Updated tasks/main.yml
ComplianceAsCode development team authored and dmc5179 committed Feb 22, 2024
1 parent 834a248 commit 5afdf7d
Showing 1 changed file with 63 additions and 20 deletions.
83 changes: 63 additions & 20 deletions tasks/main.yml
Expand Up @@ -444,7 +444,7 @@
lineinfile:
dest: /etc/sysconfig/sshd
state: absent
regexp: ^(?i)\s*CRYPTO_POLICY.*$
regexp: (?i)^\s*CRYPTO_POLICY.*$
tags:
- CCE-83445-7
- DISA-STIG-RHEL-09-255055
Expand Down Expand Up @@ -649,7 +649,7 @@
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- '"yum" in ansible_facts.packages'
- '"dnf" in ansible_facts.packages'
tags:
- CCE-83457-2
- CJIS-5.10.4.1
Expand Down Expand Up @@ -728,7 +728,7 @@
- medium_disruption | bool
- no_reboot_needed | bool
- unknown_strategy | bool
- '"yum" in ansible_facts.packages'
- '"dnf" in ansible_facts.packages'
tags:
- CCE-83463-0
- DISA-STIG-RHEL-09-214020
Expand Down Expand Up @@ -793,7 +793,17 @@
option: gpgcheck
value: '1'
no_extra_spaces: true
loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}'
loop: '{{ repo_grep_results.stdout |regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) if repo_grep_results is not skipped else
[]}}'
when:
- DISA_STIG_RHEL_09_214025 | bool
- enable_strategy | bool
- ensure_gpgcheck_never_disabled | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool
- repo_grep_results is not skipped
tags:
- CCE-83464-8
- CJIS-5.10.4.1
Expand All @@ -816,14 +826,6 @@
- low_complexity
- medium_disruption
- no_reboot_needed
when:
- DISA_STIG_RHEL_09_214025 | bool
- enable_strategy | bool
- ensure_gpgcheck_never_disabled | bool
- high_severity | bool
- low_complexity | bool
- medium_disruption | bool
- no_reboot_needed | bool

- name: Read permission of GPG key directory
stat:
Expand Down Expand Up @@ -923,7 +925,9 @@

- name: Set Fact - Valid fingerprints
set_fact:
gpg_valid_fingerprints: ("567E347AD0044ADE55BA8A5F199E2F91FD431D51" "7E4624258C406535D56D6F135054E4A45A6340B3")
gpg_valid_fingerprints:
- 567E347AD0044ADE55BA8A5F199E2F91FD431D51
- 7E4624258C406535D56D6F135054E4A45A6340B3
tags:
- CCE-84180-9
- CJIS-5.10.4.1
Expand Down Expand Up @@ -3525,7 +3529,7 @@
ansible.builtin.find:
paths: /etc
patterns: bashrc
contains: .*case "$name" in sshd|login) exec tmux ;; esac.*
contains: .*case "$name" in sshd|login\) tmux ;; esac.*
register: tmux_in_bashrc
when:
- DISA_STIG_RHEL_09_412015 | bool
Expand All @@ -3551,7 +3555,7 @@
ansible.builtin.find:
paths: /etc/profile.d
patterns: '*.sh'
contains: .*case "$name" in sshd|login) exec tmux ;; esac.*
contains: .*case "$name" in sshd|login\) tmux ;; esac.*
register: tmux_in_profile_d
when:
- DISA_STIG_RHEL_09_412015 | bool
Expand All @@ -3577,7 +3581,7 @@
ansible.builtin.blockinfile:
path: /etc/profile.d/tmux.sh
block: "if [ \"$PS1\" ]; then\n parent=$(ps -o ppid= -p $$)\n name=$(ps -o comm= -p $parent)\n case \"$name\" in sshd|login)\
\ exec tmux ;; esac\nfi\n"
\ tmux ;; esac\nfi\n"
create: true
when:
- DISA_STIG_RHEL_09_412015 | bool
Expand Down Expand Up @@ -6182,9 +6186,20 @@
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
## Watch for configuration changes to privilege escalation.
Expand Down Expand Up @@ -6382,9 +6397,20 @@
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
## Watch for configuration changes to privilege escalation.
Expand Down Expand Up @@ -6576,9 +6602,20 @@
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
## Watch for configuration changes to privilege escalation.
Expand Down Expand Up @@ -7923,7 +7960,7 @@
create: true
dest: /etc/modprobe.d/can.conf
regexp: install\s+can
line: install can /bin/true
line: install can /bin/false
when:
- DISA_STIG_RHEL_09_213050 | bool
- disable_strategy | bool
Expand Down Expand Up @@ -7975,7 +8012,7 @@
create: true
dest: /etc/modprobe.d/sctp.conf
regexp: install\s+sctp
line: install sctp /bin/true
line: install sctp /bin/false
when:
- DISA_STIG_RHEL_09_213060 | bool
- disable_strategy | bool
Expand Down Expand Up @@ -8039,7 +8076,7 @@
create: true
dest: /etc/modprobe.d/tipc.conf
regexp: install\s+tipc
line: install tipc /bin/true
line: install tipc /bin/false
when:
- DISA_STIG_RHEL_09_213065 | bool
- disable_strategy | bool
Expand Down Expand Up @@ -8095,7 +8132,7 @@
create: true
dest: /etc/modprobe.d/bluetooth.conf
regexp: install\s+bluetooth
line: install bluetooth /bin/true
line: install bluetooth /bin/false
when:
- DISA_STIG_RHEL_09_291035 | bool
- disable_strategy | bool
Expand Down Expand Up @@ -8244,6 +8281,7 @@
- ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts
| map(attribute="mount") | list )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83882-1
Expand Down Expand Up @@ -8308,6 +8346,7 @@
- no_reboot_needed | bool
- ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts
| map(attribute="mount") | list )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83882-1
Expand Down Expand Up @@ -8413,6 +8452,7 @@
- ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts
| map(attribute="mount") | list )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83878-9
Expand Down Expand Up @@ -8477,6 +8517,7 @@
- no_reboot_needed | bool
- ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts
| map(attribute="mount") | list )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83878-9
Expand Down Expand Up @@ -8582,6 +8623,7 @@
- ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts
| map(attribute="mount") | list )
- ("--fstab" | length == 0)
- device_name.stdout is defined and device_name.stdout_lines is defined
- (device_name.stdout | length == 0)
tags:
- CCE-83893-8
Expand Down Expand Up @@ -8646,6 +8688,7 @@
- no_reboot_needed | bool
- ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts
| map(attribute="mount") | list )
- mount_info is defined
- (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
tags:
- CCE-83893-8
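Review bot: The `contains` value on the new `ansible.builtin.find` lines for /etc/bashrc and /etc/profile.d (`.*case "$name" in sshd|login\) tmux ;; esac.*`) is a regular expression, and only the `)` was escaped: the unescaped `$` inside `"$name"` is an end-of-line anchor, so the left side of the unescaped `|` alternation can never match, while the right side `login\) tmux ;; esac.*` would have to match from the very start of the line, which the indented `case` line it is meant to detect does not. Given the module's line-by-line matching (the reason these patterns start with `.*`), it looks like neither `tmux_in_bashrc` nor `tmux_in_profile_d` can ever report a match, so an already-configured tmux hook would go unrecognised and any task conditioned on these results would behave as if none exists. Escaping the remaining metacharacters makes the pattern match the literal line in both find tasks: `contains: .*case "\$name" in sshd\|login\) tmux ;; esac.*`. The `when` clauses that consume the two registered results lie outside these hunks.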
