From 6c7609c923920d0ced7898fd35a5dd569e49057e Mon Sep 17 00:00:00 2001 From: David Morse Date: Fri, 19 May 2017 18:40:18 -0600 Subject: [PATCH] Cleanup for Cent7.3 and Ansible 2.3 --- README.md | 4 +- handlers/main.yml | 4 +- tasks/cat1.yml | 459 +++--- tasks/cat2.yml | 2967 +++++++++++++++++++-------------------- tasks/cat3.yml | 1316 +++++++++-------- tasks/not_automated.yml | 32 +- tasks/post.yml | 4 +- tasks/prelim.yml | 141 +- 8 files changed, 2458 insertions(+), 2469 deletions(-) diff --git a/README.md b/README.md index 54addfa..6c71e22 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,6 @@ Dependencies Ansible > 1.8 - Example Playbook ------------------------- @@ -90,4 +89,5 @@ Some examples of using tags: License ------- -MIT \ No newline at end of file +MIT + diff --git a/handlers/main.yml b/handlers/main.yml index 7818252..12d768a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -15,7 +15,9 @@ service: name=xinetd state=reloaded - name: restart auditd - service: name=auditd state=restarted + service: + name: auditd + state: started - name: unload usb-storage modprobe: name=usb-storage state=absent diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 4a4c545..1fd72da 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml 
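Review bot: The `restart auditd` handler now only ensures `state: started`, so when the cat2 tasks change auditd.conf (disk_error_action, disk_full_action, space_left_action) a running auditd keeps its old configuration until the next reboot, while the handler name still promises a restart. The commit message does not say why the restart was dropped; if it is a workaround for systemd refusing `systemctl restart auditd` on EL7 (the unit ships with RefuseManualStop), the usual fix is the SysV wrapper, e.g. `command: service auditd restart` with `args: warn: false`. At minimum a comment above the handler should state that the config is not reloaded and why, so nobody relies on it as a restart.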
@@ -4,194 +4,198 @@ command: grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc ~root/.rpmrc register: rpm_sig_audit failed_when: rpm_sig_audit.stdout_lines|length > 0 - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: - - cat1 - - high - - V-38462 - - rpm - - audit - - packages + - cat1 + - high + - V-38462 + - rpm + - audit + - packages - name: "HIGH | V-38462 | PATCH | The RPM package management tool must cryptographically verify the authenticity of all software packages during installation" lineinfile: - state: absent - dest: "{{ item }}" - regexp: nosignature + state: absent + dest: "{{ item }}" + regexp: nosignature ignore_errors: yes with_items: - - /etc/rpmrc - - /usr/lib/rpm/rpmrc - - /usr/lib/rpm/redhat/rpmrc - - ~root/.rpmrc + - /etc/rpmrc + - /usr/lib/rpm/rpmrc + - /usr/lib/rpm/redhat/rpmrc + - ~root/.rpmrc tags: - - cat1 - - V-38462 - - rpm - - packages - - patch + - cat1 + - V-38462 + - rpm + - packages + - patch - name: "HIGH | V-38476 | AUDIT | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software" command: rpm -q gpg-pubkey register: rpm_key_audit - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: - - cat1 - - high - - V-38476 - - rpm - - audit + - cat1 + - high + - V-38476 + - gpgcheck + - rpm + - audit - name: "HIGH | V-38476 | PATCH | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software" rpm_key: - state: present - key: "{{ gpg_key_url }}" + state: present + key: "{{ gpg_key_url }}" tags: - - cat1 - - high - - V-38476 - - rpm - - patch + - cat1 + - high + - V-38476 + - gpgcheck + - rpm + - patch - name: "HIGH | V-38491 | AUDIT | There must be no hosts.equiv on the system" stat: - path: /etc/hosts.equiv + path: /etc/hosts.equiv register: hosts_equiv_audit - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat1 - - high - - V-38491 - - hosts_equiv - - audit + - 
cat1 + - high + - V-38491 + - hosts_equiv + - audit - name: "HIGH | V-38491 | PATCH | There must be no hosts.equiv on the system" file: - state: absent - dest: /etc/hosts.equiv + state: absent + dest: /etc/hosts.equiv tags: - - cat1 - - high - - V-38491 - - hosts_equiv - - patch + - cat1 + - high + - V-38491 + - hosts_equiv + - patch - name: "HIGH | V-38491 | AUDIT | There must be no .rhosts files on the system" stat: - path: ~{{ item }}/.rhosts + path: ~{{ item }}/.rhosts register: rhosts_audit - always_run: yes - with_items: "{{ users.stdout_lines }}" + check_mode: no + with_items: users.stdout_lines ignore_errors: True failed_when: "rhosts_audit.stat.exists is defined and rhosts_audit.stat.exists == True" tags: - - cat1 - - high - - V-38491 - - hosts_equiv - - audit + - cat1 + - high + - V-38491 + - hosts_equiv + - audit - name: "HIGH | V-38491 | PATCH | There must be no .rhosts files on the system" file: state: absent dest: ~{{ item }}/.rhosts - with_items: "{{ users.stdout_lines }}" + with_items: users.stdout_lines tags: - - cat1 - - high - - V-38491 - - rhosts - - patch + - cat1 + - high + - V-38491 + - rhosts + - patch - name: "HIGH | V-38497 | AUDIT | The system must not have accounts configured with blank or null passwords" command: grep nullok /etc/pam.d/system-auth changed_when: false - always_run: yes + check_mode: no ignore_errors: yes register: nullok_audit failed_when: nullok_audit.stdout_lines|length > 0 tags: - - cat1 - - high - - V-38497 - - passwords - - audit + - cat1 + - high + - V-38497 + - passwords + - audit - name: "HIGH | V-38497 | PATCH | The system must not have accounts configured with blank or null passwords" replace: - dest: /etc/pam.d/system-auth - regexp: nullok + dest: /etc/pam.d/system-auth + regexp: 'nullok ?' 
tags: - - cat1 - - high - - V-38497 - - passwords - - patch + - cat1 + - high + - V-38497 + - passwords + - patch - name: "HIGH | V-38587 | AUDIT | The telnet-server package must not be installed" command: rpm -q telnet-server ignore_errors: yes - always_run: yes + check_mode: no changed_when: no register: telnet_server_audit failed_when: "'is not installed' not in telnet_server_audit.stdout" tags: - - cat1 - - high - - V-38587 - - telnet - - unsecure_services - - audit + - cat1 + - high + - V-38587 + - telnet + - unsecure_services + - audit - name: "HIGH | V-38587 | PATCH | The telnet-server package must not be installed" yum: name: telnet-server state: absent tags: - - cat1 - - high - - V-38587 - - telnet - - unsecure_services - - patch + - cat1 + - high + - V-38587 + - telnet + - unsecure_services + - patch - name: "HIGH | V-38589 | AUDIT | The telnet daemon must not be running" command: chkconfig 'telnet' --list register: telnet_service_audit failed_when: "'No such file or directory' not in telnet_service_audit.stderr" changed_when: false - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat1 - - high - - V-38589 - - telnet - - unsecure_services - - audit + - cat1 + - high + - V-38589 + - telnet + - unsecure_services + - audit - name: "HIGH | V-38589 | PATCH | The telnet daemon must not be running" + #if the service does not exist you can't stop it + when: "'service telnet: No such file' not in telnet_service_audit.stderr" service: name: telnet state: stopped enabled: no ignore_errors: yes tags: - - cat1 - - high - - V-38589 - - telnet - - unsecure_services - - patch + - cat1 + - high + - V-38589 + - telnet + - unsecure_services + - patch - name: "HIGH | V-38591 | AUDIT | The rsh-server package must not be installed" command: rpm -q rsh-server - always_run: yes + check_mode: no register: rsh_server_audit failed_when: "'is not installed' not in rsh_server_audit.stdout" changed_when: no 
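Review bot: The V-38491 .rhosts AUDIT and PATCH tasks switch `with_items` from `"{{ users.stdout_lines }}"` to the bare `users.stdout_lines`, the form Ansible 2.x reports as deprecated ("Using bare variables is deprecated") and which later releases stop expanding; the same commit keeps the full syntax elsewhere (`with_items: "{{system_files_perms_audit.stdout_lines}}"` in cat2), so the role is now inconsistent. Restoring `with_items: "{{ users.stdout_lines }}"` on both tasks keeps the loop working on 2.3 and beyond. On the V-38497 PATCH, the new `regexp: 'nullok ?'` only touches /etc/pam.d/system-auth; on a stock CentOS 7 install password-auth (used by sshd) carries the same `nullok` as far as I recall, so a reviewer would want the same replace applied there or a comment explaining why it is out of scope.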
@@ -209,240 +213,243 @@ name: rsh-server state: absent tags: - - cat1 - - high - - V-38591 - - rsh - - unsecure_services - - patch + - cat1 + - high + - V-38591 + - rsh + - unsecure_services + - patch - name: "HIGH | V-38594 | AUDIT | The rshd service must not be running" command: chkconfig 'rsh' --list register: rsh_service_audit failed_when: "'No such file or directory' not in rsh_service_audit.stderr" changed_when: false - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat1 - - high - - V-38594 - - rsh - - rlogin - - unsecure_services - - audit + - cat1 + - high + - V-38594 + - rsh + - rlogin + - unsecure_services + - audit - name: "HIGH | V-38594 | PATCH | The rshd service must not be running" + #if the service is not installed it is by default not enabled so that is a pass + when: "'service rsh: No such file' not in rsh_service_audit.stderr" service: name: rsh state: stopped enabled: no - ignore_errors: yes tags: - - cat1 - - high - - V-38594 - - rsh - - unsecure_services - - patch + - cat1 + - high + - V-38594 + - rsh + - unsecure_services + - patch - name: "HIGH | V-38598 | AUDIT | The rexecd service must not be running" command: chkconfig 'rexec' --list ignore_errors: yes register: rexec_status_audit failed_when: "'No such file or directory' not in rexec_status_audit.stderr" - always_run: yes + check_mode: no changed_when: no tags: - - cat1 - - high - - V-38598 - - rexec - - audit + - cat1 + - high + - V-38598 + - rexec + - audit - name: "HIGH | V-38598 | PATCH | The rexecd service must not be running" + #if the service is not installed it is by default not enabled so that is a pass + when: "'service rexec: No such file' not in rexec_status_audit.stderr" service: - name: rexec - state: stopped - ignore_errors: yes + name: rexec + state: stopped tags: - - cat1 - - high - - V-38598 - - rexec - - patch + - cat1 + - high + - V-38598 + - rexec + - patch - name: "HIGH | V-38602 | AUDIT | The rlogind service must not be running" command: chkconfig 
'rlogin' --list ignore_errors: yes register: rlogin_status_audit failed_when: "'No such file or directory' not in rlogin_status_audit.stderr" - always_run: yes + check_mode: no changed_when: no tags: - - cat1 - - high - - V-38602 - - rlogin - - audit + - cat1 + - high + - V-38602 + - rlogin + - audit - name: "HIGH | V-38602 | PATCH | The rlogind service must not be running" + #if the service is not installed it is by default not enabled so that is a pass + when: "'service rlogin: No such file' not in rlogin_status_audit.stderr" service: name: rlogin enabled: no - ignore_errors: yes tags: - - cat1 - - high - - V-38602 - - rlogin - - patch + - cat1 + - high + - V-38602 + - rlogin + - patch - name: "HIGH | V-38607 | AUDIT | The SSH daemon must be configured to use only the SSHv2 protocol" command: grep "Protocol 2" /etc/ssh/sshd_config register: proto2_audit ignore_errors: yes - always_run: yes + check_mode: no changed_when: no tags: - - cat1 - - high - - V-38607 - - ssh - - audit + - cat1 + - high + - V-38607 + - ssh + - audit - name: "HIGH | V-38607 | PATCH | The SSH daemon must be configured to use only the SSHv2 protocol" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?Protocol \d' - line: 'Protocol 2' + state: present + dest: /etc/ssh/sshd_config + regexp: '^(#)?Protocol \d' + line: 'Protocol 2' notify: restart ssh tags: - - high - - cat1 - - V-38607 - - ssh - - patch + - high + - cat1 + - V-38607 + - ssh + - patch - name: "HIGH | V-38614 | AUDIT | The SSH daemon must not allow authentication using an empty password" command: grep "PermitEmptyPasswords yes" /etc/ssh/sshd_config ignore_errors: yes - always_run: yes + check_mode: no changed_when: false register: ssh_empty_pass_audit failed_when: ssh_empty_pass_audit.stdout_lines|length > 0 tags: - - high - - cat1 - - ssh - - audit - - V-38614 + - high + - cat1 + - ssh + - audit + - V-38614 - name: "HIGH | V-38614 | PATCH | The SSH daemon must not allow authentication using an empty 
password" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?PermitEmptyPasswords' - line: 'PermitEmptyPasswords no' + state: present + dest: /etc/ssh/sshd_config + regexp: '^(#)?PermitEmptyPasswords' + line: 'PermitEmptyPasswords no' tags: - - ssh - - high - - cat1 - - V-38614 - - ssh + - ssh + - high + - cat1 + - V-38614 + - ssh - name: "HIGH | V-38653 | AUDIT | The snmpd service must not use a default password" shell: grep -v "^#" /etc/snmp/snmpd.conf| grep public register: snmpd_audit failed_when: snmpd_audit.stdout_lines|length > 0 - always_run: yes + check_mode: no when: snmpconf_test.stat.exists changed_when: no ignore_errors: yes tags: - - cat1 - - high - - V-38653 - - snmp - - always + - cat1 + - high + - V-38653 + - snmp + - always - name: "HIGH | V-38653 | PATCH | The snmpd service must not use a default password" replace: - backup: yes - dest: /etc/snmp/snmpd.conf - regexp: (^com2sec.*default\s+)public - replace: \1{{ cent7stig_snmp_community }} + backup: yes + dest: /etc/snmp/snmpd.conf + regexp: (^com2sec.*default\s+)public + replace: \1{{ cent7stig_snmp_community }} when: snmpconf_test.stat.exists and snmpd_audit.stdout != [] notify: restart snmpd tags: - - cat1 - - high - - V-38653 - - snmp - - patch + - cat1 + - high + - V-38653 + - snmp + - patch # V-38666 checks can be found in not_automated.yml - name: "HIGH | V-38668 | AUDIT | The x86 Ctrl-Alt-Delete key sequence must be disabled" stat: - path: /usr/lib/systemd/system/ctrl-alt-del.target + path: /usr/lib/systemd/system/ctrl-alt-del.target register: ctrl_alt_del_audit - always_run: yes + check_mode: no changed_when: no failed_when: "ctrl_alt_del_audit.stat.islnk is defined and ctrl_alt_del_audit.stat.islnk == False or ctrl_alt_del_audit.stat.lnk_source != '/dev/null'" ignore_errors: yes tags: - - V-38668 - - high - - cat1 - - audit - - ctrl_alt_delete + - V-38668 + - high + - cat1 + - audit + - ctrl_alt_delete - name: "HIGH | V-38668 | PATCH | The x86 Ctrl-Alt-Delete key 
sequence must be disabled" file: - dest: /usr/lib/systemd/system/ctrl-alt-del.target - src: /dev/null - state: link + dest: /usr/lib/systemd/system/ctrl-alt-del.target + src: /dev/null + state: link tags: - - high - - cat1 - - V-38668 - - ctrl_alt_delete - - patch + - high + - cat1 + - V-38668 + - ctrl_alt_delete + - patch # V-38677 can be found in not_automated.yml - name: "HIGH | V-38701 | AUDIT | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system" command: grep "server_args = -s" /etc/xinetd.d/tftp register: tftp_audit - always_run: yes + check_mode: no when: "'tftp' in xinetd_services.stdout_lines" ignore_errors: yes tags: - - tftp - - high - - cat1 - - V-38701 - - audit + - tftp + - high + - cat1 + - V-38701 + - audit - name: "HIGH | V-38701 | PATCH | The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system" lineinfile: - state: present - backup: yes - dest: /etc/xinetd.d/tftp - regexp: 'server_args\\s+=\\s+(/.*$)' - line: '\tserver_args\t\t= -s \\1' - backrefs: yes + state: present + backup: yes + dest: /etc/xinetd.d/tftp + regexp: 'server_args\\s+=\\s+(/.*$)' + line: '\tserver_args\t\t= -s \\1' + backrefs: yes when: "cent7stig_tftp_required and 'tftp' in xinetd_services.stdout_lines" ignore_errors: yes tags: - - cat1 - - V-38701 - - high - - patch - - tftp - - tftp-server - - unsecure_services + - cat1 + - V-38701 + - high + - patch + - tftp + - tftp-server + - unsecure_services notify: reload xinetd diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 8b2f5e6..c90973a 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
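Review bot: The new `when:` guards on the V-38594, V-38598 and V-38602 PATCH tasks read `rsh_service_audit`, `rexec_status_audit` and `rlogin_status_audit`, which are registered by tasks tagged only `audit`, and the commit also removes `ignore_errors: yes` from those PATCH tasks; a `--tags patch` run (the README documents tag usage) therefore stops on an undefined-variable conditional instead of skipping a missing service. Either tag the three AUDIT tasks `always` (as the V-38653 snmp audit in this file already is) or write the guard defensively, e.g. `when: rsh_service_audit is defined and 'service rsh: No such file' not in rsh_service_audit.stderr`. Also, the re-indented V-38598 rexec task sets only `state: stopped` and the V-38602 rlogin task only `enabled: no`, so "must not be running" is not fully enforced by either; both should carry `state: stopped` and `enabled: no` like the rsh task above them.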
@@ -4,7 +4,7 @@ # Not automated V-38439 The system must provide automated support for account management functions. - name: "MEDIUM | V-38443, V-38448, V-38449 | AUDIT | The /etc/gshadow file must be owned by root. The /etc/gshadow file must be group-owned by root. The /etc/gshadow file must have mode 0000" stat: - path: /etc/gshadow + path: /etc/gshadow register: gshadow_stat ignore_errors: yes tags: @@ -18,8 +18,8 @@ - name: "MEDIUM | V-38443 | PATCH | The /etc/gshadow file must be owned by root." file: - path: /etc/gshadow - owner: root + path: /etc/gshadow + owner: root register: gshadow_stat tags: - cat2 @@ -30,8 +30,8 @@ - name: "MEDIUM | V-38448 | PATCH | The /etc/gshadow file must be group-owned by root." file: - path: /etc/gshadow - group: root + path: /etc/gshadow + group: root register: gshadow_stat tags: - cat2 @@ -42,8 +42,8 @@ - name: "MEDIUM | V-38449 | PATCH | The /etc/gshadow file must have mode 0000" file: - path: /etc/gshadow - mode: "0000" + path: /etc/gshadow + mode: "0000" register: gshadow_stat tags: - cat2 @@ -54,7 +54,7 @@ - name: "MEDIUM | V-38450, V-38451, V-38457 | AUDIT | The /etc/passwd file must be owned by root. The /etc/passwd file must be group-owned by root.The /etc/passwd file must have mode 0644 or less permissive" stat: - path: /etc/passwd + path: /etc/passwd register: /etc/passwd_stat ignore_errors: yes tags: @@ -68,8 +68,8 @@ - name: "MEDIUM | V-38450 | PATCH | The /etc/passwd file be owned by root" file: - path: /etc/passwd - owner: root + path: /etc/passwd + owner: root tags: - cat2 - patch @@ -79,8 +79,8 @@ - name: "MEDIUM | V-38451 | PATCH | The /etc/passwd file be group-owned by root" file: - path: /etc/passwd - group: root + path: /etc/passwd + group: root tags: - cat2 - patch @@ -90,8 +90,8 @@ - name: "MEDIUM | V-38457 | PATCH | The /etc/passwd file must have mode 0644 or less permissive" file: - path: /etc/passwd - mode: "u-x,g-wx,o-wx" + path: /etc/passwd + mode: "u-x,g-wx,o-wx" tags: - cat2 - patch 
@@ -101,7 +101,7 @@ - name: "MEDIUM | V-38458, V-38459, V-38461 | AUDIT | The /etc/group file must be owned by root. The /etc/group file must be group-owned by root.The /etc/group file must have mode 0644 or less permissive" stat: - path: /etc/group + path: /etc/group register: /etc/group_stat ignore_errors: yes tags: @@ -115,8 +115,8 @@ - name: "MEDIUM | V-38458 | PATCH | The /etc/group file be owned by root" file: - path: /etc/group - owner: root + path: /etc/group + owner: root tags: - cat2 - patch @@ -126,8 +126,8 @@ - name: "MEDIUM | V-38459 | PATCH | The /etc/group file be group-owned by root" file: - path: /etc/group - group: root + path: /etc/group + group: root tags: - cat2 - patch 
@@ -137,376 +137,375 @@ - name: "MEDIUM | V-38461 | PATCH | The /etc/group file must have mode 0644 or less permissive" file: - path: /etc/group - mode: "u-x,g-wx,o-wx" + path: /etc/group + mode: "u-x,g-wx,o-wx" tags: - - cat2 - - patch - - medium - - V-38461 - - file_perms + - cat2 + - patch + - medium + - V-38461 + - file_perms - name: "MEDIUM | V-38464 | AUDIT | The audit system must take appropriate action when there are disk errors on the audit storage volume." shell: grep disk_error_action /etc/audit/auditd.conf | cut -d = -f 2 | xargs basename register: disk_err_action_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat2 - - medium - - V-38464 - - auditd - - audit + - cat2 + - medium + - V-38464 + - auditd + - audit - name: "MEDIUM | V-38464 | PATCH | The audit system must take appropriate action when there are disk errors on the audit storage volume." lineinfile: - regexp: "(^disk_error_action\\s*=)(\\s*)" - line: "\\1 {{ cent7stig_auditd_config['disk_full_action'] }}" - dest: /etc/audit/auditd.conf - backrefs: yes + regexp: "(^disk_error_action\\s*=)(\\s*)" + line: "\\1 {{ cent7stig_auditd_config['disk_full_action'] }}" + dest: /etc/audit/auditd.conf + backrefs: yes tags: - - cat2 - - medium - - V-38464 - - auditd - - patch + - cat2 + - medium + - V-38464 + - auditd + - patch - name: "MEDIUM | V-38465 | AUDIT | Library files must have mode 0755 or less permissive" become_user: root script: sys_libs_with_bad_perms.sh register: library_perms_audit + check_mode: no changed_when: no ignore_errors: yes tags: - - cat2 - - medium - - V-38465 - - file_perms - - always + - cat2 + - medium + - V-38465 + - file_perms - name: "MEDIUM | V-38465 | PATCH | Library files must have mode 0755 or less permissive" file: - state: file - mode: "go-w" - path: "{{ item }}" + state: file + mode: "go-w" + path: "{{ item }}" when: library_perms_audit.stdout - with_items: "{{ library_perms_audit.stdout_lines }}" + with_items: 
library_perms_audit.stdout_lines tags: - - cat2 - - medium - - V-38465 - - file_perms - - patch + - cat2 + - medium + - V-38465 + - file_perms + - patch - name: "MEDIUM | V-38466 | AUDIT | Library files must be owned by root" become_user: root script: sys_libs_with_bad_owner.sh register: library_owner_audit + check_mode: no changed_when: no ignore_errors: yes tags: - - cat2 - - medium - - V-38466 - - file_perms - - always + - cat2 + - medium + - V-38466 + - file_perms - name: "MEDIUM | V-38466 | PATCH | Library files must be owned by root" file: - state: file - owner: "root" - path: "{{ item }}" + state: file + owner: "root" + path: "{{ item }}" when: library_owner_audit.stdout - with_items: "{{ library_owner_audit.stdout_lines }}" + with_items: library_owner_audit.stdout_lines tags: - - cat2 - - medium - - V-38466 - - file_perms - - patch + - cat2 + - medium + - V-38466 + - file_perms + - patch - name: "MEDIUM | V-384648 | AUDIT | The audit system must take appropriate action when the audit storage volume is full." shell: grep disk_full_action /etc/audit/auditd.conf | cut -d = -f 2 | xargs basename register: disk_full_action_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat2 - - medium - - V-38468 - - auditd - - audit + - cat2 + - medium + - V-38468 + - auditd + - audit - name: "MEDIUM | V-38468 | PATCH | The audit system must take appropriate action when the audit storage volume is full." lineinfile: - regexp: '(^disk_full_action\\s*=)(\\s*)' - line: "\\1 {{ cent7stig_auditd_config['disk_full_action'] }}" - dest: /etc/audit/auditd.conf - backrefs: yes + regexp: '(^disk_full_action\\s*=)(\\s*)' + line: "\\1 {{ cent7stig_auditd_config['disk_full_action'] }}" + dest: /etc/audit/auditd.conf + backrefs: yes tags: - - cat2 - - medium - - V-38468 - - auditd - - patch + - cat2 + - medium + - V-38468 + - auditd + - patch - name: "MEDIUM | V-38469 | AUDIT | All system command files must have mode 755 or less permissive." 
script: sys_command_files_with_bad_perms.sh become_user: root register: system_files_perms_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat2 - - medium - - V-38469 - - file_perms - - always + - cat2 + - medium + - V-38469 + - file_perms - name: "MEDIUM | V-38469 | PATCH | All system command files must have mode 755 or less permissive" file: - state: file - mode: "og-w" - path: "{{ item }}" + state: file + mode: "og-w" + path: "{{ item }}" when: system_files_perms_audit.stdout - with_items: "{{ system_files_perms_audit.stdout_lines }}" + with_items: "{{system_files_perms_audit.stdout_lines}}" tags: - - cat2 - - medium - - V-38469 - - file_perms - - patch + - cat2 + - medium + - V-38469 + - file_perms + - patch - name: "MEDIUM | V-38470 | AUDIT | The audit system must alert designated staff members when the audit storage volume approaches capacity.." shell: grep space_left_action /etc/audit/auditd.conf | cut -d = -f 2 | xargs basename register: space_left_action_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat2 - - medium - - V-38470 - - auditd - - audit + - cat2 + - medium + - V-38470 + - auditd + - audit - name: "MEDIUM | V-38470 | PATCH | The audit system must alert designated staff members when the audit storage volume approaches capacity.." 
lineinfile: - regexp: '(^space_left_action\\s*=)(\\s*)' - line: "\\1 {{ cent7stig_auditd_config['space_left_action'] }}" - dest: /etc/audit/auditd.conf - backrefs: yes + regexp: '(^space_left_action\\s*=)(\\s*)' + line: "\\1 {{ cent7stig_auditd_config['space_left_action'] }}" + dest: /etc/audit/auditd.conf + backrefs: yes tags: - - cat2 - - medium - - V-38470 - - auditd - - patch + - cat2 + - medium + - V-38470 + - auditd + - patch - name: "MEDIUM | V-38472 | AUDIT | All system command files must be owned by root" script: sys_command_files_with_bad_owner.sh become_user: root register: sys_commands_owner_audit - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: - - cat2 - - medium - - V-38472 - - file_perms - - always + - cat2 + - medium + - V-38472 + - file_perms - name: "MEDIUM | V-38472 | PATCH | All system command files must be owned by root" file: - state: file - owner: root + state: file + owner: root when: sys_commands_owner_audit.stdout - with_items: "{{ sys_commands_owner_audit.stdout_lines }}" + with_items: sys_commands_owner_audit.stdout_lines tags: - - cat2 - - medium - - V-38472 - - file_perms - - patch + - cat2 + - medium + - V-38472 + - file_perms + - patch - name: "MEDIUM | V-38475 | AUDIT | The system must require passwords to contain a minimum of 14 characters." shell: grep -E '^PASS_MIN_LEN' /etc/login.defs | awk '{print $2}' register: min_pwd_len_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat2 - - medium - - V-38475 - - passwords - - audit + - cat2 + - medium + - V-38475 + - passwords + - audit - name: "MEDIUM | V-38475 | PATCH | The system must require passwords to contain a minimum of 14 characters." 
lineinfile: - regexp: '(^PASS_MIN_LEN)\s*(\d*)' - line: '\1 {{ cent7stig_pass_min_length }}' - dest: /etc/login.defs - backrefs: yes + regexp: '(^PASS_MIN_LEN)\s*(\d*)' + line: '\1 {{ cent7stig_pass_min_length }}' + dest: /etc/login.defs + backrefs: yes tags: - - cat2 - - medium - - V-38475 - - passwords - - patch + - cat2 + - medium + - V-38475 + - passwords + - patch - name: "MEDIUM | V-38477 | AUDIT | Users must not be able to change passwords more than once every 24 hours." shell: grep -E '^PASS_MIN_DAYS' /etc/login.defs | awk '{print $2}' register: pwd_min_days_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat2 - - medium - - V-38477 - - passwords - - audit + - cat2 + - medium + - V-38477 + - passwords + - audit - name: "MEDIUM | V-38477 | PATCH | The system must require passwords to contain a minimum of 14 characters." lineinfile: - regexp: '(^PASS_MIN_DAYS)\s*(\d*)' - line: '\1 {{ cent7stig_pass_min_days }}' - dest: /etc/login.defs - backrefs: yes + regexp: '(^PASS_MIN_DAYS)\s*(\d*)' + line: '\1 {{ cent7stig_pass_min_days }}' + dest: /etc/login.defs + backrefs: yes tags: - - cat2 - - medium - - V-38477 - - passwords - - patch + - cat2 + - medium + - V-38477 + - passwords + - patch - name: "MEDIUM | V-38479 | AUDIT | User passwords must be changed at least every 60 days." shell: grep -E '^PASS_MAX_DAYS' /etc/login.defs | awk '{print $2}' register: pwd_max_days_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat2 - - medium - - V-38479 - - passwords - - audit + - cat2 + - medium + - V-38479 + - passwords + - audit - name: "MEDIUM | V-38479 | PATCH | User passwords must be changed at least every 60 days." 
lineinfile: - regexp: '(^PASS_MAX_DAYS)\s*(\d*)' - line: '\1 {{ cent7stig_pass_max_days }}' - dest: /etc/login.defs - backrefs: yes + regexp: '(^PASS_MAX_DAYS)\s*(\d*)' + line: '\1 {{ cent7stig_pass_max_days }}' + dest: /etc/login.defs + backrefs: yes tags: - - cat2 - - medium - - V-38479 - - passwords - - patch + - cat2 + - medium + - V-38479 + - passwords + - patch - name: "MEDIUM | V-38481 | AUDIT | System security patches and updates must be installed and up-to-date." command: yum check-update + args: + warn: false changed_when: no register: yum_pkgs_update_audit ignore_errors: yes tags: - - cat2 - - medium - - V-38481 - - yum - - updates - - audit + - cat2 + - medium + - V-38481 + - yum + - updates + - audit - name: "MEDIUM | V-38481 | PATCH | System security patches and updates must be installed and up-to-date." yum: - name: '*' - state: latest - update_cache: yes + name: '*' + state: latest + update_cache: yes when: cent7stig_update_packages tags: - - cat2 - - medium - - V-38481 - - yum - - updates - - patch + - cat2 + - medium + - V-38481 + - yum + - updates + - patch - name: "MEDIUM | V-38483 | AUDIT | The system package management tool must cryptographically verify the authenticity of system software packages during installation." shell: find /etc/yum{.conf,.repos.d/*.repo} -exec grep -ls '^gpgcheck=0' {} \; changed_when: false - always_run: yes + check_mode: no register: repo_crypto_check_audit ignore_errors: yes tags: - - cat2 - - medium - - V-38483 - - rpm - - yum - - always - - gpgcheck + - cat2 + - medium + - V-38483 + - rpm + - yum + - gpgcheck - name: "MEDIUM | V-38483 | PATCH | The system package management tool must cryptographically verify the authenticity of system software packages during installation." 
replace: - backup: yes - dest: '{{ item }}' - regexp: '^gpgcheck=0' - replace: 'gpgcheck=1' + backup: yes + dest: '{{ item }}' + regexp: '^gpgcheck=0' + replace: 'gpgcheck=1' with_flattened: - /etc/yum.conf - - "{{ repo_crypto_check_audit.stdout_lines }}" + - repo_crypto_check_audit.stdout_lines tags: - - cat2 - - medium - - V-38483 - - rpm - - gpgcheck - - patch + - cat2 + - medium + - V-38483 + - rpm + - gpgcheck + - patch - name: "MEDIUM | V-38484 | AUDIT | The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh." shell: grep -i "^PrintLastLog" /etc/ssh/sshd_config | awk '{ print $2 }' register: last_log_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - medium - - cat2 - - V-38484 - - sshd - - audit + - medium + - cat2 + - V-38484 + - sshd + - audit - name: "MEDIUM | V-38484 | PATCH | The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh." lineinfile: - regexp: '(^PrintLastLog)\s*(\d*)' - line: '\1 yes' - dest: /etc/ssh/sshd_config - backrefs: yes + regexp: '(^PrintLastLog)\s*(\d*)' + line: '\1 yes' + dest: /etc/ssh/sshd_config + backrefs: yes tags: - - medium - - cat2 - - V-38484 - - sshd - - patch + - medium + - cat2 + - V-38484 + - sshd + - patch - name: "MEDIUM | V-38484 | PATCH | The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh." lineinfile: - line: 'PrintLastLog yes' - dest: /etc/ssh/sshd_config + line: 'PrintLastLog yes' + dest: /etc/ssh/sshd_config tags: - - medium - - cat2 - - V-38484 - - sshd - - patch + - medium + - cat2 + - V-38484 + - sshd + - patch # V-38486 cannot be automated # V-38488 cannot be automated 
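Review bot: The `always` tag is removed from the V-38465, V-38466, V-38469, V-38472 and V-38483 AUDIT tasks while their PATCH tasks still loop over `library_perms_audit.stdout_lines` and friends, so a `--tags patch` run now fails on undefined variables where it previously worked; `check_mode: no` does not replace `always` for this purpose. The V-38483 PATCH also turns the `with_flattened` item into the bare string `repo_crypto_check_audit.stdout_lines`; as far as I can tell bare-variable expansion applies only to a whole-string loop term, not to an item inside a YAML list, so that item becomes a literal relative path and the `gpgcheck=1` fix never reaches the .repo files — restore `"{{ repo_crypto_check_audit.stdout_lines }}"` there (and in the other loops this commit changed to bare form). Finally, the re-indented V-38464 PATCH writes `cent7stig_auditd_config['disk_full_action']` into `disk_error_action`, which looks like a copy-paste from V-38468; the key should presumably be `disk_error_action`.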
@@ -515,65 +514,65 @@ command: rpm -q aide register: aide_installed_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - medium - - cat2 - - V-38489 - - audit - - aide - - integrity + - medium + - cat2 + - V-38489 + - audit + - aide + - integrity - name: "MEDIUM | V-38489 | PATCH | A file integrity tool must be installed." yum: - name: aide - state: present + name: aide + state: present when: cent7stig_install_packages tags: - - medium - - cat2 - - V-38489 - - audit - - aide - - integrity + - medium + - cat2 + - V-38489 + - audit + - aide + - integrity - name: "MEDIUM | V-38490 | AUDIT | The operating system must enforce requirements for the connection of mobile devices to operating systems" shell: "test -f /etc/modprobe.d/disable-usb.conf || grep -r usb-storage /etc/modprobe.conf || grep -r usb-storage /etc/modprobe.d" register: usb_reqs_audit - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: - - medium - - cat2 - - V-38490 - - mobile_devices - - usb_devices - - kernel_modules - - audit + - medium + - cat2 + - V-38490 + - mobile_devices + - usb_devices + - kernel_modules + - audit - name: "MEDIUM | V-38490 | PATCH | The operating system must enforce requirements for the connection of mobile devices to operating systems" copy: - backup: no - src: disable-usb.conf - dest: /etc/modprobe.d/disable-usb.conf - owner: root - group: root - mode: "0644" - tags: - - medium - - cat2 - - V-38490 - - mobile_devices - - usb_devices - - kernel_modules - - patch + backup: no + src: disable-usb.conf + dest: /etc/modprobe.d/disable-usb.conf + owner: root + group: root + mode: "0644" + tags: + - medium + - cat2 + - V-38490 + - mobile_devices + - usb_devices + - kernel_modules + - patch - name: "MEDIUM | V-38492 | AUDIT | The system must prevent the root account from logging in from virtual consoles." 
command: grep '^vc/[0-9]' /etc/securetty register: vc_root_login_audit - always_run: yes + check_mode: no changed_when: no failed_when: vc_root_login_audit.stdout_lines|length > 0 ignore_errors: yes 
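Review bot: The V-38490 PATCH copies `/etc/modprobe.d/disable-usb.conf` into place but does not notify the existing `unload usb-storage` handler from handlers/main.yml, so a usb-storage module that is already loaded stays active until reboot while the audit passes on the file check alone. Adding `notify: unload usb-storage` to the copy task closes that window. On a smaller note, the V-38489 PATCH task (install aide) is tagged `audit` rather than `patch`, so `--tags patch` skips the install and `--tags audit` performs a package change during what should be a read-only pass.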
@@ -589,142 +588,137 @@ - name: "MEDIUM | V-38492 | PATCH | The system must prevent the root account from logging in from virtual consoles" lineinfile: - state: absent - dest: /etc/securetty - regexp: '^.*vc/?\d' - backup: yes - tags: - - cat2 - - V-38492 - - root_access - - logon_settings - - tty - - virtual_consoles - - medium - - patch + state: absent + dest: /etc/securetty + regexp: '^.*vc/?\d' + backup: yes + tags: + - cat2 + - V-38492 + - root_access + - logon_settings + - tty + - virtual_consoles + - medium + - patch - name: "MEDIUM | V-38493 | AUDIT | Audit log directories must have mode 0755 or less permissive." shell: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//' | xargs -I % find % -type d -perm /022 changed_when: no - always_run: yes + check_mode: no register: audit_log_dir_perms_audit ignore_errors: yes tags: - - cat2 - - V-38493 - - medium - - file_perms - - auditd - - audit_permissions - - always + - cat2 + - V-38493 + - medium + - file_perms + - auditd + - audit_permissions - name: "MEDIUM | V-38493 | PATCH | Audit log directories must have mode 0755 or less permissive." file: - state: directory - mode: "go-w" - path: "{{ item }}" - with_items: "{{ audit_log_dir_perms_audit.stdout_lines }}" + state: directory + mode: "go-w" + path: "{{ item }}" + with_items: audit_log_dir_perms_audit.stdout_lines when: audit_log_dir_perms_audit.stdout tags: - - cat2 - - V-38493 - - medium - - file_perms - - auditd - - audit_permissions - - patch + - cat2 + - V-38493 + - medium + - file_perms + - auditd + - audit_permissions + - patch - name: "MEDIUM | V-38495 | AUDIT | Audit log files must be owned by root." shell: grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//' | xargs -I % find % -type f ! 
-user root changed_when: no - always_run: yes + check_mode: no register: audit_log_dir_owner_audit ignore_errors: yes tags: - - cat2 - - V-38495 - - medium - - file_perms - - auditd - - audit_permissions - - always + - cat2 + - V-38495 + - medium + - file_perms + - auditd + - audit_permissions - name: "MEDIUM | V-38495 | PATCH | Audit log files must be owned by root." file: - state: file - owner: root - path: "{{ item }}" - with_items: "{{ audit_log_dir_owner_audit.stdout_lines }}" + state: file + owner: root + path: "{{ item }}" + with_items: audit_log_dir_owner_audit.stdout_lines when: audit_log_dir_owner_audit.stdout tags: - - cat2 - - V-38495 - - medium - - file_perms - - auditd - - audit_permissions - - patch + - cat2 + - V-38495 + - medium + - file_perms + - auditd + - audit_permissions + - patch - name: "MEDIUM | V-38496 | AUDIT | Default system accounts, other than root, must be locked" shell: > awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow | xargs -I{} grep {} /etc/passwd | awk -F: '$3 < 500 {print $1}' register: unlocked_sys_accounts_audit changed_when: false - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat2 - - medium - - V-38496 - - always - - accounts - - system_accounts + - cat2 + - medium + - V-38496 + - accounts + - system_accounts - name: "MEDIUM | V-38496 | PATCH | Default system accounts, other than root, must be locked" user: - name: "{{ item }}" - state: present - expires: 1412541480 - with_items: "{{ unlocked_sys_accounts_audit.stdout_lines }}" + name: "{{ item }}" + state: present + expires: 1412541480 + with_items: unlocked_sys_accounts_audit.stdout_lines when: unlocked_sys_accounts_audit.stdout tags: - - cat2 - - medium - - V-38496 - - patch - - accounts - - system_accounts + - cat2 + - medium + - V-38496 + - patch + - accounts + - system_accounts - name: "MEDIUM | V-38498 | AUDIT | Audit log files must have mode 0640 or less permissive." 
shell: grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//|xargs stat -c %n | xargs -I % find % -perm /137 register: audit_log_file_perms_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - medium - - cat2 - - auditd - - always - - logs - - V-38498 - - file_perms + - medium + - cat2 + - auditd + - logs + - V-38498 + - file_perms - name: "MEDIUM | V-38498 | PATCH | Audit log files must have mode 0640 or less permissive." file: - state: file - path: "{{ item }}" - mode: "u-x,g-wx,o-rwx" - ignore_errors: yes - with_items: "{{ audit_log_file_perms_audit.stdout_lines }}" + state: file + path: "{{ item }}" + mode: "u-x,g-wx,o-rwx" + with_items: "{{audit_log_file_perms_audit.stdout_lines}}" tags: - - medium - - cat2 - - auditd - - patch - - logs - - V-38498 - - file_perms + - medium + - cat2 + - auditd + - patch + - logs + - V-38498 + - file_perms # V-38499 is checked but not automatically patched, please see not_automated.yml # V-38500 is checked but not automatically patched, please see not_automated.yml 
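Review bot: The new side is inconsistent about loop variables: V-38493, V-38495 and V-38496 PATCH use a bare `with_items: audit_log_dir_perms_audit.stdout_lines`, while V-38498 PATCH in the same hunk and the V-38518 stat/file tasks in the next hunk use the `"{{ ... }}"` form. Bare variables in loops are deprecated in the 2.x line and removed later, so keep the templated form everywhere, e.g. `with_items: "{{ audit_log_dir_perms_audit.stdout_lines }}"`. The V-38496 AUDIT also selects system accounts with `$3 < 500`, which is the CentOS 6 UID_MIN; on CentOS 7 UID_MIN defaults to 1000, so unlocked system accounts in the 500–999 range would be missed by an audit that this commit otherwise ports to 7.3, and the unanchored `grep {} /etc/passwd` matches substrings of other usernames. Consider `$3 < 1000` together with an anchored match such as `grep "^{}:" /etc/passwd`.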
@@ -732,430 +726,425 @@ - name: "MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval." shell: grep -h pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth | grep fail_interval | awk -F'=' '{print $NF}' changed_when: no - always_run: yes + check_mode: no register: login_failures_interval ignore_errors: yes tags: - - medium - - cat2 - - logon_settings - - audit - - V-38501 - - pam + - medium + - cat2 + - logon_settings + - audit + - V-38501 + - pam - name: "MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval." shell: grep -hG '^account\s*required\s*pam_faillock\.so' /etc/pam.d/system-auth /etc/pam.d/password-auth changed_when: no - always_run: yes + check_mode: no register: login_failures_account_require failed_when: login_failures_account_require.stdout_lines|length > 0 ignore_errors: yes tags: - - medium - - cat2 - - logon_settings - - audit - - V-38501 - - pam + - medium + - cat2 + - logon_settings + - audit + - V-38501 + - pam - name: "MEDIUM | V-38501 | AUDIT | The system must disable accounts after excessive login failures within a 15-minute interval." assert: - that: "{{ item | integer }} > 900" - that: "{{ login_failures_account_require.stdout_lines | length }} == 2" - with_items: "{{ login_failures_interval.stdout_lines }}" + that: + - "{{ item | integer }} > 900" + - "{{ login_failures_account_require.stdout_lines | length }} == 2" + with_items: "{{login_failures_interval.stdout_lines}}" register: login_failures_interval_audit ignore_errors: yes tags: - - medium - - cat2 - - logon_settings - - audit - - V-38501 - - pam + - medium + - cat2 + - logon_settings + - audit + - V-38501 + - pam - name: "MEDIUM | V-38501 | PATCH | The system must disable accounts after excessive login failures within a 15-minute interval." 
- pamd: - name: "{{ item }}" - new_control: required - new_module_path: pam_faillock.so - new_type: auth - type: auth - module_path: pam_unix.so - control: sufficient - module_arguments: preauth silent deny=3 unlock_time=604800 fail_interval=900 - state: before + pam: + service: "{{ item }}" + type: auth + control: required + pam_module: pam_faillock.so + before_line: auth sufficient pam_unix.so + arguments: preauth silent deny=3 unlock_time=604800 fail_interval=900 + state: present with_items: - - password-auth - - system-auth + - password-auth + - system-auth tags: - - medium - - cat2 - - logon_settings - - patch - - V-38501 - - pam + - medium + - cat2 + - logon_settings + - patch + - V-38501 + - pam - name: "MEDIUM | V-38501 | PATCH | The system must disable accounts after excessive login failures within a 15-minute interval." - pamd: - name: "{{ item }}" - new_type: auth - new_control: '[default=die]' - new_module_path: pam_faillock.so - type: auth - control: sufficient - module_path: pam_unix.so - module_arguments: authfail deny=3 unlock_time=604800 fail_interval=900 - state: after + pam: + service: "{{ item }}" + type: auth + control: '[default=die]' + pam_module: pam_faillock.so + after_line: auth sufficient pam_unix.so + arguments: authfail deny=3 unlock_time=604800 fail_interval=900 + state: present with_items: - - password-auth - - system-auth + - password-auth + - system-auth tags: - - medium - - cat2 - - logon_settings - - patch - - V-38501 - - pam + - medium + - cat2 + - logon_settings + - patch + - V-38501 + - pam - name: | - MEDIUM | V-38502 | AUDIT | The /etc/shadow file must be owned by root. - MEDIUM | V-38503 | AUDIT | The /etc/shadow file must be group-owned by root. - MEDIUM | V-38504 | AUDIT | The /etc/shadow file must have mode 0000. + MEDIUM | V-38502 | AUDIT | The /etc/shadow file must be owned by root. + MEDIUM | V-38503 | AUDIT | The /etc/shadow file must be group-owned by root. 
+ MEDIUM | V-38504 | AUDIT | The /etc/shadow file must have mode 0000. stat: - path: /etc/shadow + path: /etc/shadow register: shadow_owner_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38502 - - shadow - - file_perms - - audit + - medium + - cat2 + - V-38502 + - shadow + - file_perms + - audit - name: "MEDIUM | V-38502 | PATCH | The /etc/shadow file must be owned by root." file: - state: file - owner: root - path: /etc/shadow + state: file + owner: root + path: /etc/shadow tags: - - medium - - cat2 - - V-38502 - - shadow - - file_perms - - patch + - medium + - cat2 + - V-38502 + - shadow + - file_perms + - patch - name: "MEDIUM | V-38503 | PATCH | The /etc/shadow file must be group-owned by root." file: - state: file - group: root - path: /etc/shadow + state: file + group: root + path: /etc/shadow tags: - - medium - - cat2 - - V-38503 - - shadow - - file_perms - - patch + - medium + - cat2 + - V-38503 + - shadow + - file_perms + - patch - name: "MEDIUM | V-38504 | PATCH | The /etc/shadow file must have mode 0000." file: - state: file - mode: "0000" - path: /etc/shadow + state: file + mode: "0000" + path: /etc/shadow tags: - - medium - - cat2 - - V-38504 - - shadow - - file_perms - - patch + - medium + - cat2 + - V-38504 + - shadow + - file_perms + - patch - name: "MEDIUM | V-38511 | AUDIT | IP forwarding for IPv4 must not be enabled, unless the system is a router." shell: sysctl net.ipv4.ip_forward | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: ipv4_ip_forwarding_audit ignore_errors: yes tags: - - V-38511 - - cat2 - - medium - - ip_forward - - ipv4 - - audit + - V-38511 + - cat2 + - medium + - ip_forward + - ipv4 + - audit - name: "MEDIUM | V-38511 | AUDIT | IP forwarding for IPv4 must not be enabled, unless the system is a router." 
shell: sysctl net.ipv4.ip_forward | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: ipv4_ip_forwarding_audit ignore_errors: yes tags: - - V-38511 - - cat2 - - medium - - ip_forward - - ipv4 - - audit + - V-38511 + - cat2 + - medium + - ip_forward + - ipv4 + - audit - name: "MEDIUM | V-38511 | PATCH | IP forwarding for IPv4 must not be enabled unless the system is a router" sysctl: - name: net.ipv4.ip_forward - value: 0 - state: present - reload: yes + name: net.ipv4.ip_forward + value: 0 + state: present + reload: yes when: not cent7stig_system_is_router tags: - - cat2 - - V-38511 - - kernel_parameters - - network - - medium - - patch + - cat2 + - V-38511 + - kernel_parameters + - network + - medium + - patch ## the ansible script is going to assume iptables over firewalld.. this provides cent6 > cent 7 migration and provides better docker support - name: "MEDIUM | V-38512 | AUDIT | The operating system must prevent public IPv4 access into an organizations internal networks except as appropriately mediated by managed interfaces employing boundary protection devices" command: chkconfig 'iptables' --list - always_run: yes + check_mode: no changed_when: no register: iptables_audit failed_when: "'No such file or directory' not in iptables_audit.stderr" ignore_errors: yes tags: - - V-38512 - - ipv4 - - network - - firewall - - medium - - cat2 - - audit + - V-38512 + - ipv4 + - network + - firewall + - medium + - cat2 + - audit - name: "MEDIUM | V-38512 | PATCH | The operating system must prevent public IPv4 access into an organizations internal networks except as appropriately mediated by managed interfaces employing boundary protection devices" yum: - name: iptables-services - state: present + name: iptables-services + state: present when: cent7stig_install_packages tags: - - V-38512 - - ipv4 - - network - - firewall - - medium - - cat2 - - patch + - V-38512 + - ipv4 + - network + - firewall + - medium + - cat2 + - patch - name: "MEDIUM | 
V-38512 | PATCH | The operating system must prevent public IPv4 access into an organizations internal networks except as appropriately mediated by managed interfaces employing boundary protection devices" service: - name: firewalld - enabled: no - state: stopped - ignore_errors: yes + name: firewalld + enabled: no + state: stopped tags: - - V-38512 - - ipv4 - - network - - firewall - - medium - - cat2 - - patch + - V-38512 + - ipv4 + - network + - firewall + - medium + - cat2 + - patch - name: "MEDIUM | V-38512 | PATCH | The operating system must prevent public IPv4 access into an organizations internal networks except as appropriately mediated by managed interfaces employing boundary protection devices" service: - name: iptables - enabled: yes - state: started - tags: - - V-38512 - - ipv4 - - network - - firewall - - medium - - cat2 - - patch + name: iptables + enabled: yes + state: started + tags: + - V-38512 + - ipv4 + - network + - firewall + - medium + - cat2 + - patch - name: "MEDIUM | V-38513 | AUDIT | The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets." shell: grep ":INPUT" /etc/sysconfig/iptables | awk '{print $2}' changed_when: no - always_run: yes + check_mode: no register: ipv4_fw_deny_all_audit ignore_errors: yes tags: - - V-38513 - - ipv4 - - network - - firewall - - medium - - cat2 - - audit + - V-38513 + - ipv4 + - network + - firewall + - medium + - cat2 + - audit - name: "MEDIUM | V-38513 | PATCH | The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets." 
lineinfile: - state: present - dest: /etc/sysconfig/iptables - regexp: ':INPUT' - line: ':INPUT DROP [0:0]' + state: present + dest: /etc/sysconfig/iptables + regexp: ':INPUT' + line: ':INPUT DROP [0:0]' notify: restart iptables tags: - - cat2 - - medium - - V-38513 - - ipv4 - - firewall - - network - - patch + - cat2 + - medium + - V-38513 + - ipv4 + - firewall + - network + - patch - name: "MEDIUM | V-38514 | AUDIT | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required." command: grep -rse "^install\s*dccp\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d changed_when: no - always_run: yes + check_mode: no register: dccp_audit ignore_errors: yes tags: - - V-38514 - - cat2 - - medium - - dccp - - transport - - audit + - V-38514 + - cat2 + - medium + - dccp + - transport + - audit - name: "MEDIUM | V-38514 | PATCH | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required." lineinfile: - state: present - create: yes - line: install dccp /bin/true - dest: /etc/modprobe.d/disable-dccp.conf - owner: root - group: root - mode: "0644" - tags: - - V-38514 - - cat2 - - medium - - dccp - - transport - - patch + state: present + create: yes + line: install dccp /bin/true + dest: /etc/modprobe.d/disable-dccp.conf + owner: root + group: root + mode: "0644" + tags: + - V-38514 + - cat2 + - medium + - dccp + - transport + - patch - name: "MEDIUM | V-38515 | AUDIT | The Stream Control Transmission Protocol (SCTP) must be disabled unless required." command: grep -rse "^install\s*sctp\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d changed_when: no - always_run: yes + check_mode: no register: sctp_audit ignore_errors: yes tags: - - V-38515 - - cat2 - - medium - - sctp - - transport - - audit + - V-38515 + - cat2 + - medium + - sctp + - transport + - audit - name: "MEDIUM | V-38515 | PATCH | The Stream Control Transmission Protocol (SCTP) must be disabled unless required." 
lineinfile: - state: present - create: yes - line: install sctp /bin/true - dest: /etc/modprobe.d/disable-sctp.conf - owner: root - group: root - mode: "0644" - tags: - - V-38515 - - cat2 - - medium - - sctp - - transport - - patch + state: present + create: yes + line: install sctp /bin/true + dest: /etc/modprobe.d/disable-sctp.conf + owner: root + group: root + mode: "0644" + tags: + - V-38515 + - cat2 + - medium + - sctp + - transport + - patch - name: "MEDIUM | V-38516 | AUDIT | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required." command: grep -rse "^install\s*tipc\s*/bin/true$" /etc/modprobe.conf /etc/modprobe.d changed_when: no - always_run: yes + check_mode: no register: tipc_audit ignore_errors: yes tags: - - V-38516 - - cat2 - - medium - - tipc - - transport - - audit + - V-38516 + - cat2 + - medium + - tipc + - transport + - audit - name: "MEDIUM | V-38516 | PATCH | The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required." lineinfile: - state: present - create: yes - line: install tipc /bin/true - dest: /etc/modprobe.d/disable-tipc.conf - owner: root - group: root - mode: "0644" - tags: - - V-38516 - - cat2 - - medium - - tipc - - transport - - patch + state: present + create: yes + line: install tipc /bin/true + dest: /etc/modprobe.d/disable-tipc.conf + owner: root + group: root + mode: "0644" + tags: + - V-38516 + - cat2 + - medium + - tipc + - transport + - patch - name: "MEDIUM | V-38518 | AUDIT | All rsyslog-generated log files must be owned by root." 
shell: grep -e "/" /etc/rsyslog.conf /etc/rsyslog.d/* | grep -v ':\$' | sed 's/-//'| awk 'NF==2 {print $2}' changed_when: no - always_run: yes + check_mode: no register: rsyslog_logfiles ignore_errors: yes tags: - - cat2 - - medium - - V-38518 - - log_files - - rsyslog - - always + - cat2 + - medium + - V-38518 + - log_files + - rsyslog - name: "MEDIUM | V-38518 | AUDIT | All rsyslog-generated log files must be owned by root." stat: - path: "{{ item }}" - with_items: "{{ rsyslog_logfiles.stdout_lines }}" + path: "{{ item }}" + with_items: rsyslog_logfiles.stdout_lines register: rsyslog_logfiles_audit ignore_errors: yes tags: - - cat2 - - medium - - V-38518 - - log_files - - rsyslog - - audit + - cat2 + - medium + - V-38518 + - log_files + - rsyslog + - audit - name: "MEDIUM | V-38518 | PATCH | All rsyslog-generated log files must be owned by root." file: - path: "{{ item }}" - owner: root - follow: yes - state: file - with_items: "{{ rsyslog_logfiles.stdout_lines }}" - tags: - - cat2 - - medium - - V-38518 - - log_files - - rsyslog - - patch + path: "{{ item }}" + owner: root + follow: yes + state: file + with_items: "{{rsyslog_logfiles.stdout_lines}}" + tags: + - cat2 + - medium + - V-38518 + - log_files + - rsyslog + - patch - name: "MEDIUM | V-38519 | PATCH | All rsyslog-generated log files must be group-owned by root." file: - dest: "{{ item }}" - group: root - state: file - follow: yes - with_items: "{{ rsyslog_logfiles.stdout_lines }}" - tags: - - cat2 - - medium - - V-38519 - - log_files - - rsyslog - - patch + dest: "{{ item }}" + group: root + state: file + follow: yes + with_items: "{{rsyslog_logfiles.stdout_lines}}" + tags: + - cat2 + - medium + - V-38519 + - log_files + - rsyslog + - patch # V-38520 not automatically remediated. See not_automated.yml # V-38521 not automatically remediated. See not_automated.yml 
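Review bot: The V-38501 PATCH tasks replace the `pamd` module with `pam:` (`service`, `pam_module`, `before_line`/`after_line`, `arguments`); `pamd` is the module shipped in Ansible 2.3 core, and I know of no core `pam` module with these options, so unless the role carries one under library/ these tasks will fail to resolve — the same swap appears in the V-38573 PATCH tasks of the following hunk. The V-38501 AUDIT assert checks `"{{ item | integer }} > 900"` while the PATCH writes `fail_interval=900`, so the audit can never pass on a patched host, and `integer` is not a Jinja2 filter (the filter is `int`); the line should read `- "{{ item | int }} >= 900"`. The preceding AUDIT task fails when the `account required pam_faillock.so` line is present (`failed_when: ... | length > 0`) even though the third task then asserts exactly two such lines exist, so one of the two conditions is inverted. Dropping `ignore_errors: yes` from the V-38512 "stop firewalld" task makes the play abort on hosts where firewalld is not installed; either keep it or add `failed_when: "'Could not find the requested service' not in ..."` to fail only on unexpected errors.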
@@ -1163,610 +1152,601 @@ - name: "MEDIUM | V-38523 | AUDIT | The system must not accept IPv4 source-routed packets on any interface." shell: sysctl net.ipv4.conf.all.accept_source_route | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: ipv4_source_routed_packets_any_int_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38523 - - audit - - ipv4 - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38523 + - audit + - ipv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38523 | PATCH | The system must not accept IPv4 source-routed packets on any interface." sysctl: - name: net.ipv4.conf.all.accept_source_route - value: 0 - state: present - reload: yes - tags: - - medium - - cat2 - - V-38523 - - patch - - ipv4 - - sysctl - - kernel_parameters - - network + name: net.ipv4.conf.all.accept_source_route + value: 0 + state: present + reload: yes + tags: + - medium + - cat2 + - V-38523 + - patch + - ipv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38524 | AUDIT | The system must not accept ICMPv4 redirect packets on any interface." shell: sysctl net.ipv4.conf.all.accept_redirects | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: icmpv4_redirect_packets_any_int_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38524 - - audit - - ICMPv4 - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38524 + - audit + - ICMPv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38524 | PATCH | The system must not accept ICMPv4 redirect packets on any interface." 
sysctl: - name: net.ipv4.conf.all.accept_redirects - value: 0 - state: present - reload: yes - tags: - - medium - - cat2 - - V-38524 - - patch - - ICMPv4 - - sysctl - - kernel_parameters - - network + name: net.ipv4.conf.all.accept_redirects + value: 0 + state: present + reload: yes + tags: + - medium + - cat2 + - V-38524 + - patch + - ICMPv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38526 | AUDIT | The system must not accept ICMPv4 secure redirect packets on any interface." shell: sysctl net.ipv4.conf.all.secure_redirects | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: icmpv4_secure_redirect_packets_any_int_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38526 - - audit - - ICMPv4 - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38526 + - audit + - ICMPv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38526 | PATCH | The system must not accept ICMPv4 secure redirect packets on any interface." sysctl: - name: net.ipv4.conf.all.secure_redirects - value: 0 - state: present - reload: yes - tags: - - medium - - cat2 - - V-38526 - - patch - - ICMPv4 - - sysctl - - kernel_parameters - - network + name: net.ipv4.conf.all.secure_redirects + value: 0 + state: present + reload: yes + tags: + - medium + - cat2 + - V-38526 + - patch + - ICMPv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38529 | AUDIT | The system must not accept IPv4 source-routed packets by default." 
shell: sysctl net.ipv4.conf.default.accept_source_route | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: ipv4_source_routed_packets_default_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38529 - - audit - - ipv4 - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38529 + - audit + - ipv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38529 | PATCH | The system must not accept IPv4 source-routed packets by default." sysctl: - name: net.ipv4.conf.default.accept_source_route - value: 0 - state: present - reload: yes - tags: - - medium - - cat2 - - V-38529 - - patch - - ipv4 - - sysctl - - kernel_parameters - - network + name: net.ipv4.conf.default.accept_source_route + value: 0 + state: present + reload: yes + tags: + - medium + - cat2 + - V-38529 + - patch + - ipv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38532 | AUDIT | The system must not accept ICMPv4 secure redirect packets by default." shell: sysctl net.ipv4.conf.default.secure_redirects | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: icmpv4_secure_redirects_default_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38532 - - audit - - ICMPv4 - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38532 + - audit + - ICMPv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38532 | PATCH | The system must not accept ICMPv4 secure redirect packets by default." 
sysctl: - name: net.ipv4.conf.default.secure_redirects - value: 0 - state: present - reload: yes - tags: - - medium - - cat2 - - V-38532 - - patch - - ICMPv4 - - sysctl - - kernel_parameters - - network + name: net.ipv4.conf.default.secure_redirects + value: 0 + state: present + reload: yes + tags: + - medium + - cat2 + - V-38532 + - patch + - ICMPv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38539 | AUDIT | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood." shell: sysctl net.ipv4.tcp_syncookies | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: tcp_syncookies_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38539 - - audit - - tcp - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38539 + - audit + - tcp + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38539 | PATCH | The system must be configured to use TCP syncookies when experiencing a TCP SYN flood." sysctl: - name: net.ipv4.tcp_syncookies - value: 1 - state: present - reload: yes - tags: - - medium - - cat2 - - V-38539 - - patch - - tcp - - sysctl - - kernel_parameters - - network + name: net.ipv4.tcp_syncookies + value: 1 + state: present + reload: yes + tags: + - medium + - cat2 + - V-38539 + - patch + - tcp + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38542 | AUDIT | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces." 
shell: sysctl net.ipv4.conf.all.rp_filter | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: ipv4_reverse_path_filter_all_int_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38542 - - audit - - ipv4 - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38542 + - audit + - ipv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38542 | PATCH | The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces." sysctl: - name: net.ipv4.conf.all.rp_filter - value: 1 - state: present - reload: yes - tags: - - medium - - cat2 - - V-38542 - - patch - - ipv4 - - sysctl - - kernel_parameters - - network + name: net.ipv4.conf.all.rp_filter + value: 1 + state: present + reload: yes + tags: + - medium + - cat2 + - V-38542 + - patch + - ipv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38544 | AUDIT | The system must use a reverse-path filter for IPv4 network traffic when possible by default." shell: sysctl net.ipv4.conf.default.rp_filter | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: ipv4_reverse_path_filter_default_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38544 - - audit - - ipv4 - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38544 + - audit + - ipv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38544 | PATCH | The system must use a reverse-path filter for IPv4 network traffic when possible by default." 
sysctl: - name: net.ipv4.conf.default.rp_filter - value: 1 - state: present - reload: yes - tags: - - medium - - cat2 - - V-38544 - - patch - - ipv4 - - sysctl - - kernel_parameters - - network + name: net.ipv4.conf.default.rp_filter + value: 1 + state: present + reload: yes + tags: + - medium + - cat2 + - V-38544 + - patch + - ipv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38546 | AUDIT | The IPv6 protocol handler must not be bound to the network stack unless needed." shell: grep -rsE '^options\s*ipv6\s*disable=1' /etc/modprobe.conf /etc/modprobe.d | awk -F':' '{print $2}' | awk -F'=' '{print $2}' register: ipv6_protocol_handler_bound_network_stack_audit changed_when: no - always_run: yes + check_mode: no ignore_errors: yes tags: - - V-38546 - - cat2 - - medium - - ipv6 - - network - - always + - V-38546 + - cat2 + - medium + - ipv6 + - network - name: "MEDIUM | V-38546 | PATCH | The IPv6 protocol handler must not be bound to the network stack unless needed." lineinfile: - state: present - create: yes - line: options ipv6 disable=1 - dest: /etc/modprobe.d/disable-ipv6.conf + state: present + create: yes + line: options ipv6 disable=1 + dest: /etc/modprobe.d/disable-ipv6.conf when: ipv6_protocol_handler_bound_network_stack_audit.stdout != 1 tags: - - V-38546 - - cat2 - - medium - - ipv6 - - network - - audit + - V-38546 + - cat2 + - medium + - ipv6 + - network + - audit - name: "MEDIUM | V-38548 | AUDIT | The system must ignore ICMPv6 redirects by default." shell: sysctl net.ipv6.conf.default.accept_redirects | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: icmpv6_ignore_redirects_default_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38548 - - audit - - ICMPv4 - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38548 + - audit + - ICMPv4 + - sysctl + - kernel_parameters + - network - name: "MEDIUM | V-38548 | PATCH | The system must ignore ICMPv6 redirects by default." 
sysctl: - name: net.ipv6.conf.default.accept_redirects - value: 0 - state: present - reload: yes + name: net.ipv6.conf.default.accept_redirects + value: 0 + state: present + reload: yes when: cent7stig_ipv6_in_use tags: - - medium - - cat2 - - V-38548 - - patch - - ICMPv4 - - sysctl - - kernel_parameters - - network + - medium + - cat2 + - V-38548 + - patch + - ICMPv4 + - sysctl + - kernel_parameters + - network - name: | - MEDIUM | V-38549 | AUDIT | The system must employ a local IPv6 firewall. - MEDIUM | V-38553 | PATCH | The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. - command: service ip6tables status + MEDIUM | V-38549 | AUDIT | The system must employ a local IPv6 firewall. + MEDIUM | V-38553 | PATCH | The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. + command: systemctl status ip6tables when: cent7stig_ipv6_in_use changed_when: no - always_run: yes + check_mode: no register: ip6tables_audit ignore_errors: yes tags: - - cat2 - - medium - - iptables - - ip6tables - - V-38549 - - V-38553 - - audit + - cat2 + - medium + - iptables + - ip6tables + - V-38549 + - V-38553 + - audit - name: | - MEDIUM | V-38549 | PATCH | The system must employ a local IPv6 firewall. - MEDIUM | V-38553 | PATCH | The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. + MEDIUM | V-38549 | PATCH | The system must employ a local IPv6 firewall. + MEDIUM | V-38553 | PATCH | The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. 
service: - name: ip6tables - state: started - enabled: yes + name: ip6tables + state: started + enabled: yes when: cent7stig_ipv6_in_use tags: - - cat2 - - medium - - iptables - - ip6tables - - V-38549 - - V-38553 - - patch - -- name: | - MEDIUM | V-38555 | AUDIT | The system must employ a local IPv4 firewall. - MEDIUM | V-38560 | AUDIT | The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. - command: service iptables status + - cat2 + - medium + - iptables + - ip6tables + - V-38549 + - V-38553 + - patch + +- name: | + MEDIUM | V-38555 | AUDIT | The system must employ a local IPv4 firewall. + MEDIUM | V-38560 | AUDIT | The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. + command: systemctl status iptables changed_when: no - always_run: yes + check_mode: no register: iptables_audit ignore_errors: yes tags: - - cat2 - - medium - - iptables - - V-38555 - - V-38560 - - audit + - cat2 + - medium + - iptables + - V-38555 + - V-38560 + - audit -- name: | - MEDIUM | V-38555 | PATCH | The system must employ a local IPv4 firewall. - MEDIUM | V-38560 | PATCH | The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. +- name: | + MEDIUM | V-38555 | PATCH | The system must employ a local IPv4 firewall. + MEDIUM | V-38560 | PATCH | The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. 
service: - name: iptables - state: started - enabled: yes + name: iptables + state: started + enabled: yes tags: - - cat2 - - medium - - iptables - - V-38555 - - V-38560 - - patch + - cat2 + - medium + - iptables + - V-38555 + - V-38560 + - patch - name: "MEDIUM | V-38573 | AUDIT | The system must disable accounts after three consecutive unsuccessful logon attempts." shell: grep -h pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth | grep deny=3 changed_when: no - always_run: yes + check_mode: no register: logon_attempts_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38573 - - logon_settings - - accounts - - audit - - pam + - medium + - cat2 + - V-38573 + - logon_settings + - accounts + - audit + - pam - name: "MEDIUM | V-38573 | PATCH | The system must disable accounts after three consecutive unsuccessful logon attempts." - pamd: - name: "{{ item }}" - new_type: auth - new_control: required - new_module_path: pam_faillock.so - type: auth - control: sufficient - module_path: pam_unix.so - module_arguments: preauth silent deny=3 unlock_time=604800 fail_interval=900 - state: before + pam: + service: "{{ item }}" + type: auth + control: required + pam_module: pam_faillock.so + arguments: preauth silent deny=3 unlock_time=604800 fail_interval=900 + before_line: auth sufficient pam_unix.so + state: present with_items: - - system-auth - - password-auth + - system-auth + - password-auth tags: - - medium - - cat2 - - V-38573 - - logon_settings - - accounts - - patch - - pam + - medium + - cat2 + - V-38573 + - logon_settings + - accounts + - patch + - pam - name: "MEDIUM | V-38573 | PATCH | The system must disable accounts after three consecutive unsuccessful logon attempts." 
- pamd: - name: "{{ item }}" - new_type: auth - new_control: '[default=die]' - new_module_path: pam_faillock.so - type: auth - control: sufficient - module_path: pam_unix.so - module_arguments: authfail deny=3 unlock_time=604800 fail_interval=900 - state: after + pam: + service: "{{ item }}" + type: auth + control: '[default=die]' + pam_module: pam_faillock.so + arguments: authfail deny=3 unlock_time=604800 fail_interval=900 + after_line: auth sufficient pam_unix.so + state: present with_items: - - system-auth - - password-auth + - system-auth + - password-auth tags: - - medium - - cat2 - - V-38573 - - logon_settings - - accounts - - patch - - pam + - medium + - cat2 + - V-38573 + - logon_settings + - accounts + - patch + - pam - name: "MEDIUM | V-38573 | PATCH | The system must disable accounts after three consecutive unsuccessful logon attempts." - pamd: - name: "{{ item }}" - new_type: account - new_control: required - new_module_path: pam_faillock.so - type: account - control: required - module_path: pam_unix.so - state: before + pam: + service: "{{ item }}" + type: account + control: required + pam_module: pam_faillock.so + before_line: account required pam_unix.so + state: present with_items: - - system-auth - - password-auth + - system-auth + - password-auth tags: - - medium - - cat2 - - V-38573 - - logon_settings - - accounts - - patch - - pam + - medium + - cat2 + - V-38573 + - logon_settings + - accounts + - patch + - pam - name: "MEDIUM | V-38574 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." 
- shell: find /etc/pam.d/ -type f -not -name '*.*' + shell: find /etc/pam.d/ -type f -not -name '*.*' changed_when: no register: pamd_files ignore_errors: yes tags: - - medium - - cat2 - - V-38574 - - logon_settings - - accounts - - passwords - - always - - pam + - medium + - cat2 + - V-38574 + - logon_settings + - accounts + - passwords + - pam - name: "MEDIUM | V-38574 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." shell: grep password -h /etc/pam.d/* | grep pam_unix.so | awk '{print $4}' changed_when: no - always_run: yes + check_mode: no register: pam_pwd_hash_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38574 - - logon_settings - - accounts - - passwords - - always + - medium + - cat2 + - V-38574 + - logon_settings + - accounts + - passwords - name: "MEDIUM | V-38574 | PATCH | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." # The PAM module doesn't make sense for this particular rule. Lineinfile works perfectly here. 
lineinfile: - dest: "{{ item }}" - backrefs: yes - regexp: (^password\s*.*pam_unix.so.*)(md5|sha256|blowfish|bigcrypt)(.*) - line: \1sha512\3 - backup: yes - with_items: "{{ pamd_files.stdout_lines }}" - tags: - - medium - - cat2 - - V-38574 - - logon_settings - - accounts - - passwords - - patch - - pam + dest: "{{ item }}" + backrefs: yes + regexp: (^password\s*.*pam_unix.so.*)(md5|sha256|blowfish|bigcrypt)(.*) + line: \1sha512\3 + backup: yes + with_items: "{{pamd_files.stdout_lines}}" + tags: + - medium + - cat2 + - V-38574 + - logon_settings + - accounts + - passwords + - patch + - pam - name: "MEDIUM | V-38576 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs)" shell: grep ENCRYPT_METHOD /etc/login.defs | awk '{print $2}' - always_run: yes + check_mode: no changed_when: no register: login_defs_audit ignore_errors: yes tags: - - audit - - medium - - cat2 - - V-38576 - - passwords + - audit + - medium + - cat2 + - V-38576 + - passwords - name: "MEDIUM | V-38576 | PATCH | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs)" - lineinfile: - state: present - backup: yes - dest: /etc/login.defs - regexp: '^ENCRYPT_METHOD' - line: 'ENCRYPT_METHOD SHA512' - tags: - - cat2 - - medium - - patch - - V-38576 - - passwords + lineinfile: + state: present + backup: yes + dest: /etc/login.defs + regexp: '^ENCRYPT_METHOD' + line: 'ENCRYPT_METHOD SHA512' + tags: + - cat2 + - medium + - patch + - V-38576 + - passwords - name: "MEDIUM | V-38577 | AUDIT | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf)" shell: grep crypt_style /etc/libuser.conf | awk '{print $3}' - always_run: yes + check_mode: no changed_when: no register: libuser_audit ignore_errors: yes tags: - - cat2 - - medium - - audit - - V-38577 - - passwords + - cat2 + - medium + - 
audit + - V-38577 + - passwords - name: "MEDIUM | V-38577 | PATCH | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf)" ini_file: - state: present - backup: yes - dest: /etc/libuser.conf - section: defaults - option: crypt_style - value: sha512 - tags: - - cat2 - - medium - - audit - - V-38577 - - passwords + state: present + backup: yes + dest: /etc/libuser.conf + section: defaults + option: crypt_style + value: sha512 + tags: + - cat2 + - medium + - audit + - V-38577 + - passwords - name: | - MEDIUM | V-38579 | AUDIT | The system boot loader configuration file(s) must be owned by root. - MEDIUM | V-38581 | AUDIT | The system boot loader configuration file(s) must be group-owned by root. - MEDIUM | V-38583 | AUDIT | The system boot loader configuration file(s) must have mode 0600 or less permissive. - stat: - path: /boot/grub2/grub.cfg + MEDIUM | V-38579 | AUDIT | The system boot loader configuration file(s) must be owned by root. + MEDIUM | V-38581 | AUDIT | The system boot loader configuration file(s) must be group-owned by root. + MEDIUM | V-38583 | AUDIT | The system boot loader configuration file(s) must have mode 0600 or less permissive. + stat: + path: /boot/grub2/grub.cfg register: grub_conf_audit - always_run: yes + check_mode: no ignore_errors: yes tags: - - cat2 - - medium - - V-38579 - - V-38581 - - V-38583 - - file_perms - - grub - - audit + - cat2 + - medium + - V-38579 + - V-38581 + - V-38583 + - file_perms + - grub + - audit - name: "MEDIUM | V-38579 | PATCH | The system boot loader configuration file(s) must be owned by root." 
- file: - dest: /boot/grub2/grub.cfg - owner: root - state: file - follow: yes - tags: - - cat2 - - medium - - V-38579 - - file_perms - - grub - - patch + file: + dest: /boot/grub2/grub.cfg + owner: root + state: file + follow: yes + tags: + - cat2 + - medium + - V-38579 + - file_perms + - grub + - patch - name: "MEDIUM | V-38580 | AUDIT | The audit system must be configured to audit the loading and unloading of dynamic kernel modules." shell: egrep -e "(-w |-F path=)/sbin/insmod" /etc/audit/audit.rules; egrep -e "(-w |-F path=)/sbin/modprobe" /etc/audit/audit.rules; egrep -e "(-w |-F path=)/sbin/rmmod" /etc/audit/audit.rules;grep -w "init_module" /etc/audit/audit.rules; grep -w "init_module" /etc/audit/audit.rules - always_run: yes + check_mode: no changed_when: false register: dynamic_kernel_loading_audit ignore_errors: yes 
@@ -1780,613 +1760,610 @@ - name: "MEDIUM | V-38580 | PATCH | The audit system must be configured to audit the loading and unloading of dynamic kernel modules." lineinfile: - backup: yes - line: "{{ item }}" - dest: /etc/audit/audit.rules - state: present + backup: yes + line: "{{ item }}" + dest: /etc/audit/audit.rules + state: present with_items: - - -w /sbin/insmod -p x -k modules - - -w /sbin/rmmod -p x -k modules - - -w /sbin/modprobe -p x -k modules - - -a always,exit -F arch=b{{ansible_architecture | regex_replace('.*_(\\d*)','\\\\1')}} -S init_module -S delete_module -k modules + - -w /sbin/insmod -p x -k modules + - -w /sbin/rmmod -p x -k modules + - -w /sbin/modprobe -p x -k modules + - -a always,exit -F arch=b{{ansible_architecture | regex_replace('.*_(\\d*)','\\\\1')}} -S init_module -S delete_module -k modules tags: - cat2 - medium - - patch + - patch - kernel - auditd - V-38580 - name: "MEDIUM | V-38581 | PATCH | The system boot loader configuration file(s) must be group-owned by root" - file: - path: /boot/grub2/grub.cfg - group: root - follow: yes - tags: - - cat2 - - V-38583 - - file_perms - - medium - - patch - - grub + file: + path: /boot/grub2/grub.cfg + group: root + follow: yes + tags: + - cat2 + - V-38583 + - file_perms + - medium + - patch + - grub # If any xinted service is found to be on, skip these tasks since xinetd can be on if a service is using it - name: "MEDIUM | V-38582 | AUDIT | The xinetd service must be disabled if no network services utilizing it are enabled" shell: "systemctl status xinetd" changed_when: no - always_run: yes + check_mode: no register: xinetd_services failed_when: xinetd_services.stderr ignore_errors: yes tags: - - cat2 - - V-38582 - - medium - - xinetd - - services - - always + - cat2 + - V-38582 + - medium + - xinetd + - services -- name: "MEDIUM | V-38582 | PATCH | The xinetd service must be disabled if no network services utilizing it are enabled" - service: - name: xinetd - enabled: no - state: stopped +- 
name: "MEDIUM | V-38582 | PATCH | The xinetd service must be disabled if no network services utilizing it are enabled" + service: + name: xinetd + enabled: no + state: stopped when: xinetd_services.stdout and '(running)' not in xinetd_services.stdout - tags: - - cat2 - - medium - - V-38582 - - xinetd - - services - - patch - -- name: "MEDIUM | V-38583| PATCH | The system boot loader configuration file(s) must have mode 0600 or less permissive." - file: - path: /boot/grub2/grub.cfg - mode: u-x,go-rwx - follow: yes - tags: - - cat2 - - V-38583 - - file_perms - - medium - - patch - - grub + tags: + - cat2 + - medium + - V-38582 + - xinetd + - services + - patch + +- name: "MEDIUM | V-38583| PATCH | The system boot loader configuration file(s) must have mode 0600 or less permissive." + file: + path: /boot/grub2/grub.cfg + mode: u-x,go-rwx + follow: yes + tags: + - cat2 + - V-38583 + - file_perms + - medium + - patch + - grub - name: "MEDIUM | V-38585 | AUDIT | The system boot loader must require authentication." shell: 'grep password /boot/grub2/grub.cfg | grep -v encrypted' - always_run: yes + check_mode: no changed_when: no register: grub_auth_audit failed_when: grub_auth_audit.stdout_lines|length > 0 ignore_errors: yes tags: - - cat2 - - medium - - V-38585 - - grub - - passwords - - always + - cat2 + - medium + - V-38585 + - grub + - passwords - name: "MEDIUM | V-38585 | PATCH | The system boot loader must require authentication." grub_crypt: - password: "{{ cent7stig_bootloader_password }}" + password: "{{ cent7stig_bootloader_password }}" register: grub_pass when: grub_auth_audit.failed == true tags: - - cat2 - - medium - - V-38585 - - grub - - passwords - - patch + - cat2 + - medium + - V-38585 + - grub + - passwords + - patch - name: "MEDIUM | V-38585 | PATCH | The system boot loader must require authentication." 
lineinfile: - state: present - line: password --encrypted {{ grub_pass.passhash }} - dest: /boot/grub2/grub.cfg - follow: yes - insertafter: '^#\\s' - regexp: password + state: present + line: password --encrypted {{ grub_pass.passhash }} + dest: /boot/grub2/grub.cfg + follow: yes + insertafter: '^#\\s' + regexp: password when: grub_auth_audit.failed == true tags: - - cat2 - - medium - - V-38585 - - grub - - passwords - - patch + - cat2 + - medium + - V-38585 + - grub + - passwords + - patch - name: "MEDIUM | V-38586 | AUDIT | The system must require authentication upon booting into single-user and maintenance modes." command: grep SINGLE /etc/sysconfig/init changed_when: no - always_run: yes + check_mode: no register: single_user_mode_auth_audit ignore_errors: yes tags: - - cat2 - - medium - - V-38585 - - root_access - - audit + - cat2 + - medium + - V-38585 + - root_access + - audit - name: "MEDIUM | V-38586 | PATCH | The system must require authentication upon booting into single-user and maintenance modes." - lineinfile: - state: present - backup: yes - dest: /etc/sysconfig/init - regexp: '^(#)?SINGLE' - line: 'SINGLE=/sbin/sulogin' - tags: - - cat2 - - medium - - V-38585 - - root_access - - patch + lineinfile: + state: present + backup: yes + dest: /etc/sysconfig/init + regexp: '^(#)?SINGLE' + line: 'SINGLE=/sbin/sulogin' + tags: + - cat2 + - medium + - V-38585 + - root_access + - patch - name: "MEDIUM | V-38588 | AUDIT | The system must not permit interactive boot." command: grep PROMPT /etc/sysconfig/init - always_run: yes + check_mode: no changed_when: no register: interactive_boot_audit ignore_errors: yes tags: - - cat2 - - medium - - V-38588 - - interactive_boot - - audit + - cat2 + - medium + - V-38588 + - interactive_boot + - audit - name: "MEDIUM | V-38588 | PATCH | The system must not permit interactive boot." 
lineinfile: - state: present - backup: yes - dest: /etc/sysconfig/init - regexp: '^PROMPT=' - line: 'PROMPT=no' - tags: - - cat2 - - medium - - V-38588 - - interactive_boot - - patch - -- name: "MEDIUM | V-38592 | AUDIT | The system must require administrator action to unlock an account locked by excessive failed login attempts." + state: present + backup: yes + dest: /etc/sysconfig/init + regexp: '^PROMPT=' + line: 'PROMPT=no' + tags: + - cat2 + - medium + - V-38588 + - interactive_boot + - patch + +- name: "MEDIUM | V-38592 | AUDIT | The system must require administrator action to unlock an account locked by excessive failed login attempts." shell: grep -h pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth | grep unlock_time changed_when: no - always_run: yes + check_mode: no register: admin_unlock_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38592 - - logon_settings - - accounts - - audit - - pam - -- name: "MEDIUM | V-38592 | PATCH | The system must require administrator action to unlock an account locked by excessive failed login attempts." - pamd: - name: "{{ item }}" - new_type: auth - new_control: required - new_module_path: pam_faillock.so - type: auth - module_path: pam_unix.so - control: sufficient - module_arguments: preauth silent deny=3 unlock_time=604800 fail_interval=900 - state: before + - medium + - cat2 + - V-38592 + - logon_settings + - accounts + - audit + - pam + +- name: "MEDIUM | V-38592 | PATCH | The system must require administrator action to unlock an account locked by excessive failed login attempts." 
+ pam: + service: "{{ item }}" + type: auth + control: required + pam_module: pam_faillock.so + arguments: preauth silent deny=3 unlock_time=604800 fail_interval=900 + before_line: auth sufficient pam_unix.so + state: present with_items: - - system-auth - - password-auth - tags: - - medium - - cat2 - - V-38573 - - logon_settings - - accounts - - patch - - pam - -- name: "MEDIUM | V-38592 | PATCH | The system must require administrator action to unlock an account locked by excessive failed login attempts." - pamd: - name: "{{ item }}" - new_type: auth - new_control: '[default=die]' - new_module_path: pam_faillock.so - module_arguments: authfail deny=3 unlock_time=604800 fail_interval=900 - type: auth - control: sufficient - module_path: pam_unix.so - state: after + - system-auth + - password-auth + tags: + - medium + - cat2 + - V-38573 + - logon_settings + - accounts + - patch + - pam + +- name: "MEDIUM | V-38592 | PATCH | The system must require administrator action to unlock an account locked by excessive failed login attempts." + pam: + service: "{{ item }}" + type: auth + control: '[default=die]' + pam_module: pam_faillock.so + arguments: authfail deny=3 unlock_time=604800 fail_interval=900 + after_line: auth sufficient pam_unix.so + state: present with_items: - - system-auth - - password-auth - tags: - - medium - - cat2 - - V-38573 - - logon_settings - - accounts - - patch - - pam - -- name: "MEDIUM | V-38592 | PATCH | The system must require administrator action to unlock an account locked by excessive failed login attempts." 
- pamd: - name: "{{ item }}" - new_type: account - new_control: required - new_module_path: pam_faillock.so - type: account - control: required - module_path: pam_unix.so - state: before + - system-auth + - password-auth + tags: + - medium + - cat2 + - V-38573 + - logon_settings + - accounts + - patch + - pam + +- name: "MEDIUM | V-38592 | PATCH | The system must require administrator action to unlock an account locked by excessive failed login attempts." + pam: + service: "{{ item }}" + type: account + control: required + pam_module: pam_faillock.so + before_line: account required pam_unix.so + state: present with_items: - - system-auth - - password-auth + - system-auth + - password-auth tags: - - medium - - cat2 - - V-38573 - - logon_settings - - accounts - - patch - - pam + - medium + - cat2 + - V-38573 + - logon_settings + - accounts + - patch + - pam - name: "MEDIUM | V-38593 | AUDIT | The Department of Defense (DoD) login banner must be displayed immediately prior to or as part of console login prompts" command: cat /etc/issue changed_when: no - always_run: yes + check_mode: no register: login_banner_audit ignore_errors: yes - tags: - - cat2 - - medium - - V-38593 - - logon_settings - - dod_logon_banner - - audit + tags: + - cat2 + - medium + - V-38593 + - logon_settings + - dod_logon_banner + - audit - name: "MEDIUM | V-38593 | PATCH | The Department of Defense (DoD) login banner must be displayed immediately prior to or as part of console login prompts" - copy: - src: issue - dest: /etc/{{ item }} - owner: root - group: root - mode: "0644" - backup: yes + copy: + src: issue + dest: /etc/{{ item }} + owner: root + group: root + mode: "0644" + backup: yes with_items: - issue - issue.net - tags: - - cat2 - - medium - - V-38593 - - logon_settings - - dod_logon_banner - - patch + tags: + - cat2 + - medium + - V-38593 + - logon_settings + - dod_logon_banner + - patch -# Not automated: V-38595 | The system must be configured to require the use of a CAC, PIV 
compliant hardware token, or Alternate Logon Token (ALT) for authentication. +# Not automated: V-38595 | The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication. - name: "MEDIUM | V-38596 | AUDIT | The system must implement virtual address space randomization." shell: sysctl kernel.randomize_va_space | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: virt_addr_space_randomization_audit ignore_errors: yes - tags: - - cat2 - - audit - - medium - - sysctl - - kernel - - V-38596 + tags: + - cat2 + - audit + - medium + - sysctl + - kernel + - V-38596 - name: "MEDIUM | V-38596 | PATCH | The system must implement virtual address space randomization." sysctl: - name: kernel.randomize_va_space - value: 2 - state: present - reload: yes - tags: - - cat2 - - patch - - medium - - sysctl - - kernel - - V-38596 + name: kernel.randomize_va_space + value: 2 + state: present + reload: yes + tags: + - cat2 + - patch + - medium + - sysctl + - kernel + - V-38596 - name: "MEDIUM | V-38597 | AUDIT | The system must limit the ability of processes to have simultaneous write and execute access to memory." shell: sysctl kernel.exec-shield | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: simultaneous_wr_memory_audit ignore_errors: yes tags: - - cat2 - - audit - - medium - - sysctl - - kernel - - V-38597 + - cat2 + - audit + - medium + - sysctl + - kernel + - V-38597 - name: "MEDIUM | V-38597 | PATCH | The system must limit the ability of processes to have simultaneous write and execute access to memory." 
sysctl: - name: kernel.exec-shield - value: 1 - state: present - reload: yes + name: kernel.exec-shield + value: 1 + state: present + reload: yes #dsmorse: from what I can tell RHEL & Cent 7 do not allow you configure exec-shield, I expect this to change in the final STIG when: "(ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version < 7" tags: - - cat2 - - patch - - medium - - sysctl - - kernel - - V-38597 + - cat2 + - patch + - medium + - sysctl + - kernel + - V-38597 - name: "MEDIUM | V-38599 | AUDIT | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner" shell: grep banner_file /etc/vsftpd/vsftpd.conf | cut -f2- -d'=' | xargs cat changed_when: no - always_run: yes + check_mode: no register: vsftpd_banner_audit ignore_errors: yes when: vsftpd_services.stdout_lines|length > 0 tags: - - cat2 - - medium - - V-38599 - - vsftp - - dod_logon_banner - - logon_settings - - audit + - cat2 + - medium + - V-38599 + - vsftp + - dod_logon_banner + - logon_settings + - audit - name: "MEDIUM | V-38599 | PATCH | The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner" - lineinfile: - state: present - backup: yes - dest: /etc/vsftpd/vsftpd.conf - regexp: '^#?banner_file' - line: 'banner_file=/etc/issue' + lineinfile: + state: present + backup: yes + dest: /etc/vsftpd/vsftpd.conf + regexp: '^#?banner_file' + line: 'banner_file=/etc/issue' when: vsftpd_services.stdout_lines|length > 0 notify: restart vsftpd - tags: - - cat2 - - medium - - V-38599 - - vsftp - - dod_logon_banner - - logon_settings - - patch + tags: + - cat2 + - medium + - V-38599 + - vsftp + - dod_logon_banner + - logon_settings + - patch - name: "MEDIUM | V-38600 | AUDIT | The system must not send ICMPv4 redirects by default." 
shell: sysctl net.ipv4.conf.default.send_redirects | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: icmpv4_redirects_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38600 - - icmp - - sysctl - - audit + - medium + - cat2 + - V-38600 + - icmp + - sysctl + - audit - name: "MEDIUM | V-38600 | PATCH | The system must not send ICMPv4 redirects by default." sysctl: - name: net.ipv4.conf.default.send_redirects - value: 0 - reload: yes + name: net.ipv4.conf.default.send_redirects + value: 0 + reload: yes tags: - - medium - - cat2 - - V-38600 - - icmp - - sysctl - - patch + - medium + - cat2 + - V-38600 + - icmp + - sysctl + - patch - name: "MEDIUM | V-38601 | AUDIT | The system must not send ICMPv4 redirects from any interface." shell: sysctl net.ipv4.conf.all.send_redirects | awk '{print $3}' changed_when: no - always_run: yes + check_mode: no register: any_iface_icmp_redirect_audit ignore_errors: yes tags: - - medium - - cat2 - - V-38601 - - icmp - - sysctl - - audit + - medium + - cat2 + - V-38601 + - icmp + - sysctl + - audit - name: "MEDIUM | V-38601 | PATCH | The system must not send ICMPv4 redirects from any interface." sysctl: - name: net.ipv4.conf.all.send_redirects - value: 0 - reload: yes + name: net.ipv4.conf.all.send_redirects + value: 0 + reload: yes tags: - - medium - - cat2 - - V-38601 - - icmp - - sysctl - - patch + - medium + - cat2 + - V-38601 + - icmp + - sysctl + - patch - name: "MEDIUM | V-38603 | AUDIT | The ypserv package must not be installed." command: rpm -q ypserv - always_run: yes + check_mode: no changed_when: no register: ypserv_audit ignore_errors: yes tags: - - medium - - V-38603 - - audit - - cat2 - - ypserv - - packages + - medium + - V-38603 + - audit + - cat2 + - ypserv + - packages - name: "MEDIUM | V-38603 | PATCH | The ypserv package must not be installed." 
yum: - name: ypserv - state: absent + name: ypserv + state: absent tags: - - medium - - V-38603 - - patch - - cat2 - - ypserv - - packages + - medium + - V-38603 + - patch + - cat2 + - ypserv + - packages - name: "MEDIUM | V-38604 | AUDIT | The ypbind service must not be running." command: chkconfig "ypbind" --list - changed_when: no - always_run: yes + changed_when: no + check_mode: no register: ypbind_service_audit failed_when: "'No such file or directory' not in ypbind_service_audit.stderr" ignore_errors: yes tags: - - medium - - V-38604 - - audit - - cat2 - - ypbind - - services + - medium + - V-38604 + - audit + - cat2 + - ypbind + - services - name: "MEDIUM | V-38604 | PATCH | The ypbind service must not be running." + #if the service is not installed it is by default not enabled so that is a pass + when: "'service ypbind: No such file' not in ypbind_service_audit.stderr" service: - name: ypbind - state: stopped - enabled: no - ignore_errors: yes + name: ypbind + state: stopped + enabled: no tags: - - medium - - V-38604 - - patch - - cat2 - - ypbind - - services + - medium + - V-38604 + - patch + - cat2 + - ypbind + - services - name: "MEDIUM | V-38605 | AUDIT | The cron service must be running" - command: service crond status + command: systemctl status crond changed_when: no - always_run: yes + check_mode: no ignore_errors: yes register: crond_status_audit tags: - - medium - - cat2 - - cron - - audit - - V-38605 - - services + - medium + - cat2 + - cron + - audit + - V-38605 + - services - name: "MEDIUM | V-38605 | PATCH | The cron service must be running" service: - name: crond - state: started - enabled: yes + name: crond + state: started + enabled: yes tags: - - medium - - cat2 - - cron - - patch - - V-38605 - - services + - medium + - cat2 + - cron + - patch + - V-38605 + - services - name: "MEDIUM | V-38606 | AUDIT | The tftp-server package must not be installed unless required." 
command: rpm -q tftp-server - always_run: yes + check_mode: no changed_when: no register: tftp_server_install_audit when: not cent7stig_tftp_required ignore_errors: yes tags: - - medium - - cat2 - - V-38606 - - tftp - - packages - - audit + - medium + - cat2 + - V-38606 + - tftp + - packages + - audit - name: "MEDIUM | V-38606 | PATCH | The tftp-server packages must not be intalled unless required." yum: - name: tftp-server - state: absent + name: tftp-server + state: absent when: not cent7stig_tftp_required tags: - - medium - - cat2 - - V-38606 - - tftp - - packages - - patch + - medium + - cat2 + - V-38606 + - tftp + - packages + - patch - name: "MEDIUM | V-38609 | AUDIT | The TFTP service must not be running." command: chkconfig "tftp" --list - always_run: yes + check_mode: no changed_when: no ignore_errors: yes + register: tftp_service_audit + failed_when: "'No such file or directory' not in tftp_service_audit.stderr" tags: - - medium - - cat2 - - V-38609 - - audit - - tftp - - services - + - medium + - cat2 + - V-38609 + - audit + - tftp + - services + - name: "MEDIUM | V-38609 | PATCH | The TFTP service must not be running." + #if the service is not installed it is by default not enabled so that is a pass + when: "'service tftp: No such file' not in tftp_service_audit.stderr" service: - name: tftp - state: stopped - enabled: no - ignore_errors: yes + name: tftp + state: stopped + enabled: no tags: - - medium - - cat2 - - V-38609 - - tftp - - services - - patch + - medium + - cat2 + - V-38609 + - tftp + - services + - patch - name: "MEDIUM | V-38611 | AUDIT | The SSH daemon must ignore .rhosts files." 
 command: grep -i IgnoreRhosts /etc/ssh/sshd_config
- always_run: yes
+ check_mode: no
 changed_when: no
 register: sshd_rhosts_ignore_audit
 ignore_errors: yes
 tags:
- - medium
- - cat2
- - V-38611
- - ssh
- - rhosts
- - sshd
- - audit
+ - medium
+ - cat2
+ - V-38611
+ - ssh
+ - rhosts
+ - sshd
+ - audit
 - name: "MEDIUM | V-38611 | PATCH | The SSH daemon must ignore .rhosts files."
 lineinfile:
- state: present
- regexp: '^#?IgnoreRhosts'
- line: IgnoreRhosts yes
- dest: /etc/ssh/sshd_config
- tags:
- - cat2
- - medium
- - V-38611
- - rhosts
- - sshd
- - patch
+ state: present
+ regexp: '^#?IgnoreRhosts'
+ line: IgnoreRhosts yes
+ dest: /etc/ssh/sshd_config
+ tags:
+ - cat2
+ - medium
+ - V-38611
+ - rhosts
+ - sshd
+ - patch
 # Search for world writable files and print them out if any are found
 - name: "MEDIUM | V-38643 | PATCH | Looking for world-writable files on the system"
 command: find / -xdev -type f -perm -002
 register: world_writable_files
+ check_mode: no
 changed_when: false
 tags: [ 'cat2' , 'V-38643', 'file_perms' ]
@@ -2413,6 +2390,7 @@
 - name: "MEDIUM | V-38652 | PATCH | Checking for nfs mounts missing the 'nodev' option"
 shell: mount | grep 'type nfs' | grep -v 'nodev'
 changed_when: false
+ check_mode: no
 register: nfs_mounts_missing_nodev
 failed_when: nfs_mounts_missing_nodev.stderr
 tags: [ 'cat2' , 'V-38652' , 'nfs' ]
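Review bot: Dropping the `always` tag from the V-38582 xinetd audit and the V-38585 grub audit in this hunk (and from the V-38574 `find /etc/pam.d/` task in the previous hunk) breaks the patch-only runs the README advertises: under `--tags patch` those registering tasks no longer execute, so `xinetd_services.stdout`, `grub_auth_audit.failed` and `pamd_files.stdout_lines` are undefined when the PATCH tasks evaluate them and the play errors out instead of hardening. Keep `always` on the registering tasks, or guard each consumer with `when: xinetd_services is defined and ...`. Several STIG tags on the new side also name the wrong control — the V-38581 grub.cfg group task is tagged `V-38583`, both V-38586 `/etc/sysconfig/init` tasks are tagged `V-38585`, and all three V-38592 `pam:` tasks are tagged `V-38573` — so a `--tags V-38592` run silently skips its own remediation. The `pam:` module these tasks switch to (`pam_module`, `before_line`, `after_line`) is not in Ansible 2.3 core whereas the removed `pamd:` form is; if it is a role-local module under `library/` the commit message should say so, since no such file appears in the diffstat. Separately, the V-38585 `lineinfile` writes a GRUB-legacy `password --encrypted` stanza into the generated `/boot/grub2/grub.cfg`, which grub2-mkconfig rewrites on the next kernel update; on a 7.3 target the `set superusers`/`password_pbkdf2` entries belong under `/etc/grub.d/` followed by a regeneration, so this task likely needs reworking rather than re-indenting.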
@@ -2432,13 +2410,14 @@
 - name: "MEDIUM | V-38652 | PATCH | Checking for nfs mounts missing the 'nosuid' option"
 shell: mount | grep 'type nfs' | grep -v 'nosuid'
 changed_when: false
+ check_mode: no
 failed_when: nfs_mounts_missing_nosuid.stderr
 register: nfs_mounts_missing_nosuid
 tags: [ 'cat2' , 'V-38652' , 'nfs' ]
 - name: "MEDIUM | V-38652 | PATCH | Remote file systems must be mounted with the nosuid option"
- debug: var=nfs_mounts_missing_nosuid.stdout_lines
 when: nfs_mounts_missing_nosuid.stdout
+ debug: var=nfs_mounts_missing_nosuid.stdout_lines
 tags: [ 'cat2' , 'V-38652' , 'nfs' ]
 - name: "MEDIUM | V-38652 | PATCH | Remote file systems must be mounted with the nosuid option"
@@ -2447,7 +2426,7 @@
 tags: [ 'cat2' , 'V-38652' , 'nfs' ]
 - name: "MEDIUM | V-38664 | PATCH | The system package management tool must verify ownership on all files and directories associated with the audit package
- MEDIUM | V-38665 | PATCH | The system package management tool must verify group-ownership on all files and directories associated with the audit package"
+ MEDIUM | V-38665 | PATCH | The system package management tool must verify group-ownership on all files and directories associated with the audit package"
 shell: "rpm -V audit | grep '^.....\\(U\\.\\|\\.G\\|UG\\)'"
 register: audit_ownership
 changed_when: audit_ownership.stdout != ''
@@ -2466,7 +2445,7 @@
 # Look for prior versions of SNMP in use and disable them if found
 - name: "MEDIUM | | PATCH | Check for SNMP config"
 stat:
- path: /etc/snmp/snmpd.conf
+ path: /etc/snmp/snmpd.conf
 register: snmpconf_test
 - name: "MEDIUM | V-38660 | PATCH | Checking SNMP versions in use"
@@ -2497,24 +2476,24 @@
 - name: "MEDIUM | V-38671 | PATCH | Ensure postfix is installed"
 yum:
- name: postfix
- state: present
+ name: postfix
+ state: present
 when: cent7stig_install_packages
 tags:
- - cat2
- - V-38671
- - patch
+ - cat2
+ - V-38671
+ - patch
 - name: "MEDIUM | V-38671 | PATCH | The sendmail package must be removed"
 yum:
- name: sendmail
- state: absent
+ name: sendmail
+ state: absent
 tags:
- - cat2
- - V-38671
- - patch
- - sendmail
- - unauthorized_packages
+ - cat2
+ - V-38671
+ - patch
+ - sendmail
+ - unauthorized_packages
 - name: "MEDIUM | V-38674 | PATCH | X Windows must not be enabled unless required"
 lineinfile:
@@ -2536,6 +2515,7 @@
 # are named like 'ifcfg-eth0.2014-07-18@13:19~' and will match the glob.
 - name: "MEDIUM | V-38679 | AUDIT | List interface config files"
 shell: ls /etc/sysconfig/network-scripts/ifcfg-* | grep -v $(date +%Y)
+ check_mode: no
 changed_when: false
 register: interface_config_files
 tags:
@@ -2543,7 +2523,6 @@
 - V-38679
 - network
 - dhcp
- - always
 - name: "MEDIUM | V-38679 | PATCH | The DHCP client must be disabled if not needed"
 lineinfile:
@@ -2552,7 +2531,7 @@
 regexp: '^BOOTPROTO='
 line: 'BOOTPROTO=\"none\"'
 backup: no
- with_items: "{{ interface_config_files.stdout_lines }}"
+ with_items: "{{interface_config_files.stdout_lines}}"
 register: dhcp_change
 when: interface_config_files.stdout and not cent7stig_use_dhcp
 tags: [ 'cat2' , 'V-38679' , 'network' , 'dhcp' ]
@@ -2596,11 +2575,11 @@ tags: [ 'cat2' , 'V-38682' , 'kernel_modules' , 'bluetooth' ] - name: "MEDIUM | | PATCH | V-38670 Medium The operating system must detect unauthorized changes to software and information.\n - \tMEDIUM | | PATCH | V-38673 Medium The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.\n - \tMEDIUM | | PATCH | V-38695 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries\n - \tMEDIUM | | PATCH | V-38696 Medium The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system\n - \tMEDIUM | | PATCH | V-38698 Medium The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency\n - \tMEDIUM | | PATCH | V-38700 Medium The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs" + \tMEDIUM | | PATCH | V-38673 Medium The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.\n + \tMEDIUM | | PATCH | V-38695 Medium A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries\n + \tMEDIUM | | PATCH | V-38696 Medium The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system\n + \tMEDIUM | | PATCH | 
V-38698 Medium The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency\n + \tMEDIUM | | PATCH | V-38700 Medium The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs" cron: > name='Run AIDE integrity check weekly' minute={{ cent7stig_aide_cron["aide_minute"] | default('05') }} @@ -2613,7 +2592,7 @@ - name: "MEDIUM | V-38519 | PATCH | Check file state and type to avoid hard link failures" stat: path={{ item }} - with_items: "{{ rsyslog_logfiles.stdout_lines }}" + with_items: rsyslog_log_files.stdout_lines register: log_files_st tags: [ 'cat2' , 'V-38519' , 'V-38518' , 'V-38623' , 'file_perms' ] @@ -2629,7 +2608,7 @@ file: state: absent dest: ~{{ item }}/.netrc - with_items: "{{ users.stdout_lines }}" + with_items: "{{users.stdout_lines}}" tags: [ 'cat2' , 'V-38619' , 'netrc' ] - name: "MEDIUM | V-38620 | PATCH | Installing NTP for V-38620 Medium/V-38621 Medium" 
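Review bot: `with_items: rsyslog_log_files.stdout_lines` in the -2613 hunk both renames the registered variable (the removed line read `rsyslog_logfiles`) and drops the `{{ }}`; if the task that registers it, outside this hunk, still uses `rsyslog_logfiles`, the loop now references an undefined variable. Bare variable names in `with_items` also trigger Ansible 2.x's "Using bare variables is deprecated" warning and, as far as I know, stop working in later releases, so I'd keep the full form: `with_items: "{{ rsyslog_log_files.stdout_lines }}"`. The same bare-variable form is introduced in the cat3 hunks at -36 (`rpm_verify_packages.stdout_lines` and the `*_audit.results` loops) and -309 (`repo_d_gpgcheck_check_audit.stdout_lines`), while the -2629 hunk keeps the `{{users.stdout_lines}}` form, so the file now mixes both styles.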
@@ -2672,8 +2651,8 @@ tags: [ 'cat2' , 'V-38629' , 'gui' , 'screen_lock' ] - name: "MEDIUM | V-38628 | PATCH | The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event - \tMEDIUM | V-38631 | PATCH | The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods - \tMEDIUM | V-38632 | PATCH | The operating system must produce audit records containing sufficient information to establish what type of events occurred." + \tMEDIUM | V-38631 | PATCH | The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods + \tMEDIUM | V-38632 | PATCH | The operating system must produce audit records containing sufficient information to establish what type of events occurred." service: name=auditd state=started enabled=yes tags: [ 'cat2' , 'V-38628' , 'V-38631' , 'V-38632' , 'auditd' ] @@ -2685,6 +2664,7 @@ - name: "MEDIUM | V-38637 | PATCH | Check for auditd files that have a different hash than rpm expects" shell: "rpm -V audit | awk '$1 ~ /..5/ && $2 != \"c\"'" changed_when: false + check_mode: no register: audit_integrity_check failed_when: audit_integrity_check.stderr tags: [ 'cat2' , 'V-38637' , 'auditd' , 'rpm' ] @@ -2692,6 +2672,8 @@ - name: "MEDIUM | V-38637 | PATCH | The system package management tool must verify contents of all files associated with the audit package" command: yum -y reinstall audit when: audit_integrity_check.stdout + args: + warn: false tags: [ 'cat2' , 'V-38637' , 'auditd' , 'rpm' ] - name: "MEDIUM | V-38622 | PATCH | Mail relaying must be restricted" 
@@ -2703,18 +2685,19 @@ # sysctl kernel settings - name: "MEDIUM | V-38617 | PATCH | The SSH daemon must be configured to use only FIPS 140-2 approved ciphers - \tMEDIUM | V-38611 | PATCH | The SSH daemon must ignore .rhosts files - \tMEDIUM | V-38612 | PATCH | The SSH daemon must not allow host-based authentication - \tMEDIUM | V-38613 | PATCH | The system must not permit root logins using remote access programs such as ssh" + \tMEDIUM | V-38611 | PATCH | The SSH daemon must ignore .rhosts files + \tMEDIUM | V-38612 | PATCH | The SSH daemon must not allow host-based authentication + \tMEDIUM | V-38613 | PATCH | The system must not permit root logins using remote access programs such as ssh" lineinfile: > state={{ item.st }} - backup=yes dest=/etc/ssh/sshd_config + backup=yes + dest=/etc/ssh/sshd_config regexp={{ item.rx }} line={{ item.ln }} with_items: - - { st: 'present', rx: "'^#?Ciphers'", ln: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" } - - { st: 'present', rx: "'^#?HostbasedAuthentication'", ln: "HostbasedAuthentication no" } - - { st: 'present', rx: "'^#?PermitRootLogin'", ln: "PermitRootLogin no" } + - { st: 'present', rx: '^#?Ciphers', ln: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' } + - { st: 'present', rx: '^#?HostbasedAuthentication', ln: 'HostbasedAuthentication no' } + - { st: 'present', rx: '^#?PermitRootLogin', ln: 'PermitRootLogin no' } tags: [ 'cat2' , 'V-38617' , 'V-38611' , 'V-38612' , 'V-38613', 'ssh' ] notify: restart ssh 
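Review bot: The task name covers V-38611 ("The SSH daemon must ignore .rhosts files") but the `with_items` list only sets Ciphers, HostbasedAuthentication and PermitRootLogin — there is no item for `IgnoreRhosts`, so that requirement is not enforced by this task; add `- { st: 'present', rx: '^#?IgnoreRhosts', ln: 'IgnoreRhosts yes' }`. The Ciphers value also keeps `aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc`; I believe that list comes from the RHEL 6 STIG this role's V-386xx IDs belong to, and for a CentOS 7 target the RHEL 7 guidance as I recall it allows only the CTR modes (`aes128-ctr,aes192-ctr,aes256-ctr`), so it is worth confirming which baseline this "Cent7.3" cleanup is meant to track. The `lineinfile: >` folded scalar is otherwise fine now that the nested quotes are gone from `rx`.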
@@ -2725,8 +2708,8 @@ regexp={{ item.rx }} line={{ item.ln }} with_items: - - { st: 'present', rx: "'^#?Banner'", ln: "Banner /etc/issue" } - - { st: 'present', rx: "'^(#)?PrintLastLog'", ln: "PrintLastLog yes" } + - { st: 'present', rx: '^#?Banner', ln: 'Banner /etc/issue' } + - { st: 'present', rx: '^(#)?PrintLastLog', ln: 'PrintLastLog yes' } tags: [ 'cat2' , 'V-38615' , 'V-38484' , 'ssh' , 'logon_settings' , 'dod_logon_banner' ] notify: restart ssh diff --git a/tasks/cat3.yml b/tasks/cat3.yml index 5c7174b..951bdef 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml @@ -6,27 +6,29 @@ register: autofs_service_audit changed_when: false failed_when: "'No such file or directory' not in autofs_service_audit.stderr" - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38437 - - autofs - - services - - audit + - cat3 + - low + - V-38437 + - autofs + - services + - audit - name: "LOW | V-38437 | PATCH | Automated file system mounting tools must not be enabled unless needed." + #if the service is not installed it is by default not enabled so that is a pass + when: "'service autofs: No such file' not in autofs_service_audit.stderr" service: - name: autofs - state: stopped - enabled: no + name: autofs + state: stopped + enabled: no tags: - - cat3 - - low - - V-38437 - - autofs - - services - - patch + - cat3 + - low + - V-38437 + - autofs + - services + - patch # V-38438 grub 
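Review bot: In the cat3 -6 hunk the new guard `when: "'service autofs: No such file' not in autofs_service_audit.stderr"` keys off a different substring of the same chkconfig error than the audit task's `failed_when` two lines above (`'No such file or directory'`); if the wording ever differs between them one task will fail while the other runs, so I'd match on a single string in both places. The comment introduced above it should be `# if the service is not installed ...` (space after `#`, per yamllint), and placing `when:` between `- name:` and `service:` is unusual for this file, where `when` otherwise follows the module arguments. The audit task's head is above the hunk, so the command it runs is not visible here.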
@@ -36,115 +38,114 @@ changed_when: false failed_when: false register: rpm_verify_packages - always_run: yes + check_mode: no when: cent7stig_update_packages tags: - - cat3 - - low - - V-38447 - - V-38452 - - V-38453 - - V-38454 - - always + - cat3 + - low + - V-38447 + - V-38452 + - V-38453 + - V-38454 - name: "LOW | V-38447 | AUDIT | The system package management tool must verify contents of all files associated with packages." command: rpm -qf {{ item | regex_replace('^..5......\\s+(/.+)$', '\\1') }} register: rpm_integrity_audit - when: item | match("^..5......[^c]*/.+$") - with_items: "{{ rpm_verify_packages.stdout_lines }}" - always_run: yes + when: cent7stig_update_packages and item | match("^..5......[^c]*/.+$") + with_items: rpm_verify_packages.stdout_lines + check_mode: no tags: - - cat3 - - low - - V-38447 - - rpm - - always + - cat3 + - low + - V-38447 + - rpm - name: "LOW | V-38447 | PATCH | The system package management tool must verify contents of all files associated with packages." command: yum reinstall -y {{ item.stdout }} - when: item|changed - with_items: "{{ rpm_integrity_audit.results }}" + args: + warn: false + when: cent7stig_update_packages and item|changed + with_items: rpm_integrity_audit.results tags: - - cat3 - - low - - V-38447 - - rpm - - patch + - cat3 + - low + - V-38447 + - rpm + - patch # V-38452 rpm system permissions - name: "LOW | V-38452 | AUDIT | The system package management tool must verify permissions on all files and directories associated with packages." 
command: rpm -qf {{ item | regex_replace('^.M.......\\s+[a-z]?\\s*(/.+)$', '\\1') }} - when: item | match("^.M.......\\s+.*?/.+$") + when: cent7stig_update_packages and item | match("^.M.......\\s+.*?/.+$") register: rpm_file_permissions_audit - with_items: "{{ rpm_verify_packages.stdout_lines }}" - always_run: yes + with_items: rpm_verify_packages.stdout_lines + check_mode: no tags: - - cat3 - - low - - V-38452 - - rpm - - always + - cat3 + - low + - V-38452 + - rpm - name: "LOW | V-38452 | PATCH | The system package management tool must verify permissions on all files and directories associated with packages." command: rpm --setperms {{ item.stdout }} - when: item|changed - with_items: "{{ rpm_file_permissions_audit.results }}" + when: cent7stig_update_packages and item|changed + with_items: rpm_file_permissions_audit.results tags: - - cat3 - - low - - V-38452 - - rpm - - patch + - cat3 + - low + - V-38452 + - rpm + - patch # V-38453 rpm group perms - name: "LOW | V-38453 | AUDIT | The system package management tool must verify group-ownership on all files and directories associated with packages." command: rpm -qf {{ item | regex_replace('^......G..\\s+[a-z]?\\s*(/.+)$', '\\1') }} - when: item | match("^......G..\\s+.*?/.+$") + when: cent7stig_update_packages and item | match("^......G..\\s+.*?/.+$") register: rpm_group_ownership_audit - with_items: "{{ rpm_verify_packages.stdout_lines }}" - always_run: yes + with_items: rpm_verify_packages.stdout_lines + check_mode: no tags: - - cat3 - - low - - V-38453 - - rpm - - audit + - cat3 + - low + - V-38453 + - rpm + - audit - name: "LOW | V-38453 | PATCH | The system package management tool must verify group-ownership on all files and directories associated with packages." 
command: rpm --setugids {{ item.stdout }} - when: item|changed - with_items: "{{ rpm_group_ownership_audit.results }}" + when: cent7stig_update_packages and item|changed + with_items: rpm_group_ownership_audit.results tags: - - cat3 - - low - - V-38453 - - rpm - - audit + - cat3 + - low + - V-38453 + - rpm + - audit # V-38454 rpm user perms - name: "LOW | V-38454 | AUDIT | The system package management tool must verify ownership on all files and directories associated with packages." command: rpm -qf {{ item | regex_replace('^.....U...\\s+[a-z]?\\s*(/.+)$', '\\1') }} - when: item | match("^.....U...\\s+.*?/.+$") + when: cent7stig_update_packages and item | match("^.....U...\\s+.*?/.+$") register: rpm_group_ownership_audit - with_items: "{{ rpm_verify_packages.stdout_lines }}" - always_run: yes + with_items: rpm_verify_packages.stdout_lines + check_mode: no tags: - - cat3 - - low - - V-38454 - - rpm - - audit + - cat3 + - low + - V-38454 + - rpm + - audit - name: "LOW | V-38454 | PATCH | The system package management tool must verify ownership on all files and directories associated with packages." command: rpm --setugids {{ item.stdout }} - when: item|changed - with_items: "{{ rpm_group_ownership_audit.results }}" + when: cent7stig_update_packages and item|changed + with_items: rpm_group_ownership_audit.results tags: - - cat3 - - low - - V-38454 - - rpm - - audit + - cat3 + - low + - V-38454 + - rpm + - audit # V-38455 see not_automated.yml 
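Review bot: Gating the loop tasks with `when: cent7stig_update_packages and ...` does not protect them when the variable is false: the `rpm -V` task at the top of the hunk is then skipped, `rpm_verify_packages` is registered as a skipped result without `stdout_lines`, and Ansible evaluates `with_items: rpm_verify_packages.stdout_lines` before the `when`, so the V-38447/38452/38453/38454 AUDIT tasks error on the missing attribute instead of skipping. Use `with_items: "{{ rpm_verify_packages.stdout_lines | default([]) }}"` on the AUDIT loops and `"{{ rpm_integrity_audit.results | default([]) }}"` (and the other `*_audit.results`) on the PATCH loops. Separately, the V-38454 AUDIT task registers `rpm_group_ownership_audit`, the same name the V-38453 AUDIT uses; it only works because the tasks run in order, and `register: rpm_ownership_audit` with the matching `with_items` on the V-38454 PATCH would make the intent clear.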
@@ -156,25 +157,25 @@ register: nfs_all_squash_disabled_audit failed_when: nfs_all_squash_disabled_audit.stdout_lines|length > 0 changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38460 - - nfs - - audit + - cat3 + - low + - V-38460 + - nfs + - audit - name: "LOW | V-38460 | PATCH | The NFS server must not have the all_squash option enabled." replace: - backup: no - dest: /etc/exports - regexp: ',?all_squash' - tags: - - cat3 - - low - - V-38460 - - nfs - - patch + backup: no + dest: /etc/exports + regexp: ',?all_squash' + tags: + - cat3 + - low + - V-38460 + - nfs + - patch notify: restart nfs # V-38463 see not_automated.yml @@ -187,28 +188,28 @@ register: auditd_syslog_output_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38471 - - auditd - - audit + - cat3 + - low + - V-38471 + - auditd + - audit - name: "LOW | V-38471 | PATCH | The system must forward audit records to the syslog service." lineinfile: - state: present - backup: no - dest: /etc/audisp/plugins.d/syslog.conf - regexp: '^#?active' - line: 'active = yes' + state: present + backup: no + dest: /etc/audisp/plugins.d/syslog.conf + regexp: '^#?active' + line: 'active = yes' notify: restart auditd tags: - - cat3 - - low - - V-38471 - - auditd - - patch + - cat3 + - low + - V-38471 + - auditd + - patch # V-38473 see not_automated.yml 
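Review bot: In the V-38460 PATCH task the `tags:` key and its items are re-indented in the same changed run as the `replace:` arguments (`backup`, `dest`, `regexp`), whereas in the V-38471 task below `tags:` is an untouched context line after `notify:`; that pattern suggests `tags:` is nested under `replace:` rather than at task level, which would pass it to the module as an unsupported argument and make the task unselectable by tag. I cannot see the indentation in this view, so please confirm `tags:` sits at the same column as `replace:` and `notify:`. The same shape appears in the PATCH tasks of the -281 (V-38480), -309 (V-38487), -367 (V-38516), -404/-440 (V-38528, V-38533) and -474/-508 (V-38535, V-38537) hunks.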
@@ -217,38 +218,37 @@ command: gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver when: cent7stig_xwindows_required register: gui_screen_lock_hotkey_audit - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38474 - - screen_lock - - audit + - cat3 + - low + - V-38474 + - screen_lock + - audit - name: "LOW | V-38474 | PATCH | Low The system must allow locking of graphical desktop sessions." command: gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gnome_settings_daemon/keybindings/screensaver "l" when: cent7stig_xwindows_required tags: - - cat3 - - low - - V-38474 - - screen_lock - - patch + - cat3 + - low + - V-38474 + - screen_lock + - patch # V-38478 rhnsd service - name: "LOW | V-38478 | AUDIT | The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite." command: chkconfig 'rhnsd' --list register: rhnsd_service_audit - always_run: yes + check_mode: no changed_when: false failed_when: "'No such file or directory' not in rhnsd_service_audit.stderr" ignore_errors: yes tags: - - cat3 - - low - - V-38478 - - rhnsd - - always + - cat3 + - low + - V-38478 + - rhnsd - name: "LOW | V-38478 | PATCH | The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite." shell: chkconfig rhnsd off && chkconfig rhnsd --list @@ -256,11 +256,11 @@ when: "rhnsd_service_audit.rc == 0 and ':on' in rhnsd_service_audit.stdout" failed_when: "rhnsd_service_disable.rc != 0 and ':on' in rhnsd_service_disable.stdout" tags: - - cat3 - - low - - V-38478 - - rhnsd - - patch + - cat3 + - low + - V-38478 + - rhnsd + - patch - name: "LOW | V-38478 | PATCH | The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite." command: service rhnsd stop 
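Review bot: The V-38474 PATCH task runs `gconftool-2 ... --set ... "l"` unconditionally whenever `cent7stig_xwindows_required` is true, so it reports changed on every run even when the AUDIT task just above already found the key set; `when: cent7stig_xwindows_required and gui_screen_lock_hotkey_audit.stdout != 'l'` would make it idempotent. I am also not sure a bare `"l"` is what the control expects for a keybinding — the STIG check text for this item, as I recall, looks for a modifier combination such as `<Control><Alt>l` — so that is worth confirming before this is applied more widely.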
@@ -269,11 +269,11 @@ failed_when: result.rc != 0 and result.rc != 6 changed_when: "rhnsd_service_stop.rc == 0 and 'Stopping' in rhnsd_service_stop.stdout and 'OK' in rhnsd_service_stop.stdout" tags: - - cat3 - - low - - V-38478 - - rhnsd - - patch + - cat3 + - low + - V-38478 + - rhnsd + - patch # V-38480 pass warn age - name: "LOW | V-38480 | AUDIT | Users must be warned 7 days in advance of password expiration." @@ -281,27 +281,27 @@ register: logindefs_pass_warn_age_audit failed_when: logindefs_pass_warn_age_audit.rc == 2 changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38480 - - passwords - - audit + - cat3 + - low + - V-38480 + - passwords + - audit - name: "LOW | V-38480 | PATCH | Users must be warned 7 days in advance of password expiration." lineinfile: - state: present - backup: no - dest: /etc/login.defs - regexp: '^#?PASS_WARN_AGE' - line: 'PASS_WARN_AGE\t7' - tags: - - cat3 - - low - - V-38480 - - passwords - - patch + state: present + backup: no + dest: /etc/login.defs + regexp: '^#?PASS_WARN_AGE' + line: 'PASS_WARN_AGE\t7' + tags: + - cat3 + - low + - V-38480 + - passwords + - patch # V-38482 pam cracklib digits 
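Review bot: `line: 'PASS_WARN_AGE\t7'` in the V-38480 PATCH task is a single-quoted YAML scalar, so `\t` stays as a literal backslash-t and /etc/login.defs ends up with the single token `PASS_WARN_AGE\t7`, which login.defs will almost certainly not read as a 7-day warning. Use `line: "PASS_WARN_AGE\t7"` (double quotes turn `\t` into a tab) or simply `line: 'PASS_WARN_AGE 7'`. The `tags:` indentation concern raised on the V-38460 hunk applies to this task as well.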
@@ -309,30 +309,30 @@ - name: "LOW | V-38487 | AUDIT | The system package management tool must cryptographically verify the authenticity of all software packages during installation." command: find /etc/yum.repos.d/ -exec grep -ls '^gpgcheck=0' {} \; changed_when: false - always_run: yes + check_mode: no register: repo_d_gpgcheck_check_audit tags: - - cat3 - - low - - V-38487 - - rpm - - audit - - gpgcheck + - cat3 + - low + - V-38487 + - rpm + - audit + - gpgcheck - name: "LOW | V-38487 | PATCH | The system package management tool must cryptographically verify the authenticity of all software packages during installation." replace: - backup: no - dest: '{{ item }}' - regexp: '^gpgcheck=0' - replace: 'gpgcheck=1' - with_items: "{{ repo_d_gpgcheck_check_audit.stdout_lines }}" - tags: - - cat3 - - low - - V-38487 - - rpm - - gpgcheck - - patch + backup: no + dest: '{{ item }}' + regexp: '^gpgcheck=0' + replace: 'gpgcheck=1' + with_items: repo_d_gpgcheck_check_audit.stdout_lines + tags: + - cat3 + - low + - V-38487 + - rpm + - gpgcheck + - patch # V-38494 securetty - name: "LOW | V-38494 | AUDIT | The system must prevent the root account from logging in from serial consoles." 
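Review bot: The V-38487 AUDIT command `find /etc/yum.repos.d/ -exec grep -ls '^gpgcheck=0' {} \;` also hands the directory itself to grep, which writes "Is a directory" to stderr on every run; adding `-type f` keeps the output clean and leaves room for a `failed_when` on stderr later. Note that this only flips `gpgcheck=0` inside repo files; a `gpgcheck=0` in the `[main]` section of /etc/yum.conf, or repo stanzas with no `gpgcheck` key at all, are not covered, so unless those are handled elsewhere in the role the control is only partially enforced.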
@@ -340,26 +340,26 @@ register: securetty_serial_consoles_audit failed_when: securetty_serial_consoles_audit.rc == 2 changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38494 - - secure_tty - - audit + - cat3 + - low + - V-38494 + - secure_tty + - audit - name: "LOW | V-38494 | PATCH | The system must prevent the root account from logging in from serial consoles." lineinfile: - state: absent - dest: /etc/securetty - regexp: '^ttyS[0-9]' - backup: no + state: absent + dest: /etc/securetty + regexp: '^ttyS[0-9]' + backup: no tags: - - cat3 - - low - - V-38494 - - secure_tty - - patch + - cat3 + - low + - V-38494 + - secure_tty + - patch # V-38516 modprobe rds - name: "LOW | V-38516 | AUDIT | The Reliable Datagram Sockets (RDS) protocol must be disabled unless required." @@ -367,30 +367,30 @@ register: modprobe_disable_rds_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38516 - - rds - - kernel_modules - - audit + - cat3 + - low + - V-38516 + - rds + - kernel_modules + - audit - name: "LOW | V-38516 | PATCH | The Reliable Datagram Sockets (RDS) protocol must be disabled unless required." copy: - backup: no - src: disable-rds.conf - dest: /etc/modprobe.d/disable-rds.conf - owner: root - group: root - mode: 0644 - tags: - - cat3 - - low - - V-38516 - - rds - - kernel_modules - - patch + backup: no + src: disable-rds.conf + dest: /etc/modprobe.d/disable-rds.conf + owner: root + group: root + mode: 0644 + tags: + - cat3 + - low + - V-38516 + - rds + - kernel_modules + - patch # V-38522 auditd timeofday changes 
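Review bot: `mode: 0644` in the V-38516 copy task is an unquoted YAML scalar and is parsed as the integer 420 by YAML 1.1 loaders; Ansible happens to accept that because 420 equals 0o644, but `mode: '0644'` is the form the Ansible docs recommend and avoids the trap entirely. Since the commit is already re-indenting every argument of this task, it is a cheap fix to fold in here and in any other `copy`/`file` tasks of the role.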
@@ -404,31 +404,31 @@ register: sysctl_log_martians_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38528 - - kernel_parameters - - network - - log_martians - - audit + - cat3 + - low + - V-38528 + - kernel_parameters + - network + - log_martians + - audit - name: "LOW | V-38528 | PATCH The system must log Martian packets." sysctl: - name: net.ipv4.conf.all.log_martians - value: 1 - state: present - reload: yes - ignoreerrors: yes - tags: - - cat3 - - low - - V-38528 - - kernel_parameters - - network - - log_martians - - patch + name: net.ipv4.conf.all.log_martians + value: 1 + state: present + reload: yes + ignoreerrors: yes + tags: + - cat3 + - low + - V-38528 + - kernel_parameters + - network + - log_martians + - patch # V-38530 auditd localtime @@ -440,31 +440,31 @@ register: sysctl_accept_redirects_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38533 - - kernel_parameters - - network - - icmp_redirects - - audit + - cat3 + - low + - V-38533 + - kernel_parameters + - network + - icmp_redirects + - audit - name: "LOW | V-38533 | PATCH | The system must ignore ICMPv4 redirect messages by default." sysctl: - name: net.ipv4.conf.default.accept_redirects - value: 0 - state: present - reload: yes - ignoreerrors: yes - tags: - - cat3 - - low - - V-38533 - - kernel_parameters - - network - - icmp_redirects - - patch + name: net.ipv4.conf.default.accept_redirects + value: 0 + state: present + reload: yes + ignoreerrors: yes + tags: + - cat3 + - low + - V-38533 + - kernel_parameters + - network + - icmp_redirects + - patch # V-38534 auditd account mod 
@@ -474,31 +474,31 @@ register: sysctl_ignore_broadcasts_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38535 - - kernel_parameters - - network - - ignore_broadcasts - - audit + - cat3 + - low + - V-38535 + - kernel_parameters + - network + - ignore_broadcasts + - audit - name: "LOW | V-38535 | PATCH | The system must not respond to ICMPv4 sent to a broadcast address." sysctl: - name: net.ipv4.icmp_echo_ignore_broadcasts - value: 1 - state: present - reload: yes - ignoreerrors: yes - tags: - - cat3 - - low - - V-38535 - - kernel_parameters - - network - - ignore_broadcasts - - patch + name: net.ipv4.icmp_echo_ignore_broadcasts + value: 1 + state: present + reload: yes + ignoreerrors: yes + tags: + - cat3 + - low + - V-38535 + - kernel_parameters + - network + - ignore_broadcasts + - patch # V-38536 auditd account disable @@ -508,31 +508,31 @@ register: sysctl_ignore_bogus_error_responses_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38537 - - kernel_parameters - - network - - ignore_broadcasts - - audit + - cat3 + - low + - V-38537 + - kernel_parameters + - network + - ignore_broadcasts + - audit - name: "LOW | V-38537 | PATCH | The system must ignore ICMPv4 bogus error responses." sysctl: - name: net.ipv4.icmp_ignore_bogus_error_responses - value: 1 - state: present - reload: yes - ignoreerrors: yes - tags: - - cat3 - - low - - V-38537 - - kernel_parameters - - network - - ignore_bogus_error - - patch + name: net.ipv4.icmp_ignore_bogus_error_responses + value: 1 + state: present + reload: yes + ignoreerrors: yes + tags: + - cat3 + - low + - V-38537 + - kernel_parameters + - network + - ignore_bogus_error + - patch # V-38538 auditd account term 
@@ -590,39 +590,38 @@ register: pkgs_xinetd_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38584 - - xinetd - - audit + - cat3 + - low + - V-38584 + - xinetd + - audit - name: "LOW | V-38584 | AUDIT | The xinetd service must be uninstalled if no network services utilizing it are enabled." shell: "chkconfig --list | sed -n '/xinetd based services/,$p'" register: pkgs_xinetd_services_audit changed_when: false failed_when: false - always_run: yes + check_mode: no when: cent7stig_install_packages tags: - - cat3 - - low - - V-38584 - - xinetd - - always + - cat3 + - low + - V-38584 + - xinetd - name: "LOW | V-38584 | PATCH | The xinetd service must be uninstalled if no network services utilizing it are enabled." yum: - name: xinetd - state: absent + name: xinetd + state: absent when: "not ':on' in pkgs_xinetd_services_audit.stdout" tags: - - cat3 - - low - - V-38584 - - xinetd - - patch + - cat3 + - low + - V-38584 + - xinetd + - patch # V-38590 install screen - name: "LOW | V-38590 | AUDIT | The system must allow locking of the console screen in text mode." @@ -630,27 +629,27 @@ register: pkgs_screen_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38590 - - screen_lock - - tmux - - audit + - cat3 + - low + - V-38590 + - screen_lock + - tmux + - audit - name: "LOW | V-38590 | PATCH | The system must allow locking of the console screen in text mode." yum: - name: tmux - state: present + name: tmux + state: present when: cent7stig_install_packages tags: - - cat3 - - low - - V-38590 - - screen_lock - - tmux - - patch + - cat3 + - low + - V-38590 + - screen_lock + - tmux + - patch # V-38608 sshd conf 
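Review bot: The V-38584 PATCH condition `when: "not ':on' in pkgs_xinetd_services_audit.stdout"` dereferences `.stdout` of a result that is only produced when `cent7stig_install_packages` is true; when it is false the AUDIT task is skipped, the registered value has no `stdout`, and the PATCH errors instead of skipping. Guard it with `when: "pkgs_xinetd_services_audit.stdout is defined and ':on' not in pkgs_xinetd_services_audit.stdout"`. Gating a service-removal audit on `cent7stig_install_packages` also reads oddly — the V-38590 task in the next hunk uses that same flag for `state: present` — so either a dedicated flag or no gate may be what was intended.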
@@ -664,41 +663,43 @@ register: avahi_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38618 - - avahi - - services - - audit + - cat3 + - low + - V-38618 + - avahi + - services + - audit - name: "LOW | V-38618 | AUDIT | The avahi service must be disabled." - command: service avahi-daemon status + command: systemctl status avahi-daemon register: avahi_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38618 - - avahi - - services - - audit + - cat3 + - low + - V-38618 + - avahi + - services + - audit - name: "LOW | V-38618 | PATCH | The avahi service must be disabled." + #if the service is not installed we don't have to stop it + when: "'Unit avahi-daemon.service could not be found' not in avahi_service_running_audit.stderr" service: - name: avahi-daemon - state: stopped - enabled: no + name: avahi-daemon + state: stopped + enabled: no tags: - - cat3 - - low - - V-38618 - - avahi - - services - - patch + - cat3 + - low + - V-38618 + - avahi + - services + - patch # V-38624 logrotate @@ -708,24 +709,24 @@ register: pkgs_openldap_server_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38627 - - openldap_server - - audit + - cat3 + - low + - V-38627 + - openldap_server + - audit - name: "LOW | V-38627 | PATCH | The openldap-servers package must not be installed unless required." yum: - name: openldap-servers - state: absent + name: openldap-servers + state: absent tags: - - cat3 - - low - - V-38627 - - openldap_server - - patch + - cat3 + - low + - V-38627 + - openldap_server + - patch # V-38635 auditd 
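Review bot: The new guard `when: "'Unit avahi-daemon.service could not be found' not in avahi_service_running_audit.stderr"` relies on the exact wording `systemctl status` prints for a missing unit; I am not certain the systemd shipped with CentOS 7.3 prints that message (older builds report `Loaded: not-found` on stdout instead), in which case the guard never matches and the `service:` task still fails on hosts without the package. A check that covers both wordings, e.g. `when: "'could not be found' not in avahi_service_running_audit.stderr and 'not-found' not in avahi_service_running_audit.stdout"`, would be safer; please verify on a 7.3 box. The same string match is added in the -733 (abrtd, via `abrtd_service_enabled_audit`), -779 (atd) and -911 (qpidd) hunks, and the comment above each guard should read `# if the service ...` with a space after `#`.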
@@ -733,45 +734,33 @@ # V-38640 abrtd service - name: "LOW | V-38640 | AUDIT | The Automatic Bug Reporting Tool (abrtd) service must not be running." - command: chkconfig 'abrtd' --list + command: systemctl status abrtd register: abrtd_service_enabled_audit changed_when: false - failed_when: "'No such file or directory' not in abrtd_service_enabled_audit.stderr" - always_run: yes - tags: - - cat3 - - low - - V-38640 - - abrtd - - services - - audit - -- name: "LOW | V-38640 | AUDIT | The Automatic Bug Reporting Tool (abrtd) service must not be running." - command: service abrtd status - register: abrtd_service_running_audit - changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38640 - - abrtd - - services - - audit + - cat3 + - low + - V-38640 + - abrtd + - services + - audit - name: "LOW | V-38640 | PATCH | The Automatic Bug Reporting Tool (abrtd) service must not be running." + #if the service is not installed we don't have to stop it + when: "'Unit abrtd.service could not be found' not in abrtd_service_enabled_audit.stderr" service: - name: abrtd - state: stopped - enabled: no + name: abrtd + state: stopped + enabled: no tags: - - cat3 - - low - - V-38640 - - abrtd - - services - - patch + - cat3 + - low + - V-38640 + - abrtd + - services + - patch # V-38641 atd service - name: "LOW | V-38641 | AUDIT | The atd service must be disabled." 
@@ -779,41 +768,43 @@ register: atd_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38641 - - atd - - services - - audit + - cat3 + - low + - V-38641 + - atd + - services + - audit - name: "LOW | V-38641 | AUDIT | The atd service must be disabled." - command: service atd status + command: systemctl status atd register: atd_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38641 - - atd - - services - - audit + - cat3 + - low + - V-38641 + - atd + - services + - audit - name: "LOW | V-38641 | PATCH | The atd service must be disabled." + #if the service is not installed we don't have to stop it + when: "'Unit atd.service could not be found' not in atd_service_running_audit.stderr" service: - name: atd - state: stopped - enabled: no + name: atd + state: stopped + enabled: no tags: - - cat3 - - low - - V-38641 - - atd - - services - - patch + - cat3 + - low + - V-38641 + - atd + - services + - patch # V-38642 umask 
@@ -823,41 +814,41 @@ register: ntpdate_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38644 - - ntpdate - - services - - audit + - cat3 + - low + - V-38644 + - ntpdate + - services + - audit - name: "LOW | V-38644 | AUDIT | The ntpdate service must not be running." - command: service ntpdate status + command: systemctl status ntpdate register: ntpdate_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38644 - - ntpdate - - services - - audit + - cat3 + - low + - V-38644 + - ntpdate + - services + - audit - name: "LOW | V-38644 | PATCH | The ntpdate service must not be running." service: - name: ntpdate - state: stopped - enabled: no + name: ntpdate + state: stopped + enabled: no tags: - - cat3 - - low - - V-38644 - - ntpdate - - services - - patch + - cat3 + - low + - V-38644 + - ntpdate + - services + - patch # V-38645 umask @@ -867,41 +858,41 @@ register: oddjobd_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38646 - - oddjobd - - services - - audit + - cat3 + - low + - V-38646 + - oddjobd + - services + - audit - name: "LOW | V-38646 | AUDIT | The oddjobd service must not be running." - command: service oddjobd status + command: systemctl status oddjobd register: oddjobd_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38646 - - oddjobd - - services - - audit + - cat3 + - low + - V-38646 + - oddjobd + - services + - audit - name: "LOW | V-38646 | PATCH | The oddjobd service must not be running." service: - name: oddjobd - state: stopped - enabled: no + name: oddjobd + state: stopped + enabled: no tags: - - cat3 - - low - - V-38646 - - oddjobd - - services - - patch + - cat3 + - low + - V-38646 + - oddjobd + - services + - patch # V-38647 umask 
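Review bot: The ntpdate and oddjobd PATCH tasks (`service:` with `state: stopped` and `enabled: no`) did not receive the "Unit … could not be found" guard that the avahi, abrtd, atd and qpidd tasks got in this commit, so on a host where ntpdate or oddjob is not installed the service module fails the play. Add `when: "'Unit ntpdate.service could not be found' not in ntpdate_service_running_audit.stderr"` and the oddjobd counterpart, in whatever final form that guard takes, for consistency with the rest of the file. The rdisc task in the -955 hunk is missing the same guard.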
@@ -911,41 +902,43 @@ register: qpidd_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38648 - - qpidd - - services - - audit + - cat3 + - low + - V-38648 + - qpidd + - services + - audit - name: "LOW | V-38648 | AUDIT | The qpidd service must not be running." - command: service qpidd status + command: systemctl status qpidd register: qpidd_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38648 - - qpidd - - services - - audit + - cat3 + - low + - V-38648 + - qpidd + - services + - audit - name: "LOW | V-38648 | PATCH | The qpidd service must not be running." + #if the service is not installed we don't have to stop it + when: "'Unit qpidd.service could not be found' not in qpidd_service_running_audit.stderr" service: - name: qpidd - state: stopped - enabled: no + name: qpidd + state: stopped + enabled: no tags: - - cat3 - - low - - V-38648 - - qpidd - - services - - patch + - cat3 + - low + - V-38648 + - qpidd + - services + - patch # V-38649 umask 
@@ -955,41 +948,41 @@ register: rdisc_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38650 - - rdisc - - services - - audit + - cat3 + - low + - V-38650 + - rdisc + - services + - audit - name: "LOW | V-38650 | AUDIT | The rdisc service must not be running." - command: service rdisc status + command: systemctl status rdisc register: rdisc_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38650 - - rdisc - - services - - audit + - cat3 + - low + - V-38650 + - rdisc + - services + - audit - name: "LOW | V-38650 | PATCH | The rdisc service must not be running." service: - name: rdisc - state: stopped - enabled: no + name: rdisc + state: stopped + enabled: no tags: - - cat3 - - low - - V-38650 - - rdisc - - services - - patch + - cat3 + - low + - V-38650 + - rdisc + - services + - patch # V-38651 umask 
@@ -1011,41 +1004,41 @@ register: postfix_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38669 - - postfix - - services - - audit + - cat3 + - low + - V-38669 + - postfix + - services + - audit - name: "LOW | V-38669 | AUDIT | The postfix service must be enabled for mail delivery." - command: service postfix status + command: systemctl status postfix register: postfix_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38669 - - postfix - - services - - audit + - cat3 + - low + - V-38669 + - postfix + - services + - audit - name: "LOW | V-38669 | PATCH | The postfix service must be enabled for mail delivery." service: - name: postfix - state: started - enabled: yes + name: postfix + state: started + enabled: yes tags: - - cat3 - - low - - V-38669 - - postfix - - services - - patch + - cat3 + - low + - V-38669 + - postfix + - services + - patch # V-38672 netconsole service - name: "LOW | V-38672 | AUDIT | The netconsole service must be disabled unless required." 
@@ -1053,41 +1046,41 @@ register: netconsole_service_enabled_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38672 - - netconsole - - services - - audit + - cat3 + - low + - V-38672 + - netconsole + - services + - audit - name: "LOW | V-38672 | AUDIT | The netconsole service must be disabled unless required." - command: service netconsole status + command: systemctl status netconsole register: netconsole_service_running_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38672 - - netconsole - - services - - audit + - cat3 + - low + - V-38672 + - netconsole + - services + - audit - name: "LOW | V-38672 | PATCH | The netconsole service must be disabled unless required." service: - name: netconsole - state: stopped - enabled: no + name: netconsole + state: stopped + enabled: no tags: - - cat3 - - low - - V-38672 - - netconsole - - services - - patch + - cat3 + - low + - V-38672 + - netconsole + - services + - patch # V-38675 limits core @@ -1097,25 +1090,25 @@ register: pkgs_xwindows_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38676 - - xwindows - - audit + - cat3 + - low + - V-38676 + - xwindows + - audit - name: "LOW | V-38676 | PATCH | The xorg-x11-server-common (X Windows) package must not be installed, unless required." yum: - name: "@X Window System" - state: absent + name: "@X Window System" + state: absent when: not cent7stig_xwindows_required tags: - - cat3 - - low - - V-38676 - - xwindows - - audit + - cat3 + - low + - V-38676 + - xwindows + - audit # V-38681 see not_automated.yml 
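Review bot: The V-38676 PATCH task in the second hunk here is tagged `audit` rather than `patch` (its re-indented tag list still ends with `- audit`), so a run limited to `--tags audit` removes the `@X Window System` group while `--tags patch` skips the fix entirely; the V-38702 PATCH task in the vsftpd hunk further down has the same mismatch. Change the final tag of both to `- patch`. Every other PATCH task in these hunks uses `patch`, so this reads as a copy-paste leftover rather than intent, and it matters because the `audit` tag is what an operator reaches for when they want a read-only pass.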
@@ -1131,27 +1124,27 @@ register: pkgs_vpn_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38687 - - openswan - - vpn - - audit + - cat3 + - low + - V-38687 + - openswan + - vpn + - audit - name: "LOW | V-38687 | PATCH | The system must provide VPN connectivity for communications over untrusted networks." yum: - name: openswan - state: present + name: openswan + state: present when: cent7stig_install_packages tags: - - cat3 - - low - - V-38687 - - openswan - - vpn - - patch + - cat3 + - low + - V-38687 + - openswan + - vpn + - patch # V-38690 emergency accounts @@ -1171,30 +1164,30 @@ register: vsftpd_service_installed_audit changed_when: false failed_when: false - always_run: yes + check_mode: no when: vsftpd_services.stdout_lines|length > 0 tags: - - cat3 - - low - - V-38702 - - logging - - ftp - - audit + - cat3 + - low + - V-38702 + - logging + - ftp + - audit - name: "LOW | V-38702 | AUDIT | The FTP daemon must be configured for logging or verbose mode." command: grep -l vsftpd /etc/xinetd.d/* register: vsftpd_xinetd_startup_file_audit changed_when: false failed_when: false - always_run: yes + check_mode: no when: vsftpd_services.stdout_lines|length > 0 tags: - - cat3 - - low - - V-38702 - - logging - - ftp - - audit + - cat3 + - low + - V-38702 + - logging + - ftp + - audit - name: "LOW | V-38702 | AUDIT | The FTP daemon must be configured for logging or verbose mode." command: grep server_args {{ vsftpd_xinetd_startup_file_audit.stdout }} 
@@ -1202,45 +1195,45 @@ changed_when: false failed_when: false when: vsftpd_services.stdout_lines|length > 0 - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-38702 - - logging - - ftp - - audit + - cat3 + - low + - V-38702 + - logging + - ftp + - audit - name: "LOW | V-38702 | AUDIT | The FTP daemon must be configured for logging or verbose mode." command: "grep '^xferlog_enable' {{ vsftpd_config_file_audit.stdout | default('/etc/vsftpd/vsftpd.conf') }}" register: vsftpd_xinetd_config_file_audit changed_when: false failed_when: false - always_run: yes + check_mode: no when: vsftpd_services.stdout_lines|length > 0 tags: - - cat3 - - low - - V-38702 - - logging - - ftp - - audit + - cat3 + - low + - V-38702 + - logging + - ftp + - audit - name: "LOW | V-38702 | PATCH | The FTP daemon must be configured for logging or verbose mode." lineinfile: - state: present - backup: no - dest: "{{ vsftpd_config_file_audit.stdout | default('/etc/vsftpd/vsftpd.conf') }}" - regexp: '^#?xferlog_enable' - line: 'xferlog_enable=YES' + state: present + backup: no + dest: "{{ vsftpd_config_file_audit.stdout | default('/etc/vsftpd/vsftpd.conf') }}" + regexp: '^#?xferlog_enable' + line: 'xferlog_enable=YES' when: vsftpd_services.stdout_lines|length > 0 tags: - - cat3 - - low - - V-38702 - - logging - - ftp - - audit + - cat3 + - low + - V-38702 + - logging + - ftp + - audit notify: restart vsftpd # V-51369 selinux 
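Review bot: `dest: "{{ vsftpd_config_file_audit.stdout | default('/etc/vsftpd/vsftpd.conf') }}"` on the V-38702 PATCH task, and the same expression in the `grep '^xferlog_enable'` audit above it, only fall back when the variable is undefined; a registered `command` result whose stdout is an empty string is still defined, so if the preceding grep finds nothing the path expands to `""` and lineinfile fails rather than editing the default file. Jinja's `default` takes a second argument to also replace empty values: `default('/etc/vsftpd/vsftpd.conf', true)`. Whether the registering task can actually yield empty stdout depends on the `grep server_args` command in the previous hunk, whose output I cannot confirm from here, so treat this as a defensive change.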
@@ -1249,24 +1242,24 @@ register: selinux_policy_audit failed_when: selinux_policy_audit.stdout_lines|length > 0 changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-51369 - - selinux - - audit + - cat3 + - low + - V-51369 + - selinux + - audit - name: "LOW | V-51369 | PATCH | The system must use a Linux Security Module configured to limit the privileges of system services." selinux: - policy: targeted - state: enforcing + policy: targeted + state: enforcing tags: - - cat3 - - low - - V-51369 - - selinux - - patch + - cat3 + - low + - V-51369 + - selinux + - patch # V-51379 selinux - name: "LOW | V-51379 | AUDIT | All device files must be monitored by the system Linux Security Module." @@ -1274,13 +1267,12 @@ register: selinux_device_file_context_audit failed_when: false changed_when: false - always_run: yes + check_mode: no tags: - - cat3 - - low - - V-51379 - - secontext - - always + - cat3 + - low + - V-51379 + - secontext - name: "LOW | V-51379 | PATCH | All device files must be monitored by the system Linux Security Module." command: restorecon -r /dev/ @@ -1289,11 +1281,11 @@ failed_when: selinux_device_file_context_patch.rc != 0 changed_when: selinux_device_file_context_patch.stdout tags: - - cat3 - - low - - V-51379 - - secontext - - patch + - cat3 + - low + - V-51379 + - secontext + - patch # --- BREAK --- # @@ -1353,7 +1345,7 @@ backup: yes dest: /etc/login.defs regexp: '^UMASK' - line: 'UMASK 077' + line: 'UMASK 077' tags: [ 'cat3' , 'V-38645' , 'umask' ] - name: "LOW | V-38608 | PATCH | The SSH daemon must set a timeout interval on idle sessions" 
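Review bot: The V-51379 AUDIT task (second hunk on this line) drops its `- always` tag without gaining `- audit`, unlike the neighbouring AUDIT tasks, so `--tags audit` no longer runs it and `selinux_device_file_context_audit` is left unset for anything that reads it. Add `- audit` where `- always` was removed. The PATCH task in the following hunk keeps `- patch`, so the omission looks accidental.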
@@ -1392,13 +1384,13 @@ backup: yes dest: /etc/security/limits.conf regexp: '^#?\\*.*(hard|soft).*core' - line: '* hard core 0' + line: '* hard core 0' tags: [ 'cat3' , 'V-38675' , 'core_dump' ] - name: "LOW | V-38685 | PATCH | Temporary accounts must be provisioned with an expiration date" command: chage -E {{ item.expiration }} {{ item.user }} when: cent7stig_temporary_users is defined - with_items: "{{ cent7stig_temporary_users }}" + with_items: cent7stig_temporary_users tags: [ 'cat3' , 'V-38685' , 'accounts' ] - name: "LOW | V-38684 | PATCH | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements" @@ -1408,7 +1400,7 @@ dest: /etc/security/limits.conf insertbefore: '^# End of file' regexp: '^#?\\*.*maxlogins' - line: '* hard maxlogins {{ cent7stig_maxlogins }}' + line: '* hard maxlogins {{ cent7stig_maxlogins }}' tags: [ 'cat3' , 'V-38684' , 'logon_settings' ] - name: Use strong MAC algorithms diff --git a/tasks/not_automated.yml b/tasks/not_automated.yml index 22190e7..20b9134 100644 --- a/tasks/not_automated.yml +++ b/tasks/not_automated.yml @@ -2,7 +2,7 @@ - name: "HIGH | V-38666 | AUDIT | The system must use and update a DoD-approved virus scan program" command: /etc/init.d/nails status ignore_errors: yes - always_run: yes + check_mode: no changed_when: no register: av_nails_status_audit tags: @@ -16,7 +16,7 @@ shell: grep uvscan /etc/cron* /var/spool/cron/* register: av_uvscan_cron_audit ignore_errors: yes - always_run: yes + check_mode: no changed_when: no tags: - cat1 @@ -30,7 +30,7 @@ register: av_defs_audit changed_when: no ignore_errors: yes - always_run: yes + check_mode: no tags: - cat1 - V-38666 @@ -43,7 +43,7 @@ register: nfs_insecure_locking_audit ignore_errors: yes changed_when: no - always_run: yes + check_mode: no tags: - cat1 - high 
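Review bot: `with_items: cent7stig_temporary_users` in the V-38685 hunk replaces a templated loop with a bare variable name, which Ansible 2.x flags as deprecated ("Using bare variables is deprecated") and later releases treat as a literal string; since the commit targets Ansible 2.3, the previous `with_items: "{{ cent7stig_temporary_users }}"` is the form to keep. The `chage -E {{ item.expiration }} {{ item.user }}` command that consumes the loop would then receive the string's characters rather than the account records, so this is a functional regression for the expiry control, not just a warning.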
@@ -55,7 +55,7 @@ - name: "MEDIUM | V-38499 | AUDIT | The /etc/passwd file must not contain password hashes" shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd" changed_when: false - always_run: yes + check_mode: no register: etc_password_hash_audit tags: - cat2 @@ -67,7 +67,7 @@ - name: "MEDIUM | V-38500 | AUDIT | The root account must be the only account having a UID of 0" shell: "awk -F: '($3 == \"0\") {print}' /etc/passwd | grep -v root" changed_when: no - always_run: yes + check_mode: no ignore_errors: yes register: users_uid_0_audit tags: @@ -82,7 +82,7 @@ shell: grep -E '^\*\.\*\s*[@:]{1,2}[a-z.:]*' /etc/rsyslog.conf changed_when: no ignore_errors: yes - always_run: yes + check_mode: no register: rsyslog_log_mgmt_audit tags: - audit @@ -97,7 +97,7 @@ - name: "LOW | V-38455 | AUDIT | The system must use a separate file system for /tmp" shell: mount | grep "on /tmp " register: tmp_mounted_audit - always_run: yes + check_mode: no ignore_errors: yes changed_when: no tags: @@ -112,7 +112,7 @@ register: var_mounted_audit changed_when: no ignore_errors: yes - always_run: yes + check_mode: no tags: - cat3 - V-38456 @@ -123,7 +123,7 @@ - name: "LOW | V-38463 | AUDIT | The system must use a separate file system for /var/log" shell: mount | grep "on /var/log " register: varlog_mounted_audit - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: @@ -136,7 +136,7 @@ - name: "LOW | V-38467 | AUDIT | The system must use a separate file system for /var/log/audit" shell: mount | grep "on /var/log/audit " register: varlogaudit_mounted_audit - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: @@ -149,7 +149,7 @@ - name: "LOW | V-38473 | AUDIT | The system must use a separate file system for user home directories" shell: mount | grep "on /home " register: home_mounted_audit - always_run: yes + check_mode: no changed_when: no ignore_errors: yes tags: 
@@ -164,7 +164,7 @@ changed_when: false failed_when: false register: missing_group_audit - always_run: yes + check_mode: no tags: - cat3 - low @@ -177,7 +177,7 @@ changed_when: false failed_when: false register: duplicate_account_audit - always_run: yes + check_mode: no tags: - cat3 - low @@ -189,7 +189,7 @@ shell: "lsblk | awk '$6 == \"part\" && $7 ~ /\\// {print $NF}' | xargs -I{} find {} -xdev -type d -perm -0002 \\! -perm -1000" changed_when: false register: stick_bit_public_dir_audit - always_run: yes + check_mode: no tags: - cat3 - low @@ -202,7 +202,7 @@ shell: "lsblk | awk '$6 == \"part\" && $7 ~ /\\// {print $NF}' | xargs -I{} find {} -xdev -type d -perm -0002 -uid +499 -print" changed_when: false register: system_account_public_dir_audit - always_run: yes + check_mode: no tags: - cat3 - low diff --git a/tasks/post.yml b/tasks/post.yml index 48a308a..16fcd1a 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -1,6 +1,8 @@ --- - name: Cleanup temp files - file: path={{ item }} state=absent + file: + path: "{{ item }}" + state: absent changed_when: false with_items: - /tmp/cent7stig_rpm_verify diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 53ed5fd..b68c727 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -2,116 +2,118 @@ # Preliminary tasks that should always be run - name: "PRELIM | Check for /etc/snmp/snmpd.conf" stat: - path: /etc/snmp/snmpd.conf + path: /etc/snmp/snmpd.conf register: snmpconf_test - always_run: yes + check_mode: no tags: - - cat1 - - cat2 - - V-38653 - - snmp - - always + - cat1 + - cat2 + - V-38653 + - snmp + - always # Setup variables based on operating system - name: "PRELIM | Set gpg_key_url for CentOS" set_fact: - gpg_key_url: http://mirror.centos.org/centos/RPM-GPG-KEY-{{ ansible_distribution }}-{{ ansible_distribution_major_version }} + gpg_key_url: http://mirror.centos.org/centos/RPM-GPG-KEY-{{ ansible_distribution }}-{{ ansible_distribution_major_version }} when: "ansible_distribution == 'CentOS'" - always_run: yes + check_mode: no tags: - - cat1 - - V-38476 - - always + - cat1 + - V-38476 + - gpgcheck + - always - name: "PRELIM | Set gpg_key_url for Red Hat" set_fact: - gpg_key_url: https://www.redhat.com/security/fd431d51.txt + gpg_key_url: https://www.redhat.com/security/fd431d51.txt when: "ansible_distribution == 'RedHat'" - always_run: yes + check_mode: no tags: - - cat1 - - V-38476 - - always + - cat1 + - V-38476 + - gpgcheck + - always # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" command: "awk -F: '{print $1}' /etc/passwd" register: users changed_when: false - always_run: yes + check_mode: no tags: - - cat1 - - cat2 - - always + - cat1 + - cat2 + - always - name: "PRELIM | Identify Unlocked Accounts" shell: > - awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow + awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow register: unlocked_accounts changed_when: false - always_run: yes + check_mode: no tags: - - cat1 - - cat2 - - cat3 - - always + - cat1 + - cat2 + - cat3 + - always - name: "PRELIM | Identify Unlocked Sys Accounts" shell: > - awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow | xargs -I{} grep {} /etc/passwd | awk -F: 
'$3 < 500 {print $1}' + awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow | xargs -I{} grep {} /etc/passwd | awk -F: '$3 < 500 {print $1}' register: unlocked_sys_accounts changed_when: false - always_run: yes + check_mode: no tags: - - cat1 - - cat2 - - cat3 - - always + - cat1 + - cat2 + - cat3 + - always - name: "PRELIM | List system accounts" shell: "grep -Ev '/home|root' /etc/passwd | cut -d : -f 1" register: system_users changed_when: false - always_run: yes + check_mode: no tags: - - cat1 - - cat2 - - cat3 - - always + - cat1 + - cat2 + - cat3 + - always # Get separate lists of SysV and xinetd services - name: "PRELIM | List SysV services" shell: "systemctl list-unit-files --type service | grep sysv | awk '{print $1}'" register: sysv_services changed_when: false - always_run: yes + check_mode: no tags: - - cat1 - - cat2 - - cat3 - - always + - cat1 + - cat2 + - cat3 + - always - name: "PRELIM | List vsftpd services" shell: "systemctl list-unit-files --type service | grep vsftpd | awk '{print $1}'" register: vsftpd_services changed_when: false - always_run: yes + check_mode: no tags: - - cat1 - - cat2 - - cat3 - - always + - cat1 + - cat2 + - cat3 + - always - name: "PRELIM | List xinetd services" shell: "systemctl list-unit-files --type service | grep xinetd | awk '{print $1}'" register: xinetd_services changed_when: false - always_run: yes + check_mode: no tags: - - cat1 - - cat2 - - cat3 - - always + - cat1 + - cat2 + - cat3 + - always # See if IPv6 is enabled and set a fact - name: "PRELIM | Check if IPv6 is enabled" 
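Review bot: `gpg_key_url: http://mirror.centos.org/centos/RPM-GPG-KEY-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}` fetches over plain HTTP the key that the V-38476 `rpm_key` task later imports, so the trust root used for package-signature verification is itself unauthenticated in transit. On CentOS 7 the distribution key is already on disk from the release package (`/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7`) and `rpm_key` accepts a local path, which avoids the download altogether; otherwise use an https URL. Separately, the "Identify Unlocked Sys Accounts" filter `'$3 < 500 {print $1}'` uses the RHEL 6 UID boundary while CentOS 7 sets UID_MIN to 1000 in login.defs, so accounts with UIDs 500–999 are misclassified as user accounts; `$3 < 1000` matches the target release. The `xargs -I{} grep {} /etc/passwd` step in the same pipeline is unanchored, so a username that is a substring of another (constructed example: `bob` inside `bobby`) pulls in extra rows.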
@@ -120,44 +122,45 @@ failed_when: false register: cent7stig_ipv6test ignore_errors: yes - always_run: yes + check_mode: no tags: - - ipv6 - - always + - ipv6 + - always - name: "PRELIM | Set ipv6_in_use to 'true'" - set_fact: ipv6_in_use=true when: cent7stig_ipv6test.stdout - always_run: yes + set_fact: ipv6_in_use=true + check_mode: no tags: - - ipv6 - - always + - ipv6 + - always # Get list of shells - name: "PRELIM | Get list of shells on system" shell: grep -Pv "/(sh|nologin|dash)" /etc/shells | sed -r 's#/((bin|sbin|usr)/)+##' register: shells changed_when: false - always_run: yes + check_mode: no tags: - - umask - - always + - umask + - always - name: "PRELIM | Check for device files with unlabeled_t context" shell: ls -RZ /dev | grep unlabeled_t register: cent7stig_dev_unlabeled_context changed_when: false failed_when: false + check_mode: no when: cent7stig_cat3 tags: - - selinux - - always + - selinux + - always - name: "PRELIM | Check for samba" stat: path=/etc/samba/smb.conf register: samba_check tags: - - cat3 - - V-38656 - - smb - - always + - cat3 + - V-38656 + - smb + - always
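Review bot: The "Set ipv6_in_use to 'true'" task only assigns the fact when `cent7stig_ipv6test.stdout` is non-empty, so on hosts without IPv6 `ipv6_in_use` remains undefined and any later `when: ipv6_in_use` without a `default(false)` will error; I cannot see the consumer from this hunk, so this is inferred. Setting it unconditionally removes that branch: replace the `when:` and `set_fact: ipv6_in_use=true` lines with `set_fact:` followed by `  ipv6_in_use: "{{ cent7stig_ipv6test.stdout | length > 0 }}"`. The "Check for samba" task at the end also keeps the `stat: path=/etc/samba/smb.conf` key=value form while the rest of the commit converts module arguments to block YAML; `stat:` with `path: /etc/samba/smb.conf` beneath it would match.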