From bd5d922e6590c542a8183574b03297512050a172 Mon Sep 17 00:00:00 2001 From: ComplianceAsCode development team Date: Thu, 22 Feb 2024 18:59:53 -0500 Subject: [PATCH] Updated tasks/main.yml --- tasks/main.yml | 83 ++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 63 insertions(+), 20 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index c17c70c..66cd567 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -444,7 +444,7 @@ lineinfile: dest: /etc/sysconfig/sshd state: absent - regexp: ^(?i)\s*CRYPTO_POLICY.*$ + regexp: (?i)^\s*CRYPTO_POLICY.*$ tags: - CCE-83445-7 - DISA-STIG-RHEL-09-255055 @@ -649,7 +649,7 @@ - low_complexity | bool - medium_disruption | bool - no_reboot_needed | bool - - '"yum" in ansible_facts.packages' + - '"dnf" in ansible_facts.packages' tags: - CCE-83457-2 - CJIS-5.10.4.1 @@ -728,7 +728,7 @@ - medium_disruption | bool - no_reboot_needed | bool - unknown_strategy | bool - - '"yum" in ansible_facts.packages' + - '"dnf" in ansible_facts.packages' tags: - CCE-83463-0 - DISA-STIG-RHEL-09-214020 @@ -793,7 +793,17 @@ option: gpgcheck value: '1' no_extra_spaces: true - loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}' + loop: '{{ repo_grep_results.stdout |regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) if repo_grep_results is not skipped else + []}}' + when: + - DISA_STIG_RHEL_09_214025 | bool + - enable_strategy | bool + - ensure_gpgcheck_never_disabled | bool + - high_severity | bool + - low_complexity | bool + - medium_disruption | bool + - no_reboot_needed | bool + - repo_grep_results is not skipped tags: - CCE-83464-8 - CJIS-5.10.4.1 @@ -816,14 +826,6 @@ - low_complexity - medium_disruption - no_reboot_needed - when: - - DISA_STIG_RHEL_09_214025 | bool - - enable_strategy | bool - - ensure_gpgcheck_never_disabled | bool - - high_severity | bool - - low_complexity | bool - - medium_disruption | bool - - no_reboot_needed | bool - name: Read permission of GPG key directory stat: 
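Review bot: The inline guard in the `loop` expression and the new `- repo_grep_results is not skipped` item in `when` cover the same case twice, and only the inline one is load-bearing: Ansible expands `loop` before it evaluates `when`, so a skipped `repo_grep_results` would have made `.stdout` fail inside the template regardless of the `when` list; either drop the redundant `when` item or add a comment above it saying the two are deliberately paired. The filter is also written `|regex_findall(` while every other filter in the file uses a space after the pipe (`| bool`); write `| regex_findall(` for consistency. The task's header and the rest of its `ini_file` arguments sit above the hunk.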
@@ -923,7 +925,9 @@ - name: Set Fact - Valid fingerprints set_fact: - gpg_valid_fingerprints: ("567E347AD0044ADE55BA8A5F199E2F91FD431D51" "7E4624258C406535D56D6F135054E4A45A6340B3") + gpg_valid_fingerprints: + - 567E347AD0044ADE55BA8A5F199E2F91FD431D51 + - 7E4624258C406535D56D6F135054E4A45A6340B3 tags: - CCE-84180-9 - CJIS-5.10.4.1 @@ -3525,7 +3529,7 @@ ansible.builtin.find: paths: /etc patterns: bashrc - contains: .*case "$name" in sshd|login) exec tmux ;; esac.* + contains: .*case "$name" in sshd|login\) tmux ;; esac.* register: tmux_in_bashrc when: - DISA_STIG_RHEL_09_412015 | bool @@ -3551,7 +3555,7 @@ ansible.builtin.find: paths: /etc/profile.d patterns: '*.sh' - contains: .*case "$name" in sshd|login) exec tmux ;; esac.* + contains: .*case "$name" in sshd|login\) tmux ;; esac.* register: tmux_in_profile_d when: - DISA_STIG_RHEL_09_412015 | bool @@ -3577,7 +3581,7 @@ ansible.builtin.blockinfile: path: /etc/profile.d/tmux.sh block: "if [ \"$PS1\" ]; then\n parent=$(ps -o ppid= -p $$)\n name=$(ps -o comm= -p $parent)\n case \"$name\" in sshd|login)\ - \ exec tmux ;; esac\nfi\n" + \ tmux ;; esac\nfi\n" create: true when: - DISA_STIG_RHEL_09_412015 | bool @@ -6182,9 +6186,20 @@ -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + -a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + ## Privilege escalation via su or sudo. This is entirely handled by pam. + ## Special case for systemd-run. It is not audit aware, specifically watch it + + -a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation + + ## Special case for pkexec. It is not audit aware, specifically watch it + + -a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation + + ## Watch for configuration changes to privilege escalation. 
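Review bot: The two fingerprints are plain scalars, and a fingerprint that happens to be all digits would be read as an integer, so quote them to keep the list string-typed regardless of value: `- "567E347AD0044ADE55BA8A5F199E2F91FD431D51"` and `- "7E4624258C406535D56D6F135054E4A45A6340B3"`. The variable also changes type here, from a string holding a shell-array literal to a YAML list; any later task that still splices `{{ gpg_valid_fingerprints }}` into a shell command as an array would now receive a list repr instead, so the consumer, which is outside this hunk, should be checked to iterate the list or join it explicitly. The `set_fact` task's name line is inside the hunk; its consumer is not.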
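Review bot: In the new `contains` pattern only `)` is escaped, yet the value is a regular expression (hence the leading `.*`): the unescaped `|` splits it into two alternatives and the `$` in `"$name"` is an end-of-line anchor, so `.*case "$name" in sshd` can never match a line and the check stands or falls on whatever `login\) tmux ;; esac.*` happens to match; the same pattern is in the -3551 hunk. Escaping the other metacharacters, `contains: .*case "\$name" in sshd\|login\) tmux ;; esac.*`, restores a check for the whole intended line, which matters because `tmux_in_bashrc`/`tmux_in_profile_d` presumably decide whether the `blockinfile` in -3577 is applied. Dropping `exec` in all three hunks also changes behaviour: when the user exits or detaches from tmux they now land back in the underlying login shell instead of the session ending; if this intentionally follows the current STIG fix text, a comment on the `block:` saying so would save the next reader re-deriving it. Each task's `when` list continues below its hunk.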
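Review bot: The same block of rules and comments is pasted into three block scalars (this hunk, -6382 and -6576), so any later correction to one copy has to be repeated by hand in the other two; if the three are the same rule set aimed at different rule files, rendering them from one variable would stop them drifting. Within the copy, the `pkexec` rule carries no `-F auid!=unset` while the neighbouring `systemd-run` rule does, so it will also record executions by system accounts and daemons; that appears to mirror the upstream audit sample rules, but a comment such as `## pkexec intentionally unfiltered by auid: record all invocations, including non-login callers` above it would stop someone "fixing" the inconsistency. The enclosing block scalar begins and ends outside the hunk.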
@@ -6382,9 +6397,20 @@ -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + -a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + ## Privilege escalation via su or sudo. This is entirely handled by pam. + ## Special case for systemd-run. It is not audit aware, specifically watch it + + -a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation + + ## Special case for pkexec. It is not audit aware, specifically watch it + + -a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation + + ## Watch for configuration changes to privilege escalation. @@ -6576,9 +6602,20 @@ -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + -a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes + ## Privilege escalation via su or sudo. This is entirely handled by pam. + ## Special case for systemd-run. It is not audit aware, specifically watch it + + -a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation + + ## Special case for pkexec. It is not audit aware, specifically watch it + + -a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation + + ## Watch for configuration changes to privilege escalation. @@ -7923,7 +7960,7 @@ create: true dest: /etc/modprobe.d/can.conf regexp: install\s+can - line: install can /bin/true + line: install can /bin/false when: - DISA_STIG_RHEL_09_213050 | bool - disable_strategy | bool @@ -7975,7 +8012,7 @@ create: true dest: /etc/modprobe.d/sctp.conf regexp: install\s+sctp - line: install sctp /bin/true + line: install sctp /bin/false when: - DISA_STIG_RHEL_09_213060 | bool - disable_strategy | bool 
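Review bot: `regexp: install\s+can` is unanchored and has no word boundary, so `lineinfile` would also pick a commented `#install can /bin/true`, or a directive for a module whose name merely starts with `can` (for example an `install can_raw ...` line in the same file), as the line to replace and silently overwrite it; `regexp: ^\s*install\s+can\b` pins it to the directive itself. The same applies to the `sctp`, `tipc` and `bluetooth` files in -7975, -8039 and -8095. Switching the stub from `/bin/true` to `/bin/false` is the right direction, since a modprobe attempt now fails visibly instead of appearing to succeed without a module, but an `install` directive on its own only covers modprobe's path; whether a matching `blacklist can` line is also managed is outside this hunk and worth confirming. Each task's `when` list continues below the hunk.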
@@ -8039,7 +8076,7 @@ create: true dest: /etc/modprobe.d/tipc.conf regexp: install\s+tipc - line: install tipc /bin/true + line: install tipc /bin/false when: - DISA_STIG_RHEL_09_213065 | bool - disable_strategy | bool @@ -8095,7 +8132,7 @@ create: true dest: /etc/modprobe.d/bluetooth.conf regexp: install\s+bluetooth - line: install bluetooth /bin/true + line: install bluetooth /bin/false when: - DISA_STIG_RHEL_09_291035 | bool - disable_strategy | bool @@ -8244,6 +8281,7 @@ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list ) - ("--fstab" | length == 0) + - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83882-1 @@ -8308,6 +8346,7 @@ - no_reboot_needed | bool - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list ) + - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83882-1 @@ -8413,6 +8452,7 @@ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list ) - ("--fstab" | length == 0) + - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83878-9 @@ -8477,6 +8517,7 @@ - no_reboot_needed | bool - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list ) + - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83878-9 
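Review bot: The rendered item `- ("--fstab" | length == 0)` directly above the new guard is a constant: the literal has length 7, so the comparison is always false, the task in this hunk (and in -8413 and -8582) never runs, and the added `device_name.stdout is defined and device_name.stdout_lines is defined` line is unreachable there; the task's header and module arguments sit above the hunk. In the sibling hunks -8308, -8477 and -8646 the same literal is the right operand of an `or`, so that condition collapses to `device_name.stdout is defined and (device_name.stdout | length > 0)`; if `"--fstab"` comes from a template parameter that can render empty, a comment in the rendered output should say so, and if it cannot, the dead items are better removed than extended. The new `- mount_info is defined` item in those hunks guards a name none of the visible conditions use, so it presumably protects the task body below the hunk; a comment naming the task that registers `mount_info` would make that dependency explicit. Ansible evaluates `when` items in order and stops at the first false one, which is why the `is defined` guard must stay above the `| length` test exactly as the commit places it.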
@@ -8582,6 +8623,7 @@ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list ) - ("--fstab" | length == 0) + - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length == 0) tags: - CCE-83893-8 @@ -8646,6 +8688,7 @@ - no_reboot_needed | bool - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] and "/var/log/audit" in ansible_mounts | map(attribute="mount") | list ) + - mount_info is defined - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0) tags: - CCE-83893-8