL_09_412055 | bool - accounts_umask_etc_bashrc | bool - low_complexity | bool - low_disruption | bool @@ -5706,9 +5875,9 @@ - umask_replace.found == 0 tags: - CCE-83644-5 + - DISA-STIG-RHEL-09-412055 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_bashrc - low_complexity - low_disruption @@ -5721,9 +5890,9 @@ manager: auto tags: - CCE-83647-8 + - DISA-STIG-RHEL-09-412065 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption 
@@ -5731,6 +5900,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_412065 | bool - accounts_umask_etc_login_defs | bool - low_complexity | bool - low_disruption | bool @@ -5747,6 +5917,7 @@ changed_when: false register: result_umask_is_set when: + - DISA_STIG_RHEL_09_412065 | bool - accounts_umask_etc_login_defs | bool - low_complexity | bool - low_disruption | bool @@ -5756,9 +5927,9 @@ - '"shadow-utils" in ansible_facts.packages' tags: - CCE-83647-8 + - DISA-STIG-RHEL-09-412065 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -5772,6 +5943,7 @@ regexp: ^(\s*)UMASK(\s+).* replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }} when: + - DISA_STIG_RHEL_09_412065 | bool - accounts_umask_etc_login_defs | bool - low_complexity | bool - low_disruption | bool @@ -5782,9 +5954,9 @@ - result_umask_is_set.found > 0 tags: - CCE-83647-8 + - DISA-STIG-RHEL-09-412065 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -5798,6 +5970,7 @@ path: /etc/login.defs line: UMASK {{ var_accounts_user_umask }} when: + - DISA_STIG_RHEL_09_412065 | bool - accounts_umask_etc_login_defs | bool - low_complexity | bool - low_disruption | bool @@ -5808,9 +5981,9 @@ - result_umask_is_set.found == 0 tags: - CCE-83647-8 + - DISA-STIG-RHEL-09-412065 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_login_defs - low_complexity - low_disruption @@ -5829,9 +6002,9 @@ register: result_profile_d_files tags: - CCE-90828-5 + - DISA-STIG-RHEL-09-412070 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption @@ -5839,6 +6012,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_412070 | bool - accounts_umask_etc_profile | bool - low_complexity | bool - low_disruption | bool 
@@ -5854,6 +6028,7 @@ loop: '{{ result_profile_d_files.files }}' register: result_umask_replaced_profile_d when: + - DISA_STIG_RHEL_09_412070 | bool - accounts_umask_etc_profile | bool - low_complexity | bool - low_disruption | bool @@ -5863,9 +6038,9 @@ - result_profile_d_files.matched tags: - CCE-90828-5 + - DISA-STIG-RHEL-09-412070 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption @@ -5881,6 +6056,7 @@ path: /etc/profile line: umask {{ var_accounts_user_umask }} when: + - DISA_STIG_RHEL_09_412070 | bool - accounts_umask_etc_profile | bool - low_complexity | bool - low_disruption | bool @@ -5890,9 +6066,9 @@ - not result_profile_d_files.matched tags: - CCE-90828-5 + - DISA-STIG-RHEL-09-412070 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption @@ -5909,9 +6085,9 @@ register: result_umask_replaced_profile tags: - CCE-90828-5 + - DISA-STIG-RHEL-09-412070 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - - PCI-DSSv4-8.6.1 - accounts_umask_etc_profile - low_complexity - low_disruption @@ -5919,6 +6095,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_412070 | bool - accounts_umask_etc_profile | bool - low_complexity | bool - low_disruption | bool @@ -5931,6 +6108,7 @@ name: audit state: present when: + - DISA_STIG_RHEL_09_653010 | bool - enable_strategy | bool - low_complexity | bool - low_disruption | bool @@ -5940,6 +6118,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83649-4 + - DISA-STIG-RHEL-09-653010 - NIST-800-53-AC-7(a) - NIST-800-53-AU-12(2) - NIST-800-53-AU-14 @@ -5962,6 +6141,7 @@ tags: - CCE-90829-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-653015 - NIST-800-171-3.3.1 - NIST-800-171-3.3.2 - NIST-800-171-3.3.6 
@@ -5983,6 +6163,7 @@ - no_reboot_needed - service_auditd_enabled when: + - DISA_STIG_RHEL_09_653015 | bool - enable_strategy | bool - low_complexity | bool - low_disruption | bool @@ -6004,6 +6185,7 @@ when: - '"audit" in ansible_facts.packages' when: + - DISA_STIG_RHEL_09_653015 | bool - enable_strategy | bool - low_complexity | bool - low_disruption | bool @@ -6015,6 +6197,7 @@ tags: - CCE-90829-3 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-653015 - NIST-800-171-3.3.1 - NIST-800-171-3.3.2 - NIST-800-171-3.3.6 @@ -6042,6 +6225,7 @@ tags: - CCE-83716-1 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) @@ -6055,6 +6239,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool @@ -6068,6 +6253,7 @@ patterns: '*.rules' register: find_rules_d when: + - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool @@ -6079,6 +6265,7 @@ tags: - CCE-83716-1 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) @@ -6099,6 +6286,7 @@ state: absent loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] }}' when: + - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool @@ -6110,6 +6298,7 @@ tags: - CCE-83716-1 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) @@ -6133,6 +6322,7 @@ - /etc/audit/audit.rules - /etc/audit/rules.d/immutable.rules when: + - DISA_STIG_RHEL_09_654275 | bool - audit_rules_immutable | bool - low_complexity | bool - low_disruption | bool @@ -6144,6 +6334,7 @@ tags: - CCE-83716-1 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654275 - NIST-800-171-3.3.1 - NIST-800-171-3.4.3 - NIST-800-53-AC-6(9) 
@@ -8610,7 +8801,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8652,7 +8842,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8689,7 +8878,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8724,7 +8912,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8760,7 +8947,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8795,7 +8981,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8830,7 +9015,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8866,7 +9050,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8901,7 +9084,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8938,7 +9120,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -8973,7 +9154,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption 
@@ -9009,7 +9189,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -9044,7 +9223,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -9079,7 +9257,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -9115,7 +9292,6 @@ - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 - audit_rules_sysadmin_actions - low_complexity - low_disruption @@ -9129,6 +9305,7 @@ tags: - CCE-83722-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9144,6 +9321,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool @@ -9158,6 +9336,7 @@ patterns: '*.rules' register: find_existing_watch_rules_d when: + - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool @@ -9169,6 +9348,7 @@ tags: - CCE-83722-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9191,6 +9371,7 @@ patterns: '*.rules' register: find_watch_key when: + - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool @@ -9203,6 +9384,7 @@ tags: - CCE-83722-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -9223,6 +9405,7 @@ all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: + - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool @@ -9236,6 +9419,7 @@ tags: - CCE-83722-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9256,6 +9440,7 @@ all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool @@ -9269,6 +9454,7 @@ tags: - CCE-83722-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9291,6 +9477,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool @@ -9303,6 +9490,7 @@ tags: - CCE-83722-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9325,6 +9513,7 @@ patterns: audit.rules register: find_existing_watch_audit_rules when: + - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool @@ -9336,6 +9525,7 @@ tags: - CCE-83722-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9359,6 +9549,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654225 | bool - audit_rules_usergroup_modification_group | bool - low_complexity | bool - low_disruption | bool @@ -9371,6 +9562,7 @@ tags: - CCE-83722-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654225 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9392,6 +9584,7 @@ tags: - CCE-83723-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -9407,6 +9600,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool @@ -9421,6 +9615,7 @@ patterns: '*.rules' register: find_existing_watch_rules_d when: + - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool @@ -9432,6 +9627,7 @@ tags: - CCE-83723-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9454,6 +9650,7 @@ patterns: '*.rules' register: find_watch_key when: + - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool @@ -9466,6 +9663,7 @@ tags: - CCE-83723-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9486,6 +9684,7 @@ all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: + - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool @@ -9499,6 +9698,7 @@ tags: - CCE-83723-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9519,6 +9719,7 @@ all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool @@ -9532,6 +9733,7 @@ tags: - CCE-83723-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9554,6 +9756,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool 
@@ -9566,6 +9769,7 @@ tags: - CCE-83723-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9588,6 +9792,7 @@ patterns: audit.rules register: find_existing_watch_audit_rules when: + - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool @@ -9599,6 +9804,7 @@ tags: - CCE-83723-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9622,6 +9828,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654230 | bool - audit_rules_usergroup_modification_gshadow | bool - low_complexity | bool - low_disruption | bool @@ -9634,6 +9841,7 @@ tags: - CCE-83723-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654230 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9655,6 +9863,7 @@ tags: - CCE-83712-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9670,6 +9879,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool @@ -9684,6 +9894,7 @@ patterns: '*.rules' register: find_existing_watch_rules_d when: + - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool @@ -9695,6 +9906,7 @@ tags: - CCE-83712-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9717,6 +9929,7 @@ patterns: '*.rules' register: find_watch_key when: + - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool @@ -9729,6 +9942,7 @@ tags: - CCE-83712-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -9749,6 +9963,7 @@ all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: + - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool @@ -9762,6 +9977,7 @@ tags: - CCE-83712-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9782,6 +9998,7 @@ all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool @@ -9795,6 +10012,7 @@ tags: - CCE-83712-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9817,6 +10035,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool @@ -9829,6 +10048,7 @@ tags: - CCE-83712-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9851,6 +10071,7 @@ patterns: audit.rules register: find_existing_watch_audit_rules when: + - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool @@ -9862,6 +10083,7 @@ tags: - CCE-83712-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9885,6 +10107,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654235 | bool - audit_rules_usergroup_modification_opasswd | bool - low_complexity | bool - low_disruption | bool @@ -9897,6 +10120,7 @@ tags: - CCE-83712-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654235 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -9918,6 +10142,7 @@ tags: - CCE-83714-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654240 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9933,6 +10158,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654240 | bool - audit_rules_usergroup_modification_passwd | bool - low_complexity | bool - low_disruption | bool @@ -9947,6 +10173,7 @@ patterns: '*.rules' register: find_existing_watch_rules_d when: + - DISA_STIG_RHEL_09_654240 | bool - audit_rules_usergroup_modification_passwd | bool - low_complexity | bool - low_disruption | bool @@ -9958,6 +10185,7 @@ tags: - CCE-83714-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654240 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -9980,6 +10208,7 @@ patterns: '*.rules' register: find_watch_key when: + - DISA_STIG_RHEL_09_654240 | bool - audit_rules_usergroup_modification_passwd | bool - low_complexity | bool - low_disruption | bool @@ -9992,6 +10221,7 @@ tags: - CCE-83714-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654240 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10012,6 +10242,7 @@ all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: + - DISA_STIG_RHEL_09_654240 | bool - audit_rules_usergroup_modification_passwd | bool - low_complexity | bool - low_disruption | bool @@ -10025,6 +10256,7 @@ tags: - CCE-83714-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654240 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10045,6 +10277,7 @@ all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - DISA_STIG_RHEL_09_654240 | bool - audit_rules_usergroup_modification_passwd | bool - low_complexity | bool - low_disruption | bool @@ -10058,6 +10291,7 @@ tags: - CCE-83714-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654240 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -10080,6 +10314,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654240 | bool - audit_rules_usergroup_modification_passwd | bool - low_complexity | bool - low_disruption | bool @@ -10092,6 +10327,7 @@ tags: - CCE-83714-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654240 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10114,6 +10350,7 @@ patterns: audit.rules register: find_existing_watch_audit_rules when: + - DISA_STIG_RHEL_09_654240 | bool - audit_rules_usergroup_modification_passwd | bool - low_complexity | bool - low_disruption | bool @@ -10125,6 +10362,7 @@ tags: - CCE-83714-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654240 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10148,6 +10386,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654240 | bool - audit_rules_usergroup_modification_passwd | bool - low_complexity | bool - low_disruption | bool @@ -10160,6 +10399,7 @@ tags: - CCE-83714-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654240 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10181,6 +10421,7 @@ tags: - CCE-83725-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654245 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10196,6 +10437,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654245 | bool - audit_rules_usergroup_modification_shadow | bool - low_complexity | bool - low_disruption | bool @@ -10210,6 +10452,7 @@ patterns: '*.rules' register: find_existing_watch_rules_d when: + - DISA_STIG_RHEL_09_654245 | bool - audit_rules_usergroup_modification_shadow | bool - low_complexity | bool - low_disruption | bool @@ -10221,6 +10464,7 @@ tags: - CCE-83725-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654245 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -10243,6 +10487,7 @@ patterns: '*.rules' register: find_watch_key when: + - DISA_STIG_RHEL_09_654245 | bool - audit_rules_usergroup_modification_shadow | bool - low_complexity | bool - low_disruption | bool @@ -10255,6 +10500,7 @@ tags: - CCE-83725-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654245 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10275,6 +10521,7 @@ all_files: - /etc/audit/rules.d/audit_rules_usergroup_modification.rules when: + - DISA_STIG_RHEL_09_654245 | bool - audit_rules_usergroup_modification_shadow | bool - low_complexity | bool - low_disruption | bool @@ -10288,6 +10535,7 @@ tags: - CCE-83725-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654245 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10308,6 +10556,7 @@ all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - DISA_STIG_RHEL_09_654245 | bool - audit_rules_usergroup_modification_shadow | bool - low_complexity | bool - low_disruption | bool @@ -10321,6 +10570,7 @@ tags: - CCE-83725-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654245 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10343,6 +10593,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654245 | bool - audit_rules_usergroup_modification_shadow | bool - low_complexity | bool - low_disruption | bool @@ -10355,6 +10606,7 @@ tags: - CCE-83725-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654245 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10377,6 +10629,7 @@ patterns: audit.rules register: find_existing_watch_audit_rules when: + - DISA_STIG_RHEL_09_654245 | bool - audit_rules_usergroup_modification_shadow | bool - low_complexity | bool - low_disruption | bool @@ -10388,6 +10641,7 @@ tags: - CCE-83725-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654245 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) 
@@ -10411,6 +10665,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654245 | bool - audit_rules_usergroup_modification_shadow | bool - low_complexity | bool - low_disruption | bool @@ -10423,6 +10678,7 @@ tags: - CCE-83725-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654245 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) @@ -10445,8 +10701,7 @@ - CCE-86433-0 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 + - PCI-DSSv4-10.2.1.4 - audit_sudo_log_events - low_complexity - low_disruption @@ -10480,8 +10735,7 @@ - CCE-86433-0 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 + - PCI-DSSv4-10.2.1.4 - audit_sudo_log_events - low_complexity - low_disruption @@ -10509,8 +10763,7 @@ - CCE-86433-0 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 + - PCI-DSSv4-10.2.1.4 - audit_sudo_log_events - low_complexity - low_disruption @@ -10537,8 +10790,7 @@ - CCE-86433-0 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 + - PCI-DSSv4-10.2.1.4 - audit_sudo_log_events - low_complexity - low_disruption @@ -10565,8 +10817,7 @@ - CCE-86433-0 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 + - PCI-DSSv4-10.2.1.4 - audit_sudo_log_events - low_complexity - low_disruption @@ -10594,8 +10845,7 @@ - CCE-86433-0 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 + - PCI-DSSv4-10.2.1.4 - audit_sudo_log_events - low_complexity - low_disruption @@ -10622,8 +10872,7 @@ - CCE-86433-0 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 + - PCI-DSSv4-10.2.1.4 - audit_sudo_log_events - low_complexity - low_disruption @@ -10652,8 +10901,7 @@ - CCE-86433-0 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - - PCI-DSSv4-10.2.1.5 - - PCI-DSSv4-10.2.2 + - PCI-DSSv4-10.2.1.4 - audit_sudo_log_events - low_complexity - low_disruption 
@@ -10667,6 +10915,7 @@ tags: - CCE-83830-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -10680,6 +10929,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_chmod | bool - low_complexity | bool - low_disruption | bool @@ -10691,6 +10941,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_chmod | bool - low_complexity | bool - low_disruption | bool @@ -10705,6 +10956,7 @@ tags: - CCE-83830-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -10814,6 +11066,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_chmod | bool - low_complexity | bool - low_disruption | bool @@ -10826,6 +11079,7 @@ tags: - CCE-83830-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -10935,6 +11189,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_chmod | bool - low_complexity | bool - low_disruption | bool @@ -10948,6 +11203,7 @@ tags: - CCE-83830-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -10967,6 +11223,7 @@ tags: - CCE-83812-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -10980,6 +11237,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_chown | bool - low_complexity | bool - low_disruption | bool @@ -10991,6 +11249,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_chown | bool - low_complexity | bool - low_disruption | bool 
@@ -11005,6 +11264,7 @@ tags: - CCE-83812-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11116,6 +11376,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_chown | bool - low_complexity | bool - low_disruption | bool @@ -11128,6 +11389,7 @@ tags: - CCE-83812-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11239,6 +11501,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_chown | bool - low_complexity | bool - low_disruption | bool @@ -11252,6 +11515,7 @@ tags: - CCE-83812-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11271,6 +11535,7 @@ tags: - CCE-83832-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11284,6 +11549,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmod | bool - low_complexity | bool - low_disruption | bool @@ -11295,6 +11561,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmod | bool - low_complexity | bool - low_disruption | bool @@ -11308,6 +11575,7 @@ tags: - CCE-83832-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11417,6 +11685,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmod | bool - low_complexity | bool - low_disruption | bool @@ -11428,6 +11697,7 @@ tags: - CCE-83832-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) 
@@ -11537,6 +11807,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmod | bool - low_complexity | bool - low_disruption | bool @@ -11549,6 +11820,7 @@ tags: - CCE-83832-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11568,6 +11840,7 @@ tags: - CCE-83822-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11581,6 +11854,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - low_disruption | bool @@ -11592,6 +11866,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - low_disruption | bool @@ -11605,6 +11880,7 @@ tags: - CCE-83822-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11714,6 +11990,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - low_disruption | bool @@ -11725,6 +12002,7 @@ tags: - CCE-83822-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11834,6 +12112,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654015 | bool - audit_rules_dac_modification_fchmodat | bool - low_complexity | bool - low_disruption | bool @@ -11846,6 +12125,7 @@ tags: - CCE-83822-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654015 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -11865,6 +12145,7 @@ tags: - CCE-83829-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) 
@@ -11878,6 +12159,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchown | bool - low_complexity | bool - low_disruption | bool @@ -11889,6 +12171,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchown | bool - low_complexity | bool - low_disruption | bool @@ -11902,6 +12185,7 @@ tags: - CCE-83829-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12013,6 +12297,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchown | bool - low_complexity | bool - low_disruption | bool @@ -12024,6 +12309,7 @@ tags: - CCE-83829-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12135,6 +12421,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchown | bool - low_complexity | bool - low_disruption | bool @@ -12147,6 +12434,7 @@ tags: - CCE-83829-2 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12166,6 +12454,7 @@ tags: - CCE-83831-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12179,6 +12468,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchownat | bool - low_complexity | bool - low_disruption | bool @@ -12190,6 +12480,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchownat | bool - low_complexity | bool - low_disruption | bool @@ -12203,6 +12494,7 @@ tags: - CCE-83831-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) 
@@ -12314,6 +12606,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchownat | bool - low_complexity | bool - low_disruption | bool @@ -12325,6 +12618,7 @@ tags: - CCE-83831-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12436,6 +12730,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_fchownat | bool - low_complexity | bool - low_disruption | bool @@ -12448,6 +12743,7 @@ tags: - CCE-83831-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12467,6 +12763,7 @@ tags: - CCE-83821-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12480,6 +12777,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_fremovexattr | bool - low_complexity | bool - low_disruption | bool @@ -12491,6 +12789,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_fremovexattr | bool - low_complexity | bool - low_disruption | bool @@ -12504,6 +12803,7 @@ tags: - CCE-83821-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12718,6 +13018,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_fremovexattr | bool - low_complexity | bool - low_disruption | bool @@ -12729,6 +13030,7 @@ tags: - CCE-83821-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) 
@@ -12943,6 +13245,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_fremovexattr | bool - low_complexity | bool - low_disruption | bool @@ -12955,6 +13258,7 @@ tags: - CCE-83821-9 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12974,6 +13278,7 @@ tags: - CCE-83817-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -12987,6 +13292,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool - low_disruption | bool @@ -12998,6 +13304,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool - low_disruption | bool @@ -13011,6 +13318,7 @@ tags: - CCE-83817-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -13225,6 +13533,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool - low_disruption | bool @@ -13236,6 +13545,7 @@ tags: - CCE-83817-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -13450,6 +13760,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_fsetxattr | bool - low_complexity | bool - low_disruption | bool @@ -13462,6 +13773,7 @@ tags: - CCE-83817-7 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -13481,6 +13793,7 @@ tags: - CCE-83833-4 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) 
@@ -13494,6 +13807,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_lchown | bool - low_complexity | bool - low_disruption | bool @@ -13505,6 +13819,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_lchown | bool - low_complexity | bool - low_disruption | bool @@ -13519,6 +13834,7 @@ tags: - CCE-83833-4 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -13630,6 +13946,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_lchown | bool - low_complexity | bool - low_disruption | bool @@ -13642,6 +13959,7 @@ tags: - CCE-83833-4 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -13753,6 +14071,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654020 | bool - audit_rules_dac_modification_lchown | bool - low_complexity | bool - low_disruption | bool @@ -13766,6 +14085,7 @@ tags: - CCE-83833-4 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654020 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -13785,6 +14105,7 @@ tags: - CCE-83814-4 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -13798,6 +14119,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool - low_disruption | bool @@ -13809,6 +14131,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool - low_disruption | bool @@ -13822,6 +14145,7 @@ tags: - CCE-83814-4 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) 
@@ -14036,6 +14360,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool - low_disruption | bool @@ -14047,6 +14372,7 @@ tags: - CCE-83814-4 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -14261,6 +14587,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lremovexattr | bool - low_complexity | bool - low_disruption | bool @@ -14273,6 +14600,7 @@ tags: - CCE-83814-4 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -14292,6 +14620,7 @@ tags: - CCE-83808-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -14305,6 +14634,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool - low_disruption | bool @@ -14316,6 +14646,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool - low_disruption | bool @@ -14329,6 +14660,7 @@ tags: - CCE-83808-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -14543,6 +14875,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool - low_disruption | bool @@ -14554,6 +14887,7 @@ tags: - CCE-83808-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) 
@@ -14768,6 +15102,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_lsetxattr | bool - low_complexity | bool - low_disruption | bool @@ -14780,6 +15115,7 @@ tags: - CCE-83808-6 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -14799,6 +15135,7 @@ tags: - CCE-83807-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -14812,6 +15149,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_removexattr | bool - low_complexity | bool - low_disruption | bool @@ -14823,6 +15161,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_removexattr | bool - low_complexity | bool - low_disruption | bool @@ -14836,6 +15175,7 @@ tags: - CCE-83807-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -15050,6 +15390,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_removexattr | bool - low_complexity | bool - low_disruption | bool @@ -15061,6 +15402,7 @@ tags: - CCE-83807-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -15275,6 +15617,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_removexattr | bool - low_complexity | bool - low_disruption | bool @@ -15287,6 +15630,7 @@ tags: - CCE-83807-8 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -15306,6 +15650,7 @@ tags: - CCE-83811-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) 
@@ -15319,6 +15664,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_setxattr | bool - low_complexity | bool - low_disruption | bool @@ -15330,6 +15676,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_setxattr | bool - low_complexity | bool - low_disruption | bool @@ -15343,6 +15690,7 @@ tags: - CCE-83811-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -15557,6 +15905,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_setxattr | bool - low_complexity | bool - low_disruption | bool @@ -15568,6 +15917,7 @@ tags: - CCE-83811-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -15782,6 +16132,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654025 | bool - audit_rules_dac_modification_setxattr | bool - low_complexity | bool - low_disruption | bool @@ -15794,6 +16145,7 @@ tags: - CCE-83811-0 - CJIS-5.4.1.1 + - DISA-STIG-RHEL-09-654025 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -15812,6 +16164,7 @@ manager: auto tags: - CCE-88570-7 + - DISA-STIG-RHEL-09-654210 - audit_rules_dac_modification_umount2 - low_complexity - low_disruption @@ -15819,6 +16172,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654210 | bool - audit_rules_dac_modification_umount2 | bool - low_complexity | bool - low_disruption | bool @@ -15830,6 +16184,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654210 | bool - audit_rules_dac_modification_umount2 | bool - low_complexity | bool - low_disruption | bool 
@@ -15842,6 +16197,7 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-88570-7 + - DISA-STIG-RHEL-09-654210 - audit_rules_dac_modification_umount2 - low_complexity - low_disruption @@ -15939,6 +16295,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654210 | bool - audit_rules_dac_modification_umount2 | bool - low_complexity | bool - low_disruption | bool @@ -15949,6 +16306,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-88570-7 + - DISA-STIG-RHEL-09-654210 - audit_rules_dac_modification_umount2 - low_complexity - low_disruption @@ -16046,6 +16404,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654210 | bool - audit_rules_dac_modification_umount2 | bool - low_complexity | bool - low_disruption | bool @@ -16057,6 +16416,7 @@ - audit_arch == "b64" tags: - CCE-88570-7 + - DISA-STIG-RHEL-09-654210 - audit_rules_dac_modification_umount2 - low_complexity - low_disruption @@ -16069,6 +16429,7 @@ manager: auto tags: - CCE-83754-2 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16082,6 +16443,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rename | bool - low_complexity | bool - low_disruption | bool @@ -16093,6 +16455,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rename | bool - low_complexity | bool - low_disruption | bool @@ -16106,6 +16469,7 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83754-2 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16219,6 +16583,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rename | bool - low_complexity | bool - low_disruption | bool 
@@ -16230,6 +16595,7 @@ - not ( ansible_architecture == "aarch64" ) tags: - CCE-83754-2 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16343,6 +16709,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rename | bool - low_complexity | bool - low_disruption | bool @@ -16355,6 +16722,7 @@ - audit_arch == "b64" tags: - CCE-83754-2 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16373,6 +16741,7 @@ manager: auto tags: - CCE-83756-7 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16386,6 +16755,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_renameat | bool - low_complexity | bool - low_disruption | bool @@ -16397,6 +16767,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_renameat | bool - low_complexity | bool - low_disruption | bool @@ -16409,6 +16780,7 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83756-7 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16522,6 +16894,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_renameat | bool - low_complexity | bool - low_disruption | bool @@ -16532,6 +16905,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83756-7 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16645,6 +17019,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_renameat | bool - low_complexity | bool - low_disruption | bool 
@@ -16656,6 +17031,7 @@ - audit_arch == "b64" tags: - CCE-83756-7 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16674,6 +17050,7 @@ manager: auto tags: - CCE-83758-3 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16687,6 +17064,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rmdir | bool - low_complexity | bool - low_disruption | bool @@ -16698,6 +17076,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rmdir | bool - low_complexity | bool - low_disruption | bool @@ -16711,6 +17090,7 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83758-3 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16824,6 +17204,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rmdir | bool - low_complexity | bool - low_disruption | bool @@ -16835,6 +17216,7 @@ - not ( ansible_architecture == "aarch64" ) tags: - CCE-83758-3 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16948,6 +17330,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_rmdir | bool - low_complexity | bool - low_disruption | bool @@ -16960,6 +17343,7 @@ - audit_arch == "b64" tags: - CCE-83758-3 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -16978,6 +17362,7 @@ manager: auto tags: - CCE-83757-5 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) 
@@ -16991,6 +17376,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlink | bool - low_complexity | bool - low_disruption | bool @@ -17002,6 +17388,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlink | bool - low_complexity | bool - low_disruption | bool @@ -17015,6 +17402,7 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83757-5 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -17128,6 +17516,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlink | bool - low_complexity | bool - low_disruption | bool @@ -17139,6 +17528,7 @@ - not ( ansible_architecture == "aarch64" ) tags: - CCE-83757-5 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -17252,6 +17642,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlink | bool - low_complexity | bool - low_disruption | bool @@ -17264,6 +17655,7 @@ - audit_arch == "b64" tags: - CCE-83757-5 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -17282,6 +17674,7 @@ manager: auto tags: - CCE-83755-9 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -17295,6 +17688,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlinkat | bool - low_complexity | bool - low_disruption | bool @@ -17306,6 +17700,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlinkat | bool - low_complexity | bool - low_disruption | bool 
@@ -17318,6 +17713,7 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83755-9 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -17431,6 +17827,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlinkat | bool - low_complexity | bool - low_disruption | bool @@ -17441,6 +17838,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83755-9 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -17554,6 +17952,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654065 | bool - audit_rules_file_deletion_events_unlinkat | bool - low_complexity | bool - low_disruption | bool @@ -17565,6 +17964,7 @@ - audit_arch == "b64" tags: - CCE-83755-9 + - DISA-STIG-RHEL-09-654065 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) @@ -17583,14 +17983,13 @@ manager: auto tags: - CCE-83786-4 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -17598,6 +17997,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_creat | bool - low_complexity | bool - low_disruption | bool @@ -17609,6 +18009,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_creat | bool - low_complexity | bool - low_disruption | bool 
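Review bot: Dropping `- PCI-DSSv4-10.2.1.1` and `- PCI-DSSv4-10.2.1.4` from the `audit_rules_unsuccessful_file_modification_creat` tag list (hunk `-17583,14`) leaves these tasks with no PCI-DSSv4 tag at all, while the older `PCI-DSS-Req-10.2.1` and `PCI-DSS-Req-10.2.4` tags stay. A remediation run selected by PCI-DSSv4 tags would then skip the audit rules for unsuccessful file access without any error. The later hunks do the same for the `ftruncate`, `open` and `openat` tasks. If the rules are still meant to satisfy PCI-DSS v4, keep `- PCI-DSSv4-10.2.1.1` and `- PCI-DSSv4-10.2.1.4`; if the mapping was removed deliberately, the commit description should say so.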
@@ -17622,14 +18023,13 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83786-4 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -17741,6 +18141,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_creat | bool - low_complexity | bool - low_disruption | bool @@ -17752,14 +18153,13 @@ - not ( ansible_architecture == "aarch64" ) tags: - CCE-83786-4 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -17871,6 +18271,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_creat | bool - low_complexity | bool - low_disruption | bool @@ -17883,14 +18284,13 @@ - audit_arch == "b64" tags: - CCE-83786-4 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -18002,6 +18402,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_creat | bool - low_complexity | bool - low_disruption | bool 
@@ -18013,14 +18414,13 @@ - not ( ansible_architecture == "aarch64" ) tags: - CCE-83786-4 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -18132,6 +18532,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_creat | bool - low_complexity | bool - low_disruption | bool @@ -18144,14 +18545,13 @@ - audit_arch == "b64" tags: - CCE-83786-4 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_creat - low_complexity - low_disruption @@ -18164,14 +18564,13 @@ manager: auto tags: - CCE-83800-3 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -18179,6 +18578,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool @@ -18190,6 +18590,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool 
@@ -18202,14 +18603,13 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83800-3 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -18321,6 +18721,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool @@ -18331,14 +18732,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83800-3 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -18450,6 +18850,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool @@ -18461,14 +18862,13 @@ - audit_arch == "b64" tags: - CCE-83800-3 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -18580,6 +18980,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool 
@@ -18590,14 +18991,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83800-3 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -18709,6 +19109,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_ftruncate | bool - low_complexity | bool - low_disruption | bool @@ -18720,14 +19121,13 @@ - audit_arch == "b64" tags: - CCE-83800-3 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_ftruncate - low_complexity - low_disruption @@ -18740,14 +19140,13 @@ manager: auto tags: - CCE-83801-1 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -18755,6 +19154,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_open | bool - low_complexity | bool - low_disruption | bool @@ -18766,6 +19166,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_open | bool - low_complexity | bool - low_disruption | bool 
@@ -18779,14 +19180,13 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83801-1 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -18898,6 +19298,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_open | bool - low_complexity | bool - low_disruption | bool @@ -18909,14 +19310,13 @@ - not ( ansible_architecture == "aarch64" ) tags: - CCE-83801-1 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -19028,6 +19428,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_open | bool - low_complexity | bool - low_disruption | bool @@ -19040,14 +19441,13 @@ - audit_arch == "b64" tags: - CCE-83801-1 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -19159,6 +19559,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_open | bool - low_complexity | bool - low_disruption | bool 
@@ -19170,14 +19571,13 @@ - not ( ansible_architecture == "aarch64" ) tags: - CCE-83801-1 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -19289,6 +19689,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_open | bool - low_complexity | bool - low_disruption | bool @@ -19301,14 +19702,13 @@ - audit_arch == "b64" tags: - CCE-83801-1 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_open - low_complexity - low_disruption @@ -19321,14 +19721,13 @@ manager: auto tags: - CCE-83794-8 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -19336,6 +19735,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_openat | bool - low_complexity | bool - low_disruption | bool @@ -19347,6 +19747,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_openat | bool - low_complexity | bool - low_disruption | bool 
@@ -19359,14 +19760,13 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83794-8 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -19478,6 +19878,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_openat | bool - low_complexity | bool - low_disruption | bool @@ -19488,14 +19889,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83794-8 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -19607,6 +20007,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_openat | bool - low_complexity | bool - low_disruption | bool @@ -19618,14 +20019,13 @@ - audit_arch == "b64" tags: - CCE-83794-8 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -19737,6 +20137,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_openat | bool - low_complexity | bool - low_disruption | bool 
@@ -19747,14 +20148,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83794-8 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -19866,6 +20266,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_openat | bool - low_complexity | bool - low_disruption | bool @@ -19877,14 +20278,13 @@ - audit_arch == "b64" tags: - CCE-83794-8 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_openat - low_complexity - low_disruption @@ -19897,14 +20297,13 @@ manager: auto tags: - CCE-83792-2 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -19912,6 +20311,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool @@ -19923,6 +20323,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool 
@@ -19935,14 +20336,13 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83792-2 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -20054,6 +20454,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool @@ -20064,14 +20465,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83792-2 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -20183,6 +20583,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool @@ -20194,14 +20595,13 @@ - audit_arch == "b64" tags: - CCE-83792-2 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -20313,6 +20713,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool 
@@ -20323,14 +20724,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83792-2 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -20442,6 +20842,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654070 | bool - audit_rules_unsuccessful_file_modification_truncate | bool - low_complexity | bool - low_disruption | bool @@ -20453,14 +20854,13 @@ - audit_arch == "b64" tags: - CCE-83792-2 + - DISA-STIG-RHEL-09-654070 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1 - PCI-DSS-Req-10.2.4 - - PCI-DSSv4-10.2.1.1 - - PCI-DSSv4-10.2.1.4 - audit_rules_unsuccessful_file_modification_truncate - low_complexity - low_disruption @@ -20473,13 +20873,13 @@ manager: auto tags: - CCE-83802-9 + - DISA-STIG-RHEL-09-654075 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity @@ -20487,6 +20887,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_654075 | bool - audit_rules_kernel_module_loading_delete | bool - configure_strategy | bool - low_complexity | bool @@ -20498,6 +20899,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654075 | bool - audit_rules_kernel_module_loading_delete | bool - configure_strategy | bool - low_complexity | bool 
@@ -20510,13 +20912,13 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83802-9 + - DISA-STIG-RHEL-09-654075 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity @@ -20614,6 +21016,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654075 | bool - audit_rules_kernel_module_loading_delete | bool - configure_strategy | bool - low_complexity | bool @@ -20624,13 +21027,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83802-9 + - DISA-STIG-RHEL-09-654075 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity @@ -20728,6 +21131,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654075 | bool - audit_rules_kernel_module_loading_delete | bool - configure_strategy | bool - low_complexity | bool @@ -20739,13 +21143,13 @@ - audit_arch == "b64" tags: - CCE-83802-9 + - DISA-STIG-RHEL-09-654075 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_delete - configure_strategy - low_complexity @@ -20758,13 +21162,13 @@ manager: auto tags: - CCE-83803-7 + - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity 
@@ -20772,6 +21176,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_finit | bool - configure_strategy | bool - low_complexity | bool @@ -20783,6 +21188,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_finit | bool - configure_strategy | bool - low_complexity | bool @@ -20795,13 +21201,13 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83803-7 + - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity @@ -20903,6 +21309,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_finit | bool - configure_strategy | bool - low_complexity | bool @@ -20913,13 +21320,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83803-7 + - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity @@ -21021,6 +21428,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_finit | bool - configure_strategy | bool - low_complexity | bool @@ -21032,13 +21440,13 @@ - audit_arch == "b64" tags: - CCE-83803-7 + - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_finit - configure_strategy - low_complexity 
@@ -21051,13 +21459,13 @@ manager: auto tags: - CCE-90835-0 + - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_init - configure_strategy - low_complexity @@ -21065,6 +21473,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_init | bool - configure_strategy | bool - low_complexity | bool @@ -21076,6 +21485,7 @@ set_fact: audit_arch: b64 when: + - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_init | bool - configure_strategy | bool - low_complexity | bool @@ -21088,13 +21498,13 @@ == "s390x" or ansible_architecture == "x86_64" tags: - CCE-90835-0 + - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_init - configure_strategy - low_complexity @@ -21196,6 +21606,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_init | bool - configure_strategy | bool - low_complexity | bool @@ -21206,13 +21617,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90835-0 + - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_init - configure_strategy - low_complexity @@ -21314,6 +21725,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654080 | bool - audit_rules_kernel_module_loading_init | bool - configure_strategy | bool - low_complexity | bool 
@@ -21325,13 +21737,13 @@ - audit_arch == "b64" tags: - CCE-90835-0 + - DISA-STIG-RHEL-09-654080 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.7 - - PCI-DSSv4-10.2.1.7 - audit_rules_kernel_module_loading_init - configure_strategy - low_complexity @@ -21344,6 +21756,7 @@ manager: auto tags: - CCE-83783-1 + - DISA-STIG-RHEL-09-654250 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21358,6 +21771,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654250 | bool - audit_rules_login_events_faillock | bool - low_complexity | bool - low_disruption | bool @@ -21372,6 +21786,7 @@ patterns: '*.rules' register: find_existing_watch_rules_d when: + - DISA_STIG_RHEL_09_654250 | bool - audit_rules_login_events_faillock | bool - low_complexity | bool - low_disruption | bool @@ -21382,6 +21797,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83783-1 + - DISA-STIG-RHEL-09-654250 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21403,6 +21819,7 @@ patterns: '*.rules' register: find_watch_key when: + - DISA_STIG_RHEL_09_654250 | bool - audit_rules_login_events_faillock | bool - low_complexity | bool - low_disruption | bool @@ -21414,6 +21831,7 @@ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83783-1 + - DISA-STIG-RHEL-09-654250 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21433,6 +21851,7 @@ all_files: - /etc/audit/rules.d/logins.rules when: + - DISA_STIG_RHEL_09_654250 | bool - audit_rules_login_events_faillock | bool - low_complexity | bool - low_disruption | bool @@ -21445,6 +21864,7 @@ find_existing_watch_rules_d.matched == 0 tags: - CCE-83783-1 + - DISA-STIG-RHEL-09-654250 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) 
@@ -21464,6 +21884,7 @@ all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - DISA_STIG_RHEL_09_654250 | bool - audit_rules_login_events_faillock | bool - low_complexity | bool - low_disruption | bool @@ -21476,6 +21897,7 @@ find_existing_watch_rules_d.matched == 0 tags: - CCE-83783-1 + - DISA-STIG-RHEL-09-654250 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21497,6 +21919,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654250 | bool - audit_rules_login_events_faillock | bool - low_complexity | bool - low_disruption | bool @@ -21508,6 +21931,7 @@ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83783-1 + - DISA-STIG-RHEL-09-654250 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21529,6 +21953,7 @@ patterns: audit.rules register: find_existing_watch_audit_rules when: + - DISA_STIG_RHEL_09_654250 | bool - audit_rules_login_events_faillock | bool - low_complexity | bool - low_disruption | bool @@ -21539,6 +21964,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83783-1 + - DISA-STIG-RHEL-09-654250 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21561,6 +21987,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654250 | bool - audit_rules_login_events_faillock | bool - low_complexity | bool - low_disruption | bool @@ -21572,6 +21999,7 @@ - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83783-1 + - DISA-STIG-RHEL-09-654250 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21591,6 +22019,7 @@ manager: auto tags: - CCE-83785-6 + - DISA-STIG-RHEL-09-654255 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) 
@@ -21605,6 +22034,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_654255 | bool - audit_rules_login_events_lastlog | bool - low_complexity | bool - low_disruption | bool @@ -21619,6 +22049,7 @@ patterns: '*.rules' register: find_existing_watch_rules_d when: + - DISA_STIG_RHEL_09_654255 | bool - audit_rules_login_events_lastlog | bool - low_complexity | bool - low_disruption | bool @@ -21629,6 +22060,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83785-6 + - DISA-STIG-RHEL-09-654255 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21650,6 +22082,7 @@ patterns: '*.rules' register: find_watch_key when: + - DISA_STIG_RHEL_09_654255 | bool - audit_rules_login_events_lastlog | bool - low_complexity | bool - low_disruption | bool @@ -21661,6 +22094,7 @@ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 + - DISA-STIG-RHEL-09-654255 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21680,6 +22114,7 @@ all_files: - /etc/audit/rules.d/logins.rules when: + - DISA_STIG_RHEL_09_654255 | bool - audit_rules_login_events_lastlog | bool - low_complexity | bool - low_disruption | bool @@ -21692,6 +22127,7 @@ find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 + - DISA-STIG-RHEL-09-654255 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21711,6 +22147,7 @@ all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: + - DISA_STIG_RHEL_09_654255 | bool - audit_rules_login_events_lastlog | bool - low_complexity | bool - low_disruption | bool @@ -21723,6 +22160,7 @@ find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 + - DISA-STIG-RHEL-09-654255 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) 
@@ -21744,6 +22182,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654255 | bool - audit_rules_login_events_lastlog | bool - low_complexity | bool - low_disruption | bool @@ -21755,6 +22194,7 @@ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 + - DISA-STIG-RHEL-09-654255 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21776,6 +22216,7 @@ patterns: audit.rules register: find_existing_watch_audit_rules when: + - DISA_STIG_RHEL_09_654255 | bool - audit_rules_login_events_lastlog | bool - low_complexity | bool - low_disruption | bool @@ -21786,6 +22227,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83785-6 + - DISA-STIG-RHEL-09-654255 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21808,6 +22250,7 @@ create: true mode: '0640' when: + - DISA_STIG_RHEL_09_654255 | bool - audit_rules_login_events_lastlog | bool - low_complexity | bool - low_disruption | bool @@ -21819,6 +22262,7 @@ - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83785-6 + - DISA-STIG-RHEL-09-654255 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -21846,7 +22290,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands - configure_strategy - low_complexity @@ -21885,7 +22328,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands - configure_strategy - low_complexity @@ -21920,7 +22362,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands - configure_strategy - low_complexity 
@@ -21932,7 +22373,7 @@ Mount Points ansible.builtin.set_fact: privileged_commands: '{{( result_privileged_commands_search.results | map(attribute=''stdout_lines'') | select() | list - )[-1] }}' + ) | sum(start=[]) }}' when: - audit_rules_privileged_commands | bool - configure_strategy | bool @@ -21952,7 +22393,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands - configure_strategy - low_complexity @@ -22020,7 +22460,6 @@ - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.2 - - PCI-DSSv4-10.2.1.2 - audit_rules_privileged_commands - configure_strategy - low_complexity @@ -22033,6 +22472,7 @@ manager: auto tags: - CCE-90262-7 + - DISA-STIG-RHEL-09-654105 - NIST-800-53-AU-12(a) - NIST-800-53-AU-12.1(ii) - NIST-800-53-AU-12.1(iv)AU-12(c) @@ -22046,6 +22486,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_654105 | bool - audit_rules_privileged_commands_kmod | bool - low_complexity | bool - low_disruption | bool @@ -22143,6 +22584,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654105 | bool - audit_rules_privileged_commands_kmod | bool - low_complexity | bool - low_disruption | bool @@ -22153,6 +22595,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-90262-7 + - DISA-STIG-RHEL-09-654105 - NIST-800-53-AU-12(a) - NIST-800-53-AU-12.1(ii) - NIST-800-53-AU-12.1(iv)AU-12(c) @@ -22171,6 +22614,7 @@ manager: auto tags: - CCE-83780-7 + - DISA-STIG-RHEL-09-654150 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -22183,6 +22627,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_654150 | bool - audit_rules_privileged_commands_sudo | bool - low_complexity | bool - low_disruption | bool 
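Review bot: The new expression in `@@ -21932,7 +22373,7 @@` joins the per-mount-point lists with `sum(start=[])`, which keeps duplicates and differs from the form this file uses elsewhere for the same job (`log_files | list | flatten | unique` in the log-file tasks). If one path is reported for more than one mount point it will appear twice in `privileged_commands`; whether that matters depends on the tasks that consume the fact, which are outside this hunk. Ending the expression with `) | flatten | unique }}'` gives the same concatenation without repeats. The task's `name:` line starts outside the hunk.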
@@ -22280,6 +22725,7 @@ state: present when: syscalls_found | length == 0 when: + - DISA_STIG_RHEL_09_654150 | bool - audit_rules_privileged_commands_sudo | bool - low_complexity | bool - low_disruption | bool @@ -22290,6 +22736,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83780-7 + - DISA-STIG-RHEL-09-654150 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) @@ -23581,6 +24028,7 @@ manager: auto tags: - CCE-83843-3 + - DISA-STIG-RHEL-09-212050 - NIST-800-53-SI-16 - grub2_pti_argument - low_disruption @@ -23589,6 +24037,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_212050 | bool - grub2_pti_argument | bool - low_disruption | bool - low_severity | bool @@ -23599,6 +24048,7 @@ - name: Update grub defaults and the bootloader menu command: /sbin/grubby --update-kernel=ALL --args="pti=on" when: + - DISA_STIG_RHEL_09_212050 | bool - grub2_pti_argument | bool - low_disruption | bool - low_severity | bool @@ -23609,6 +24059,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83843-3 + - DISA-STIG-RHEL-09-212050 - NIST-800-53-SI-16 - grub2_pti_argument - low_disruption @@ -23778,6 +24229,7 @@ name: rsyslog-gnutls state: present when: + - DISA_STIG_RHEL_09_652015 | bool - enable_strategy | bool - low_complexity | bool - low_disruption | bool @@ -23787,6 +24239,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83987-8 + - DISA-STIG-RHEL-09-652015 - enable_strategy - low_complexity - low_disruption @@ -23811,7 +24264,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -23842,7 +24294,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity 
@@ -23874,7 +24325,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -23900,7 +24350,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -23933,7 +24382,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -23969,7 +24417,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24007,7 +24454,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24034,7 +24480,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24046,7 +24491,7 @@ - name: Ensure Log Files Are Owned By Appropriate Group -Setup log files attribute ansible.builtin.file: path: '{{ item }}' - group: '0' + group: root state: file loop: '{{ log_files | list | flatten | unique }}' failed_when: false @@ -24064,7 +24509,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24090,7 +24534,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24121,7 +24564,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24153,7 +24595,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity 
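Review bot: Because this task in `@@ -24046,7 +24491,7 @@` runs with `failed_when: false`, replacing `group: '0'` with `group: root` adds a failure mode that is never reported. The name has to resolve on the target where the numeric id did not, and a failed lookup is swallowed just like the missing-file case the suppression presumably exists for. The `owner: '0'` to `owner: root` change in `@@ -24325,7 +24761,7 @@` has the same property. If the name is preferred for readability, a comment such as `# root must resolve on the target; failed_when: false hides a lookup failure` would record the trade-off. A stricter alternative is to narrow `failed_when` so that only a missing path is tolerated.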
@@ -24179,7 +24620,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24212,7 +24652,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24248,7 +24687,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24286,7 +24724,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24313,7 +24750,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24325,7 +24761,7 @@ - name: Ensure Log Files Are Owned By Appropriate User -Setup log files attribute ansible.builtin.file: path: '{{ item }}' - owner: '0' + owner: root state: file loop: '{{ log_files | list | flatten | unique }}' failed_when: false @@ -24343,7 +24779,6 @@ - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - - PCI-DSSv4-10.3.1 - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity @@ -24370,7 +24805,6 @@ - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.1 - - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -24401,7 +24835,6 @@ - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.1 - - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -24433,7 +24866,6 @@ - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.1 - - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -24459,7 +24891,6 @@ - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.1 - - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption 
@@ -24492,7 +24923,6 @@ - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.1 - - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -24528,7 +24958,6 @@ - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.1 - - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -24566,7 +24995,6 @@ - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.1 - - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -24593,7 +25021,6 @@ - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.1 - - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -24623,7 +25050,6 @@ - PCI-DSS-Req-10.5.1 - PCI-DSS-Req-10.5.2 - PCI-DSSv4-10.3.1 - - PCI-DSSv4-10.3.2 - configure_strategy - low_complexity - medium_disruption @@ -24647,6 +25073,7 @@ - CCE-86155-9 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - enable_strategy - low_complexity - low_disruption @@ -24661,7 +25088,6 @@ - CCE-83993-6 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 - - PCI-DSSv4-10.5.1 - configure_strategy - ensure_logrotate_activated - low_complexity @@ -24695,7 +25121,6 @@ - CCE-83993-6 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 - - PCI-DSSv4-10.5.1 - configure_strategy - ensure_logrotate_activated - low_complexity @@ -24722,7 +25147,6 @@ - CCE-83993-6 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 - - PCI-DSSv4-10.5.1 - configure_strategy - ensure_logrotate_activated - low_complexity @@ -24756,7 +25180,6 @@ - CCE-83993-6 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 - - PCI-DSSv4-10.5.1 - configure_strategy - ensure_logrotate_activated - low_complexity @@ -24771,6 +25194,7 @@ - CCE-86158-3 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - enable_strategy - low_complexity - low_disruption @@ -24811,6 +25235,7 @@ - CCE-86158-3 - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.7 + - PCI-DSSv4-10.5.1 - enable_strategy - low_complexity - low_disruption 
@@ -24825,6 +25250,7 @@
 line: '*.* @@{{ rsyslog_remote_loghost_address }}'
 create: true
 when:
+ - DISA_STIG_RHEL_09_652055 | bool
 - low_complexity | bool
 - low_disruption | bool
 - medium_severity | bool
@@ -24834,6 +25260,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-83990-2
+ - DISA-STIG-RHEL-09-652055
 - NIST-800-53-AU-4(1)
 - NIST-800-53-AU-9(2)
 - NIST-800-53-CM-6(a)
@@ -25325,6 +25752,7 @@
 file_type: any
 register: find_sysctl_d
 when:
+ - DISA_STIG_RHEL_09_254015 | bool
 - disable_strategy | bool
 - low_complexity | bool
 - medium_disruption | bool
@@ -25334,6 +25762,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-84125-4
+ - DISA-STIG-RHEL-09-254015
 - NIST-800-171-3.1.20
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-6(b)
@@ -25354,6 +25783,7 @@
 replace: '#net.ipv6.conf.all.accept_redirects'
 loop: '{{ find_sysctl_d.files }}'
 when:
+ - DISA_STIG_RHEL_09_254015 | bool
 - disable_strategy | bool
 - low_complexity | bool
 - medium_disruption | bool
@@ -25363,6 +25793,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-84125-4
+ - DISA-STIG-RHEL-09-254015
 - NIST-800-171-3.1.20
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-6(b)
@@ -25384,6 +25815,7 @@
 state: present
 reload: true
 when:
+ - DISA_STIG_RHEL_09_254015 | bool
 - disable_strategy | bool
 - low_complexity | bool
 - medium_disruption | bool
@@ -25393,6 +25825,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-84125-4
+ - DISA-STIG-RHEL-09-254015
 - NIST-800-171-3.1.20
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-6(b)
@@ -25417,6 +25850,7 @@
 file_type: any
 register: find_sysctl_d
 when:
+ - DISA_STIG_RHEL_09_254020 | bool
 - disable_strategy | bool
 - low_complexity | bool
 - medium_disruption | bool
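Review bot: In the `@@ -24825,6 +25250,7 @@` hunk, the added `DISA_STIG_RHEL_09_652055 | bool` entry is ANDed with the existing `when` conditions, yet the following hunk's tag list, which appears to belong to the same task, also carries `CCE-83990-2` and `NIST-800-53-AU-4(1)`. Switching the STIG variable off would therefore skip the remote-loghost task for every profile that relies on it, not only for STIG. The commit touches only `tasks/main.yml`, so unless the role's defaults already define each new `DISA_STIG_RHEL_09_*` variable (not visible here), the conditional will error on an undefined variable. Writing it as `- DISA_STIG_RHEL_09_652055 | default(true) | bool` keeps the control applied when the variable is absent. The same applies to every `DISA_STIG_RHEL_09_*` condition added in the hunks that follow; the task this `when` list belongs to starts outside the hunk.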
@@ -25426,6 +25860,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84131-2 + - DISA-STIG-RHEL-09-254020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -25444,6 +25879,7 @@ replace: '#net.ipv6.conf.all.accept_source_route' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_254020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -25453,6 +25889,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84131-2 + - DISA-STIG-RHEL-09-254020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -25472,6 +25909,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_254020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -25481,6 +25919,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84131-2 + - DISA-STIG-RHEL-09-254020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -25947,6 +26386,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_254035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -25956,6 +26396,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84113-0 + - DISA-STIG-RHEL-09-254035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -25974,6 +26415,7 @@ replace: '#net.ipv6.conf.default.accept_redirects' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_254035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -25983,6 +26425,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84113-0 + - DISA-STIG-RHEL-09-254035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) 
@@ -26002,6 +26445,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_254035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26011,6 +26455,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84113-0 + - DISA-STIG-RHEL-09-254035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -26033,6 +26478,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_254040 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26042,6 +26488,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84130-4 + - DISA-STIG-RHEL-09-254040 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) @@ -26049,6 +26496,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -26063,6 +26511,7 @@ replace: '#net.ipv6.conf.default.accept_source_route' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_254040 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26072,6 +26521,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84130-4 + - DISA-STIG-RHEL-09-254040 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) @@ -26079,6 +26529,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -26094,6 +26545,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_254040 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26103,6 +26555,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84130-4 + - DISA-STIG-RHEL-09-254040 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-6(b) 
@@ -26110,6 +26563,7 @@ - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -26424,6 +26878,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253015 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26434,6 +26889,7 @@ tags: - CCE-84011-6 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253015 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -26453,6 +26909,7 @@ replace: '#net.ipv4.conf.all.accept_redirects' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253015 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26463,6 +26920,7 @@ tags: - CCE-84011-6 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253015 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -26483,6 +26941,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253015 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26493,6 +26952,7 @@ tags: - CCE-84011-6 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253015 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -26516,6 +26976,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26525,6 +26986,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84001-7 + - DISA-STIG-RHEL-09-253020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -26545,6 +27007,7 @@ replace: '#net.ipv4.conf.all.accept_source_route' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool 
@@ -26554,6 +27017,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84001-7 + - DISA-STIG-RHEL-09-253020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -26575,6 +27039,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253020 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26584,6 +27049,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84001-7 + - DISA-STIG-RHEL-09-253020 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -26904,6 +27370,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26913,12 +27380,14 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84008-2 + - DISA-STIG-RHEL-09-253035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -26933,6 +27402,7 @@ replace: '#net.ipv4.conf.all.rp_filter' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -26942,12 +27412,14 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84008-2 + - DISA-STIG-RHEL-09-253035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -26963,6 +27435,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool 
@@ -26972,12 +27445,14 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84008-2 + - DISA-STIG-RHEL-09-253035 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -27011,6 +27486,7 @@ - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -27040,6 +27516,7 @@ - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -27070,6 +27547,7 @@ - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -27162,6 +27640,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253040 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27172,12 +27651,14 @@ tags: - CCE-84003-3 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253040 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -27192,6 +27673,7 @@ replace: '#net.ipv4.conf.default.accept_redirects' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253040 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27202,12 +27684,14 @@ tags: - CCE-84003-3 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253040 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption 
@@ -27223,6 +27707,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253040 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27233,12 +27718,14 @@ tags: - CCE-84003-3 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253040 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -27257,6 +27744,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253045 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27267,6 +27755,7 @@ tags: - CCE-84007-4 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253045 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) @@ -27286,6 +27775,7 @@ replace: '#net.ipv4.conf.default.accept_source_route' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253045 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27296,6 +27786,7 @@ tags: - CCE-84007-4 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253045 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) @@ -27316,6 +27807,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253045 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27326,6 +27818,7 @@ tags: - CCE-84007-4 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253045 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) @@ -27349,6 +27842,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253050 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27358,6 +27852,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84009-0 + - DISA-STIG-RHEL-09-253050 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) 
@@ -27377,6 +27872,7 @@ replace: '#net.ipv4.conf.default.rp_filter' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253050 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27386,6 +27882,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84009-0 + - DISA-STIG-RHEL-09-253050 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -27406,6 +27903,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253050 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27415,6 +27913,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84009-0 + - DISA-STIG-RHEL-09-253050 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -27601,6 +28100,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27610,11 +28110,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84015-7 + - DISA-STIG-RHEL-09-253060 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -27629,6 +28131,7 @@ replace: '#net.ipv4.icmp_ignore_bogus_error_responses' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27638,11 +28141,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84015-7 + - DISA-STIG-RHEL-09-253060 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption 
@@ -27658,6 +28163,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253060 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27667,11 +28173,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84015-7 + - DISA-STIG-RHEL-09-253060 - NIST-800-171-3.1.20 - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - PCI-DSS-Req-1.4.3 + - PCI-DSSv4-1.4.2 - disable_strategy - low_complexity - medium_disruption @@ -27838,6 +28346,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27848,6 +28357,7 @@ tags: - CCE-84006-6 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253010 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -27856,6 +28366,7 @@ - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) - PCI-DSS-Req-1.4.1 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -27870,6 +28381,7 @@ replace: '#net.ipv4.tcp_syncookies' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27880,6 +28392,7 @@ tags: - CCE-84006-6 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253010 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) @@ -27888,6 +28401,7 @@ - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) - PCI-DSS-Req-1.4.1 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -27903,6 +28417,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253010 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27913,6 +28428,7 @@ tags: - CCE-84006-6 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253010 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) 
@@ -27921,6 +28437,7 @@ - NIST-800-53-SC-5(2) - NIST-800-53-SC-5(3)(a) - PCI-DSS-Req-1.4.1 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -27939,6 +28456,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253065 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27949,13 +28467,14 @@ tags: - CCE-83997-7 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253065 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - - PCI-DSSv4-1.4.2 + - PCI-DSSv4-1.4.5 - disable_strategy - low_complexity - medium_disruption @@ -27970,6 +28489,7 @@ replace: '#net.ipv4.conf.all.send_redirects' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253065 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -27980,13 +28500,14 @@ tags: - CCE-83997-7 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253065 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - - PCI-DSSv4-1.4.2 + - PCI-DSSv4-1.4.5 - disable_strategy - low_complexity - medium_disruption @@ -28002,6 +28523,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253065 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -28012,13 +28534,14 @@ tags: - CCE-83997-7 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253065 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) - - PCI-DSSv4-1.4.2 + - PCI-DSSv4-1.4.5 - disable_strategy - low_complexity - medium_disruption @@ -28037,6 +28560,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_253070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool 
@@ -28047,12 +28571,14 @@ tags: - CCE-83999-3 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253070 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4.5 - disable_strategy - low_complexity - medium_disruption @@ -28067,6 +28593,7 @@ replace: '#net.ipv4.conf.default.send_redirects' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_253070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -28077,12 +28604,14 @@ tags: - CCE-83999-3 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253070 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4.5 - disable_strategy - low_complexity - medium_disruption @@ -28098,6 +28627,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_253070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -28108,12 +28638,14 @@ tags: - CCE-83999-3 - CJIS-5.10.1.1 + - DISA-STIG-RHEL-09-253070 - NIST-800-171-3.1.20 - NIST-800-53-CM-6(a) - NIST-800-53-CM-7(a) - NIST-800-53-CM-7(b) - NIST-800-53-SC-5 - NIST-800-53-SC-7(a) + - PCI-DSSv4-1.4.5 - disable_strategy - low_complexity - medium_disruption @@ -28149,7 +28681,7 @@ - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.3.1 - PCI-DSS-Req-1.3.2 - - PCI-DSSv4-1.4.2 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -28181,7 +28713,7 @@ - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.3.1 - PCI-DSS-Req-1.3.2 - - PCI-DSSv4-1.4.2 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -28214,7 +28746,7 @@ - NIST-800-53-SC-7(a) - PCI-DSS-Req-1.3.1 - PCI-DSS-Req-1.3.2 - - PCI-DSSv4-1.4.2 + - PCI-DSSv4-1.4.3 - disable_strategy - low_complexity - medium_disruption @@ -28252,6 +28784,7 @@ search_paths: [] tags: - CCE-83903-5 + - DISA-STIG-RHEL-09-232240 - dir_perms_world_writable_root_owned - low_complexity - medium_disruption 
@@ -28259,6 +28792,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232240 | bool - dir_perms_world_writable_root_owned | bool - low_complexity | bool - medium_disruption | bool @@ -28277,6 +28811,7 @@ register: result_relevant_root_dirs tags: - CCE-83903-5 + - DISA-STIG-RHEL-09-232240 - dir_perms_world_writable_root_owned - low_complexity - medium_disruption @@ -28284,6 +28819,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232240 | bool - dir_perms_world_writable_root_owned | bool - low_complexity | bool - medium_disruption | bool @@ -28298,6 +28834,7 @@ loop: '{{ result_relevant_root_dirs.files }}' tags: - CCE-83903-5 + - DISA-STIG-RHEL-09-232240 - dir_perms_world_writable_root_owned - low_complexity - medium_disruption @@ -28305,6 +28842,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232240 | bool - dir_perms_world_writable_root_owned | bool - low_complexity | bool - medium_disruption | bool @@ -28318,6 +28856,7 @@ search_paths: '{{ search_paths | union([item.mount]) }}' loop: '{{ ansible_mounts }}' when: + - DISA_STIG_RHEL_09_232240 | bool - dir_perms_world_writable_root_owned | bool - low_complexity | bool - medium_disruption | bool @@ -28328,6 +28867,7 @@ - item.mount != '/' tags: - CCE-83903-5 + - DISA-STIG-RHEL-09-232240 - dir_perms_world_writable_root_owned - low_complexity - medium_disruption @@ -28341,6 +28881,7 @@ search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}' loop: '{{ ansible_mounts }}' when: + - DISA_STIG_RHEL_09_232240 | bool - dir_perms_world_writable_root_owned | bool - low_complexity | bool - medium_disruption | bool @@ -28350,6 +28891,7 @@ - item.device is search("localhost:") tags: - CCE-83903-5 + - DISA-STIG-RHEL-09-232240 - dir_perms_world_writable_root_owned - low_complexity - medium_disruption 
@@ -28362,6 +28904,7 @@ world_writable_dirs: [] tags: - CCE-83903-5 + - DISA-STIG-RHEL-09-232240 - dir_perms_world_writable_root_owned - low_complexity - medium_disruption @@ -28369,6 +28912,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232240 | bool - dir_perms_world_writable_root_owned | bool - low_complexity | bool - medium_disruption | bool @@ -28384,6 +28928,7 @@ register: result_found_dirs tags: - CCE-83903-5 + - DISA-STIG-RHEL-09-232240 - dir_perms_world_writable_root_owned - low_complexity - medium_disruption @@ -28391,6 +28936,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232240 | bool - dir_perms_world_writable_root_owned | bool - low_complexity | bool - medium_disruption | bool @@ -28405,6 +28951,7 @@ loop: '{{ result_found_dirs.results }}' tags: - CCE-83903-5 + - DISA-STIG-RHEL-09-232240 - dir_perms_world_writable_root_owned - low_complexity - medium_disruption @@ -28412,6 +28959,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232240 | bool - dir_perms_world_writable_root_owned | bool - low_complexity | bool - medium_disruption | bool @@ -28426,6 +28974,7 @@ loop: '{{ world_writable_dirs }}' tags: - CCE-83903-5 + - DISA-STIG-RHEL-09-232240 - dir_perms_world_writable_root_owned - low_complexity - medium_disruption @@ -28433,6 +28982,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232240 | bool - dir_perms_world_writable_root_owned | bool - low_complexity | bool - medium_disruption | bool @@ -28470,8 +29020,10 @@ search_paths: [] tags: - CCE-83895-3 + - DISA-STIG-RHEL-09-232245 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 - dir_perms_world_writable_sticky_bits - low_complexity - low_disruption @@ -28479,6 +29031,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232245 | bool - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - low_disruption | bool 
@@ -28497,8 +29050,10 @@ register: result_relevant_root_dirs tags: - CCE-83895-3 + - DISA-STIG-RHEL-09-232245 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 - dir_perms_world_writable_sticky_bits - low_complexity - low_disruption @@ -28506,6 +29061,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232245 | bool - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - low_disruption | bool @@ -28520,8 +29076,10 @@ loop: '{{ result_relevant_root_dirs.files }}' tags: - CCE-83895-3 + - DISA-STIG-RHEL-09-232245 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 - dir_perms_world_writable_sticky_bits - low_complexity - low_disruption @@ -28529,6 +29087,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232245 | bool - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - low_disruption | bool @@ -28542,6 +29101,7 @@ search_paths: '{{ search_paths | union([item.mount]) }}' loop: '{{ ansible_mounts }}' when: + - DISA_STIG_RHEL_09_232245 | bool - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - low_disruption | bool @@ -28552,8 +29112,10 @@ - item.mount != '/' tags: - CCE-83895-3 + - DISA-STIG-RHEL-09-232245 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 - dir_perms_world_writable_sticky_bits - low_complexity - low_disruption @@ -28567,6 +29129,7 @@ search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}' loop: '{{ ansible_mounts }}' when: + - DISA_STIG_RHEL_09_232245 | bool - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - low_disruption | bool @@ -28576,8 +29139,10 @@ - item.device is search("localhost:") tags: - CCE-83895-3 + - DISA-STIG-RHEL-09-232245 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 - dir_perms_world_writable_sticky_bits - low_complexity - low_disruption 
@@ -28590,8 +29155,10 @@ world_writable_dirs: [] tags: - CCE-83895-3 + - DISA-STIG-RHEL-09-232245 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 - dir_perms_world_writable_sticky_bits - low_complexity - low_disruption @@ -28599,6 +29166,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232245 | bool - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - low_disruption | bool @@ -28614,8 +29182,10 @@ register: result_found_dirs tags: - CCE-83895-3 + - DISA-STIG-RHEL-09-232245 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 - dir_perms_world_writable_sticky_bits - low_complexity - low_disruption @@ -28623,6 +29193,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232245 | bool - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - low_disruption | bool @@ -28637,8 +29208,10 @@ loop: '{{ result_found_dirs.results }}' tags: - CCE-83895-3 + - DISA-STIG-RHEL-09-232245 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 - dir_perms_world_writable_sticky_bits - low_complexity - low_disruption @@ -28646,6 +29219,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232245 | bool - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - low_disruption | bool @@ -28661,8 +29235,10 @@ loop: '{{ world_writable_dirs }}' tags: - CCE-83895-3 + - DISA-STIG-RHEL-09-232245 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) + - PCI-DSSv4-2.2.6 - dir_perms_world_writable_sticky_bits - low_complexity - low_disruption @@ -28670,6 +29246,7 @@ - no_reboot_needed - restrict_strategy when: + - DISA_STIG_RHEL_09_232245 | bool - dir_perms_world_writable_sticky_bits | bool - low_complexity | bool - low_disruption | bool @@ -28768,6 +29345,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_213030 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool 
@@ -28777,6 +29355,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84110-6 + - DISA-STIG-RHEL-09-213030 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - disable_strategy @@ -28793,6 +29372,7 @@ replace: '#fs.protected_hardlinks' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_213030 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -28802,6 +29382,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84110-6 + - DISA-STIG-RHEL-09-213030 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - disable_strategy @@ -28819,6 +29400,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_213030 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -28828,6 +29410,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84110-6 + - DISA-STIG-RHEL-09-213030 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - disable_strategy @@ -28928,6 +29511,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_213035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -28937,6 +29521,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83900-1 + - DISA-STIG-RHEL-09-213035 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - disable_strategy @@ -28953,6 +29538,7 @@ replace: '#fs.protected_symlinks' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_213035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -28962,6 +29548,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83900-1 + - DISA-STIG-RHEL-09-213035 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - disable_strategy 
@@ -28979,6 +29566,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_213035 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -28988,6 +29576,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83900-1 + - DISA-STIG-RHEL-09-213035 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - disable_strategy @@ -29003,6 +29592,7 @@ register: file_exists tags: - CCE-83924-1 + - DISA-STIG-RHEL-09-232110 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy @@ -29012,6 +29602,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_232110 | bool - configure_strategy | bool - file_owner_etc_gshadow | bool - low_complexity | bool @@ -29024,6 +29615,7 @@ path: /etc/gshadow owner: '0' when: + - DISA_STIG_RHEL_09_232110 | bool - configure_strategy | bool - file_owner_etc_gshadow | bool - low_complexity | bool @@ -29033,6 +29625,7 @@ - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83924-1 + - DISA-STIG-RHEL-09-232110 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy @@ -29049,10 +29642,11 @@ tags: - CCE-83926-6 - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232150 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - - PCI-DSSv4-7.2.6 + - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_shadow - low_complexity @@ -29060,6 +29654,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_232150 | bool - configure_strategy | bool - file_owner_etc_shadow | bool - low_complexity | bool @@ -29072,6 +29667,7 @@ path: /etc/shadow owner: '0' when: + - DISA_STIG_RHEL_09_232150 | bool - configure_strategy | bool - file_owner_etc_shadow | bool - low_complexity | bool @@ -29082,10 +29678,11 @@ tags: - CCE-83926-6 - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232150 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - - PCI-DSSv4-7.2.6 + - PCI-DSSv4-2.2.6 - configure_strategy - file_owner_etc_shadow - low_complexity 
@@ -29100,10 +29697,11 @@ tags: - CCE-83934-0 - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232055 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - - PCI-DSSv4-7.2.6 + - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_group - low_complexity @@ -29111,6 +29709,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_232055 | bool - configure_strategy | bool - file_permissions_etc_group | bool - low_complexity | bool @@ -29123,6 +29722,7 @@ path: /etc/group mode: u-xs,g-xws,o-xwt when: + - DISA_STIG_RHEL_09_232055 | bool - configure_strategy | bool - file_permissions_etc_group | bool - low_complexity | bool @@ -29133,10 +29733,11 @@ tags: - CCE-83934-0 - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232055 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - - PCI-DSSv4-7.2.6 + - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_group - low_complexity @@ -29150,6 +29751,7 @@ register: file_exists tags: - CCE-83921-7 + - DISA-STIG-RHEL-09-232065 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy @@ -29159,6 +29761,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_232065 | bool - configure_strategy | bool - file_permissions_etc_gshadow | bool - low_complexity | bool @@ -29171,6 +29774,7 @@ path: /etc/gshadow mode: u-xwrs,g-xwrs,o-xwrt when: + - DISA_STIG_RHEL_09_232065 | bool - configure_strategy | bool - file_permissions_etc_gshadow | bool - low_complexity | bool @@ -29180,6 +29784,7 @@ - file_exists.stat is defined and file_exists.stat.exists tags: - CCE-83921-7 + - DISA-STIG-RHEL-09-232065 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy @@ -29196,10 +29801,11 @@ tags: - CCE-83931-6 - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232075 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - - PCI-DSSv4-7.2.6 + - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_passwd - low_complexity 
@@ -29207,6 +29813,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_232075 | bool - configure_strategy | bool - file_permissions_etc_passwd | bool - low_complexity | bool @@ -29219,6 +29826,7 @@ path: /etc/passwd mode: u-xs,g-xws,o-xwt when: + - DISA_STIG_RHEL_09_232075 | bool - configure_strategy | bool - file_permissions_etc_passwd | bool - low_complexity | bool @@ -29229,10 +29837,11 @@ tags: - CCE-83931-6 - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232075 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - - PCI-DSSv4-7.2.6 + - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_passwd - low_complexity @@ -29247,10 +29856,11 @@ tags: - CCE-83941-5 - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232270 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - - PCI-DSSv4-7.2.6 + - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_shadow - low_complexity @@ -29258,6 +29868,7 @@ - medium_severity - no_reboot_needed when: + - DISA_STIG_RHEL_09_232270 | bool - configure_strategy | bool - file_permissions_etc_shadow | bool - low_complexity | bool @@ -29270,6 +29881,7 @@ path: /etc/shadow mode: u-xwrs,g-xwrs,o-xwrt when: + - DISA_STIG_RHEL_09_232270 | bool - configure_strategy | bool - file_permissions_etc_shadow | bool - low_complexity | bool @@ -29280,10 +29892,11 @@ tags: - CCE-83941-5 - CJIS-5.5.2.2 + - DISA-STIG-RHEL-09-232270 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.7.c - - PCI-DSSv4-7.2.6 + - PCI-DSSv4-2.2.6 - configure_strategy - file_permissions_etc_shadow - low_complexity @@ -29421,6 +30034,7 @@ failed_when: device_name.rc > 1 changed_when: false when: + - DISA_STIG_RHEL_09_231100 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29430,6 +30044,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83877-1 + - DISA-STIG-RHEL-09-231100 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
@@ -29450,6 +30065,7 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: + - DISA_STIG_RHEL_09_231100 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29461,6 +30077,7 @@ - (device_name.stdout | length > 0) tags: - CCE-83877-1 + - DISA-STIG-RHEL-09-231100 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -29487,6 +30104,7 @@ - '' - defaults when: + - DISA_STIG_RHEL_09_231100 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29498,6 +30116,7 @@ - (device_name.stdout | length == 0) tags: - CCE-83877-1 + - DISA-STIG-RHEL-09-231100 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -29515,6 +30134,7 @@ set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: + - DISA_STIG_RHEL_09_231100 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29525,6 +30145,7 @@ - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83877-1 + - DISA-STIG-RHEL-09-231100 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -29546,6 +30167,7 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: + - DISA_STIG_RHEL_09_231100 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29556,6 +30178,7 @@ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83877-1 + - DISA-STIG-RHEL-09-231100 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -29575,6 +30198,7 @@ failed_when: device_name.rc > 1 changed_when: false when: + - DISA_STIG_RHEL_09_231055 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool 
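Review bot: The final `state: mounted` task of this rule cannot run for a mount point that has no fstab entry, because the second operand of its condition, `("--fstab" | length == 0)`, is a constant false. The earlier tasks still appear to build `mount_info` from `defaults` and append `nosuid` when `device_name.stdout | length == 0`, so that branch is computed and then dropped without a failure or a message. If skipping is intended, reduce the condition to `- device_name.stdout is defined and (device_name.stdout | length > 0)`. The operand looks like a generator leftover, so the fix probably belongs in the template. The same condition recurs in the other mount-option rules in this patch (DISA-STIG-RHEL-09-231055 through 231185), and the task bodies start outside the hunks.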
@@ -29584,6 +30208,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83875-5 + - DISA-STIG-RHEL-09-231055 - NIST-800-53-CM-6(b) - configure_strategy - high_disruption @@ -29599,6 +30224,7 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: + - DISA_STIG_RHEL_09_231055 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29610,6 +30236,7 @@ - (device_name.stdout | length > 0) tags: - CCE-83875-5 + - DISA-STIG-RHEL-09-231055 - NIST-800-53-CM-6(b) - configure_strategy - high_disruption @@ -29631,6 +30258,7 @@ - '' - defaults when: + - DISA_STIG_RHEL_09_231055 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29642,6 +30270,7 @@ - (device_name.stdout | length == 0) tags: - CCE-83875-5 + - DISA-STIG-RHEL-09-231055 - NIST-800-53-CM-6(b) - configure_strategy - high_disruption @@ -29654,6 +30283,7 @@ set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: + - DISA_STIG_RHEL_09_231055 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29664,6 +30294,7 @@ - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83875-5 + - DISA-STIG-RHEL-09-231055 - NIST-800-53-CM-6(b) - configure_strategy - high_disruption @@ -29680,6 +30311,7 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: + - DISA_STIG_RHEL_09_231055 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29690,6 +30322,7 @@ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83875-5 + - DISA-STIG-RHEL-09-231055 - NIST-800-53-CM-6(b) - configure_strategy - high_disruption 
@@ -29704,6 +30337,7 @@ failed_when: device_name.rc > 1 changed_when: false when: + - DISA_STIG_RHEL_09_231050 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29714,6 +30348,7 @@ | map(attribute="mount") | list ) tags: - CCE-83894-6 + - DISA-STIG-RHEL-09-231050 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -29734,6 +30369,7 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: + - DISA_STIG_RHEL_09_231050 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29746,6 +30382,7 @@ - (device_name.stdout | length > 0) tags: - CCE-83894-6 + - DISA-STIG-RHEL-09-231050 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -29772,6 +30409,7 @@ - '' - defaults when: + - DISA_STIG_RHEL_09_231050 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29784,6 +30422,7 @@ - (device_name.stdout | length == 0) tags: - CCE-83894-6 + - DISA-STIG-RHEL-09-231050 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -29801,6 +30440,7 @@ set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: + - DISA_STIG_RHEL_09_231050 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29812,6 +30452,7 @@ - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83894-6 + - DISA-STIG-RHEL-09-231050 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -29833,6 +30474,7 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: + - DISA_STIG_RHEL_09_231050 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool 
@@ -29844,6 +30486,7 @@ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83894-6 + - DISA-STIG-RHEL-09-231050 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -29865,6 +30508,7 @@ state: mounted fstype: '{{ item.fstype }}' when: + - DISA_STIG_RHEL_09_231200 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -29878,6 +30522,7 @@ - '{{ ansible_facts.mounts }}' tags: - CCE-83873-0 + - DISA-STIG-RHEL-09-231200 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30155,6 +30800,7 @@ failed_when: device_name.rc > 1 changed_when: false when: + - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30165,6 +30811,7 @@ map(attribute="mount") | list ) tags: - CCE-83885-4 + - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30185,6 +30832,7 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: + - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30197,6 +30845,7 @@ - (device_name.stdout | length > 0) tags: - CCE-83885-4 + - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30223,6 +30872,7 @@ - '' - defaults when: + - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30235,6 +30885,7 @@ - (device_name.stdout | length == 0) tags: - CCE-83885-4 + - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30252,6 +30903,7 @@ set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: + - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool 
@@ -30263,6 +30915,7 @@ - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83885-4 + - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30284,6 +30937,7 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: + - DISA_STIG_RHEL_09_231130 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30295,6 +30949,7 @@ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83885-4 + - DISA-STIG-RHEL-09-231130 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30314,6 +30969,7 @@ failed_when: device_name.rc > 1 changed_when: false when: + - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30324,6 +30980,7 @@ map(attribute="mount") | list ) tags: - CCE-83872-2 + - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30344,6 +31001,7 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: + - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30356,6 +31014,7 @@ - (device_name.stdout | length > 0) tags: - CCE-83872-2 + - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30382,6 +31041,7 @@ - '' - defaults when: + - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30394,6 +31054,7 @@ - (device_name.stdout | length == 0) tags: - CCE-83872-2 + - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30411,6 +31072,7 @@ set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: + - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool 
@@ -30422,6 +31084,7 @@ - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83872-2 + - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30443,6 +31106,7 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: + - DISA_STIG_RHEL_09_231135 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30454,6 +31118,7 @@ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83872-2 + - DISA-STIG-RHEL-09-231135 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30473,6 +31138,7 @@ failed_when: device_name.rc > 1 changed_when: false when: + - DISA_STIG_RHEL_09_231150 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30483,6 +31149,7 @@ | map(attribute="mount") | list ) tags: - CCE-83887-0 + - DISA-STIG-RHEL-09-231150 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30503,6 +31170,7 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: + - DISA_STIG_RHEL_09_231150 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30515,6 +31183,7 @@ - (device_name.stdout | length > 0) tags: - CCE-83887-0 + - DISA-STIG-RHEL-09-231150 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30541,6 +31210,7 @@ - '' - defaults when: + - DISA_STIG_RHEL_09_231150 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30553,6 +31223,7 @@ - (device_name.stdout | length == 0) tags: - CCE-83887-0 + - DISA-STIG-RHEL-09-231150 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) 
@@ -30570,6 +31241,7 @@ set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: + - DISA_STIG_RHEL_09_231150 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30581,6 +31253,7 @@ - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83887-0 + - DISA-STIG-RHEL-09-231150 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30602,6 +31275,7 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: + - DISA_STIG_RHEL_09_231150 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30613,6 +31287,7 @@ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83887-0 + - DISA-STIG-RHEL-09-231150 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30632,6 +31307,7 @@ failed_when: device_name.rc > 1 changed_when: false when: + - DISA_STIG_RHEL_09_231155 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30642,6 +31318,7 @@ | map(attribute="mount") | list ) tags: - CCE-83870-6 + - DISA-STIG-RHEL-09-231155 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30662,6 +31339,7 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: + - DISA_STIG_RHEL_09_231155 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30674,6 +31352,7 @@ - (device_name.stdout | length > 0) tags: - CCE-83870-6 + - DISA-STIG-RHEL-09-231155 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30700,6 +31379,7 @@ - '' - defaults when: + - DISA_STIG_RHEL_09_231155 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool 
@@ -30712,6 +31392,7 @@ - (device_name.stdout | length == 0) tags: - CCE-83870-6 + - DISA-STIG-RHEL-09-231155 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30729,6 +31410,7 @@ set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: + - DISA_STIG_RHEL_09_231155 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30740,6 +31422,7 @@ - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83870-6 + - DISA-STIG-RHEL-09-231155 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -30761,6 +31444,7 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: + - DISA_STIG_RHEL_09_231155 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -30772,6 +31456,7 @@ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83870-6 + - DISA-STIG-RHEL-09-231155 - NIST-800-53-AC-6 - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) @@ -31049,6 +31734,7 @@ failed_when: device_name.rc > 1 changed_when: false when: + - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -31059,6 +31745,7 @@ | map(attribute="mount") | list ) tags: - CCE-83866-4 + - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity @@ -31073,6 +31760,7 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: + - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -31085,6 +31773,7 @@ - (device_name.stdout | length > 0) tags: - CCE-83866-4 + - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity @@ -31105,6 +31794,7 @@ - '' - defaults when: + - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool 
@@ -31117,6 +31807,7 @@ - (device_name.stdout | length == 0) tags: - CCE-83866-4 + - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity @@ -31128,6 +31819,7 @@ set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}' when: + - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -31139,6 +31831,7 @@ - mount_info is defined and "noexec" not in mount_info.options tags: - CCE-83866-4 + - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity @@ -31154,6 +31847,7 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: + - DISA_STIG_RHEL_09_231180 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -31165,6 +31859,7 @@ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83866-4 + - DISA-STIG-RHEL-09-231180 - configure_strategy - high_disruption - low_complexity @@ -31178,6 +31873,7 @@ failed_when: device_name.rc > 1 changed_when: false when: + - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -31188,6 +31884,7 @@ | map(attribute="mount") | list ) tags: - CCE-83863-1 + - DISA-STIG-RHEL-09-231185 - configure_strategy - high_disruption - low_complexity @@ -31202,6 +31899,7 @@ - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: + - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -31214,6 +31912,7 @@ - (device_name.stdout | length > 0) tags: - CCE-83863-1 + - DISA-STIG-RHEL-09-231185 - configure_strategy - high_disruption - low_complexity @@ -31234,6 +31933,7 @@ - '' - defaults when: + - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool 
@@ -31246,6 +31946,7 @@ - (device_name.stdout | length == 0) tags: - CCE-83863-1 + - DISA-STIG-RHEL-09-231185 - configure_strategy - high_disruption - low_complexity @@ -31257,6 +31958,7 @@ set_fact: mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' }) }}' when: + - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -31268,6 +31970,7 @@ - mount_info is defined and "nosuid" not in mount_info.options tags: - CCE-83863-1 + - DISA-STIG-RHEL-09-231185 - configure_strategy - high_disruption - low_complexity @@ -31283,6 +31986,7 @@ state: mounted fstype: '{{ mount_info.fstype }}' when: + - DISA_STIG_RHEL_09_231185 | bool - configure_strategy | bool - high_disruption | bool - low_complexity | bool @@ -31294,6 +31998,7 @@ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83863-1 + - DISA-STIG-RHEL-09-231185 - configure_strategy - high_disruption - low_complexity @@ -31312,6 +32017,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_213010 | bool - disable_strategy | bool - low_complexity | bool - low_severity | bool @@ -31321,6 +32027,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83952-2 + - DISA-STIG-RHEL-09-213010 - NIST-800-171-3.1.5 - NIST-800-53-SI-11(a) - NIST-800-53-SI-11(b) @@ -31338,6 +32045,7 @@ replace: '#kernel.dmesg_restrict' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_213010 | bool - disable_strategy | bool - low_complexity | bool - low_severity | bool @@ -31347,6 +32055,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83952-2 + - DISA-STIG-RHEL-09-213010 - NIST-800-171-3.1.5 - NIST-800-53-SI-11(a) - NIST-800-53-SI-11(b) 
@@ -31365,6 +32074,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_213010 | bool - disable_strategy | bool - low_complexity | bool - low_severity | bool @@ -31374,6 +32084,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83952-2 + - DISA-STIG-RHEL-09-213010 - NIST-800-171-3.1.5 - NIST-800-53-SI-11(a) - NIST-800-53-SI-11(b) @@ -31691,6 +32402,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_213015 | bool - disable_strategy | bool - low_complexity | bool - low_severity | bool @@ -31700,6 +32412,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83959-7 + - DISA-STIG-RHEL-09-213015 - NIST-800-53-AC-6 - disable_strategy - low_complexity @@ -31715,6 +32428,7 @@ replace: '#kernel.perf_event_paranoid' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_213015 | bool - disable_strategy | bool - low_complexity | bool - low_severity | bool @@ -31724,6 +32438,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83959-7 + - DISA-STIG-RHEL-09-213015 - NIST-800-53-AC-6 - disable_strategy - low_complexity @@ -31740,6 +32455,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_213015 | bool - disable_strategy | bool - low_complexity | bool - low_severity | bool @@ -31749,6 +32465,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83959-7 + - DISA-STIG-RHEL-09-213015 - NIST-800-53-AC-6 - disable_strategy - low_complexity @@ -31916,6 +32633,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_213075 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -31925,6 +32643,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83957-1 + - DISA-STIG-RHEL-09-213075 - NIST-800-53-AC-6 - NIST-800-53-SC-7(10) - disable_strategy 
@@ -31941,6 +32660,7 @@ replace: '#kernel.unprivileged_bpf_disabled' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_213075 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -31950,6 +32670,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83957-1 + - DISA-STIG-RHEL-09-213075 - NIST-800-53-AC-6 - NIST-800-53-SC-7(10) - disable_strategy @@ -31967,6 +32688,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_213075 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -31976,6 +32698,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83957-1 + - DISA-STIG-RHEL-09-213075 - NIST-800-53-AC-6 - NIST-800-53-SC-7(10) - disable_strategy @@ -31996,6 +32719,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32005,6 +32729,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83965-4 + - DISA-STIG-RHEL-09-213080 - NIST-800-53-SC-7(10) - disable_strategy - low_complexity @@ -32020,6 +32745,7 @@ replace: '#kernel.yama.ptrace_scope' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32029,6 +32755,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83965-4 + - DISA-STIG-RHEL-09-213080 - NIST-800-53-SC-7(10) - disable_strategy - low_complexity @@ -32045,6 +32772,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_213080 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool 
@@ -32054,6 +32782,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83965-4 + - DISA-STIG-RHEL-09-213080 - NIST-800-53-SC-7(10) - disable_strategy - low_complexity @@ -32073,6 +32802,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_251045 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32082,6 +32812,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83966-2 + - DISA-STIG-RHEL-09-251045 - NIST-800-53-CM-6 - NIST-800-53-SC-7(10) - disable_strategy @@ -32098,6 +32829,7 @@ replace: '#net.core.bpf_jit_harden' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_251045 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32107,6 +32839,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83966-2 + - DISA-STIG-RHEL-09-251045 - NIST-800-53-CM-6 - NIST-800-53-SC-7(10) - disable_strategy @@ -32124,6 +32857,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_251045 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32133,6 +32867,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83966-2 + - DISA-STIG-RHEL-09-251045 - NIST-800-53-CM-6 - NIST-800-53-SC-7(10) - disable_strategy @@ -32238,9 +32973,7 @@ - CCE-83981-1 - NIST-800-53-SI-11(a) - NIST-800-53-SI-11(b) - - PCI-DSSv4-3.3.1.1 - - PCI-DSSv4-3.3.1.2 - - PCI-DSSv4-3.3.1.3 + - PCI-DSSv4-3.3.1 - disable_strategy - low_complexity - medium_disruption @@ -32266,9 +32999,7 @@ - CCE-83981-1 - NIST-800-53-SI-11(a) - NIST-800-53-SI-11(b) - - PCI-DSSv4-3.3.1.1 - - PCI-DSSv4-3.3.1.2 - - PCI-DSSv4-3.3.1.3 + - PCI-DSSv4-3.3.1 - disable_strategy - low_complexity - medium_disruption 
@@ -32295,9 +33026,7 @@ - CCE-83981-1 - NIST-800-53-SI-11(a) - NIST-800-53-SI-11(b) - - PCI-DSSv4-3.3.1.1 - - PCI-DSSv4-3.3.1.2 - - PCI-DSSv4-3.3.1.3 + - PCI-DSSv4-3.3.1 - disable_strategy - low_complexity - medium_disruption @@ -32316,6 +33045,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_213025 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32325,6 +33055,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83972-0 + - DISA-STIG-RHEL-09-213025 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) @@ -32343,6 +33074,7 @@ replace: '#kernel.kptr_restrict' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_213025 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32352,6 +33084,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83972-0 + - DISA-STIG-RHEL-09-213025 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) @@ -32371,6 +33104,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_213025 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32380,6 +33114,7 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83972-0 + - DISA-STIG-RHEL-09-213025 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) @@ -32402,6 +33137,7 @@ file_type: any register: find_sysctl_d when: + - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool 
@@ -32411,12 +33147,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83971-2 + - DISA-STIG-RHEL-09-213070 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) - PCI-DSS-Req-2.2.1 - - PCI-DSSv4-2.2.3 + - PCI-DSSv4-3.3.1 - disable_strategy - low_complexity - medium_disruption @@ -32431,6 +33168,7 @@ replace: '#kernel.randomize_va_space' loop: '{{ find_sysctl_d.files }}' when: + - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32440,12 +33178,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83971-2 + - DISA-STIG-RHEL-09-213070 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) - PCI-DSS-Req-2.2.1 - - PCI-DSSv4-2.2.3 + - PCI-DSSv4-3.3.1 - disable_strategy - low_complexity - medium_disruption @@ -32461,6 +33200,7 @@ state: present reload: true when: + - DISA_STIG_RHEL_09_213070 | bool - disable_strategy | bool - low_complexity | bool - medium_disruption | bool @@ -32470,12 +33210,13 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83971-2 + - DISA-STIG-RHEL-09-213070 - NIST-800-171-3.1.7 - NIST-800-53-CM-6(a) - NIST-800-53-SC-30 - NIST-800-53-SC-30(2) - PCI-DSS-Req-2.2.1 - - PCI-DSSv4-2.2.3 + - PCI-DSSv4-3.3.1 - disable_strategy - low_complexity - medium_disruption @@ -32488,6 +33229,7 @@ manager: auto tags: - CCE-83985-2 + - DISA-STIG-RHEL-09-212040 - NIST-800-53-CM-6(a) - grub2_page_poison_argument - low_disruption @@ -32496,6 +33238,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_212040 | bool - grub2_page_poison_argument | bool - low_disruption | bool - medium_complexity | bool 
@@ -32506,6 +33249,7 @@ - name: Update grub defaults and the bootloader menu command: /sbin/grubby --update-kernel=ALL --args="page_poison=1" when: + - DISA_STIG_RHEL_09_212040 | bool - grub2_page_poison_argument | bool - low_disruption | bool - medium_complexity | bool @@ -32516,6 +33260,7 @@ - '"grub2-common" in ansible_facts.packages' tags: - CCE-83985-2 + - DISA-STIG-RHEL-09-212040 - NIST-800-53-CM-6(a) - grub2_page_poison_argument - low_disruption @@ -32529,6 +33274,7 @@ manager: auto tags: - CCE-83986-0 + - DISA-STIG-RHEL-09-212045 - NIST-800-53-CM-6(a) - grub2_slub_debug_argument - low_disruption @@ -32537,6 +33283,7 @@ - reboot_required - restrict_strategy when: + - DISA_STIG_RHEL_09_212045 | bool - grub2_slub_debug_argument | bool - low_disruption | bool - medium_complexity | bool @@ -32547,6 +33294,7 @@ - name: Update grub defaults and the bootloader menu command: /sbin/grubby --update-kernel=ALL --args="slub_debug={{ var_slub_debug_options }}" when: + - DISA_STIG_RHEL_09_212045 | bool - grub2_slub_debug_argument | bool - low_disruption | bool - medium_complexity | bool @@ -32557,6 +33305,7 @@ - '"grub2-common" in ansible_facts.packages' tags: - CCE-83986-0 + - DISA-STIG-RHEL-09-212045 - NIST-800-53-CM-6(a) - grub2_slub_debug_argument - low_disruption @@ -32654,6 +33403,7 @@ line: SELINUXTYPE={{ var_selinux_policy_name }} state: present when: + - DISA_STIG_RHEL_09_431015 | bool - low_complexity | bool - low_disruption | bool - medium_severity | bool @@ -32663,12 +33413,14 @@ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-84074-4 + - DISA-STIG-RHEL-09-431015 - NIST-800-171-3.1.2 - NIST-800-171-3.7.2 - NIST-800-53-AC-3 - NIST-800-53-AC-3(3)(a) - NIST-800-53-AU-9 - NIST-800-53-SC-7(21) + - PCI-DSSv4-1.2.6 - low_complexity - low_disruption - medium_severity 
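Review bot: The `slub_debug` task passes `{{ var_slub_debug_options }}` through the free-form `command:` string, so a value containing a double quote changes how grubby's arguments are split. Passing the arguments as a list avoids re-parsing the value: `argv: ['/sbin/grubby', '--update-kernel=ALL', '--args=slub_debug={{ var_slub_debug_options }}']`. Neither grubby task visible here sets `changed_when`, so both report a change on every run, which deserves a comment if intended. The tasks' remaining conditions lie outside the hunks.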
@@ -32702,6 +33454,7 @@
 line: SELINUX={{ var_selinux_state }}
 state: present
 when:
+ - DISA_STIG_RHEL_09_431010 | bool
 - high_severity | bool
 - low_complexity | bool
 - low_disruption | bool
@@ -32711,6 +33464,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-84079-3
+ - DISA-STIG-RHEL-09-431010
 - NIST-800-171-3.1.2
 - NIST-800-171-3.7.2
 - NIST-800-53-AC-3
@@ -32933,6 +33687,7 @@
 name: sendmail
 state: absent
 when:
+ - DISA_STIG_RHEL_09_215020 | bool
 - disable_strategy | bool
 - low_complexity | bool
 - low_disruption | bool
@@ -32942,6 +33697,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-90830-1
+ - DISA-STIG-RHEL-09-215020
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
@@ -32960,6 +33716,7 @@
 create: true
 state: present
 when:
+ - DISA_STIG_RHEL_09_653125 | bool
 - configure_strategy | bool
 - low_complexity | bool
 - low_disruption | bool
@@ -32969,6 +33726,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-90826-9
+ - DISA-STIG-RHEL-09-653125
 - NIST-800-53-CM-6(a)
 - configure_strategy
 - low_complexity
@@ -32982,6 +33740,7 @@
 path: /usr/bin/newaliases
 register: result_newaliases_present
 when:
+ - DISA_STIG_RHEL_09_653125 | bool
 - configure_strategy | bool
 - low_complexity | bool
 - low_disruption | bool
@@ -32991,6 +33750,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-90826-9
+ - DISA-STIG-RHEL-09-653125
 - NIST-800-53-CM-6(a)
 - configure_strategy
 - low_complexity
@@ -33003,6 +33763,7 @@
 ansible.builtin.command:
 cmd: newaliases
 when:
+ - DISA_STIG_RHEL_09_653125 | bool
 - configure_strategy | bool
 - low_complexity | bool
 - low_disruption | bool
@@ -33013,6 +33774,7 @@
 - result_newaliases_present.stat.exists
 tags:
 - CCE-90826-9
+ - DISA-STIG-RHEL-09-653125
 - NIST-800-53-CM-6(a)
 - configure_strategy
 - low_complexity
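Review bot: The `when:` list on the task that writes `SELINUX={{ var_selinux_state }}` is ANDed, so the added `DISA_STIG_RHEL_09_431010 | bool` lets a STIG-named toggle switch off a `high_severity` control that the same task also tags for NIST-800-171 and NIST-800-53. An operator who sets STIG toggles to false while targeting another baseline would lose SELinux state enforcement with nothing but a skipped task in the output; the `SELINUXTYPE` task gated by `DISA_STIG_RHEL_09_431015` earlier in this patch behaves the same way. I would document this at the gate, e.g. `# ANDed with the conditions below: false skips this task for every profile, not only STIG`. The task starts before the hunk.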
@@ -33038,7 +33800,7 @@
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
- - PCI-DSSv4-2.2.4
+ - PCI-DSSv4-1.4.2
 - low_complexity
 - low_disruption
 - medium_severity
@@ -33069,7 +33831,7 @@
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
- - PCI-DSSv4-2.2.4
+ - PCI-DSSv4-1.4.2
 - low_complexity
 - low_disruption
 - medium_severity
@@ -33082,6 +33844,7 @@
 name: chrony
 state: present
 when:
+ - DISA_STIG_RHEL_09_252010 | bool
 - enable_strategy | bool
 - low_complexity | bool
 - low_disruption | bool
@@ -33091,6 +33854,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-84215-3
+ - DISA-STIG-RHEL-09-252010
 - PCI-DSS-Req-10.4
 - PCI-DSSv4-10.6.1
 - enable_strategy
@@ -33233,6 +33997,7 @@
 state: absent
 tags:
 - CCE-84152-8
+ - DISA-STIG-RHEL-09-215030
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
@@ -33246,6 +34011,7 @@
 - no_reboot_needed
 - package_ypserv_removed
 when:
+ - DISA_STIG_RHEL_09_215030 | bool
 - disable_strategy | bool
 - high_severity | bool
 - low_complexity | bool
@@ -33259,10 +34025,12 @@
 state: absent
 tags:
 - CCE-84143-7
+ - DISA-STIG-RHEL-09-215035
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-IA-5(1)(c)
+ - PCI-DSSv4-2.2.4
 - disable_strategy
 - high_severity
 - low_complexity
@@ -33270,6 +34038,7 @@
 - no_reboot_needed
 - package_rsh-server_removed
 when:
+ - DISA_STIG_RHEL_09_215035 | bool
 - disable_strategy | bool
 - high_severity | bool
 - low_complexity | bool
@@ -33305,6 +34074,7 @@
 state: absent
 tags:
 - CCE-84158-5
+ - PCI-DSSv4-2.2.4
 - disable_strategy
 - low_complexity
 - low_disruption
@@ -33346,6 +34116,7 @@
 state: absent
 tags:
 - CCE-84149-4
+ - DISA-STIG-RHEL-09-215040
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
@@ -33358,6 +34129,7 @@
 - no_reboot_needed
 - package_telnet-server_removed
 when:
+ - DISA_STIG_RHEL_09_215040 | bool
 - disable_strategy | bool
 - high_severity | bool
 - low_complexity | bool
@@ -33393,9 +34165,11 @@
 state: absent
 tags:
 - CCE-84154-4
+ - DISA-STIG-RHEL-09-215060
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
+ - PCI-DSSv4-2.2.4
 - disable_strategy
 - high_severity
 - low_complexity
@@ -33403,6 +34177,7 @@
 - no_reboot_needed
 - package_tftp-server_removed
 when:
+ - DISA_STIG_RHEL_09_215060 | bool
 - disable_strategy | bool
 - high_severity | bool
 - low_complexity | bool
@@ -33416,6 +34191,7 @@
 state: absent
 tags:
 - CCE-84153-6
+ - PCI-DSSv4-2.2.4
 - disable_strategy
 - low_complexity
 - low_disruption
@@ -33437,6 +34213,7 @@
 failed_when: false
 check_mode: false
 when:
+ - DISA_STIG_RHEL_09_255120 | bool
 - configure_strategy | bool
 - file_permissions_sshd_private_key | bool
 - low_complexity | bool
@@ -33446,6 +34223,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-90820-2
+ - DISA-STIG-RHEL-09-255120
 - NIST-800-171-3.1.13
 - NIST-800-171-3.13.10
 - NIST-800-53-AC-17(a)
@@ -33468,6 +34246,7 @@
 with_items:
 - '{{ root_owned_keys.stdout_lines }}'
 when:
+ - DISA_STIG_RHEL_09_255120 | bool
 - configure_strategy | bool
 - file_permissions_sshd_private_key | bool
 - low_complexity | bool
@@ -33477,6 +34256,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-90820-2
+ - DISA-STIG-RHEL-09-255120
 - NIST-800-171-3.1.13
 - NIST-800-171-3.13.10
 - NIST-800-53-AC-17(a)
@@ -33498,6 +34278,7 @@
 failed_when: false
 check_mode: false
 when:
+ - DISA_STIG_RHEL_09_255120 | bool
 - configure_strategy | bool
 - file_permissions_sshd_private_key | bool
 - low_complexity | bool
@@ -33507,6 +34288,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-90820-2
+ - DISA-STIG-RHEL-09-255120
 - NIST-800-171-3.1.13
 - NIST-800-171-3.13.10
 - NIST-800-53-AC-17(a)
@@ -33529,6 +34311,7 @@
 with_items:
 - '{{ dedicated_group_owned_keys.stdout_lines }}'
 when:
+ - DISA_STIG_RHEL_09_255120 | bool
 - configure_strategy | bool
 - file_permissions_sshd_private_key | bool
 - low_complexity | bool
@@ -33538,6 +34321,7 @@
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-90820-2
+ - DISA-STIG-RHEL-09-255120
 - NIST-800-171-3.1.13
 - NIST-800-171-3.13.10
 - NIST-800-53-AC-17(a)
@@ -33580,6 +34364,7 @@
 insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
+ - DISA_STIG_RHEL_09_255095 | bool
 - low_complexity | bool
 - low_disruption | bool
 - medium_severity | bool
@@ -33590,6 +34375,7 @@
 tags:
 - CCE-90805-3
 - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255095
 - NIST-800-171-3.1.11
 - NIST-800-53-AC-12
 - NIST-800-53-AC-17(a)
@@ -33633,6 +34419,7 @@
 insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
+ - DISA_STIG_RHEL_09_255100 | bool
 - low_complexity | bool
 - low_disruption | bool
 - medium_severity | bool
@@ -33644,6 +34431,7 @@
 tags:
 - CCE-90811-1
 - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255100
 - NIST-800-171-3.1.11
 - NIST-800-53-AC-12
 - NIST-800-53-AC-17(a)
@@ -33699,6 +34487,7 @@
 insertbefore: BOF
 validate: /usr/sbin/sshd -t -f %s
 when:
+ - DISA_STIG_RHEL_09_255045 | bool
 - low_complexity | bool
 - low_disruption | bool
 - medium_severity | bool
@@ -33709,6 +34498,7 @@
 tags:
 - CCE-90800-4
 - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255045
 - NIST-800-171-3.1.1
 - NIST-800-171-3.1.5
 - NIST-800-53-AC-17(a)